Import postgres files from omnibus-chef-server

Repo https://github.com/opscode/omnibus-chef-server.git Path files/chef-server-cookbooks/chef-server/ Revision 6a11fd840045a7ae7961e5a37439371b7407f3e9

Import postgres files from omnibus-chef-server
Repo https://github.com/opscode/omnibus-chef-server.git Path files/chef-server-cookbooks/chef-server/ Revision 6a11fd840045a7ae7961e5a37439371b7407f3e9
Jacob Vosmaer
1 parent 22c45c12
Showing 11 changed files with 1475 additions and 0 deletions Show diff stats
files/gitlab-cookbooks/gitlab/attributes/default.rb
files/gitlab-cookbooks/gitlab/libraries/chef_server.rb
files/gitlab-cookbooks/gitlab/libraries/helper.rb
files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
files/gitlab-cookbooks/gitlab/templates/default/90-postgresql.conf.sysctl.erb
files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
files/gitlab-cookbooks/gitlab/templates/default/postgresql-init.erb
files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb
files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-control-t.erb
files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-log-run.erb
files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-run.erb
@@ -0,0 +1,279 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+###
+# High level options
+###
+default['chef_server']['api_version'] = "11.0.2"
+default['chef_server']['flavor'] = "osc" # Open Source Chef
+
+default['chef_server']['notification_email'] = "info@example.com"
+default['chef_server']['bootstrap']['enable'] = true
+
+####
+# The Chef User that services run as
+####
+# The username for the chef services user
+default['chef_server']['user']['username'] = "chef_server"
+# The shell for the chef services user
+default['chef_server']['user']['shell'] = "/bin/sh"
+# The home directory for the chef services user
+default['chef_server']['user']['home'] = "/opt/chef-server/embedded"
+
+####
+# RabbitMQ
+####
+default['chef_server']['rabbitmq']['enable'] = true
+default['chef_server']['rabbitmq']['ha'] = false
+default['chef_server']['rabbitmq']['dir'] = "/var/opt/chef-server/rabbitmq"
+default['chef_server']['rabbitmq']['data_dir'] = "/var/opt/chef-server/rabbitmq/db"
+default['chef_server']['rabbitmq']['log_directory'] = "/var/log/chef-server/rabbitmq"
+default['chef_server']['rabbitmq']['vhost'] = '/chef'
+default['chef_server']['rabbitmq']['user'] = 'chef'
+default['chef_server']['rabbitmq']['password'] = 'chefrocks'
+default['chef_server']['rabbitmq']['node_ip_address'] = '127.0.0.1'
+default['chef_server']['rabbitmq']['node_port'] = '8672'
+default['chef_server']['rabbitmq']['nodename'] = 'rabbit@localhost'
+default['chef_server']['rabbitmq']['vip'] = '127.0.0.1'
+default['chef_server']['rabbitmq']['consumer_id'] = 'hotsauce'
+
+####
+# Chef Solr
+####
+default['chef_server']['chef-solr']['enable'] = true
+default['chef_server']['chef-solr']['ha'] = false
+default['chef_server']['chef-solr']['dir'] = "/var/opt/chef-server/chef-solr"
+default['chef_server']['chef-solr']['data_dir'] = "/var/opt/chef-server/chef-solr/data"
+default['chef_server']['chef-solr']['log_directory'] = "/var/log/chef-server/chef-solr"
+# defaults for heap size and new generation size are computed in the chef-solr
+# recipe based on node memory
+default['chef_server']['chef-solr']['heap_size'] = nil
+default['chef_server']['chef-solr']['new_size'] = nil
+default['chef_server']['chef-solr']['java_opts'] = ""
+default['chef_server']['chef-solr']['ip_address'] = '127.0.0.1'
+default['chef_server']['chef-solr']['vip'] = '127.0.0.1'
+default['chef_server']['chef-solr']['port'] = 8983
+default['chef_server']['chef-solr']['ram_buffer_size'] = 200
+default['chef_server']['chef-solr']['merge_factor'] = 100
+default['chef_server']['chef-solr']['max_merge_docs'] = 2147483647
+default['chef_server']['chef-solr']['max_field_length'] = 100000
+default['chef_server']['chef-solr']['max_commit_docs'] = 1000
+default['chef_server']['chef-solr']['commit_interval'] = 60000 # in ms
+default['chef_server']['chef-solr']['poll_seconds'] = 20 # slave -> master poll interval in seconds, max of 60 (see solrconfig.xml.erb)
+
+####
+# Chef Expander
+####
+default['chef_server']['chef-expander']['enable'] = true
+default['chef_server']['chef-expander']['ha'] = false
+default['chef_server']['chef-expander']['dir'] = "/var/opt/chef-server/chef-expander"
+default['chef_server']['chef-expander']['log_directory'] = "/var/log/chef-server/chef-expander"
+default['chef_server']['chef-expander']['reindexer_log_directory'] = "/var/log/chef-server/chef-expander-reindexer"
+default['chef_server']['chef-expander']['consumer_id'] = "default"
+default['chef_server']['chef-expander']['nodes'] = 2
+
+####
+# Bookshelf
+####
+default['chef_server']['bookshelf']['enable'] = true
+default['chef_server']['bookshelf']['ha'] = false
+default['chef_server']['bookshelf']['dir'] = "/var/opt/chef-server/bookshelf"
+default['chef_server']['bookshelf']['data_dir'] = "/var/opt/chef-server/bookshelf/data"
+default['chef_server']['bookshelf']['log_directory'] = "/var/log/chef-server/bookshelf"
+default['chef_server']['bookshelf']['svlogd_size'] = 1000000
+default['chef_server']['bookshelf']['svlogd_num'] = 10
+default['chef_server']['bookshelf']['vip'] = node['fqdn']
+default['chef_server']['bookshelf']['url'] = "https://#{node['fqdn']}"
+# Default: set to Host: header. Override to hardcode a url, "http://..."
+default['chef_server']['bookshelf']['external_url'] = :host_header
+default['chef_server']['bookshelf']['listen'] = '127.0.0.1'
+default['chef_server']['bookshelf']['port'] = 4321
+default['chef_server']['bookshelf']['stream_download'] = true
+default['chef_server']['bookshelf']['access_key_id'] = "generated-by-default"
+default['chef_server']['bookshelf']['secret_access_key'] = "generated-by-default"
+
+####
+# Erlang Chef Server API
+####
+default['chef_server']['erchef']['enable'] = true
+default['chef_server']['erchef']['ha'] = false
+default['chef_server']['erchef']['dir'] = "/var/opt/chef-server/erchef"
+default['chef_server']['erchef']['log_directory'] = "/var/log/chef-server/erchef"
+default['chef_server']['erchef']['svlogd_size'] = 1000000
+default['chef_server']['erchef']['svlogd_num'] = 10
+default['chef_server']['erchef']['vip'] = '127.0.0.1'
+default['chef_server']['erchef']['listen'] = '127.0.0.1'
+default['chef_server']['erchef']['port'] = 8000
+default['chef_server']['erchef']['auth_skew'] = '900'
+default['chef_server']['erchef']['bulk_fetch_batch_size'] = '5'
+default['chef_server']['erchef']['max_cache_size'] = '10000'
+default['chef_server']['erchef']['cache_ttl'] = '3600'
+default['chef_server']['erchef']['db_pool_size'] = '20'
+default['chef_server']['erchef']['ibrowse_max_sessions'] = 256
+default['chef_server']['erchef']['ibrowse_max_pipeline_size'] = 1
+# Default: generate signed URLs based upon Host: header. Override with a url, "http:// ..."
+default['chef_server']['erchef']['base_resource_url'] = :host_header
+default['chef_server']['erchef']['s3_bucket'] = 'bookshelf'
+default['chef_server']['erchef']['s3_url_ttl'] = 900
+default['chef_server']['erchef']['s3_parallel_ops_timeout'] = 5000
+default['chef_server']['erchef']['s3_parallel_ops_fanout'] = 20
+default['chef_server']['erchef']['proxy_user'] = "pivotal"
+default['chef_server']['erchef']['validation_client_name'] = "chef-validator"
+default['chef_server']['erchef']['umask'] = "0022"
+default['chef_server']['erchef']['web_ui_client_name'] = "chef-webui"
+default['chef_server']['erchef']['root_metric_key'] = "chefAPI"
+default['chef_server']['erchef']['depsolver_worker_count'] = 5
+default['chef_server']['erchef']['depsolver_timeout'] = 5000
+default['chef_server']['erchef']['max_request_size'] = 1000000
+
+####
+# Chef Server WebUI
+####
+default['chef_server']['chef-server-webui']['enable'] = true
+default['chef_server']['chef-server-webui']['ha'] = false
+default['chef_server']['chef-server-webui']['dir'] = "/var/opt/chef-server/chef-server-webui"
+default['chef_server']['chef-server-webui']['log_directory'] = "/var/log/chef-server/chef-server-webui"
+default['chef_server']['chef-server-webui']['environment'] = 'chefserver'
+default['chef_server']['chef-server-webui']['listen'] = '127.0.0.1'
+default['chef_server']['chef-server-webui']['vip'] = '127.0.0.1'
+default['chef_server']['chef-server-webui']['port'] = 9462
+default['chef_server']['chef-server-webui']['backlog'] = 1024
+default['chef_server']['chef-server-webui']['tcp_nodelay'] = true
+default['chef_server']['chef-server-webui']['worker_timeout'] = 3600
+default['chef_server']['chef-server-webui']['umask'] = "0022"
+default['chef_server']['chef-server-webui']['worker_processes'] = 2
+default['chef_server']['chef-server-webui']['session_key'] = "_sandbox_session"
+default['chef_server']['chef-server-webui']['cookie_domain'] = "all"
+default['chef_server']['chef-server-webui']['cookie_secret'] = "47b3b8d95dea455baf32155e95d1e64e"
+default['chef_server']['chef-server-webui']['web_ui_client_name'] = "chef-webui"
+default['chef_server']['chef-server-webui']['web_ui_admin_user_name'] = "admin"
+default['chef_server']['chef-server-webui']['web_ui_admin_default_password'] = "p@ssw0rd1"
+
+####
+# Chef Pedant
+####
+default['chef_server']['chef-pedant']['dir'] = "/var/opt/chef-server/chef-pedant"
+default['chef_server']['chef-pedant']['log_directory'] = "/var/log/chef-server/chef-pedant"
+default['chef_server']['chef-pedant']['log_http_requests'] = true
+
+###
+# Estatsd
+###
+default['chef_server']['estatsd']['enable'] = true
+default['chef_server']['estatsd']['dir'] = "/var/opt/chef-server/estatsd"
+default['chef_server']['estatsd']['log_directory'] = "/var/log/chef-server/estatsd"
+default['chef_server']['estatsd']['vip'] = "127.0.0.1"
+default['chef_server']['estatsd']['port'] = 9466
+
+###
+# Load Balancer
+###
+default['chef_server']['lb']['enable'] = true
+default['chef_server']['lb']['vip'] = "127.0.0.1"
+default['chef_server']['lb']['api_fqdn'] = node['fqdn']
+default['chef_server']['lb']['web_ui_fqdn'] = node['fqdn']
+default['chef_server']['lb']['cache_cookbook_files'] = false
+default['chef_server']['lb']['debug'] = false
