authorGuilhem Moulin <guilhem@fripost.org>2024-09-25 19:18:15 +0200
committerGuilhem Moulin <guilhem@fripost.org>2024-09-25 21:44:41 +0200
commitf0feb7c74ca2252ef2513da12fc85be9684a54b4 (patch)
tree301152d43426ab8f242ab835fdc04e6f3ba21196
parent5f9605745f4f8e59d5aba78da18b8a50bc4a5d88 (diff)
Copy webmap-publish.
We also replace the persistent/shared RuntimeDirectory= settings with directories and lock files declared as tmpfiles.d(5) entries, which gives finer control over their ownership and permissions. We also switch static compression on the HTTPd from gzip to brotli.
-rw-r--r--files/etc/nginx/sites-available/webmap2
-rw-r--r--files/etc/systemd/system/webmap-download@.service6
-rw-r--r--files/etc/systemd/system/webmap-import@.service6
-rw-r--r--files/etc/systemd/system/webmap-publish@.service40
-rw-r--r--files/etc/tmpfiles.d/webmap.conf11
-rw-r--r--handlers/main.yml3
-rw-r--r--tasks/httpd.yml6
-rw-r--r--tasks/webmap.yml61
m---------webmap-tools0
9 files changed, 124 insertions, 11 deletions
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index d16ab60..92809e2 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -62,7 +62,7 @@ server {
}
location ^~ /tiles/ {
expires 1d;
- gzip_static on;
+ brotli_static on;
try_files $uri =404;
error_page 404 /_.txt;
}
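Review bot: Replacing `gzip_static on;` with `brotli_static on;` means a client that does not advertise `br` in Accept-Encoding now receives the uncompressed tile, since each static module only serves the precompressed variant for its own encoding; browsers generally offer `br` only over HTTPS, and non-browser clients may not offer it at all. If the publisher still writes `.gz` files next to the `.br` ones, keep both directives, `brotli_static on;` followed by `gzip_static on;`, so the gzip fallback remains; if it now writes only `.br` (the `--compress` flag in webmap-publish@.service does not say), a comment here stating that would save the next reader the check. The enclosing `server {}` block starts outside the hunk.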
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index c0e826f..2c5a3e4 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -16,14 +16,11 @@ IOSchedulingClass=idle
Type=oneshot
ExecStart=/usr/local/bin/webmap-download \
--cachedir=/var/cache/webmap \
- --lockdir=%t/webmap-download \
+ --lockdir=%t/lock/webmap/download \
--no-exit-code \
--quiet \
-- %I
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
-
# Hardening
NoNewPrivileges=yes
ProtectHome=yes
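Review bot: Dropping `RuntimeDirectory=webmap-download` removes the guarantee that `%t/lock/webmap/download` exists when the unit starts; it is now created by /etc/tmpfiles.d/webmap.conf at boot, or by whoever runs `systemd-tmpfiles --create` after deployment, and nothing in the unit says so. Suggest a comment above `ExecStart=`: `# %t/lock/webmap/download is declared in /etc/tmpfiles.d/webmap.conf (no RuntimeDirectory= here so the path is neither created nor removed by this unit)`. The `[Service]` section this belongs to starts outside the hunk.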
@@ -34,6 +31,7 @@ ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ReadWritePaths=/var/cache/webmap
+ReadWritePaths=%t/lock/webmap/download
[Install]
WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 540e7de..06d204c 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -20,12 +20,9 @@ IOSchedulingClass=idle
Type=oneshot
ExecStart=/usr/local/bin/webmap-import \
--cachedir=/var/cache/webmap \
- --lockfile=%t/webmap/lock \
+ --lockfile=%t/lock/webmap/lock \
-- %I
-RuntimeDirectory=webmap
-RuntimeDirectoryPreserve=yes
-
# Hardening
NoNewPrivileges=yes
ProtectHome=yes
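Review bot: The new `--lockfile=%t/lock/webmap/lock` path is shared with webmap-publish@.service, which passes the same path, and the file is pre-created root-owned with group write by the tmpfiles.d entry; none of that is visible from this unit, so someone editing one unit will not know the other depends on the same file. Suggest `# lock shared with webmap-publish@.service (serialises import and publication); pre-created root:_webmap 0664 by /etc/tmpfiles.d/webmap.conf` above `ExecStart=`. The `[Service]` section starts outside the hunk.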
@@ -35,6 +32,7 @@ ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
PrivateTmp=yes
[Install]
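Review bot: `ReadWritePaths=%t/lock/webmap` makes the whole lock directory writable inside the unit's mount namespace although this unit only opens `%t/lock/webmap/lock`; the download unit in the same commit grants exactly its own subdirectory, so for symmetry narrow this to `ReadWritePaths=%t/lock/webmap/lock`. Because the directory itself is root-owned 0755 the wider grant has no practical effect today, so this is least-privilege hygiene rather than an exposure. The `[Service]` section this line belongs to starts outside the hunk.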
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
new file mode 100644
index 0000000..e2f8e6b
--- /dev/null
+++ b/files/etc/systemd/system/webmap-publish@.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Webmap updater service (publish %I as MVT)
+#After=postgresql.service webmap-update@%i.target
+#After=webmap-download@%i.service
+#After=webmap-import@%i.service
+#Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-publish
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-publish \
+ --lockfile=%t/lock/webmap/lock \
+ --destdir=/var/www/webmap/tiles/%i \
+ --name=%I \
+ --webroot=/var/www/webmap \
+ --metadata=/var/www/webmap/tiles/metadata.json \
+ --metadata-lockfile=%t/lock/webmap/tiles.lock \
+ --compress \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=/var/www/webmap/tiles
+ReadWritePaths=%t/lock/webmap
+PrivateTmp=yes
+
+#[Install]
+#WantedBy=webmap-update@%i.target
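Review bot: The `# Hardening` block of the new unit stops at `ReadWritePaths=`/`PrivateTmp=` and leaves out restrictions that cost nothing for a oneshot running as a dedicated unprivileged user: an empty `CapabilityBoundingSet=`, `SystemCallFilter=@system-service` with `SystemCallArchitectures=native`, and the `Restrict*`/`LockPersonality=`/`ProtectKernelLogs=` settings shown below (the sibling download/import units appear to use the same template, so the same additions apply there). `ReadWritePaths=%t/lock/webmap` can also be narrowed to the two lock files the command line actually opens. A one-line comment that `--destdir` deliberately uses the escaped `%i` while `--name` uses the unescaped `%I`, so an instance name can never introduce a path separator under the tiles directory, would make that distinction look intentional rather than accidental. Run the unit once after adding the syscall filter, since the Python/GDAL stack may need an allowlist addition.
```ini
# … unchanged: [Unit], User=/Group=, scheduling, ExecStart= …
# Hardening
# … unchanged: NoNewPrivileges= … RestrictAddressFamilies= …
ReadWritePaths=/var/www/webmap/tiles
ReadWritePaths=%t/lock/webmap/lock %t/lock/webmap/tiles.lock
PrivateTmp=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ProtectKernelLogs=yes
```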
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
new file mode 100644
index 0000000..620cd24
--- /dev/null
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -0,0 +1,11 @@
+d %t/lock/webmap 0755 root root
+
+# for webmap-download's --lockdir
+d %t/lock/webmap/download 0755 _webmap-download _webmap
+
+# for webmap-import's *and* webmap-publish's --lockfile (hence the
+# ownership and g+w)
+f %t/lock/webmap/lock 0664 root _webmap
+
+# for webmap-publish's --metadata-lockfile
+f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap
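Review bot: The permission model in this file is what replaces `RuntimeDirectory=` in the units, and it deserves a header comment: the root-owned 0755 `%t/lock/webmap` means no member of `_webmap` can unlink or replace `lock`/`tiles.lock`, the shared `lock` is g+w only so both the import and publish users can open it for writing, and `%t` resolves to /run so everything here is recreated at boot. Suggest opening the file with `# Lock directory for the webmap-* units (%t = /run, recreated at boot). Kept root-owned so no _webmap member can remove or replace the entries below.` The `download` subdirectory is the one place a service user owns, which is fine for a lockdir but worth stating in its existing comment.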
diff --git a/handlers/main.yml b/handlers/main.yml
index 189b880..281951b 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -5,6 +5,9 @@
- name: systemctl daemon-reload
command: /usr/bin/systemctl daemon-reload
+- name: systemd-tmpfiles --create
+ command: /usr/bin/systemd-tmpfiles --create
+
- name: Refresh hostname
command: /usr/bin/hostnamectl hostname {{ inventory_hostname_short }}
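Review bot: The new handler applies every tmpfiles.d fragment on the host rather than the one this role changed; `command: /usr/bin/systemd-tmpfiles --create webmap.conf` limits it to this role's entries (a basename is looked up across the tmpfiles.d directories). Note also that `--create` only creates missing entries and adjusts ownership/mode; entries dropped from the file are not removed, so stale paths under /run persist until reboot.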
diff --git a/tasks/httpd.yml b/tasks/httpd.yml
index 22757d5..2e1fa98 100644
--- a/tasks/httpd.yml
+++ b/tasks/httpd.yml
@@ -2,6 +2,12 @@
- name: Install nginx
apt: pkg=nginx-light
+- name: Install nginx modules
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - libnginx-mod-http-brotli-static
+
- name: Start nginx
service: name=nginx enabled=true state=started
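Review bot: The site file's `brotli_static on;` only passes `nginx -t` once libnginx-mod-http-brotli-static is installed and its modules-enabled snippet is loaded, so this task must run before the task that deploys the site configuration and nginx must be restarted after the package lands; neither ordering is visible here, and if the site task or the reload handler runs first the reload fails with an unknown directive. Installing the module in the same apt call as nginx-light, and notifying a restart from that task, removes the window.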
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 053b744..9e2c2f6 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -1,14 +1,19 @@
- name: Install gdal-bin
apt: pkg=gdal-bin install-recommends=true
-- name: Install unzip
- apt: pkg=unzip
+- name: Install unzip and brotli
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - unzip
+ - brotli
- name: Install python dependencies
apt: pkg={{ packages }}
vars:
packages:
- python3
+ - python3-brotli
- python3-gdal
- python3-lxml
- python3-requests
@@ -309,3 +314,55 @@
target: all
- meta: flush_handlers
+
+
+- name: Create system user '_webmap-publish'
+ user: name=_webmap-publish system=true
+ group=_webmap
+ createhome=false
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ comment="Webmap update (publication as MVT)"
+ password="!"
+ state=present
+
+- name: Copy /usr/local/share/webmap/publish.py
+ copy: src=webmap-tools/webmap-publish
+ dest=/usr/local/share/webmap/publish.py
+ owner=root group=root
+ mode=0755
+
+- name: Create /usr/local/bin/webmap-publish
+ file: src=../share/webmap/publish.py
+ dest=/usr/local/bin/webmap-publish
+ owner=root group=root
+ state=link force=yes
+
+- name: Create directory /var/www/webmap/tiles
+ file: path=/var/www/webmap/tiles
+ state=directory
+ owner=_webmap-publish group=root
+ mode=0755
+
+- name: Copy webmap-publish@.service
+ copy: src=etc/systemd/system/webmap-publish@.service
+ dest=/etc/systemd/system/webmap-publish@.service
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+#- name: Enable webmap-publish@.service
+# service: name=webmap-publish@{{ item }}.service enabled=true
+# with_items: "{{ webmap_layer_groups }}"
+
+
+- name: Copy /etc/tmpfiles.d/webmap.conf
+ copy: src=etc/tmpfiles.d/webmap.conf
+ dest=/etc/tmpfiles.d/webmap.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemd-tmpfiles --create
+
+- meta: flush_handlers
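Review bot: The tmpfiles.d fragment is deployed last (`Copy /etc/tmpfiles.d/webmap.conf`, its handler only flushed by the final `flush_handlers`), while the download and import units patched in this commit already point at `%t/lock/webmap/...`; if those units are deployed and their handlers flushed earlier in this file, as the `flush_handlers` at the top of the hunk suggests, a timer firing in between finds no lock directory and the run fails. Move the tmpfiles.d copy and its `systemd-tmpfiles --create` handler ahead of the unit-file tasks. The `/var/www/webmap/tiles` task is also worth a comment, `# written by _webmap-publish, read by nginx; no group write needed`, since the unit runs with `Group=_webmap` but the directory is given group root.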
diff --git a/webmap-tools b/webmap-tools
-Subproject 54db31b0df41e397438d860ec8014b7100f72eb
+Subproject 7cda119879cf48ba72ba34522fa9cdf9ef6d9b4