imagery: restart titiler service to workaround resource leak master
authorGrant Slater <github@firefishy.com>
Tue, 7 May 2024 13:31:42 +0000 (14:31 +0100)
committerGrant Slater <github@firefishy.com>
Tue, 7 May 2024 13:31:42 +0000 (14:31 +0100)
15 files changed:
cookbooks/accounts/files/default/contrapunctus/.ssh/authorized_keys [new file with mode: 0644]
cookbooks/blog/recipes/birthday.rb [new file with mode: 0644]
cookbooks/blog/templates/default/backup-birthday20.cron.erb [new file with mode: 0644]
cookbooks/blogs/recipes/default.rb
cookbooks/blogs/templates/default/blogs-update.erb
cookbooks/chef/attributes/default.rb
cookbooks/imagery/recipes/tiler.rb
cookbooks/imagery/templates/default/nginx_imagery_layer_fragment.conf.erb
cookbooks/nominatim/recipes/default.rb
cookbooks/otrs/recipes/debian.rb
cookbooks/prometheus/templates/default/alert_rules.yml.erb
cookbooks/web/recipes/rails.rb
roles/birthday20.rb [new file with mode: 0644]
roles/dev.rb
roles/fume.rb

diff --git a/cookbooks/accounts/files/default/contrapunctus/.ssh/authorized_keys b/cookbooks/accounts/files/default/contrapunctus/.ssh/authorized_keys
new file mode 100644 (file)
index 0000000..032adbf
--- /dev/null
@@ -0,0 +1,2 @@
+# DO NOT EDIT - This file is being maintained by Chef - use authorized_keys2 instead
+ssh-rsa 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 contrapunctus@disroot.org
diff --git a/cookbooks/blog/recipes/birthday.rb b/cookbooks/blog/recipes/birthday.rb
new file mode 100644 (file)
index 0000000..eac984a
--- /dev/null
@@ -0,0 +1,59 @@
+#
+# Cookbook:: blog
+# Recipe:: birthday
+#
+# Copyright:: 2024, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "wordpress"
+
+passwords = data_bag_item("birthday20", "passwords")
+wp2fa_encrypt_keys = data_bag_item("birthday20", "wp2fa_encrypt_keys")
+
+directory "/srv/birthday20.openstreetmap.org" do
+  owner "wordpress"
+  group "wordpress"
+  mode "755"
+end
+
+wordpress_site "birthday20.openstreetmap.org" do
+  aliases ["birthday20.osm.org", "birthday20.openstreetmap.com",
+           "birthday20.openstreetmap.net", "birthday20.openstreetmaps.org"]
+  directory "/srv/birthday20.openstreetmap.org/wp"
+  database_name "osm-birthday20"
+  database_user "osm-birthday20-user"
+  database_password passwords["osm-birthday20-user"]
+  wp2fa_encrypt_key wp2fa_encrypt_keys["key"]
+  fpm_prometheus_port 11403
+end
+
+wordpress_plugin "birthday20.openstreetmap.org-shareadraft" do
+  action :delete
+  plugin "shareadraft"
+  site "birthday20.openstreetmap.org"
+end
+
+wordpress_plugin "birthday20.openstreetmap.org-public-post-preview" do
+  plugin "public-post-preview"
+  site "birthday20.openstreetmap.org"
+end
+
+template "/etc/cron.daily/birthday20-backup" do
+  source "backup-birthday20.cron.erb"
+  owner "root"
+  group "root"
+  mode "750"
+  variables :passwords => passwords
+end
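Review bot: The `template "/etc/cron.daily/birthday20-backup"` resource at the end of the recipe renders the database password into the file but does not set `sensitive true`, so a Chef run that creates or changes the file can print the rendered diff, password included, to the client log and to any report handler. Adding `sensitive true` inside that block suppresses the output. The `mode "750"` with root ownership already keeps the file itself unreadable to other users.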
diff --git a/cookbooks/blog/templates/default/backup-birthday20.cron.erb b/cookbooks/blog/templates/default/backup-birthday20.cron.erb
new file mode 100644 (file)
index 0000000..cef3d14
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# DO NOT EDIT - This file is being maintained by Chef
+
+T=$(mktemp -d -t -p /var/tmp osm-birthday20.XXXXXXXXXX)
+D=$(date +%Y-%m-%d)
+B=osm-birthday20-$D.tar.gz
+
+mkdir $T/osm-birthday20-$D
+echo '[mysqldump]' > $T/mysqldump.opts
+echo 'user=osm-birthday20-user' >> $T/mysqldump.opts
+echo 'password=<%= @passwords["osm-birthday20-user"] %>' >> $T/mysqldump.opts
+mysqldump --defaults-file=$T/mysqldump.opts --opt --no-tablespaces osm-birthday20 > $T/osm-birthday20-$D/osm-birthday20.sql
+ln -s /srv/birthday20.openstreetmap.org $T/osm-birthday20-$D/www
+
+export RSYNC_RSH="ssh -ax"
+
+nice tar --create --dereference --directory=$T --warning=no-file-changed osm-birthday20-$D | nice gzip --rsyncable -9 > $T/$B
+nice rsync --preallocate --fuzzy $T/$B backup::backup
+
+rm -rf $T
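Review bot: The script never checks that `mktemp` succeeded and has no cleanup on failure: if `T` ends up empty, the following lines create the dump directory and `mysqldump.opts` (with the database password) directly under `/`, and if a later step is interrupted the temporary directory with the credentials file and the SQL dump stays behind in /var/tmp. Starting the script with `set -e` and registering `trap 'rm -rf "$T"' EXIT` right after the `mktemp` line covers both cases, and quoting `"$T"` throughout avoids word-splitting surprises. The password is also interpolated inside single quotes on the `echo 'password=...'` line, so a password containing `'` would break the generated script. Separately, `--dereference` makes the root-run tar follow every symlink below the tree, not only the `www` link; since the recipe gives that tree to the `wordpress` user, it is worth confirming that this is acceptable.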
index 6ebe4c2a2e2ffbe084073bcd219ab447aba9cb2b..0fb2cc7aad06dc4739e903125d59de39ec871bdb 100644 (file)
@@ -42,22 +42,24 @@ git "/srv/blogs.openstreetmap.org" do
   depth 1
   user "blogs"
   group "blogs"
-  notifies :run, "bundle_install[/srv/blogs.openstreetmap.org]", :immediately
 end
 
 bundle_install "/srv/blogs.openstreetmap.org" do
   action :nothing
-  options "--deployment"
+  options "--deployment --without development test"
+  environment "BUNDLE_PATH" => "vendor/bundle"
   user "blogs"
   group "blogs"
-  notifies :run, "bundle_exec[/srv/blogs.openstreetmap.org]", :immediately
+  subscribes :run, "git[/srv/blogs.openstreetmap.org]", :immediately
 end
 
 bundle_exec "/srv/blogs.openstreetmap.org" do
   action :nothing
   command "pluto build -t osm -o build"
+  environment "BUNDLE_PATH" => "vendor/bundle"
   user "blogs"
   group "blogs"
+  subscribes :run, "git[/srv/blogs.openstreetmap.org]", :immediately
 end
 
 ssl_certificate "blogs.openstreetmap.org" do
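Review bot: `options "--deployment --without development test"` on `bundle_install` relies on Bundler remembering CLI flags in the application's `.bundle/config` so that the later `bundle_exec` also skips the development and test groups; those flags are deprecated in Bundler 2, and this hunk already moves the install path into the environment. Passing the rest the same way on both resources, e.g. `environment "BUNDLE_PATH" => "vendor/bundle", "BUNDLE_WITHOUT" => "development:test", "BUNDLE_DEPLOYMENT" => "true"`, would keep install and exec consistent without depending on remembered state. This assumes the `bundle_install` and `bundle_exec` resources pass `environment` straight to the bundle command, which is not visible here. `bundle_exec` now subscribes to the `git` resource directly, so it also relies on being declared after `bundle_install` to run second; a short comment saying so would protect that ordering.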
index 15cc82483678222e75d58330689511e8aa9aa99a..a7d02149531690c68f7ad6e96bf6739cbb7d822f 100644 (file)
@@ -2,6 +2,8 @@
 
 cd /srv/blogs.openstreetmap.org
 
+export BUNDLE_PATH="vendor/bundle"
+
 <%= node[:ruby][:bundle] %> exec pluto \
        --quieter \
        --config=/srv/blogs.openstreetmap.org build \
index 185bc4ad61ecfc6edfb3971dc9ee2f18f54dbdc3..d6284df52d68f502322f83a064189382c761868b 100644 (file)
@@ -2,4 +2,4 @@
 default[:chef][:server][:version] = "15.1.7"
 
 # Set the default client version
-default[:chef][:client][:version] = "18.4.2"
+default[:chef][:client][:version] = "18.4.12"
index f5eff5c66643f305cfc07561a99e6dd3f48a49da..028e8e34ec334a2178f0bef76e5cd4fdf8a3d129 100644 (file)
@@ -53,6 +53,19 @@ podman_service "titiler" do
               :FORWARDED_ALLOW_IPS                 => "*" # https://docs.gunicorn.org/en/latest/settings.html#forwarded-allow-ips
 end
 
+systemd_service "titiler-restart" do
+  type "simple"
+  user "root"
+  exec_start "/bin/systemctl try-restart titiler.service"
+  sandbox true
+  restrict_address_families "AF_UNIX"
+end
+
+systemd_timer "titiler-restart" do
+  on_boot_sec "6h"
+  on_unit_inactive_sec "12h"
+end
+
 directory "/var/cache/nginx-cache" do
   owner "www-data"
   group "www-data"
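Review bot: The new `titiler-restart` service and timer carry no comment saying that they are a workaround, so nothing in the recipe tells a later reader why a healthy service is restarted on a timer or when the units can be removed. A comment above `systemd_service "titiler-restart"` such as `# Workaround: titiler leaks resources over time; restart it periodically until fixed upstream` would record that (the reason is taken from the commit title). `type "oneshot"` would also describe a run-to-completion `systemctl try-restart` command more accurately than `type "simple"`.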
index 44078b2e240b13e87661b4eff8ed5ce59b429be7..e72a6d7e9c4049052027cd24235e11380eee3a87 100644 (file)
@@ -24,6 +24,7 @@ location ~* "^/layer/<%= @layer %>/(\d+)/(\d+)/(\d+)\.(png|jpg|jpeg)$" {
   proxy_cache_background_update on;
   proxy_next_upstream error timeout invalid_header http_500 http_503;
   proxy_next_upstream_tries 3;
+  proxy_intercept_errors on;
   proxy_next_upstream_timeout 30s;
 
 <% else -%>
index 2cf17d821e907763be3f380b4374222b0e96fcf8..ab1c5aaa2690382b4c545043569d9c9f205472f8 100644 (file)
@@ -314,6 +314,14 @@ template "#{project_directory}/.env" do
             :request_timeout => node[:nominatim][:api_request_timeout]
 end
 
+remote_file "#{project_directory}/secondary_importance.sql.gz" do
+  action :create_if_missing
+  source "https://nominatim.org/data/wikimedia-secondary-importance.sql.gz"
+  owner "nominatim"
+  group "nominatim"
+  mode "644"
+end
+
 remote_file "#{project_directory}/wikimedia-importance.sql.gz" do
   action :create_if_missing
   source "https://nominatim.org/data/wikimedia-importance.sql.gz"
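Review bot: The added `remote_file` for `secondary_importance.sql.gz` downloads a SQL dump with `action :create_if_missing` and no `checksum`, so whatever the URL serves on the first run is accepted and never verified afterwards. If the file is later loaded into the database, pinning it with `checksum "<sha256-of-expected-file>"` (placeholder value) or checking it against a published hash before import would make a truncated or altered download fail the run. If upstream regenerates the file too often to pin, a comment saying so would help. The `wikimedia-importance.sql.gz` resource that follows, whose body continues outside the hunk, has the same shape.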
index 35bdc148e5cf216820e1f44aef1a6ba8589422f5..2d683b17e6d6ea38c3466f2dd8cb588224cb3710 100644 (file)
@@ -62,10 +62,14 @@ template "/etc/dbconfig-common/otrs2.conf" do
             :database_password => database_password
 end
 
-apt_package "otrs2" do
-  options "-t #{node[:lsb][:codename]}-backports"
+# Ensure the OTRS package in backports has a priority preference.
+apt_preference "otrs2" do
+  pin "release o=Debian Backports"
+  pin_priority "600"
 end
 
+apt_package "otrs2"
+
 # Ensure debconf is repopulated on a dbconfig change
 execute "dpkg-reconfigure-otrs2" do
   action :nothing
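Review bot: `apt_preference "otrs2"` pins only the package named `otrs2`, whereas the removed `-t ...-backports` option raised the priority of the whole backports release for that install. If the backports build of otrs2 depends on versions of other packages that exist only in backports, those dependencies are not covered by the pin and the install may fail to resolve; that cannot be confirmed from this hunk. If it applies, a second `apt_preference` using `glob` for the related packages would restore the earlier behaviour. The pin `release o=Debian Backports` is also no longer tied to the node's codename as the old option was.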
@@ -94,7 +98,7 @@ systemd_service "otrs" do
   private_tmp true
   protect_system "strict"
   protect_home true
-  read_write_paths ["/var/lib/otrs", "/var/log/exim4", "/var/spool/exim4"]
+  read_write_paths ["/var/lib/otrs", "/run/otrs", "/var/log/exim4", "/var/spool/exim4"]
 end
 
 service "otrs" do
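Review bot: `/run/otrs` is added to `read_write_paths` under `protect_system "strict"`, but `/run` is a tmpfs and nothing in this hunk creates the directory; systemd refuses to start a unit when a listed `ReadWritePaths=` entry does not exist. Unless the package ships a tmpfiles.d entry for it (not visible here), either write the path as `"-/run/otrs"` so a missing directory is tolerated, or have systemd create it through `RuntimeDirectory=otrs` if the `systemd_service` resource exposes that setting. The `systemd_service "otrs"` block starts outside the hunk.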
index 7afa799e8ad2b234f9537b2c01ef80ff4be8aa86..a0cea579289fde937a6e5947704aa618a1b5b65d 100644 (file)
@@ -25,14 +25,14 @@ groups:
         annotations:
           current: "{{ $value | humanize }}kVA"
       - alert: site temperature
-        expr: min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 < 18 or min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 > 26
+        expr: min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 < 15 or min(rPDU2SensorTempHumidityStatusTempC{site="amsterdam"}) / 10 > 32
         for: 6m
         labels:
           alertgroup: "amsterdam"
         annotations:
           temperature: "{{ $value | humanize }}C"
       - alert: site humidity
-        expr: max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 < 0.25 or max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 > 0.65
+        expr: max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 < 0.08 or max(rPDU2SensorTempHumidityStatusRelativeHumidity{site="amsterdam"}) / 100 > 0.8
         for: 6m
         labels:
           alertgroup: "amsterdam"
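Review bot: In the `site temperature` rule both bounds are tested against `min(...)`, so the upper limit `min(...) / 10 > 32` fires only when the coolest sensor is above 32C and a single hot sensor goes unnoticed; the `site humidity` rule has the mirror problem, testing the lower limit `< 0.08` against `max(...)`. Using the matching aggregate on each side, `min(...) / 10 < 15 or max(...) / 10 > 32` and `min(...) / 100 < 0.08 or max(...) / 100 > 0.8`, makes each threshold react to the worst sensor. The commit also widens both ranges considerably with no comment giving the reason, so a one-line YAML comment above each `expr` would record why. The `groups:` list continues outside the hunk.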
index 1f3236caa8da777b22e98d602bf6889d2a97d599..ee24dbd8da207273ed82d0f0b0bf3dabf1928058 100644 (file)
@@ -31,11 +31,11 @@ web_passwords = data_bag_item("web", "passwords")
 db_passwords = data_bag_item("db", "passwords")
 
 ssl_certificate "www.openstreetmap.org" do
-  domains ["www.openstreetmap.org", "www.osm.org",
+  domains ["www.openstreetmap.org", "www.osm.org", "www.openstreetmap.com",
            "api.openstreetmap.org", "api.osm.org",
            "maps.openstreetmap.org", "maps.osm.org",
            "mapz.openstreetmap.org", "mapz.osm.org",
-           "openstreetmap.org", "osm.org"]
+           "openstreetmap.org", "osm.org", "openstreetmap.com"]
   notifies :reload, "service[apache2]"
 end
 
diff --git a/roles/birthday20.rb b/roles/birthday20.rb
new file mode 100644 (file)
index 0000000..5513242
--- /dev/null
@@ -0,0 +1,19 @@
+name "birthday20"
+description "Role applied to birthday20 servers"
+
+default_attributes(
+  :accounts => {
+    :users => {
+      :mikel => { :status => :administrator },
+      :wordpress => {
+        :status => :role,
+        :members => [:mikel]
+      }
+    },
+  }
+)
+
+# FIXME: Disable while site under development
+# run_list(
+#   "recipe[blog::birthday]"
+# )
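Review bot: The role gives `:mikel` `:status => :administrator` on every node that includes it, although the account is already listed in `:members` of the `wordpress` role account that owns the site. What `:administrator` confers is defined outside this page, but if it grants host-level privileges it looks wider than a WordPress site under development needs; consider `:mikel => { :status => :user }` unless host administration is intended. With the `run_list` commented out under the `FIXME`, the role currently does nothing except create these accounts, so the comment should say what has to happen before it is re-enabled.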
index 84d29716dd90c51ea609d83fb92482c02165e360..f85849e888b70116b1a02cd232e55a273664316d 100644 (file)
@@ -13,6 +13,7 @@ default_attributes(
       :bsupnik => { :status => :user },
       :chippy => { :status => :user },
       :cobra => { :status => :user },
+      :contrapunctus => { :status => :user },
       :csmale => { :status => :user },
       :dan => { :status => :user },
       :daveh => { :status => :user },
index 5b4c5a670ac12ea6d5d06a36866e2c5be272fe44..6af2333b4d6de6ef766451a3a56843c001eacd31 100644 (file)
@@ -33,5 +33,6 @@ default_attributes(
 
 run_list(
   "role[equinix-dub]",
-  "role[blog-staging]"
+  "role[blog-staging]",
+  "role[birthday20]"
 )