+default['chef_server']['lb']['upstream']['erchef'] = [ "127.0.0.1" ]
+default['chef_server']['lb']['upstream']['chef-server-webui'] = [ "127.0.0.1" ]
+default['chef_server']['lb']['upstream']['bookshelf'] = [ "127.0.0.1" ]
+
+####
+# Nginx
+####
+default['chef_server']['nginx']['enable'] = true
+default['chef_server']['nginx']['ha'] = false
+default['chef_server']['nginx']['dir'] = "/var/opt/chef-server/nginx"
+default['chef_server']['nginx']['log_directory'] = "/var/log/chef-server/nginx"
+default['chef_server']['nginx']['ssl_port'] = 443
+default['chef_server']['nginx']['enable_non_ssl'] = false
+default['chef_server']['nginx']['non_ssl_port'] = 80
+default['chef_server']['nginx']['server_name'] = node['fqdn']
+default['chef_server']['nginx']['url'] = "https://#{node['fqdn']}"
+# These options provide the current best security with TSLv1
+#default['chef_server']['nginx']['ssl_protocols'] = "-ALL +TLSv1"
+#default['chef_server']['nginx']['ssl_ciphers'] = "RC4:!MD5"
+# This might be necessary for auditors that want no MEDIUM security ciphers and don't understand BEAST attacks
+#default['chef_server']['nginx']['ssl_protocols'] = "-ALL +SSLv3 +TLSv1"
+#default['chef_server']['nginx']['ssl_ciphers'] = "HIGH:!MEDIUM:!LOW:!ADH:!kEDH:!aNULL:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
+# The following favors performance and compatibility, addresses BEAST, and should pass a PCI audit
+default['chef_server']['nginx']['ssl_protocols'] = "SSLv3 TLSv1"
+default['chef_server']['nginx']['ssl_ciphers'] = "RC4-SHA:RC4-MD5:RC4:RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
+default['chef_server']['nginx']['ssl_certificate'] = nil
+default['chef_server']['nginx']['ssl_certificate_key'] = nil
+default['chef_server']['nginx']['ssl_country_name'] = "US"
+default['chef_server']['nginx']['ssl_state_name'] = "WA"
+default['chef_server']['nginx']['ssl_locality_name'] = "Seattle"
+default['chef_server']['nginx']['ssl_company_name'] = "YouCorp"
+default['chef_server']['nginx']['ssl_organizational_unit_name'] = "Operations"
+default['chef_server']['nginx']['ssl_email_address'] = "you@example.com"
+default['chef_server']['nginx']['worker_processes'] = node['cpu']['total'].to_i
+default['chef_server']['nginx']['worker_connections'] = 10240
+default['chef_server']['nginx']['sendfile'] = 'on'
+default['chef_server']['nginx']['tcp_nopush'] = 'on'
+default['chef_server']['nginx']['tcp_nodelay'] = 'on'
+default['chef_server']['nginx']['gzip'] = "on"
+default['chef_server']['nginx']['gzip_http_version'] = "1.0"
+default['chef_server']['nginx']['gzip_comp_level'] = "2"
+default['chef_server']['nginx']['gzip_proxied'] = "any"
+default['chef_server']['nginx']['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
+default['chef_server']['nginx']['keepalive_timeout'] = 65
+default['chef_server']['nginx']['client_max_body_size'] = '250m'
+default['chef_server']['nginx']['cache_max_size'] = '5000m'
+
+###
+# PostgreSQL
+###
+default['chef_server']['postgresql']['enable'] = true
+default['chef_server']['postgresql']['ha'] = false
+default['chef_server']['postgresql']['dir'] = "/var/opt/chef-server/postgresql"
+default['chef_server']['postgresql']['data_dir'] = "/var/opt/chef-server/postgresql/data"
+default['chef_server']['postgresql']['log_directory'] = "/var/log/chef-server/postgresql"
+default['chef_server']['postgresql']['svlogd_size'] = 1000000
+default['chef_server']['postgresql']['svlogd_num'] = 10
+default['chef_server']['postgresql']['username'] = "opscode-pgsql"
+default['chef_server']['postgresql']['shell'] = "/bin/sh"
+default['chef_server']['postgresql']['home'] = "/var/opt/chef-server/postgresql"
+default['chef_server']['postgresql']['user_path'] = "/opt/chef-server/embedded/bin:/opt/chef-server/bin:$PATH"
+default['chef_server']['postgresql']['sql_user'] = "opscode_chef"
+default['chef_server']['postgresql']['sql_password'] = "snakepliskin"
+default['chef_server']['postgresql']['sql_ro_user'] = "opscode_chef_ro"
+default['chef_server']['postgresql']['sql_ro_password'] = "shmunzeltazzen"
+default['chef_server']['postgresql']['vip'] = "127.0.0.1"
+default['chef_server']['postgresql']['port'] = 5432
+default['chef_server']['postgresql']['listen_address'] = 'localhost'
+default['chef_server']['postgresql']['max_connections'] = 200
+default['chef_server']['postgresql']['md5_auth_cidr_addresses'] = [ ]
+default['chef_server']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
+default['chef_server']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295
+default['chef_server']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575
+
+# Resolves CHEF-3889
+if (node['memory']['total'].to_i / 4) > ((node['chef_server']['postgresql']['shmmax'].to_i / 1024) - 2097152)
+  # guard against setting shared_buffers > shmmax on hosts with installed RAM > 64GB
+  # use 2GB less than shmmax as the default for these large memory machines
+  default['chef_server']['postgresql']['shared_buffers'] = "14336MB"
+else
+  default['chef_server']['postgresql']['shared_buffers'] = "#{(node['memory']['total'].to_i / 4) / (1024)}MB"
+end
+
+default['chef_server']['postgresql']['work_mem'] = "8MB"
+default['chef_server']['postgresql']['effective_cache_size'] = "#{(node['memory']['total'].to_i / 2) / (1024)}MB"
+default['chef_server']['postgresql']['checkpoint_segments'] = 10
+default['chef_server']['postgresql']['checkpoint_timeout'] = "5min"
+default['chef_server']['postgresql']['checkpoint_completion_target'] = 0.9
+default['chef_server']['postgresql']['checkpoint_warning'] = "30s"
@@ -0,0 +1,140 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'mixlib/config'
+require 'chef/mash'
+require 'chef/json_compat'
+require 'chef/mixin/deep_merge'
+require 'securerandom'
+
+module ChefServer
+  extend(Mixlib::Config)
+
+  rabbitmq Mash.new
+  chef_solr Mash.new
+  chef_expander Mash.new
+  erchef Mash.new
+  chef_server_webui Mash.new
+  lb Mash.new
+  postgresql Mash.new
+  bookshelf Mash.new
+  bootstrap Mash.new
+  nginx Mash.new
+  api_fqdn nil
+  node nil
+  notification_email nil
+
+  class << self
+
+    # guards against creating secrets on non-bootstrap node
+    def generate_hex(chars)
+      SecureRandom.hex(chars)
+    end
+
+    def generate_secrets(node_name)
+      existing_secrets ||= Hash.new
+      if File.exists?("/etc/chef-server/chef-server-secrets.json")
+        existing_secrets = Chef::JSONCompat.from_json(File.read("/etc/chef-server/chef-server-secrets.json"))
+      end
+      existing_secrets.each do |k, v|
+        v.each do |pk, p|
+          ChefServer[k][pk] = p
+        end
+      end
+
+      ChefServer['rabbitmq']['password'] ||= generate_hex(50)
+      ChefServer['chef_server_webui']['cookie_secret'] ||= generate_hex(50)
+      ChefServer['postgresql']['sql_password'] ||= generate_hex(50)
+      ChefServer['postgresql']['sql_ro_password'] ||= generate_hex(50)
+      ChefServer['bookshelf']['access_key_id'] ||= generate_hex(20)
+      ChefServer['bookshelf']['secret_access_key'] ||= generate_hex(40)
+
+      if File.directory?("/etc/chef-server")
+        File.open("/etc/chef-server/chef-server-secrets.json", "w") do |f|
+          f.puts(
+            Chef::JSONCompat.to_json_pretty({
+              'rabbitmq' => {
+                'password' => ChefServer['rabbitmq']['password'],
+              },
+              'chef_server_webui' => {
+                'cookie_secret' => ChefServer['chef_server_webui']['cookie_secret'],
+              },
+              'postgresql' => {
+                'sql_password' => ChefServer['postgresql']['sql_password'],
+                'sql_ro_password' => ChefServer['postgresql']['sql_ro_password']
+              },
+              'bookshelf' => {
+                'access_key_id' => ChefServer['bookshelf']['access_key_id'],
+                'secret_access_key' => ChefServer['bookshelf']['secret_access_key']
+              }
+            })
+          )
+          system("chmod 0600 /etc/chef-server/chef-server-secrets.json")
+        end
+      end
+    end
+
+    def generate_hash
+      results = { "chef_server" => {} }
+      [
+        "rabbitmq",
+        "chef_solr",
+        "chef_expander",
+        "erchef",
+        "chef_server_webui",
+        "lb",
+        "postgresql",
+        "nginx",
+        "bookshelf",
+        "bootstrap"
+      ].each do |key|
+        rkey = key.gsub('_', '-')
+        results['chef_server'][rkey] = ChefServer[key]
+      end
+      results['chef_server']['notification_email'] = ChefServer['notification_email']
+
+      results
+    end
+
+    def gen_api_fqdn
+      ChefServer["lb"]["api_fqdn"] ||= ChefServer['api_fqdn']
+      ChefServer["lb"]["web_ui_fqdn"] ||= ChefServer['api_fqdn']
+      ChefServer["nginx"]["server_name"] ||= ChefServer['api_fqdn']
+
+      # If the user manually set an Nginx URL in the config file all bets are
+      # off...we just cross our fingers and hope they constructed the URL
+      # correctly! We may want to remove this 'private' config value from the
+      # documenation.
+      if ChefServer["nginx"]["url"].nil?
+        ChefServer["nginx"]["url"] = "https://#{ChefServer['api_fqdn']}"
+        if ChefServer["nginx"]["ssl_port"]
+          ChefServer["nginx"]["url"] << ":#{ChefServer["nginx"]["ssl_port"]}"
+        end
+      end
+
+      # The external bookshelf URL should match the external lb
+      ChefServer["bookshelf"]["url"] ||= ChefServer["nginx"]["url"]
+    end
+
+    def generate_config(node_name)
+      generate_secrets(node_name)
+      ChefServer[:api_fqdn] ||= node_name
+      gen_api_fqdn
+      generate_hash
+    end
+  end
+end
@@ -0,0 +1,194 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'mixlib/shellout'
+
+class PgHelper
+  attr_reader :node
+
+  def initialize(node)
+    @node = node
+  end
+
+  def is_running?
+    OmnibusHelper.service_up?("postgresql")
+  end
+
+  def database_exists?(db_name)
+    psql_cmd(["-d 'template1'",
+              "-c 'select datname from pg_database' -x",
+              "| grep #{db_name}"])
+  end
+
+  def sql_user_exists?
+    user_exists?(node['chef_server']['postgresql']['sql_user'])
+  end
+
+  def sql_ro_user_exists?
