include_recipe "tools"
blocks = data_bag_item("tile", "blocks")
+ admins = data_bag_item("apache", "admins")
web_passwords = data_bag_item("web", "passwords")
apache_module "alias"
fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"))
+ remote_file "#{Chef::Config[:file_cache_path]}/statuscake-locations.json" do
+ source "https://app.statuscake.com/Workfloor/Locations.php?format=json"
+ compile_time true
+ ignore_failure true
+ end
+
+ statuscakelocations = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/statuscake-locations.json"))
+
apache_site "default" do
action :disable
end
apache_site "tile.openstreetmap.org" do
template "apache.erb"
- variables :fastly => fastlyips["addresses"]
+ variables :fastly => fastlyips["addresses"] + fastlyips["ipv6_addresses"],
+ :statuscake => statuscakelocations.flat_map { |_, v| [v["ip"], v["ipv6"]] },
+ :admins => admins["hosts"]
end
template "/etc/logrotate.d/apache2" do
mode "644"
end
+tile_directories = node[:tile][:styles].collect do |_, style|
+ style[:tile_directories].collect { |directory| directory[:name] }
+end.flatten.sort.uniq
+
package "renderd"
systemd_service "renderd" do
after "postgresql.service"
wants "postgresql.service"
limit_nofile 4096
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
+ read_write_paths tile_directories
restart "on-failure"
end
-systemd_service "renderd" do
- action :delete
-end
-
service "renderd" do
action [:enable, :start]
subscribes :restart, "systemd_service[renderd]"
python_version "3"
end
-unifont = if node[:lsb][:release].to_f < 22.04
- "ttf-unifont"
- else
- "fonts-unifont"
- end
-
-package %W[
- fonts-noto-cjk
- fonts-noto-hinted
- fonts-noto-unhinted
- fonts-hanazono
- #{unifont}
-]
-
-["NotoSansArabicUI-Regular.ttf", "NotoSansArabicUI-Bold.ttf"].each do |font|
- remote_file "/usr/share/fonts/truetype/noto/#{font}" do
- action :create_if_missing
- source "https://github.com/googlei18n/noto-fonts/raw/master/hinted/#{font}"
- owner "root"
- group "root"
- mode "644"
- end
-end
-
directory "/srv/tile.openstreetmap.org/cgi-bin" do
owner "tile"
group "tile"
mode "755"
end
-template "/etc/cron.hourly/export" do
- source "export.cron.erb"
- owner "root"
- group "root"
- mode "755"
+systemd_service "export-cleanup" do
+ description "Cleanup stale export temporary files"
+ joins_namespace_of "apache2.service"
+ exec_start "find /tmp -ignore_readdir_race -name 'export??????' -mmin +60 -delete"
+ user "www-data"
+ sandbox true
+end
+
+systemd_timer "export-cleanup" do
+ description "Cleanup stale export temporary files"
+ on_boot_sec "60m"
+ on_unit_inactive_sec "60m"
+end
+
+service "export-cleanup.timer" do
+ action [:enable, :start]
end
directory "/srv/tile.openstreetmap.org/data" do
mode "755"
end
-package "mapnik-utils"
+package %w[
+ mapnik-utils
+ tar
+ unzip
+]
node[:tile][:data].each_value do |data|
url = data[:url]
end
if file =~ /\.tgz$/
- package "tar"
-
execute file do
action :nothing
command "tar -zxf #{file} -C #{directory}"
group "tile"
end
elsif file =~ /\.tar\.bz2$/
- package "tar"
-
execute file do
action :nothing
command "tar -jxf #{file} -C #{directory}"
group "tile"
end
elsif file =~ /\.zip$/
- package "unzip"
-
execute file do
action :nothing
command "unzip -qq -o #{file} -d #{directory}"
systemd_service "update-lowzoom@" do
description "Low zoom tile update service for %i layer"
- conflicts "render-lowzoom.service"
user "tile"
+ exec_start_pre "+/bin/systemctl stop render-lowzoom.service"
exec_start "/bin/bash /usr/local/bin/update-lowzoom-%i"
runtime_directory "update-lowzoom-%i"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
+ read_write_paths [
+ "/srv/tile.openstreetmap.org/tiles/%i",
+ "/var/log/tile"
+ ]
restart "on-failure"
end
group "tile"
end
+ if details[:fonts_script]
+ execute details[:fonts_script] do
+ action :nothing
+ command details[:fonts_script]
+ cwd style_directory
+ user "tile"
+ group "tile"
+ subscribes :run, "git[#{style_directory}]"
+ end
+ end
+
execute "#{style_directory}/project.mml" do
action :nothing
- command "carto -a 3.0.0 project.mml > project.xml"
+ command "carto -a 3.0.22 project.mml > project.xml"
cwd style_directory
user "tile"
group "tile"
superuser true
end
+postgresql_user "pnorman" do
+ cluster node[:tile][:database][:cluster]
+ superuser true
+end
+
postgresql_user "tile" do
cluster node[:tile][:database][:cluster]
end
user "tile"
group "adm"
exec_start "/usr/local/bin/tile-ratelimit"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
+ nice 10
+ sandbox true
read_write_paths "/srv/tile.openstreetmap.org/conf"
- no_new_privileges true
restart "on-failure"
end
type "simple"
user "_renderd"
exec_start "/usr/local/bin/expire-tiles"
+ nice 10
standard_output "null"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ read_write_paths tile_directories + [
+ "/store/database/nodes",
+ "/var/lib/replicate/expire-queue",
+ "/var/log/tile"
+ ]
end
systemd_path "expire-tiles" do
wants "postgresql.service"
user "tile"
exec_start "/usr/local/bin/replicate"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
+ read_write_paths [
+ "/store/database/nodes",
+ "/var/lib/replicate",
+ "/var/log/tile"
+ ]
restart "on-failure"
end
condition_path_exists_glob "!/run/update-lowzoom-*"
user "tile"
exec_start "/usr/local/bin/render-lowzoom"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/var/log/tile"
end
systemd_timer "render-lowzoom" do
mode "755"
end
-tile_directories = node[:tile][:styles].collect do |_, style|
- style[:tile_directories].collect { |directory| directory[:name] }
-end.flatten.sort.uniq
+systemd_service "cleanup-tiles@" do
+ description "Cleanup old tiles for /%I"
+ exec_start "/usr/local/bin/cleanup-tiles /%I"
+ user "_renderd"
+ io_scheduling_class "idle"
+ sandbox true
+ read_write_paths "/%I"
+end
+
+systemd_timer "cleanup-tiles@" do
+ description "Cleanup old tiles for /%I"
+ on_boot_sec "30m"
+ on_unit_inactive_sec "60m"
+ randomized_delay_sec "10m"
+end
tile_directories.each do |directory|
- label = directory.gsub("/", "-")
+ label = directory[1..].gsub("/", "-")
- cron_d "cleanup-tiles#{label}" do
- minute "0"
- user "_renderd"
- command "ionice -c 3 /usr/local/bin/cleanup-tiles #{directory}"
- mailto "admins@openstreetmap.org"
+ service "cleanup-tiles@#{label}.timer" do
+ action [:enable, :start]
end
end
projects / chef.git / commitdiff