From: Tom Hughes Date: Sun, 11 Dec 2022 15:27:10 +0000 (+0000) Subject: Merge remote-tracking branch 'github/pull/550' X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/135b0061b49861418cfb01083c1fe42e9f11c1db?hp=f2037533b62941df5c250e7b63e7646bff2a2aa2 Merge remote-tracking branch 'github/pull/550' --- diff --git a/cookbooks/prometheus/templates/default/alert_rules.yml.erb b/cookbooks/prometheus/templates/default/alert_rules.yml.erb index 149ff86bc..16496c12d 100644 --- a/cookbooks/prometheus/templates/default/alert_rules.yml.erb +++ b/cookbooks/prometheus/templates/default/alert_rules.yml.erb @@ -157,7 +157,7 @@ groups: - name: filesystem rules: - alert: readonly filesystem - expr: node_filesystem_readonly == 1 + expr: node_filesystem_readonly > min_over_time(node_filesystem_readonly[7d]) for: 0m labels: alertgroup: "{{ $labels.instance }}" diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb index 8c7c63373..d1a394b2f 100644 --- a/cookbooks/tile/recipes/default.rb +++ b/cookbooks/tile/recipes/default.rb @@ -29,6 +29,7 @@ include_recipe "ruby" include_recipe "tools" blocks = data_bag_item("tile", "blocks") +admins = data_bag_item("apache", "admins") web_passwords = data_bag_item("web", "passwords") apache_module "alias" @@ -59,6 +60,14 @@ end fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json")) +remote_file "#{Chef::Config[:file_cache_path]}/statuscake-locations.json" do + source "https://app.statuscake.com/Workfloor/Locations.php?format=json" + compile_time true + ignore_failure true +end + +statuscakelocations = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/statuscake-locations.json")) + apache_site "default" do action :disable end 
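Review bot: The new expression `node_filesystem_readonly > min_over_time(node_filesystem_readonly[7d])` never fires for a filesystem that is read-only from its very first sample, because the 7-day minimum of such a series is already 1 — a host that comes up with a filesystem remounted read-only after a failed fsck, or a freshly added target, would go unnoticed — and any alert that does fire self-resolves once the first read-only sample is seven days old even if the filesystem is still read-only. If the goal is to stop paging on mounts that are read-only by design, filtering those by label keeps the steady-state check intact, e.g. `expr: node_filesystem_readonly{fstype!~"squashfs|iso9660"} == 1` (adjust to whichever mounts were noisy). Failing that, record the trade-off in the rule so the next reader does not re-tighten it by accident: `# fires only on a transition to read-only; mounts that are read-only from their first sample never alert and the alert clears after 7d`.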
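Review bot: `JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/statuscake-locations.json"))` runs unconditionally right after a `remote_file` declared with `ignore_failure true`, so on a node that has never fetched the list a download failure is not actually ignored — `IO.read` raises `Errno::ENOENT` at compile time and the whole run aborts before any resource converges. Guard the read so a StatusCake outage degrades to "no StatusCake addresses" instead, e.g. `statuscake_path = "#{Chef::Config[:file_cache_path]}/statuscake-locations.json"` and `statuscakelocations = File.exist?(statuscake_path) ? JSON.parse(IO.read(statuscake_path)) : {}`; the `fastlyips` line above has the same shape, so this is consistent with existing code rather than a regression, but the new fetch talks to a less critical third party and should not be able to take the run down. Note also that `remote_file` replaces the cached copy whenever the downloaded content differs, so if the endpoint ever answers 200 with a non-JSON body the good copy is overwritten and `JSON.parse` then fails on every run until the endpoint recovers; a `rescue JSON::ParserError` that logs a warning and falls back to `{}` would cover that.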
@@ -69,7 +78,9 @@ end apache_site "tile.openstreetmap.org" do template "apache.erb" - variables :fastly => fastlyips["addresses"] + variables :fastly => fastlyips["addresses"] + fastlyips["ipv6_addresses"], + :statuscake => statuscakelocations.flat_map { |_, v| [v["ip"], v["ipv6"]] }, + :admins => admins["hosts"] end template "/etc/logrotate.d/apache2" do diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb index f7cba541b..c24e06e82 100644 --- a/cookbooks/tile/templates/default/apache.erb +++ b/cookbooks/tile/templates/default/apache.erb @@ -65,6 +65,33 @@ # Redirect ACME certificate challenges RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ + # Restrict tile access to CDN nodes and admins + + Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}" + # Fastly POPs +<% @fastly.sort.each do |address| -%> + Require ip <%= address %> +<% end -%> + # StatusCake monitoring +<% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%> + Require ip <%= address %> +<% end -%> + # Administrators +<% @admins.sort.each do |address| -%> + Require ip <%= address %> +<% end -%> + # OSM Amsterdam Cogent IPv4 + Require ip 130.117.76.0/27 + # OSM Amsterdam Cogent IPv6 + Require ip 2001:978:2:2C::/64 + # OSM Dublin IPv4 + Require ip 184.104.226.96/27 + # OSM Dublin IPv6 + Require ip 2001:470:1:b3b::/64 + # OSM UCL IPv4 + Require ip 193.60.236.0/24 + + # Internal endpoint for blocked users Header always set Cache-Control private
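Review bot: The StatusCake `ip`/`ipv6` values are passed from third-party JSON straight into `Require ip` directives without being checked, and the template's `reject { |address| address.empty? }` only handles the empty string — a location that omits the `ipv6` key yields `nil` from `flat_map`, which makes the template raise `NoMethodError`, while any value that is not a valid address or CIDR makes Apache reject the generated config. Because every entry here widens the tile-access allowlist, parse each one with `IPAddr` and drop (and log) anything that does not parse rather than trusting the endpoint's formatting; `require "ipaddr"` is needed near the top of the recipe if Chef has not already loaded it. Whether `fastlyips["ipv6_addresses"]` is always present in the cached Fastly list is not visible here; if it can be absent, `fastlyips.fetch("ipv6_addresses", [])` avoids a `nil` in the concatenation. The rest of the `apache_site` block is unchanged.
```ruby
# … unchanged: remote_file / JSON.parse of statuscake-locations.json above …

# Keep only entries that parse as an IPv4/IPv6 address or CIDR; anything else
# would either break the generated Apache config or silently widen the allowlist.
valid_address = lambda do |address|
  IPAddr.new(address)
  true
rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
  Chef::Log.warn("Ignoring invalid StatusCake address #{address.inspect}")
  false
end

# compact drops nil for locations that lack an "ip" or "ipv6" key
statuscake_addresses = statuscakelocations.values.flat_map { |v| [v["ip"], v["ipv6"]] }.compact.select(&valid_address)

apache_site "tile.openstreetmap.org" do
  template "apache.erb"
  variables :fastly => fastlyips["addresses"] + fastlyips["ipv6_addresses"],
            :statuscake => statuscake_addresses,
            :admins => admins["hosts"]
end
```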
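Review bot: `Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}"` admits any request whose client address was rewritten by mod_remoteip (CONN_REMOTE_ADDR is the TCP peer, REMOTE_ADDR the effective client), so for proxied traffic the real gate is the RemoteIPTrustedProxy/RemoteIPInternalProxy configuration, not the `Require ip` lists that follow it — presumably that is deliberate, since after rewriting, `Require ip <fastly>` would never match the end-user address. That proxy configuration is outside this hunk, so I cannot confirm the two lists agree; if the trusted-proxy set is, or later becomes, wider than the Fastly ranges, every client behind such a proxy bypasses this allowlist, and that coupling deserves a comment on the directive: `# Anything mod_remoteip already attributed to a trusted proxy is allowed through; RemoteIPTrustedProxy must stay limited to the CDN ranges listed below`. The literal OSM Amsterdam/Dublin/UCL ranges would be easier to audit next to `admins["hosts"]` in the data bag than as constants in the template, though that is a style preference. The enclosing vhost/location block starts and ends outside the hunk, so I cannot see whether any other path on this site must remain public.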