+    user_exists?(node['chef_server']['postgresql']['sql_ro_user'])
+  end
+  
+  def user_exists?(db_user)
+    psql_cmd(["-d 'template1'",
+              "-c 'select usename from pg_user' -x",
+              "|grep #{db_user}"])
+  end
+
+  def psql_cmd(cmd_list)
+    cmd = ["/opt/chef-server/embedded/bin/chpst",
+           "-u #{pg_user}",
+           "/opt/chef-server/embedded/bin/psql",
+           "--port #{pg_port}",
+           cmd_list.join(" ")].join(" ")
+    do_shell_out(cmd, 0)
+  end
+
+  def pg_user
+    node['chef_server']['postgresql']['username']
+  end
+
+  def pg_port
+    node['chef_server']['postgresql']['port']
+  end
+
+  def do_shell_out(cmd, expect_status)
+    o = Mixlib::ShellOut.new(cmd)
+    o.run_command
+    o.exitstatus == expect_status
+  end
+
+end
+
+class OmnibusHelper
+
+  def self.should_notify?(service_name)
+    File.symlink?("/opt/chef-server/service/#{service_name}") && service_up?(service_name)
+  end
+
+  def self.service_up?(service_name)
+    o = Mixlib::ShellOut.new("/opt/chef-server/bin/chef-server-ctl status #{service_name}")
+    o.run_command
+    o.exitstatus == 0
+  end
+
+  # generate a certificate signed by the opscode ca key
+  #
+  # === Returns
+  # [cert, key]
+  #
+  def self.gen_certificate
+    key = OpenSSL::PKey::RSA.generate(2048)
+    public_key = key.public_key
+    cert_uuid = UUIDTools::UUID.random_create
+    common_name = "URI:http://opscode.com/GUIDS/#{cert_uuid}"
+    info = [["C", "US"], ["ST", "Washington"], ["L", "Seattle"], ["O", "Opscode, Inc."], ["OU", "Certificate Service"], ["CN", common_name]]
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = OpenSSL::X509::Name.new(info)
+    cert.issuer = ca_certificate.subject
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 10 * 365 * 24 * 60 * 60 # 10 years
+    cert.public_key = public_key
+    cert.serial = 1
+    cert.version = 3
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = ca_certificate
+    cert.extensions = [
+                       ef.create_extension("basicConstraints","CA:FALSE",true),
+                       ef.create_extension("subjectKeyIdentifier", "hash")
+                      ]
+    cert.sign(ca_keypair, OpenSSL::Digest::SHA1.new)
+
+    return cert, key
+  end
+
+  ######################################################################
+  #
+  # the following is the Opscode CA key and certificate, copied from
+  # the cert project(s)
+  #
+  ######################################################################
+
+  def self.ca_certificate
+    @_ca_cert ||=
+      begin
+        cert_string = <<-EOCERT
+-----BEGIN CERTIFICATE-----
+MIIDyDCCAzGgAwIBAwIBATANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAUBgNVBAoM
+DU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZpY2UxMjAw
+BgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2NvZGUuY29t
+MB4XDTA5MDUwNjIzMDEzNVoXDTE5MDUwNDIzMDEzNVowgZ4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRYwFAYDVQQK
+DA1PcHNjb2RlLCBJbmMuMRwwGgYDVQQLDBNDZXJ0aWZpY2F0ZSBTZXJ2aWNlMTIw
+MAYDVQQDDClvcHNjb2RlLmNvbS9lbWFpbEFkZHJlc3M9YXV0aEBvcHNjb2RlLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlKTCZPmifZe9ruxlQpWRj+yx
+Mxt6+omH44jSfj4Obrnmm5eqVhRwjSfHOq383IeilFrNqC5VkiZrlLh8uhuTeaCy
+PE1eED7DZOmwuswTui49DqXiVE39jB6TnzZ3mr6HOPHXtPhSzdtILo18RMmgyfm/
+csrwct1B3GuQ9LSVMXkCAwEAAaOCARIwggEOMA8GA1UdEwEB/wQFMAMBAf8wHQYD
+VR0OBBYEFJ228MdlU86GfVLsQx8rleAeM+eLMA4GA1UdDwEB/wQEAwIBBjCBywYD
+VR0jBIHDMIHAgBSdtvDHZVPOhn1S7EMfK5XgHjPni6GBpKSBoTCBnjELMAkGA1UE
+BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAU
+BgNVBAoMDU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZp
+Y2UxMjAwBgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2Nv
+ZGUuY29tggEBMA0GCSqGSIb3DQEBBQUAA4GBAHJxAnwTt/liAMfZf5Khg7Mck4f+
+IkO3rjoI23XNbVHlctTOieSwzRZtBRdNOTzQvzzhh1KKpl3Rt04rrRPQvDeO/Usm
+pVr6g+lk2hhDgKKeR4J7qXZmlemZTrFZoobdoijDaOT5NuqkGt5ANdTqzRwbC9zQ
+t6vXSWGCFoo4AEic
+-----END CERTIFICATE-----
+EOCERT
+        OpenSSL::X509::Certificate.new(cert_string)
+      end
+  end
+
+  def self.ca_keypair
+    @_ca_key ||=
+      begin
+        keypair_string = <<-EOKEY
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCUpMJk+aJ9l72u7GVClZGP7LEzG3r6iYfjiNJ+Pg5uueabl6pW
+FHCNJ8c6rfzch6KUWs2oLlWSJmuUuHy6G5N5oLI8TV4QPsNk6bC6zBO6Lj0OpeJU
+Tf2MHpOfNneavoc48de0+FLN20gujXxEyaDJ+b9yyvBy3UHca5D0tJUxeQIDAQAB
+AoGAYAPRIeJyiIfk2cIPYqQ0g3BTwfyFQqJl6Z7uwOca8YEZqfWc7L+FOFiyg3/x
+rw3aAdRptbJASgiRQ16sCpdXeaRFY5gcO2MnqmCyoyp2//zhdFReSC+Akim1UPtG
+5SqqdV9I0TBl+1JlMiivn677mXGij+qyQjSWxW2pGVsbTSUCQQDDLb/DgoD0+N6O
+FIoJ/Mh5cgIxQhqXu/dylEv/I3goSJdXPAqhsnsa6zYQGdftnvMK1ZXS/hYL4i06
+w9lKDV8PAkEAwvaz1oUtXLNfYYAF42c1BoBhqCzjXSzMWPu5BlWQzSsdzgVgDuX3
+LlkiIdRtMcMaNskaBTtIClCxaEm3rUnm9wJAEOp2JEu7QYAQSeAd1p/CAESRTBOe
+mmgAGj4gGAzK7TLdawIZKcp+QOcB2INk44NTLS01vwOmhYEkymMPAgwGoQJAKimq
+GMFyXvLXtME4BMbEG+TVucYDYZoXk0LU776/cu9ZIb3d2Tr4asiR7hj/iFx2JdT1
+0J3SZZCv3SrcExjBXwJABS3/iQroe24tvrmyy4tc5YG5ygIRaBUCs6dn0fbisX/9
+K1oq5Lnwimy4l2NI0o/lxIqnwFilACjs3tuXH1OhMA==
+-----END RSA PRIVATE KEY-----
+EOKEY
+        OpenSSL::PKey::RSA.new(keypair_string)
+      end
+  end
+
+  def self.erl_atom_or_string(term)
+    case term
+    when Symbol
+      term
+    when String
+      "\"#{term}\""
+    else
+      "undefined"
+    end
+  end
+end
+
@@ -0,0 +1,188 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+postgresql_dir = node['chef_server']['postgresql']['dir']
+postgresql_data_dir = node['chef_server']['postgresql']['data_dir']
+postgresql_data_dir_symlink = File.join(postgresql_dir, "data")
+postgresql_log_dir = node['chef_server']['postgresql']['log_directory']
+chef_db_dir = Dir.glob("/opt/chef-server/embedded/service/erchef/lib/chef_db-*").first
+
+user node['chef_server']['postgresql']['username'] do
+  system true
+  shell node['chef_server']['postgresql']['shell']
+  home node['chef_server']['postgresql']['home']
+end
+
+directory postgresql_log_dir do
+  owner node['chef_server']['postgresql']['username']
+  recursive true
+end
+
+directory postgresql_dir do
+  owner node['chef_server']['postgresql']['username']
+  mode "0700"
+end
+
+directory postgresql_data_dir do
+  owner node['chef_server']['postgresql']['username']
+  mode "0700"
+  recursive true
+end
+
+link postgresql_data_dir_symlink do
+  to postgresql_data_dir
+  not_if { postgresql_data_dir == postgresql_data_dir_symlink }
+end
+
+file File.join(node['chef_server']['postgresql']['home'], ".profile") do
+  owner node['chef_server']['postgresql']['username']
+  mode "0644"
+  content <<-EOH
+PATH=#{node['chef_server']['postgresql']['user_path']}
+EOH
+end
+
+if File.directory?("/etc/sysctl.d") && File.exists?("/etc/init.d/procps")
+  # smells like ubuntu...
+  service "procps" do
+    action :nothing
+  end
+
+  template "/etc/sysctl.d/90-postgresql.conf" do
+    source "90-postgresql.conf.sysctl.erb"
+    owner "root"
+    mode  "0644"
+    variables(node['chef_server']['postgresql'].to_hash)
+    notifies :start, 'service[procps]', :immediately
+  end
+else
+  # hope this works...
+  execute "sysctl" do
+    command "/sbin/sysctl -p /etc/sysctl.conf"
+    action :nothing
+  end
+
+  bash "add shm settings" do
+    user "root"
+    code <<-EOF
+      echo 'kernel.shmmax = #{node['chef_server']['postgresql']['shmmax']}' >> /etc/sysctl.conf
+      echo 'kernel.shmall = #{node['chef_server']['postgresql']['shmall']}' >> /etc/sysctl.conf
+    EOF
+    notifies :run, 'execute[sysctl]', :immediately
+    not_if "egrep '^kernel.shmmax = ' /etc/sysctl.conf"
+  end
+end
+
+execute "/opt/chef-server/embedded/bin/initdb -D #{postgresql_data_dir}" do
+  user node['chef_server']['postgresql']['username']
+  not_if { File.exists?(File.join(postgresql_data_dir, "PG_VERSION")) }
+end
+
+postgresql_config = File.join(postgresql_data_dir, "postgresql.conf")
+
+template postgresql_config do
+  source "postgresql.conf.erb"
+  owner node['chef_server']['postgresql']['username']
+  mode "0644"
+  variables(node['chef_server']['postgresql'].to_hash)
+  notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
+
+pg_hba_config = File.join(postgresql_data_dir, "pg_hba.conf")
+
+template pg_hba_config do
+  source "pg_hba.conf.erb"
+  owner node['chef_server']['postgresql']['username']
+  mode "0644"
+  variables(node['chef_server']['postgresql'].to_hash)
+  notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
+
+should_notify = OmnibusHelper.should_notify?("postgresql")
+
+runit_service "postgresql" do
+  down node['chef_server']['postgresql']['ha']
+  control(['t'])
+  options({
+    :log_directory => postgresql_log_dir,
+    :svlogd_size => node['chef_server']['postgresql']['svlogd_size'],
+    :svlogd_num  => node['chef_server']['postgresql']['svlogd_num']
+  }.merge(params))
+end
+
+if node['chef_server']['bootstrap']['enable']
+  execute "/opt/chef-server/bin/chef-server-ctl start postgresql" do
+    retries 20
+  end
+end
+
+###
+# Create the database, migrate it, and create the users we need, and grant them
+# privileges.
+###
+pg_helper = PgHelper.new(node)
+pg_port = node['chef_server']['postgresql']['port']
+pg_user = node['chef_server']['postgresql']['username']
+bin_dir = "/opt/chef-server/embedded/bin"
+db_name = "opscode_chef"
+
+execute "create #{db_name} database" do
+  command "#{bin_dir}/createdb -T template0 --port #{pg_port} -E UTF-8 #{db_name}"
+  user pg_user
+  not_if { !pg_helper.is_running? || pg_helper.database_exists?(db_name) }
+  retries 30
+  notifies :run, "execute[migrate_database]", :immediately
+end
+
+execute "migrate_database" do
+  command "#{bin_dir}/psql #{db_name} --port #{pg_port} < priv/pgsql_schema.sql"
+  cwd chef_db_dir
+  user pg_user
+  action :nothing
+end
+
+sql_user        = node['chef_server']['postgresql']['sql_user']
+sql_user_passwd = node['chef_server']['postgresql']['sql_password']
+
+execute "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"CREATE USER #{sql_user} WITH SUPERUSER ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" do
+  cwd chef_db_dir
+  user pg_user
+  notifies :run, "execute[grant #{db_name} privileges]", :immediately
+  not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? }
+end
+
+execute "grant #{db_name} privileges" do
+  command "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"GRANT ALL PRIVILEGES ON DATABASE #{db_name} TO #{sql_user}\""
+  user pg_user
+  action :nothing
+end
+
+sql_ro_user = node['chef_server']['postgresql']['sql_ro_user']
+sql_ro_user_passwd = node['chef_server']['postgresql']['sql_ro_password']
+
+execute "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"CREATE USER #{sql_ro_user} WITH SUPERUSER ENCRYPTED PASSWORD '#{sql_ro_user_passwd}'\"" do
+  cwd chef_db_dir
+  user pg_user
+  notifies :run, "execute[grant #{db_name}_ro privileges]", :immediately
+  not_if { !pg_helper.is_running? || pg_helper.sql_ro_user_exists? }
+end
+
+execute "grant #{db_name}_ro privileges" do
+  command "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"GRANT ALL PRIVILEGES ON DATABASE #{db_name} TO #{sql_ro_user}\""
+  user pg_user
+  action :nothing
+end
@@ -0,0 +1,5 @@
+#
+# chef server postgresql kernel shm tweaks
+#
+kernel.shmmax = <%= node['chef_server']['postgresql']['shmmax'] %>
+kernel.shmall = <%= node['chef_server']['postgresql']['shmall'] %>
@@ -0,0 +1,75 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the
+# PostgreSQL documentation for a complete description
+# of this file.  A short synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local      DATABASE  USER  METHOD  [OPTION]
+# host       DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
+# hostssl    DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
+# hostnossl  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain socket,
+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", a database name, or
+# a comma-separated list thereof.
+#
+# USER can be "all", a user name, a group name prefixed with "+", or
+# a comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names from
+# a separate file.
+#
+# CIDR-ADDRESS specifies the set of hosts the record matches.
+# It is made up of an IP address and a CIDR mask that is an integer
+# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
+# the number of significant bits in the mask.  Alternatively, you can write
+# an IP address and netmask in separate columns to specify the set of hosts.
+#
+# METHOD can be "trust", "reject", "md5", "crypt", "password", "gss", "sspi",
+# "krb5", "ident", "pam" or "ldap".  Note that "password" sends passwords
+# in clear text; "md5" is preferred since it sends encrypted passwords.
+#
+# OPTION is the ident map or the name of the PAM service, depending on METHOD.
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
+# "samerole" makes the name lose its special character, and just match a
+# database or username with that name.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can use
+# "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL listen
+# on a non-local interface via the listen_addresses configuration parameter,
+# or via the -i or -h command line switches.
+#
+
+
+# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
+
+# "local" is for Unix domain socket connections only
+local   all         all                               trust
+
+<% node['chef_server']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %>
+host    all         all         <%= cidr %>           trust
+<% end %>
+
+<% node['chef_server']['postgresql']['md5_auth_cidr_addresses'].each do |cidr| %>
+host    all         all         <%= cidr %>           md5
+<% end %>
+
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+#
+# make postgresql stop/restart send sigint to terminate clients to postgresql
+# immediately.
