From: Tom Hughes <tom@compton.nu>
Date: Sun, 26 Jun 2022 19:27:56 +0000 (+0100)
Subject: Merge remote-tracking branch 'github/pull/501'
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/f90f3de7232aea6fb8f26c906645d98cf603e565?hp=537037d57a597aee1cbddb7699c17a71fc20d4c1

Merge remote-tracking branch 'github/pull/501'
---

diff --git a/cookbooks/accounts/files/default/matt/.ssh/authorized_keys b/cookbooks/accounts/files/default/matt/.ssh/authorized_keys
index a5f67e78a..de66ccbbc 100644
--- a/cookbooks/accounts/files/default/matt/.ssh/authorized_keys
+++ b/cookbooks/accounts/files/default/matt/.ssh/authorized_keys
@@ -1,2 +1,3 @@
 # DO NOT EDIT - This file is being maintained by Chef - use authorized_keys2 instead
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyBrnrkjzAJqXtRP0MFKlc3v4fTnrRzzebIFH8YpFRCaLKpIXWVbg5BqXuxHB/vqf/1Gknycb7bgLPbhWr+b50D+nnodiJ35HPqrQVLG6nsqxnbbVXO1IR7KsctL+Wr3GW5pBeWct9GAALn8ACAR8zZ/4V6qXDgUvh0inefcqpks1YgdPdyAGLMFy7hzI5lY8kGh58kVPXMpyJLVnGX0yUjrip9IkPrGBvMDiGDiPwLOfKGDR0s1An1GK2i4k2rPxkZzdQSbqZXaaCw3MNJkDvwSmQNQp4Rprfy5BqptwJg4PLnGGePfYbzsqYA0/Pq4ccO+NPCDxZxb2XuVjgXEg8Q== matt@horntail.openstreetmap.org
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDntpfnmWsP/9nh3JvT/AuNz3t4azrH54vKLrdtovYQ14QC66GA9EyAJel2eamyhevHQw5JU3Ic6H0ycXZus6QNn5vZKBn72/HXc/mvfRO2F5PvWVVF5LROoe1YBmYJugqpRwFekt9pIs49bbu3lZolnmmVT/uQP3sTFgErc/eqBtzgB+0OYijddQl3otzOZaZh1o4YaUvyutVb8ND3D1xgPxavWKW8B3BTDLF/Lr0wyh+CTWc1LtXVifIWpe9Muv+l+iww8AScyryLdMfcrUY+k76HwmkLbNV01hWMbfnB+4KoshFHnpmFN/Q4maoEXQpwP1II3iEKVs6QWFc4dImREtpiUJm5XeznlmfBuMac2gZPyPqSQPoUmxDTV7+umbcpw5IMGKFom6GJJJN2Az40TqNoQBAwnrJrmxzvLU8POpfYdZZfPLUB8l9nELGvIMhbRTBVpq6t99AxqvHlk3hc6yPTBFfltiBDB62QyOIEggbecnMaD1VvAkrthRITNJ9h0zdvrXM+X0pMo1QM8dBqRvrbBD7fr3gy2Oo+/XMsxf6Q8Fd7iu8oU8HYCwDexqZ8y9Nb54dOglWzSEPsTBAWf6PtBtZaXZ/VnNy3zjnJuOA99STQmqH5OPCY0eg6yRE6TILj9J4wWAXytXL9lF5YAW8JIT4+8pa4WhJoUGQz1w== zerebubuth@gmail.com
diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index 5c07ae231..629186fe2 100644
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -155,6 +155,40 @@ template "/etc/replication/users-agreed.conf" do
   variables :password => db_passwords["planetdiff"]
 end
 
+systemd_service "users-agreed" do
+  description "Update list of users accepting CTs"
+  user "planet"
+  exec_start "/usr/local/bin/users-agreed"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  restrict_address_families %w[AF_INET AF_INET6]
+  no_new_privileges true
+end
+
+systemd_timer "users-agreed" do
+  description "Update list of users accepting CTs"
+  on_calendar "7:00"
+end
+
+systemd_service "users-deleted" do
+  description "Update list of deleted users"
+  user "planet"
+  exec_start "/usr/local/bin/users-deleted"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  restrict_address_families %w[AF_INET AF_INET6]
+  no_new_privileges true
+end
+
+systemd_timer "users-deleted" do
+  description "Update list of deleted users"
+  on_calendar "17:00"
+end
+
 ## Changeset replication
 
 directory "/store/planet/replication/changesets" do
@@ -171,6 +205,25 @@ template "/etc/replication/changesets.conf" do
   variables :password => db_passwords["planetdiff"]
 end
 
+systemd_service "replication-changesets" do
+  description "Changesets replication"
+  user "planet"
+  exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  restrict_address_families %w[AF_INET AF_INET6]
+  no_new_privileges true
+end
+
+systemd_timer "replication-changesets" do
+  description "Changesets replication"
+  on_boot_sec 60
+  on_unit_active_sec 60
+  accuracy_sec 5
+end
+
 ## Minutely replication
 
 directory "/store/planet/replication/minute" do
@@ -342,26 +395,16 @@ end
 ## Enable/disable feeds
 
 if node[:planet][:replication] == "enabled"
-  cron_d "users-agreed" do
-    minute "0"
-    hour "7"
-    user "planet"
-    command "/usr/local/bin/users-agreed"
-    mailto "zerebubuth@gmail.com"
+  service "users-agreed.timer" do
+    action [:enable, :start]
   end
 
-  cron_d "users-deleted" do
-    minute "0"
-    hour "17"
-    user "planet"
-    command "/usr/local/bin/users-deleted"
-    mailto "zerebubuth@gmail.com"
+  service "users-deleted.timer" do
+    action [:enable, :start]
   end
 
-  cron_d "replication-changesets" do
-    user "planet"
-    command "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
-    mailto "zerebubuth@gmail.com"
+  service "replication-changesets.timer" do
+    action [:enable, :start]
   end
 
   service "replication-minutely.timer" do
@@ -380,16 +423,16 @@ if node[:planet][:replication] == "enabled"
     action [:enable, :start]
   end
 else
-  cron_d "users-agreed" do
-    action :delete
+  service "users-agreed.timer" do
+    action [:stop, :disable]
   end
 
-  cron_d "users-deleted" do
-    action :delete
+  service "users-deleted.timer" do
+    action [:stop, :disable]
   end
 
-  cron_d "replication-changesets" do
-    action :delete
+  service "replication-changesets.timer" do
+    action [:stop, :disable]
   end
 
   service "replication-minutely.timer" do