X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/a6a40aaf96f0620bf8f4a6e9f01b44ff25d8307b..fa94eb23315195c6af34a5152e7f3426b42c7e3f:/cookbooks/tile/recipes/default.rb

diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index 957caa8ca..64807f74c 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -84,6 +84,18 @@ directory "/srv/tile.openstreetmap.org" do
   mode "755"
 end
 
+directory "/srv/tile.openstreetmap.org/conf" do
+  owner "tile"
+  group "tile"
+  mode "755"
+end
+
+file "/srv/tile.openstreetmap.org/conf/ip.map" do
+  owner "tile"
+  group "adm"
+  mode "644"
+end
+
 package "renderd"
 
 systemd_service "renderd" do
@@ -482,6 +494,10 @@ package %w[
   python3-pyproj
 ]
 
+gem_package "apachelogregex"
+gem_package "file-tail"
+gem_package "lru_redux"
+
 remote_directory "/usr/local/bin" do
   source "bin"
   owner "root"
@@ -492,6 +508,35 @@ remote_directory "/usr/local/bin" do
   files_mode "755"
 end
 
+template "/usr/local/bin/tile-ratelimit" do
+  source "tile-ratelimit.erb"
+  owner "root"
+  group "root"
+  mode "755"
+end
+
+systemd_service "tile-ratelimit" do
+  description "Monitor tile requests and enforce rate limits"
+  after "apache2.service"
+  user "tile"
+  group "adm"
+  exec_start "/usr/local/bin/tile-ratelimit"
+  private_tmp true
+  private_devices true
+  private_network true
+  protect_system "full"
+  protect_home true
+  read_write_paths "/srv/tile.openstreetmap.org/conf"
+  no_new_privileges true
+  restart "on-failure"
+end
+
+service "tile-ratelimit" do
+  action [:enable, :start]
+  subscribes :restart, "file[/usr/local/bin/tile-ratelimit]"
+  subscribes :restart, "systemd_service[tile-ratelimit]"
+end
+
 template "/usr/local/bin/expire-tiles" do
   source "expire-tiles.erb"
   owner "root"