+#
+
+RETVAL=0
+
+case "$1" in
+  stop|force-stop)
+    /opt/chef-server/embedded/bin/sv once postgresql
+    /opt/chef-server/embedded/bin/sv interrupt postgresql
+    RETVAL=$?
+    ;;
+  restart)
+    /opt/chef-server/embedded/bin/sv once postgresql
+    /opt/chef-server/embedded/bin/sv interrupt postgresql
+    sleep 5
+    /opt/chef-server/embedded/bin/sv start postgresql
+    RETVAL=$?
+    ;;
+	*)
+		/opt/chef-server/embedded/bin/sv $1 postgresql
+    RETVAL=$?
+esac
+
+exit $RETVAL
+
@@ -0,0 +1,556 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, or use "pg_ctl reload".  Some
+# parameters, which are marked below, require a server shutdown and restart to
+# take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                                                   h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'   # use data in another directory
+          # (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
+          # (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
+          # (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = '(none)'   # write an extra PID file
+          # (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '<%= node['chef_server']['postgresql']['listen_address'] %>'    # what IP address(es) to listen on;
+          # comma-separated list of addresses;
+          # defaults to 'localhost', '*' = all
+          # (change requires restart)
+port = <%= node['chef_server']['postgresql']['port'] %>        # (change requires restart)
+max_connections = <%= node['chef_server']['postgresql']['max_connections'] %>      # (change requires restart)
+# Note:  Increasing max_connections costs ~400 bytes of shared memory per
+# connection slot, plus lock space (see max_locks_per_transaction).
+#superuser_reserved_connections = 3 # (change requires restart)
+#unix_socket_directory = ''   # (change requires restart)
+#unix_socket_group = ''     # (change requires restart)
+#unix_socket_permissions = 0777   # begin with 0 to use octal notation
+          # (change requires restart)
+#bonjour = off        # advertise server via Bonjour
+          # (change requires restart)
+#bonjour_name = ''      # defaults to the computer name
+          # (change requires restart)
+
+# - Security and Authentication -
+
+#authentication_timeout = 1min    # 1s-600s
+#ssl = off        # (change requires restart)
+#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'  # allowed SSL ciphers
+          # (change requires restart)
+#ssl_renegotiation_limit = 512MB  # amount of data between renegotiations
+#password_encryption = on
+#db_user_namespace = off
+
+# Kerberos and GSSAPI
+#krb_server_keyfile = ''
+#krb_srvname = 'postgres'   # (Kerberos only)
+#krb_caseins_users = off
+
+# - TCP Keepalives -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0    # TCP_KEEPIDLE, in seconds;
+          # 0 selects the system default
+#tcp_keepalives_interval = 0    # TCP_KEEPINTVL, in seconds;
+          # 0 selects the system default
+#tcp_keepalives_count = 0   # TCP_KEEPCNT;
+          # 0 selects the system default
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+shared_buffers = <%= node['chef_server']['postgresql']['shared_buffers'] %> # min 128kB
+          # (change requires restart)
+#temp_buffers = 8MB     # min 800kB
+#max_prepared_transactions = 0    # zero disables the feature
+          # (change requires restart)
+# Note:  Increasing max_prepared_transactions costs ~600 bytes of shared memory
+# per transaction slot, plus lock space (see max_locks_per_transaction).
+# It is not advisable to set max_prepared_transactions nonzero unless you
+# actively intend to use prepared transactions.
+work_mem = <%= node['chef_server']['postgresql']['work_mem'] %>				# min 64kB
+#maintenance_work_mem = 16MB    # min 1MB
+#max_stack_depth = 2MB      # min 100kB
+
+# - Kernel Resource Usage -
+
+#max_files_per_process = 1000   # min 25
+          # (change requires restart)
+#shared_preload_libraries = ''    # (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0ms    # 0-100 milliseconds
+#vacuum_cost_page_hit = 1   # 0-10000 credits
+#vacuum_cost_page_miss = 10   # 0-10000 credits
+#vacuum_cost_page_dirty = 20    # 0-10000 credits
+#vacuum_cost_limit = 200    # 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms     # 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100    # 0-1000 max buffers written/round
+#bgwriter_lru_multiplier = 2.0    # 0-10.0 multipler on buffers scanned/round
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1   # 1-1000. 0 disables prefetching
+
+
+#------------------------------------------------------------------------------
+# WRITE AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = minimal      # minimal, archive, or hot_standby
+          # (change requires restart)
+#fsync = on       # turns forced synchronization on or off
+#synchronous_commit = on    # synchronization level; on, off, or local
+#wal_sync_method = fsync    # the default is the first option
+          # supported by the operating system:
+          #   open_datasync
+          #   fdatasync (default on Linux)
+          #   fsync
+          #   fsync_writethrough
+          #   open_sync
+#full_page_writes = on      # recover from partial page writes
+#wal_buffers = -1     # min 32kB, -1 sets based on shared_buffers
+          # (change requires restart)
+#wal_writer_delay = 200ms   # 1-10000 milliseconds
+
+#commit_delay = 0     # range 0-100000, in microseconds
+#commit_siblings = 5      # range 1-1000
+
+# - Checkpoints -
+
+checkpoint_segments =  <%= node['chef_server']['postgresql']['checkpoint_segments'] %>		# in logfile segments, min 1, 16MB each, default 3
+checkpoint_timeout = <%= node['chef_server']['postgresql']['checkpoint_timeout'] %>		# range 30s-1h, default 5min
+checkpoint_completion_target = <%= node['chef_server']['postgresql']['checkpoint_completion_target'] %>	# checkpoint target duration, 0.0 - 1.0, default 0.5
+checkpoint_warning = <%= node['chef_server']['postgresql']['checkpoint_warning'] %>		# 0 disables, default 30s
+
+# - Archiving -
+
+#archive_mode = off   # allows archiving to be done
+        # (change requires restart)
+#archive_command = ''   # command to use to archive a logfile segment
+#archive_timeout = 0    # force a logfile segment switch after this
+        # number of seconds; 0 disables
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Master Server -
+
+# These settings are ignored on a standby server
+
+#max_wal_senders = 0    # max number of walsender processes
+        # (change requires restart)
+#wal_sender_delay = 1s    # walsender cycle time, 1-10000 milliseconds
+#wal_keep_segments = 0    # in logfile segments, 16MB each; 0 disables
+#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
+#replication_timeout = 60s  # in milliseconds; 0 disables
+#synchronous_standby_names = '' # standby servers that provide sync rep
+        # comma-separated list of application_name
+        # from standby(s); '*' = all
+
+# - Standby Servers -
+
+# These settings are ignored on a master server
+
+#hot_standby = off      # "on" allows queries during recovery
+          # (change requires restart)
+#max_standby_archive_delay = 30s  # max delay before canceling queries
+          # when reading WAL from archive;
+          # -1 allows indefinite delay
+#max_standby_streaming_delay = 30s  # max delay before canceling queries
+          # when reading streaming WAL;
+          # -1 allows indefinite delay
+#wal_receiver_status_interval = 10s # send replies at least this often
+          # 0 disables
+#hot_standby_feedback = off   # send info from standby to prevent
+          # query conflicts
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0      # measured on an arbitrary scale
+#random_page_cost = 4.0     # same scale as above
+#cpu_tuple_cost = 0.01      # same scale as above
+#cpu_index_tuple_cost = 0.005   # same scale as above
+#cpu_operator_cost = 0.0025   # same scale as above
+effective_cache_size = <%= node['chef_server']['postgresql']['effective_cache_size'] %> # Default 128MB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5      # range 1-10
+#geqo_pool_size = 0     # selects default based on effort
+#geqo_generations = 0     # selects default based on effort
+#geqo_selection_bias = 2.0    # range 1.5-2.0
+#geqo_seed = 0.0      # range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100  # range 1-10000
+#constraint_exclusion = partition # on, off, or partition
+#cursor_tuple_fraction = 0.1    # range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8    # 1 disables collapsing of explicit
+          # JOIN clauses
+
+
+#------------------------------------------------------------------------------
+# ERROR REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'   # Valid values are combinations of
+          # stderr, csvlog, syslog, and eventlog,
+          # depending on platform.  csvlog
+          # requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off    # Enable capturing of stderr and csvlog
+          # into log files. Required to be on for
+          # csvlogs.
+          # (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'pg_log'   # directory where log files are written,
+          # can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'  # log file name pattern,
+          # can include strftime() escapes
+#log_file_mode = 0600     # creation mode for log files,
+          # begin with 0 to use octal notation
+#log_truncate_on_rotation = off   # If on, an existing log file with the
+          # same name as the new log file will be
+          # truncated rather than appended to.
+          # But such truncation only occurs on
+          # time-driven rotation, not on restarts
+          # or size-driven rotation.  Default is
+          # off, meaning append to existing files
+          # in all cases.
+#log_rotation_age = 1d      # Automatic rotation of logfiles will
+          # happen after that time.  0 disables.
+#log_rotation_size = 10MB   # Automatic rotation of logfiles will
+          # happen after that much log output.
+          # 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+
+#silent_mode = off      # Run server silently.
+          # DO NOT USE without syslog or
+          # logging_collector
+          # (change requires restart)
+
+
+# - When to Log -
+
+#client_min_messages = notice   # values in order of decreasing detail:
+          #   debug5
+          #   debug4
+          #   debug3
+          #   debug2
+          #   debug1
+          #   log
+          #   notice
+          #   warning
+          #   error
+
+#log_min_messages = warning   # values in order of decreasing detail:
+          #   debug5
+          #   debug4
+          #   debug3
+          #   debug2
+          #   debug1
+          #   info
+          #   notice
+          #   warning
+          #   error
+          #   log
+          #   fatal
+          #   panic
+
+#log_min_error_statement = error  # values in order of decreasing detail:
+          #   debug5
+          #   debug4
+          #   debug3
+          #   debug2
+          #   debug1
+          #   info
+          #   notice
+          #   warning
+          #   error
+          #   log
+          #   fatal
+          #   panic (effectively off)
+
+#log_min_duration_statement = -1  # -1 is disabled, 0 logs all statements
+          # and their durations, > 0 logs only
+          # statements running at least this number
+          # of milliseconds
+
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default    # terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = ''     # special values:
+          #   %a = application name
+          #   %u = user name
+          #   %d = database name
+          #   %r = remote host and port
+          #   %h = remote host
+          #   %p = process ID
+          #   %t = timestamp without milliseconds
+          #   %m = timestamp with milliseconds
+          #   %i = command tag
+          #   %e = SQL state
+          #   %c = session ID
+          #   %l = session line number
+          #   %s = session start timestamp
+          #   %v = virtual transaction ID
+          #   %x = transaction ID (0 if none)
+          #   %q = stop here in non-session
+          #        processes
+          #   %% = '%'
+          # e.g. '<%u%%%d> '
+#log_lock_waits = off     # log lock waits >= deadlock_timeout
+#log_statement = 'none'     # none, ddl, mod, all
+#log_temp_files = -1      # log temporary files equal or larger
+          # than the specified size in kilobytes;
+          # -1 disables, 0 logs all temp files
+#log_timezone = '(defaults to server environment setting)'
+
+
+#------------------------------------------------------------------------------
+# RUNTIME STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query/Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_functions = none     # none, pl, all
+#track_activity_query_size = 1024   # (change requires restart)
+#update_process_title = on
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Statistics Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM PARAMETERS
+#------------------------------------------------------------------------------
+
+#autovacuum = on      # Enable autovacuum subprocess?  'on'
+          # requires track_counts to also be on.
+#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
+          # their durations, > 0 logs only
+          # actions running at least this number
+          # of milliseconds.
+#autovacuum_max_workers = 3   # max number of autovacuum subprocesses
+          # (change requires restart)
+#autovacuum_naptime = 1min    # time between autovacuum runs
+#autovacuum_vacuum_threshold = 50 # min number of row updates before
+          # vacuum
+#autovacuum_analyze_threshold = 50  # min number of row updates before
+          # analyze
+#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1  # fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000  # maximum XID age before forced vacuum
+          # (change requires restart)
+#autovacuum_vacuum_cost_delay = 20ms  # default vacuum cost delay for
+          # autovacuum, in milliseconds;
+          # -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1  # default vacuum cost limit for
+          # autovacuum, -1 means use
+          # vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#search_path = '"$user",public'   # schema names
+#default_tablespace = ''    # a tablespace name, '' uses the default
+#temp_tablespaces = ''      # a list of tablespace names, '' uses
+          # only default tablespace
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0      # in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#bytea_output = 'hex'     # hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+
+# - Locale and Formatting -
+
+datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = '(defaults to server environment setting)'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+          # abbreviations.  Currently, there are
+          #   Default
+          #   Australia
+          #   India
+          # You can create your own file in
+          # share/timezonesets/.
