authorGuilhem Moulin <guilhem@fripost.org>2026-03-06 13:50:24 +0100
committerGuilhem Moulin <guilhem@fripost.org>2026-03-06 16:08:40 +0100
commit1af347391f9f54b370dfc7395464b8ed637a79ca (patch)
treef73b1ff30c968763260c0aa0443de572c665350e
parent8ee835b7fc9a3e3eac93a74f877b0b040d8dcb03 (diff)
Rename "webmap" to the less generic "geodata".
The database has uses beyond the webmap. Cf. ca91a579770c89d25aefae220079bf336fa88dc9 in tools.
-rw-r--r--files/etc/systemd/system/geodata-download@.service (renamed from files/etc/systemd/system/webmap-download@.service)24
-rw-r--r--files/etc/systemd/system/geodata-import@.service (renamed from files/etc/systemd/system/webmap-import@.service)24
-rw-r--r--files/etc/systemd/system/geodata-raster@.service (renamed from files/etc/systemd/system/webmap-raster@.service)24
-rw-r--r--files/etc/systemd/system/geodata-update@.target3
-rw-r--r--files/etc/systemd/system/geodata-update@.timer (renamed from files/etc/systemd/system/webmap-update@.timer)4
-rw-r--r--files/etc/systemd/system/webmap-update@.target3
-rw-r--r--files/etc/tmpfiles.d/geodata.conf8
-rw-r--r--files/etc/tmpfiles.d/webmap.conf8
-rw-r--r--group_vars/all.yml8
-rw-r--r--setup.yml4
-rw-r--r--tasks/geodata.yml211
-rw-r--r--tasks/postgis.yml158
-rw-r--r--tasks/webmap.yml379
-rw-r--r--templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j23
-rw-r--r--templates/etc/systemd/system/webmap-cgi.service2
-rw-r--r--templates/etc/systemd/system/webmap-update@.timer.d/override.conf.j23
m---------webmap-tools0
17 files changed, 434 insertions, 432 deletions
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/geodata-download@.service
index d7a49dc..2a8c940 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/geodata-download@.service
@@ -1,22 +1,22 @@
[Unit]
-Description=Webmap updater service (download ‘%I’)
+Description=Geodata updater service (download ‘%I’)
# Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
# XXX Looks like Upholds= prevents running a single unit, as it causes
-# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
-After=network-online.target webmap-update@%i.target
-Upholds=webmap-update@%i.target
+# geodata-update@%i.target to start upon `systemctl start geodata-download@foo.service`
+After=network-online.target geodata-update@%i.target
+Upholds=geodata-update@%i.target
[Service]
-User=_webmap-download
-Group=_webmap
+User=_geodata-download
+Group=_geodata
Nice=15
IOSchedulingClass=idle
Type=oneshot
-ExecStart=/usr/local/bin/webmap-download \
- --cachedir=%C/webmap \
- --lockdir=%t/lock/webmap/cache \
+ExecStart=/usr/local/bin/geodata-download \
+ --cachedir=%C/geodata \
+ --lockdir=%t/lock/geodata/cache \
--no-exit-code \
--quiet \
-- %I
@@ -30,8 +30,8 @@ ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=%C/webmap
-ReadWritePaths=%t/lock/webmap/cache
+ReadWritePaths=%C/geodata
+ReadWritePaths=%t/lock/geodata/cache
[Install]
-WantedBy=webmap-update@%i.target
+WantedBy=geodata-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/geodata-import@.service
index e2a6eb4..7d652ea 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/geodata-import@.service
@@ -1,12 +1,12 @@
[Unit]
-Description=Webmap updater service (import ‘%I’ to PostGIS)
-After=postgresql.service webmap-update@%i.target
-After=webmap-download@%i.service
-Upholds=webmap-update@%i.target
+Description=Geodata updater service (import ‘%I’ to PostGIS)
+After=postgresql.service geodata-update@%i.target
+After=geodata-download@%i.service
+Upholds=geodata-update@%i.target
[Service]
-User=_webmap
-Group=_webmap
+User=_geodata
+Group=_geodata
Nice=15
IOSchedulingClass=idle
@@ -15,10 +15,10 @@ IOSchedulingClass=idle
Environment=TMPDIR=/var/tmp
Type=oneshot
-ExecStart=/usr/local/bin/webmap-import \
- --cachedir=%C/webmap \
- --lockfile=%t/lock/webmap/lock \
- --lockdir-sources=%t/lock/webmap/cache \
+ExecStart=/usr/local/bin/geodata-import \
+ --cachedir=%C/geodata \
+ --lockfile=%t/lock/geodata/lock \
