summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2024-06-10 06:02:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2024-09-25 18:44:19 +0200
commit5f9605745f4f8e59d5aba78da18b8a50bc4a5d88 (patch)
treed8994616e44319f927d228d2256c0b15d2d47711
parentf2d133b81d98eb84acabef11b0bd919a98d5d13d (diff)
Copy webmap-import.
-rw-r--r--files/etc/systemd/system/webmap-import@.service41
-rw-r--r--tasks/webmap.yml139
m---------webmap-tools0
3 files changed, 180 insertions, 0 deletions
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
new file mode 100644
index 0000000..540e7de
--- /dev/null
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Webmap updater service (import %I to PostgreSQL)
+After=postgresql.service webmap-update@%i.target
+After=webmap-download@%i.service
+Upholds=webmap-update@%i.target
+
+# XXX webmap-download write cached files atomatically but there is no
+# guarantee that GDAL/OGR opens them atomically. It'd therefore make
+# sense to use the following Conflict= directive, however systemd skips
+# webmap-download@%i.service in that case.
+#Conflicts=webmap-download@%i.service
+
+[Service]
+User=_webmap-import
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-import \
+ --cachedir=/var/cache/webmap \
+ --lockfile=%t/webmap/lock \
+ -- %I
+
+RuntimeDirectory=webmap
+RuntimeDirectoryPreserve=yes
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+PrivateTmp=yes
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index ff212e5..053b744 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -12,6 +12,7 @@
- python3-gdal
- python3-lxml
- python3-requests
+ - python3-systemd
- python3-tqdm
- python3-urllib3
- python3-xdg
@@ -117,6 +118,16 @@
- meta: flush_handlers
+- name: Create system user '_webmap-import'
+ user: name=_webmap-import system=true
+ group=_webmap
+ createhome=false
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ comment="Webmap update (extract/import)"
+ password="!"
+ state=present
+
- name: Install PostgreSQL and PostGIS
apt: pkg={{ packages }}
vars:
@@ -137,6 +148,13 @@
- meta: flush_handlers
+# Usage: \sudo -u postgres psql </usr/local/share/webmap/schema.sql
+- name: Copy /usr/local/share/webmap/schema.sql
+ copy: src=webmap-tools/schema.sql
+ dest=/usr/local/share/webmap/schema.sql
+ owner=root group=root
+ mode=0644
+
- name: Create PostgreSQL database
become: true
# XXX: this creates /var/lib/postgresql/.ansible/tmp
@@ -152,6 +170,43 @@
template: template0
owner: postgres
+- name: Create 'webmap_import' and 'webmap_guest' PostgreSQL users (roles)
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_user:
+ db: webmap
+ name: "{{ item }}"
+ with_items:
+ - webmap_import
+ - webmap_guest
+
+- name: Add a rule for 'webmap_import' user in pg_hba.conf
+ ansible.builtin.lineinfile:
+ path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_hba.conf
+ regexp: '^local\s+webmap\s'
+ line: 'local webmap all peer map=pgmap_webmap'
+ # must come before 'local all all peer', cf.
+ # https://dba.stackexchange.com/questions/177142/postgresql-cannot-peer-authenticate-using-usermap-provided-user-name-dbuser
+ insertbefore: '^local\s+all\s+all\s'
+ create: false
+ notify: Reload PostgreSQL
+
+- name: Add a mapping rule for 'webmap_import' user in pg_ident.conf
+ ansible.builtin.lineinfile:
+ path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
+ regexp: '^pgmap_webmap\s.*\swebmap_import\s*$'
+ line: 'pgmap_webmap _webmap-import webmap_import'
+ create: false
+ notify: Reload PostgreSQL
+
+- name: Add a mapping rule for 'webmap_guest' user in pg_ident.conf
+ ansible.builtin.lineinfile:
+ path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
+ regexp: '^pgmap_webmap\s.*\swebmap_guest\s*$'
+ line: 'pgmap_webmap /^_?[a-zA-Z][a-zA-Z0-9_\-]*[a-zA-Z0-9]$ webmap_guest'
+ create: false
+ notify: Reload PostgreSQL
+
- name: Create 'postgis' PostgreSQL schema
become: true
become_user: postgres
@@ -169,4 +224,88 @@
schema: postgis
comment: Geographic objects support for PostgreSQL
+- name: GRANT CONNECT ON DATABASE webmap TO webmap_import, webmap_guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ database: webmap
+ privs: CONNECT
+ type: database
+ role: webmap_import,webmap_guest
+
+- name: GRANT USAGE ON SCHEMA postgis TO webmap_import, webmap_guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ database: webmap
+ privs: USAGE
+ type: schema
+ obj: postgis
+ role: webmap_import,webmap_guest
+
+# webmap-import should TRUNCATE existing output layers
+- name: REVOKE CREATE ON SCHEMA postgis FROM webmap_import
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ database: webmap
+ privs: CREATE
+ type: schema
+ obj: postgis
+ role: webmap_import
+ state: absent
+
+- name: GRANT SELECT ON TABLES IN SCHEMA postgis TO webmap_guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ database: webmap
+ privs: SELECT
+ type: table
+ obj: ALL_IN_SCHEMA
+ schema: postgis
+ role: webmap_guest
+
+- name: GRANT USAGE, SELECT ON SEQUENCES IN SCHEMA postgis TO webmap_guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ database: webmap
+ privs: USAGE,SELECT
+ type: sequence
+ obj: ALL_IN_SCHEMA
+ schema: postgis
+ role: webmap_guest
+
+- name: Copy /usr/local/share/webmap/import.py
+ copy: src=webmap-tools/webmap-import
+ dest=/usr/local/share/webmap/import.py
+ owner=root group=root
+ mode=0755
+
+- name: Create /usr/local/bin/webmap-import
+ file: src=../share/webmap/import.py
+ dest=/usr/local/bin/webmap-import
+ owner=root group=root
+ state=link force=yes
+
+- name: Copy webmap-import@.service
+ copy: src=etc/systemd/system/webmap-import@.service
+ dest=/etc/systemd/system/webmap-import@.service
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Enable webmap-import@.service
+ service: name=webmap-import@{{ item }}.service enabled=true
+ with_items: "{{ webmap_layer_groups }}"
+
+- name: Build administrative-codes.json*
+ become: false
+ local_action:
+ module: community.general.make
+ chdir: ./webmap-tools/administrative-codes
+ target: all
+
- meta: flush_handlers
diff --git a/webmap-tools b/webmap-tools
-Subproject 729a5df4ba9889aebcd51787ec11a4d0d1ea547
+Subproject 54db31b0df41e397438d860ec8014b7100f72eb