+#extra_float_digits = 0     # min -15, max 3
+#client_encoding = sql_ascii    # actually, defaults to database
+          # encoding
+
+# These settings are initialized by initdb, but they can be changed.
+lc_messages = 'C'     # locale for system error message
+          # strings
+lc_monetary = 'C'     # locale for monetary formatting
+lc_numeric = 'C'      # locale for number formatting
+lc_time = 'C'       # locale for time formatting
+
+# default configuration for text search
+default_text_search_config = 'pg_catalog.english'
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+#local_preload_libraries = ''
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64   # min 10
+          # (change requires restart)
+# Note:  Each lock table slot uses ~270 bytes of shared memory, and there are
+# max_locks_per_transaction * (max_connections + max_prepared_transactions)
+# lock table slots.
+#max_pred_locks_per_transaction = 64  # min 10
+          # (change requires restart)
+
+#------------------------------------------------------------------------------
+# VERSION/PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding  # on, off, or safe_encoding
+#default_with_oids = off
+#escape_string_warning = on
+#lo_compat_privileges = off
+#quote_all_identifiers = off
+#sql_inheritance = on
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off        # terminate session on any error?
+#restart_after_crash = on     # reinitialize after backend crash?
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+#custom_variable_classes = ''   # list of custom variable class names
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "received TERM from runit, sending INT instead to force quit connections"
+/opt/chef-server/embedded/bin/sv interrupt postgresql
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>
@@ -0,0 +1,4 @@
+#!/bin/sh
+exec 2>&1
+exec chpst -P -U <%= node['chef_server']['postgresql']['username'] %> -u <%= node['chef_server']['postgresql']['username'] %> /opt/chef-server/embedded/bin/postgres -D <%= File.join(node['chef_server']['postgresql']['dir'], "data") %>
+
...	...	@@ -0,0 +1,279 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2012 Opscode, Inc.
	3	+# License:: Apache License, Version 2.0
	4	+#
	5	+# Licensed under the Apache License, Version 2.0 (the "License");
	6	+# you may not use this file except in compliance with the License.
	7	+# You may obtain a copy of the License at
	8	+#
	9	+# http://www.apache.org/licenses/LICENSE-2.0
	10	+#
	11	+# Unless required by applicable law or agreed to in writing, software
	12	+# distributed under the License is distributed on an "AS IS" BASIS,
	13	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	+# See the License for the specific language governing permissions and
	15	+# limitations under the License.
	16	+#
	17	+
	18	+###
	19	+# High level options
	20	+###
	21	+default['chef_server']['api_version'] = "11.0.2"
	22	+default['chef_server']['flavor'] = "osc" # Open Source Chef
	23	+
	24	+default['chef_server']['notification_email'] = "info@example.com"
	25	+default['chef_server']['bootstrap']['enable'] = true
	26	+
	27	+####
	28	+# The Chef User that services run as
	29	+####
	30	+# The username for the chef services user
	31	+default['chef_server']['user']['username'] = "chef_server"
	32	+# The shell for the chef services user
	33	+default['chef_server']['user']['shell'] = "/bin/sh"
	34	+# The home directory for the chef services user
	35	+default['chef_server']['user']['home'] = "/opt/chef-server/embedded"
	36	+
	37	+####
	38	+# RabbitMQ
	39	+####
	40	+default['chef_server']['rabbitmq']['enable'] = true
	41	+default['chef_server']['rabbitmq']['ha'] = false
	42	+default['chef_server']['rabbitmq']['dir'] = "/var/opt/chef-server/rabbitmq"
	43	+default['chef_server']['rabbitmq']['data_dir'] = "/var/opt/chef-server/rabbitmq/db"
	44	+default['chef_server']['rabbitmq']['log_directory'] = "/var/log/chef-server/rabbitmq"
	45	+default['chef_server']['rabbitmq']['vhost'] = '/chef'
	46	+default['chef_server']['rabbitmq']['user'] = 'chef'
	47	+default['chef_server']['rabbitmq']['password'] = 'chefrocks'
	48	+default['chef_server']['rabbitmq']['node_ip_address'] = '127.0.0.1'
	49	+default['chef_server']['rabbitmq']['node_port'] = '8672'
	50	+default['chef_server']['rabbitmq']['nodename'] = 'rabbit@localhost'
	51	+default['chef_server']['rabbitmq']['vip'] = '127.0.0.1'
	52	+default['chef_server']['rabbitmq']['consumer_id'] = 'hotsauce'
	53	+
	54	+####
	55	+# Chef Solr
	56	+####
	57	+default['chef_server']['chef-solr']['enable'] = true
	58	+default['chef_server']['chef-solr']['ha'] = false
	59	+default['chef_server']['chef-solr']['dir'] = "/var/opt/chef-server/chef-solr"
	60	+default['chef_server']['chef-solr']['data_dir'] = "/var/opt/chef-server/chef-solr/data"
	61	+default['chef_server']['chef-solr']['log_directory'] = "/var/log/chef-server/chef-solr"
	62	+# defaults for heap size and new generation size are computed in the chef-solr
	63	+# recipe based on node memory
	64	+default['chef_server']['chef-solr']['heap_size'] = nil
	65	+default['chef_server']['chef-solr']['new_size'] = nil
	66	+default['chef_server']['chef-solr']['java_opts'] = ""
	67	+default['chef_server']['chef-solr']['ip_address'] = '127.0.0.1'
	68	+default['chef_server']['chef-solr']['vip'] = '127.0.0.1'
	69	+default['chef_server']['chef-solr']['port'] = 8983
	70	+default['chef_server']['chef-solr']['ram_buffer_size'] = 200
	71	+default['chef_server']['chef-solr']['merge_factor'] = 100
	72	+default['chef_server']['chef-solr']['max_merge_docs'] = 2147483647
	73	+default['chef_server']['chef-solr']['max_field_length'] = 100000
	74	+default['chef_server']['chef-solr']['max_commit_docs'] = 1000
	75	+default['chef_server']['chef-solr']['commit_interval'] = 60000 # in ms
	76	+default['chef_server']['chef-solr']['poll_seconds'] = 20 # slave -> master poll interval in seconds, max of 60 (see solrconfig.xml.erb)
	77	+
	78	+####
	79	+# Chef Expander
	80	+####
	81	+default['chef_server']['chef-expander']['enable'] = true
	82	+default['chef_server']['chef-expander']['ha'] = false
	83	+default['chef_server']['chef-expander']['dir'] = "/var/opt/chef-server/chef-expander"
	84	+default['chef_server']['chef-expander']['log_directory'] = "/var/log/chef-server/chef-expander"
	85	+default['chef_server']['chef-expander']['reindexer_log_directory'] = "/var/log/chef-server/chef-expander-reindexer"
	86	+default['chef_server']['chef-expander']['consumer_id'] = "default"
	87	+default['chef_server']['chef-expander']['nodes'] = 2
	88	+
	89	+####
	90	+# Bookshelf
	91	+####
	92	+default['chef_server']['bookshelf']['enable'] = true
	93	+default['chef_server']['bookshelf']['ha'] = false
	94	+default['chef_server']['bookshelf']['dir'] = "/var/opt/chef-server/bookshelf"
	95	+default['chef_server']['bookshelf']['data_dir'] = "/var/opt/chef-server/bookshelf/data"
	96	+default['chef_server']['bookshelf']['log_directory'] = "/var/log/chef-server/bookshelf"
	97	+default['chef_server']['bookshelf']['svlogd_size'] = 1000000
	98	+default['chef_server']['bookshelf']['svlogd_num'] = 10
	99	+default['chef_server']['bookshelf']['vip'] = node['fqdn']
	100	+default['chef_server']['bookshelf']['url'] = "https://#{node['fqdn']}"
	101	+# Default: set to Host: header. Override to hardcode a url, "http://..."
	102	+default['chef_server']['bookshelf']['external_url'] = :host_header
	103	+default['chef_server']['bookshelf']['listen'] = '127.0.0.1'
	104	+default['chef_server']['bookshelf']['port'] = 4321
	105	+default['chef_server']['bookshelf']['stream_download'] = true
	106	+default['chef_server']['bookshelf']['access_key_id'] = "generated-by-default"
	107	+default['chef_server']['bookshelf']['secret_access_key'] = "generated-by-default"
	108	+
	109	+####
	110	+# Erlang Chef Server API
	111	+####
	112	+default['chef_server']['erchef']['enable'] = true
	113	+default['chef_server']['erchef']['ha'] = false
	114	+default['chef_server']['erchef']['dir'] = "/var/opt/chef-server/erchef"
	115	+default['chef_server']['erchef']['log_directory'] = "/var/log/chef-server/erchef"
	116	+default['chef_server']['erchef']['svlogd_size'] = 1000000
	117	+default['chef_server']['erchef']['svlogd_num'] = 10
	118	+default['chef_server']['erchef']['vip'] = '127.0.0.1'
	119	+default['chef_server']['erchef']['listen'] = '127.0.0.1'
	120	+default['chef_server']['erchef']['port'] = 8000
	121	+default['chef_server']['erchef']['auth_skew'] = '900'
	122	+default['chef_server']['erchef']['bulk_fetch_batch_size'] = '5'
	123	+default['chef_server']['erchef']['max_cache_size'] = '10000'
	124	+default['chef_server']['erchef']['cache_ttl'] = '3600'
	125	+default['chef_server']['erchef']['db_pool_size'] = '20'
	126	+default['chef_server']['erchef']['ibrowse_max_sessions'] = 256
	127	+default['chef_server']['erchef']['ibrowse_max_pipeline_size'] = 1
	128	+# Default: generate signed URLs based upon Host: header. Override with a url, "http:// ..."