+ --lockdir-sources=%t/lock/geodata/cache \
--mvtdir=/var/www/webmap/tiles/%I \
--mvt-compress \
--metadata-compress \
@@ -33,9 +33,9 @@ ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=%t/lock/webmap
+ReadWritePaths=%t/lock/geodata
ReadWritePaths=/var/www/webmap/tiles
PrivateTmp=yes
[Install]
-WantedBy=webmap-update@%i.target
+WantedBy=geodata-update@%i.target
diff --git a/files/etc/systemd/system/webmap-raster@.service b/files/etc/systemd/system/geodata-raster@.service
index 42a97cf..aed7930 100644
--- a/files/etc/systemd/system/webmap-raster@.service
+++ b/files/etc/systemd/system/geodata-raster@.service
@@ -1,12 +1,12 @@
[Unit]
-Description=Webmap updater service (export ‘%I’ to COG)
-After=webmap-update@%i.target
-After=webmap-download@%i.service
-Upholds=webmap-update@%i.target
+Description=Geodata updater service (export ‘%I’ to COG)
+After=geodata-update@%i.target
+After=geodata-download@%i.service
+Upholds=geodata-update@%i.target
[Service]
-User=_webmap
-Group=_webmap
+User=_geodata
+Group=_geodata
Nice=15
IOSchedulingClass=idle
@@ -15,10 +15,10 @@ IOSchedulingClass=idle
Environment=TMPDIR=/var/tmp
Type=oneshot
-ExecStart=/usr/local/bin/webmap-import \
- --cachedir=%C/webmap \
- --lockfile=%t/lock/webmap/lock \
- --lockdir-sources=%t/lock/webmap/cache \
+ExecStart=/usr/local/bin/geodata-import \
+ --cachedir=%C/geodata \
+ --lockfile=%t/lock/geodata/lock \
+ --lockdir-sources=%t/lock/geodata/cache \
--rasterdir=/var/www/webmap/raster/%I \
--metadata-compress \
-- %I
@@ -32,9 +32,9 @@ ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX
-ReadWritePaths=%t/lock/webmap
+ReadWritePaths=%t/lock/geodata
ReadWritePaths=/var/www/webmap/raster
PrivateTmp=yes
[Install]
-WantedBy=webmap-update@%i.target
+WantedBy=geodata-update@%i.target
diff --git a/files/etc/systemd/system/geodata-update@.target b/files/etc/systemd/system/geodata-update@.target
new file mode 100644
index 0000000..e7cdecb
--- /dev/null
+++ b/files/etc/systemd/system/geodata-update@.target
@@ -0,0 +1,3 @@
+[Unit]
+Description=Geodata updater (target unit ‘%I’)
+StopWhenUnneeded=true
diff --git a/files/etc/systemd/system/webmap-update@.timer b/files/etc/systemd/system/geodata-update@.timer
index 74fb848..90fd865 100644
--- a/files/etc/systemd/system/webmap-update@.timer
+++ b/files/etc/systemd/system/geodata-update@.timer
@@ -1,11 +1,11 @@
[Unit]
-Description=Webmap updater (timer unit)
+Description=Geodata updater (timer unit)
[Timer]
OnCalendar=*-*-* 01:00:00
AccuracySec=1s
RandomizedDelaySec=3599
-Unit=webmap-update@%i.target
+Unit=geodata-update@%i.target
[Install]
WantedBy=timers.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
deleted file mode 100644
index 840de96..0000000
--- a/files/etc/systemd/system/webmap-update@.target
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-Description=Webmap updater (target unit ‘%I’)
-StopWhenUnneeded=true
diff --git a/files/etc/tmpfiles.d/geodata.conf b/files/etc/tmpfiles.d/geodata.conf
new file mode 100644
index 0000000..a299e0f
--- /dev/null
+++ b/files/etc/tmpfiles.d/geodata.conf
@@ -0,0 +1,8 @@
+d %t/lock/geodata 00755 root root
+
+# for `geodata-download --lockdir` *and* `geodata-import --lockdir-sources`
+# (hence the set-group-ID bit and g+w)
+d %t/lock/geodata/cache 02775 _geodata-download _geodata
+
+# for `geodata-import --lockfile`
+f %t/lock/geodata/lock 00644 _geodata _geodata
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
deleted file mode 100644
index 786e6dd..0000000
--- a/files/etc/tmpfiles.d/webmap.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-d %t/lock/webmap 00755 root root
-
-# for `webmap-download --lockdir` *and* `webmap-import --lockdir-sources`
-# (hence the set-group-ID bit and g+w)
-d %t/lock/webmap/cache 02775 _webmap-download _webmap
-
-# for `webmap-import --lockfile`
-f %t/lock/webmap/lock 00644 _webmap _webmap
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 4caa775..3531f04 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,7 +1,7 @@
