Modify Opscode's Postfix Cookbook to Use an Encrypted Data Bag - nshenry03/chef-repo GitHub Wiki
From Joshua Timberman's Encrypted Data Bag for Postfix SASL Authentication post.
To begin, I forked Opscode's Postfix Cookbook and then cloned it to a directory on my machine where I work on cookbooks (outside of the chef repository). I then added the original repository as another remote named 'upstream' so that I can keep track of the original repository: git remote add upstream [email protected]:opscode-cookbooks/postfix.git
.
Okay, on to editing the code...
First I modify the metadata.rb
. I change the 'maintainer' and 'maintainer_email' settings (since we will be responsible for keeping up with Opscode's updates and we will be responsible for any code that we add). I then change README.md
to document that this cookbook was forked from
I follow Josh's post and create a secret key:
openssl rand -base64 512 > .chef/encrypted_data_bag_secret
Next, I created the actual data bag.
knife data bag create encrypted_data_bags
Next I created the data bag item using the secret key. This is created directly on the Chef Server, rather than a plain text file (see next steps for file contents).
knife data bag create encrypted_data_bags postfix --secret-file ~/.chef/encrypted_data_bag_secret
I’m not saving the plaintext data bag item, but will store the encrypted item, so I’ll retrieve it from the Chef Server and redirect the output to a JSON file.
mkdir data_bags/encrypted_data_bags
knife data bag show encrypted_data_bags postfix -Fj > data_bags/encrypted_data_bags/postfix.json
Contents of data_bags/encrypted_data_bags/postfix.json
:
{
"id": "postfix",
"production" : {
"user": "encrypted string here",
"passwd": "encrypted string here"
},
"staging" : {
"user": "encrypted string here",
"passwd": "encrypted string here"
},
"test" : {
"user": "encrypted string here",
"passwd": "encrypted string here"
},
"development" : {
"user": "encrypted string here",
"passwd": "encrypted string here"
},
"_default" : {
"user": "encrypted string here",
"passwd": "encrypted string here"
}
}
The current recipe doesn’t support using an encrypted data bag item, so I had to modify it. First, load the encrypted data bag item.
smtp_sasl = encrypted_data_bag_item("encrypted_data_bags", "postfix")
This access the "encrypted_data_bags" data bag for the "postfix" item, and uses the default value for the secret key file (which is “/etc/chef/encrypted_data_bag_secret”.
Next, I update the sasl_passwd template to pass in the user and password from the data bag item.
template "/etc/postfix/sasl_passwd" do
#...
variables(
:smtp_sasl_passwd => smtp_sasl[node.chef_environment]['passwd'],
:smtp_sasl_user_name => smtp_sasl[node.chef_environment]['user']
)
#...
end
Then, update the sasl template to use the new values:
<%= node[:postfix][:relayhost] %> <%= @smtp_sasl_user_name %>:<%= @smtp_sasl_passwd %>
Finally, we want to modify the cookbook to support the 'smtp_tls_security_level' configuration option...
In attributes/default.rb
, add the following line (under 'smtp_tls_cafile'):
default['postfix']['smtp_tls_security_level'] = ""
In templates/default/main.cf.erb
, add the following line (under 'smtp_tls_cafile'):
smtp_tls_security_level = <%= node['postfix']['smtp_tls_security_level'] %>
NOTE: You can see the changes I've made by cloning my postfix repo and running the following:
git diff '3d18ce0e397a5dfb996848c9db44e0e794b332f8' '2.1.7'