	129	+default['chef_server']['erchef']['base_resource_url'] = :host_header
	130	+default['chef_server']['erchef']['s3_bucket'] = 'bookshelf'
	131	+default['chef_server']['erchef']['s3_url_ttl'] = 900
	132	+default['chef_server']['erchef']['s3_parallel_ops_timeout'] = 5000
	133	+default['chef_server']['erchef']['s3_parallel_ops_fanout'] = 20
	134	+default['chef_server']['erchef']['proxy_user'] = "pivotal"
	135	+default['chef_server']['erchef']['validation_client_name'] = "chef-validator"
	136	+default['chef_server']['erchef']['umask'] = "0022"
	137	+default['chef_server']['erchef']['web_ui_client_name'] = "chef-webui"
	138	+default['chef_server']['erchef']['root_metric_key'] = "chefAPI"
	139	+default['chef_server']['erchef']['depsolver_worker_count'] = 5
	140	+default['chef_server']['erchef']['depsolver_timeout'] = 5000
	141	+default['chef_server']['erchef']['max_request_size'] = 1000000
	142	+
	143	+####
	144	+# Chef Server WebUI
	145	+####
	146	+default['chef_server']['chef-server-webui']['enable'] = true
	147	+default['chef_server']['chef-server-webui']['ha'] = false
	148	+default['chef_server']['chef-server-webui']['dir'] = "/var/opt/chef-server/chef-server-webui"
	149	+default['chef_server']['chef-server-webui']['log_directory'] = "/var/log/chef-server/chef-server-webui"
	150	+default['chef_server']['chef-server-webui']['environment'] = 'chefserver'
	151	+default['chef_server']['chef-server-webui']['listen'] = '127.0.0.1'
	152	+default['chef_server']['chef-server-webui']['vip'] = '127.0.0.1'
	153	+default['chef_server']['chef-server-webui']['port'] = 9462
	154	+default['chef_server']['chef-server-webui']['backlog'] = 1024
	155	+default['chef_server']['chef-server-webui']['tcp_nodelay'] = true
	156	+default['chef_server']['chef-server-webui']['worker_timeout'] = 3600
	157	+default['chef_server']['chef-server-webui']['umask'] = "0022"
	158	+default['chef_server']['chef-server-webui']['worker_processes'] = 2
	159	+default['chef_server']['chef-server-webui']['session_key'] = "_sandbox_session"
	160	+default['chef_server']['chef-server-webui']['cookie_domain'] = "all"
	161	+default['chef_server']['chef-server-webui']['cookie_secret'] = "47b3b8d95dea455baf32155e95d1e64e"
	162	+default['chef_server']['chef-server-webui']['web_ui_client_name'] = "chef-webui"
	163	+default['chef_server']['chef-server-webui']['web_ui_admin_user_name'] = "admin"
	164	+default['chef_server']['chef-server-webui']['web_ui_admin_default_password'] = "p@ssw0rd1"
	165	+
	166	+####
	167	+# Chef Pedant
	168	+####
	169	+default['chef_server']['chef-pedant']['dir'] = "/var/opt/chef-server/chef-pedant"
	170	+default['chef_server']['chef-pedant']['log_directory'] = "/var/log/chef-server/chef-pedant"
	171	+default['chef_server']['chef-pedant']['log_http_requests'] = true
	172	+
	173	+###
	174	+# Estatsd
	175	+###
	176	+default['chef_server']['estatsd']['enable'] = true
	177	+default['chef_server']['estatsd']['dir'] = "/var/opt/chef-server/estatsd"
	178	+default['chef_server']['estatsd']['log_directory'] = "/var/log/chef-server/estatsd"
	179	+default['chef_server']['estatsd']['vip'] = "127.0.0.1"
	180	+default['chef_server']['estatsd']['port'] = 9466
	181	+
	182	+###
	183	+# Load Balancer
	184	+###
	185	+default['chef_server']['lb']['enable'] = true
	186	+default['chef_server']['lb']['vip'] = "127.0.0.1"
	187	+default['chef_server']['lb']['api_fqdn'] = node['fqdn']
	188	+default['chef_server']['lb']['web_ui_fqdn'] = node['fqdn']
	189	+default['chef_server']['lb']['cache_cookbook_files'] = false
	190	+default['chef_server']['lb']['debug'] = false
	191	+default['chef_server']['lb']['upstream']['erchef'] = [ "127.0.0.1" ]
	192	+default['chef_server']['lb']['upstream']['chef-server-webui'] = [ "127.0.0.1" ]
	193	+default['chef_server']['lb']['upstream']['bookshelf'] = [ "127.0.0.1" ]
	194	+
	195	+####
	196	+# Nginx
	197	+####
	198	+default['chef_server']['nginx']['enable'] = true
	199	+default['chef_server']['nginx']['ha'] = false
	200	+default['chef_server']['nginx']['dir'] = "/var/opt/chef-server/nginx"
	201	+default['chef_server']['nginx']['log_directory'] = "/var/log/chef-server/nginx"
	202	+default['chef_server']['nginx']['ssl_port'] = 443
	203	+default['chef_server']['nginx']['enable_non_ssl'] = false
	204	+default['chef_server']['nginx']['non_ssl_port'] = 80
	205	+default['chef_server']['nginx']['server_name'] = node['fqdn']
	206	+default['chef_server']['nginx']['url'] = "https://#{node['fqdn']}"
	207	+# These options provide the current best security with TSLv1
	208	+#default['chef_server']['nginx']['ssl_protocols'] = "-ALL +TLSv1"
	209	+#default['chef_server']['nginx']['ssl_ciphers'] = "RC4:!MD5"
	210	+# This might be necessary for auditors that want no MEDIUM security ciphers and don't understand BEAST attacks
	211	+#default['chef_server']['nginx']['ssl_protocols'] = "-ALL +SSLv3 +TLSv1"
	212	+#default['chef_server']['nginx']['ssl_ciphers'] = "HIGH:!MEDIUM:!LOW:!ADH:!kEDH:!aNULL:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
	213	+# The following favors performance and compatibility, addresses BEAST, and should pass a PCI audit
	214	+default['chef_server']['nginx']['ssl_protocols'] = "SSLv3 TLSv1"
	215	+default['chef_server']['nginx']['ssl_ciphers'] = "RC4-SHA:RC4-MD5:RC4:RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
	216	+default['chef_server']['nginx']['ssl_certificate'] = nil
	217	+default['chef_server']['nginx']['ssl_certificate_key'] = nil
	218	+default['chef_server']['nginx']['ssl_country_name'] = "US"
	219	+default['chef_server']['nginx']['ssl_state_name'] = "WA"
	220	+default['chef_server']['nginx']['ssl_locality_name'] = "Seattle"
	221	+default['chef_server']['nginx']['ssl_company_name'] = "YouCorp"
	222	+default['chef_server']['nginx']['ssl_organizational_unit_name'] = "Operations"
	223	+default['chef_server']['nginx']['ssl_email_address'] = "you@example.com"
	224	+default['chef_server']['nginx']['worker_processes'] = node['cpu']['total'].to_i
	225	+default['chef_server']['nginx']['worker_connections'] = 10240
	226	+default['chef_server']['nginx']['sendfile'] = 'on'
	227	+default['chef_server']['nginx']['tcp_nopush'] = 'on'
	228	+default['chef_server']['nginx']['tcp_nodelay'] = 'on'
	229	+default['chef_server']['nginx']['gzip'] = "on"
	230	+default['chef_server']['nginx']['gzip_http_version'] = "1.0"
	231	+default['chef_server']['nginx']['gzip_comp_level'] = "2"
	232	+default['chef_server']['nginx']['gzip_proxied'] = "any"
	233	+default['chef_server']['nginx']['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
	234	+default['chef_server']['nginx']['keepalive_timeout'] = 65
	235	+default['chef_server']['nginx']['client_max_body_size'] = '250m'
	236	+default['chef_server']['nginx']['cache_max_size'] = '5000m'
	237	+
	238	+###
	239	+# PostgreSQL
	240	+###
	241	+default['chef_server']['postgresql']['enable'] = true
	242	+default['chef_server']['postgresql']['ha'] = false
	243	+default['chef_server']['postgresql']['dir'] = "/var/opt/chef-server/postgresql"
	244	+default['chef_server']['postgresql']['data_dir'] = "/var/opt/chef-server/postgresql/data"
	245	+default['chef_server']['postgresql']['log_directory'] = "/var/log/chef-server/postgresql"
	246	+default['chef_server']['postgresql']['svlogd_size'] = 1000000
	247	+default['chef_server']['postgresql']['svlogd_num'] = 10
	248	+default['chef_server']['postgresql']['username'] = "opscode-pgsql"
	249	+default['chef_server']['postgresql']['shell'] = "/bin/sh"
	250	+default['chef_server']['postgresql']['home'] = "/var/opt/chef-server/postgresql"
	251	+default['chef_server']['postgresql']['user_path'] = "/opt/chef-server/embedded/bin:/opt/chef-server/bin:$PATH"
	252	+default['chef_server']['postgresql']['sql_user'] = "opscode_chef"
	253	+default['chef_server']['postgresql']['sql_password'] = "snakepliskin"
	254	+default['chef_server']['postgresql']['sql_ro_user'] = "opscode_chef_ro"
	255	+default['chef_server']['postgresql']['sql_ro_password'] = "shmunzeltazzen"
	256	+default['chef_server']['postgresql']['vip'] = "127.0.0.1"
	257	+default['chef_server']['postgresql']['port'] = 5432
	258	+default['chef_server']['postgresql']['listen_address'] = 'localhost'
	259	+default['chef_server']['postgresql']['max_connections'] = 200
	260	+default['chef_server']['postgresql']['md5_auth_cidr_addresses'] = [ ]
	261	+default['chef_server']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
	262	+default['chef_server']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295
	263	+default['chef_server']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575
	264	+
	265	+# Resolves CHEF-3889
	266	+if (node['memory']['total'].to_i / 4) > ((node['chef_server']['postgresql']['shmmax'].to_i / 1024) - 2097152)
	267	+ # guard against setting shared_buffers > shmmax on hosts with installed RAM > 64GB
	268	+ # use 2GB less than shmmax as the default for these large memory machines
	269	+ default['chef_server']['postgresql']['shared_buffers'] = "14336MB"
	270	+else
	271	+ default['chef_server']['postgresql']['shared_buffers'] = "#{(node['memory']['total'].to_i / 4) / (1024)}MB"
	272	+end
	273	+
	274	+default['chef_server']['postgresql']['work_mem'] = "8MB"
	275	+default['chef_server']['postgresql']['effective_cache_size'] = "#{(node['memory']['total'].to_i / 2) / (1024)}MB"
	276	+default['chef_server']['postgresql']['checkpoint_segments'] = 10
	277	+default['chef_server']['postgresql']['checkpoint_timeout'] = "5min"
	278	+default['chef_server']['postgresql']['checkpoint_completion_target'] = 0.9
	279	+default['chef_server']['postgresql']['checkpoint_warning'] = "30s"
...	...
...	...	@@ -0,0 +1,140 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2012 Opscode, Inc.
	3	+# License:: Apache License, Version 2.0
	4	+#
	5	+# Licensed under the Apache License, Version 2.0 (the "License");
	6	+# you may not use this file except in compliance with the License.
	7	+# You may obtain a copy of the License at
	8	+#
	9	+# http://www.apache.org/licenses/LICENSE-2.0
	10	+#
	11	+# Unless required by applicable law or agreed to in writing, software
	12	+# distributed under the License is distributed on an "AS IS" BASIS,
	13	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	+# See the License for the specific language governing permissions and
	15	+# limitations under the License.
	16	+#
	17	+
	18	+require 'mixlib/config'
	19	+require 'chef/mash'
	20	+require 'chef/json_compat'
	21	+require 'chef/mixin/deep_merge'
	22	+require 'securerandom'
	23	+
	24	+module ChefServer
	25	+ extend(Mixlib::Config)
	26	+
	27	+ rabbitmq Mash.new
	28	+ chef_solr Mash.new
	29	+ chef_expander Mash.new
	30	+ erchef Mash.new
	31	+ chef_server_webui Mash.new
	32	+ lb Mash.new
	33	+ postgresql Mash.new
	34	+ bookshelf Mash.new
	35	+ bootstrap Mash.new
	36	+ nginx Mash.new
	37	+ api_fqdn nil
	38	+ node nil
	39	+ notification_email nil
	40	+
	41	+ class << self
	42	+
	43	+ # guards against creating secrets on non-bootstrap node
	44	+ def generate_hex(chars)
	45	+ SecureRandom.hex(chars)
	46	+ end
	47	+
	48	+ def generate_secrets(node_name)
	49	+ existing_secrets \|\|= Hash.new
	50	+ if File.exists?("/etc/chef-server/chef-server-secrets.json")
	51	+ existing_secrets = Chef::JSONCompat.from_json(File.read("/etc/chef-server/chef-server-secrets.json"))
	52	+ end
	53	+ existing_secrets.each do \|k, v\|
	54	+ v.each do \|pk, p\|
	55	+ ChefServer[k][pk] = p
	56	+ end
	57	+ end
	58	+
	59	+ ChefServer['rabbitmq']['password'] \|\|= generate_hex(50)
	60	+ ChefServer['chef_server_webui']['cookie_secret'] \|\|= generate_hex(50)
	61	+ ChefServer['postgresql']['sql_password'] \|\|= generate_hex(50)
	62	+ ChefServer['postgresql']['sql_ro_password'] \|\|= generate_hex(50)
	63	+ ChefServer['bookshelf']['access_key_id'] \|\|= generate_hex(20)
	64	+ ChefServer['bookshelf']['secret_access_key'] \|\|= generate_hex(40)
	65	+
	66	+ if File.directory?("/etc/chef-server")
	67	+ File.open("/etc/chef-server/chef-server-secrets.json", "w") do \|f\|
	68	+ f.puts(
	69	+ Chef::JSONCompat.to_json_pretty({
	70	+ 'rabbitmq' => {
	71	+ 'password' => ChefServer['rabbitmq']['password'],
	72	+ },
	73	+ 'chef_server_webui' => {
	74	+ 'cookie_secret' => ChefServer['chef_server_webui']['cookie_secret'],
	75	+ },
	76	+ 'postgresql' => {
	77	+ 'sql_password' => ChefServer['postgresql']['sql_password'],
	78	+ 'sql_ro_password' => ChefServer['postgresql']['sql_ro_password']
	79	+ },
	80	+ 'bookshelf' => {
	81	+ 'access_key_id' => ChefServer['bookshelf']['access_key_id'],
	82	+ 'secret_access_key' => ChefServer['bookshelf']['secret_access_key']
	83	+ }
	84	+ })
	85	+ )
	86	+ system("chmod 0600 /etc/chef-server/chef-server-secrets.json")
	87	+ end
	88	+ end
	89	+ end
	90	+
	91	+ def generate_hash
	92	+ results = { "chef_server" => {} }
	93	+ [
	94	+ "rabbitmq",
	95	+ "chef_solr",
	96	+ "chef_expander",
	97	+ "erchef",
	98	+ "chef_server_webui",
	99	+ "lb",
	100	+ "postgresql",
	101	+ "nginx",
	102	+ "bookshelf",
	103	+ "bootstrap"
	104	+ ].each do \|key\|
	105	+ rkey = key.gsub('_', '-')
	106	+ results['chef_server'][rkey] = ChefServer[key]
	107	+ end
	108	+ results['chef_server']['notification_email'] = ChefServer['notification_email']
	109	+
	110	+ results
	111	+ end
	112	+
	113	+ def gen_api_fqdn
	114	+ ChefServer["lb"]["api_fqdn"] \|\|= ChefServer['api_fqdn']
	115	+ ChefServer["lb"]["web_ui_fqdn"] \|\|= ChefServer['api_fqdn']
	116	+ ChefServer["nginx"]["server_name"] \|\|= ChefServer['api_fqdn']
	117	+
	118	+ # If the user manually set an Nginx URL in the config file all bets are
	119	+ # off...we just cross our fingers and hope they constructed the URL
	120	+ # correctly! We may want to remove this 'private' config value from the
	121	+ # documenation.
