X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/2bfb0ef07fb64314f5c4ded641a8c280df9c1d0b..34fa7af72d6aa3ea6ff7c236bbd35aadcfcfc306:/cookbooks/web/recipes/rails.rb diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb index c60655f9e..c5130a91a 100644 --- a/cookbooks/web/recipes/rails.rb +++ b/cookbooks/web/recipes/rails.rb @@ -42,14 +42,6 @@ end nodejs_package "svgo" -template "/etc/cron.hourly/passenger" do - cookbook "web" - source "passenger.cron.erb" - owner "root" - group "root" - mode "755" -end - rails_directory = "#{node[:web][:base_directory]}/rails" matomo = data_bag_item("web", "matomo") @@ -122,19 +114,23 @@ rails_port "www.openstreetmap.org" do oauth_application web_passwords["oauth_application"] matomo_configuration "location" => matomo[:location], "site" => matomo[:site], + "visitor_cookie_timeout" => matomo[:visitor_cookie_timeout], + "referral_cookie_timeout" => matomo[:referral_cookie_timeout], + "session_cookie_timeout" => matomo[:session_cookie_timeout], "goals" => matomo[:goals].to_hash google_auth_id "651529786092-6c5ahcu0tpp95emiec8uibg11asmk34t.apps.googleusercontent.com" google_auth_secret web_passwords["google_auth_secret"] google_openid_realm "https://www.openstreetmap.org" facebook_auth_id "427915424036881" facebook_auth_secret web_passwords["facebook_auth_secret"] - windowslive_auth_id "0000000040153C51" - windowslive_auth_secret web_passwords["windowslive_auth_secret"] + microsoft_auth_id "45ef48fb-6a13-4239-b842-133608b8edd7" + microsoft_auth_secret web_passwords["microsoft_auth_secret"] github_auth_id "acf7da34edee99e35499" github_auth_secret web_passwords["github_auth_secret"] wikipedia_auth_id "e4fe0c2c5855d23ed7e1f1c0fa1f1c58" wikipedia_auth_secret web_passwords["wikipedia_auth_secret"] thunderforest_key web_passwords["thunderforest_key"] + tracestrack_key web_passwords["tracestrack_key"] totp_key web_passwords["totp_key"] csp_enforce true trace_use_job_queue true @@ -147,21 +143,37 @@ rails_port "www.openstreetmap.org" do avatar_storage_url "https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com" trace_image_storage_url "https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com" overpass_url "https://query.openstreetmap.org/query-features" + overpass_credentials true + signup_ip_per_day 24 + signup_ip_max_burst 48 + signup_email_per_day 1 + signup_email_max_burst 2 + doorkeeper_signing_key web_passwords["openid_connect_key"].join("\n") + # Requests to modify the imagery blacklist should come from the DWG only + imagery_blacklist [ + # Current Google imagery URLs have google or googleapis in the domain + ".*\\.google(apis)?\\..*/.*", + # Blacklist VWorld + "http://xdworld\\.vworld\\.kr:8080/.*", + # Blacklist here + ".*\\.here\\.com[/:].*", + # Blacklist Mapy.cz + ".*\\.mapy\\.cz.*" + ] end systemd_service "rails-jobs@" do description "Rails job queue runner" type "simple" - environment "RAILS_ENV" => "production", "QUEUE" => "%I" + environment "RAILS_ENV" => "production", "QUEUE" => "%I", "SLEEP_DELAY" => "60" user "rails" working_directory rails_directory exec_start "#{node[:ruby][:bundle]} exec rails jobs:work" restart "on-failure" - private_tmp true - private_devices true - protect_system "full" - protect_home true - no_new_privileges true + nice 10 + sandbox :enable_network => true + memory_deny_write_execute false + read_write_paths "/var/log/web" end package "libjson-xs-perl" @@ -193,12 +205,12 @@ systemd_service "api-statistics" do user "rails" group "adm" exec_start "/usr/local/bin/api-statistics" - private_tmp true - private_devices true - private_network true - protect_system "full" - protect_home true - no_new_privileges true + nice 10 + sandbox true + read_write_paths [ + "/srv/www.openstreetmap.org/rails/tmp", + "/var/lib/prometheus/node-exporter" + ] restart "on-failure" end