Improve sandboxing of prometheus collectors

[chef.git] / cookbooks / nominatim / recipes / default.rb

diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index 7b218d9511324d6b876286bdb7a4ba79925f2072..537de83f5d8080e968bd312d52884a8925c4a9e9 100644 (file)
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -131,6 +131,8 @@ package %w[
   libbz2-dev
   libpq-dev
   libproj-dev
+  liblua5.3-dev
+  lua5.3
   python3-pyosmium
   python3-psycopg2
   python3-dotenv
@@ -226,7 +228,8 @@ template "#{project_directory}/.env" do
             :dbname => node[:nominatim][:dbname],
             :flatnode_file => node[:nominatim][:flatnode_file],
             :log_file => "#{node[:nominatim][:logdir]}/query.log",
-            :tokenizer => node[:nominatim][:config][:tokenizer]
+            :tokenizer => node[:nominatim][:config][:tokenizer],
+            :forward_dependencies => node[:nominatim][:config][:forward_dependencies]
 end
 
 %w[wikimedia-importance.sql.gz gb_postcodes.csv.gz us_postcodes.csv.gz].each do |fname|
@@ -509,6 +512,7 @@ end
 prometheus_exporter "nominatim" do
   port 8082
   user "www-data"
+  restrict_address_families "AF_UNIX"
   options [
     "--nominatim.query-log=#{node[:nominatim][:logdir]}/query.log",
     "--nominatim.database-name=#{node[:nominatim][:dbname]}"