- pull_request
concurrency:
- group: ${{ github.workflow }}-{{ github.head_ref || github.ref }}
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
jobs:
- pull_request
concurrency:
- group: ${{ github.workflow }}-{{ github.head_ref || github.ref }}
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
jobs:
kitchen:
name: Test Kitchen
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
strategy:
matrix:
suite:
- spamassassin
- ssl
- stateofthemap
+ - stateofthemap-jekyll
+ - stateofthemap-static
+ - stateofthemap-wordpress
- subversion
- supybot
- switch2osm
- wordpress
- wiki
os:
- - ubuntu-2004
+ - ubuntu-2204
+ include:
+ - os: ubuntu-2004
+ suite: mailman
+ - os: ubuntu-2004
+ suite: osqa
+ exclude:
+ - suite: mailman
+ os: ubuntu-2204
+ - suite: osqa
+ os: ubuntu-2204
fail-fast: false
steps:
- name: Check out code
- name: Setup ruby
uses: ruby/setup-ruby@v1
with:
+ ruby-version: 3.1
bundler-cache: true
- name: Run kitchen test ${{ matrix.suite }}-${{ matrix.os }}
run: bundle exec kitchen test ${{ matrix.suite }}-${{ matrix.os }}
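Review bot: The new `ruby-version: 3.1` on the setup-ruby step is an unquoted YAML float; it happens to round-trip for 3.1, but the day it is bumped to 3.10 the parser hands the action `3.1` again, so write it as `ruby-version: "3.1"`. The hunk already pins the runner to `ubuntu-22.04` for reproducibility, and for the same reason `ruby/setup-ruby@v1` on the context line above is worth pinning to a commit SHA, since a moving tag lets the action's publisher change what runs with `bundler-cache: true` against this repository's gems. The checkout step's `uses:` line and the workflow's `on:` block are not visible in this hunk.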
---
driver:
name: dokken
- chef_version: 17
+ chef_version: 18
volumes:
- /var/lib/docker
env:
name: dokken
chef_license: accept
data_bags_path: test/data_bags
+ slow_resource_report: true
verifier:
root_path: /opt/verifier
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
+ - name: ubuntu-22.04
+ driver:
+ image: dokken/ubuntu-22.04
+ privileged: true
+ pid_one_command: /bin/systemd
+ intermediate_instructions:
+ - RUN /usr/bin/apt-get update -y
suites:
- name: accounts
- name: letsencrypt
run_list:
- recipe[letsencrypt::default]
- attributes:
- apt:
- sources:
- - openstreetmap
- name: logstash
run_list:
- recipe[logstash::default]
- name: stateofthemap
run_list:
- recipe[stateofthemap::default]
+ - name: stateofthemap-static
+ run_list:
+ - recipe[stateofthemap::static]
+ - name: stateofthemap-jekyll
+ run_list:
+ - recipe[stateofthemap::jekyll]
+ - name: stateofthemap-wordpress
+ run_list:
+ - recipe[stateofthemap::wordpress]
- name: subversion
run_list:
- recipe[subversion::default]
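Review bot: The new `ubuntu-22.04` platform sets `privileged: true` without a comment; it is needed so `/bin/systemd` can run as PID 1 under dokken, but it also gives the test container effectively unrestricted access to the Docker host, and the driver section at the top of the file already bind-mounts `/var/lib/docker`. On GitHub-hosted runners the host is an ephemeral VM so the exposure is bounded, but anyone running `kitchen test` locally or on a self-hosted runner is converging cookbooks from a PR branch in a root-equivalent container. Suggest stating that next to the setting: `# privileged is required for systemd as PID 1; the container can reach the Docker host, so run only on throwaway machines`. Whether the ubuntu-20.04 platform above carries the same flag is outside the hunk.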
inherit_from: .rubocop_todo.yml
AllCops:
- TargetRubyVersion: 3.0
+ TargetRubyVersion: 3.1
ChefModernize/IncludingAptDefaultRecipe:
Enabled: false
# Basic Dockerfile to run cookstyle linting
# run: docker build -t chef-test .
-FROM ruby:2.7-alpine as build
+FROM ruby:3.1-alpine as build
# Add Gem build requirements
RUN apk add --no-cache build-base
ast (2.4.2)
bcrypt_pbkdf (1.1.0)
builder (3.2.4)
- chef-utils (17.10.0)
+ chef-utils (18.0.161)
concurrent-ruby
concurrent-ruby (1.1.10)
cookstyle (7.32.1)
multi_json
ed25519 (1.3.0)
erubi (1.11.0)
- excon (0.92.4)
+ excon (0.93.1)
ffi (1.15.5)
gssapi (1.3.1)
ffi (>= 1.0.1)
logging (2.3.1)
little-plugger (~> 1.1)
multi_json (~> 1.14)
- mixlib-install (3.12.19)
+ mixlib-install (3.12.20)
mixlib-shellout
mixlib-versioning
thor
chef-utils
mixlib-versioning (1.2.12)
multi_json (1.15.0)
- net-scp (3.0.0)
- net-ssh (>= 2.6.5, < 7.0.0)
- net-ssh (6.1.0)
+ net-scp (4.0.0)
+ net-ssh (>= 2.6.5, < 8.0.0)
+ net-ssh (7.0.1)
net-ssh-gateway (2.0.0)
net-ssh (>= 4.0.0)
net-telnet (0.1.1)
nori (2.6.0)
- parallel (1.21.0)
- parser (3.1.1.0)
+ parallel (1.22.1)
+ parser (3.1.2.1)
ast (~> 2.4.1)
pastel (0.8.0)
tty-color (~> 0.5)
rainbow (3.1.1)
- regexp_parser (2.2.1)
+ regexp_parser (2.6.0)
rexml (3.2.5)
- rspec (3.10.0)
- rspec-core (~> 3.10.0)
- rspec-expectations (~> 3.10.0)
- rspec-mocks (~> 3.10.0)
- rspec-core (3.10.2)
- rspec-support (~> 3.10.0)
- rspec-expectations (3.10.2)
+ rspec (3.11.0)
+ rspec-core (~> 3.11.0)
+ rspec-expectations (~> 3.11.0)
+ rspec-mocks (~> 3.11.0)
+ rspec-core (3.11.0)
+ rspec-support (~> 3.11.0)
+ rspec-expectations (3.11.1)
diff-lcs (>= 1.2.0, < 2.0)
- rspec-support (~> 3.10.0)
+ rspec-support (~> 3.11.0)
rspec-its (1.3.0)
rspec-core (>= 3.0.0)
rspec-expectations (>= 3.0.0)
- rspec-mocks (3.10.3)
+ rspec-mocks (3.11.1)
diff-lcs (>= 1.2.0, < 2.0)
- rspec-support (~> 3.10.0)
- rspec-support (3.10.3)
+ rspec-support (~> 3.11.0)
+ rspec-support (3.11.1)
rubocop (1.25.1)
parallel (~> 1.10)
parser (>= 3.1.0.0)
rubocop-ast (>= 1.15.1, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 1.4.0, < 3.0)
- rubocop-ast (1.16.0)
+ rubocop-ast (1.22.0)
parser (>= 3.1.1.0)
ruby-progressbar (1.11.0)
rubyntlm (0.6.3)
rspec-its
specinfra (~> 2.72)
sfl (2.3)
- specinfra (2.83.1)
+ specinfra (2.83.3)
net-scp
net-ssh (>= 2.7)
net-telnet (= 0.1.1)
unicode-display_width (>= 1.5, < 3.0)
unicode_utils (~> 1.4)
strings-ansi (0.2.0)
- test-kitchen (3.3.2)
+ test-kitchen (3.4.0)
bcrypt_pbkdf (~> 1.0)
chef-utils (>= 16.4.35)
ed25519 (~> 1.2)
license-acceptance (>= 1.0.11, < 3.0)
mixlib-install (~> 3.6)
mixlib-shellout (>= 1.2, < 4.0)
- net-scp (>= 1.1, < 4.0)
- net-ssh (>= 2.9, < 7.0)
+ net-scp (>= 1.1, < 5.0)
+ net-ssh (>= 2.9, < 8.0)
net-ssh-gateway (>= 1.2, < 3.0)
thor (>= 0.19, < 2.0)
winrm (~> 2.0)
tty-screen (~> 0.8)
wisper (~> 2.0)
tty-screen (0.8.1)
- unicode-display_width (2.2.0)
+ unicode-display_width (2.3.0)
unicode_utils (1.4.0)
winrm (2.3.6)
builder (>= 2.1.2)
--- /dev/null
+# Generated by /usr/bin/select-editor
+SELECTED_EDITOR="/usr/bin/vim.basic"
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef - use authorized_keys2 instead
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB9jIwQu1TmXcQH6FXEz53fkTX3abCgjflwdESnaR5qKw6hUcvAIjPXiGLFGdl+nR56aCbQrbXQVF3Hug2+057xcAEAhFj0aIOoDhgEkZ0uK4GIElZjCUugYLt3AbQXTRpEXtXaL1wzyBmFqbTMOxDOzaif+PYWwDHC1yo1C5jhSlRmRg== jesus@Mac-mini-de-Jesus.local
--- /dev/null
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVkoOPte6R6jN5w7yny+YLtoZGl/XLQL2aSjhgyNHrh matt@HEX
--- /dev/null
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYxvvG3WcrofBviPhEhKuEBiej3WcLMEhYloJB0pOGF1DaK8kD6QRlH4mZaNmm4mZCQIUv2KfgxDyPmp8byGZniVQzx74dlFDozFY+q9beokQA/f5RjtWs2G8gO+V4UdNXxo9q3cvfjiK9eXtjLjYyMkwb8n6Y3jrpt7CDflb7Pa+yJF9C1ugPooa739YNw5M8qPWdP1QVK8M7zZTeUbGh1xWReGCwcKFNDtoOSyj1XXkKSvfGd+spKqfwKOHOqVXQYNtSm+nnIuGilLp8caFa3lOvcGnlXgSKExeiMq/zG7vlvierkuwz00yOxF6h6BgjLztLCsknt3mD92vhUqQz
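Review bot: This key is added without the trailing comment field that the other two new keys in this commit carry (`jesus@…`, `matt@HEX`), so nothing in the file says whose key it is, which makes the periodic "who can log in here" review harder and turns revocation into guesswork. Append an identifying comment after the base64 blob, e.g. `ssh-rsa AAAA… name@host`. Judging by the `AAABAQ` modulus-length prefix this looks like a 2048-bit RSA key, which is acceptable, though an ed25519 key like the one in the sibling file is the preferable type for new entries.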
conf "deflate.conf.erb"
end
-if node[:apache][:reqtimeout]
- apache_module "reqtimeout" do
- action [:enable]
- end
-else
- apache_module "reqtimeout" do
- action [:disable]
- end
-end
-
apache_module "headers"
apache_module "ssl"
# DO NOT EDIT - This file is being maintained by Chef
-<IfModule mod_deflate.c>
- <IfModule mod_filter.c>
- AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml
- AddOutputFilterByType BROTLI_COMPRESS text/css
- AddOutputFilterByType BROTLI_COMPRESS application/x-javascript application/javascript application/ecmascript
- AddOutputFilterByType BROTLI_COMPRESS application/rss+xml
- AddOutputFilterByType BROTLI_COMPRESS application/xml
- AddOutputFilterByType BROTLI_COMPRESS image/svg+xml
- </IfModule>
+<IfModule mod_brotli.c>
+ <IfModule mod_filter.c>
+ AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript
+ AddOutputFilterByType BROTLI_COMPRESS application/x-javascript application/javascript application/ecmascript
+ AddOutputFilterByType BROTLI_COMPRESS application/rss+xml
+ AddOutputFilterByType BROTLI_COMPRESS application/wasm
+ AddOutputFilterByType BROTLI_COMPRESS application/xml
+ AddOutputFilterByType BROTLI_COMPRESS image/svg+xml
+ </IfModule>
</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
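Review bot: Compressing `text/html` with BROTLI_COMPRESS (first AddOutputFilterByType line) also covers dynamic responses, and compressing a page that mixes a per-session secret (CSRF token, session id) with attacker-influenced reflected content is the precondition for BREACH-style secret recovery; the commit fixes the `<IfModule>` name so these filters now actually take effect, which is why it is worth stating here. Whether any site served through this template is affected depends on the applications, which are outside this file, so the proposal is a note rather than a config change: `# NOTE: compressing text/html exposes dynamic pages carrying per-session secrets to BREACH; apps must mask such tokens, or exclude those paths with SetEnvIf ... no-brotli`. The same consideration applies to the DEFLATE filters in deflate.conf.erb in this commit, where the env var is `no-gzip`.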
# DO NOT EDIT - This file is being maintained by Chef
<IfModule mod_deflate.c>
- <IfModule mod_filter.c>
- # these are known to be safe with MSIE 6
- AddOutputFilterByType DEFLATE text/html text/plain text/xml
-
- # everything else may cause problems with MSIE 6
- AddOutputFilterByType DEFLATE text/css
- AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
- AddOutputFilterByType DEFLATE application/rss+xml
- AddOutputFilterByType DEFLATE application/xml
- AddOutputFilterByType DEFLATE image/svg+xml
- </IfModule>
+ <IfModule mod_filter.c>
+ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
+ AddOutputFilterByType DEFLATE application/rss+xml
+ AddOutputFilterByType DEFLATE application/wasm
+ AddOutputFilterByType DEFLATE application/xml
+ AddOutputFilterByType DEFLATE image/svg+xml
+ </IfModule>
</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-default[:apt][:sources] = [ "openstreetmap" ]
default[:apt][:unattended_upgrades][:enable] = true
default[:apt][:unattended_upgrades][:remove_unused_dependencies] = true
action :nothing
end
-archive_host = if node[:country]
- "#{node[:country]}.archive.ubuntu.com"
- else
- "archive.ubuntu.com"
- end
+if intel?
+ archive_host = if node[:country]
+ "#{node[:country]}.archive.ubuntu.com"
+ else
+ "archive.ubuntu.com"
+ end
+ archive_security_host = "security.ubuntu.com"
+ archive_distro = "ubuntu"
+else
+ archive_host = "ports.ubuntu.com"
+ archive_security_host = archive_host
+ archive_distro = "ubuntu-ports"
+end
template "/etc/apt/sources.list" do
source "sources.list.erb"
owner "root"
group "root"
mode "644"
- variables :archive_host => archive_host, :codename => node[:lsb][:codename]
+ variables :archive_host => archive_host, :archive_security_host => archive_security_host, :archive_distro => archive_distro, :codename => node[:lsb][:codename]
notifies :update, "apt_update[/etc/apt/sources.list]", :immediately
end
-repository_actions = Hash.new do |_, repository|
- node[:apt][:sources].include?(repository) ? :add : :remove
-end
-
-apt_repository "ubuntugis-stable" do
- action repository_actions["ubuntugis-stable"]
- uri "ppa:ubuntugis/ppa"
-end
-
-apt_repository "ubuntugis-unstable" do
- action repository_actions["ubuntugis-unstable"]
- uri "ppa:ubuntugis/ubuntugis-unstable"
-end
-
-apt_repository "git-core" do
- action repository_actions["git-core"]
- uri "ppa:git-core/ppa"
-end
-
-apt_repository "maxmind" do
- action repository_actions["maxmind"]
- uri "ppa:maxmind/ppa"
-end
-
apt_repository "openstreetmap" do
- action repository_actions["openstreetmap"]
uri "ppa:osmadmins/ppa"
end
-apt_repository "management-component-pack" do
- action repository_actions["management-component-pack"]
- uri "https://downloads.linux.hpe.com/SDR/repo/mcp"
- distribution "bionic/current-gen9"
- components ["non-free"]
- key "C208ADDE26C2B797"
-end
-
-apt_repository "hwraid" do
- action repository_actions["hwraid"]
- uri "https://hwraid.le-vert.net/ubuntu"
- distribution "precise"
- components ["main"]
- key "6005210E23B3D3B4"
-end
-
-apt_repository "nginx" do
- action repository_actions["nginx"]
- arch "amd64"
- uri "https://nginx.org/packages/ubuntu"
- components ["nginx"]
- key "ABF5BD827BD9BF62"
-end
-
-apt_repository "elasticsearch6.x" do
- action repository_actions["elasticsearch6.x"]
- uri "https://artifacts.elastic.co/packages/6.x/apt"
- distribution "stable"
- components ["main"]
- key "D27D666CD88E42B4"
-end
-
-apt_repository "elasticsearch8.x" do
- action repository_actions["elasticsearch8.x"]
- uri "https://artifacts.elastic.co/packages/8.x/apt"
- distribution "stable"
- components ["main"]
- key "D27D666CD88E42B4"
-end
-
-apt_repository "passenger" do
- action repository_actions["passenger"]
- uri "https://oss-binaries.phusionpassenger.com/apt/passenger"
- components ["main"]
- key "561F9B9CAC40B2F7"
-end
-
-apt_repository "postgresql" do
- action repository_actions["postgresql"]
- uri "https://apt.postgresql.org/pub/repos/apt"
- distribution "#{node[:lsb][:codename]}-pgdg"
- components ["main"]
- key "7FCC7D46ACCC4CF8"
-end
-
-apt_repository "docker" do
- action repository_actions["docker"]
- uri "https://download.docker.com/linux/ubuntu"
- arch "amd64"
- components ["stable"]
- key "https://download.docker.com/linux/ubuntu/gpg"
-end
-
-apt_repository "grafana" do
- action repository_actions["grafana"]
- uri "https://packages.grafana.com/enterprise/deb"
- distribution "stable"
- components ["main"]
- key "https://packages.grafana.com/gpg.key"
-end
-
-apt_repository "timescaledb" do
- action repository_actions["timescaledb"]
- uri "https://packagecloud.io/timescale/timescaledb/ubuntu"
- components ["main"]
- key "https://packagecloud.io/timescale/timescaledb/gpgkey"
-end
-
package "unattended-upgrades"
if Dir.exist?("/usr/share/unattended-upgrades")
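Review bot: Removing the `repository_actions` hash also removes the only mechanism that converged unwanted repositories to `:remove`; after this change a third-party source that is dropped from a role keeps its sources.list.d entry and its trusted signing key on every node that once had it, because the new per-repository recipes only ever add. The commit handles one case explicitly (the old `management-component-pack` entry is removed in its new recipe) but nothing covers the others, e.g. a node that stops including `apt::elasticsearch6`. Either keep a list-driven cleanup or document the new contract at the top of this recipe: `# Repositories are added by the apt::<name> recipes; dropping a recipe from a role does NOT remove the repository or its key from nodes that already have it`. The head of this recipe is outside the hunk.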
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: docker
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+docker_arch = if arm?
+ "arm64"
+ else
+ "amd64"
+ end
+
+apt_repository "docker" do
+ uri "https://download.docker.com/linux/ubuntu"
+ arch docker_arch
+ components ["stable"]
+ key "https://download.docker.com/linux/ubuntu/gpg"
+end
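Review bot: `key "https://download.docker.com/linux/ubuntu/gpg"` makes whatever that URL serves a trusted apt signer, with TLS to download.docker.com as the only check, because apt_repository does not compare a downloaded key against an expected fingerprint. If a verified copy of the key is available, shipping it as a cookbook file and passing that name to `key` takes the network fetch out of the trust path; failing that, record the expected fingerprint in a comment beside the line so a later `apt-key list` can be checked against it. The `else "amd64"` fallback also labels every non-ARM architecture as amd64; that is presumably fine for this fleet, but if only x86 and ARM are expected, branching on `intel?` as the default recipe in this commit does would make the intent explicit.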
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: elasticsearch6
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "elasticsearch6.x" do
+ uri "https://artifacts.elastic.co/packages/6.x/apt"
+ distribution "stable"
+ components ["main"]
+ key "D27D666CD88E42B4"
+end
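Review bot: `key "D27D666CD88E42B4"` is a 64-bit key ID, which apt_repository resolves through a public keyserver; 64-bit IDs are not collision-resistant and the keyserver lookup is unauthenticated, so the trust placed in this repository rests on whichever key the keyserver returns for that ID. Prefer the full 40-hex fingerprint if apt_repository's key-presence check accepts it under the Chef 18 this commit moves to (worth confirming), or ship the key as a cookbook file; the same applies to the other new recipes that pass a 16-hex ID (elasticsearch8, hwraid, management-component-pack, nginx, nodesource, passenger, postgresql, yarn). Separately, 6.x is an old Elasticsearch release line; a comment saying why it is still needed and for how long would help whoever next audits the repository list.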
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: elasticsearch8
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "elasticsearch8.x" do
+ uri "https://artifacts.elastic.co/packages/8.x/apt"
+ distribution "stable"
+ components ["main"]
+ key "D27D666CD88E42B4"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: git-core
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "git-core" do
+ uri "ppa:git-core/ppa"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: grafana
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "grafana" do
+ uri "https://packages.grafana.com/enterprise/deb"
+ distribution "stable"
+ components ["main"]
+ key "https://packages.grafana.com/gpg.key"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: hwraid
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "hwraid" do
+ uri "https://hwraid.le-vert.net/ubuntu"
+ distribution "precise"
+ components ["main"]
+ key "6005210E23B3D3B4"
+end
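Review bot: `distribution "precise"` pins a suite named after Ubuntu 12.04 while the rest of this commit moves the fleet to 22.04, and nothing explains why; if upstream publishes a single suite whose packages are release-independent, say so, otherwise the next reader will take it for a leftover and "fix" it. Suggested comment above the resource: `# upstream publishes only a "precise" suite, used for all Ubuntu releases — TODO confirm`.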
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: management-component-pack
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "management-component-pack" do
+ action :remove
+end
+
+if node[:dmi][:system][:product_name].end_with?("Gen10")
+ apt_repository "mcp-jammy" do
+ uri "https://downloads.linux.hpe.com/SDR/repo/mcp"
+ distribution "jammy/current"
+ components ["non-free"]
+ key "C208ADDE26C2B797"
+ end
+
+ apt_repository "mcp-focal-gen10" do
+ uri "https://downloads.linux.hpe.com/SDR/repo/mcp"
+ distribution "focal/current-gen10"
+ components ["non-free"]
+ key "C208ADDE26C2B797"
+ end
+else
+ apt_repository "mcp-bionic-gen9" do
+ uri "https://downloads.linux.hpe.com/SDR/repo/mcp"
+ distribution "bionic/current-gen9"
+ components ["non-free"]
+ key "C208ADDE26C2B797"
+ end
+end
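Review bot: `node[:dmi][:system][:product_name].end_with?("Gen10")` raises NoMethodError on any node where Ohai's dmi data has no `system` entry (virtual machines, containers such as the dokken images this commit's kitchen suites run in, hosts without dmidecode), which aborts the whole run instead of skipping the repository. Use a nil-safe lookup: `if node.dig(:dmi, :system, :product_name).to_s.end_with?("Gen10")`. Note also that the `else` branch adds the Gen9 repository to every host that is not a Gen10, including non-HPE hardware, so this recipe presumably has to be included only from an HPE-specific role; a comment saying so would prevent accidental reuse.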
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: maxmind
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "maxmind" do
+ uri "ppa:maxmind/ppa"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: nginx
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "nginx" do
+ arch "amd64"
+ uri "https://nginx.org/packages/ubuntu"
+ components ["nginx"]
+ key "ABF5BD827BD9BF62"
+end
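Review bot: `arch "amd64"` is hard-coded here while the docker recipe in the same commit selects arm64 on ARM hosts; on an ARM node apt honours the arch filter and never sees nginx.org's packages, so nginx would quietly come from the distro with a different version and module set than on amd64. If that is intended, document it: `# amd64 only: arm64 nodes get the distro nginx`; if not, pick the arch the way the docker recipe does, provided nginx.org publishes arm64 builds for the release in use (worth confirming).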
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: nodesource
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "nodesource" do
+ uri "https://deb.nodesource.com/node_18.x"
+ components ["main"]
+ key "1655A0AB68576280"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: passenger
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "passenger" do
+ uri "https://oss-binaries.phusionpassenger.com/apt/passenger"
+ components ["main"]
+ key "561F9B9CAC40B2F7"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: postgresql
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "postgresql" do
+ uri "https://apt.postgresql.org/pub/repos/apt"
+ distribution "#{node[:lsb][:codename]}-pgdg"
+ components ["main"]
+ key "7FCC7D46ACCC4CF8"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: timescaledb
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+include_recipe "apt::postgresql"
+
+apt_repository "timescaledb" do
+ uri "https://packagecloud.io/timescale/timescaledb/ubuntu"
+ components ["main"]
+ key "https://packagecloud.io/timescale/timescaledb/gpgkey"
+end
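Review bot: `key "https://packagecloud.io/timescale/timescaledb/gpgkey"` trusts whatever key packagecloud serves at that URL, with only the TLS connection as a check, since apt_repository does not verify a downloaded key against an expected fingerprint. Either vendor the key as a cookbook file or note the expected fingerprint in a comment beside the line so it can be audited later. The `include_recipe "apt::postgresql"` dependency is a good call, but a one-line comment saying the timescaledb packages are built against the PGDG postgresql packages would tell the reader why it is there — assuming that is the reason.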
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: ubuntugis-stable
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "ubuntugis-stable" do
+ uri "ppa:ubuntugis/ppa"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: ubuntugis-unstable
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "ubuntugis-unstable" do
+ uri "ppa:ubuntugis/ubuntugis-unstable"
+end
--- /dev/null
+#
+# Cookbook:: apt
+# Recipe:: yarn
+#
+# Copyright:: 2022, Tom Hughes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apt"
+
+apt_repository "yarn" do
+ uri "https://dl.yarnpkg.com/debian"
+ distribution "stable"
+ components ["main"]
+ key "23E7166788B63E1E"
+end
# DO NOT EDIT - This file is being maintained by Chef
-deb http://<%= @archive_host %>/ubuntu/ <%= @codename %> main restricted
-# deb-src http://<%= @archive_host %>/ubuntu/ <%= @codename %> main restricted
+deb http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %> main restricted
+# deb-src http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %> main restricted
## Major bug fix updates produced after the final release of the
## distribution.
-deb http://<%= @archive_host %>/ubuntu/ <%= @codename %>-updates main restricted
-# deb-src http://<%= @archive_host %>/ubuntu/ <%= @codename %>-updates main restricted
+deb http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-updates main restricted
+# deb-src http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
-deb http://<%= @archive_host %>/ubuntu/ <%= @codename %> universe
-# deb-src http://<%= @archive_host %>/ubuntu/ <%= @codename %> universe
-deb http://<%= @archive_host %>/ubuntu/ <%= @codename %>-updates universe
-# deb-src http://<%= @archive_host %>/ubuntu/ <%= @codename %>-updates universe
+deb http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %> universe
+# deb-src http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %> universe
+deb http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-updates universe
+# deb-src http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
-deb http://<%= @archive_host %>/ubuntu/ <%= @codename %> multiverse
-# deb-src http://<%= @archive_host %>/ubuntu/ <%= @codename %> multiverse
-deb http://<%= @archive_host %>/ubuntu/ <%= @codename %>-updates multiverse
-# deb-src http://<%= @archive_host %>/ubuntu/ <%= @codename %>-updates multiverse
+deb http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %> multiverse
+# deb-src http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %> multiverse
+deb http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-updates multiverse
+# deb-src http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
-deb http://<%= @archive_host %>/ubuntu/ <%= @codename %>-backports main restricted universe multiverse
-# deb-src http://<%= @archive_host %>/ubuntu/ <%= @codename %>-backports main restricted universe multiverse
+deb http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-backports main restricted universe multiverse
+# deb-src http://<%= @archive_host %>/<%= @archive_distro %>/ <%= @codename %>-backports main restricted universe multiverse
-## Uncomment the following two lines to add software from Canonical's
-## 'partner' repository.
-## This software is not part of Ubuntu, but is offered by Canonical and the
-## respective vendors as a service to Ubuntu users.
-# deb http://archive.canonical.com/ubuntu <%= @codename %> partner
-# deb-src http://archive.canonical.com/ubuntu <%= @codename %> partner
-
-deb http://security.ubuntu.com/ubuntu/ <%= @codename %>-security main restricted
-# deb-src http://security.ubuntu.com/ubuntu/ <%= @codename %>-security main restricted
-deb http://security.ubuntu.com/ubuntu/ <%= @codename %>-security universe
-# deb-src http://security.ubuntu.com/ubuntu/ <%= @codename %>-security universe
-deb http://security.ubuntu.com/ubuntu/ <%= @codename %>-security multiverse
-# deb-src http://security.ubuntu.com/ubuntu/ <%= @codename %>-security multiverse
+deb http://<%= @archive_security_host %>/<%= @archive_distro %>/ <%= @codename %>-security main restricted
+# deb-src http://<%= @archive_security_host %>/<%= @archive_distro %>/ <%= @codename %>-security main restricted
+deb http://<%= @archive_security_host %>/<%= @archive_distro %>/ <%= @codename %>-security universe
+# deb-src http://<%= @archive_security_host %>/<%= @archive_distro %>/ <%= @codename %>-security universe
+deb http://<%= @archive_security_host %>/<%= @archive_distro %>/ <%= @codename %>-security multiverse
+# deb-src http://<%= @archive_security_host %>/<%= @archive_distro %>/ <%= @codename %>-security multiverse
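Review bot: Every `deb` line, including the new `<%= @archive_security_host %>` security entries, uses plain `http://`; apt's signature checks keep the packages authentic, but the transport reveals to anyone on the path which packages each host installs and leaves apt's HTTP client, which has had parser vulnerabilities, facing an unauthenticated mirror. The canonical archive, security and ports hosts appear to serve TLS, though a country mirror picked via `node[:country]` may not, so switching the scheme to `https://` for the known hosts is cheap hardening. If plain http is deliberate for some mirrors, a comment at the top of the template saying so would stop this being re-raised.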
}
my $dates = join("|", @dates);
-my $match = qr/^${prefix}\d{4}-\d{2}-\d{2}\./;
-my $keep = qr/^${prefix}(?:${dates})\./;
+my $match = qr/^\Q${prefix}\E\d{4}-\d{2}-\d{2}\./;
+my $keep = qr/^\Q${prefix}\E(?:${dates})\./;
opendir(DIR, "$dir") || die "Can't open ${dir}: $!";
-my @files = sort(grep($match, readdir(DIR)));
+my @files = sort(grep(/$match/, readdir(DIR)));
closedir(DIR);
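Review bot: `$keep` now quotes `$prefix` with `\Q…\E` but still interpolates `${dates}` raw, so the two patterns treat their inputs differently; if `@dates` ever holds anything other than plain `YYYY-MM-DD` strings (its construction is above the hunk), those characters become regex syntax. Quoting each element keeps the two regexes consistent at no cost: `my $dates = join("|", map { quotemeta($_) } @dates);`. The `grep(/$match/, …)` change is correct, since the previous `grep($match, …)` evaluated the compiled regex as a constant, always-true expression and so kept every directory entry.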
3.0.0 IN PTR ridley.ucl.openstreetmap.org.
4.0.0 IN PTR snap-02.ucl.openstreetmap.org.
-5.0.0 IN PTR norbert.ucl.openstreetmap.org.
-6.0.0 IN PTR urmel.ucl.openstreetmap.org.
-7.0.0 IN PTR faffy.ucl.openstreetmap.org.
-8.0.0 IN PTR zark.ucl.openstreetmap.org.
9.0.0 IN PTR eustace.ucl.openstreetmap.org.
10.0.0 IN PTR eddie.ucl.openstreetmap.org.
11.0.0 IN PTR draco.ucl.openstreetmap.org.
12.0.0 IN PTR sarel.ucl.openstreetmap.org.
13.0.0 IN PTR noquiklos.ucl.openstreetmap.org.
-14.0.0 IN PTR errol.ucl.openstreetmap.org.
15.0.0 IN PTR ysera.ucl.openstreetmap.org.
17.0.0 IN PTR clifford.ucl.openstreetmap.org.
19.0.0 IN PTR grindtooth.ucl.openstreetmap.org.
20.0.0 IN PTR pummelzacken.ucl.openstreetmap.org.
-40.0.0 IN PTR tiamat-00.ucl.openstreetmap.org.
-41.0.0 IN PTR tiamat-01.ucl.openstreetmap.org.
-42.0.0 IN PTR tiamat-02.ucl.openstreetmap.org.
-43.0.0 IN PTR tiamat-03.ucl.openstreetmap.org.
-44.0.0 IN PTR tiamat-10.ucl.openstreetmap.org.
-45.0.0 IN PTR tiamat-11.ucl.openstreetmap.org.
-46.0.0 IN PTR tiamat-12.ucl.openstreetmap.org.
-47.0.0 IN PTR tiamat-13.ucl.openstreetmap.org.
-48.0.0 IN PTR tiamat-20.ucl.openstreetmap.org.
-49.0.0 IN PTR tiamat-21.ucl.openstreetmap.org.
-50.0.0 IN PTR tiamat-22.ucl.openstreetmap.org.
-51.0.0 IN PTR tiamat-23.ucl.openstreetmap.org.
3.1.0 IN PTR ridley.oob.openstreetmap.org.
4.1.0 IN PTR snap-02.oob.openstreetmap.org.
-5.1.0 IN PTR norbert.oob.openstreetmap.org.
-6.1.0 IN PTR urmel.oob.openstreetmap.org.
-8.1.0 IN PTR zark.oob.openstreetmap.org.
9.1.0 IN PTR eustace.oob.openstreetmap.org.
10.1.0 IN PTR eddie.oob.openstreetmap.org.
11.1.0 IN PTR draco.oob.openstreetmap.org.
12.1.0 IN PTR sarel.oob.openstreetmap.org.
13.1.0 IN PTR noquiklos.oob.openstreetmap.org.
-14.1.0 IN PTR errol.oob.openstreetmap.org.
15.1.0 IN PTR ysera.oob.openstreetmap.org.
17.1.0 IN PTR clifford.oob.openstreetmap.org.
19.1.0 IN PTR grindtooth.oob.openstreetmap.org.
20.1.0 IN PTR pummelzacken.oob.openstreetmap.org.
-40.1.0 IN PTR tiamat-00.oob.openstreetmap.org.
-41.1.0 IN PTR tiamat-01.oob.openstreetmap.org.
-42.1.0 IN PTR tiamat-02.oob.openstreetmap.org.
-43.1.0 IN PTR tiamat-03.oob.openstreetmap.org.
-44.1.0 IN PTR tiamat-10.oob.openstreetmap.org.
-45.1.0 IN PTR tiamat-11.oob.openstreetmap.org.
-46.1.0 IN PTR tiamat-12.oob.openstreetmap.org.
-47.1.0 IN PTR tiamat-13.oob.openstreetmap.org.
-48.1.0 IN PTR tiamat-20.oob.openstreetmap.org.
-49.1.0 IN PTR tiamat-21.oob.openstreetmap.org.
-50.1.0 IN PTR tiamat-22.oob.openstreetmap.org.
-51.1.0 IN PTR tiamat-23.oob.openstreetmap.org.
-
-2.16.0 IN PTR orm.bm.openstreetmap.org.
-3.16.0 IN PTR shenron.bm.openstreetmap.org.
20.32.0 IN PTR grisu.bm.openstreetmap.org.
21.32.0 IN PTR spike-04.bm.openstreetmap.org.
22.32.0 IN PTR spike-05.bm.openstreetmap.org.
40.32.0 IN PTR katla.bm.openstreetmap.org.
-41.32.0 IN PTR thorn-04.bm.openstreetmap.org.
-42.32.0 IN PTR thorn-05.bm.openstreetmap.org.
20.33.0 IN PTR grisu.oob.openstreetmap.org.
21.33.0 IN PTR spike-04.oob.openstreetmap.org.
22.33.0 IN PTR spike-05.oob.openstreetmap.org.
40.33.0 IN PTR katla.oob.openstreetmap.org.
-41.33.0 IN PTR thorn-04.oob.openstreetmap.org.
-42.33.0 IN PTR thorn-05.oob.openstreetmap.org.
+3.48.0 IN PTR faffy.ams.openstreetmap.org.
9.48.0 IN PTR dulcy.ams.openstreetmap.org.
10.48.0 IN PTR ironbelly.ams.openstreetmap.org.
11.48.0 IN PTR spike-06.ams.openstreetmap.org.
13.48.0 IN PTR spike-08.ams.openstreetmap.org.
14.48.0 IN PTR tabaluga.ams.openstreetmap.org.
15.48.0 IN PTR odin.ams.openstreetmap.org.
-16.48.0 IN PTR lockheed.ams.openstreetmap.org.
+17.48.0 IN PTR norbert.ams.openstreetmap.org.
49.48.0 IN PTR snap-01.ams.openstreetmap.org.
50.48.0 IN PTR karm.ams.openstreetmap.org.
52.48.0 IN PTR thorn-02.ams.openstreetmap.org.
101.48.0 IN PTR pdu2.ams.openstreetmap.org.
102.48.0 IN PTR oob1.ams.openstreetmap.org.
+3.49.0 IN PTR faffy.oob.openstreetmap.org.
9.49.0 IN PTR dulcy.oob.openstreetmap.org.
10.49.0 IN PTR ironbelly.oob.openstreetmap.org.
11.49.0 IN PTR spike-06.oob.openstreetmap.org.
13.49.0 IN PTR spike-08.oob.openstreetmap.org.
14.49.0 IN PTR tabaluga.oob.openstreetmap.org.
15.49.0 IN PTR odin.oob.openstreetmap.org.
-16.49.0 IN PTR lockheed.oob.openstreetmap.org.
+17.49.0 IN PTR norbert.oob.openstreetmap.org.
49.49.0 IN PTR snap-01.oob.openstreetmap.org.
50.49.0 IN PTR karm.oob.openstreetmap.org.
52.49.0 IN PTR thorn-02.oob.openstreetmap.org.
wordpress_theme "blog.openstreetmap.org-osmblog-wp-theme" do
theme "osmblog-wp-theme"
site "blog.openstreetmap.org"
- repository "https://github.com/harry-wood/osmblog-wp-theme.git"
+ repository "https://github.com/osmfoundation/osmblog-wp-theme.git"
end
wordpress_plugin "blog.openstreetmap.org-google-analytics-for-wordpress" do
+ action :delete
plugin "google-analytics-for-wordpress"
site "blog.openstreetmap.org"
end
# end
wordpress_plugin "blog.openstreetmap.org-shareadraft" do
+ action :delete
plugin "shareadraft"
site "blog.openstreetmap.org"
end
+wordpress_plugin "blog.openstreetmap.org-public-post-preview" do
+ plugin "public-post-preview"
+ site "blog.openstreetmap.org"
+end
+
wordpress_plugin "blog.openstreetmap.org-sitepress-multilingual-cms" do
plugin "sitepress-multilingual-cms"
site "blog.openstreetmap.org"
end
wordpress_plugin "blog.openstreetmap.org-wordpress-importer" do
+ action :delete
plugin "wordpress-importer"
site "blog.openstreetmap.org"
end
depends "apache"
depends "git"
depends "ruby"
+depends "systemd"
mode "0755"
end
-cron_d "blogs" do
- minute "*/30"
+systemd_service "blogs-update" do
+ description "Update blog aggregator"
+ exec_start "/usr/local/bin/blogs-update"
user "blogs"
- command "/usr/local/bin/blogs-update"
- mailto "admins@openstreetmap.org"
+ sandbox :enable_network => true
+ read_write_paths "/srv/blogs.openstreetmap.org"
+end
+
+systemd_timer "blogs-update" do
+ description "Update blog aggregator"
+ on_boot_sec "15m"
+ on_unit_inactive_sec "30m"
+end
+
+service "blogs-update.timer" do
+ action [:enable, :start]
end
template "/etc/cron.daily/blogs-backup" do
-# Add the opscode APT source for chef
-default[:apt][:sources] = node[:apt][:sources] | ["opscode"]
-
# Set the default server version
-default[:chef][:server][:version] = "12.17.33"
+default[:chef][:server][:version] = "15.1.7"
# Set the default client version
-default[:chef][:client][:version] = "17.10.3"
+default[:chef][:client][:version] = "18.0.169"
--- /dev/null
+module OpenStreetMap
+ module Mixin
+ module CPU
+ def cpu_cores
+ [dig("cpu", "total").to_i, dig("cpu", "cores").to_i, 4].max
+ end
+ end
+ end
+end
+
+Chef::Node.include(OpenStreetMap::Mixin::CPU)
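Review bot: The floor of 4 in `[dig("cpu", "total").to_i, dig("cpu", "cores").to_i, 4].max` is undocumented, and on a host with fewer cores it silently reports more than the machine has. A comment such as `# Larger of ohai's cpu.total / cpu.cores, but never fewer than 4 — used to size worker pools` would record that the floor is intentional; if it is not, the `4` should go. It is also worth noting in that comment that `to_i` turns a missing ohai value into 0, so the method never raises when the `cpu` data is absent.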
-class Chef
+module OpenStreetMap
module Mixin
module EditFile
def edit_file(file, &_block)
end
end
end
-
- class Recipe
- include Chef::Mixin::EditFile
- end
end
+
+Chef::DSL::Recipe.include(OpenStreetMap::Mixin::EditFile)
require "digest"
-class Chef
+module OpenStreetMap
module Mixin
module PersistentToken
def persistent_token(*args)
end
end
end
-
- class Recipe
- include Chef::Mixin::PersistentToken
- end
end
+
+Chef::DSL::Recipe.include(OpenStreetMap::Mixin::PersistentToken)
+++ /dev/null
-class Chef
- class Recipe
- def random_password(length)
- Array.new(length) do
- "!\#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~"[rand(91)].chr
- end.join
- end
- end
-end
depends "ohai"
depends "munin"
depends "systemd"
-gem "mail"
+gem "mail", "= 2.7.1"
end
end
-ubuntu_release = if node[:lsb][:release].to_f < 22.04
- node[:lsb][:release]
- else
- "20.04"
- end
+ubuntu_release = node[:lsb][:release]
remote_file "#{cache_dir}/#{chef_package}" do
source "https://packages.chef.io/files/stable/chef/#{chef_version}/ubuntu/#{ubuntu_release}/#{chef_package}"
systemd_service "chef-client" do
description "Chef client"
exec_start "/usr/bin/chef-client"
+ nice 10
end
systemd_timer "chef-client" do
# end
#
# remote_file "#{cache_dir}/#{chef_package}" do
-# source "https://packages.chef.io/files/stable/chef-server/#{chef_version}/ubuntu/16.04/#{chef_package}"
+# source "https://packages.chef.io/files/stable/chef-server/#{chef_version}/ubuntu/20.04/chef-server-core_#{chef_version}-1_amd64.deb"
# owner "root"
# group "root"
# mode 0644
wordpress_theme "osmblog-wp-theme" do
site "join.osmfoundation.org"
- repository "https://github.com/harry-wood/osmblog-wp-theme.git"
+ repository "https://github.com/osmfoundation/osmblog-wp-theme.git"
end
wordpress_plugin "registration-honeypot" do
content settings
end
-cron_d "osmf-crm" do
- minute "*/15"
+systemd_service "osmf-crm-jobs" do
+ description "Run CRM jobs"
+ exec_start "/usr/bin/php #{civicrm_directory}/civicrm/bin/cli.php -s join.osmfoundation.org -u batch -p \"#{passwords['batch']}\" -e Job -a execute"
user "www-data"
- command "php #{civicrm_directory}/civicrm/bin/cli.php -s join.osmfoundation.org -u batch -p \"#{passwords['batch']}\" -e Job -a execute 2>&1 | egrep -v '^PHP (Deprecated|Warning):'"
- mailto "admins@openstreetmap.org"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/srv/join.osmfoundation.org/wp-content/uploads/civicrm"
+end
+
+systemd_timer "osmf-crm-jobs" do
+ description "Run CRM jobs"
+ on_boot_sec "15m"
+ on_unit_inactive_sec "15m"
+end
+
+service "osmf-crm-jobs.timer" do
+ action [:enable, :start]
end
template "/etc/cron.daily/osmf-crm-backup" do
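Review bot: The CiviCRM batch password is now embedded in the unit's `ExecStart` line via `-p \"#{passwords['batch']}\"`, so it is written into the generated unit file under `/etc/systemd/system`, which is typically world-readable, in addition to the process command line exposure the cron entry already had. Moving the literal into a root-only file — a small wrapper script (mode 0750, owned by www-data) that `exec_start` points at, or an `EnvironmentFile` with mode 0600 if the resource supports one — keeps it out of the unit, though php's own argv will still show it unless `cli.php` can take the password from the environment. Separately, `memory_deny_write_execute false` has no stated reason; a one-line comment (presumably PHP needs writable-executable mappings — confirm) would stop a later cleanup re-tightening it.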
version "1.0.0"
supports "ubuntu"
+depends "accounts"
# limitations under the License.
#
+include_recipe "accounts"
+
package %w[
clamav-daemon
clamav-freshclam
supports "ubuntu"
depends "accounts"
depends "docker"
+depends "exim"
depends "geoipupdate"
depends "git"
depends "ssl"
include_recipe "accounts"
include_recipe "docker"
-include_recipe "geoipupdate"
include_recipe "git"
include_recipe "ssl"
passwords = data_bag_item("community", "passwords")
license_keys = data_bag_item("geoipupdate", "license-keys") unless kitchen?
+# Disable any default installed apache2 service. Web server is embedded within the discourse docker container
+service "apache2" do
+ action [:disable, :stop]
+end
+
directory "/srv/community.openstreetmap.org" do
owner "root"
group "root"
# Workaround bug: https://github.com/discourse/discourse_docker/pull/505
# params:
-# version: v2.8.7
+# version: v2.8.13 - NOT USED HERE. UPDATE THE EXEC GIT ACTIONS BELOW WITH VERSION
env:
LC_ALL: en_US.UTF-8
## How many concurrent web requests are supported? Depends on memory and CPU cores.
## will be set automatically by bootstrap based on detected CPUs, or you can override
- UNICORN_WORKERS: 8
+ UNICORN_WORKERS: <%= node.cpu_cores %>
## TODO: The domain name this Discourse instance will respond to
DISCOURSE_HOSTNAME: community.openstreetmap.org
+ DISCOURSE_CDN_URL: https://community-cdn.openstreetmap.org
## Uncomment if you want the container to be started with the same
## hostname (-h option) as specified above (default "$hostname-$config")
## on initial signup example 'user1@example.com,user2@example.com'
DISCOURSE_DEVELOPER_EMAILS: 'operations@openstreetmap.org'
- ## TODO: The SMTP mail server used to validate new accounts and send notifications
- # SMTP ADDRESS, username, and password are required
- # WARNING the char '#' in SMTP password can cause problems!
- DISCOURSE_SMTP_ADDRESS: mail.openstreetmap.org
- DISCOURSE_SMTP_PORT: 26
+ DISCOURSE_SMTP_ADDRESS: <%= node[:exim][:smarthost_via].split(":", 2)[0] %>
+ DISCOURSE_SMTP_PORT: <%= node[:exim][:smarthost_via].split(":", 2)[1] || "25" %>
+ DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
DISCOURSE_SMTP_USER_NAME:
DISCOURSE_SMTP_PASSWORD:
- # DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
DISCOURSE_SMTP_DOMAIN: community.openstreetmap.org
DISCOURSE_NOTIFICATION_EMAIL: community@noreply.openstreetmap.org
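Review bot: `DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none` disables certificate verification on the container's STARTTLS session to the smarthost, so an on-path attacker between this host and the address taken from `node[:exim][:smarthost_via]` can intercept outbound mail, which includes password-reset and login links. If the smarthost's certificate is valid for that name, `DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: peer` should work; if it cannot be, a comment beside the line stating why (for example an internal hostname not covered by the certificate) is the minimum. Note also that the template now calls `.split` on `node[:exim][:smarthost_via]` unconditionally, so a node without that attribute fails at render time rather than falling back to a default.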
- exec:
cd: $home
cmd:
- - git fetch --depth=1 origin tag v2.8.7 --no-tags
- - git checkout v2.8.7
+ - git fetch --depth=1 origin tag v2.8.13 --no-tags
+ - git checkout v2.8.13
after_ssl:
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
depends "postgresql"
depends "python"
depends "ruby"
+depends "systemd"
depends "web"
mode "755"
end
-cron_d "backup-db" do
- minute "00"
- hour "02"
- weekday "1"
+systemd_service "backup-db" do
+ description "Database backup"
+ exec_start "/usr/local/bin/backup-db"
user "osmbackup"
- command "/usr/local/bin/backup-db"
- mailto "admins@openstreetmap.org"
+ sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/store/backup"
+end
+
+systemd_timer "backup-db" do
+ description "Database backup"
+ on_calendar "Mon 02:00 #{node[:timezone]}"
+end
+
+service "backup-db.timer" do
+ action [:enable, :start]
end
end
node[:postgresql][:versions].each do |db_version|
- pg_config = "/usr/lib/postgresql/#{db_version}/bin/pg_config"
- function_directory = "/srv/www.openstreetmap.org/rails/db/functions/#{db_version}"
-
- directory function_directory do
- owner "rails"
- group "rails"
- mode "755"
- end
-
- execute function_directory do
- action :nothing
- command "make BUNDLE=#{node[:ruby][:bundle]} PG_CONFIG=#{pg_config} DESTDIR=#{function_directory}"
- cwd "/srv/www.openstreetmap.org/rails/db/functions"
- user "rails"
- group "rails"
- subscribes :run, "directory[#{function_directory}]"
- subscribes :run, "git[/srv/www.openstreetmap.org/rails]"
- end
-
- link "/usr/lib/postgresql/#{db_version}/lib/libpgosm.so" do
- to "#{function_directory}/libpgosm.so"
- owner "root"
- group "root"
- end
-
directory "/opt/osmdbt/build-#{db_version}" do
owner "root"
group "root"
database "openstreetmap"
only_if { node[:postgresql][:clusters][node[:db][:cluster]] && node[:postgresql][:clusters][node[:db][:cluster]][:version] >= 9.0 }
end
-
-file "/etc/cron.daily/rails-db" do
- action :delete
-end
include_recipe "ruby"
package %w[
+ ant
+ default-jdk-headless
+ default-jre-headless
+ golang
+ composer
+ php-apcu
php-cgi
php-cli
php-curl
php-db
+ php-gd
+ php-igbinary
php-imagick
+ php-intl
+ php-mbstring
+ php-memcache
php-mysql
php-pear
php-pgsql
php-sqlite3
+ php-xml
pngcrush
pngquant
+ python-is-python3
python3
+ python3-brotli
python3-bs4
python3-cheetah
python3-dateutil
+ python3-dev
+ python3-dotenv
+ python3-lxml
+ python3-lz4
python3-magic
+ python3-pil
python3-psycopg2
+ python3-venv
+ python3-pyproj
python3-gdal
+ gdal-bin
+ proj-bin
g++
gcc
make
libfcgi-dev
libxml2-dev
libmemcached-dev
+ libboost-dev
libboost-regex-dev
libboost-system-dev
libboost-program-options-dev
zlib1g-dev
nano
osm2pgsql
+ osmosis
+ at
+ awscli
+ mailutils
+ lua-any
+ luajit
+ fonts-dejavu
+ fonts-dejavu-core
+ fonts-dejavu-extra
+ fonts-droid-fallback
+ fonts-liberation
+ fonts-noto-mono
+ gnuplot-nox
+ graphviz
+ irssi
+ jq
+ lz4
+ lzip
+ lzop
+ pbzip2
+ pigz
+ unrar
+ unzip
+ zip
+ netcat
+ tmux
+ whois
+ redis
+ r-base
+ pandoc
]
+# Add uk_os_OSTN15_NTv2_OSGBtoETRS.tif used for reprojecting OS data
+execute "uk_os_OSTN15_NTv2_OSGBtoETRS.tif" do
+ command "projsync --file uk_os_OSTN15_NTv2_OSGBtoETRS.tif --system-directory"
+ not_if { ::File.exist?("/usr/share/proj/uk_os_OSTN15_NTv2_OSGBtoETRS.tif") }
+end
+
nodejs_package "svgo"
python_package "geojson" do
"memory_limit" => "128M",
"post_max_size" => "32M",
"upload_max_filesize" => "32M"
- php_admin_values "sendmail_path" => "/usr/sbin/sendmail -t -i -f #{name}@errol.openstreetmap.org",
+ php_admin_values "sendmail_path" => "/usr/sbin/sendmail -t -i -f #{name}@dev.openstreetmap.org",
"open_basedir" => "/home/#{name}/:/tmp/:/usr/share/php/"
php_flags "display_errors" => "on"
end
end
end
+node[:postgresql][:versions].each do |version|
+ package "postgresql-#{version}-postgis-3"
+end
+
if node[:postgresql][:clusters][:"14/main"]
postgresql_user "apis" do
cluster "14/main"
systemd_service "rails-jobs@" do
description "Rails job queue runner"
type "simple"
+ environment "RAILS_ENV" => "production", "SLEEP_DELAY" => "60"
user "apis"
working_directory "/srv/%i.apis.dev.openstreetmap.org/rails"
exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"
restart "on-failure"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ nice 10
+ sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
+ memory_deny_write_execute false
+ read_write_paths "/srv/%i.apis.dev.openstreetmap.org/logs"
end
systemd_service "cgimap@" do
user "apis"
exec_start "/srv/%i.apis.dev.openstreetmap.org/cgimap/openstreetmap-cgimap --daemon --port $CGIMAP_PORT --instances 5"
exec_reload "/bin/kill -HUP $MAINPID"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
+ read_write_paths ["/srv/%i.apis.dev.openstreetmap.org/logs", "/srv/%i.apis.dev.openstreetmap.org/rails/tmp"]
restart "on-failure"
end
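Review bot: `restrict_address_families "AF_UNIX"` on `cgimap@` is not self-explanatory next to an `ExecStart` that binds a TCP FastCGI listener with `--port $CGIMAP_PORT`: a unit limited to AF_UNIX cannot create an AF_INET socket, so unless the cookbook's `sandbox` helper merges AF_INET/AF_INET6 in when `:enable_network` is set (the repeated `enable_network` + `AF_UNIX` pairing elsewhere in this change suggests it does, but that logic is outside the hunk) the daemon fails at startup. `systemctl show -p RestrictAddressFamilies cgimap@<site>` on a converged host settles it, and a comment such as `# AF_UNIX is added on top of the INET families the sandbox enables` would save the next reader the check. The same question applies to `rails-jobs@`, which also sends mail from the queue and so needs more than AF_UNIX; and `memory_deny_write_execute false` there deserves a one-line reason (presumably Ruby's JIT or a native gem — confirm).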
action [:enable, :start]
supports :restart => true
subscribes :restart, "rails_port[#{site_name}]"
- subscribes :restart, "systemd_service[#{name}]"
+ subscribes :restart, "systemd_service[rails-jobs@]"
only_if "fgrep -q delayed_job #{rails_directory}/Gemfile.lock"
end
user "apis"
group "apis"
subscribes :run, "execute[#{cgimap_directory}/configure]", :immediately
- notifies :restart, "service[cgimap@#{name}]"
end
template "/etc/default/cgimap-#{name}" do
:database_port => node[:postgresql][:clusters][:"14/main"][:port],
:database_name => database_name,
:log_directory => log_directory
- notifies :restart, "service[cgimap@#{name}]"
end
service "cgimap@#{name}" do
action [:start, :enable]
+ subscribes :restart, "execute[#{cgimap_directory}/Makefile]"
+ subscribes :restart, "template[/etc/default/cgimap-#{name}]"
+ subscribes :restart, "systemd_service[cgimap@]"
end
end
# Remove Proxy request header to mitigate https://httpoxy.org/
RequestHeader unset Proxy early
- ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/default.sock|fcgi://127.0.0.1
- ProxyPassMatch ^/(.*\.phpx(/.*)?)$ unix:/run/php/default.sock|fcgi://127.0.0.1
- ProxyPassMatch ^/(.*\.phpj(/.*)?)$ unix:/run/php/default.sock|fcgi://127.0.0.1
+ ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php-default-fpm.sock|fcgi://127.0.0.1
+ ProxyPassMatch ^/(.*\.phpx(/.*)?)$ unix:/run/php/php-default-fpm.sock|fcgi://127.0.0.1
+ ProxyPassMatch ^/(.*\.phpj(/.*)?)$ unix:/run/php/php-default-fpm.sock|fcgi://127.0.0.1
</VirtualHost>
<VirtualHost *:80>
RewriteRule ^/cgi-bin/(.*)$ /~<%= @user %>/cgi-bin/$1 [PT,L]
<FilesMatch ".+\.ph(p|ps|p3|tml)$">
- SetHandler "proxy:unix:/run/php/<%= @user %>.sock|fcgi://127.0.0.1"
+ SetHandler "proxy:unix:/run/php/php-<%= @user %>-fpm.sock|fcgi://127.0.0.1"
</FilesMatch>
</VirtualHost>
<html>
-<body>
-You've reached errol, the OpenStreetMap dev server. <br />
-<dl>
-<dt>If you are a user...</dt>
-<dd>You probably want <a href="https://www.openstreetmap.org/">OpenStreetMap</a> itself.</dd>
-<dt>If you are a developer...</dt>
-<dd>You might be interested in <a href="https://apis.dev.openstreetmap.org/">live instances</a> of various <a href="https://github.com/openstreetmap/openstreetmap-website#readme">Rails Port</a> code branches for testing clients against.</dd>
-</body>
+ <body>
+ <h4>
+ You've reached <a href="https://hardware.openstreetmap.org/servers/faffy.openstreetmap.org/">faffy</a>, the OpenStreetMap dev server.
+ </h4>
+ <dl>
+ <dt>If you are a user...</dt>
+ <dd>
+ You probably want
+ <a href="https://www.openstreetmap.org/">OpenStreetMap</a> itself.
+ </dd>
+ <dt>If you are a developer...</dt>
+ <dd>
+ You might be interested in
+ <a href="https://apis.dev.openstreetmap.org/">live instances</a> of
+ various
+ <a href="https://github.com/openstreetmap/openstreetmap-website#readme">Rails Port</a>
+ code branches for testing clients against.
+ </dd>
+ <dt>Request an account</dt>
+ <dd>
+ Anyone who wants to work on OpenStreetMap-related projects can
+ <a href="https://github.com/openstreetmap/operations/issues/new?assignees=Firefishy&labels=faffy%2Cuser+request&template=ACCOUNT-REQUEST.yml&title=%5BAccount+request%5D%3A+">request an account</a>
+ on the dev server.
+ </dd>
+ </dl>
+ </body>
</html>
# DO NOT EDIT - This file is being maintained by Chef
-option architecture-type code 93 = unsigned integer 16;
+option arch code 93 = unsigned integer 16;
+# ilo5 expects TZ data per rfc4833
+option PCode code 100 = text;
+option TCode code 101 = text;
default-lease-time 600;
max-lease-time 7200;
option routers <%= interface[:gateway] %>;
option domain-name "<%= @domain %>";
option domain-name-servers <%= interface[:gateway] %>;
- option ntp-servers <%= node[:ntp][:servers].first %>;
-
- class "pxeclients" {
- match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
- next-server <%= interface[:gateway] %>;
-
- if option architecture-type = 00:07 {
- filename "netboot.xyz.efi";
- } else {
- filename "netboot.xyz.kpxe";
- }
+ option ntp-servers <%= node[:ntp][:servers].join(", ") %>;
+
+ option time-offset 0;
+ option PCode "UTC0";
+ option TCode "Etc/UTC";
+
+ next-server <%= interface[:gateway] %>;
+
+ # See https://netboot.xyz/docs/docker/#dhcp-configurations
+ if exists user-class and ( option user-class = "iPXE" ) {
+ filename "http://boot.netboot.xyz/menu.ipxe";
+ } elsif option arch = encode-int ( 16, 16 ) {
+ filename "http://boot.netboot.xyz/ipxe/netboot.xyz.efi";
+ option vendor-class-identifier "HTTPClient";
+ } elsif option arch = 00:07 {
+ filename "netboot.xyz.efi";
+ } else {
+ filename "netboot.xyz.kpxe";
}
}
<% end -%>
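Review bot: The new iPXE branches chain-load `http://boot.netboot.xyz/menu.ipxe` and `http://boot.netboot.xyz/ipxe/netboot.xyz.efi` over plain HTTP from a public host, and `next-server` now applies to every client instead of the former `pxeclients` class, so the full boot path of a machine on this network is unauthenticated and depends on DNS and HTTP to a third party. Whether that is acceptable rests on the OOB network being isolated and trusted, which the template cannot show; at minimum a comment stating that assumption belongs beside the `filename` lines, and mirroring the menu on the gateway or using `https://` where the iPXE build has TLS support would remove the external dependency. The `if exists user-class and ( option user-class = "iPXE" )` branch also trusts any client that claims to be iPXE, which is fine only under the same assumption.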
fixed-address eddie.oob.openstreetmap.org;
}
-host errol.oob.openstreetmap.org {
- hardware ethernet 00:e0:81:c0:8d:01;
- server-name "errol.oob.openstreetmap.org";
- fixed-address errol.oob.openstreetmap.org;
-}
-
host eustace.oob.openstreetmap.org {
hardware ethernet 1c:c1:de:71:4d:2e;
server-name "eustace.oob.openstreetmap.org";
fixed-address eustace.oob.openstreetmap.org;
}
+host faffy.oob.openstreetmap.org {
+ hardware ethernet 98:f2:b3:21:f6:e2;
+ server-name "faffy.oob.openstreetmap.org";
+ fixed-address faffy.oob.openstreetmap.org;
+}
+
host fafnir.oob.openstreetmap.org {
hardware ethernet 38:63:bb:39:f0:96;
server-name "fafnir.oob.openstreetmap.org";
fixed-address konqi.oob.openstreetmap.org;
}
-host lockheed.oob.openstreetmap.org {
- hardware ethernet 44:1e:a1:57:8f:fe;
- server-name "lockheed.oob.openstreetmap.org";
- fixed-address lockheed.oob.openstreetmap.org;
-}
-
host longma.oob.openstreetmap.org {
hardware ethernet 3c:ec:ef:2f:6d:4e;
server-name "longma.oob.openstreetmap.org";
fixed-address thorn-03.oob.openstreetmap.org;
}
-host urmel.oob.openstreetmap.org {
- hardware ethernet 1c:c1:de:e7:4d:b2;
- server-name "urmel.oob.openstreetmap.org";
- fixed-address urmel.oob.openstreetmap.org;
-}
-
host ysera.oob.openstreetmap.org {
hardware ethernet ac:1f:6b:c1:40:2a;
server-name "ysera.oob.openstreetmap.org";
Require all granted
<FilesMatch ".+\.ph(ar|p|tml)$">
- SetHandler "proxy:unix:/run/php/<%= @name %>.sock|fcgi://127.0.0.1"
+ SetHandler "proxy:unix:/run/php/php-<%= @name %>-fpm.sock|fcgi://127.0.0.1"
</FilesMatch>
</Directory>
depends "accounts"
depends "apache"
depends "git"
+depends "systemd"
libwww-perl
libxml-treebuilder-perl
libxml-writer-perl
+ libyaml-perl
libyaml-libyaml-perl
lockfile-progs
]
-remote_file "/usr/local/bin/dnscontrol" do
- action :create
- source "https://github.com/StackExchange/dnscontrol/releases/download/v3.12.0/dnscontrol-Linux"
+cache_dir = Chef::Config[:file_cache_path]
+
+dnscontrol_version = "3.23.0"
+
+dnscontrol_arch = if arm?
+ "arm64"
+ else
+ "amd64"
+ end
+
+remote_file "#{cache_dir}/dnscontrol-#{dnscontrol_version}.deb" do
+ source "https://github.com/StackExchange/dnscontrol/releases/download/v#{dnscontrol_version}/dnscontrol-#{dnscontrol_version}.#{dnscontrol_arch}.deb"
owner "root"
group "root"
- mode "755"
+ mode "644"
+ backup false
+end
+
+dpkg_package "dnscontrol" do
+ action :nothing
+ source "#{cache_dir}/dnscontrol-#{dnscontrol_version}.deb"
+ subscribes :install, "remote_file[#{cache_dir}/dnscontrol-#{dnscontrol_version}.deb]"
end
directory "/srv/dns.openstreetmap.org" do
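Review bot: The `remote_file` fetching `dnscontrol-#{dnscontrol_version}.#{dnscontrol_arch}.deb` from GitHub has no `checksum`, and the subscribed `dpkg_package` then installs whatever arrived as root, so a swapped or tampered release asset is installed without any verification; the previous bare-binary download had the same gap, but the move to a versioned package is the natural point to close it. Pin the published SHA-256 per architecture, e.g. `checksum dnscontrol_checksums[dnscontrol_arch]` backed by a small hash keyed by `"amd64"` / `"arm64"` declared next to `dnscontrol_version`, so a version bump forces the hashes to be updated and Chef refuses a mismatching download before `dpkg_package` ever runs. Verifying a detached signature, if the release provides one, would be stronger still, but the checksum is the minimal step.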
variables :passwords => passwords, :geoservers => geoservers
end
-cron_d "dns" do
- minute "*/3"
+systemd_service "dns-check" do
+ description "Rebuild DNS zones with GeoDNS changes"
+ exec_start "/usr/local/bin/dns-check"
user "git"
- command "/usr/local/bin/dns-check"
- mailto "admins@openstreetmap.org"
+ sandbox :enable_network => true
+ proc_subset "all"
+ read_write_paths "/var/lib/dns"
+end
+
+systemd_timer "dns-check" do
+ description "Rebuild DNS zones with GeoDNS changes"
+ on_boot_sec "3m"
+ on_unit_active_sec "3m"
+end
+
+service "dns-check.timer" do
+ action [:enable, :start]
end
{
"gandi_v5": {
+ "TYPE": "GANDI_V5",
"apikey": "<%= @passwords["gandi"] %>",
"sharing_id": "7028b616-ba65-11e7-8343-00163ec31f40"
},
"cloudflare": {
+ "TYPE": "CLOUDFLAREAPI",
"accountid": "049c95aba02c95fc1e78a9d255282e0f",
"accountname": "OpenStreetMap",
"apitoken": "<%= @passwords["cloudflare"] %>"
git pull -q
-make --jobs update
+make --jobs check update
lockfile-remove update
+++ /dev/null
-# Add the docker APT source
-default[:apt][:sources] = node[:apt][:sources] | ["docker"]
version "1.0.0"
supports "ubuntu"
depends "apt"
+depends "systemd"
# limitations under the License.
#
-include_recipe "apt"
+include_recipe "apt::docker"
package %w[
docker-ce
action [:enable, :start]
subscribes :restart, "template[/etc/docker/daemon.json]"
end
+
+systemd_service "docker-system-prune" do
+ description "Cleanup up unused docker images and containers"
+ after ["docker.service"]
+ wants ["docker.service"]
+ user "root"
+ exec_start "/usr/bin/docker system prune --all --force"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+end
+
+systemd_timer "docker-system-prune" do
+ description "Cleanup up unused docker images and containers"
+ on_boot_sec "2h"
+ on_unit_active_sec "7d"
+ randomized_delay_sec "4h"
+end
+
+service "docker-system-prune.timer" do
+ action [:enable, :start]
+end
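Review bot: `docker system prune --all --force` removes every stopped container as well as unused images, so a container that happens to be stopped when the weekly timer fires — for maintenance or after a failed start — loses its writable layer and the image it ran from. If that is not intended, `docker image prune --all --force` limits the cleanup to images, or `--filter until=168h` on the existing command spares anything created in the last week; either way a comment on the `exec_start` line should say that stopped containers are fair game. The command does not pass `--volumes`, so named volumes survive, which is worth stating in that comment too.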
depends "git"
depends "mysql"
depends "php"
+depends "systemd"
template "apache.erb"
end
-cron_d "osmf-donate" do
- minute "*/2"
+systemd_service "osmf-donate" do
+ description "Update donation list"
+ exec_start "/usr/bin/php /srv/donate.openstreetmap.org/scripts/update_csv_donate2016.php"
+ working_directory "/srv/donate.openstreetmap.org/scripts"
user "donate"
- command "cd /srv/donate.openstreetmap.org/scripts/; /usr/bin/php /srv/donate.openstreetmap.org/scripts/update_csv_donate2016.php"
+ sandbox true
+ memory_deny_write_execute true
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/srv/donate.openstreetmap.org/data"
+end
+
+systemd_timer "osmf-donate" do
+ description "Update donation list"
+ on_boot_sec "2m"
+ on_unit_inactive_sec "2m"
+end
+
+service "osmf-donate.timer" do
+ action [:enable, :start]
end
template "/etc/cron.daily/osmf-donate-backup" do
Require all granted
<FilesMatch ".+\.ph(ar|p|tml)$">
- SetHandler "proxy:unix:/run/php/donate.openstreetmap.org.sock|fcgi://127.0.0.1"
+ SetHandler "proxy:unix:/run/php/php-donate.openstreetmap.org-fpm.sock|fcgi://127.0.0.1"
</FilesMatch>
</Directory>
default[:elasticsearch][:cluster][:routing][:allocation][:disk][:watermark][:high] = "90%"
default[:elasticsearch][:cluster][:routing][:allocation][:disk][:watermark][:flood_stage] = "95%"
default[:elasticsearch][:path][:data] = "/var/lib/elasticsearch"
-
-default[:apt][:sources] |= ["elasticsearch#{node[:elasticsearch][:version]}"]
# limitations under the License.
#
-include_recipe "apt"
+case node[:elasticsearch][:version]
+when "6.x" then include_recipe "apt::elasticsearch6"
+when "8.x" then include_recipe "apt::elasticsearch8"
+end
package "default-jre-headless"
package "elasticsearch"
exim4
openssl
ssl-cert
+ mailutils
]
package "exim4-daemon-heavy" do
only_if { ::File.exist?("/var/run/clamav/clamd.ctl") }
end
+group "Debian-exim" do
+ action :modify
+ members "clamav"
+ append true
+ only_if { ::File.exist?("/var/run/clamav/clamd.ctl") }
+end
+
group "ssl-cert" do
action :modify
members "Debian-exim"
relay_from_hosts = node[:exim][:relay_from_hosts]
if node[:exim][:smarthost_name]
- search(:node, "roles:gateway") do |gateway|
- allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
- "#{interface[:network]}/#{interface[:prefix]}"
- end
-
- node.default[:networking][:wireguard][:peers] << {
- :public_key => gateway[:networking][:wireguard][:public_key],
- :allowed_ips => allowed_ips,
- :endpoint => "#{gateway.name}:51820"
- }
- end
-
search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host|
relay_from_hosts |= host.ipaddresses(:role => :external)
end
purge true
end
+template "/etc/mail.rc" do
+ source "mail.rc.erb"
+ owner "root"
+ group "root"
+ mode "644"
+end
+
munin_plugin "exim_mailqueue"
munin_plugin "exim_mailstats"
prometheus_exporter "exim" do
port 9636
+ user "Debian-exim"
+ protect_proc "default"
end
if node[:exim][:smarthost_name]
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+
+set sendmail="smtp://localhost"
prometheus_exporter "fail2ban" do
port 9635
+ user "root"
+ restrict_address_families "AF_UNIX"
end
DocumentRoot /srv/forum.openstreetmap.org/html
<FilesMatch ".+\.ph(ar|p|tml)$">
- SetHandler "proxy:unix:/run/php/forum.openstreetmap.org.sock|fcgi://127.0.0.1"
+ SetHandler "proxy:unix:/run/php/php-forum.openstreetmap.org-fpm.sock|fcgi://127.0.0.1"
</FilesMatch>
</VirtualHost>
email_sender "webmaster@openstreetmap.org"
email_sender_name "OSMF Board Wiki"
private_site true
- version "1.37"
+ version "1.38"
end
cookbook_file "/srv/board.osmfoundation.org/Wiki.png" do
email_sender "webmaster@openstreetmap.org"
email_sender_name "OSMF Board Wiki"
private_site true
- version "1.37"
+ version "1.38"
end
cookbook_file "/srv/dwg.osmfoundation.org/Wiki.png" do
email_sender "webmaster@openstreetmap.org"
email_sender_name "OSMF Board Wiki"
private_site true
- version "1.37"
+ version "1.38"
end
cookbook_file "/srv/mwg.osmfoundation.org/Wiki.png" do
email_sender_name "OSMF Wiki"
private_accounts true
extra_file_extensions ["mp3"]
- version "1.37"
+ version "1.38"
end
mediawiki_skin "osmf" do
group node[:mediawiki][:group]
mode "644"
end
+
+template "/srv/wiki.osmfoundation.org/robots.txt" do
+ owner node[:mediawiki][:user]
+ group node[:mediawiki][:group]
+ mode "644"
+ source "robots.txt.erb"
+end
--- /dev/null
+User-agent: ia_archiver
+Allow: /
+
+User-agent: 008
+Disallow: /
+
+User-agent: *
+Disallow: /index.php/
+Disallow: /wiki/Spam
+Disallow: /wiki/Donate/International_Bank_Transfers
+Allow: /w/load.php
+Allow: /w/images/
+Allow: /w/skins/
+Disallow: /w/
+Disallow: /wiki/Special:Collection
+Disallow: /wiki/Special:Random
+Disallow: /wiki/Special%3ARandom
+Disallow: /wiki/Special:Search
+
+User-agent: Exabot
+Crawl-delay: 60
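Review bot: `Disallow: /wiki/Donate/International_Bank_Transfers` only asks well-behaved crawlers to skip the page; it does not restrict access, and because robots.txt is itself public it advertises the path to anyone looking for bank details. If the page's content is meant to be restricted, that needs MediaWiki read permissions or removal of the page, not this file; if the aim is only to keep it out of search results, a `# advisory only - does not restrict access` comment above the line prevents the entry being mistaken for a control. The `User-agent: 008` block likewise has no explanation; a comment naming the crawler would help the next maintainer.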
user "root"
exec_start "/bin/systemctl reload-or-restart gdnsd"
standard_output "null"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
end
systemd_path "gdnsd-reload" do
default[:geoipupdate][:account] = "149244"
default[:geoipupdate][:editions] = %w[GeoLite2-ASN GeoLite2-City GeoLite2-Country]
default[:geoipupdate][:directory] = "/usr/share/GeoIP"
-
-default[:apt][:sources] |= ["maxmind"]
# limitations under the License.
#
-include_recipe "apt"
+include_recipe "apt::maxmind"
license_keys = data_bag_item("geoipupdate", "license-keys")
description "Update GeoIP databases"
user "root"
exec_start "/usr/bin/geoipupdate"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
read_write_paths node[:geoipupdate][:directory]
end
default[:git][:private_user] = "git"
default[:git][:private_group] = "git"
default[:git][:private_nodes] = "fqdn:*"
-
-default[:apt][:sources] |= ["git-core"]
# limitations under the License.
#
-include_recipe "apt"
+include_recipe "apt::git-core"
package "git"
package "gitweb"
+apache_module "cgid"
apache_module "rewrite"
git_site = node[:git][:host]
user "gpstile"
working_directory "/srv/gps-tile.openstreetmap.org"
exec_start "/srv/gps-tile.openstreetmap.org/updater/update"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ nice 10
+ sandbox :enable_network => true
+ read_write_paths "/srv/gps-tile.openstreetmap.org"
restart "on-failure"
end
if node[:dmi] && node[:dmi][:system]
case node[:dmi][:system][:manufacturer]
when "HP"
- default[:apt][:sources] |= ["management-component-pack"]
-
case node[:dmi][:system][:product_name]
when "ProLiant DL360 G6", "ProLiant DL360 G7", "ProLiant SE326M1R2"
default[:hardware][:sensors][:"power_meter-*"][:power][:power1] = { :ignore => true }
end
end
-if node[:kernel] && node[:kernel][:modules]
- raidmods = node[:kernel][:modules].keys & %w[cciss hpsa mptsas mpt2sas mpt3sas megaraid_mm megaraid_sas aacraid]
-
- default[:apt][:sources] |= ["hwraid"] unless raidmods.empty?
-end
-
if node[:kernel][:modules].include?("ipmi_si")
default[:hardware][:modules] |= ["ipmi_devintf"]
# limitations under the License.
#
-include_recipe "apt"
include_recipe "git"
include_recipe "munin"
include_recipe "prometheus"
end
case manufacturer
-when "HP"
+when "HP", "HPE"
+ include_recipe "apt::management-component-pack"
+
package "hponcfg"
execute "update-ilo" do
action :nothing
command "/usr/sbin/hponcfg -f /etc/ilo-defaults.xml"
+ not_if { kitchen? }
end
template "/etc/ilo-defaults.xml" do
action [:enable, :start]
supports :status => true, :restart => true
end
+ elsif product.end_with?("Gen10")
+ package "amsd" do
+ action :install
+ notifies :restart, "service[amsd]"
+ end
+
+ service "amsd" do
+ action [:enable, :start]
+ supports :status => true, :restart => true
+ end
end
- units << "1"
+ units << if product.end_with?("Gen10")
+ "0"
+ else
+ "1"
+ end
when "TYAN"
units << "0"
when "TYAN Computer Corporation"
units.sort.uniq.each do |unit|
service "serial-getty@ttyS#{unit}" do
action [:enable, :start]
+ not_if { kitchen? }
end
end
end
end
+package "initramfs-tools"
+
execute "update-initramfs" do
action :nothing
command "update-initramfs -u -k all"
prometheus_exporter "ipmi" do
port 9290
+ user "root"
+ private_devices false
+ protect_clock false
+ system_call_filter ["@system-service", "@raw-io"]
options "--config.file=/etc/prometheus/ipmi_local.yml"
subscribes :restart, "template[/etc/prometheus/ipmi_local.yml]"
end
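Review bot: The ipmi exporter now runs as `user "root"` with `private_devices false`, `protect_clock false` and a syscall filter widened with `@raw-io` (L2139-L2142) while still serving port 9290, so any flaw in the exporter is a root-level one on the host. The `smart` collector in this same diff bounds its root user with `capability_bounding_set %w[CAP_DAC_OVERRIDE CAP_SYS_ADMIN CAP_SYS_RAWIO]`; if `prometheus_exporter` accepts the same property (its definition is not visible here), adding a `capability_bounding_set` with only the capabilities ipmi access actually needs would limit what root can do, and a comment such as `# runs as root: needs /dev/ipmi* and raw I/O` would record why the defaults were relaxed. The rasdaemon exporter at L2157-L2160 also runs as root and would benefit from the same treatment.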
template "lldp.rb.erb"
end
+package %w[
+ rasdaemon
+ ruby-sqlite3
+]
+
+service "rasdaemon" do
+ action [:enable, :start]
+end
+
+prometheus_exporter "rasdaemon" do
+ port 9797
+ user "root"
+end
+
tools_packages = []
status_packages = {}
end
end
+include_recipe "apt::hwraid" unless status_packages.empty?
+
if status_packages.include?("cciss-vol-status")
template "/usr/local/bin/cciss-vol-statusd" do
source "cciss-vol-statusd.erb"
systemd_service "cciss-vol-statusd" do
description "Check cciss_vol_status values in the background"
exec_start "/usr/local/bin/cciss-vol-statusd"
+ nice 10
private_tmp true
protect_system "full"
protect_home true
if !intel_ssds.empty? || !intel_nvmes.empty?
package "unzip"
- intel_mas_tool_version = "1.10"
- intel_mas_package_version = "#{intel_mas_tool_version}.155-0"
+ sst_tool_version = "1.3"
+ sst_package_version = "#{sst_tool_version}.208-0"
- remote_file "#{Chef::Config[:file_cache_path]}/Intel_MAS_CLI_Tool_#{intel_mas_tool_version}_Linux.zip" do
- source "https://downloadmirror.intel.com/646992/Intel_MAS_CLI_Tool_Linux_#{intel_mas_tool_version}-v2.zip"
- end
+ # remote_file "#{Chef::Config[:file_cache_path]}/SST_CLI_Linux_#{sst_tool_version}.zip" do
+ # source "https://downloadmirror.intel.com/743764/SST_CLI_Linux_#{sst_tool_version}.zip"
+ # end
- execute "#{Chef::Config[:file_cache_path]}/Intel_MAS_CLI_Tool_#{intel_mas_tool_version}_Linux.zip" do
- command "unzip Intel_MAS_CLI_Tool_#{intel_mas_tool_version}_Linux.zip intelmas_#{intel_mas_package_version}_amd64.deb"
+ execute "#{Chef::Config[:file_cache_path]}/SST_CLI_Linux_#{sst_tool_version}.zip" do
+ command "unzip SST_CLI_Linux_#{sst_tool_version}.zip sst_#{sst_package_version}_amd64.deb"
cwd Chef::Config[:file_cache_path]
user "root"
group "root"
- not_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/intelmas_#{intel_mas_package_version}_amd64.deb") }
+ not_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/sst_#{sst_package_version}_amd64.deb") }
end
- dpkg_package "intelmas" do
- version "#{intel_mas_package_version}"
- source "#{Chef::Config[:file_cache_path]}/intelmas_#{intel_mas_package_version}_amd64.deb"
+ dpkg_package "sst" do
+ version "#{sst_package_version}"
+ source "#{Chef::Config[:file_cache_path]}/sst_#{sst_package_version}_amd64.deb"
end
- dpkg_package "isdct" do
+ dpkg_package "intelmas" do
action :purge
end
end
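Review bot: The `remote_file` that fetched the SST zip is commented out (L2187-L2189), but the `execute` at L2192 still unzips `SST_CLI_Linux_#{sst_tool_version}.zip` from the file cache and the `dpkg_package` at L2203 reads the extracted deb, so on a freshly built host with Intel SSDs both resources fail unless the zip was placed in the cache by hand. Either restore the download (with a `checksum` property so the archive is verified before it is unpacked and installed as root) or guard both resources with `only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/SST_CLI_Linux_#{sst_tool_version}.zip") }`. Whichever is chosen, a comment above the commented block, e.g. `# SST zip is no longer fetched automatically; it must be present in the file cache before this runs`, would tell the next operator what the manual step is.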
prometheus_collector "smart" do
interval "15m"
+ user "root"
+ capability_bounding_set %w[CAP_DAC_OVERRIDE CAP_SYS_ADMIN CAP_SYS_RAWIO]
+ private_devices false
+ private_users false
+ protect_clock false
end
# Don't try and do munin monitoring of disks behind
content mdadm_conf
end
- service "mdadm" do
+ service "mdmonitor" do
action :nothing
subscribes :restart, "file[/etc/mdadm/mdadm.conf]"
end
prometheus_collector "ohai" do
interval "15m"
+ user "root"
+ proc_subset "all"
+ capability_bounding_set %w[CAP_DAC_OVERRIDE CAP_SYS_ADMIN]
+ private_devices false
+ private_users false
+ protect_clock false
+ protect_kernel_modules false
end
+++ /dev/null
-#!/bin/sh
-
-# DO NOT EDIT - This file is being maintained by Chef
-
-echo "$MESSAGE" | /usr/bin/mail -s "Machine Check Exception for <%= node[:fqdn] %>" admins@openstreetmap.org
def find_megaraid_disks(devices)
controllers = []
arrays = []
+ disks = []
controller = nil
array = nil
devices[:disks] << disk
controller[:disks] << disk[:id]
array[:disks] << disk[:id]
+
+ disks << disk
elsif disk && line =~ /^Firmware state:\s+(\S.*)$/
status, state = Regexp.last_match(1).split(/,\s*/)
case status
end
elsif disk && line =~ /^(\S.*\S)\s*:\s+(\S.*)$/
case Regexp.last_match(1)
- when "Device Id" then disk[:smart_device] = "megaraid,#{Regexp.last_match(2)}"
+ when "Device Id" then disk[:device_id] = Regexp.last_match(2)
when "WWN" then disk[:wwn] = Regexp.last_match(2)
when "PD Type" then disk[:interface] = Regexp.last_match(2)
when "Raw Size" then disk[:size] = memory_to_disk_size(Regexp.last_match(2).sub(/\s*\[.*\]$/, ""))
controller = controllers[Regexp.last_match(1).to_i]
elsif controller && line =~ /^Enclosure Device ID: \d+$/
disk = {
- :controller => controller[:id]
+ :controller => controller[:id],
+ :arrays => []
}
elsif disk && line =~ /^WWN:\s+(\S+)$/
unless devices[:disks].find { |d| d[:wwn] == Regexp.last_match(1) }
disk[:wwn] = Regexp.last_match(1)
devices[:disks] << disk
+
+ disks << disk
end
elsif disk && line =~ /^Firmware state:\s+(\S.*)$/
status, state = Regexp.last_match(1).split(/,\s*/)
end
elsif disk && line =~ /^(\S.*\S)\s*:\s+(\S.*)$/
case Regexp.last_match(1)
- when "Device Id" then disk[:smart_device] = "megaraid,#{Regexp.last_match(2)}"
+ when "Device Id" then disk[:device_id] = Regexp.last_match(2)
when "PD Type" then disk[:interface] = Regexp.last_match(2)
when "Raw Size" then disk[:size] = memory_to_disk_size(Regexp.last_match(2).sub(/\s*\[.*\]$/, ""))
when "Inquiry Data" then disk[:vendor], disk[:model], disk[:serial_number] = Regexp.last_match(2).split
controller[:device] = "/dev/#{File.basename(device)}"
end
end
+
+ disks.each do |disk|
+ controller = devices[:controllers][disk[:controller]]
+
+ if id = disk.delete(:device_id)
+ if device = Dir.glob("/sys/bus/pci/devices/#{controller[:pci_slot]}/host*/target0:0:#{id}/0:0:#{id}:0/block/sd*").first
+ disk[:device] = "/dev/#{File.basename(device)}"
+ else
+ disk[:smart_device] = "megaraid,#{id}"
+ end
+ end
+ end
end
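Review bot: The new post-processing loop uses assignment inside a condition twice, `if id = disk.delete(:device_id)` and `if device = Dir.glob(...).first` (L2297-L2298), which reads as a possible `==` typo and is flagged by rubocop's Lint/AssignmentInCondition; hoisting each into its own statement, `id = disk.delete(:device_id)` followed by `next unless id`, and likewise `device = Dir.glob(...).first`, keeps the behaviour and reads unambiguously. The glob also interpolates `controller[:pci_slot]`, which is not set anywhere in the visible hunks; if it can be nil the path collapses to `/sys/bus/pci/devices//host*/...`, matches nothing and the disk silently falls back to `megaraid,#{id}`, which is presumably the intended fallback but is worth a `# no sysfs block device found (or pci_slot unknown): address via smartctl -d megaraid,N` comment. `find_megaraid_disks` begins in an earlier hunk (L2244), so the rest of the parsing state this loop depends on is outside this one.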
def find_mpt1_disks(devices)
<% elsif disk[:device] =~ /nvme/ -%>
/dev/<%= disk[:device] %>|nvme
<% else -%>
-/dev/<%= disk[:device] %>|sat
+/dev/<%= disk[:device] %>|auto
<% end -%>
<% end -%>
--- /dev/null
+name "ideditor"
+maintainer "OpenStreetMap Administrators"
+maintainer_email "admins@openstreetmap.org"
+license "Apache-2.0"
+description "Configures ideditor.com web site"
+
+version "1.0.0"
+supports "ubuntu"
+depends "apache"
--- /dev/null
+#
+# Cookbook:: ideditor
+# Recipe:: default
+#
+# Copyright:: 2022, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apache"
+
+ssl_certificate "preview.ideditor.com" do
+ domains ["preview.ideditor.com"]
+ notifies :reload, "service[apache2]"
+end
+
+apache_site "preview.ideditor.com" do
+ template "apache.erb"
+end
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+
+<VirtualHost *:80>
+ ServerName <%= @name %>
+ ServerAdmin webmaster@openstreetmap.org
+
+ CustomLog /var/log/apache2/<%= @name %>-access.log combined
+ ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+ RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+ Redirect permanent / https://<%= @name %>/
+</VirtualHost>
+<VirtualHost *:443>
+ ServerName <%= @name %>
+ ServerAdmin webmaster@openstreetmap.org
+
+ CustomLog /var/log/apache2/<%= @name %>-access.log combined
+ ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+ RewriteEngine on
+ RewriteRule ^/release/?.* https://ideditor-release.netlify.app/ [QSD,L,R=307]
+ RewriteRule ^/?.* https://ideditor.netlify.app/ [QSD,L,R=307]
+</VirtualHost>
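Review bot: The pattern `^/release/?.*` on L2379 is not anchored after the path segment, so `/releases`, `/release-notes` and any other path beginning with `/release` are sent to the release preview as well; `RewriteRule ^/release(/.*)?$ https://ideditor-release.netlify.app/ [QSD,L,R=307]` limits it to the intended prefix. The :443 vhost also sets no `Strict-Transport-Security` header; since the :80 vhost already forces HTTPS, adding HSTS here is consistent if the repo's other TLS vhosts do so (they are not visible in this diff). A short comment above the two rules, `# Everything is proxied by redirect to Netlify; QSD drops the query string on purpose`, would explain the `QSD` flag to the next reader.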
include_recipe "nginx"
include_recipe "git"
-# Imagery gdal Requirements
-package "gdal-bin"
-# python-gdal - disable while broken in gis unstable repo
+# Imagery gdal and proj requirements
+package %w[
+ gdal-bin
+ python3-gdal
+ proj-bin
+]
-# Imagery MapServer + Mapcache Requirements
+# Imagery MapServer + Mapcache requirements
package %w[
cgi-mapserver
mapcache-cgi
mapcache-tools
]
-# Mapserver via Nginx requires as fastcgi spawner
+# Mapserver via nginx requires as fastcgi spawner
package %w[
spawn-fcgi
multiwatch
recursive true
end
-directory "/srv/imagery/common/ostn02-ntv2-data" do
- owner "root"
- group "root"
- mode "755"
-end
-
-remote_file "#{Chef::Config[:file_cache_path]}/ostn02-ntv2-data.zip" do
- source "https://www.ordnancesurvey.co.uk/docs/gps/ostn02-ntv2-data.zip"
- not_if { ::File.exist?("/srv/imagery/common/ostn02-ntv2-data/OSTN02_NTv2.gsb") }
-end
-
-archive_file "#{Chef::Config[:file_cache_path]}/ostn02-ntv2-data.zip" do
- destination "/srv/imagery/common/ostn02-ntv2-data"
- owner "root"
- group "root"
- not_if { ::File.exist?("/srv/imagery/common/ostn02-ntv2-data/OSTN02_NTv2.gsb") }
+# Pre-download uk_os_OSTN15_NTv2_OSGBtoETRS.tif used for EPSG:27700 conversions
+execute "uk_os_OSTN15_NTv2_OSGBtoETRS.tif" do
+ command "projsync --file uk_os_OSTN15_NTv2_OSGBtoETRS.tif --system-directory"
+ not_if { ::File.exist?("/usr/share/proj/uk_os_OSTN15_NTv2_OSGBtoETRS.tif") }
end
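Review bot: Deleting the `directory`, `remote_file` and `archive_file` resources for `/srv/imagery/common/ostn02-ntv2-data` (L2407-L2422) removes them from the recipe but not from hosts that already converged, so the old OSTN02 grid and its zip stay on disk indefinitely. Adding an explicit delete, as in the fence below, lets Chef clean up existing nodes and the resource can be dropped again once every host has converged. The new `execute` also downloads the OSTN15 grid from the PROJ CDN at converge time as root with no integrity check beyond what `projsync` itself does; a `# projsync verifies the grid against the PROJ CDN manifest` style comment should only be added if that behaviour has been confirmed.
```ruby
# … unchanged: projsync execute for uk_os_OSTN15_NTv2_OSGBtoETRS.tif …
directory "/srv/imagery/common/ostn02-ntv2-data" do
  recursive true
  action :delete
end
```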
nginx_site "default" do
copyright "Contains OS data © Crown copyright and database right 2022"
background_colour "213 244 248" # OS OpenMap Local Water Blue
extension "os_om_local_png"
- url_aliases ["/om-local-2022-04", "/om-local"]
+end
+
+imagery_layer "gb_os_om_local_2022_10" do
+ site "os.openstreetmap.org"
+ title "OS OpenMap Local - October 2022"
+ projection "EPSG:27700"
+ source "/data/imagery/gb/openmap-local/2022-10/os-openmap-local-2022-10.vrt"
+ copyright "Contains OS data © Crown copyright and database right 2022"
+ background_colour "213 244 248" # OS OpenMap Local Water Blue
+ extension "os_om_local_png"
+ url_aliases ["/om-local-2022-10", "/om-local"]
default_layer true
end
end
layers = Dir.glob("/srv/imagery/layers/#{new_resource.site}/*.yml").collect do |path|
- YAML.safe_load(::File.read(path), [Symbol])
+ YAML.safe_load(::File.read(path), :permitted_classes => [Symbol])
end
declare_resource :template, "/srv/#{new_resource.site}/imagery.js" do
systemd_service "mapserv-fcgi-#{new_resource.site}" do
description "Map server for #{new_resource.site} layer"
environment "MS_MAP_PATTERN" => "^/srv/imagery/mapserver/",
- "=" => "0",
+ "MS_DEBUGLEVEL" => "0",
"MS_ERRORFILE" => "stderr",
"GDAL_CACHEMAX" => "512"
limit_nofile 16384
memory_high "1G"
- memory_max "2G"
+ memory_max "4G"
user "imagery"
group "imagery"
- exec_start "/usr/bin/multiwatch -f 12 --signal=TERM -- /usr/lib/cgi-bin/mapserv"
+ exec_start "/usr/bin/multiwatch -f 8 --signal=TERM -- /usr/lib/cgi-bin/mapserv"
standard_input "socket"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
- # Terminate service after 5mins. Service is socket activated
- runtime_max_sec 300
+ sandbox true
+ restrict_address_families "AF_UNIX"
+ # Terminate service after 30mins. Service is socket activated
+ runtime_max_sec 1800
end
systemd_socket "mapserv-fcgi-#{new_resource.site}" do
<% end -%>
IMAGETYPE <%= @extension %>
PROJECTION
- <% if @projection == "EPSG:27700" -%>
- <%# Override EPSG:27700 to use accurate nadgrid %>
- "+proj=tmerc +lat_0=49 +lon_0=-2 +k=0.9996012717 +x_0=400000 +y_0=-100000 +ellps=airy +datum=OSGB36 +units=m +no_defs +nadgrids=/srv/imagery/common/ostn02-ntv2-data/OSTN02_NTv2.gsb"
- <% elsif @projection == "namibia_aerial" -%>
+ <% if @projection == "namibia_aerial" -%>
"+proj=tmerc +lat_0=0 +lon_0=17 +k=1 +x_0=600000 +y_0=10000000 +ellps=WGS84 +units=m +no_defs"
<% else -%>
"init=<%= @projection.downcase %>"
NAME "<%= @layer %>"
DATA "<%= @source %>"
PROJECTION
- <% if @projection == "EPSG:27700" -%>
- <%# Override EPSG:27700 to use accurate nadgrid %>
- "+proj=tmerc +lat_0=49 +lon_0=-2 +k=0.9996012717 +x_0=400000 +y_0=-100000 +ellps=airy +datum=OSGB36 +units=m +no_defs +nadgrids=/srv/imagery/common/ostn02-ntv2-data/OSTN02_NTv2.gsb"
- <% elsif @projection == "namibia_aerial" -%>
+ <% if @projection == "namibia_aerial" -%>
"+proj=tmerc +lat_0=0 +lon_0=17 +k=1 +x_0=600000 +y_0=10000000 +ellps=WGS84 +units=m +no_defs"
<% else -%>
"init=<%= @projection.downcase %>"
# Override QUERY_STRING to force mapserver query parameters
fastcgi_param QUERY_STRING "map=/srv/imagery/mapserver/layer-<%= @layer %>.map&mode=tile&layers=<%= @layer %>&tilemode=gmap&tile=$2+$3+$1";
fastcgi_pass "<%= @site %>_fastcgi";
- fastcgi_buffers 8 64k;
- fastcgi_busy_buffers_size 64k;
include fastcgi_params;
fastcgi_param REQUEST_METHOD "GET";
fastcgi_param HTTP_PROXY "";
keepalive_requests 0;
- # Ignore client abort as it causes issues with the pipeline
- fastcgi_ignore_client_abort on;
-
fastcgi_catch_stderr "Image handling error";
fastcgi_next_upstream error timeout invalid_header http_500 http_503;
variables :certificates => certificates
end
-cron_d "letencrypt-renew" do
- minute "00"
- hour "*/12"
+systemd_service "letsencrypt-renew" do
+ description "Renew letsencrypt certificates"
+ exec_start "/srv/acme.openstreetmap.org/bin/renew"
user "letsencrypt"
- command "/srv/acme.openstreetmap.org/bin/renew"
- mailto "admins@openstreetmap.org"
+ sandbox :enable_network => true
+ read_write_paths [
+ "/srv/acme.openstreetmap.org/config",
+ "/srv/acme.openstreetmap.org/html",
+ "/srv/acme.openstreetmap.org/logs",
+ "/srv/acme.openstreetmap.org/work"
+ ]
end
-cron_d "letencrypt-check" do
- minute "30"
- hour "*/12"
+systemd_timer "letsencrypt-renew" do
+ description "Renew letsencrypt certificates"
+ on_boot_sec "1h"
+ on_unit_inactive_sec "12h"
+end
+
+service "letsencrypt-renew.timer" do
+ action [:enable, :start]
+end
+
+systemd_service "letsencrypt-check" do
+ description "Check letsencrypt certificates"
+ exec_start "/srv/acme.openstreetmap.org/bin/check-certificates"
user "letsencrypt"
- command "/srv/acme.openstreetmap.org/bin/check-certificates"
- mailto "admins@openstreetmap.org"
+ sandbox :enable_network => true
+end
+
+systemd_timer "letsencrypt-check" do
+ description "Check letsencrypt certificates"
+ on_boot_sec "2h"
+ on_unit_inactive_sec "12h"
+end
+
+service "letsencrypt-check.timer" do
+ action [:enable, :start]
end
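Review bot: Removing the `cron_d "letencrypt-renew"` and `cron_d "letencrypt-check"` resources (L2520, L2537) does not remove `/etc/cron.d/letencrypt-renew` and `/etc/cron.d/letencrypt-check` from hosts that already converged, so on those nodes the cron jobs keep running alongside the new timers and renewals may run twice every 12 hours. Keep the old resources for one cycle with `cron_d "letencrypt-renew" do` / `action :delete` / `end` (and the same for `letencrypt-check`); the same leftover-file problem applies to the removed crons at L2660 (matomo), L2825-L2871 (the mediawiki site crons) and L3082 (nginx-old-cache-cleanup, whose `/usr/local/bin` script from L3075 is also left behind). The cron entries also carried `mailto "admins@openstreetmap.org"`, so a failed renewal or certificate check no longer reaches anyone unless failures are surfaced elsewhere; an `OnFailure=` unit or an alert on the units' failed state would restore that signal.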
template "/etc/logrotate.d/letsencrypt" do
require "yaml"
-include_recipe "apt"
+include_recipe "apt::elasticsearch8"
package "filebeat"
-default[:matomo][:version] = "4.11.0"
+default[:matomo][:version] = "4.13.0"
default[:matomo][:plugins] = {
"Actions" => nil,
"Annotations" => nil,
depends "geoipupdate"
depends "mysql"
depends "php"
+depends "systemd"
passwords = data_bag_item("matomo", "passwords")
package %w[
+ brotli
+ gzip
php-cli
php-curl
php-mbstring
geoip_directory = node[:geoipupdate][:directory]
-directory "/opt/matomo-#{version}" do
- owner "root"
- group "root"
- mode "0755"
-end
-
remote_file "#{Chef::Config[:file_cache_path]}/matomo-#{version}.zip" do
source "https://builds.matomo.org/matomo-#{version}.zip"
end
archive_file "#{Chef::Config[:file_cache_path]}/matomo-#{version}.zip" do
- action :nothing
destination "/opt/matomo-#{version}"
- overwrite true
- owner "root"
- group "root"
- subscribes :extract, "remote_file[#{Chef::Config[:file_cache_path]}/matomo-#{version}.zip]", :immediately
notifies :run, "notify_group[matomo-updated]"
end
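Review bot: The `remote_file` at L2596 downloads `matomo-#{version}.zip` and, now that `action :nothing` and the `subscribes` are gone from the `archive_file` (L2600, L2605), the archive is unpacked directly into `/opt/matomo-#{version}` on every converge with nothing verifying what was fetched. The version is pinned at L2574, so the digest can be pinned with it: `checksum "<sha256 of matomo-4.13.0.zip, to be filled in>"` on the `remote_file`, which also makes the download idempotent. If the intent of dropping `action :nothing` is that `archive_file` only re-extracts when the zip changes, a `# archive_file skips files already present in the destination` comment would make that expectation explicit, as the removed `owner`/`group`/`overwrite` settings suggest it was tuned before.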
end
archive_file "#{Chef::Config[:file_cache_path]}/matomo-#{plugin_name}-#{plugin_version}.zip" do
- action :nothing
- destination "/opt/matomo-#{version}/matomo/plugins"
- overwrite true
- owner "root"
- group "root"
- subscribes :extract, "remote_file[#{Chef::Config[:file_cache_path]}/matomo-#{plugin_name}-#{plugin_version}.zip]", :immediately
+ destination "/opt/matomo-#{plugin_name}-#{plugin_version}"
+ end
+
+ link "/opt/matomo-#{version}/matomo/plugins/#{plugin_name}" do
+ to "/opt/matomo-#{plugin_name}-#{plugin_version}/#{plugin_name}"
notifies :run, "notify_group[matomo-updated]"
end
end
subscribes :run, "execute[core:update]"
end
+ execute "/opt/matomo-#{version}/matomo/matomo.br" do
+ action :nothing
+ command "brotli --keep --force --best /opt/matomo-#{version}/matomo/matomo.js"
+ cwd "/opt/matomo-#{version}"
+ user "root"
+ group "root"
+ subscribes :run, "execute[custom-matomo-js:update]"
+ end
+
execute "/opt/matomo-#{version}/matomo/matomo.js" do
action :nothing
- command "gzip -k -9 /opt/matomo-#{version}/matomo/matomo.js"
+ command "gzip --keep --force --best /opt/matomo-#{version}/matomo/matomo.js"
+ cwd "/opt/matomo-#{version}"
+ user "root"
+ group "root"
+ subscribes :run, "execute[custom-matomo-js:update]"
+ end
+
+ execute "/opt/matomo-#{version}/matomo/piwik.br" do
+ action :nothing
+ command "brotli --keep --force --best /opt/matomo-#{version}/matomo/piwik.js"
cwd "/opt/matomo-#{version}"
user "root"
group "root"
execute "/opt/matomo-#{version}/matomo/piwik.js" do
action :nothing
- command "gzip -k -9 /opt/matomo-#{version}/matomo/piwik.js"
+ command "gzip --keep --force --best /opt/matomo-#{version}/matomo/piwik.js"
cwd "/opt/matomo-#{version}"
user "root"
group "root"
template "apache.erb"
end
-cron_d "matomo" do
- minute "5"
+systemd_service "matomo-archive" do
+ description "Matomo report archiving"
+ exec_start "/usr/bin/php /srv/matomo.openstreetmap.org/console core:archive --url=https://matomo.openstreetmap.org/"
user "www-data"
- command "/usr/bin/php /srv/matomo.openstreetmap.org/console core:archive --quiet --url=https://matomo.openstreetmap.org/"
+ sandbox true
+ proc_subset "all"
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/opt/matomo-#{version}/matomo/tmp"
+end
+
+systemd_timer "matomo-archive" do
+ description "Matomo report archiving"
+ on_boot_sec "30m"
+ on_unit_inactive_sec "30m"
+end
+
+service "matomo-archive.timer" do
+ action [:enable, :start]
end
ExpiresActive On
RewriteEngine on
- RewriteCond "%{HTTP:Accept-encoding}" "gzip"
+ RewriteCond "%{HTTP:Accept-Encoding}" "br"
+ RewriteCond "%{REQUEST_FILENAME}\.br" -s
+ RewriteRule "^(.*)\.js" "$1\.js\.br" [QSA]
+
+ RewriteCond "%{HTTP:Accept-Encoding}" "gzip"
RewriteCond "%{REQUEST_FILENAME}\.gz" -s
RewriteRule "^(.*)\.js" "$1\.js\.gz" [QSA]
- RewriteRule "\.js\.gz$" "-" [T=text/javascript,E=no-gzip:1]
+ RewriteRule "\.js\.(br|gz)$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
+
+ <FilesMatch "\.js\.br$">
+ Header append Content-Encoding br
+ Header append Vary Accept-Encoding
+ </FilesMatch>
<FilesMatch "\.js\.gz$">
Header append Content-Encoding gzip
Header append Vary Accept-Encoding
</FilesMatch>
- <FilesMatch "(\.js|\.js\.gz)$">
+ <FilesMatch "(\.js|\.js\.gz|\.js\.br)$">
ExpiresDefault "access plus 1 week"
Header set Cache-Control "max-age=604800"
</FilesMatch>
<FilesMatch ".+\.ph(ar|p|tml)$">
- SetHandler "proxy:unix:/run/php/matomo.openstreetmap.org.sock|fcgi://127.0.0.1"
+ SetHandler "proxy:unix:/run/php/php-matomo.openstreetmap.org-fpm.sock|fcgi://127.0.0.1"
</FilesMatch>
</Directory>
depends "memcached"
depends "mysql"
depends "php"
+depends "systemd"
php-zip
composer
unzip
+ ffmpeg
]
# Mediawiki enhanced difference engine
apache_module "proxy"
apache_module "proxy_fcgi"
apache_module "rewrite"
+
+systemd_service "mediawiki-sitemap@" do
+ description "Generate sitemap.xml for %i"
+ exec_start "/usr/bin/php -d memory_limit=2048M -d error_reporting=22517 /srv/%i/w/maintenance/generateSitemap.php --server=https://%i --urlpath=https://%i/ --fspath=/srv/%i --quiet --skip-redirects"
+ user node[:mediawiki][:user]
+ nice 10
+ sandbox true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/srv/%i"
+end
+
+systemd_timer "mediawiki-sitemap@" do
+ description "Generate sitemap.xml for %i"
+ on_calendar "00:30"
+end
+
+systemd_service "mediawiki-jobs@" do
+ description "Run mediawiki jobs for %i"
+ exec_start "/usr/bin/php -d memory_limit=2048M -d error_reporting=22517 /srv/%i/w/maintenance/runJobs.php --server=https://%i --maxtime=175 --memory-limit=2048M --procs=8 --nothrottle --quiet"
+ user node[:mediawiki][:user]
+ nice 10
+ sandbox true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/srv/%i"
+end
+
+systemd_timer "mediawiki-jobs@" do
+ description "Run mediawiki jobs for %i"
+ on_boot_sec "3m"
+ on_unit_inactive_sec "3m"
+end
+
+systemd_service "mediawiki-email-jobs@" do
+ description "Run mediawiki email jobs for %i"
+ exec_start "/usr/bin/php -d memory_limit=2048M -d error_reporting=22517 /srv/%i/w/maintenance/runJobs.php --server=https://%i --maxtime=55 --type=enotifNotify --memory-limit=2048M --procs=4 --nothrottle --quiet"
+ user node[:mediawiki][:user]
+ nice 10
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+end
+
+systemd_timer "mediawiki-email-jobs@" do
+ description "Run mediawiki email jobs for %i"
+ on_boot_sec "1m"
+ on_unit_inactive_sec "1m"
+end
+
+systemd_service "mediawiki-refresh-links@" do
+ description "Refresh mediawiki links for %i"
+ exec_start "/usr/bin/php -d memory_limit=2048M -d error_reporting=22517 /srv/%i/w/maintenance/refreshLinks.php --server=https://%i --memory-limit=2048M --quiet"
+ user node[:mediawiki][:user]
+ nice 10
+ sandbox true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+end
+
+systemd_timer "mediawiki-refresh-links@" do
+ description "Refresh mediawiki links for %i"
+ on_calendar "Sat 00:05"
+end
+
+systemd_service "mediawiki-cleanup-gs" do
+ description "Clean up imagemagick gs_* files"
+ exec_start "/usr/bin/find /tmp -maxdepth 1 -type f -user www-data -mmin +90 -name 'gs_*' -delete"
+ user node[:mediawiki][:user]
+ sandbox true
+end
+
+systemd_timer "mediawiki-cleanup-gs" do
+ description "Clean up imagemagick gs_* files"
+ on_calendar "02:10"
+end
+
+service "mediawiki-cleanup-gs.timer" do
+ action [:enable, :start]
+end
+
+systemd_service "mediawiki-cleanup-magick" do
+ description "Clean up imagemagick magick-* files"
+ exec_start "/usr/bin/find /tmp -maxdepth 1 -type f -user www-data -mmin +90 -name 'magick-*' -delete"
+ user node[:mediawiki][:user]
+ sandbox true
+end
+
+systemd_timer "mediawiki-cleanup-magick" do
+ description "Clean up imagemagick magick-* files"
+ on_calendar "02:20"
+end
+
+service "mediawiki-cleanup-magick.timer" do
+ action [:enable, :start]
+end
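Review bot: `mediawiki-cleanup-gs` and `mediawiki-cleanup-magick` (L2792-L2797, L2808-L2813) run `find /tmp ... -delete` under `sandbox true`; elsewhere in this diff `sandbox` replaces an explicit `private_tmp true` (L2030-L2034, L2468-L2476), so if the helper enables PrivateTmp= these units see an empty private /tmp and never delete the imagemagick files they exist to clean up. Unless the sandbox definition says otherwise, add `private_tmp false` to both units and a comment `# needs the real /tmp: cleans up www-data's imagemagick leftovers`. Separately, `mediawiki-email-jobs@` (L2761-L2769) gets `sandbox :enable_network => true` but, unlike `mediawiki-jobs@` at L2752, no `read_write_paths "/srv/%i"`; if runJobs.php writes under the site directory for the enotifNotify job type it will fail under a read-only filesystem, which is worth confirming before the first timer fires.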
notifies :run, "execute[#{mediawiki_directory}/maintenance/update.php]"
end
- cron_d "mediawiki-#{cron_name}-sitemap" do
- comment "Generate sitemap.xml daily"
- minute "30"
- hour "0"
- user node[:mediawiki][:user]
- command "/usr/bin/nice /usr/bin/php -d memory_limit=2048M -d error_reporting=22517 #{site_directory}/w/maintenance/generateSitemap.php --server=https://#{new_resource.site} --urlpath=https://#{new_resource.site}/ --fspath=#{site_directory} --quiet --skip-redirects"
+ service "mediawiki-sitemap@#{new_resource.site}.timer" do
+ action [:enable, :start]
end
- cron_d "mediawiki-#{cron_name}-jobs" do
- comment "Run mediawiki jobs"
- minute "*/3"
- user node[:mediawiki][:user]
- command "/usr/bin/nice /usr/bin/php -d memory_limit=2048M -d error_reporting=22517 #{site_directory}/w/maintenance/runJobs.php --server=https://#{new_resource.site} --maxtime=160 --memory-limit=2048M --procs=8 --quiet"
+ service "mediawiki-jobs@#{new_resource.site}.timer" do
+ action [:enable, :start]
end
- cron_d "mediawiki-#{cron_name}-email-jobs" do
- comment "Run mediawiki email jobs"
- user node[:mediawiki][:user]
- command "/usr/bin/nice /usr/bin/php -d memory_limit=2048M -d error_reporting=22517 #{site_directory}/w/maintenance/runJobs.php --server=https://#{new_resource.site} --maxtime=30 --type=enotifNotify --memory-limit=2048M --procs=4 --quiet"
+ service "mediawiki-email-jobs@#{new_resource.site}.timer" do
+ action [:enable, :start]
end
- cron_d "mediawiki-#{cron_name}-refresh-links" do
- comment "Run mediawiki refresh links table weekly"
- minute "5"
- hour "0"
- weekday "0"
- user node[:mediawiki][:user]
- command "/usr/bin/nice /usr/bin/php -d memory_limit=2048M -d error_reporting=22517 #{site_directory}/w/maintenance/refreshLinks.php --server=https://#{new_resource.site} --memory-limit=2048M --quiet"
- end
-
- cron_d "mediawiki-#{cron_name}-cleanup-gs" do
- comment "Clean up imagemagick garbage"
- minute "10"
- hour "2"
- user node[:mediawiki][:user]
- command "/usr/bin/find /tmp/ -maxdepth 1 -type f -user www-data -mmin +90 -name 'gs_*' -delete"
- end
-
- cron_d "mediawiki-#{cron_name}-cleanup-magick" do
- comment "Clean up imagemagick garbage"
- minute "20"
- hour "2"
- user node[:mediawiki][:user]
- command "/usr/bin/find /tmp/ -maxdepth 1 -type f -user www-data -mmin +90 -name 'magick-*' -delete"
+ service "mediawiki-refresh-links@#{new_resource.site}.timer" do
+ action [:enable, :start]
end
template "/etc/cron.daily/mediawiki-#{cron_name}-backup" do
mediawiki_extension "osmtaginfo" do
site new_resource.site
- repository "https://github.com/Firefishy/osmtaginfo.git"
+ repository "https://github.com/openstreetmap/osmtaginfo.git"
tag "live"
update_site false
end
update_site false
end
- mediawiki_extension "SimpleMap" do
- site new_resource.site
- template "mw-ext-SimpleMap.inc.php.erb"
- repository "https://github.com/Firefishy/SimpleMap.git"
- tag "live"
- update_site false
- action :delete
- end
-
- mediawiki_extension "SlippyMap" do
- site new_resource.site
- update_site false
- action :delete
- end
-
- mediawiki_extension "Mantle" do
- site new_resource.site
- update_site false
- action :delete
- end
-
mediawiki_extension "DisableAccount" do
site new_resource.site
template "mw-ext-DisableAccount.inc.php.erb"
mediawiki_extension "QuickInstantCommons" do
site new_resource.site
update_site false
- reference "master"
end
else
mediawiki_extension "QuickInstantCommons" do
end
action_class do
- include Chef::Mixin::PersistentToken
+ include OpenStreetMap::Mixin::PersistentToken
def site_directory
new_resource.directory || "/srv/#{new_resource.site}"
$wgEnotifUseJobQ = true;
+$wgSMTP = [
+ "host" => "localhost",
+ "socket_options" => [
+ "ssl" => [
+ "verify_peer_name" => false
+ ]
+ ]
+];
+
## Database settings
$wgDBtype = "mysql";
$wgDBserver = "<%= @database_params[:host] %>";
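Review bot: The new `$wgSMTP` block sets `"verify_peer_name" => false` (L2927), which turns off TLS hostname verification for MediaWiki's outbound mail connection; that is tolerable only because `host` is `localhost` and the traffic never leaves the machine, but nothing in the file says so. Add a comment above the block, `# TLS peer-name check disabled for the localhost MTA only; remove this if host is ever changed to a remote relay`, so the setting is not copied into a configuration where it would silently accept any certificate. If the reason is that the local MTA's certificate is issued for its public name rather than `localhost`, stating that in the comment as well records why the check fails in the first place.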
# Disable IP in Header to avoid cache issue
$wgShowIPinHeader = FALSE;
-# Job Runs mostly by cron
-$wgJobRunRate = 0.01;
+# Job Runs by cron
+$wgJobRunRate = 0;
# dissolves double redirects automatically
$wgFixDoubleRedirects = TRUE;
$wgNamespacesWithSubpages[NS_PROPOSAL] = TRUE;
$wgContentNamespaces[] = NS_PROPOSAL;
define('NS_PROPOSAL_TALK', 3001);
-$wgExtraNamespaces[NS_PROPOSAL_TALK] = 'Proposal talk';
+$wgExtraNamespaces[NS_PROPOSAL_TALK] = 'Proposal_talk';
$wgNamespacesWithSubpages[NS_PROPOSAL_TALK] = TRUE;
$wgNamespacesToBeSearchedDefault[NS_LANG_DE] = TRUE;
<% end -%>
<% if @name == "wiki.openstreetmap.org" -%>
-# setting the search weight of the main wiki's proposal namespace lower then general talk pages (0.2), but
-# higher then wiki project namespace (0.1)
-# Documentation at https://phabricator.wikimedia.org/source/extension-cirrussearch/browse/master/docs/settings.txt$693
-$wgCirrusSearchNamespaceWeights = array_merge ( $wgCirrusSearchNamespaceWeights, array ( NS_PROPOSAL => 0.15 ));
+# Placeholder for the wiki.openstreetmap.org specific config
<% end -%>
<% if not(@mediawiki[:private_accounts]) and not(@mediawiki[:private_site]) -%>
unset( $wgGroupsAddToSelf['autoconfirmed'] );
unset( $wgGroupsRemoveFromSelf['autoconfirmed'] );
<% end -%>
+
+# Increase curl timeout to allow parsoid requests to heavy pages like Map Features
+# Mediawiki 1.38 has fix to allow this to be set by $wgVirtualRestConfig
+# https://phabricator.wikimedia.org/T285478
+$wgHTTPTimeout = 240;
Require all granted
<FilesMatch ".+\.ph(ar|p|tml)$">
- SetHandler "proxy:unix:/run/php/<%= @name %>.sock|fcgi://127.0.0.1"
+ SetHandler "proxy:unix:/run/php/php-<%= @name %>-fpm.sock|fcgi://127.0.0.1"
</FilesMatch>
</Directory>
end
end
-munin_plugin "hpasmcli_temp" do
- action :delete
-end
-
-munin_plugin "hpasmcli_fans" do
- action :delete
-end
-
-munin_plugin "http_loadtime" do
- action :delete
-end
-
node[:network][:interfaces].each do |ifname, ifattr|
if ifattr[:flags]&.include?("UP") && !ifattr[:flags].include?("LOOPBACK")
if node[:hardware] &&
address <%= client.internal_ipaddress || client.external_ipaddress %>
<% elsif client[:networking][:roles][:external][:zone] == "ams" -%>
address <%= client.internal_ipaddress || client.external_ipaddress %>
+<% elsif client[:networking][:roles][:external][:zone] == "dub" -%>
+ address <%= client.internal_ipaddress || client.external_ipaddress %>
<% elsif client[:networking][:roles][:external][:zone] == "bm" -%>
address <%= client.internal_ipaddress || client.external_ipaddress %>
<% elsif client.external_ipaddress -%>
deviceplan["parameters"] = {
"mode" => interface[:bond][:mode] || "active-backup",
- "primary" => interface[:bond][:slaves].first,
"mii-monitor-interval" => interface[:bond][:miimon] || 100,
"down-delay" => interface[:bond][:downdelay] || 200,
"up-delay" => interface[:bond][:updelay] || 200
}
+ deviceplan["parameters"]["primary"] = interface[:bond][:slaves].first if deviceplan["parameters"]["mode"] == "active-backup"
deviceplan["parameters"]["transmit-hash-policy"] = interface[:bond][:xmithashpolicy] if interface[:bond][:xmithashpolicy]
deviceplan["parameters"]["lacp-rate"] = interface[:bond][:lacprate] if interface[:bond][:lacprate]
end
package "wireguard-tools" do
compile_time true
+ options "--no-install-recommends"
end
directory "/var/lib/systemd/wireguard" do
}
end
- search(:node, "roles:mail OR roles:prometheus") do |server|
+ search(:node, "roles:shenron OR roles:prometheus") do |server|
allowed_ips = server.interfaces(:role => :internal).map do |interface|
"#{interface[:network]}/#{interface[:prefix]}"
end
:allowed_ips => "10.89.123.1/32",
:endpoint => "roaming.firefishy.com:51820"
}
+ elsif node[:roles].include?("shenron")
+ search(:node, "roles:gateway") do |gateway|
+ allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
+ "#{interface[:network]}/#{interface[:prefix]}"
+ end
+
+ node.default[:networking][:wireguard][:peers] << {
+ :public_key => gateway[:networking][:wireguard][:public_key],
+ :allowed_ips => allowed_ips,
+ :endpoint => "#{gateway.name}:51820"
+ }
+ end
end
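Review bot: The new `elsif node[:roles].include?("shenron")` branch (L3024-L3035) builds a peer from `gateway[:networking][:wireguard][:public_key]` without checking the key exists, so a gateway node that has not yet generated its key renders a peer with a nil public key into the netdev file and can break WireGuard for the whole host. Adding `next unless gateway[:networking][:wireguard] && gateway[:networking][:wireguard][:public_key]` at the top of the block skips such nodes; the existing `roles:shenron OR roles:prometheus` branch at L3017 has the same exposure, if it was not guarded before this change. A comment on the branch, `# shenron peers with every gateway and routes their internal networks through the tunnel`, would also explain why `allowed_ips` is the gateway's internal address set rather than a single /32.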
template "/etc/systemd/network/wireguard.netdev" do
STARTUP_ENABLED=Yes
###############################################################################
-# V E R B O S I T Y
+# V E R B O S I T Y
###############################################################################
VERBOSITY=1
NFACCT=
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
###############################################################################
-# R S H / R C P C O M M A N D S
+# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
default[:nginx][:cache][:proxy][:keys_zone] = "proxy_cache_zone:128M"
default[:nginx][:cache][:proxy][:inactive] = "45d"
default[:nginx][:cache][:proxy][:max_size] = "16384M"
-
-# Enable nginx repository
-default[:apt][:sources] = node[:apt][:sources] | ["nginx"]
depends "networking"
depends "prometheus"
depends "ssl"
+depends "systemd"
# limitations under the License.
#
-include_recipe "apt"
+include_recipe "apt::nginx"
include_recipe "munin"
include_recipe "prometheus"
include_recipe "ssl"
port 9113
options "--nginx.scrape-uri=http://localhost:8050/nginx_status"
end
-
-template "/usr/local/bin/nginx-old-cache-cleanup" do
- source "nginx-old-cache-cleanup.erb"
- owner "root"
- group "root"
- mode "755"
-end
-
-cron_d "nginx-old-cache-cleanup" do
- minute "15"
- hour "23"
- user "www-data"
- command "/usr/bin/timeout 6h /usr/local/bin/nginx-old-cache-cleanup"
-end
+++ /dev/null
-#!/bin/bash
-set -e
-/usr/bin/renice -n 19 $$ >/dev/null
-/usr/bin/ionice -c 3 -p $$ >/dev/null
-[[ -d "/var/cache/nginx/fastcgi-cache" ]] && /usr/bin/find /var/cache/nginx/fastcgi-cache/?/??/ -maxdepth 1 -type f -delete 2>/dev/null || /bin/true
-[[ -d "/var/cache/nginx/fastcgi-cache" ]] && /usr/bin/find /var/cache/nginx/fastcgi-cache/ -maxdepth 2 -mindepth 2 -type d -wholename '*/?/??' -delete
-[[ -d "/var/cache/nginx/fastcgi-cache" ]] && /usr/bin/find /var/cache/nginx/fastcgi-cache/ -maxdepth 1 -mindepth 1 -type d -wholename '*/?' -delete
-[[ -d "/var/cache/nginx/proxy-cache" ]] && /usr/bin/find /var/cache/nginx/proxy-cache/?/??/ -maxdepth 1 -type f -delete 2>/dev/null || /bin/true
-[[ -d "/var/cache/nginx/proxy-cache" ]] && /usr/bin/find /var/cache/nginx/proxy-cache/ -maxdepth 2 -mindepth 2 -type d -wholename '*/?/??' -delete
-[[ -d "/var/cache/nginx/proxy-cache" ]] && /usr/bin/find /var/cache/nginx/proxy-cache/ -maxdepth 1 -mindepth 1 -type d -wholename '*/?' -delete
version "1.0.0"
supports "ubuntu"
+depends "apt"
# limitations under the License.
#
+include_recipe "apt::nodesource"
+include_recipe "apt::yarn"
+
package %w[
nodejs
- npm
+ yarn
g++
make
]
-
-template "/usr/local/bin/yarn" do
- source "yarn.erb"
- owner "root"
- group "root"
- mode "755"
-end
+++ /dev/null
-#!/bin/sh
-
-<% if node[:lsb][:release].to_f < 22.04 -%>
-exec /usr/bin/yarnpkg --ignore-engines "$@"
-<% else -%>
-exec /usr/bin/yarnpkg "$@"
-<% end -%>
}
default[:nominatim][:config] = {
- :tokenizer => "icu"
+ :tokenizer => "icu",
+ :forward_dependencies => "no"
}
default[:nominatim][:redirects] = {}
libbz2-dev
libpq-dev
libproj-dev
+ liblua5.3-dev
+ lua5.3
python3-pyosmium
python3-psycopg2
python3-dotenv
:dbname => node[:nominatim][:dbname],
:flatnode_file => node[:nominatim][:flatnode_file],
:log_file => "#{node[:nominatim][:logdir]}/query.log",
- :tokenizer => node[:nominatim][:config][:tokenizer]
+ :tokenizer => node[:nominatim][:config][:tokenizer],
+ :forward_dependencies => node[:nominatim][:config][:forward_dependencies]
end
%w[wikimedia-importance.sql.gz gb_postcodes.csv.gz us_postcodes.csv.gz].each do |fname|
prometheus_exporter "nominatim" do
port 8082
user "www-data"
+ restrict_address_families "AF_UNIX"
options [
"--nominatim.query-log=#{node[:nominatim][:logdir]}/query.log",
"--nominatim.database-name=#{node[:nominatim][:dbname]}"
upstream nominatim_service {
- server unix:/run/php/nominatim.openstreetmap.org.sock;
+ server unix:/run/php/php-nominatim.openstreetmap.org-fpm.sock;
}
map $uri $nominatim_script_name {
8.43.85.3 1; # gnome
8.43.85.4 1; # gnome
8.43.85.5 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
}
map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
NOMINATIM_USE_US_TIGER_DATA=yes
NOMINATIM_TOKENIZER="<%= @tokenizer %>"
+NOMINATIM_UPDATE_FORWARD_DEPENDENCIES="<%= @forward_dependencies %>"
NOMINATIM_TABLESPACE_SEARCH_DATA=dsearch
NOMINATIM_TABLESPACE_SEARCH_INDEX=isearch
# DO NOT EDIT - This file is being maintained by Chef
+<% if node[:lsb][:release].to_f >= 22.04 -%>
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+<% end -%>
+
# Servers
<% node[:ntp][:servers].each do |server| -%>
pool <%= server %> iburst
allow ::1/128
# Run an initial NTP sync on daemon startup
-initstepslew 30 time.cloudflare.com time.google.com <%= node[:ntp][:servers].join(" ") %>
+# Use a few IPs here to workaround DNSSEC failure if time is wrong: https://github.com/openstreetmap/operations/issues/654
+initstepslew 30 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12 time.google.com time.cloudflare.com <%= node[:ntp][:servers].join(" ") %>
+
+<% if node[:lsb][:release].to_f >= 22.04 -%>
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+<% end -%>
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
# information.
driftfile /var/lib/chrony/chrony.drift
+<% if node[:lsb][:release].to_f >= 22.04 -%>
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+<% end -%>
+
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
ridley.oob.openstreetmap.org,ridley.oob,10.0.1.3 ssh-dss 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
snap-02.oob.openstreetmap.org,snap-02.oob,10.0.1.4 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCKyiu+/H4R/Dx1dzhWIH2Z4+SHyhgo6xONxKjlC6te2blHPjbiWgZzS+WWQXj8siiv6w98p/DonTV/+tqW9RP7fJLca0UBjexQwZBGxjBWPsMCG5bdjWLtiQCN5vVD5Hy3A/6TUeHFYfbSbEuUO+VZVHR6fVMJ0sHHy9eIIwDNsyzGoi2SDB/QsuNgSK8y0TGBQzqHPv0AAGhvmvRONGO/htLZ3lsSuvZQ0D9NPx2fNbcFzkPsOUH05I+1+Wq3tnB7doJ/+hzj6/+wyPZar0zqhNs9YJrKrSOxiltVNnObwFHWvEZabHF3jKDNzmr4IHYUgEMwoMeHvXwI1ly0xz8T
snap-02.oob.openstreetmap.org,snap-02.oob,10.0.1.4 ssh-dss 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
-urmel.oob.openstreetmap.org,urmel.oob,10.0.1.6 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/Z50neDHObFvqY7SjrvtebendKtlfZ5KdpUHJXzootFg5zli09HaMep8YuEqBK9n1H06qnLQY6Hr3tKUEMBjjn1VS/hiB3OQlAqci0YEqcgwyiBTz2Etkb7lDXgJVDcFA5Pjj5sKnXw7gi4Nmkgg6cfQb81fed1ySGArcFY6PFQ==
-urmel.oob.openstreetmap.org,urmel.oob,10.0.1.6 ssh-rsa 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
#zark.oob.openstreetmap.org,zark.oob,10.0.1.8 ssh-rsa
#zark.oob.openstreetmap.org,zark.oob,10.0.1.8 ssh-dss
eustace.oob.openstreetmap.org,eustace.oob,10.0.1.9 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9wLWa3gAdXL/oUw67cLoHKiIOd959u++OOjXLR2OcyDkSLNTQgYkawEOcNgRVBcLjXh7ej9ktuTFbLWwR/Uvx7ftP5MH0Luo7Z9CvrQjw9Eu+G/CdGzvilHSeSAdCJYWemHXqKT9Qo9zJt2BI7wRfkFKdA5uXezwMYQtiQRHMkw==
sarel.oob.openstreetmap.org,sarel.oob,10.0.1.12 ssh-dss AAAAB3NzaC1kc3MAAACBAKZf6qtRHGHjPfOP3drwO1m28l4fpN5X5c8ArkeKhV3aTzY404uwCsSvfYQUw/s24E+989MWZxLUO0Ib+nV+hWlK0nxI85bQPIvOjaWNtbggOfNdz4VyNcLxxzsiJqNhQpGQ3LW2zQ7fsP9pM5ALAs7MDOaSdNja58aUgEMY1ta5AAAAFQC1r9L5Mkax780fOnwkDB6eIaNjCwAAAH97vSxdyRel4IucL4Ckn7Y/zVwFeLpwHiVP41MN7dO2aApuWvsygLU/FUAouv/3PRug/bAAS56w2/JLKVvyo1aRPNHAvgPFEDodqLc+dnC1bXFu1VR69ntQYTEe6iReLlwzeEPLwTW5ucGHddXVbP2jG3R+JEmGGt87P3JxicCjAAAAgQCXV76oba/hqR50+HL1YjMeMPjBj8DfyNPcuEJwSO+TFbn4IW4xkxYYl3w4NuD8H6gj2Myk55Wza5BIR0oTWtuQuGiAKld+sIcMb7R2rT2KustEVuvy5GM1/NkAJ+sUa4lTTl64KPpFukFIC8Ma4hiEhXA4LnN02DZe0NdvyqkC9Q==
noquiklos.oob.openstreetmap.org,noquiklos.oob,10.0.1.13 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDE5XeF6tG4hu9M0m+JWh4QJmL/52+cfeXbV4qfWwdJjSH9yBzYP9LiDM97gMXMUSnomAs7GO0KMwEdO9xuIZWeYFyHvs+1a73fAus8bcAbrZPuFfPfrW3JHKtWsfhUqYNJuRHLaimLIRyqgsXy3WAHf35v9kY1DmMWkf5/VTrp0w==
noquiklos.oob.openstreetmap.org,noquiklos.oob,10.0.1.13 ssh-dss AAAAB3NzaC1kc3MAAACBAPK6Av/wAEtRnOx12117EtAhBPnodjQur0/k0pTAaGCZNnLY3E5SD7CvSqtB+LhRO/VSHXl1Obkh4mvR6oKEDE2XOWEG5Ofq3mWngT9Ejo0Rretzc1JU7L6WPZ8N/D+3kQUXpxDYzK9CcKz90k0msZUFRfGkHVE12ip9f7G/BWPRAAAAFQC5wUn4ZkWjt0z+/bUUOe298i0QvwAAAIEAz6dx6w5equWz3T8DWPM8LRGhE6ASrwR2UNpFe+sW5EBp/M+Zgg5Ztne1nIQaDSh1iKL0qzSGYxTIb/sIDKAxy6CzTjEhWRGmuDRTPQkXwD9iXcNaLChEEP6AryrI193LnLKRGKVve6gP2vH4tpn3Ve68HSKL4Ggz2L9ysKxJppEAAACABSHM7Ez/2oMaDGNRvgWc+ViB3QZOB1CTnDOkRZuhZXFMmTGXaWPzlwqPLZKg+wVOnJgBJ4BTUV6WovPGPYWadNuqhlsKjflFQyYSkyBA+4gvZ45TwbDE4HTQ1BGlXJVA3vq5HAqcxlo2CAj4HCQJgVHzd7sfH+WwyruGDu58ThU=
-errol.oob.openstreetmap.org,errol.oob,10.0.1.14 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1riMj4gWqiovniYhlFNUxMm/AGmV/C2GjcMP+NcJ1ZyP4OdytGeGfhUm5GwVwraimkFQQlfEDcUWY7OX4EG115E8i15cUt6s6Ya2E6AXydigvBbrdp8MNnPOWBifVN3/5Cgi8nrAebmPs88ZZx2KM/Df5qIB2rHYpuHYyl+MpqE=
-errol.oob.openstreetmap.org,errol.oob,10.0.1.14 ssh-dss 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
yevaud.oob.openstreetmap.org,yevaud.oob,10.0.1.15 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuWeUQd5ssUd5VFyTMXgC+U6c7s63mtuEj+cL6x8EU8PqNS12RGwLpeAI5VL8UzM0YLyPjPh/yzdQN2tl9ufK7KZF0apvoSZgp/uwyG+CgdFSf66nTrZN4NA/QP1ikH3kbqcM87LfNjCrMXnqMBJ/OCqz2z+An8t0KGDXS8haxlU=
yevaud.oob.openstreetmap.org,yevaud.oob,10.0.1.15 ssh-dss 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
clifford.oob.openstreetmap.org,clifford.oob,10.0.1.17 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsCrNQ+QQg2UUGhBpgjlLAF4gI48VDGmcF9prulYDxduyGJIrqhOjQtKLjNksMr8TEblmJsI4JzPf1lY1rVL3Q/aZWJD5X4Q0DgEtNzfinI9JAy77JASj1osBPU2RfWSvK9C2TnEoXHxuyGKMw9iuuPLppNMjZ103PYprQeAXi1w==
tabaluga.oob.openstreetmap.org,tabaluga.oob,10.0.49.14 ssh-dss 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
odin.oob.openstreetmap.org,odin.oob,10.0.49.15 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeK2EVK4rbsdoTq84Cl5kLhbJk7gbaNav61yFuSKfSsizzbH/tzxmiFA7mtB39WU/BlFsTHAg1mHY7cCPE01E811CDPIQhZGEyloh5ftbTACCcGAjKBhYpwTPEteBqlIk3lpN1TNTsnJSYaQay3rbOQ+IXTb8nzKYjTgANQ6QXxSq4BfuRmvMRlNw7ZuIerhs8OL2G/pxldL6AYDPDFXBs9mvvqqS0fw8rzxkjFNUc/z9odFoChtlZVbp33/LTIBQU1dY/XTxaekErjT7H93KG9NP8mmIFZtU8oRo8553ogTYVxFr6hD5D6KkbveaFU9oBDRYlJPWtdHksF8RAEpjN
odin.oob.openstreetmap.org,odin.oob,10.0.49.15 ssh-dss AAAAB3NzaC1kc3MAAACBAMxXgZGeLxWyQCErmy0aGppk2/xHj3GTATPCQgf/Mtm5PYK7c3x8Z/fEop/BBnY2/YDE709g28Tv+61I4SD9D33OO6ABPEapHEwqp3CIYuA8+JFJhuo6Sz9h9bca6fx/KVjdDq9wbmx5IOqEFQlBoCSGJvYw5pTptVFN+nLeiTLjAAAAFQDt76BO4R+GaDn6/SeJvP3xAuqkmwAAAIEAgbhpMfB2Gk+babYDnWTWMkFO1FObUdi8/3NmiS1XUPCzdGkL1h2psoQIMXFtrNfEzSPx320rjC17T+JD1KGzXTBsPSd49MhznMc13JK2YT6KJm3io1CLKuzje4SxrpddM1Uvs/sOLmeAbdNqlUsAM8KUedEYTo/SXeVecos6dboAAACAasbTSjiTPW3NwH1yrEV8xWFCAmsmAPvqwGjaLjrrDdNQCbJ0KHMY+lbUAmT6oZ5qcrwwc2A6B+/v9XBISiT5XWELdP56bhuDcWC78aJDdtfDK1xuMtsHX5tpQcKB7IrPI+2UYVhz7zosvcCbn8FukgDx8sEcp28rHaFB5WPCjig=
-lockheed.oob.openstreetmap.org,lockheed.oob,10.0.49.16 ssh-dss AAAAB3NzaC1kc3MAAACBAKZf6qtRHGHjPfOP3drwO1m28l4fpN5X5c8ArkeKhV3aTzY404uwCsSvfYQUw/s24E+989MWZxLUO0Ib+nV+hWlK0nxI85bQPIvOjaWNtbggOfNdz4VyNcLxxzsiJqNhQpGQ3LW2zQ7fsP9pM5ALAs7MDOaSdNja58aUgEMY1ta5AAAAFQC1r9L5Mkax780fOnwkDB6eIaNjCwAAAH97vSxdyRel4IucL4Ckn7Y/zVwFeLpwHiVP41MN7dO2aApuWvsygLU/FUAouv/3PRug/bAAS56w2/JLKVvyo1aRPNHAvgPFEDodqLc+dnC1bXFu1VR69ntQYTEe6iReLlwzeEPLwTW5ucGHddXVbP2jG3R+JEmGGt87P3JxicCjAAAAgQCFBaTPsbNtWlUSsGnRzObp3NVC6MOro10p4qSXB0kwAB+hQx/IrIH8BjduR+b6Uv2cm/UMnGRzS/1lGYe15cSs0V/IOUyXdVeX+jB0TXzS4hTqclGKJ0Ay2WEsgW27IdPxIjQg/W77s9AZ2UlyEtT7gK2oergD60yUvRfLLJioYA==
norbert.oob.openstreetmap.org,norbert.oob,10.0.49.17 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAHaxesONNY+jIQmZKVKjsg5PPTYytFpBG9qx5Qjgk7PoPt4VcxZu0X3snv6toy2s4zjmnIo7+T014+ihKF5RzzYB3sRwHgx2QIXp9zjCkeB8HCSyMsnKWUoJcyxDrVy0gS0GgbmzIAL3n47budeyxYW20Bk9iy+b4z2KUGJnMrmhJ76eZkawtsr1DxRIrCWDrXNz66+msk7v/3DDUZFAACkPEF83YVECiNsBeKn5nm82W16OEFKOMsQXM65DjPTzH4iKajlA2j8DTf5qOtgiGGtLVQ8b5erwibgbXFfd1wWsqxhEP25z5omnheSujCkhYoZJ4+larVgqU+CUvCHE7
snap-01.oob.openstreetmap.org,snap-01.oob,10.0.49.49 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcKedgjsKRd3zPnZkJNL7iZYHay+KBd73bw4PjyHmblyUOcdtMx5yEntBHGcWAs5lwc4mNZgKbSJfuuW142oq+r+3I8UzcvYQGJKAvR5quKCn/c+iDkX56SQvh7SOtgf0K2K0dfHdQEh/jw56AewKcPxgCV5vBJ63ce0gETq3/Fj6mJwIYLU1kjyJiyusng9EWlgbodx8ma1zFM0dlxdHxeMkE38pcnrpOxNhV7qbGY9doU2VFUPQnCQOzpUtLr6n0J8l/1ubPnBsN/VAAYGMNbxwGgpUt+Hpwgl7dcn+1FQfFUUL54inUuP7Y2EV1bEY/WyhfLDkMRwgm+X96QctT
snap-01.oob.openstreetmap.org,snap-01.oob,10.0.49.49 ssh-dss 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
group "otrs"
exec_start "/opt/otrs/bin/otrs.Daemon.pl start"
private_tmp true
- protect_system "full"
+ protect_system "strict"
protect_home true
- read_write_paths "/var/log/exim4"
+ read_write_paths ["/opt/otrs-#{version}/var", "/var/log/exim4", "/var/spool/exim4"]
end
service "otrs" do
default[:overpass][:fqdn] = "overpass.openstreetmap.org"
-default[:overpass][:version] = "0.7.57"
-default[:overpass][:full_version] = "0.7.57.2"
+default[:overpass][:version] = "0.7.59.1"
# One of: no, meta, attic
default[:overpass][:meta_mode] = "attic"
# One of: no, gz, lz4
depends "accounts"
depends "apache"
depends "munin"
+depends "prometheus"
depends "ruby"
depends "systemd"
include_recipe "accounts"
include_recipe "apache"
include_recipe "munin"
+include_recipe "prometheus"
include_recipe "ruby"
username = "overpass"
## Install overpass from source
-srcdir = "#{basedir}/src/osm-3s_v#{node[:overpass][:full_version]}"
+srcdir = "#{basedir}/src/osm-3s_v#{node[:overpass][:version]}"
package %w[
build-essential
user username
cwd srcdir
command "./configure --enable-lz4 --prefix=#{basedir} && make install"
+ notifies :restart, "service[overpass-dispatcher]"
+ notifies :restart, "service[overpass-area-dispatcher]"
end
## Setup Apache
systemd_service "overpass-dispatcher" do
description "Overpass Main Dispatcher"
+ wants ["overpass-area-dispatcher.service"]
working_directory basedir
exec_start "#{basedir}/bin/dispatcher --osm-base #{meta_map_short[node[:overpass][:meta_mode]]} --db-dir=#{basedir}/db --rate-limit=#{node[:overpass][:rate_limit]} --space=#{node[:overpass][:dispatcher_space]}"
exec_stop "#{basedir}/bin/dispatcher --osm-base --terminate"
systemd_service "overpass-area-dispatcher" do
description "Overpass Area Dispatcher"
- after ["overpass-dispatcher"]
+ after ["overpass-dispatcher.service"]
working_directory basedir
exec_start "#{basedir}/bin/dispatcher --areas #{meta_map_short[node[:overpass][:meta_mode]]} --db-dir=#{basedir}/db"
exec_stop "#{basedir}/bin/dispatcher --areas --terminate"
systemd_service "overpass-update" do
description "Overpass Update Application"
- after ["overpass-dispatcher"]
+ after ["overpass-dispatcher.service"]
+ wants ["overpass-area-processor.service"]
working_directory basedir
exec_start "#{basedir}/bin/overpass-update-db"
standard_output "append:#{logdir}/update.log"
user username
+ restart "on-success"
end
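Review bot: `restart "on-success"` on `overpass-update` here, and on both `overpass-area-processor` definitions below (the attic and non-attic branches), replaces the removed `while true` loop in overpass-update-db.erb with a systemd restart loop, but systemd's start rate limit (by default 5 starts within 10 s) also counts `Restart=` restarts, and the status-0 path of the script has no sleep, so a run of quick successful exits leaves the unit failed with no further restarts. Either disable the limit on these units (`StartLimitIntervalSec=0`) or add a short `RestartSec=`, whichever the cookbook's `systemd_service` resource exposes, and note the reason in a comment next to `restart "on-success"`. Whether the limit is reached in practice depends on how fast `$PYOSMIUM` returns a small batch, which this diff does not show.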
if node[:overpass][:meta_mode] == "attic"
systemd_service "overpass-area-processor" do
description "Overpass Area Processor"
- after ["overpass-area-dispatcher"]
+ after ["overpass-area-dispatcher.service", "overpass-update.service"]
working_directory basedir
exec_start "#{basedir}/bin/overpass-update-areas"
standard_output "append:#{logdir}/area-processor.log"
+ restart "on-success"
nice 19
user username
end
else
systemd_service "overpass-area-processor" do
description "Overpass Area Processor"
- after ["overpass-area-dispatcher"]
+ after ["overpass-area-dispatcher.service", "overpass-update.service"]
working_directory basedir
exec_start "#{basedir}/bin/osm3s_query --progress --rules"
standard_input "file:#{srcdir}/rules/areas.osm3s"
standard_output "append:#{logdir}/area-processor.log"
+ restart "on-success"
nice 19
user username
end
end
systemd_timer "overpass-area-processor" do
- description "Update areas in Overpass"
- on_calendar "*-*-* *:*:00"
+ action :delete
end
service "overpass-area-processor" do
- action [:enable]
+ action [:disable]
end
template "/etc/logrotate.d/overpass" do
conf_variables :user => username
end
end
+
+prometheus_exporter "overpass" do
+ port 9898
+ user username
+ restrict_address_families "AF_UNIX"
+ options [
+ "--overpass.base-directory=#{basedir}"
+ ]
+end
DocumentRoot <%= @directory %>
+ RewriteEngine on
RewriteMap totp prg:/srv/query.openstreetmap.org/apache/totp-filter
RewriteCond ${totp:%{HTTP_COOKIE}} =0
- RewriteRule ^.*$ - [F,L]
+ RewriteRule ^/query-features - [F,L]
<% if node[:overpass][:restricted_api] -%>
ScriptAlias /query-features <%= @script_directory %>/interpreter
# Remove Origin so Overpass does not interfere.
RequestHeader unset Origin
Header always add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+ Header always add Access-Control-Allow-Credentials true
<% else -%>
ScriptAlias /api/ <%= @script_directory %>/
<% end -%>
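Review bot: The TOTP gate `RewriteCond ${totp:%{HTTP_COOKIE}} =0` fails open: when the prg map cannot answer (the filter process has exited, timed out, or returned `NULL`), mod_rewrite substitutes the map's default, which is the empty string here, and `"" =0` is false, so `/query-features` is served to a request with no valid token. Give the lookup a denying default, `RewriteCond ${totp:%{HTTP_COOKIE}|0} =0`, so a dead filter blocks rather than admits. Separately, `Header always add Access-Control-Allow-Credentials true` together with an `Access-Control-Allow-Origin` taken from `%{AccessControlAllowOrigin}e` makes the `_osm_totp_token` cookie usable cross-origin from whatever origins populate that variable (set outside this hunk); that list must stay a strict allowlist, and `Header always set` avoids emitting duplicate ACAO headers, which browsers reject.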
META=
<% end -%>
-while true; do
- status=3 # make it sleep on issues
+status=3 # make it sleep on issues
- if [ -f <%= @basedir %>/db/replicate-id ]; then
- # first apply any pending updates
- if [ -f <%= @basedir %>/diffs/latest.osc ]; then
- DATA_VERSION=`osmium fileinfo -e -g data.timestamp.last <%= @basedir %>/diffs/latest.osc`
- if [ "x$DATA_VERSION" != "x" ]; then
- echo "Downloaded up to timestamp $DATA_VERSION"
- while ! <%= @basedir %>/bin/update_from_dir --osc-dir=<%= @basedir %>/diffs --version=$DATA_VERSION $META --flush-size=0; do
- echo "Error while updating. Retry in 1 min."
- sleep 60
- done
- fi
- rm <%= @basedir %>/diffs/latest.osc
+if [ -f <%= @basedir %>/db/replicate-id ]; then
+ # first apply any pending updates
+ if [ -f <%= @basedir %>/diffs/latest.osc ]; then
+ DATA_VERSION=`osmium fileinfo -e -g data.timestamp.last <%= @basedir %>/diffs/latest.osc`
+ if [ "x$DATA_VERSION" != "x" ]; then
+ echo "Downloaded up to timestamp $DATA_VERSION"
+ while ! <%= @basedir %>/bin/update_from_dir --osc-dir=<%= @basedir %>/diffs --version=$DATA_VERSION $META --flush-size=0; do
+ echo "Error while updating. Retry in 1 min."
+ sleep 60
+ done
fi
-
- $PYOSMIUM -v -s 1000 -o <%= @basedir %>/diffs/latest.osc
- status=$?
- fi
-
- if [ $status -eq 0 ]; then
- echo "Downloaded next batch."
- elif [ $status -eq 3 ]; then
rm <%= @basedir %>/diffs/latest.osc
- echo "No new data, sleeping for a minute."
- sleep 60
- else
- echo "Fatal error, stopping updates."
- exit $status
fi
-done
+
+ $PYOSMIUM -v -s 1000 -o <%= @basedir %>/diffs/latest.osc
+ status=$?
+fi
+
+if [ $status -eq 0 ]; then
+ echo "Downloaded next batch."
+elif [ $status -eq 3 ]; then
+ rm <%= @basedir %>/diffs/latest.osc
+ echo "No new data, sleeping for a minute."
+ sleep 60
+else
+ echo "Fatal error, stopping updates."
+ exit $status
+fi
#!/usr/bin/ruby
-requrie "cgi"
+require "cgi"
require "rotp"
totp = ROTP::TOTP.new("<%= @totp_key %>", :interval => 3600)
STDIN.each_line do |header|
- cookies = CGI::Cookie.parse(header)
+ cookies = CGI::Cookie.parse(header.chomp)
- if totp.verify(cookies["_osm_totp_token"], :drift_behind => 3600, :drift_ahead => 3600)
- puts "1"
+ if cookie = cookies.fetch("_osm_totp_token", nil)
+ if totp.verify(cookie.value.first, :drift_behind => 3600, :drift_ahead => 3600)
+ STDOUT.syswrite("1\n")
+ else
+ STDOUT.syswrite("0\n")
+ end
else
- puts "0"
+ STDOUT.syswrite("0\n")
end
end
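Review bot: A single bad line can take the filter down: nothing inside the `STDIN.each_line` loop rescues, so any exception from `CGI::Cookie.parse` or `totp.verify` on an unexpected header terminates the process, and Apache is left with a RewriteMap whose program is gone, answering every later lookup with no result instead of `0`. Wrap the per-line work in `begin … rescue StandardError … end` that writes `"0\n"` on the rescue path, so the prg always emits exactly one line per input line and denies on error; keep the cookie value out of the log message since it is a bearer token. The switch to `STDOUT.syswrite` is the right fix for prg buffering and is kept below.

```ruby
STDIN.each_line do |header|
  begin
    cookies = CGI::Cookie.parse(header.chomp)
    # … unchanged: cookie lookup and totp.verify branches writing "1\n" / "0\n" …
  rescue StandardError => e
    STDERR.puts "totp-filter: #{e.class}"
    STDOUT.syswrite("0\n")
  end
end
```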
--- /dev/null
+# oxidized cookbook
+
+This cookbook installs and configures [oxidized](https://github.com/ytti/oxidized) to
+backup the configurations of OpenStreetMap equipment.
--- /dev/null
+default[:accounts][:users][:oxidized][:status] = :role
--- /dev/null
+name "oxidized"
+maintainer "OpenStreetMap Administrators"
+maintainer_email "admins@openstreetmap.org"
+license "Apache-2.0"
+description "Configures oxidized to backup equipment configuration"
+
+version "1.0.0"
+supports "ubuntu"
+depends "accounts"
+depends "git"
+depends "ruby"
--- /dev/null
+#
+# Cookbook:: oxidized
+# Recipe:: default
+#
+# Copyright:: 2022, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "git"
+include_recipe "ruby"
+
+package %w[
+ gcc
+ g++
+ make
+ cmake
+ libssl-dev
+ libssh2-1-dev
+ zlib1g-dev
+ pkg-config
+]
+
+keys = data_bag_item("oxidized", "keys")
+devices = data_bag_item("oxidized", "devices")
+
+directory "/etc/oxidized" do
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+template "/etc/oxidized/config" do
+ source "config.erb"
+ owner "oxidized"
+ group "oxidized"
+ mode "444"
+ notifies :restart, "service[oxidized]"
+end
+
+template "/etc/oxidized/routers.db" do
+ source "routers.db.erb"
+ owner "oxidized"
+ group "oxidized"
+ mode "400"
+ variables :devices => devices
+ notifies :restart, "service[oxidized]"
+end
+
+directory "/var/log/oxidized" do
+ owner "oxidized"
+ group "oxidized"
+ mode "755"
+end
+
+directory "/opt/oxidized" do
+ owner "oxidized"
+ group "oxidized"
+ mode "755"
+end
+
+git "/opt/oxidized/daemon" do
+ action :sync
+ repository "https://github.com/openstreetmap/oxidized.git"
+ depth 1
+ user "oxidized"
+ group "oxidized"
+ notifies :run, "bundle_install[/opt/oxidized/daemon]", :immediately
+end
+
+directory "/opt/oxidized/.ssh" do
+ owner "oxidized"
+ group "oxidized"
+ mode "700"
+end
+
+# Key is set as a deployment key in github repo
+file "/opt/oxidized/.ssh/id_ed25519" do
+ content keys["git"].join("\n")
+ owner "oxidized"
+ group "oxidized"
+ mode "400"
+ notifies :delete, "file[/opt/oxidized/.ssh/id_ed25519.pub]", :immediately
+ notifies :restart, "service[oxidized]"
+end
+
+# Ensure public key is deleted if private key is changed. Trigged by notify
+file "/opt/oxidized/.ssh/id_ed25519.pub" do
+ action :nothing
+end
+
+execute "/opt/oxidized/.ssh/id_ed25519.pub" do
+ command "ssh-keygen -f /opt/oxidized/.ssh/id_ed25519 -y > /opt/oxidized/.ssh/id_ed25519.pub"
+ user "oxidized"
+ group "oxidized"
+ creates "/opt/oxidized/.ssh/id_ed25519.pub"
+ notifies :restart, "service[oxidized]"
+end
+
+ssh_known_hosts_entry "github.com" do
+ action [:create, :flush]
+ file_location "/opt/oxidized/.ssh/known_hosts"
+ owner "oxidized"
+ group "oxidized"
+end
+
+directory "/var/lib/oxidized" do
+ owner "oxidized"
+ group "oxidized"
+ mode "750"
+end
+
+git "/var/lib/oxidized/configs.git" do
+ action :sync
+ repository "git@github.com:openstreetmap/oxidized-configs.git" # Uses oxidized ssh key
+ checkout_branch "master" # branch is hardcoded in oxidized
+ user "oxidized"
+ group "oxidized"
+end
+
+bundle_install "/opt/oxidized/daemon" do
+ action :nothing
+ options "--deployment"
+ user "oxidized"
+ group "oxidized"
+ notifies :restart, "service[oxidized]"
+end
+
+# Based on https://github.com/ytti/oxidized/blob/master/extra/oxidized.service
+systemd_service "oxidized" do
+ description "oxidized network device backup daemon"
+ after "network.target"
+ user "oxidized"
+ working_directory "/opt/oxidized/daemon"
+ runtime_directory "oxidized"
+ exec_start "#{node[:ruby][:bundle]} exec oxidized"
+ environment "OXIDIZED_HOME" => "/etc/oxidized",
+ "OXIDIZED_LOGS" => "/var/log/oxidized"
+ nice 10
+ sandbox :enable_network => true
+ read_write_paths ["/run/oxidized", "/var/lib/oxidized", "/var/log/oxidized"]
+ restart "on-failure"
+ notifies :restart, "service[oxidized]"
+end
+
+service "oxidized" do
+ action [:enable, :start]
+end
+
+template "/etc/logrotate.d/oxidized" do
+ source "logrotate.erb"
+ owner "root"
+ group "root"
+ mode "644"
+end
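Review bot: `ssh_known_hosts_entry "github.com"` carries no `key`, so `/opt/oxidized/.ssh/known_hosts` is populated by scanning github.com at converge time, and the host key that later authenticates the `git push` of device configurations and the `git "/var/lib/oxidized/configs.git"` sync is whatever that first scan returned; a converge through a tampered path pins the wrong key for good. Pin GitHub's published host key instead, `key "<GITHUB_ED25519_HOST_KEY>"` with `key_type "ed25519"`, so the entry is fixed by the cookbook rather than learned on the host. `/etc/oxidized/config` is written `mode "444"`; it holds no credentials today (those are in `routers.db`, correctly `mode "400"`), but `"440"` would keep that true if a hook or output option later gains a token.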
--- /dev/null
+---
+# DO NOT EDIT - This file is being maintained by Chef
+rest: false
+timeout: 60
+vars:
+ remove_secret: true
+pid: "/run/oxidized/oxidized.pid"
+crash:
+ directory: /var/lib/oxidized/crashes
+input:
+ default: ssh
+output:
+ default: git
+ git:
+ single_repo: true
+ user: oxidized
+ email: oxidized@openstreetmap.org
+ repo: "/var/lib/oxidized/configs.git"
+hooks:
+ push_to_remote:
+ type: githubrepo
+ events: [post_store]
+ remote_repo: git@github.com:openstreetmap/oxidized-configs.git
+ privatekey: /opt/oxidized/.ssh/id_ed25519
+source:
+ default: csv
+ csv:
+ file: "/etc/oxidized/routers.db"
+ delimiter: !ruby/regexp /:/
+ map:
+ name: 0
+ model: 1
+ input: 2
+ username: 3
+ password: 4
+model_map:
+ juniper: junos
+ apc: apc_aos
+ ciscocmb: ciscosmb
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+
+/var/log/oxidized/*.log {
+ rotate 12
+ weekly
+ size 10M
+ compress
+ delaycompress
+ missingok
+}
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+<% @devices[:hardware].keys.sort.each do |d| -%>
+<%= d -%>:<%= @devices[:hardware][d][:device] -%>:<%= @devices[:hardware][d][:input] -%>:<%= @devices[:hardware][d][:username] -%>:<%= @devices[:hardware][d][:password] %>
+<% end -%>
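Review bot: The row rendered at line 3677 joins name, model, input, username and password with `:`, and the matching config declares `delimiter: !ruby/regexp /:/`, so a username or password containing a colon shifts every later column and oxidized reads a truncated credential plus a stray extra field, with the failure only showing up as a login error at the device. Reject such values while rendering, where the failure is visible at converge time, for example `raise "oxidized device #{d}: ':' not allowed in credentials" if %i[username password].any? { |k| @devices[:hardware][d][k].to_s.include?(":") }` inside the loop. The values come from the `oxidized/devices` data bag, so the check guards data entry rather than device behaviour.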
default[:passenger][:max_pool_size] = 6
default[:passenger][:pool_idle_time] = 300
default[:passenger][:instance_registry_dir] = "/run/passenger"
-
-default[:apt][:sources] = node[:apt][:sources] | ["passenger"]
#
include_recipe "apache"
-include_recipe "apt"
+include_recipe "apt::passenger"
include_recipe "munin"
include_recipe "prometheus"
include_recipe "ruby"
prometheus_exporter "passenger" do
port 9149
+ user "root"
environment "PASSENGER_INSTANCE_REGISTRY_DIR" => node[:passenger][:instance_registry_dir]
+ restrict_address_families "AF_UNIX"
end
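Review bot: `user "root"` on `prometheus_exporter "passenger"` runs a network-listening exporter (port 9149) with full privileges, presumably because the registry under `node[:passenger][:instance_registry_dir]` is only readable by root; that is a larger blast radius than the other exporters touched by this change, which run as service users (`www-data`, the overpass `username`). If the registry directory can be made readable by a dedicated group, run the exporter under that group instead, and in any case add a comment on the `user "root"` line stating why it is required so the pattern is not copied to other exporters.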
if new_resource.prometheus_port
prometheus_exporter "phpfpm" do
port new_resource.prometheus_port
+ restrict_address_families "AF_UNIX"
service service_name
+ group "www-data"
command "server"
- options "--phpfpm.scrape-uri=#{scrape_uri}"
+ options "--phpfpm.scrape-uri=#{scrape_uri} --phpfpm.fix-process-count"
end
else
prometheus_exporter "phpfpm" do
if new_resource.port
"tcp://127.0.0.1:#{new_resource.port}/status"
else
- "unix:///run/php/#{new_resource.pool}.sock;/status"
+ "unix:///run/php/php-#{new_resource.pool}-fpm.sock;/status"
end
end
end
listen = 127.0.0.1:<%= @port %>
listen.backlog = 256
<% else -%>
-listen = /run/php/<%= @pool %>.sock
+listen = /run/php/php-<%= @pool %>-fpm.sock
listen.owner = www-data
listen.group = www-data
<% end -%>
default[:planet][:dump][:xml_history_directory] = "/store/planet/planet/full-history"
default[:planet][:dump][:pbf_directory] = "/store/planet/pbf"
default[:planet][:dump][:pbf_history_directory] = "/store/planet/pbf/full-history"
-
-default[:planet][:current][:jobs] = {}
--- /dev/null
+#!/usr/bin/python3
+
+print( """
+<html>
+ <head>
+ <title>OpenStreetMap historical CC BY-SA 2.0 licensed data</title>
+ <link href="/style.css" rel="stylesheet" type="text/css">
+ </head>
+ <body>
+<img id="logo" src="/logo.png" alt="OSM logo" width="128" height="128">
+<h1>planet.openstreetmap.org - cc by-sa</h1>
+<p>Licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.0/">CC BY-SA 2.0</a></p>
+<p> </p>
+""")
# limitations under the License.
#
+node.default[:accounts][:users][:planet][:status] = :role
+
include_recipe "accounts"
package %w[
mode "755"
end
-template "/usr/local/bin/planet-update-file" do
- source "planet-update-file.erb"
- owner "root"
- group "root"
- mode "755"
-end
-
directory "/var/lib/planet" do
owner "planet"
group "planet"
not_if { kitchen? }
end
-cron_d "planet-update" do
- minute "37"
- hour "1"
- user "root"
- command "/usr/local/bin/planet-update"
-end
-
-template "/etc/logrotate.d/planet-update" do
- source "planet-update.logrotate.erb"
- owner "root"
- group "root"
- mode "644"
+systemd_service "planet-update" do
+ description "Planet file update"
+ type "oneshot"
+ exec_start "/usr/local/bin/planet-update"
+ user "planet"
+ sandbox :enable_network => true
+ read_write_paths "/var/lib/planet"
end
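Review bot: No `systemd_timer "planet-update"` or `service "planet-update.timer"` appears alongside this oneshot unit, while the `cron_d "planet-update"` entry that ran it daily at 01:37 is removed in the same hunk; unless the timer is defined elsewhere in the recipe, the planet file stops updating after this change. Running it as `user "planet"` with `read_write_paths "/var/lib/planet"` instead of root via runuser is a real reduction in privilege. The journal now replaces the removed `/var/log/planet-update.log` and its logrotate entry, so anything that tailed that file needs updating.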
files_mode "755"
end
+remote_directory "/store/planet/cc-by-sa" do
+ source "ccbysa_cgi"
+ owner "www-data"
+ group "planet"
+ mode "775"
+ files_owner "root"
+ files_group "root"
+ files_mode "755"
+end
+
remote_directory "/store/planet/cc-by-sa/full-experimental" do
source "ccbysa_history_cgi"
owner "www-data"
munin_plugin "planet_age"
-template "/usr/local/bin/old-planet-file-cleanup" do
- source "old-planet-file-cleanup.erb"
+template "/usr/local/bin/planet-file-cleanup" do
+ source "planet-file-cleanup.erb"
owner "root"
group "root"
mode "755"
end
-cron_d "old-planet-file-cleanup" do
- comment "run this on the first monday of the month at 3:44am"
- minute "44"
- hour "3"
- day "1-7"
+systemd_service "planet-file-cleanup" do
+ description "Cleanup old planet files"
+ exec_start "/usr/local/bin/planet-file-cleanup --debug"
user "www-data"
- command "test $(date +\\%u) -eq 1 && /usr/local/bin/old-planet-file-cleanup --debug"
- mailto "zerebubuth@gmail.com"
+ sandbox true
+ read_write_paths [
+ node[:planet][:dump][:xml_directory],
+ node[:planet][:dump][:pbf_directory]
+ ]
+end
+
+systemd_timer "planet-file-cleanup" do
+ description "Cleanup old planet files"
+ on_calendar "Mon *-*-1..7 03:44"
+end
+
+service "planet-file-cleanup.timer" do
+ action [:enable, :start]
end
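Review bot: The `mailto` that the removed `cron_d` entry used for failure reports has no equivalent on the new `systemd_service`, so a failing planet-file-cleanup run is visible only in the journal and the unit's failed state; the same applies to planet-dump-mirror, planet-notes-dump and planet-notes-cleanup below. The only `node_systemd_unit_state{state="failed"}` rule visible in this diff is the chef-client one, so it is worth confirming that another rule covers failed units generally, or adding an `OnFailure=` handler to these units. `exec_start "/usr/local/bin/planet-file-cleanup --debug"` also carries a debug flag into the scheduled run; a comment saying that is intended, or dropping it, avoids a later cleanup.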
git "/opt/planet-dump-ng" do
action :sync
repository "https://github.com/zerebubuth/planet-dump-ng.git"
- revision "v1.2.4"
+ revision "v1.2.6"
depth 1
user "root"
group "root"
user "www-data"
exec_start "/usr/local/bin/planetdump %i"
memory_max "64G"
- private_tmp true
- protect_system "full"
- protect_home true
- read_write_paths "/var/log/exim4"
+ sandbox true
+ read_write_paths [
+ "/store/planetdump",
+ "/store/planet/pbf",
+ "/store/planet/planet",
+ "/var/log/exim4",
+ "/var/spool/exim4"
+ ]
end
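Review bot: `read_write_paths` for planetdump still grants `/var/log/exim4` and `/var/spool/exim4` while the mailx call that sent the run log is removed from the planetdump script in this same commit; if no other part of the script submits mail, those two entries are now unnecessary write access into the MTA's spool from a `www-data` unit and can be dropped. Each extra path punches a hole in the sandbox's read-only system view, so a comment like `# exim paths: local mail submission from the dump script` next to them would let a future reader verify they are still needed.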
-cron_d "planet-dump-mirror" do
- minute "*/10"
+systemd_service "planet-dump-mirror" do
+ description "Update planet dump mirrors"
+ exec_start "/usr/local/bin/planet-mirror-redirect-update"
user "www-data"
- command "/usr/local/bin/planet-mirror-redirect-update"
- mailto "horntail-www-data-cron@firefishy.com"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ read_write_paths "/store/planet/.htaccess"
+end
+
+systemd_timer "planet-dump-mirror" do
+ description "Update planet dump mirrors"
+ on_boot_sec "10min"
+ on_unit_inactive_sec "10min"
+end
+
+service "planet-dump-mirror.timer" do
+ action [:enable, :start]
end
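Review bot: `memory_deny_write_execute false` relaxes the sandbox's W^X enforcement for planet-dump-mirror with nothing recording why; the two osmosis units (replication-hourly and replication-daily) do the same, where a JVM JIT is the plausible reason, but the mirror script's need is not obvious from this diff. A one-line comment such as `# needs writable+executable memory (TODO: name the interpreter/JIT that requires it)` above the setting, or confirming the unit starts with the default and dropping the override, keeps the exception deliberate. `read_write_paths "/store/planet/.htaccess"` pointing at a single file is fine as long as the script rewrites it in place rather than via rename, since a rename needs the parent directory writable.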
variables :password => db_passwords["planetdump"]
end
-cron_d "planet-notes-dump" do
- minute "0"
- hour "3"
+systemd_service "planet-notes-dump" do
+ description "Create notes dump"
+ exec_start "/usr/local/bin/planet-notes-dump"
user "www-data"
- command "/usr/local/bin/planet-notes-dump"
- mailto "grant-smaug@firefishy.com"
+ sandbox :enable_network => true
+ read_write_paths "/store/planet/notes"
end
-cron_d "planet-notes-cleanup" do
- comment "Delete Planet Notes dump files older than 8 days"
- minute "10"
- hour "8"
+systemd_timer "planet-notes-dump" do
+ description "Create notes dump"
+ on_calendar "03:00"
+end
+
+service "planet-notes-dump.timer" do
+ action [:enable, :start]
+end
+
+template "/usr/local/bin/planet-notes-cleanup" do
+ source "planet-notes-cleanup.erb"
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+systemd_service "planet-notes-cleanup" do
+ description "Delete old notes dumps"
+ exec_start "/usr/local/bin/planet-notes-cleanup"
user "www-data"
- command "find /store/planet/notes/20??/ -maxdepth 1 -type f -iname 'planet-notes-??????.osn*' -printf '\%T@ \%p\n' | sort -k 1nr | sed 's/^[^ ]* //' | tail -n +17 | xargs -r rm -f"
- mailto "grant-smaug@firefishy.com"
+ sandbox true
+ read_write_paths "/store/planet/notes"
+end
+
+systemd_timer "planet-notes-cleanup" do
+ description "Delete old notes dumps"
+ on_calendar "08:10"
+end
+
+service "planet-notes-cleanup.timer" do
+ action [:enable, :start]
end
description "Update list of users accepting CTs"
user "planet"
exec_start "/usr/local/bin/users-agreed"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ nice 10
+ sandbox :enable_network => true
+ read_write_paths "/store/planet/users_agreed"
end
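Review bot: The explicit `restrict_address_families %w[AF_INET AF_INET6]` is removed here and replaced by `sandbox :enable_network => true`, so users-agreed keeps its socket-family restriction only if the sandbox helper itself sets RestrictAddressFamilies for network-enabled units; the helper is outside this diff. The same substitution is made for users-deleted, replication-changesets, replication-minutely, replication-hourly and replication-daily. If the helper does not set it, keeping `restrict_address_families %w[AF_INET AF_INET6]` on these units preserves the previous hardening; `systemctl show -p RestrictAddressFamilies users-agreed.service` after converge settles it.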
systemd_timer "users-agreed" do
description "Update list of deleted users"
user "planet"
exec_start "/usr/local/bin/users-deleted"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ nice 10
+ sandbox :enable_network => true
+ read_write_paths "/store/planet/users_deleted"
end
systemd_timer "users-deleted" do
description "Changesets replication"
user "planet"
exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths [
+ "/run/replication",
+ "/store/planet/replication/changesets"
+ ]
end
systemd_timer "replication-changesets" do
user "planet"
working_directory "/etc/replication"
exec_start "/usr/local/bin/replicate-minute"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths [
+ "/run/replication",
+ "/store",
+ "/var/lib/replication/minute"
+ ]
end
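Review bot: `read_write_paths` for replication-minutely includes the whole of `"/store"`, which reopens every planet, notes, cc-by-sa and replication directory on that volume to a network-enabled unit running as `planet`, while the neighbouring units list only their own subtrees. If replicate-minute writes solely under the minute replication directory, replacing `"/store"` with that path (for example `"/store/planet/replication/minute"`, to be confirmed against the script) keeps the read-only system view the sandbox is meant to provide. If the broad path has to stay, a comment on the entry explaining why is the minimum.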
systemd_timer "replication-minutely" do
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
environment "LD_PRELOAD" => "/opt/flush/flush.so"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ read_write_paths [
+ "/store/planet/replication/hour",
+ "/var/lib/replication/hour"
+ ]
end
systemd_timer "replication-hourly" do
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
environment "LD_PRELOAD" => "/opt/flush/flush.so"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ read_write_paths [
+ "/store/planet/replication/day",
+ "/var/lib/replication/day"
+ ]
end
systemd_timer "replication-daily" do
description "Cleanup replication"
user "planet"
exec_start "/usr/local/bin/replicate-cleanup"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ read_write_paths "/var/lib/replication"
end
systemd_timer "replication-cleanup" do
--- /dev/null
+#!/bin/bash
+
+exec find /store/planet/notes/20?? -maxdepth 1 -type f -iname 'planet-notes-??????.osn*' -printf '%T@ %p\n' | \
+ sort -k 1nr | \
+ sed 's/^[^ ]* //' | \
+ tail -n +17 | \
+ xargs -r rm -f
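Review bot: `exec` in front of a pipeline only replaces the subshell running `find`; the script's exit status is that of `xargs`, so a `find` failure (for example when the `20??` glob matches nothing and is passed literally) is masked and the unit reports success. Drop the `exec` and start the script with `set -o pipefail` so systemd sees the failure. A comment stating the retention policy, e.g. `# keep the 16 newest dumps (tail -n +17 drops the rest)`, would also replace the "older than 8 days" description the removed cron entry carried.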
+++ /dev/null
-#!/bin/sh
-
-# DO NOT EDIT - This file is being maintained by Chef
-
-# setup
-
-SUFFIX="osh.pbf"
-
-PLANETDIR="/var/lib/planet"
-PLANETPREV="${PLANETDIR}/planet-previous.${SUFFIX}"
-PLANETCURR="${PLANETDIR}/planet.${SUFFIX}"
-PLANETNEW="${PLANETDIR}/planet-new.${SUFFIX}"
-
-pyosmium-up-to-date -vvv -o "$PLANETNEW" "$PLANETCURR"
-retval=$?
-
-while [ $retval -eq 1 ]; do
- mv "$PLANETCURR" "$PLANETPREV"
- mv "$PLANETNEW" "$PLANETCURR"
- pyosmium-up-to-date -vvv -o "$PLANETNEW" "$PLANETCURR"
- retval=$?
-done
-
-if [ $retval -ne 0 ]; then
- exit $retval
-fi
-
-# cleanup
-
-mv "$PLANETCURR" "$PLANETPREV"
-mv "$PLANETNEW" "$PLANETCURR"
# DO NOT EDIT - This file is being maintained by Chef
-exec >> /var/log/planet-update.log 2>&1
+# setup
-echo "Updating planet file..."
+SUFFIX="osh.pbf"
-/sbin/runuser -u planet -- /usr/local/bin/planet-update-file
+PLANETDIR="/var/lib/planet"
+PLANETPREV="${PLANETDIR}/planet-previous.${SUFFIX}"
+PLANETCURR="${PLANETDIR}/planet.${SUFFIX}"
+PLANETNEW="${PLANETDIR}/planet-new.${SUFFIX}"
-echo "Running jobs..."
-<% node[:planet][:current][:jobs].each_value do |job| -%>
+pyosmium-up-to-date -vvv -o "$PLANETNEW" "$PLANETCURR"
+retval=$?
-echo "Running '<%= job[:command] %>' as user '<%= job[:user] %>'..."
+while [ $retval -eq 1 ]; do
+ mv "$PLANETCURR" "$PLANETPREV"
+ mv "$PLANETNEW" "$PLANETCURR"
+ pyosmium-up-to-date -vvv -o "$PLANETNEW" "$PLANETCURR"
+ retval=$?
+done
-/sbin/runuser -u "<%= job[:user] %>" -- "<%= job[:command] %>"
-<% end -%>
+if [ $retval -ne 0 ]; then
+ exit $retval
+fi
-echo "Done."
+# cleanup
+
+mv "$PLANETCURR" "$PLANETPREV"
+mv "$PLANETNEW" "$PLANETCURR"
+++ /dev/null
-/var/log/planet-update.log {
- compress
- notifempty
- missingok
-}
fi
fi
-# Redirect this shell's output to a file. This is so that it
-# can be emailed later, since this script is run from incron
-# and incron doesn't yet support MAILTO like cron does. The
-# command below appears to work in bash as well as dash.
-logfile="/tmp/planetdump.log.$$"
-exec > "${logfile}" 2>&1
-
# Create lock file
echo $$ > /tmp/planetdump.lock
function cleanup {
# Remove the lock file
rm /tmp/planetdump.lock
-
- # Send an email with the output, since incron doesn't yet
- # support doing this in the incrontab
- if [[ -s "$logfile" ]]
- then
- mailx -s "Planet dump output: ${file}" admins@openstreetmap.org zerebubuth@gmail.com < "${logfile}"
- fi
-
- # Remove the log file
- rm -f "${logfile}"
}
# Remove lock on exit
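Review bot: The lock in `/tmp/planetdump.lock` is created inside a unit that runs with a private `/tmp` (the planetdump service had `private_tmp true` before and `sandbox true` now), so each `planetdump@<instance>` invocation sees its own empty `/tmp` and the lock cannot exclude a concurrent dump in another instance. If the lock is meant to serialise dumps it needs a shared writable location, such as a `flock` on a file under the dump directory that is already in `read_write_paths`; if it only guards re-entry within one instance, a comment saying so would stop the next reader from relying on it. Output now goes to the journal instead of the removed mail, which matches the rest of this commit.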
-w "https://ftp5.gwdg.de/pub/misc/openstreetmap/planet.openstreetmap.org/${web_path}" \
-w "https://ftpmirror.your.org/pub/openstreetmap/${web_path}" \
-w "https://mirror.init7.net/openstreetmap/${web_path}" \
- -w "https://free.nchc.org.tw/osm.planet/${web_path}" \
-w "https://ftp.fau.de/osm-planet/${web_path}" \
-w "https://ftp.spline.de/pub/openstreetmap/${web_path}" \
- -w "https://osm.openarchive.site/${name}" \
-w "https://downloads.opencagedata.com/planet/${name}" \
-w "https://planet.osm-hr.org/${web_path}" \
-w "https://planet.maps.mail.ru/${web_path}" \
default[:postgresql][:settings][:defaults][:early_authentication_rules] = []
default[:postgresql][:settings][:defaults][:late_authentication_rules] = []
default[:postgresql][:settings][:defaults][:standby_mode] = "off"
-
-default[:apt][:sources] = node[:apt][:sources] | ["postgresql"]
# limitations under the License.
#
-include_recipe "apt"
+include_recipe "apt::postgresql"
include_recipe "munin"
include_recipe "prometheus"
prometheus_exporter "postgres" do
port 9187
+ scrape_interval "1m"
+ scrape_timeout "1m"
user "postgres"
options "--extend.query-path=/etc/prometheus/exporters/postgres_queries.yml"
environment "DATA_SOURCE_URI" => uris.sort.uniq.first,
"PG_EXPORTER_AUTO_DISCOVER_DATABASES" => "true",
"PG_EXPORTER_EXCLUDE_DATABASES" => "postgres,template0,template1"
+ restrict_address_families "AF_UNIX"
subscribes :restart, "template[/etc/prometheus/exporters/postgres_queries.yml]"
end
pg_replication:
- query: "SELECT EXTRACT(EPOCH FROM (now() - pg_last_xact_replay_timestamp())) AS lag_seconds"
+ query: "SELECT CASE WHEN NOT pg_is_in_recovery() THEN 0 ELSE GREATEST (0, EXTRACT(EPOCH FROM (now() - pg_last_xact_replay_timestamp()))) END AS lag_seconds"
master: true
metrics:
- lag_seconds:
<% if node[:postgresql][:monitor_tables] -%>
pg_stat_user_tables:
- query: "SELECT current_database() datname, schemaname, relname, seq_scan, seq_tup_read, idx_scan, idx_tup_fetch, n_tup_ins, n_tup_upd, n_tup_del, n_tup_hot_upd, n_live_tup, n_dead_tup, n_mod_since_analyze, COALESCE(last_vacuum, '1970-01-01Z'), COALESCE(last_vacuum, '1970-01-01Z') as last_vacuum, COALESCE(last_autovacuum, '1970-01-01Z') as last_autovacuum, COALESCE(last_analyze, '1970-01-01Z') as last_analyze, COALESCE(last_autoanalyze, '1970-01-01Z') as last_autoanalyze, vacuum_count, autovacuum_count, analyze_count, autoanalyze_count FROM pg_stat_user_tables"
+ query: "SELECT current_database() datname, schemaname, relname, seq_scan, seq_tup_read, idx_scan, idx_tup_fetch, n_tup_ins, n_tup_upd, n_tup_del, n_tup_hot_upd, n_live_tup, n_dead_tup, n_mod_since_analyze, COALESCE(last_vacuum, '1970-01-01Z') as last_vacuum, COALESCE(last_autovacuum, '1970-01-01Z') as last_autovacuum, COALESCE(last_analyze, '1970-01-01Z') as last_analyze, COALESCE(last_autoanalyze, '1970-01-01Z') as last_autoanalyze, vacuum_count, autovacuum_count, analyze_count, autoanalyze_count FROM pg_stat_user_tables"
metrics:
- datname:
usage: "LABEL"
description: "Number of buffer hits in this table's TOAST table indexes (if any)"
<% end -%>
-pg_database:
- query: "SELECT pg_database.oid AS datid, pg_database.datname, pg_database_size(pg_database.datname) AS size_bytes FROM pg_database"
- master: true
- cache_seconds: 30
- metrics:
- - datid:
- usage: "LABEL"
- description: "ID of the database"
- - datname:
- usage: "LABEL"
- description: "Name of the database"
- - size_bytes:
- usage: "GAUGE"
- description: "Disk space used by the database"
-
pg_unfrozen_ids:
query: "SELECT current_database() AS datname, max(age(relfrozenxid)) AS xid_age, max(mxid_age(relminmxid)) AS mxid_age FROM pg_class WHERE relkind IN ('r', 'm')"
metrics:
default[:prometheus][:snmp] = {}
default[:prometheus][:metrics] = {}
default[:prometheus][:files] = []
-default[:prometheus][:promscale] = false
-
-if node[:recipes].include?("prometheus::server")
- default[:apt][:sources] |= %w[grafana timescaledb]
-end
+default[:prometheus][:promscale] = true
prometheus_exporter "node" do
port 9100
+ user "root"
+ proc_subset "all"
+ protect_clock false
+ restrict_address_families %w[AF_UNIX AF_NETLINK]
+ system_call_filter ["@system-service", "@clock"]
options %w[
--collector.textfile.directory=/var/lib/prometheus/node-exporter
--collector.interrupts
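Review bot: `protect_clock false` with `system_call_filter ["@system-service", "@clock"]` and `proc_subset "all"` widen the node exporter's sandbox without a comment saying which collector needs each (the `@clock` group is presumably for a collector that reads adjtimex state, and `proc_subset "all"` for reading other processes' entries), so the next person hardening this unit cannot tell which ones are safe to remove. A short comment per line, e.g. `# @clock + ProtectClock=no: needed by the timex collector — confirm`, makes the trade-off explicit. Running as `user "root"` keeps the previous behaviour now that the resource defaults to a dynamic user, so that line is a deliberate opt-out rather than a regression and deserves the same note.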
#
include_recipe "apache"
-include_recipe "apt"
+include_recipe "apt::grafana"
+include_recipe "apt::timescaledb"
include_recipe "networking"
include_recipe "timescaledb"
prometheus_exporter "statuscake" do
port 9595
+ scrape_interval "5m"
+ scrape_timeout "2m"
environment "STATUSCAKE_APIKEY" => tokens["statuscake"]
end
cache_dir = Chef::Config[:file_cache_path]
-prometheus_version = "2.31.1"
-alertmanager_version = "0.23.0"
-karma_version = "0.105"
+prometheus_version = "2.39.1"
+alertmanager_version = "0.24.0"
+karma_version = "0.108"
directory "/opt/prometheus-server" do
owner "root"
subscribes :extract, "remote_file[#{cache_dir}/karma-linux-amd64.tar.gz]"
end
-promscale_version = "0.13.0"
+promscale_version = "0.16.0"
database_version = node[:timescaledb][:database_version]
database_cluster = "#{database_version}/main"
user "prometheus"
exec_start "/opt/promscale/bin/promscale --db.uri postgresql:///promscale?host=/run/postgresql&port=5432 --db.connections-max 400"
limit_nofile 16384
- private_tmp true
- protect_system "strict"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
end
if node[:prometheus][:promscale]
address = exporter[:address]
sni = exporter[:sni]
scrape_interval = exporter[:scrape_interval]
+ scrape_timeout = exporter[:scrape_timeout]
metric_relabel = exporter[:metric_relabel] || []
else
name = key
address = exporter
sni = nil
scrape_interval = nil
+ scrape_timeout = nil
metric_relabel = []
end
:sni => sni,
:instance => client.name.split(".").first,
:scrape_interval => scrape_interval,
+ :scrape_timeout => scrape_timeout,
:metric_relabel => metric_relabel
}
end
notifies :restart, "service[prometheus-alertmanager]"
end
+link "/usr/local/bin/promtool" do
+ to "/opt/prometheus-server/prometheus/promtool"
+end
+
template "/etc/prometheus/alertmanager.yml" do
source "alertmanager.yml.erb"
owner "root"
subscribes :restart, "archive_file[#{cache_dir}/alertmanager.linux-amd64.tar.gz]"
end
-template "/etc/prometheus/amtool.yml" do
+directory "/etc/amtool" do
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+template "/etc/amtool/config.yml" do
source "amtool.yml.erb"
owner "root"
group "root"
mode "644"
end
+link "/usr/local/bin/amtool" do
+ to "/opt/prometheus-server/alertmanager/amtool"
+end
+
template "/etc/prometheus/karma.yml" do
source "karma.yml.erb"
owner "root"
description "Alert dashboard for Prometheus Alertmanager"
user "prometheus"
exec_start "/opt/prometheus-server/karma/karma-linux-amd64 --config.file=/etc/prometheus/karma.yml"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
restart "on-failure"
end
action [:enable, :start]
subscribes :reload, "template[/etc/prometheus/karma.yml]"
subscribes :restart, "archive_file[#{cache_dir}/karma-linux-amd64.tar.gz]"
+ subscribes :restart, "systemd_service[prometheus-karma]"
end
package "grafana-enterprise"
property :collector, :kind_of => String, :name_property => true
property :interval, :kind_of => [Integer, String], :required => [:create]
+property :user, :kind_of => String
property :options, :kind_of => [String, Array]
property :environment, :kind_of => Hash, :default => {}
+property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :private_devices, [true, false]
+property :private_users, [true, false]
+property :protect_clock, [true, false]
+property :protect_kernel_modules, [true, false]
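Review bot: The six new properties (`proc_subset` through `protect_kernel_modules`) use the positional type form `property :proc_subset, String` while every other property in this file is written `:kind_of => String`; both are valid Chef, but mixing them in one resource reads as two authors, and the same mix appears in the exporter resource's property list. These properties exist only to relax `sandbox true`, and nothing documents that: a comment above the group such as `# Optional sandbox relaxations; each weakens the default hardening, set only when the collector needs it` tells callers to treat them as exceptions. `user` becoming optional also flips existing collectors to DynamicUser, which is a behaviour change worth a line in the resource's documentation.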
action :create do
systemd_service service_name do
description "Prometheus #{new_resource.collector} collector"
- user "root"
+ user new_resource.user
+ dynamic_user new_resource.user.nil?
+ group "adm"
environment new_resource.environment
standard_output "file:/var/lib/prometheus/node-exporter/#{new_resource.collector}.new"
standard_error "journal"
exec_start "#{executable_path} #{executable_options}"
exec_start_post "/bin/mv /var/lib/prometheus/node-exporter/#{new_resource.collector}.new /var/lib/prometheus/node-exporter/#{new_resource.collector}.prom"
- private_tmp true
- protect_system "strict"
- protect_home true
+ sandbox true
+ proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+ capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+ private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+ private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
+ protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+ protect_kernel_modules new_resource.protect_kernel_modules if new_resource.property_is_set?(:protect_kernel_modules)
read_write_paths ["/var/lib/prometheus/node-exporter", "/var/lock", "/var/log"]
- no_new_privileges true
end
systemd_timer service_name do
property :port, :kind_of => Integer, :required => [:create]
property :listen_switch, :kind_of => String, :default => "web.listen-address"
property :listen_type, :kind_of => String, :default => "address"
-property :user, :kind_of => String, :default => "root"
+property :user, :kind_of => String
+property :group, :kind_of => String
property :command, :kind_of => String
property :options, :kind_of => [String, Array]
property :environment, :kind_of => Hash, :default => {}
+property :protect_proc, String
+property :proc_subset, String
+property :private_devices, [true, false]
+property :protect_clock, [true, false]
+property :restrict_address_families, [String, Array]
+property :system_call_filter, [String, Array]
property :service, :kind_of => String
property :scrape_interval, :kind_of => String
+property :scrape_timeout, :kind_of => String
property :metric_relabel, :kind_of => Array
property :register_target, :kind_of => [TrueClass, FalseClass], :default => true
description "Prometheus #{new_resource.exporter} exporter"
type "simple"
user new_resource.user
+ dynamic_user new_resource.user.nil?
+ group new_resource.group
environment new_resource.environment
exec_start "#{executable_path} #{new_resource.command} #{executable_options}"
- private_tmp true
- protect_system "strict"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
+ proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+ private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+ protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+ restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
+ system_call_filter new_resource.system_call_filter if new_resource.property_is_set?(:system_call_filter)
end
service service_name do
:name => new_resource.exporter,
:address => listen_address,
:scrape_interval => new_resource.scrape_interval,
+ :scrape_timeout => new_resource.scrape_timeout,
:metric_relabel => new_resource.metric_relabel
}
end
end
def executable_path
- "/opt/prometheus-exporters/exporters/#{new_resource.exporter}/#{new_resource.exporter}_exporter"
+ if ::File.exist?("#{executable_directory}/#{executable_name}_#{executable_architecture}")
+ "#{executable_directory}/#{executable_name}_#{executable_architecture}"
+ else
+ "#{executable_directory}/#{executable_name}"
+ end
+ end
+
+ def executable_directory
+ "/opt/prometheus-exporters/exporters/#{new_resource.exporter}"
+ end
+
+ def executable_name
+ "#{new_resource.exporter}_exporter"
+ end
+
+ def executable_architecture
+ node[:kernel][:machine]
end
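Review bot: `executable_path` now prefers an architecture-suffixed binary and silently falls back to the bare name, and neither the lookup order nor the naming convention (`<exporter>_exporter_<machine>`) is documented. A comment above the method, e.g. `# Prefer <name>_<arch> for multi-arch installs; fall back to the unsuffixed binary`, plus a note that `node[:kernel][:machine]` yields kernel names such as x86_64/aarch64 rather than Go's amd64/arm64, would keep the install side and this lookup from drifting apart. The silent fallback also means a missing arch binary is only noticed when the unit fails to start.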
def executable_options
rules:
- alert: pdu current draw
expr: rPDU2PhaseStatusCurrent{site="amsterdam",rPDU2PhaseStatusIndex="1"} / 10 > 10
- for: 5m
+ for: 6m
labels:
alertgroup: "amsterdam"
annotations:
current: "{{ $value | humanize }}A"
- alert: site current draw
expr: sum(rPDU2PhaseStatusCurrent{site="amsterdam",rPDU2PhaseStatusIndex="1"} / 10) > 13
- for: 5m
+ for: 6m
labels:
alertgroup: "amsterdam"
annotations:
current: "{{ $value | humanize }}A"
- alert: site temperature
- expr: min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 < 18 or min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 > 25
- for: 5m
+ expr: min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 < 18 or min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 > 25.5
+ for: 6m
labels:
alertgroup: "amsterdam"
annotations:
temperature: "{{ $value | humanize }}C"
- alert: site humidity
expr: max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 < 0.25 or max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 > 0.65
- for: 5m
+ for: 6m
labels:
alertgroup: "amsterdam"
annotations:
alertgroup: database
annotations:
delay: "{{ $value | humanizeDuration }}"
+ - name: dublin
+ rules:
+ - alert: pdu current draw
+ expr: rPDU2PhaseStatusCurrent{site="dublin",rPDU2PhaseStatusIndex="1"} / 10 > 13
+ for: 6m
+ labels:
+ alertgroup: "dublin"
+ annotations:
+ current: "{{ $value | humanize }}A"
+ - alert: site current draw
+ expr: sum(rPDU2PhaseStatusCurrent{site="dublin",rPDU2PhaseStatusIndex="1"} / 10) > 17
+ for: 6m
+ labels:
+ alertgroup: "dublin"
+ annotations:
+ current: "{{ $value | humanize }}A"
+ - alert: site temperature
+ expr: min(rPDU2SensorTempHumidityStatusTempC{site="dublin"}) / 10 < 18 or min(rPDU2SensorTempHumidityStatusTempC{site="dublin"}) / 10 > 25.5
+ for: 6m
+ labels:
+ alertgroup: "dublin"
+ annotations:
+ temperature: "{{ $value | humanize }}C"
+ - alert: site humidity
+ expr: max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="dublin"}) / 100 < 0.25 or max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="dublin"}) / 100 > 0.65
+ for: 6m
+ labels:
+ alertgroup: "dublin"
+ annotations:
+ humidity: "{{ $value | humanizePercentage }}"
- name: fastly
rules:
- alert: fastly error rate
annotations:
error_rate: "{{ $value | humanizePercentage }}"
- alert: fastly healthcheck failing
- expr: count(fastly_healthcheck_status == 0) > 0
+ expr: count(fastly_healthcheck_status == 0) by (service) > 0
for: 15m
labels:
alertgroup: fastly
- - alert: fastly healthcheck failing
- expr: count(fastly_healthcheck_status == 0) > 4
+ - alert: multiple fastly healthchecks failing
+ expr: count(fastly_healthcheck_status == 0) by (service) > 4
for: 5m
labels:
alertgroup: fastly
alertgroup: "{{ $labels.instance }}"
- name: juniper
rules:
+ - alert: juniper cpu alarm
+ expr: jnxOperatingCPU{jnxOperatingContentsIndex="7"} > 30
+ for: 5m
+ labels:
+ alertgroup: "{{ $labels.site }}"
- alert: juniper fan alarm
- expr: jnxOperatingState{jnxOperatingContentsIndex="4",jnxOperatingState!="running"} > 0
+ expr: jnxOperatingState{jnxOperatingContentsIndex="4",jnxOperatingState!~"running.*"} > 0
for: 5m
labels:
alertgroup: "{{ $labels.site }}"
- alert: juniper power alarm
- expr: jnxOperatingState{jnxOperatingContentsIndex="2",jnxOperatingState!="running"} > 0
+ expr: jnxOperatingState{jnxOperatingContentsIndex="2",jnxOperatingState!~"running.*"} > 0
for: 5m
labels:
alertgroup: "{{ $labels.site }}"
- name: mail
rules:
+ - alert: exim down
+ expr: exim_up == 0
+ for: 5m
+ labels:
+ alertgroup: "{{ $labels.instance }}"
- alert: exim queue length
expr: exim_queue > exim_queue_limit
for: 60m
alertgroup: "{{ $labels.instance }}"
annotations:
error_rate: "{{ $value | humanizePercentage }}"
- - alert: interface transmit errors
+ - alert: wireguard interface transmit errors
expr: rate(node_network_transmit_errs_total{device=~"wg.*"}[1m]) / rate(node_network_transmit_packets_total{device=~"wg.*"}[1m]) > 0.05
for: 1h
labels:
alertgroup: "{{ $labels.instance }}"
annotations:
entries_used: "{{ $value | humanizePercentage }}"
+ - name: nominatim
+ rules:
+ - alert: nominatim replication delay
+ expr: nominatim_replication_delay > 10800
+ for: 1h
+ labels:
+ alertgroup: nominatim
+ annotations:
+ delay: "{{ $value | humanizeDuration }}"
+ - name: overpass
+ rules:
+ - alert: overpass osm database age
+ expr: overpass_database_age_seconds{database="osm"} > 3600
+ for: 1h
+ labels:
+ alertgroup: overpass
+ annotations:
+ age: "{{ $value | humanizeDuration }}"
+ - alert: overpass area database age
+ expr: overpass_database_age_seconds{database="area"} > 86400
+ for: 1h
+ labels:
+ alertgroup: overpass
+ annotations:
+ age: "{{ $value | humanizeDuration }}"
+ - name: passenger
+ rules:
+ - alert: passenger down
+ expr: passenger_up == 0
+ for: 5m
+ labels:
+ alertgroup: "{{ $labels.instance }}"
+ - alert: passenger queuing
+ expr: passenger_top_level_request_queue > 0
+ for: 5m
+ labels:
+ alertgroup: "{{ $labels.instance }}"
+ - alert: passenger application queuing
+ expr: passenger_app_request_queue > 0
+ for: 5m
+ labels:
+ alertgroup: "{{ $labels.instance }}"
- name: planet
rules:
- alert: planet dump overdue
annotations:
connections_used: "{{ $value | humanizePercentage }}"
- alert: postgresql deadlocks
- expr: increase(pg_stat_database_deadlocks[1m]) > 5
+ expr: increase(pg_stat_database_deadlocks{datname!="nominatim"}[1m]) > 5
for: 0m
labels:
alertgroup: "{{ $labels.instance }}"
for: 5m
labels:
alertgroup: "{{ $labels.instance }}"
+ - name: rasdaemon
+ rules:
+ - alert: memory controller errors
+ expr: increase(rasdaemon_mc_events_total[1m]) > 0
+ for: 0m
+ labels:
+ alertgroup: "{{ $labels.instance }}"
+ annotations:
+ new_errors: "{{ $value }}"
+ - alert: pcie aer errors
+ expr: increase(rasdaemon_aer_events_total[1m]) > 0
+ for: 0m
+ labels:
+ alertgroup: "{{ $labels.instance }}"
+ annotations:
+ new_ercrors: "{{ $value }}"
- name: smart
rules:
- alert: smart failure
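Review bot: The annotation key `new_ercrors` under the `pcie aer errors` rule is misspelled; the memory controller rule directly above uses `new_errors`, and any notification template that reads the annotation by name will miss it. Change the line to `new_errors: "{{ $value }}"`. Both rasdaemon rules fire with `for: 0m` on any single event, which is a reasonable choice for hardware faults, but a brief comment (`# page on the first event; RAS errors warrant a look`) would confirm it is intentional rather than an omission.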
for: 5m
labels:
alertgroup: "{{ $labels.instance }}"
- - alert: systemd failed service
+ - alert: systemd failed chef client service
expr: node_systemd_unit_state{state="failed",name="chef-client.service"} == 1
for: 6h
labels:
[security]
admin_user = admin
admin_password = <%= @passwords[:grafana_admin] %>
+disable_gravatar = true
+cookie_secure = true
[smtp]
enabled = true
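Review bot: `cookie_secure = true` makes the Grafana session cookie HTTPS-only, which is right, but it means any plain-HTTP path to Grafana (including a local health check that logs in) stops working; it relies on the Apache front end terminating TLS and redirecting HTTP, which is outside this diff. `cookie_samesite` lives in the same section and is worth setting explicitly alongside it (`cookie_samesite = strict`, or `lax` if cross-site links into dashboards must keep the session), since the two together protect the admin session against CSRF and leakage over HTTP. The admin password is still rendered into this file from the template; that is pre-existing, but the file's mode should stay restricted to the Grafana user.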
<% if targets.first[:scrape_interval] -%>
scrape_interval: <%= targets.first[:scrape_interval] %>
<% end -%>
+<% if targets.first[:scrape_timeout] -%>
+ scrape_timeout: <%= targets.first[:scrape_timeout] %>
+<% end -%>
<% if targets.first[:sni] -%>
tls_config:
server_name: <%= targets.first[:sni] %>
- source_labels: [__address__]
regex: "[^/]+/([^/]+)/.*"
target_label: __param_module
+ - source_labels: [__address__]
+ regex: "[^/]+/([^/]+)/.*"
+ target_label: module
- source_labels: [__address__]
regex: "[^/]+/[^/]+/(.*)"
target_label: __address__
systemd_service "rsync-override" do
service "rsync"
dropin "override"
- exec_start "/usr/bin/rsync --daemon --no-detach --bwlimit=16384"
+ exec_start "/usr/bin/rsync --daemon --no-detach"
+ nice 10
read_write_paths writable_paths.sort
notifies :restart, "service[rsync]"
end
end
ssl_certificate "hardware.openstreetmap.org" do
- domains ["hardware.openstreetmap.org", "hardware.osm.org"]
+ domains ["hardware.openstreetmap.org", "hardware.osm.org", "hardware.osmfoundation.org"]
notifies :reload, "service[apache2]"
end
apache_site "hardware.openstreetmap.org" do
template "apache.erb"
directory "/srv/hardware.openstreetmap.org/_site"
- variables :aliases => ["hardware.osm.org"]
+ variables :aliases => ["hardware.osm.org", "hardware.osmfoundation.org"]
end
default[:ssl][:openssl_ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
-default[:ssl][:gnutls_ciphers] = "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW"
+default[:ssl][:gnutls_ciphers] = "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW"
default[:ssl][:strict_transport_security] = "max-age=31536000; includeSubDomains; preload"
default[:ssl][:ct_report_uri] = "https://openstreetmap.report-uri.com/r/d/ct/reportOnly"
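Review bot: The new GnuTLS priority string enables TLS 1.3 but still advertises `+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.0`, and the OpenSSL list above it keeps the `DES-CBC3-SHA` suites; TLS 1.0/1.1 are deprecated by RFC 8996 and 3DES is the Sweet32 target, so these two attributes are now the main thing keeping legacy protocols reachable on every host that consumes them. That is pre-existing rather than introduced here, but since the string is being touched anyway, a comment naming which clients still require the old versions (or a TODO to drop them) would make the intent explicit instead of leaving it to look like an oversight.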
version "1.0.0"
supports "ubuntu"
+depends "apache"
+depends "git"
depends "ruby"
depends "wordpress"
# limitations under the License.
#
-include_recipe "ruby"
-include_recipe "wordpress"
+include_recipe "apache"
+include_recipe "git"
-passwords = data_bag_item("stateofthemap", "passwords")
+apache_module "expires"
git "/srv/stateofthemap.org" do
action :sync
template "apache.erb"
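Review bot: `apache_module "expires"` is declared here and again in the new jekyll recipe, which begins with `include_recipe "stateofthemap"`, so a run of the jekyll recipe ends up with two identical resources in the collection; keeping it only in this default recipe (which all three new recipes include) avoids the duplicate. The newly added `include_recipe "git"` is presumably what backs the `git` resource just below — a short comment saying so would help, since the old recipe used `git` without including it.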
directory "/srv/stateofthemap.org"
end
-
-directory "/srv/2007.stateofthemap.org" do
- owner "wordpress"
- group "wordpress"
- mode "755"
-end
-
-wordpress_site "2007.stateofthemap.org" do
- aliases "2007.stateofthemap.com"
- directory "/srv/2007.stateofthemap.org/wp"
- database_name "sotm2007"
- database_user "sotm2007"
- database_password passwords["sotm2007"]
- database_prefix "wp_sotm_"
- fpm_prometheus_port 12007
-end
-
-wordpress_theme "2007.stateofthemap.org-refreshwp-11" do
- theme "refreshwp-11"
- site "2007.stateofthemap.org"
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "theme-2007"
-end
-
-# wordpress_plugin "2007.stateofthemap.org-geopress" do
-# plugin "geopress"
-# site "2007.stateofthemap.org"
-# end
-
-directory "/srv/2008.stateofthemap.org" do
- owner "wordpress"
- group "wordpress"
- mode "755"
-end
-
-wordpress_site "2008.stateofthemap.org" do
- aliases "2008.stateofthemap.com"
- directory "/srv/2008.stateofthemap.org/wp"
- database_name "sotm2008"
- database_user "sotm2008"
- database_password passwords["sotm2008"]
- database_prefix "wp_sotm08_"
- fpm_prometheus_port 12008
-end
-
-wordpress_theme "2008.stateofthemap.org-refreshwp-11" do
- theme "refreshwp-11"
- site "2008.stateofthemap.org"
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "theme-2008"
-end
-
-# wordpress_plugin "2008.stateofthemap.org-geopress" do
-# plugin "geopress"
-# site "2008.stateofthemap.org"
-# end
-
-directory "/srv/2009.stateofthemap.org" do
- owner "wordpress"
- group "wordpress"
- mode "755"
-end
-
-git "/srv/2009.stateofthemap.org" do
- action :sync
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "resources-2009"
- depth 1
- user "wordpress"
- group "wordpress"
-end
-
-wordpress_site "2009.stateofthemap.org" do
- aliases "2009.stateofthemap.com"
- directory "/srv/2009.stateofthemap.org/wp"
- database_name "sotm2009"
- database_user "sotm2009"
- database_password passwords["sotm2009"]
- urls "/register" => "/srv/2009.stateofthemap.org/register",
- "/register-pro-user" => "/srv/2009.stateofthemap.org/register-pro-user",
- "/podcasts" => "/srv/2009.stateofthemap.org/podcasts"
- fpm_prometheus_port 12009
-end
-
-wordpress_theme "2009.stateofthemap.org-aerodrome" do
- theme "aerodrome"
- site "2009.stateofthemap.org"
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "theme-2009"
-end
-
-# wordpress_plugin "2009.stateofthemap.org-wp-sticky" do
-# plugin "wp-sticky"
-# site "2009.stateofthemap.org"
-# end
-
-directory "/srv/2010.stateofthemap.org" do
- owner "wordpress"
- group "wordpress"
- mode "755"
-end
-
-git "/srv/2010.stateofthemap.org" do
- action :sync
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "resources-2010"
- depth 1
- user "wordpress"
- group "wordpress"
-end
-
-wordpress_site "2010.stateofthemap.org" do
- aliases "2010.stateofthemap.com"
- directory "/srv/2010.stateofthemap.org/wp"
- database_name "sotm2010"
- database_user "sotm2010"
- database_password passwords["sotm2010"]
- urls "/register" => "/srv/2010.stateofthemap.org/register"
- fpm_prometheus_port 12010
-end
-
-wordpress_theme "2010.stateofthemap.org-aerodrome" do
- theme "aerodrome"
- site "2010.stateofthemap.org"
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "theme-2010"
-end
-
-wordpress_plugin "2010.stateofthemap.org-sitepress-multilingual-cms" do
- plugin "sitepress-multilingual-cms"
- site "2010.stateofthemap.org"
- repository "https://git.openstreetmap.org/private/sitepress-multilingual-cms.git"
- revision "master"
- not_if { kitchen? }
-end
-
-# wordpress_plugin "2010.stateofthemap.org-wp-sticky" do
-# plugin "wp-sticky"
-# site "2010.stateofthemap.org"
-# end
-
-directory "/srv/2011.stateofthemap.org" do
- owner "wordpress"
- group "wordpress"
- mode "755"
-end
-
-git "/srv/2011.stateofthemap.org" do
- action :sync
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "resources-2011"
- depth 1
- user "wordpress"
- group "wordpress"
-end
-
-wordpress_site "2011.stateofthemap.org" do
- aliases "2011.stateofthemap.com"
- directory "/srv/2011.stateofthemap.org/wp"
- database_name "sotm2011"
- database_user "sotm2011"
- database_password passwords["sotm2011"]
- urls "/register" => "/srv/2011.stateofthemap.org/register"
- fpm_prometheus_port 12011
-end
-
-wordpress_theme "2011.stateofthemap.org-aerodrome" do
- theme "aerodrome"
- site "2011.stateofthemap.org"
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "theme-2011"
-end
-
-wordpress_plugin "2011.stateofthemap.org-sitepress-multilingual-cms" do
- plugin "sitepress-multilingual-cms"
- site "2011.stateofthemap.org"
- repository "https://git.openstreetmap.org/private/sitepress-multilingual-cms.git"
- revision "master"
- not_if { kitchen? }
-end
-
-# wordpress_plugin "2011.stateofthemap.org-wp-sticky" do
-# plugin "wp-sticky"
-# site "2011.stateofthemap.org"
-# end
-
-directory "/srv/2012.stateofthemap.org" do
- owner "wordpress"
- group "wordpress"
- mode "755"
-end
-
-git "/srv/2012.stateofthemap.org" do
- action :sync
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "resources-2012"
- depth 1
- user "wordpress"
- group "wordpress"
-end
-
-wordpress_site "2012.stateofthemap.org" do
- aliases "2012.stateofthemap.com"
- directory "/srv/2012.stateofthemap.org/wp"
- database_name "sotm2012"
- database_user "sotm2012"
- database_password passwords["sotm2012"]
- urls "/register" => "/srv/2012.stateofthemap.org/register"
- fpm_prometheus_port 12012
-end
-
-wordpress_theme "2012.stateofthemap.org-aerodrome" do
- theme "aerodrome"
- site "2012.stateofthemap.org"
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "theme-2012"
-end
-
-wordpress_plugin "2012.stateofthemap.org-leaflet-maps-marker" do
- plugin "leaflet-maps-marker"
- site "2012.stateofthemap.org"
-end
-
-wordpress_plugin "2012.stateofthemap.org-sitepress-multilingual-cms" do
- plugin "sitepress-multilingual-cms"
- site "2012.stateofthemap.org"
- repository "https://git.openstreetmap.org/private/sitepress-multilingual-cms.git"
- revision "master"
- not_if { kitchen? }
-end
-
-# wordpress_plugin "2012.stateofthemap.org-wp-sticky" do
-# plugin "wp-sticky"
-# site "2012.stateofthemap.org"
-# end
-
-%w[2013].each do |year|
- git "/srv/#{year}.stateofthemap.org" do
- action :sync
- repository "https://git.openstreetmap.org/public/stateofthemap.git"
- revision "site-#{year}"
- depth 1
- user "root"
- group "root"
- end
-
- ssl_certificate "#{year}.stateofthemap.org" do
- domains ["#{year}.stateofthemap.org", "#{year}.stateofthemap.com", "#{year}.sotm.org"]
- notifies :reload, "service[apache2]"
- end
-
- apache_site "#{year}.stateofthemap.org" do
- template "apache.static.erb"
- directory "/srv/#{year}.stateofthemap.org"
- variables :year => year
- end
-end
-
-package %w[
- gcc
- g++
- make
- libssl-dev
- zlib1g-dev
- pkg-config
-]
-
-apache_module "expires"
-apache_module "rewrite"
-
-%w[2016 2017 2018 2019 2020 2021 2022].each do |year|
- git "/srv/#{year}.stateofthemap.org" do
- action :sync
- repository "https://github.com/openstreetmap/stateofthemap-#{year}.git"
- depth 1
- user "root"
- group "root"
- notifies :run, "bundle_install[/srv/#{year}.stateofthemap.org]"
- end
-
- directory "/srv/#{year}.stateofthemap.org/_site" do
- mode "755"
- owner "nobody"
- group "nogroup"
- end
-
- # Workaround https://github.com/jekyll/jekyll/issues/7804
- # by creating a .jekyll-cache folder
- directory "/srv/#{year}.stateofthemap.org/.jekyll-cache" do
- mode "755"
- owner "nobody"
- group "nogroup"
- end
-
- bundle_install "/srv/#{year}.stateofthemap.org" do
- action :nothing
- options "--deployment --jobs #{node[:cpu][:total]}"
- user "root"
- group "root"
- notifies :run, "bundle_exec[/srv/#{year}.stateofthemap.org]"
- only_if { ::File.exist?("/srv/#{year}.stateofthemap.org/Gemfile") }
- end
-
- bundle_exec "/srv/#{year}.stateofthemap.org" do
- action :nothing
- command "jekyll build --trace --baseurl=https://#{year}.stateofthemap.org"
- user "nobody"
- group "nogroup"
- environment "LANG" => "C.UTF-8"
- end
-
- ssl_certificate "#{year}.stateofthemap.org" do
- domains ["#{year}.stateofthemap.org", "#{year}.stateofthemap.com", "#{year}.sotm.org"]
- notifies :reload, "service[apache2]"
- end
-
- apache_site "#{year}.stateofthemap.org" do
- template "apache.jekyll.erb"
- directory "/srv/#{year}.stateofthemap.org/_site"
- variables :year => year
- end
-end
-
-template "/etc/cron.daily/sotm-backup" do
- source "backup.cron.erb"
- owner "root"
- group "root"
- mode "750"
- variables :passwords => passwords
-end
--- /dev/null
+#
+# Cookbook:: stateofthemap
+# Recipe:: jekyll
+#
+# Copyright:: 2022, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "stateofthemap"
+include_recipe "ruby"
+
+package %w[
+ gcc
+ g++
+ make
+ libssl-dev
+ zlib1g-dev
+ pkg-config
+]
+
+apache_module "expires"
+apache_module "rewrite"
+
+%w[2016 2017 2018 2019 2020 2021 2022].each do |year|
+ git "/srv/#{year}.stateofthemap.org" do
+ action :sync
+ repository "https://github.com/openstreetmap/stateofthemap-#{year}.git"
+ depth 1
+ user "root"
+ group "root"
+ notifies :run, "bundle_install[/srv/#{year}.stateofthemap.org]"
+ end
+
+ directory "/srv/#{year}.stateofthemap.org/_site" do
+ mode "755"
+ owner "nobody"
+ group "nogroup"
+ end
+
+ # Workaround https://github.com/jekyll/jekyll/issues/7804
+ # by creating a .jekyll-cache folder
+ directory "/srv/#{year}.stateofthemap.org/.jekyll-cache" do
+ mode "755"
+ owner "nobody"
+ group "nogroup"
+ end
+
+ bundle_install "/srv/#{year}.stateofthemap.org" do
+ action :nothing
+ options "--deployment --jobs #{node.cpu_cores}"
+ user "root"
+ group "root"
+ notifies :run, "bundle_exec[/srv/#{year}.stateofthemap.org]"
+ only_if { ::File.exist?("/srv/#{year}.stateofthemap.org/Gemfile") }
+ end
+
+ bundle_exec "/srv/#{year}.stateofthemap.org" do
+ action :nothing
+ command "jekyll build --trace --baseurl=https://#{year}.stateofthemap.org"
+ user "nobody"
+ group "nogroup"
+ environment "LANG" => "C.UTF-8"
+ end
+
+ ssl_certificate "#{year}.stateofthemap.org" do
+ domains ["#{year}.stateofthemap.org", "#{year}.stateofthemap.com", "#{year}.sotm.org"]
+ notifies :reload, "service[apache2]"
+ end
+
+ apache_site "#{year}.stateofthemap.org" do
+ template "apache.jekyll.erb"
+ directory "/srv/#{year}.stateofthemap.org/_site"
+ variables :year => year
+ end
+end
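Review bot: The `git` resource pins no `revision`, so every chef run syncs whatever is currently on the default branch of `https://github.com/openstreetmap/stateofthemap-#{year}.git`, after which `bundle_install` runs `bundle install --deployment` as root against the Gemfile.lock that checkout brings and `bundle_exec` builds the site; in effect any push to those repositories is deployed on the next run. The old recipe did exactly the same, so this is not a regression, but since the code is being moved into its own recipe this is a good moment to pin a tag or commit per year (`revision "<TAG_OR_SHA>"`) or to document that these repositories are maintainer-only. `node.cpu_cores` replaces the old `node[:cpu][:total]`; I assume it is a helper defined elsewhere in the repository, since it is not an Ohai attribute and method-style attribute access no longer exists in current Chef.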
--- /dev/null
+#
+# Cookbook:: stateofthemap
+# Recipe:: static
+#
+# Copyright:: 2022, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "stateofthemap"
+
+%w[2013].each do |year|
+ git "/srv/#{year}.stateofthemap.org" do
+ action :sync
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "site-#{year}"
+ depth 1
+ user "root"
+ group "root"
+ end
+
+ ssl_certificate "#{year}.stateofthemap.org" do
+ domains ["#{year}.stateofthemap.org", "#{year}.stateofthemap.com", "#{year}.sotm.org"]
+ notifies :reload, "service[apache2]"
+ end
+
+ apache_site "#{year}.stateofthemap.org" do
+ template "apache.static.erb"
+ directory "/srv/#{year}.stateofthemap.org"
+ variables :year => year
+ end
+end
--- /dev/null
+#
+# Cookbook:: stateofthemap
+# Recipe:: wordpress
+#
+# Copyright:: 2022, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "stateofthemap"
+include_recipe "wordpress"
+
+passwords = data_bag_item("stateofthemap", "passwords")
+
+directory "/srv/2007.stateofthemap.org" do
+ owner "wordpress"
+ group "wordpress"
+ mode "755"
+end
+
+wordpress_site "2007.stateofthemap.org" do
+ aliases "2007.stateofthemap.com"
+ directory "/srv/2007.stateofthemap.org/wp"
+ database_name "sotm2007"
+ database_user "sotm2007"
+ database_password passwords["sotm2007"]
+ database_prefix "wp_sotm_"
+ fpm_prometheus_port 12007
+end
+
+wordpress_theme "2007.stateofthemap.org-refreshwp-11" do
+ theme "refreshwp-11"
+ site "2007.stateofthemap.org"
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "theme-2007"
+end
+
+# wordpress_plugin "2007.stateofthemap.org-geopress" do
+# plugin "geopress"
+# site "2007.stateofthemap.org"
+# end
+
+directory "/srv/2008.stateofthemap.org" do
+ owner "wordpress"
+ group "wordpress"
+ mode "755"
+end
+
+wordpress_site "2008.stateofthemap.org" do
+ aliases "2008.stateofthemap.com"
+ directory "/srv/2008.stateofthemap.org/wp"
+ database_name "sotm2008"
+ database_user "sotm2008"
+ database_password passwords["sotm2008"]
+ database_prefix "wp_sotm08_"
+ fpm_prometheus_port 12008
+end
+
+wordpress_theme "2008.stateofthemap.org-refreshwp-11" do
+ theme "refreshwp-11"
+ site "2008.stateofthemap.org"
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "theme-2008"
+end
+
+# wordpress_plugin "2008.stateofthemap.org-geopress" do
+# plugin "geopress"
+# site "2008.stateofthemap.org"
+# end
+
+directory "/srv/2009.stateofthemap.org" do
+ owner "wordpress"
+ group "wordpress"
+ mode "755"
+end
+
+git "/srv/2009.stateofthemap.org" do
+ action :sync
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "resources-2009"
+ depth 1
+ user "wordpress"
+ group "wordpress"
+end
+
+wordpress_site "2009.stateofthemap.org" do
+ aliases "2009.stateofthemap.com"
+ directory "/srv/2009.stateofthemap.org/wp"
+ database_name "sotm2009"
+ database_user "sotm2009"
+ database_password passwords["sotm2009"]
+ urls "/register" => "/srv/2009.stateofthemap.org/register",
+ "/register-pro-user" => "/srv/2009.stateofthemap.org/register-pro-user",
+ "/podcasts" => "/srv/2009.stateofthemap.org/podcasts"
+ fpm_prometheus_port 12009
+end
+
+wordpress_theme "2009.stateofthemap.org-aerodrome" do
+ theme "aerodrome"
+ site "2009.stateofthemap.org"
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "theme-2009"
+end
+
+# wordpress_plugin "2009.stateofthemap.org-wp-sticky" do
+# plugin "wp-sticky"
+# site "2009.stateofthemap.org"
+# end
+
+directory "/srv/2010.stateofthemap.org" do
+ owner "wordpress"
+ group "wordpress"
+ mode "755"
+end
+
+git "/srv/2010.stateofthemap.org" do
+ action :sync
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "resources-2010"
+ depth 1
+ user "wordpress"
+ group "wordpress"
+end
+
+wordpress_site "2010.stateofthemap.org" do
+ aliases "2010.stateofthemap.com"
+ directory "/srv/2010.stateofthemap.org/wp"
+ database_name "sotm2010"
+ database_user "sotm2010"
+ database_password passwords["sotm2010"]
+ urls "/register" => "/srv/2010.stateofthemap.org/register"
+ fpm_prometheus_port 12010
+end
+
+wordpress_theme "2010.stateofthemap.org-aerodrome" do
+ theme "aerodrome"
+ site "2010.stateofthemap.org"
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "theme-2010"
+end
+
+wordpress_plugin "2010.stateofthemap.org-sitepress-multilingual-cms" do
+ plugin "sitepress-multilingual-cms"
+ site "2010.stateofthemap.org"
+ repository "https://git.openstreetmap.org/private/sitepress-multilingual-cms.git"
+ revision "master"
+ not_if { kitchen? }
+end
+
+# wordpress_plugin "2010.stateofthemap.org-wp-sticky" do
+# plugin "wp-sticky"
+# site "2010.stateofthemap.org"
+# end
+
+directory "/srv/2011.stateofthemap.org" do
+ owner "wordpress"
+ group "wordpress"
+ mode "755"
+end
+
+git "/srv/2011.stateofthemap.org" do
+ action :sync
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "resources-2011"
+ depth 1
+ user "wordpress"
+ group "wordpress"
+end
+
+wordpress_site "2011.stateofthemap.org" do
+ aliases "2011.stateofthemap.com"
+ directory "/srv/2011.stateofthemap.org/wp"
+ database_name "sotm2011"
+ database_user "sotm2011"
+ database_password passwords["sotm2011"]
+ urls "/register" => "/srv/2011.stateofthemap.org/register"
+ fpm_prometheus_port 12011
+end
+
+wordpress_theme "2011.stateofthemap.org-aerodrome" do
+ theme "aerodrome"
+ site "2011.stateofthemap.org"
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "theme-2011"
+end
+
+wordpress_plugin "2011.stateofthemap.org-sitepress-multilingual-cms" do
+ plugin "sitepress-multilingual-cms"
+ site "2011.stateofthemap.org"
+ repository "https://git.openstreetmap.org/private/sitepress-multilingual-cms.git"
+ revision "master"
+ not_if { kitchen? }
+end
+
+# wordpress_plugin "2011.stateofthemap.org-wp-sticky" do
+# plugin "wp-sticky"
+# site "2011.stateofthemap.org"
+# end
+
+directory "/srv/2012.stateofthemap.org" do
+ owner "wordpress"
+ group "wordpress"
+ mode "755"
+end
+
+git "/srv/2012.stateofthemap.org" do
+ action :sync
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "resources-2012"
+ depth 1
+ user "wordpress"
+ group "wordpress"
+end
+
+wordpress_site "2012.stateofthemap.org" do
+ aliases "2012.stateofthemap.com"
+ directory "/srv/2012.stateofthemap.org/wp"
+ database_name "sotm2012"
+ database_user "sotm2012"
+ database_password passwords["sotm2012"]
+ urls "/register" => "/srv/2012.stateofthemap.org/register"
+ fpm_prometheus_port 12012
+end
+
+wordpress_theme "2012.stateofthemap.org-aerodrome" do
+ theme "aerodrome"
+ site "2012.stateofthemap.org"
+ repository "https://git.openstreetmap.org/public/stateofthemap.git"
+ revision "theme-2012"
+end
+
+wordpress_plugin "2012.stateofthemap.org-leaflet-maps-marker" do
+ plugin "leaflet-maps-marker"
+ site "2012.stateofthemap.org"
+end
+
+wordpress_plugin "2012.stateofthemap.org-sitepress-multilingual-cms" do
+ plugin "sitepress-multilingual-cms"
+ site "2012.stateofthemap.org"
+ repository "https://git.openstreetmap.org/private/sitepress-multilingual-cms.git"
+ revision "master"
+ not_if { kitchen? }
+end
+
+# wordpress_plugin "2012.stateofthemap.org-wp-sticky" do
+# plugin "wp-sticky"
+# site "2012.stateofthemap.org"
+# end
+
+template "/etc/cron.daily/sotm-backup" do
+ source "backup.cron.erb"
+ owner "root"
+ group "root"
+ mode "750"
+ variables :passwords => passwords
+end
RewriteRule ^/applications/editors/merkaartor/?.* https://github.com/openstreetmap/svn-archive/tree/main/applications/editors/merkaartor [QSD,L,R=permanent]
RewriteRule ^/applications/editors/josm-ng/?.* https://github.com/openstreetmap/svn-archive/tree/main/applications/editors/josm-ng [QSD,L,R=permanent]
RewriteRule ^/applications/editors/osmpedit/?.* https://github.com/openstreetmap/svn-archive/tree/main/applications/editors/osmpedit [QSD,L,R=permanent]
+ RewriteRule ^/applications/editors/josm/plugins/opendata/dist/fr\.datagouvfr\.jar.* https://raw.githubusercontent.com/openstreetmap/svn-archive/main/applications/editors/josm/plugins/opendata/dist/fr.datagouvfr.jar [QSD,L,R=permanent]
+ RewriteRule ^/applications/editors/josm/plugins/opendata/dist/fr\.paris\.jar.* https://raw.githubusercontent.com/openstreetmap/svn-archive/main/applications/editors/josm/plugins/opendata/dist/fr.paris.jar [QSD,L,R=permanent]
+ RewriteRule ^/applications/editors/josm/plugins/opendata/dist/fr\.toulouse\.jar.* https://raw.githubusercontent.com/openstreetmap/svn-archive/main/applications/editors/josm/plugins/opendata/dist/fr.toulouse.jar [QSD,L,R=permanent]
+ RewriteRule ^/applications/editors/josm/plugins/opendata/modules-icons\.zip https://raw.githubusercontent.com/openstreetmap/svn-archive/main/applications/editors/josm/plugins/opendata/modules-icons.zip [QSD,L,R=permanent]
+ RewriteRule ^/applications/editors/josm/plugins/opendata/modules\.txt.* https://raw.githubusercontent.com/openstreetmap/svn-archive/main/applications/editors/josm/plugins/opendata/modules.txt [QSD,L,R=permanent]
+ RewriteRule ^/applications/editors/josm/plugins/cadastre-fr/images/cadastre_small\.png https://raw.githubusercontent.com/openstreetmap/svn-archive/main/applications/editors/josm/plugins/cadastre-fr/images/cadastre_small.png [QSD,L,R=permanent]
RewriteRule ^/applications/editors/josm/plugins/?.* https://github.com/openstreetmap/svn-archive/tree/main/applications/editors/josm/plugins [QSD,L,R=permanent]
RewriteRule ^/applications/editors/josm/?.* https://github.com/openstreetmap/svn-archive/tree/main/applications/editors/josm [QSD,L,R=permanent]
RewriteRule ^/applications/editors/osm-editor/?.* https://github.com/openstreetmap/svn-archive/tree/main/applications/editors/osm-editor [QSD,L,R=permanent]
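Review bot: The new rules are inconsistent about their tails — `modules-icons\.zip` and `cadastre_small\.png` end at the file name while the jar rules and `modules\.txt` append `.*`; since none of them is anchored with `$`, the trailing `.*` changes nothing and all six match any suffix, so either drop the `.*` everywhere or add `$` where an exact match is meant, e.g. `RewriteRule ^/applications/editors/josm/plugins/opendata/modules-icons\.zip$ ... [QSD,L,R=permanent]`. Escaping the dots is correct, and placing these before the catch-all `josm/plugins/?.*` rule is what makes them reachable at all.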
after "network.target"
user "supybot"
exec_start "/usr/bin/supybot /etc/supybot/supybot.conf"
- private_tmp true
- private_devices true
- protect_system true
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths ["/etc/supybot", "/var/lib/supybot", "/var/log/supybot"]
restart "on-failure"
end
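Review bot: With `sandbox :enable_network => true` the resource's new `action :create` logic emits `RestrictAddressFamilies` with only AF_INET and AF_INET6, so AF_UNIX sockets are denied; anything in supybot that talks to a Unix socket — syslog via /dev/log is the usual case for a Python daemon — would fail. The `supybot` kitchen suite in the matrix should show whether that matters; if it does, set `restrict_address_families ["AF_UNIX", "AF_INET", "AF_INET6"]` explicitly, which the action then leaves untouched. `/etc/supybot` in `read_write_paths` is presumably needed because supybot rewrites its own configuration, but it does mean the sandboxed process can alter what it loads on its next start, which is worth a comment on the resource.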
channels = #osm-dev
commit message = [%s|%b|%a] %m %l
-[osm-potlatch2]
-short name = osm-potlatch2
-url = https://git.openstreetmap.org/public/potlatch2.git
-branch = master
-commit link = https://github.com/openstreetmap/potlatch2/commit/%c
-channels = #osm-dev
-commit message = [%s|%b|%a] %m %l
-
-[osm-gpx-import]
-short name = osm-gpx-import
-url = https://git.openstreetmap.org/public/gpx-import.git
-branch = master
-commit link = https://git.osm.org/gpx-import.git/commitdiff/%c
-channels = #osm-dev
-commit message = [%s|%b|%a] %m %l
-
[osm-nominatim]
short name = osm-nominatim
url = https://git.openstreetmap.org/public/nominatim.git
channels = #osm-dev
commit message = [%s|%b|%a] %m %l
-[osm-planetdump]
-short name = osm-planetdump
-url = https://git.openstreetmap.org/public/planetdump.git
+[osm-planetdump-ng]
+short name = osm-planetdump-ng
+url = https://github.com/zerebubuth/planet-dump-ng.git
branch = master
-commit link = https://git.osm.org/planetdump.git/commitdiff/%c
+commit link = https://github.com/zerebubuth/planet-dump-ng-commit/%c
channels = #osm-dev
commit message = [%s|%b|%a] %m %l
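Review bot: The rewritten commit link `https://github.com/zerebubuth/planet-dump-ng-commit/%c` looks like a typo for `commit link = https://github.com/zerebubuth/planet-dump-ng/commit/%c` — the other GitHub entries in this file use `<repository>/commit/%c`, and `planet-dump-ng-commit` is not the repository named two lines above in `url`. As written every link the bot announces for this project would point at a non-existent repository.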
property :after, [String, Array]
property :conflicts, [String, Array]
property :wants, [String, Array]
+property :joins_namespace_of, [String, Array]
property :type, String, :is => %w[simple forking oneshot dbus notify idle]
property :limit_nofile, Integer
property :limit_as, [Integer, String]
property :environment_file, [String, Hash]
property :user, String
property :group, String
+property :dynamic_user, [true, false]
property :working_directory, String
-property :exec_start_pre, String
-property :exec_start, String
-property :exec_start_post, String
+property :exec_start_pre, [String, Array]
+property :exec_start, [String, Array]
+property :exec_start_post, [String, Array]
property :exec_stop, String
property :exec_reload, String
property :runtime_directory, String
property :success_exit_status, [Integer, String, Array]
property :restart, String,
:is => %w[on-success on-failure on-abnormal on-watchdog on-abort always]
-property :private_tmp, [true, false]
-property :private_devices, [true, false]
-property :private_network, [true, false]
-property :protect_system, [TrueClass, FalseClass, String]
-property :protect_home, [TrueClass, FalseClass, String]
+property :protect_proc, String,
+ :is => %w[noaccess invisible ptraceable default]
+property :proc_subset, String,
+ :is => %w[all pid]
+property :capability_bounding_set, [String, Array]
+property :no_new_privileges, [true, false]
+property :protect_system, [true, false, String]
+property :protect_home, [true, false, String]
property :read_write_paths, [String, Array]
property :read_only_paths, [String, Array]
property :inaccessible_paths, [String, Array]
+property :private_tmp, [true, false]
+property :private_devices, [true, false]
+property :private_network, [true, false]
+property :private_ipc, [true, false]
+property :private_users, [true, false]
+property :protect_hostname, [true, false]
+property :protect_clock, [true, false]
+property :protect_kernel_tunables, [true, false]
+property :protect_kernel_modules, [true, false]
+property :protect_kernel_logs, [true, false]
+property :protect_control_groups, [true, false]
property :restrict_address_families, [String, Array]
-property :no_new_privileges, [true, false]
+property :restrict_namespaces, [true, false, String, Array]
+property :lock_personality, [true, false]
+property :memory_deny_write_execute, [true, false]
+property :restrict_realtime, [true, false]
+property :restrict_suid_sgid, [true, false]
+property :remove_ipc, [true, false]
+property :system_call_filter, [String, Array]
+property :system_call_architectures, [String, Array]
property :tasks_max, Integer
property :timeout_start_sec, Integer
property :timeout_stop_sec, Integer
property :io_scheduling_priority, Integer
property :kill_mode, String,
:is => %w[control-group process mixed none]
+property :sandbox, [true, false, Hash]
action :create do
service_variables = new_resource.to_hash
service_variables[:type] ||= "simple"
end
+ if new_resource.sandbox
+ service_variables[:protect_proc] = "invisible" unless property_is_set?(:protect_proc)
+ service_variables[:proc_subset] = "pid" unless property_is_set?(:proc_subset)
+ service_variables[:capability_bounding_set] = [] unless property_is_set?(:capability_bounding_set)
+ service_variables[:no_new_privileges] = true unless property_is_set?(:no_new_privileges)
+ service_variables[:protect_system] = "strict" unless property_is_set?(:protect_system)
+ service_variables[:protect_home] = true unless property_is_set?(:protect_home)
+ service_variables[:private_tmp] = true unless property_is_set?(:private_tmp)
+ service_variables[:private_devices] = true unless property_is_set?(:private_devices)
+ service_variables[:private_network] = true unless property_is_set?(:private_network)
+ service_variables[:private_ipc] = true unless property_is_set?(:private_ipc)
+ service_variables[:private_users] = true unless property_is_set?(:private_users)
+ service_variables[:protect_hostname] = true unless property_is_set?(:protect_hostname)
+ service_variables[:protect_clock] = true unless property_is_set?(:protect_clock)
+ service_variables[:protect_kernel_tunables] = true unless property_is_set?(:protect_kernel_tunables)
+ service_variables[:protect_kernel_modules] = true unless property_is_set?(:protect_kernel_modules)
+ service_variables[:protect_kernel_logs] = true unless property_is_set?(:protect_kernel_logs)
+ service_variables[:protect_control_groups] = true unless property_is_set?(:protect_control_groups)
+ service_variables[:restrict_address_families] = [] unless property_is_set?(:restrict_address_families)
+ service_variables[:restrict_namespaces] = true unless property_is_set?(:restrict_namespaces)
+ service_variables[:lock_personality] = true unless property_is_set?(:lock_personality)
+ service_variables[:memory_deny_write_execute] = true unless property_is_set?(:memory_deny_write_execute)
+ service_variables[:restrict_realtime] = true unless property_is_set?(:restrict_realtime)
+ service_variables[:restrict_suid_sgid] = true unless property_is_set?(:restrict_suid_sgid)
+ service_variables[:remove_ipc] = true unless property_is_set?(:remove_ipc)
+ service_variables[:system_call_filter] = "@system-service" unless property_is_set?(:system_call_filter)
+ service_variables[:system_call_architectures] = "native" unless property_is_set?(:system_call_architectures)
+
+ if sandbox_option(:enable_network)
+ service_variables[:private_network] = false
+ service_variables[:restrict_address_families] = Array(service_variables[:restrict_address_families]).append("AF_INET", "AF_INET6").reject { |f| f == "none" }
+ end
+ end
+
if new_resource.environment_file.is_a?(Hash)
template "/etc/default/#{new_resource.service}" do
cookbook "systemd"
end
action_class do
+ def sandbox_option(option)
+ new_resource.sandbox[option] if new_resource.sandbox.is_a?(Hash)
+ end
+
def dropin_directory
"/etc/systemd/system/#{new_resource.service}.service.d"
end
<% if @wants -%>
Wants=<%= Array(@wants).join(" ") %>
<% end -%>
+<% if @joins_namespace_of -%>
+JoinsNamespaceOf=<%= Array(@joins_namespace_of).join(" ") %>
+<% end -%>
[Service]
<% if @type -%>
<% if @group -%>
Group=<%= @group %>
<% end -%>
+<% if @dynamic_user -%>
+DynamicUser=<%= @dynamic_user %>
+<% end -%>
<% if @working_directory -%>
WorkingDirectory=<%= @working_directory %>
<% end -%>
<% if @dropin -%>
ExecStartPre=
<% end -%>
-ExecStartPre=<%= @exec_start_pre %>
+<% Array(@exec_start_pre).each do |exec_start_pre| -%>
+ExecStartPre=<%= exec_start_pre %>
+<% end -%>
<% end -%>
<% if @exec_start -%>
<% if @dropin -%>
ExecStart=
<% end -%>
-ExecStart=<%= @exec_start %>
+<% Array(@exec_start).each do |exec_start| -%>
+ExecStart=<%= exec_start %>
+<% end -%>
<% end -%>
<% if @exec_start_post -%>
<% if @dropin -%>
ExecStartPost=
<% end -%>
-ExecStartPost=<%= @exec_start_post %>
+<% Array(@exec_start_post).each do |exec_start_post| -%>
+ExecStartPost=<%= exec_start_post %>
+<% end -%>
<% end -%>
<% if @exec_stop -%>
<% if @dropin -%>
<% if @standard_error -%>
StandardError=<%= @standard_error %>
<% end -%>
-<% if @private_tmp -%>
-PrivateTmp=<%= @private_tmp %>
+<% if @protect_proc && node[:lsb][:release].to_f >= 22.04 -%>
+ProtectProc=<%= @protect_proc %>
<% end -%>
-<% if @private_devices -%>
-PrivateDevices=<%= @private_devices %>
+<% if @proc_subset && node[:lsb][:release].to_f >= 22.04 -%>
+ProcSubset=<%= @proc_subset %>
<% end -%>
-<% if @private_network -%>
-PrivateNetwork=<%= @private_network %>
+<% if @no_new_privileges -%>
+NoNewPrivileges=<%= @no_new_privileges %>
+<% end -%>
+<% if @capability_bounding_set -%>
+CapabilityBoundingSet=<%= Array(@capability_bounding_set).sort.uniq.join(" ") %>
<% end -%>
<% if @protect_system -%>
ProtectSystem=<%= @protect_system %>
ProtectHome=<%= @protect_home %>
<% end -%>
<% if @read_write_paths -%>
-ReadWritePaths=<%= Array(@read_write_paths).join(" ") %>
+ReadWritePaths=<%= Array(@read_write_paths).sort.uniq.join(" ") %>
<% end -%>
<% if @read_only_paths -%>
-ReadOnlyPaths=<%= Array(@read_only_paths).join(" ") %>
+ReadOnlyPaths=<%= Array(@read_only_paths).sort.uniq.join(" ") %>
<% end -%>
<% if @inaccessible_paths -%>
-InaccessiblePaths=<%= Array(@inaccessible_paths).join(" ") %>
+InaccessiblePaths=<%= Array(@inaccessible_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @private_tmp -%>
+PrivateTmp=<%= @private_tmp %>
+<% end -%>
+<% if @private_devices -%>
+PrivateDevices=<%= @private_devices %>
+<% end -%>
+<% if @private_network -%>
+PrivateNetwork=<%= @private_network %>
+<% end -%>
+<% if @private_ipc && node[:lsb][:release].to_f >= 22.04 -%>
+PrivateIPC=<%= @private_ipc %>
+<% end -%>
+<% if @private_users -%>
+PrivateUsers=<%= @private_users %>
+<% end -%>
+<% if @protect_hostname -%>
+ProtectHostname=<%= @protect_hostname %>
+<% end -%>
+<% if @protect_clock -%>
+ProtectClock=<%= @protect_clock %>
+<% end -%>
+<% if @protect_kernel_tunables -%>
+ProtectKernelTunables=<%= @protect_kernel_tunables %>
+<% end -%>
+<% if @protect_kernel_modules -%>
+ProtectKernelModules=<%= @protect_kernel_modules %>
+<% end -%>
+<% if @protect_kernel_logs -%>
+ProtectKernelLogs=<%= @protect_kernel_logs %>
+<% end -%>
+<% if @protect_control_groups -%>
+ProtectControlGroups=<%= @protect_control_groups %>
<% end -%>
<% if @restrict_address_families -%>
-RestrictAddressFamilies=<%= Array(@restrict_address_families).join(" ") %>
+RestrictAddressFamilies=<%= Array(@restrict_address_families).sort.uniq.join(" ") %>
<% end -%>
-<% if @no_new_privileges -%>
-NoNewPrivileges=<%= @no_new_privileges %>
+<% if @restrict_namespaces -%>
+RestrictNamespaces=<%= Array(@restrict_namespaces).sort.uniq.join(" ") %>
+<% end -%>
+<% if @lock_personality -%>
+LockPersonality=<%= @lock_personality %>
+<% end -%>
+<% if @memory_deny_write_execute -%>
+MemoryDenyWriteExecute=<%= @memory_deny_write_execute %>
+<% end -%>
+<% if @restrict_realtime -%>
+RestrictRealtime=<%= @restrict_realtime %>
+<% end -%>
+<% if @restrict_suid_sgid -%>
+RestrictSUIDSGID=<%= @restrict_suid_sgid %>
+<% end -%>
+<% if @remove_ipc -%>
+RemoveIPC=<%= @remove_ipc %>
+<% end -%>
+<% if @system_call_filter -%>
+SystemCallFilter=<%= Array(@system_call_filter).join(" ") %>
+<% end -%>
+<% if @system_call_architectures -%>
+SystemCallArchitectures=<%= Array(@system_call_architectures).sort.uniq.join(" ") %>
<% end -%>
<% if @tasks_max -%>
TasksMax=<%= @tasks_max %>
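Review bot: The guard on the `RestrictAddressFamilies=` line (`<% if @restrict_address_families -%>`) lets an empty array through, and the resource hunk earlier in this change defaults that property to `[]`, so a unit built with a bare `sandbox true` and no explicit families gets an empty `RestrictAddressFamilies=` line, which systemd reads as undoing any address-family restriction rather than as "none". If the intent is to deny all families unless the caller lists some, defaulting the property to `"none"` does that, and the `enable_network` branch already strips `"none"` before appending `AF_INET`/`AF_INET6`; if the intent is merely "not set", the directive should be skipped for an empty list, e.g. `<% unless Array(@restrict_address_families).empty? -%>`. The same truthy-array guard sits above `CapabilityBoundingSet=`, but there an empty value is meaningful (it drops every capability), so that one can stay. The template's `[Service]` section starts and ends outside this hunk.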
depends "apache"
depends "git"
depends "passenger"
+depends "planet"
depends "ruby"
include_recipe "apache"
include_recipe "git"
include_recipe "passenger"
+include_recipe "planet::current"
include_recipe "ruby"
package %w[
mode "440"
end
+systemd_service "taginfo-update@" do
+ description "Taginfo update for %i"
+ wants "planet-update.service"
+ after "planet-update.service"
+ exec_start "/srv/%i/bin/update"
+ user "taginfo"
+ sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
+ read_write_paths [
+ "/srv/%i/data",
+ "/srv/%i/download",
+ "/srv/%i/sources",
+ "/var/log/taginfo/%i"
+ ]
+end
+
+systemd_timer "taginfo-update@" do
+ description "Taginfo update for %i"
+ on_calendar "01:37"
+end
+
node[:taginfo][:sites].each do |site|
site_name = site[:name]
site_aliases = Array(site[:aliases])
directory "#{directory}/taginfo/web/public"
variables :aliases => site_aliases
end
-end
-template "/usr/local/bin/taginfo-update" do
- source "taginfo-update.erb"
- owner "root"
- group "root"
- mode "755"
- variables :sites => node[:taginfo][:sites]
+ service "taginfo-update@#{site_name}.timer" do
+ action [:enable, :start]
+ end
end
+++ /dev/null
-#!/bin/sh
-
-# DO NOT EDIT - This file is being maintained by Chef
-
-<% @sites.each do |site| -%>
-<% if site[:directory] -%>
-<%= site[:directory] %>/bin/update
-<% else -%>
-/srv/<%= site[:name] %>/bin/update
-<% end -%>
-<% end -%>
mv $ROOT/sources/taginfo-*.db $ROOT/sources/*/taginfo-*.db $ROOT/data
mv $ROOT/sources/download/* $ROOT/download
-sudo PASSENGER_INSTANCE_REGISTRY_DIR=<%= node[:passenger][:instance_registry_dir] %> /usr/bin/passenger-config restart-app $ROOT/taginfo/web > /dev/null
+PASSENGER_INSTANCE_REGISTRY_DIR=<%= node[:passenger][:instance_registry_dir] %> /usr/bin/passenger-config restart-app $ROOT/taginfo/web > /dev/null
find $ROOT/sources/log -mtime +28 -delete
mode "644"
end
+tile_directories = node[:tile][:styles].collect do |_, style|
+ style[:tile_directories].collect { |directory| directory[:name] }
+end.flatten.sort.uniq
+
package "renderd"
systemd_service "renderd" do
after "postgresql.service"
wants "postgresql.service"
limit_nofile 4096
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
+ read_write_paths tile_directories
restart "on-failure"
end
-systemd_service "renderd" do
- action :delete
-end
-
service "renderd" do
action [:enable, :start]
subscribes :restart, "systemd_service[renderd]"
python_version "3"
end
-unifont = if node[:lsb][:release].to_f < 22.04
- "ttf-unifont"
- else
- "fonts-unifont"
- end
-
-package %W[
- fonts-noto-cjk
- fonts-noto-hinted
- fonts-noto-unhinted
- fonts-hanazono
- #{unifont}
-]
-
-["NotoSansArabicUI-Regular.ttf", "NotoSansArabicUI-Bold.ttf"].each do |font|
- remote_file "/usr/share/fonts/truetype/noto/#{font}" do
- action :create_if_missing
- source "https://github.com/googlei18n/noto-fonts/raw/master/hinted/#{font}"
- owner "root"
- group "root"
- mode "644"
- end
-end
-
directory "/srv/tile.openstreetmap.org/cgi-bin" do
owner "tile"
group "tile"
mode "755"
end
-template "/etc/cron.hourly/export" do
- source "export.cron.erb"
- owner "root"
- group "root"
- mode "755"
+systemd_service "export-cleanup" do
+ description "Cleanup stale export temporary files"
+ joins_namespace_of "apache2.service"
+ exec_start "find /tmp -ignore_readdir_race -name 'export??????' -mmin +60 -delete"
+ user "www-data"
+ sandbox true
+end
+
+systemd_timer "export-cleanup" do
+ description "Cleanup stale export temporary files"
+ on_boot_sec "60m"
+ on_unit_inactive_sec "60m"
+end
+
+service "export-cleanup.timer" do
+ action [:enable, :start]
end
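Review bot: The `template "/etc/cron.hourly/export"` resource is removed, but nothing deletes the file it used to manage, so on already-converged hosts the hourly cron job keeps running alongside the new `export-cleanup.timer` unless it is cleaned up somewhere not visible here. Chef only stops managing a resource that disappears from a recipe; it does not remove it, so the transition needs a `file "/etc/cron.hourly/export" do action :delete end` next to the new units. The same gap applies to the `cron_d "cleanup-tiles#{label}"` entries in the tile cleanup hunk, `/etc/cron.hourly/passenger` and `cron_d "statistics"` in the web recipe, `cron_d "wiki-dump"` in the wiki recipe, and `/usr/local/bin/taginfo-update` in taginfo (each wants a matching `action :delete` resource). For `wiki-dump` and `web-statistics` the old cron schedule and the new `on_calendar` fire at the same minute, so both would write the same output files concurrently until the cron entry is gone.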
directory "/srv/tile.openstreetmap.org/data" do
mode "755"
end
-package "mapnik-utils"
+package %w[
+ mapnik-utils
+ tar
+ unzip
+]
node[:tile][:data].each_value do |data|
url = data[:url]
end
if file =~ /\.tgz$/
- package "tar"
-
execute file do
action :nothing
command "tar -zxf #{file} -C #{directory}"
group "tile"
end
elsif file =~ /\.tar\.bz2$/
- package "tar"
-
execute file do
action :nothing
command "tar -jxf #{file} -C #{directory}"
group "tile"
end
elsif file =~ /\.zip$/
- package "unzip"
-
execute file do
action :nothing
command "unzip -qq -o #{file} -d #{directory}"
systemd_service "update-lowzoom@" do
description "Low zoom tile update service for %i layer"
- conflicts "render-lowzoom.service"
user "tile"
+ exec_start_pre "+/bin/systemctl stop render-lowzoom.service"
exec_start "/bin/bash /usr/local/bin/update-lowzoom-%i"
runtime_directory "update-lowzoom-%i"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
+ read_write_paths [
+ "/srv/tile.openstreetmap.org/tiles/%i",
+ "/var/log/tile"
+ ]
restart "on-failure"
end
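Review bot: The new `exec_start_pre "+/bin/systemctl stop render-lowzoom.service"` runs with full privileges: the `+` prefix tells systemd to skip `User=`, `Group=`, `CapabilityBoundingSet=` and the filesystem-namespacing options for that one command, so it executes as root outside the sandbox that `sandbox true` applies to the main `update-lowzoom-%i` process. That is presumably deliberate, since the `tile` user cannot stop another unit, but it replaces the declarative `conflicts "render-lowzoom.service"` removed above and the reason for the swap is not recorded. A comment above the line, e.g. `# "+" runs this step as root outside the sandbox so the tile user can stop the conflicting lowzoom render; Conflicts= was dropped because <reason>`, would keep the next reader from reverting it to `conflicts` or from dropping the `+`.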
group "tile"
end
+ if details[:fonts_script]
+ execute details[:fonts_script] do
+ action :nothing
+ command details[:fonts_script]
+ cwd style_directory
+ user "tile"
+ group "tile"
+ subscribes :run, "git[#{style_directory}]"
+ end
+ end
+
execute "#{style_directory}/project.mml" do
action :nothing
- command "carto -a 3.0.0 project.mml > project.xml"
+ command "carto -a 3.0.22 project.mml > project.xml"
cwd style_directory
user "tile"
group "tile"
superuser true
end
+postgresql_user "pnorman" do
+ cluster node[:tile][:database][:cluster]
+ superuser true
+end
+
postgresql_user "tile" do
cluster node[:tile][:database][:cluster]
end
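Review bot: `postgresql_user "pnorman"` is created as a cluster superuser on the tile database with nothing recording why a personal login needs that privilege, while the `tile` role created just below is deliberately left unprivileged. Superuser bypasses every object and row permission in the cluster and is not something a later reader can safely remove without knowing its purpose. A one-line comment above the resource, e.g. `# Superuser required for <reason, e.g. style/extension maintenance>; review when no longer needed`, would make the grant reviewable and easier to retire.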
user "tile"
group "adm"
exec_start "/usr/local/bin/tile-ratelimit"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
+ nice 10
+ sandbox true
read_write_paths "/srv/tile.openstreetmap.org/conf"
- no_new_privileges true
restart "on-failure"
end
type "simple"
user "_renderd"
exec_start "/usr/local/bin/expire-tiles"
+ nice 10
standard_output "null"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ read_write_paths tile_directories + [
+ "/store/database/nodes",
+ "/var/lib/replicate/expire-queue",
+ "/var/log/tile"
+ ]
end
systemd_path "expire-tiles" do
wants "postgresql.service"
user "tile"
exec_start "/usr/local/bin/replicate"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
+ read_write_paths [
+ "/store/database/nodes",
+ "/var/lib/replicate",
+ "/var/log/tile"
+ ]
restart "on-failure"
end
condition_path_exists_glob "!/run/update-lowzoom-*"
user "tile"
exec_start "/usr/local/bin/render-lowzoom"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/var/log/tile"
end
systemd_timer "render-lowzoom" do
mode "755"
end
-tile_directories = node[:tile][:styles].collect do |_, style|
- style[:tile_directories].collect { |directory| directory[:name] }
-end.flatten.sort.uniq
+systemd_service "cleanup-tiles@" do
+ description "Cleanup old tiles for /%I"
+ exec_start "/usr/local/bin/cleanup-tiles /%I"
+ user "_renderd"
+ io_scheduling_class "idle"
+ sandbox true
+ read_write_paths "/%I"
+end
+
+systemd_timer "cleanup-tiles@" do
+ description "Cleanup old tiles for /%I"
+ on_boot_sec "30m"
+ on_unit_inactive_sec "60m"
+ randomized_delay_sec "10m"
+end
tile_directories.each do |directory|
- label = directory.gsub("/", "-")
+ label = directory[1..].gsub("/", "-")
- cron_d "cleanup-tiles#{label}" do
- minute "0"
- user "_renderd"
- command "ionice -c 3 /usr/local/bin/cleanup-tiles #{directory}"
- mailto "admins@openstreetmap.org"
+ service "cleanup-tiles@#{label}.timer" do
+ action [:enable, :start]
end
end
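Review bot: `label = directory[1..].gsub("/", "-")` is not a full systemd path escape, and the new `cleanup-tiles@` unit recovers the path with `%I`, which turns every `-` back into `/`: a tile directory whose name contains a hyphen (say `/store/tiles/hot-style`) would become instance `store-tiles-hot-style` and the service would run `cleanup-tiles /store/tiles/hot/style` with `ReadWritePaths=/store/tiles/hot/style`, i.e. the wrong path on both sides. The systemd rules replace `-` (and any other character outside `[A-Za-z0-9:_.]`) with a `\x2d`-style escape before `/` becomes `-`, so the label should be built the same way, e.g. `label = directory[1..].gsub("-", "\\x2d").gsub("/", "-")`, or produced by `systemd-escape --path`. The directory names visible in this change (`/store/tiles/default`) are unaffected, so this would only surface when a new style directory is added.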
+++ /dev/null
-#!/bin/sh
-
-# DO NOT EDIT - This file is being maintained by Chef
-
-# Removes stale tmp files from the export tab
-exec find /tmp -ignore_readdir_race -name 'export??????' -mmin +60 -delete
daily
size 1G
missingok
- rotate 28
+ rotate 14
compress
delaycompress
notifempty
--timestamp=${timestamp} \
--tile-dir=/srv/tile.openstreetmap.org/tiles \
--socket=/var/run/renderd/renderd.sock \
- --num-threads=<%= node[:cpu][:total] - 1 %> \
+ --num-threads=<%= node.cpu_cores - 1 %> \
--map="<%= style %>" \
- --max-load=<%= node[:cpu][:total] %> \
+ --max-load=<%= node.cpu_cores - 1 %> \
--min-zoom=0 --max-zoom=12
}
[renderd]
socketname=/var/run/renderd/renderd.sock
-num_threads=<%= node[:cpu][:total] - 1 %>
+num_threads=<%= node.cpu_cores - 1 %>
tile_dir=/srv/tile.openstreetmap.org/tiles
stats_file=/var/run/renderd/renderd.stats
--timestamp=$(stat -c %Y "/srv/tile.openstreetmap.org/styles/<%= @style %>/project.xml") \
--tile-dir=/srv/tile.openstreetmap.org/tiles \
--socket=/var/run/renderd/renderd.sock \
- --num-threads=<%= node[:cpu][:total] - 1 %> \
+ --num-threads=<%= node.cpu_cores - 1 %> \
--map="<%= @style %>" \
- --max-load=<%= node[:cpu][:total] %> \
+ --max-load=<%= node.cpu_cores - 1 %> \
--min-zoom=0 --max-zoom=12
}
python_package "tilelog" do
python_virtualenv tilelog_directory
python_version "3"
- version "1.4.0"
+ version "1.4.1"
end
directory tilelog_output_directory do
description "Tile log analysis"
user "www-data"
exec_start "/usr/local/bin/tilelog"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ nice 10
+ sandbox :enable_network => true
read_write_paths tilelog_output_directory
end
default[:timescaledb][:database_version] = "14"
default[:timescaledb][:max_background_workers] = 8
-
-default[:apt][:sources] |= ["timescaledb"]
# limitations under the License.
#
-include_recipe "apt"
+include_recipe "apt::timescaledb"
database_version = node[:timescaledb][:database_version]
end
# Remove some unused and unwanted packages
-package %w[mlocate nano whoopsie] do
+package %w[mlocate whoopsie] do
action :purge
end
apache_module "proxy_fcgi"
apache_module "lbmethod_byrequests"
apache_module "lbmethod_bybusyness"
+apache_module "reqtimeout"
apache_module "rewrite"
apache_module "unique_id"
action [:enable, :start]
supports :restart => true
subscribes :restart, "rails_port[www.openstreetmap.org]"
- subscribes :restart, "systemd_service[rails-jobs]"
+ subscribes :restart, "systemd_service[rails-jobs@]"
end
service "rails-jobs@storage" do
action [:enable, :start]
supports :restart => true
subscribes :restart, "rails_port[www.openstreetmap.org]"
- subscribes :restart, "systemd_service[rails-jobs]"
+ subscribes :restart, "systemd_service[rails-jobs@]"
end
service "rails-jobs@traces" do
action [:enable, :start]
supports :restart => true
subscribes :restart, "rails_port[www.openstreetmap.org]"
- subscribes :restart, "systemd_service[rails-jobs]"
+ subscribes :restart, "systemd_service[rails-jobs@]"
end
nodejs_package "svgo"
-template "/etc/cron.hourly/passenger" do
- cookbook "web"
- source "passenger.cron.erb"
- owner "root"
- group "root"
- mode "755"
-end
-
rails_directory = "#{node[:web][:base_directory]}/rails"
matomo = data_bag_item("web", "matomo")
oauth_application web_passwords["oauth_application"]
matomo_configuration "location" => matomo[:location],
"site" => matomo[:site],
+ "visitor_cookie_timeout" => matomo[:visitor_cookie_timeout],
+ "referral_cookie_timeout" => matomo[:referral_cookie_timeout],
+ "session_cookie_timeout" => matomo[:session_cookie_timeout],
"goals" => matomo[:goals].to_hash
google_auth_id "651529786092-6c5ahcu0tpp95emiec8uibg11asmk34t.apps.googleusercontent.com"
google_auth_secret web_passwords["google_auth_secret"]
avatar_storage_url "https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com"
trace_image_storage_url "https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com"
overpass_url "https://query.openstreetmap.org/query-features"
+ overpass_credentials true
end
systemd_service "rails-jobs@" do
description "Rails job queue runner"
type "simple"
- environment "RAILS_ENV" => "production", "QUEUE" => "%I"
+ environment "RAILS_ENV" => "production", "QUEUE" => "%I", "SLEEP_DELAY" => "60"
user "rails"
working_directory rails_directory
exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"
restart "on-failure"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ nice 10
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ read_write_paths "/var/log/web"
end
package "libjson-xs-perl"
user "rails"
group "adm"
exec_start "/usr/local/bin/api-statistics"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ nice 10
+ sandbox true
+ read_write_paths [
+ "/srv/www.openstreetmap.org/rails/tmp",
+ "/var/lib/prometheus/node-exporter"
+ ]
restart "on-failure"
end
variables :ruby => ruby, :directory => rails_directory
end
-cron_d "statistics" do
- minute "0"
- hour "0"
+systemd_service "web-statistics" do
+ description "Generate web statistics"
+ environment "RAILS_ENV" => "production"
user "rails"
- command "/usr/local/bin/statistics"
+ working_directory rails_directory
+ exec_start "/usr/local/bin/statistics"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ read_write_paths ["#{rails_directory}/tmp", "/var/log/web"]
+end
+
+systemd_timer "web-statistics" do
+ description "Generate web statistics"
+ on_calendar "00:00:00"
+end
+
+service "web-statistics.timer" do
+ action [:enable, :start]
end
property :oauth_application, String
property :nominatim_url, String
property :overpass_url, String
+property :overpass_credentials, [true, false], :default => false
property :google_auth_id, String
property :google_auth_secret, String
property :google_openid_realm, String
"oauth_application",
"nominatim_url",
"overpass_url",
+ "overpass_credentials",
"google_auth_id",
"google_auth_secret",
"google_openid_realm",
only_if { new_resource.run_migrations }
end
- package "yarnpkg" do
- only_if { new_resource.build_assets }
- end
-
bundle_exec "#{rails_directory}/package.json" do
action :nothing
directory rails_directory
end
action_class do
- include Chef::Mixin::EditFile
+ include OpenStreetMap::Mixin::EditFile
def rails_directory
new_resource.directory || "/srv/#{new_resource.site}"
ExpiresActive On
RewriteEngine on
+ #
+ # Configure timeouts
+ #
+ RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20,MinRate=500
+
#
# Add the unique ID to the request headers
#
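Review bot: The new `RequestReadTimeout` line depends on `mod_reqtimeout`, which this change loads separately through `apache_module "reqtimeout"` in the web recipe; without the module Apache refuses to start on the unknown directive, so the two edits are coupled but nothing in the snippet says so. A comment on the stanza, e.g. `# Requires mod_reqtimeout (enabled via apache_module "reqtimeout" in the web recipe)`, would tie them together. The `handshake=` stage also needs Apache 2.4.39 or later (Ubuntu 20.04's 2.4.41 and 22.04's 2.4.52 both qualify), which is worth stating in the same comment in case the snippet is reused elsewhere. The enclosing virtual-host block starts and ends outside this hunk.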
+++ /dev/null
-#!/bin/sh
-
-# Get a list of rack processes that are running
-pgrep -u rails -f Rack | sort > /tmp/rails.actual.$$
-
-# Get a list of rack processes we expect to be running
-PASSENGER_INSTANCE_REGISTRY_DIR=<%= node[:passenger][:instance_registry_dir] %> passenger-status | awk '/PID:/ { print $3 }' | sort > /tmp/rails.expected.$$
-
-# Get a list of unexpected rack processes
-pids=$(comm -23 /tmp/rails.actual.$$ /tmp/rails.expected.$$)
-
-# Kill any expected rack processes
-[ -n "$pids" ] && kill -9 $pids > /dev/null 2>&1
-
-# Remove our temporary files
-rm -f /tmp/rails.actual.$$ /tmp/rails.expected.$$
version "1.0.0"
supports "ubuntu"
depends "mediawiki"
+depends "systemd"
mode "0775"
end
-cron_d "wiki-dump" do
- minute "0"
- hour "2"
+systemd_service "wiki-dump" do
+ description "Wiki dump"
+ type "oneshot"
+ exec_start "/usr/bin/php w/maintenance/dumpBackup.php --full --quiet --output=gzip:dump/dump.xml.gz"
+ working_directory "/srv/wiki.openstreetmap.org"
user "wiki"
- command "cd /srv/wiki.openstreetmap.org && php w/maintenance/dumpBackup.php --full --quiet --output=gzip:dump/dump.xml.gz"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/srv/wiki.openstreetmap.org/dump"
+end
+
+systemd_timer "wiki-dump" do
+ description "Wiki dump"
+ on_calendar "02:00"
+end
+
+service "wiki-dump.timer" do
+ action [:enable, :start]
+end
+
+systemd_service "wiki-rdf-dump" do
+ description "Wiki RDF dump"
+ type "oneshot"
+ exec_start [
+ "/usr/bin/php w/extensions/Wikibase/repo/maintenance/dumpRdf.php --wiki wiki --format ttl --flavor full-dump --entity-type item --entity-type property --no-cache --output /tmp/wikibase-rdf.ttl",
+ "/bin/gzip -9 /tmp/wikibase-rdf.ttl",
+ "/bin/mv /tmp/wikibase-rdf.ttl.gz /srv/wiki.openstreetmap.org/dump/wikibase-rdf.ttl.gz"
+ ]
+ working_directory "/srv/wiki.openstreetmap.org"
+ user "wiki"
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ restrict_address_families "AF_UNIX"
+ read_write_paths "/srv/wiki.openstreetmap.org/dump"
+end
+
+systemd_timer "wiki-rdf-dump" do
+ description "Wiki RDF dump"
+ on_calendar "04:00"
+end
+
+service "wiki-rdf-dump.timer" do
+ action [:enable, :start]
end
];
$wgWBClientSettings['namespaces'] = [ NS_MAIN ];
+$wgWBClientSettings['repoSiteName'] = 'Data Items';
// Avoid complaints that nobody seems to know the cause off...
$wgWBClientSettings['entityUsagePerPageLimit'] = 500;
end
action_class do
- include Chef::Mixin::EditFile
- include Chef::Mixin::PersistentToken
+ include OpenStreetMap::Mixin::EditFile
+ include OpenStreetMap::Mixin::PersistentToken
def site_directory
new_resource.directory || "/srv/#{new_resource.site}"
Require all granted
<FilesMatch ".+\.ph(ar|p|tml)$">
- SetHandler "proxy:unix:/run/php/<%= @name %>.sock|fcgi://127.0.0.1"
+ SetHandler "proxy:unix:/run/php/php-<%= @name %>-fpm.sock|fcgi://127.0.0.1"
</FilesMatch>
</Directory>
--- /dev/null
+name "aws-us-east-2"
+description "Role applied to all servers at AWS us-east-2"
+
+default_attributes(
+ :location => "Ohio"
+)
+
+run_list(
+ "role[us]",
+ "role[aws]"
+)
--- /dev/null
+name "aws"
+description "Role applied to all servers at AWS"
+
+default_attributes(
+ :hosted_by => "AWS"
+)
+
+override_attributes(
+ :ntp => {
+ :servers => ["169.254.169.123"]
+ }
+)
}
},
:default_qdisc => {
- :comment => "Use fq as the default queuing discipline and cubic for congestion control",
+ :comment => "Use fq as the default queuing discipline",
:parameters => {
- "net.core.default_qdisc" => "fq",
- "net.ipv4.tcp_congestion_control" => "cubic"
+ "net.core.default_qdisc" => "fq"
}
},
:tune_cpu_scheduler => {
--- /dev/null
+name "blogs"
+description "Role applied to all blog aggregators"
+
+run_list(
+ "recipe[blogs]"
+)
:members => [:grant, :tomh]
}
}
+ },
+ :exim => {
+ :smarthost_via => "fafnir.openstreetmap.org:26"
}
)
:cobra => { :status => :user },
:ppawel => { :status => :user },
:simon04 => { :status => :user },
+ :jeslop => { :status => :user },
:jfire => { :status => :user },
:malenki => { :status => :user },
:lonvia => { :status => :user },
}
}
},
+ :exim => {
+ :smarthost_via => "fafnir.openstreetmap.org:26"
+ },
:postgresql => {
:versions => ["14"],
:settings => {
:family => :inet,
:address => "10.0.48.9",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[ens18f0 ens18f1]
}
},
:dbcluster => "14/main",
:postgis => "3",
:flatnode_file => "/ssd/nominatim/nodes.store",
- :logdir => "/ssd/nominatim/log"
+ :logdir => "/ssd/nominatim/log",
+ :config => {
+ :forward_dependencies => "yes"
+ }
}
)
+++ /dev/null
-name "errol"
-description "Master role applied to errol"
-
-default_attributes(
- :devices => {
- :osdsk => {
- :comment => "First os disk",
- :type => "block",
- :bus => "scsi",
- :serial => "20004d927fffff800",
- :attrs => {
- "queue/scheduler" => "deadline",
- "queue/nr_requests" => "512"
- }
- },
- :homedsk => {
- :comment => "First home disk",
- :type => "block",
- :bus => "scsi",
- :serial => "20004d927fffff801",
- :attrs => {
- "queue/scheduler" => "deadline",
- "queue/nr_requests" => "512"
- }
- }
- },
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "eth0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.14"
- },
- :external_ipv4 => {
- :interface => "eth0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.13"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[tyan-s7010]",
- "role[dev]"
-)
-name "lockheed"
-description "Master role applied to lockheed"
+name "faffy"
+description "Master role applied to faffy"
default_attributes(
:networking => {
:interface => "bond0",
:role => :internal,
:family => :inet,
- :address => "10.0.48.16",
+ :address => "10.0.48.3",
:bond => {
- :slaves => %w[eth0 eth1]
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
+ :slaves => %w[eno1 eno2 eno3 eno4 eno5 eno6]
}
},
:external_ipv4 => {
:interface => "bond0.2",
:role => :external,
:family => :inet,
- :address => "130.117.76.16"
+ :address => "130.117.76.3"
},
:external_ipv6 => {
:interface => "bond0.2",
:role => :external,
:family => :inet6,
- :address => "2001:978:2:2C::172:10"
+ :address => "2001:978:2:2C::172:3"
}
-
}
}
)
run_list(
"role[equinix-ams]",
- "role[subversion]",
- "role[trac]",
- "role[irc]",
- "recipe[blogs]"
+ "role[dev]"
)
:first_address => "10.0.79.1",
:last_address => "10.0.79.254"
},
+ :exim => {
+ :smarthost_name => "fafnir.openstreetmap.org",
+ :routes => {
+ :openstreetmap => {
+ :comment => "openstreetmap.org",
+ :domains => ["openstreetmap.org"],
+ :host => ["shenron.openstreetmap.org"]
+ }
+ }
+ },
:networking => {
:interfaces => {
:internal_ipv4 => {
"role[equinix-dub]",
"role[hp-g9]",
"role[gateway]",
+ "role[mail]",
"recipe[dhcpd]"
)
description "Role applied to all OSMF servers"
default_attributes(
- :apt => {
- :sources => ["passenger"]
- },
:elasticsearch => {
:version => "6.x",
:cluster => {
:list => false,
:transfer_logging => false,
:hosts_allow => [
- "193.60.236.20" # sarel
+ "184.104.226.102", # idris
+ "2001:470:1:b3b::6" # idris
]
}
}
:status => :user,
:shell => "/usr/bin/git-shell"
},
+ :stereo => {
+ :status => :user,
+ :shell => "/usr/bin/git-shell"
+ },
:git => {
:status => :role,
- :members => [:tomh, :grant, :matt, :lonvia, :yellowbkpk]
+ :members => [:tomh, :grant, :matt, :lonvia, :yellowbkpk, :stereo]
}
}
},
run_list(
"role[equinix-dub]",
- "role[hp-g9]"
+ "role[hp-g9]",
+ "role[chef-server]",
+ "role[chef-repository]",
+ "role[dns]",
+ "role[git]",
+ "role[letsencrypt]",
+ "role[oxidized]",
+ "recipe[serverinfo]"
)
description "Master role applied to ironbelly"
default_attributes(
- :apt => {
- :sources => ["ubuntugis-unstable"]
- },
:bind => {
:clients => "equinix-ams"
},
:family => :inet,
:address => "10.0.48.10",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[eth0 eth1]
}
},
:snmp => {
"pdu1" => { :address => "10.0.48.100", :modules => %w[apcups], :labels => { "site" => "amsterdam" } },
"pdu2" => { :address => "10.0.48.101", :modules => %w[apcups], :labels => { "site" => "amsterdam" } },
- "switch1" => { :address => "130.117.76.2", :modules => %w[if_mib cisco_550x], :labels => { "site" => "amsterdam" } }
+ "switch1" => { :address => "130.117.76.2", :modules => %w[if_mib juniper_ex4300], :labels => { "site" => "amsterdam" } }
},
:metrics => {
:uplink_interface => {
:help => "Site uplink interface name",
- :labels => { :site => "amsterdam", :name => "te[12]/0/1" }
+ :labels => { :site => "amsterdam", :name => "ge-[01]/2/0" }
}
}
},
:family => :inet,
:address => "10.0.48.50",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[enp1s0f0 enp1s0f1 enp2s0f0 enp2s0f1]
}
}
name "logstash-forwarder"
description "Role applied to all logstash forwarders"
-default_attributes(
- :apt => {
- :sources => ["elasticsearch8.x"]
- }
-)
-
run_list(
"recipe[logstash::forwarder]"
)
"nominatim.openstreetmap.org" => {
:max_children => 200
}
+ },
+ :config => {
+ :forward_dependencies => "yes"
}
}
)
:apache => {
:mpm => "event",
:event => {
- :server_limit => 18,
- :max_request_workers => 450,
- :min_spare_threads => 50,
- :max_spare_threads => 150,
+ :server_limit => 30,
+ :max_request_workers => 1000,
+ :threads_per_child => 50,
+ :min_spare_threads => 75,
+ :max_spare_threads => 175,
:listen_cores_buckets_ratio => 4
}
},
run_list(
"role[equinix-dub]",
- "role[hp-g9]"
+ "role[hp-g9]",
+ "role[subversion]",
+ "role[trac]",
+ "role[irc]",
+ "role[blogs]",
+ "role[munin]"
)
:family => :inet,
:address => "10.0.48.17",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[enp25s0f0 enp25s0f1]
}
},
:family => :inet,
:address => "10.0.48.15",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[eno1 eno2]
}
},
default_attributes(
:exim => {
+ :smarthost_via => "fafnir.openstreetmap.org:26",
:local_domains => ["otrs.openstreetmap.org"],
:routes => {
:otrs_otrs => {
:overpass => {
:fqdn => "query.openstreetmap.org",
:meta_mode => "no",
- :compression_mode => "no",
+ :compression_mode => "lz4",
:restricted_api => true
+ },
+ :prometheus => {
+ :files => %w[
+ /srv/query.openstreetmap.org/diffs/latest.osc
+ ]
}
)
--- /dev/null
+name "oxidized"
+description "Role applied to all oxidized servers"
+
+default_attributes(
+ :accounts => {
+ :users => {
+ :oxidized => {
+ :status => :role,
+ :members => [:grant, :tomh]
+ }
+ }
+ }
+)
+
+run_list(
+ "recipe[oxidized]"
+)
--- /dev/null
+name "palulukon"
+description "Master role applied to palulukon"
+
+default_attributes(
+ :networking => {
+ :interfaces => {
+ :external_ipv4 => {
+ :interface => "ens5",
+ :role => :external,
+ :family => :inet,
+ :address => "172.31.37.101",
+ :prefix => "20",
+ :gateway => "172.31.32.1",
+ :public_address => "3.144.0.72"
+ }
+ }
+ },
+ :postgresql => {
+ :settings => {
+ :defaults => {
+ :shared_buffers => "8GB",
+ :maintenance_work_mem => "7144MB",
+ :effective_cache_size => "16GB"
+ }
+ }
+ },
+ :sysctl => {
+ :postgres => {
+ :comment => "Increase shared memory for postgres",
+ :parameters => {
+ "kernel.shmmax" => 9 * 1024 * 1024 * 1024,
+ "kernel.shmall" => 9 * 1024 * 1024 * 1024 / 4096
+ }
+ }
+ },
+ :tile => {
+ :database => {
+ :cluster => "14/main",
+ :postgis => "3"
+ },
+ :mapnik => "3.1",
+ :styles => {
+ :default => {
+ :tile_directories => [
+ { :name => "/store/tiles/default", :min_zoom => 0, :max_zoom => 19 }
+ ]
+ }
+ }
+ }
+)
+
+override_attributes(
+ :networking => {
+ :nameservers => ["172.31.0.2"]
+ }
+)
+
+run_list(
+ "role[aws-us-east-2]",
+ "role[tile]"
+)
+++ /dev/null
-name "planet-current"
-description "Role applied to all servers needing an up to date planet file"
-
-default_attributes(
- :accounts => {
- :users => {
- :planet => {
- :status => :role
- }
- }
- }
-)
-
-run_list(
- "recipe[planet::current]"
-)
:mpm => "event",
:keepalive => true,
:event => {
- :server_limit => 20,
+ :server_limit => 30,
:max_request_workers => 1000,
:threads_per_child => 50,
:min_spare_threads => 75,
:tablespaces => {
"daux" => "/data/tablespaces/daux",
"iaux" => "/data/tablespaces/iaux"
+ },
+ :config => {
+ :forward_dependencies => "yes"
}
}
"role[donate]",
"recipe[hot]",
"recipe[dmca]",
- "recipe[dhcpd]"
+ "recipe[dhcpd]",
+ "recipe[ideditor]"
)
)
run_list(
- "role[ucl]",
- "role[chef-server]",
- "role[chef-repository]",
- "role[letsencrypt]",
- "role[git]",
- "role[dns]",
- "recipe[serverinfo]"
+ "role[ucl]"
)
}
}
},
- :hardware => {
- :mcelog => {
- :enabled => false
- }
- },
:networking => {
:interfaces => {
:external_ipv4 => {
:ignore => %w[in6]
}
},
- :mcelog => {
- :enabled => false
- },
:modules => [
"it87"
]
:family => :inet,
:address => "10.0.48.49",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[eno1 eno2 eno3 eno4]
}
}
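Review bot: The three bond parameters added here (`:mode => "802.3ad"`, `:lacprate => "fast"`, `:xmithashpolicy => "layer3+4"`) are repeated verbatim for the bonds at L7021–L7029, L7030–L7038, L7039–L7047 and L7065–L7073; a shared role or a cookbook-level default would keep the five hosts in step instead of relying on copy-and-paste. Switching a bond to 802.3ad presumably requires the switch ports to be configured for LACP first; if a partner is not ready, the slaves will not aggregate and the host can lose its internal link when the change converges, so rolling it out host by host with out-of-band access available is the safer order. The interface and role keys of this bond start outside the hunk.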
+++ /dev/null
-name "spike-04"
-description "Master role applied to spike-04"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "bond0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.32.21",
- :bond => {
- :slaves => %w[enp3s0f0 enp3s0f1]
- }
- },
- :external_ipv4 => {
- :interface => "bond0.214",
- :role => :external,
- :family => :inet,
- :address => "89.16.162.21"
- },
- :external_ipv6 => {
- :interface => "bond0.214",
- :role => :external,
- :family => :inet6,
- :address => "2001:41c9:2:d6::21"
- }
- }
- }
-)
-
-run_list(
- "role[bytemark]",
- "role[web-frontend]"
- # "role[web-gpximport]",
- # "role[web-statistics]",
- # "role[web-cleanup]"
-)
+++ /dev/null
-name "spike-05"
-description "Master role applied to spike-05"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "bond0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.32.22",
- :bond => {
- :slaves => %w[enp3s0f0 enp3s0f1]
- }
- },
- :external_ipv4 => {
- :interface => "bond0.214",
- :role => :external,
- :family => :inet,
- :address => "89.16.162.22"
- },
- :external_ipv6 => {
- :interface => "bond0.214",
- :role => :external,
- :family => :inet6,
- :address => "2001:41c9:2:d6::22"
- }
- }
- }
-)
-
-run_list(
- "role[bytemark]",
- "role[web-frontend]"
-)
:family => :inet,
:address => "10.0.48.11",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[eno1 eno2]
}
},
:family => :inet,
:address => "10.0.48.12",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[eno1 eno2]
}
},
:family => :inet,
:address => "10.0.48.13",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[eno1 eno2]
}
},
description "Role applied to State of the Map servers"
run_list(
- "recipe[stateofthemap]"
+ "recipe[stateofthemap]",
+ "recipe[stateofthemap::jekyll]",
+ "recipe[stateofthemap::static]",
+ "recipe[stateofthemap::wordpress]"
)
+++ /dev/null
-name "supermicro-x8dtt-h"
-description "Role applied to all Supermicro X8DTT-H machines"
-
-default_attributes(
- :hardware => {
- :watchdog => "w83627hf_wdt"
- }
-)
:family => :inet,
:address => "10.0.48.14",
:bond => {
+ :mode => "802.3ad",
+ :lacprate => "fast",
+ :xmithashpolicy => "layer3+4",
:slaves => %w[eno1 eno2]
}
},
:passenger => {
:max_pool_size => 50
},
- :planet => {
- :current => {
- :jobs => {
- :taginfo => {
- :command => "/usr/local/bin/taginfo-update",
- :user => "taginfo"
- }
- }
- }
- },
:taginfo => {
:sites => [
{
)
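Review bot: Removing the `:planet.current.jobs.taginfo` hook (`/usr/local/bin/taginfo-update` run as `taginfo`) together with `role[planet-current]` at L7092 means nothing visible in this diff triggers the taginfo update any more. If the taginfo recipe now schedules that update itself, a comment next to `"recipe[taginfo]"` saying so would save the next reader the search; if it does not, the update silently stops along with the planet-file hook. The `default_attributes` block starts outside the hunk.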
run_list(
- "role[planet-current]",
"recipe[taginfo]"
)
+++ /dev/null
-name "thorn-02"
-description "Master role applied to thorn-02"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "bond0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.48.52",
- :bond => {
- :slaves => %w[eth0 eth1]
- }
- }
- }
- }
-)
-
-run_list(
- "role[equinix-ams]"
-)
+++ /dev/null
-name "thorn-03"
-description "Master role applied to thorn-03"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "bond0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.48.53",
- :bond => {
- :slaves => %w[eth0 eth1]
- }
- }
- }
- }
-)
-
-run_list(
- "role[equinix-ams]"
-)
+++ /dev/null
-name "thorn-04"
-description "Master role applied to thorn-04"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "bond0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.32.41",
- :bond => {
- :slaves => %w[enp3s0f0 enp3s0f1]
- }
- }
- }
- }
-)
-
-run_list(
- "role[bytemark]"
-)
+++ /dev/null
-name "thorn-05"
-description "Master role applied to thorn-05"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "bond0",
- :role => :internal,
- :family => :inet,
- :address => "10.0.32.42",
- :bond => {
- :slaves => %w[enp3s0f0 enp3s0f1]
- }
- }
- }
- }
-)
-
-run_list(
- "role[bytemark]"
-)
+++ /dev/null
-name "tiamat-00"
-description "Master role applied to tiamat-00"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.40"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.40"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]",
- "role[crm]"
-)
+++ /dev/null
-name "tiamat-01"
-description "Master role applied to tiamat-01"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.41"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.41"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-02"
-description "Master role applied to tiamat-02"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.42"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.42"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-03"
-description "Master role applied to tiamat-03"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.43"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.43"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-10"
-description "Master role applied to tiamat-10"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.44"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.44"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-11"
-description "Master role applied to tiamat-11"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.45"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.45"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-12"
-description "Master role applied to tiamat-12"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.46"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.46"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-13"
-description "Master role applied to tiamat-13"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.47"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.47"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-20"
-description "Master role applied to tiamat-20"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.48"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.48"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-21"
-description "Master role applied to tiamat-21"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.49"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.49"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-22"
-description "Master role applied to tiamat-22"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.50"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.50"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
+++ /dev/null
-name "tiamat-23"
-description "Master role applied to tiamat-23"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "enp1s0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.51"
- },
- :external_ipv4 => {
- :interface => "enp1s0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.51"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[supermicro-x8dtt-h]"
-)
default_attributes(
:accounts => {
:users => {
+ :pnorman => { :status => :administrator },
:tile => {
- :members => [:jburgess, :tomh]
+ :members => [:jburgess, :tomh, :pnorman]
}
}
},
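Review bot: `:pnorman => { :status => :administrator }` appears to grant administrator-level access on this node, and the next changed line adds the same user to the `:tile` group; the key material for the account is not part of this diff, so it presumably comes from the accounts data bag and is worth confirming there before the role converges. A short comment on the new line naming why the access is needed (for example `# tile style maintainer`) would also document the grant for later access reviews. The `default_attributes` block continues past the hunk.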
:styles => {
:default => {
:repository => "https://github.com/gravitystorm/openstreetmap-carto.git",
- :revision => "v5.5.1",
+ :revision => "v5.6.2",
+ :fonts_script => "/srv/tile.openstreetmap.org/styles/default/scripts/get-fonts.sh",
:max_zoom => 19
}
}
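Review bot: `:revision => "v5.6.2"` pins the openstreetmap-carto checkout to a tag, and the new `:fonts_script` path points at a shell script inside that checkout which the recipe presumably executes on the host; a tag can be re-pointed upstream, so a commit SHA (or the tag plus a comment recording the SHA it resolved to at review time) gives a stronger guarantee that the script run later is the one that was reviewed. The `:styles` block starts outside the hunk.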
+++ /dev/null
-name "urmel"
-description "Master role applied to urmel"
-
-default_attributes(
- :networking => {
- :interfaces => {
- :internal_ipv4 => {
- :interface => "eth0.2801",
- :role => :internal,
- :family => :inet,
- :address => "10.0.0.6"
- },
- :external_ipv4 => {
- :interface => "eth0.2800",
- :role => :external,
- :family => :inet,
- :address => "193.60.236.21"
- }
- }
- }
-)
-
-run_list(
- "role[ucl]",
- "role[hp-dl360-g6]",
- "role[munin]"
-)
}
},
:exim => {
+ :smarthost_via => "fafnir.openstreetmap.org:26",
:trusted_users => %w[www-data wiki],
:aliases => {
:root => "grant"
]
},
:memcached => {
- :memory_limit => 1024,
+ :memory_limit => 4096,
:connection_limit => 8192,
:chunk_growth_factor => 1.25,
:min_item_size => 48
},
+ :sysctl => {
+ :swappiness => {
+ :comment => "Reduce swap usage",
+ :parameters => {
+ "vm.swappiness" => 10
+ }
+ }
+ },
:mysql => {
:settings => {
:mysqld => {
it { should be_enabled }
it { should be_running }
end
+
+describe docker_image("local_discourse/data:latest") do
+ it { should exist }
+end
+
+describe docker_image("local_discourse/mail-receiver:latest") do
+ it { should exist }
+end
+
+describe docker_image("local_discourse/web_only:latest") do
+ it { should exist }
+end
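Review bot: The three `docker_image(...)` checks only assert that an image tagged `:latest` exists locally; they say nothing about whether the corresponding containers are running, and `:latest` matches whatever was built most recently rather than a reviewed build. If the recipe starts containers from these images, a `docker_container("…")` block with `it { should be_running }` per container would test the outcome instead of the build artefact. The `describe` block at the top of the hunk starts outside it.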
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe service("backup-db.timer") do
+ it { should be_enabled }
+ it { should be_running }
+end
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("postgresql-9.5") do
+ it { should be_installed }
+end
+
+describe service("postgresql@9.5-main") do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(5432) do
+ it { should be_listening.with("tcp") }
+end
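Review bot: The new spec asserts `package("postgresql-9.5")` and `service("postgresql@9.5-main")`, and the same file appears again byte-identical at L7629–L7646 and L7647–L7664; PostgreSQL 9.5 has been out of upstream support for some time, and elsewhere in this diff the tile role sets `:cluster => "14/main"`, so the version the suites pin looks out of step with what the roles deploy. If the suites converge a different version the tests fail on the package name, and if they really do install 9.5 that is the point worth raising with the cookbook rather than the test. Since the three files are identical, a shared spec helper would also avoid keeping them in sync by hand.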
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("postgresql-9.5") do
+ it { should be_installed }
+end
+
+describe service("postgresql@9.5-main") do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(5432) do
+ it { should be_listening.with("tcp") }
+end
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("postgresql-9.5") do
+ it { should be_installed }
+end
+
+describe service("postgresql@9.5-main") do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(5432) do
+ it { should be_listening.with("tcp") }
+end
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("dnscontrol") do
+ it { should be_installed }
+end
+
+describe command("dnscontrol version") do
+ its(:exit_status) { should eq 0 }
+end
it { should be_installed }
end
-describe package("npm") do
+describe package("yarn") do
it { should be_installed }
end
it { should be_executable }
end
-describe file("/etc/cron.d/planet-dump-mirror") do
- it { should be_file }
+describe service("planet-dump-mirror.timer") do
+ it { should be_enabled }
+ it { should be_running }
end
it { should be_executable }
end
-describe file("/etc/cron.d/planet-notes-dump") do
- it { should be_file }
+describe service("planet-notes-dump.timer") do
+ it { should be_enabled }
+ it { should be_running }
end
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("apache2") do
+ it { should be_installed }
+end
+
+describe service("apache2") do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(80) do
+ it { should be_listening.with("tcp") }
+end
+
+describe port(443) do
+ it { should be_listening.with("tcp") }
+end
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("apache2") do
+ it { should be_installed }
+end
+
+describe service("apache2") do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(80) do
+ it { should be_listening.with("tcp") }
+end
+
+describe port(443) do
+ it { should be_listening.with("tcp") }
+end
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("apache2") do
+ it { should be_installed }
+end
+
+describe service("apache2") do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(80) do
+ it { should be_listening.with("tcp") }
+end
+
+describe port(443) do
+ it { should be_listening.with("tcp") }
+end