From 7dd781ed384d94e46418d766059db351e76fd348 Mon Sep 17 00:00:00 2001 From: Grant Slater Date: Tue, 9 Jan 2024 16:54:30 +0000 Subject: [PATCH] imager: add tiler cookbook --- .github/workflows/test-kitchen.yml | 1 + .kitchen.yml | 3 ++ cookbooks/imagery/metadata.rb | 6 ++- cookbooks/imagery/recipes/default.rb | 1 + cookbooks/imagery/recipes/tiler.rb | 45 +++++++++++++++++++ .../templates/default/nginx_titiler.conf.erb | 44 ++++++++++++++++++ .../imagery-tiler/inspec/nginx_spec.rb | 8 ++++ .../imagery-tiler/inspec/tiler_spec.rb | 8 ++++ 8 files changed, 114 insertions(+), 2 deletions(-) create mode 100644 cookbooks/imagery/recipes/tiler.rb create mode 100644 cookbooks/imagery/templates/default/nginx_titiler.conf.erb create mode 100644 test/integration/imagery-tiler/inspec/nginx_spec.rb create mode 100644 test/integration/imagery-tiler/inspec/tiler_spec.rb diff --git a/.github/workflows/test-kitchen.yml b/.github/workflows/test-kitchen.yml index 12502a628..343564cc6 100644 --- a/.github/workflows/test-kitchen.yml +++ b/.github/workflows/test-kitchen.yml @@ -58,6 +58,7 @@ jobs: - hardware - hot - ideditor + - imagery-tiler - irc - kibana - letsencrypt diff --git a/.kitchen.yml b/.kitchen.yml index cb1c2ffde..39fbc4de2 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -209,6 +209,9 @@ suites: - name: ideditor run_list: - recipe[ideditor::default] + - name: imagery-tiler + run_list: + - recipe[imagery::tiler] - name: irc run_list: - recipe[irc::default] diff --git a/cookbooks/imagery/metadata.rb b/cookbooks/imagery/metadata.rb index 9b091a89e..85dbc657c 100644 --- a/cookbooks/imagery/metadata.rb +++ b/cookbooks/imagery/metadata.rb @@ -6,7 +6,9 @@ description "Installs and configures imagery" version "1.0.0" supports "ubuntu" -depends "nginx" +depends "accounts" depends "git" -depends "systemd" +depends "nginx" +depends "podman" depends "ssl" +depends "systemd" 
diff --git a/cookbooks/imagery/recipes/default.rb b/cookbooks/imagery/recipes/default.rb index 316406e13..6b4cbe9db 100644 --- a/cookbooks/imagery/recipes/default.rb +++ b/cookbooks/imagery/recipes/default.rb @@ -17,6 +17,7 @@ # limitations under the License. # +include_recipe "accounts" include_recipe "nginx" include_recipe "git" diff --git a/cookbooks/imagery/recipes/tiler.rb b/cookbooks/imagery/recipes/tiler.rb new file mode 100644 index 000000000..12c6999d1 --- /dev/null +++ b/cookbooks/imagery/recipes/tiler.rb 
@@ -0,0 +1,45 @@
+#
+# Cookbook:: imagery
+# Recipe:: tiler
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "imagery"
+include_recipe "podman"
+
+# FIXME: until upstream supports arm64 images: https://github.com/developmentseed/titiler/pull/740
+container_image = if arm?
+ "ghcr.io/firefishy/titiler:latest"
+ else
+ "ghcr.io/developmentseed/titiler:latest"
+ end
+
+podman_service "titiler" do
+ description "Container service for titiler"
+ image container_image
+ ports 8080 => 8080
+ environment :PORT => 8080, :WORKERS_PER_CORE => 1, :GDAL_INGESTED_BYTES_AT_OPEN => 32768, :GDAL_DISABLE_READDIR_ON_OPEN => "EMPTY_DIR", :GDAL_HTTP_MERGE_CONSECUTIVE_RANGES => "YES", :GDAL_HTTP_MULTIPLEX => "YES", :GDAL_HTTP_VERSION => 2
+end
+
+ssl_certificate "tiler.openstreetmap.org" do
+ domains "tiler.openstreetmap.org"
+ notifies :reload, "service[nginx]"
+end
+
+nginx_site "tiler.openstreetmap.org" do
+ template "nginx_titiler.conf.erb"
+ variables :aliases => ["tiler.osm.org"]
+end
diff --git a/cookbooks/imagery/templates/default/nginx_titiler.conf.erb b/cookbooks/imagery/templates/default/nginx_titiler.conf.erb
new file mode 100644
index 000000000..2ce67a36b
--- /dev/null
+++ b/cookbooks/imagery/templates/default/nginx_titiler.conf.erb
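Review bot: Both `container_image` values use the mutable `:latest` tag, and the arm branch pulls from a personal `ghcr.io/firefishy` namespace, so whatever is pushed to either tag next is what the host runs. Pinning each reference by digest, e.g. `"ghcr.io/developmentseed/titiler@sha256:<DIGEST_PLACEHOLDER>"`, makes an image change a reviewed change to this recipe. Also, `ports 8080 => 8080` probably publishes the container port on every host interface (how `podman_service` maps it is not visible here), while the nginx template only needs `localhost:8080`. If the resource accepts a host address, binding to 127.0.0.1 keeps clients from reaching titiler without going through TLS and nginx.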
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
+
+ rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
+
+ ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
+ ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
+<% if node[:ssl][:strict_transport_security] -%>
+
+ add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
+
+ # Requests sent within early data are subject to replay attacks.
+ # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
+
+ # root "/srv/<%= @name %>";
+
+ gzip on;
+ gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit
+ gzip_min_length 512;
+ gzip_http_version 1.0;
+ gzip_proxied any;
+ gzip_comp_level 9;
+ gzip_vary on;
+
+ location /api/v1/titiler {
+ rewrite ^/api/v1/titiler(.*)$ $1 break;
+ proxy_pass http://localhost:8080;
+ proxy_set_header HOST $host;
+ proxy_set_header Referer $http_referer;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/test/integration/imagery-tiler/inspec/nginx_spec.rb b/test/integration/imagery-tiler/inspec/nginx_spec.rb
new file mode 100644
index 000000000..366cecb74
--- /dev/null
+++ b/test/integration/imagery-tiler/inspec/nginx_spec.rb
@@ -0,0 +1,8 @@
+describe package("nginx") do
+ it { should be_installed }
+end
+
+describe service("nginx") do
+ it { should be_enabled }
+ it { should be_running }
+end
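Review bot: `ssl_early_data on;` in the 443 server is enabled with the replay caveat in the comment above it, but the `location /api/v1/titiler` block does not tell the backend which requests arrived as early data. The nginx documentation linked in that comment recommends passing it upstream with `proxy_set_header Early-Data $ssl_early_data;`, so the application can reject replayable non-idempotent requests. If only idempotent GETs are served here, the comment should say so; otherwise early data is better left off for this site. Separately, the GDAL_HTTP_* settings in the recipe suggest titiler reads rasters from URLs supplied in the request, and this location forwards every request unauthenticated, so confirm the container's outbound access is limited to the intended imagery hosts.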
diff --git a/test/integration/imagery-tiler/inspec/tiler_spec.rb b/test/integration/imagery-tiler/inspec/tiler_spec.rb
new file mode 100644
index 000000000..366cecb74
--- /dev/null
+++ b/test/integration/imagery-tiler/inspec/tiler_spec.rb
@@ -0,0 +1,8 @@
+describe package("nginx") do
+ it { should be_installed }
+end
+
+describe service("nginx") do
+ it { should be_enabled }
+ it { should be_running }
+end
-- 2.45.1
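Review bot: tiler_spec.rb is identical to nginx_spec.rb (both new blobs are `366cecb74`), so the imagery-tiler suite only proves nginx is installed and running and never checks the titiler container. Replace its body with checks for the service itself, for example `describe port(8080) do`, `it { should be_listening }`, `end`. A `describe service(...)` block can follow once the unit name that `podman_service "titiler"` creates is confirmed; it is not visible in this patch.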