	122	+ if ChefServer["nginx"]["url"].nil?
	123	+ ChefServer["nginx"]["url"] = "https://#{ChefServer['api_fqdn']}"
	124	+ if ChefServer["nginx"]["ssl_port"]
	125	+ ChefServer["nginx"]["url"] << ":#{ChefServer["nginx"]["ssl_port"]}"
	126	+ end
	127	+ end
	128	+
	129	+ # The external bookshelf URL should match the external lb
	130	+ ChefServer["bookshelf"]["url"] \|\|= ChefServer["nginx"]["url"]
	131	+ end
	132	+
	133	+ def generate_config(node_name)
	134	+ generate_secrets(node_name)
	135	+ ChefServer[:api_fqdn] \|\|= node_name
	136	+ gen_api_fqdn
	137	+ generate_hash
	138	+ end
	139	+ end
	140	+end
...	...
...	...	@@ -0,0 +1,194 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2012 Opscode, Inc.
	3	+# License:: Apache License, Version 2.0
	4	+#
	5	+# Licensed under the Apache License, Version 2.0 (the "License");
	6	+# you may not use this file except in compliance with the License.
	7	+# You may obtain a copy of the License at
	8	+#
	9	+# http://www.apache.org/licenses/LICENSE-2.0
	10	+#
	11	+# Unless required by applicable law or agreed to in writing, software
	12	+# distributed under the License is distributed on an "AS IS" BASIS,
	13	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	+# See the License for the specific language governing permissions and
	15	+# limitations under the License.
	16	+#
	17	+
	18	+require 'mixlib/shellout'
	19	+
	20	+class PgHelper
	21	+ attr_reader :node
	22	+
	23	+ def initialize(node)
	24	+ @node = node
	25	+ end
	26	+
	27	+ def is_running?
	28	+ OmnibusHelper.service_up?("postgresql")
	29	+ end
	30	+
	31	+ def database_exists?(db_name)
	32	+ psql_cmd(["-d 'template1'",
	33	+ "-c 'select datname from pg_database' -x",
	34	+ "\| grep #{db_name}"])
	35	+ end
	36	+
	37	+ def sql_user_exists?
	38	+ user_exists?(node['chef_server']['postgresql']['sql_user'])
	39	+ end
	40	+
	41	+ def sql_ro_user_exists?
	42	+ user_exists?(node['chef_server']['postgresql']['sql_ro_user'])
	43	+ end
	44	+
	45	+ def user_exists?(db_user)
	46	+ psql_cmd(["-d 'template1'",
	47	+ "-c 'select usename from pg_user' -x",
	48	+ "\|grep #{db_user}"])
	49	+ end
	50	+
	51	+ def psql_cmd(cmd_list)
	52	+ cmd = ["/opt/chef-server/embedded/bin/chpst",
	53	+ "-u #{pg_user}",
	54	+ "/opt/chef-server/embedded/bin/psql",
	55	+ "--port #{pg_port}",
	56	+ cmd_list.join(" ")].join(" ")
	57	+ do_shell_out(cmd, 0)
	58	+ end
	59	+
	60	+ def pg_user
	61	+ node['chef_server']['postgresql']['username']
	62	+ end
	63	+
	64	+ def pg_port
	65	+ node['chef_server']['postgresql']['port']
	66	+ end
	67	+
	68	+ def do_shell_out(cmd, expect_status)
	69	+ o = Mixlib::ShellOut.new(cmd)
	70	+ o.run_command
	71	+ o.exitstatus == expect_status
	72	+ end
	73	+
	74	+end
	75	+
	76	+class OmnibusHelper
	77	+
	78	+ def self.should_notify?(service_name)
	79	+ File.symlink?("/opt/chef-server/service/#{service_name}") && service_up?(service_name)
	80	+ end
	81	+
	82	+ def self.service_up?(service_name)
	83	+ o = Mixlib::ShellOut.new("/opt/chef-server/bin/chef-server-ctl status #{service_name}")
	84	+ o.run_command
	85	+ o.exitstatus == 0
	86	+ end
	87	+
	88	+ # generate a certificate signed by the opscode ca key
	89	+ #
	90	+ # === Returns
	91	+ # [cert, key]
	92	+ #
	93	+ def self.gen_certificate
	94	+ key = OpenSSL::PKey::RSA.generate(2048)
	95	+ public_key = key.public_key
	96	+ cert_uuid = UUIDTools::UUID.random_create
	97	+ common_name = "URI:http://opscode.com/GUIDS/#{cert_uuid}"
	98	+ info = [["C", "US"], ["ST", "Washington"], ["L", "Seattle"], ["O", "Opscode, Inc."], ["OU", "Certificate Service"], ["CN", common_name]]
	99	+ cert = OpenSSL::X509::Certificate.new
	100	+ cert.subject = OpenSSL::X509::Name.new(info)
	101	+ cert.issuer = ca_certificate.subject
	102	+ cert.not_before = Time.now
	103	+ cert.not_after = Time.now + 10 * 365 * 24 * 60 * 60 # 10 years
	104	+ cert.public_key = public_key
	105	+ cert.serial = 1
	106	+ cert.version = 3
	107	+
	108	+ ef = OpenSSL::X509::ExtensionFactory.new
	109	+ ef.subject_certificate = cert
	110	+ ef.issuer_certificate = ca_certificate
	111	+ cert.extensions = [
	112	+ ef.create_extension("basicConstraints","CA:FALSE",true),
	113	+ ef.create_extension("subjectKeyIdentifier", "hash")
	114	+ ]
	115	+ cert.sign(ca_keypair, OpenSSL::Digest::SHA1.new)
	116	+
	117	+ return cert, key
	118	+ end
	119	+
	120	+ ######################################################################
	121	+ #
	122	+ # the following is the Opscode CA key and certificate, copied from
	123	+ # the cert project(s)
	124	+ #
	125	+ ######################################################################
	126	+
	127	+ def self.ca_certificate
	128	+ @_ca_cert \|\|=
	129	+ begin
	130	+ cert_string = <<-EOCERT
	131	+-----BEGIN CERTIFICATE-----
	132	+MIIDyDCCAzGgAwIBAwIBATANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx
	133	+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAUBgNVBAoM
	134	+DU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZpY2UxMjAw
	135	+BgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2NvZGUuY29t
	136	+MB4XDTA5MDUwNjIzMDEzNVoXDTE5MDUwNDIzMDEzNVowgZ4xCzAJBgNVBAYTAlVT
	137	+MRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRYwFAYDVQQK
	138	+DA1PcHNjb2RlLCBJbmMuMRwwGgYDVQQLDBNDZXJ0aWZpY2F0ZSBTZXJ2aWNlMTIw
	139	+MAYDVQQDDClvcHNjb2RlLmNvbS9lbWFpbEFkZHJlc3M9YXV0aEBvcHNjb2RlLmNv
	140	+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlKTCZPmifZe9ruxlQpWRj+yx
	141	+Mxt6+omH44jSfj4Obrnmm5eqVhRwjSfHOq383IeilFrNqC5VkiZrlLh8uhuTeaCy
	142	+PE1eED7DZOmwuswTui49DqXiVE39jB6TnzZ3mr6HOPHXtPhSzdtILo18RMmgyfm/
	143	+csrwct1B3GuQ9LSVMXkCAwEAAaOCARIwggEOMA8GA1UdEwEB/wQFMAMBAf8wHQYD
	144	+VR0OBBYEFJ228MdlU86GfVLsQx8rleAeM+eLMA4GA1UdDwEB/wQEAwIBBjCBywYD
	145	+VR0jBIHDMIHAgBSdtvDHZVPOhn1S7EMfK5XgHjPni6GBpKSBoTCBnjELMAkGA1UE
	146	+BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAU
	147	+BgNVBAoMDU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZp
	148	+Y2UxMjAwBgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2Nv
	149	+ZGUuY29tggEBMA0GCSqGSIb3DQEBBQUAA4GBAHJxAnwTt/liAMfZf5Khg7Mck4f+
	150	+IkO3rjoI23XNbVHlctTOieSwzRZtBRdNOTzQvzzhh1KKpl3Rt04rrRPQvDeO/Usm
	151	+pVr6g+lk2hhDgKKeR4J7qXZmlemZTrFZoobdoijDaOT5NuqkGt5ANdTqzRwbC9zQ
	152	+t6vXSWGCFoo4AEic
	153	+-----END CERTIFICATE-----
	154	+EOCERT
	155	+ OpenSSL::X509::Certificate.new(cert_string)
	156	+ end
	157	+ end
	158	+
	159	+ def self.ca_keypair
	160	+ @_ca_key \|\|=
	161	+ begin
	162	+ keypair_string = <<-EOKEY
	163	+-----BEGIN RSA PRIVATE KEY-----
	164	+MIICWwIBAAKBgQCUpMJk+aJ9l72u7GVClZGP7LEzG3r6iYfjiNJ+Pg5uueabl6pW
	165	+FHCNJ8c6rfzch6KUWs2oLlWSJmuUuHy6G5N5oLI8TV4QPsNk6bC6zBO6Lj0OpeJU
	166	+Tf2MHpOfNneavoc48de0+FLN20gujXxEyaDJ+b9yyvBy3UHca5D0tJUxeQIDAQAB
	167	+AoGAYAPRIeJyiIfk2cIPYqQ0g3BTwfyFQqJl6Z7uwOca8YEZqfWc7L+FOFiyg3/x
	168	+rw3aAdRptbJASgiRQ16sCpdXeaRFY5gcO2MnqmCyoyp2//zhdFReSC+Akim1UPtG
	169	+5SqqdV9I0TBl+1JlMiivn677mXGij+qyQjSWxW2pGVsbTSUCQQDDLb/DgoD0+N6O
	170	+FIoJ/Mh5cgIxQhqXu/dylEv/I3goSJdXPAqhsnsa6zYQGdftnvMK1ZXS/hYL4i06
	171	+w9lKDV8PAkEAwvaz1oUtXLNfYYAF42c1BoBhqCzjXSzMWPu5BlWQzSsdzgVgDuX3
	172	+LlkiIdRtMcMaNskaBTtIClCxaEm3rUnm9wJAEOp2JEu7QYAQSeAd1p/CAESRTBOe
	173	+mmgAGj4gGAzK7TLdawIZKcp+QOcB2INk44NTLS01vwOmhYEkymMPAgwGoQJAKimq
	174	+GMFyXvLXtME4BMbEG+TVucYDYZoXk0LU776/cu9ZIb3d2Tr4asiR7hj/iFx2JdT1
	175	+0J3SZZCv3SrcExjBXwJABS3/iQroe24tvrmyy4tc5YG5ygIRaBUCs6dn0fbisX/9
	176	+K1oq5Lnwimy4l2NI0o/lxIqnwFilACjs3tuXH1OhMA==
	177	+-----END RSA PRIVATE KEY-----
	178	+EOKEY
	179	+ OpenSSL::PKey::RSA.new(keypair_string)
	180	+ end
	181	+ end
	182	+
	183	+ def self.erl_atom_or_string(term)
	184	+ case term
	185	+ when Symbol
	186	+ term
	187	+ when String
	188	+ "\"#{term}\""
	189	+ else
	190	+ "undefined"
	191	+ end
	192	+ end
	193	+end
	194	+
...	...
...	...	@@ -0,0 +1,188 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2012 Opscode, Inc.
	3	+# License:: Apache License, Version 2.0
	4	+#
	5	+# Licensed under the Apache License, Version 2.0 (the "License");
	6	+# you may not use this file except in compliance with the License.
	7	+# You may obtain a copy of the License at
	8	+#
	9	+# http://www.apache.org/licenses/LICENSE-2.0
	10	+#
	11	+# Unless required by applicable law or agreed to in writing, software
	12	+# distributed under the License is distributed on an "AS IS" BASIS,
	13	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	+# See the License for the specific language governing permissions and
	15	+# limitations under the License.
