From: Tom Hughes
Date: Tue, 15 Nov 2022 20:41:08 +0000 (+0000)
Subject: Derive tile directories for sanboxing from attributes
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/10b1e5bbc72ae497f41b911af431cbb757a12f36
Derive tile directories for sanboxing from attributes
---
diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index 963c3dd2f..e06df4f45 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -97,6 +97,10 @@ file "/srv/tile.openstreetmap.org/conf/ip.map" do
 mode "644" end
+tile_directories = node[:tile][:styles].collect do |_, style|
+ style[:tile_directories].collect { |directory| directory[:name] }
+end.flatten.sort.uniq
+
 package "renderd" systemd_service "renderd" do
@@ -106,7 +110,7 @@ systemd_service "renderd" do
 limit_nofile 4096 sandbox true restrict_address_families "AF_UNIX"
- read_write_paths "/store/tiles"
+ read_write_paths tile_directories
 restart "on-failure" end
@@ -584,9 +588,8 @@ systemd_service "expire-tiles" do
 nice 10 standard_output "null" sandbox true
- read_write_paths [
+ read_write_paths tile_directories + [
 "/store/database/nodes",
- "/store/tiles/%i",
 "/var/lib/replicate/expire-queue", "/var/log/tile" ]
@@ -667,10 +670,6 @@ template "/usr/local/bin/cleanup-tiles" do
 mode "755" end
-tile_directories = node[:tile][:styles].collect do |_, style|
- style[:tile_directories].collect { |directory| directory[:name] }
-end.flatten.sort.uniq
-
 tile_directories.each do |directory| label = directory.gsub("/", "-")
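Review bot: The directory names collected in the new `tile_directories` block go straight into `ReadWritePaths=` for two sandboxed units without any validation: a style whose attributes lack a `tile_directories` key aborts the converge with NoMethodError on nil, and a non-absolute name — or one starting with `-` or `+`, which systemd reads as the ignore-if-missing / relative-to-root modifiers — silently changes what the sandbox grants instead of failing. Since this list now defines the write scope of renderd and expire-tiles, a fail-closed check is cheap; I would tolerate the missing key with `Array(style[:tile_directories])` and, on each element, `raise ArgumentError, "tile directory must be an absolute path: #{directory.inspect}" unless directory.to_s.start_with?("/")`. As a matter of style, `flat_map` replaces the `collect`-then-`flatten` pair: `node[:tile][:styles].flat_map { |_, style| Array(style[:tile_directories]).map { |d| d[:name] } }.sort.uniq`.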
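Review bot: Nothing in the renderd hunk handles `tile_directories` being empty: if no style declares a tile directory, `read_write_paths tile_directories` passes an empty array and, with `sandbox true`, renderd would presumably be left with no writable tile location where it previously had the whole `/store/tiles` tree. A guard before the resource, `raise "no tile directories configured for renderd" if tile_directories.empty?`, turns that into an explicit converge-time failure rather than a runtime write error inside the sandbox. Narrowing the grant from `/store/tiles` to the enumerated per-style directories is otherwise a sound least-privilege change; I am assuming the `systemd_service` resource accepts an Array here as the expire-tiles resource already passes one, and the renderd definition begins before this hunk.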
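Review bot: The expire-tiles hunk widens the sandbox rather than narrowing it: the removed `/store/tiles/%i` entry (the `%i` specifier indicates a template unit) confined each `expire-tiles@<instance>` to its own style's tile tree, whereas `tile_directories` is the union over every configured style, so every instance can now write every style's tiles. If that is intentional it deserves a comment on the resource, e.g. `# all styles' tile directories: expire-tiles@<style> may touch any of them`, because the commit message presents this as a derivation, not a policy change. If it is not, the per-instance scope can only be kept by retaining `"/store/tiles/%i"` (valid only while each style's directory is named after its instance) or by generating one unit per style from that style's own `tile_directories` instead of a single template. The resource definition starts before this hunk, so I cannot see how instances are declared.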