	16	+#
	17	+
	18	+postgresql_dir = node['chef_server']['postgresql']['dir']
	19	+postgresql_data_dir = node['chef_server']['postgresql']['data_dir']
	20	+postgresql_data_dir_symlink = File.join(postgresql_dir, "data")
	21	+postgresql_log_dir = node['chef_server']['postgresql']['log_directory']
	22	+chef_db_dir = Dir.glob("/opt/chef-server/embedded/service/erchef/lib/chef_db-*").first
	23	+
	24	+user node['chef_server']['postgresql']['username'] do
	25	+ system true
	26	+ shell node['chef_server']['postgresql']['shell']
	27	+ home node['chef_server']['postgresql']['home']
	28	+end
	29	+
	30	+directory postgresql_log_dir do
	31	+ owner node['chef_server']['postgresql']['username']
	32	+ recursive true
	33	+end
	34	+
	35	+directory postgresql_dir do
	36	+ owner node['chef_server']['postgresql']['username']
	37	+ mode "0700"
	38	+end
	39	+
	40	+directory postgresql_data_dir do
	41	+ owner node['chef_server']['postgresql']['username']
	42	+ mode "0700"
	43	+ recursive true
	44	+end
	45	+
	46	+link postgresql_data_dir_symlink do
	47	+ to postgresql_data_dir
	48	+ not_if { postgresql_data_dir == postgresql_data_dir_symlink }
	49	+end
	50	+
	51	+file File.join(node['chef_server']['postgresql']['home'], ".profile") do
	52	+ owner node['chef_server']['postgresql']['username']
	53	+ mode "0644"
	54	+ content <<-EOH
	55	+PATH=#{node['chef_server']['postgresql']['user_path']}
	56	+EOH
	57	+end
	58	+
	59	+if File.directory?("/etc/sysctl.d") && File.exists?("/etc/init.d/procps")
	60	+ # smells like ubuntu...
	61	+ service "procps" do
	62	+ action :nothing
	63	+ end
	64	+
	65	+ template "/etc/sysctl.d/90-postgresql.conf" do
	66	+ source "90-postgresql.conf.sysctl.erb"
	67	+ owner "root"
	68	+ mode "0644"
	69	+ variables(node['chef_server']['postgresql'].to_hash)
	70	+ notifies :start, 'service[procps]', :immediately
	71	+ end
	72	+else
	73	+ # hope this works...
	74	+ execute "sysctl" do
	75	+ command "/sbin/sysctl -p /etc/sysctl.conf"
	76	+ action :nothing
	77	+ end
	78	+
	79	+ bash "add shm settings" do
	80	+ user "root"
	81	+ code <<-EOF
	82	+ echo 'kernel.shmmax = #{node['chef_server']['postgresql']['shmmax']}' >> /etc/sysctl.conf
	83	+ echo 'kernel.shmall = #{node['chef_server']['postgresql']['shmall']}' >> /etc/sysctl.conf
	84	+ EOF
	85	+ notifies :run, 'execute[sysctl]', :immediately
	86	+ not_if "egrep '^kernel.shmmax = ' /etc/sysctl.conf"
	87	+ end
	88	+end
	89	+
	90	+execute "/opt/chef-server/embedded/bin/initdb -D #{postgresql_data_dir}" do
	91	+ user node['chef_server']['postgresql']['username']
	92	+ not_if { File.exists?(File.join(postgresql_data_dir, "PG_VERSION")) }
	93	+end
	94	+
	95	+postgresql_config = File.join(postgresql_data_dir, "postgresql.conf")
	96	+
	97	+template postgresql_config do
	98	+ source "postgresql.conf.erb"
	99	+ owner node['chef_server']['postgresql']['username']
	100	+ mode "0644"
	101	+ variables(node['chef_server']['postgresql'].to_hash)
	102	+ notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
	103	+end
	104	+
	105	+pg_hba_config = File.join(postgresql_data_dir, "pg_hba.conf")
	106	+
	107	+template pg_hba_config do
	108	+ source "pg_hba.conf.erb"
	109	+ owner node['chef_server']['postgresql']['username']
	110	+ mode "0644"
	111	+ variables(node['chef_server']['postgresql'].to_hash)
	112	+ notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
	113	+end
	114	+
	115	+should_notify = OmnibusHelper.should_notify?("postgresql")
	116	+
	117	+runit_service "postgresql" do
	118	+ down node['chef_server']['postgresql']['ha']
	119	+ control(['t'])
	120	+ options({
	121	+ :log_directory => postgresql_log_dir,
	122	+ :svlogd_size => node['chef_server']['postgresql']['svlogd_size'],
	123	+ :svlogd_num => node['chef_server']['postgresql']['svlogd_num']
	124	+ }.merge(params))
	125	+end
	126	+
	127	+if node['chef_server']['bootstrap']['enable']
	128	+ execute "/opt/chef-server/bin/chef-server-ctl start postgresql" do
	129	+ retries 20
	130	+ end
	131	+end
	132	+
	133	+###
	134	+# Create the database, migrate it, and create the users we need, and grant them
	135	+# privileges.
	136	+###
	137	+pg_helper = PgHelper.new(node)
	138	+pg_port = node['chef_server']['postgresql']['port']
	139	+pg_user = node['chef_server']['postgresql']['username']
	140	+bin_dir = "/opt/chef-server/embedded/bin"
	141	+db_name = "opscode_chef"
	142	+
	143	+execute "create #{db_name} database" do
	144	+ command "#{bin_dir}/createdb -T template0 --port #{pg_port} -E UTF-8 #{db_name}"
	145	+ user pg_user
	146	+ not_if { !pg_helper.is_running? \|\| pg_helper.database_exists?(db_name) }
	147	+ retries 30
	148	+ notifies :run, "execute[migrate_database]", :immediately
	149	+end
	150	+
	151	+execute "migrate_database" do
	152	+ command "#{bin_dir}/psql #{db_name} --port #{pg_port} < priv/pgsql_schema.sql"
	153	+ cwd chef_db_dir
	154	+ user pg_user
	155	+ action :nothing
	156	+end
	157	+
	158	+sql_user = node['chef_server']['postgresql']['sql_user']
	159	+sql_user_passwd = node['chef_server']['postgresql']['sql_password']
	160	+
	161	+execute "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"CREATE USER #{sql_user} WITH SUPERUSER ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" do
	162	+ cwd chef_db_dir
	163	+ user pg_user
	164	+ notifies :run, "execute[grant #{db_name} privileges]", :immediately
	165	+ not_if { !pg_helper.is_running? \|\| pg_helper.sql_user_exists? }
	166	+end
	167	+
	168	+execute "grant #{db_name} privileges" do
	169	+ command "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"GRANT ALL PRIVILEGES ON DATABASE #{db_name} TO #{sql_user}\""
	170	+ user pg_user
	171	+ action :nothing
	172	+end
	173	+
	174	+sql_ro_user = node['chef_server']['postgresql']['sql_ro_user']
	175	+sql_ro_user_passwd = node['chef_server']['postgresql']['sql_ro_password']
	176	+
	177	+execute "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"CREATE USER #{sql_ro_user} WITH SUPERUSER ENCRYPTED PASSWORD '#{sql_ro_user_passwd}'\"" do
	178	+ cwd chef_db_dir
	179	+ user pg_user
	180	+ notifies :run, "execute[grant #{db_name}_ro privileges]", :immediately
	181	+ not_if { !pg_helper.is_running? \|\| pg_helper.sql_ro_user_exists? }
	182	+end
	183	+
	184	+execute "grant #{db_name}_ro privileges" do
	185	+ command "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"GRANT ALL PRIVILEGES ON DATABASE #{db_name} TO #{sql_ro_user}\""
	186	+ user pg_user
	187	+ action :nothing
	188	+end
...	...
...	...	@@ -0,0 +1,5 @@
	1	+#
	2	+# chef server postgresql kernel shm tweaks
	3	+#
	4	+kernel.shmmax = <%= node['chef_server']['postgresql']['shmmax'] %>
	5	+kernel.shmall = <%= node['chef_server']['postgresql']['shmall'] %>
...	...
...	...	@@ -0,0 +1,75 @@
	1	+# PostgreSQL Client Authentication Configuration File
	2	+# ===================================================
	3	+#
	4	+# Refer to the "Client Authentication" section in the
	5	+# PostgreSQL documentation for a complete description
	6	+# of this file. A short synopsis follows.
	7	+#
	8	+# This file controls: which hosts are allowed to connect, how clients
	9	+# are authenticated, which PostgreSQL user names they can use, which
	10	+# databases they can access. Records take one of these forms:
	11	+#
	12	+# local DATABASE USER METHOD [OPTION]
	13	+# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
	14	+# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
	15	+# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
	16	+#
	17	+# (The uppercase items must be replaced by actual values.)
	18	+#
	19	+# The first field is the connection type: "local" is a Unix-domain socket,
	20	+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
	21	+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
	22	+#
	23	+# DATABASE can be "all", "sameuser", "samerole", a database name, or
	24	+# a comma-separated list thereof.
	25	+#
	26	+# USER can be "all", a user name, a group name prefixed with "+", or
	27	+# a comma-separated list thereof. In both the DATABASE and USER fields
	28	+# you can also write a file name prefixed with "@" to include names from
	29	+# a separate file.
	30	+#
	31	+# CIDR-ADDRESS specifies the set of hosts the record matches.
	32	+# It is made up of an IP address and a CIDR mask that is an integer
	33	+# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
	34	+# the number of significant bits in the mask. Alternatively, you can write
	35	+# an IP address and netmask in separate columns to specify the set of hosts.
	36	+#
	37	+# METHOD can be "trust", "reject", "md5", "crypt", "password", "gss", "sspi",
	38	+# "krb5", "ident", "pam" or "ldap". Note that "password" sends passwords
	39	+# in clear text; "md5" is preferred since it sends encrypted passwords.
	40	+#
	41	+# OPTION is the ident map or the name of the PAM service, depending on METHOD.
	42	+#
	43	+# Database and user names containing spaces, commas, quotes and other special
	44	+# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
	45	+# "samerole" makes the name lose its special character, and just match a
	46	+# database or username with that name.
	47	+#
	48	+# This file is read on server startup and when the postmaster receives
	49	+# a SIGHUP signal. If you edit the file on a running system, you have
	50	+# to SIGHUP the postmaster for the changes to take effect. You can use
	51	+# "pg_ctl reload" to do that.
	52	+
	53	+# Put your actual configuration here
	54	+# ----------------------------------
	55	+#
	56	+# If you want to allow non-local connections, you need to add more
	57	+# "host" records. In that case you will also need to make PostgreSQL listen
	58	+# on a non-local interface via the listen_addresses configuration parameter,
	59	+# or via the -i or -h command line switches.
	60	+#
	61	+
	62	+
	63	+# TYPE DATABASE USER CIDR-ADDRESS METHOD
	64	+
	65	+# "local" is for Unix domain socket connections only
	66	+local all all trust
	67	+
	68	+<% node['chef_server']['postgresql']['trust_auth_cidr_addresses'].each do \|cidr\| %>
	69	+host all all <%= cidr %> trust
	70	+<% end %>
	71	+
	72	+<% node['chef_server']['postgresql']['md5_auth_cidr_addresses'].each do \|cidr\| %>
	73	+host all all <%= cidr %> md5
	74	+<% end %>
	75	+
...	...
...	...	@@ -0,0 +1,29 @@
	1	+#!/bin/sh
	2	+
	3	+#
	4	+# make postgresql stop/restart send sigint to terminate clients to postgresql
	5	+# immediately.
	6	+#
	7	+
	8	+RETVAL=0
	9	+
	10	+case "$1" in
	11	+ stop\|force-stop)
	12	+ /opt/chef-server/embedded/bin/sv once postgresql
	13	+ /opt/chef-server/embedded/bin/sv interrupt postgresql
	14	+ RETVAL=$?
	15	+ ;;
	16	+ restart)
	17	+ /opt/chef-server/embedded/bin/sv once postgresql
	18	+ /opt/chef-server/embedded/bin/sv interrupt postgresql
	19	+ sleep 5
	20	+ /opt/chef-server/embedded/bin/sv start postgresql
	21	+ RETVAL=$?
	22	+ ;;
	23	+ *)
	24	+ /opt/chef-server/embedded/bin/sv $1 postgresql
	25	+ RETVAL=$?
	26	+esac
	27	+
	28	+exit $RETVAL
	29	+
...	...
...	...	@@ -0,0 +1,3 @@
	1	+#!/bin/sh
	2	+echo "received TERM from runit, sending INT instead to force quit connections"
	3	+/opt/chef-server/embedded/bin/sv interrupt postgresql
...	...
...	...	@@ -0,0 +1,2 @@
	1	+#!/bin/sh
	2	+exec svlogd -tt <%= @options[:log_directory] %>
...	...
...	...	@@ -0,0 +1,4 @@
	1	+#!/bin/sh
	2	+exec 2>&1
	3	+exec chpst -P -U <%= node['chef_server']['postgresql']['username'] %> -u <%= node['chef_server']['postgresql']['username'] %> /opt/chef-server/embedded/bin/postgres -D <%= File.join(node['chef_server']['postgresql']['dir'], "data") %>
	4	+
...	...