---
# The list of layer groups to process, see
# webmap-tools/config.yml:layer-groups.
-webmap_layer_groups:
+geodata_layer_groups:
- adm
- mrr
- skydd
@@ -13,15 +13,15 @@ webmap_layer_groups:
- misc
- nv
-webmap_raster:
+geodata_raster:
- kskog
-webmap_layer_groups_nodownload:
+geodata_layer_groups_nodownload:
- adm
- misc
# adjust calendar events for individual units
-webmap_layer_groups_update_calendar:
+geodata_layer_groups_update_calendar:
mrr: "*-*-* 05:00:00" # updated daily at 04:33 CEST
# PostgreSQL's version number and cluster name
diff --git a/setup.yml b/setup.yml
index 33780a8..00adee4 100644
--- a/setup.yml
+++ b/setup.yml
@@ -22,6 +22,10 @@
tags:
- mail
- postfix
+ - import_tasks: ./tasks/geodata.yml
+ tags: geodata
+ - import_tasks: ./tasks/postgis.yml
+ tags: postgis
- import_tasks: ./tasks/webmap.yml
tags: webmap
- import_tasks: ./tasks/httpd.yml
diff --git a/tasks/geodata.yml b/tasks/geodata.yml
new file mode 100644
index 0000000..fcf3471
--- /dev/null
+++ b/tasks/geodata.yml
@@ -0,0 +1,211 @@
+- name: Install gdal-bin
+ apt: pkg=gdal-bin install-recommends=true
+
+- name: Install unzip
+ apt: pkg=unzip
+
+- name: Install python dependencies
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - python3
+ - python3-brotli
+ - python3-gdal
+ - python3-requests
+ - python3-systemd
+ - python3-tqdm
+ - python3-urllib3
+ - python3-xdg
+ - python3-yaml
+
+- name: Create directory /etc/geodata
+ file: path=/etc/geodata
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy /etc/geodata/config.yml
+ copy: src=webmap-tools/config.yml
+ dest=/etc/geodata/config.yml
+ owner=root group=root
+ mode=0644
+
+- name: Create directory /usr/local/share/geodata
+ file: path=/usr/local/share/geodata
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy /usr/local/share/geodata/*.py modules
+ copy: src=webmap-tools/{{ item }}
+ dest=/usr/local/share/geodata/{{ item }}
+ owner=root group=root
+ mode=0644
+ with_items:
+ # TODO these should be compiled
+ - common.py
+ - common_gdal.py
+ - import_source.py
+ - export_mvt.py
+ - export_raster.py
+ - rename_exchange.py
+
+- name: Copy geodata-update@.target
+ copy: src=etc/systemd/system/geodata-update@.target
+ dest=/etc/systemd/system/geodata-update@.target
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Copy geodata-update@.timer
+ copy: src=etc/systemd/system/geodata-update@.timer
+ dest=/etc/systemd/system/geodata-update@.timer
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Create directory /etc/systemd/system/geodata-update@*.timer.d
+ file: path=/etc/systemd/system/geodata-update@{{ item }}.timer.d
+ state=directory
+ owner=root group=root
+ mode=0755
+ with_items: "{{ geodata_layer_groups_update_calendar.keys() | list }}"
+
+- name: Copy /etc/systemd/system/geodata-update@*.timer.d/override.conf
+ template: src=etc/systemd/system/geodata-update@.timer.d/override.conf.j2
+ dest=/etc/systemd/system/geodata-update@{{ item }}.timer.d/override.conf
+ owner=root group=root
+ mode=0644
+ with_items: "{{ geodata_layer_groups_update_calendar.keys() | list }}"
+ notify:
+ - systemctl daemon-reload
+
+- name: Enable geodata-update.timer
+ service: name=geodata-update@{{ item }}.timer state=started enabled=true
+ with_items: "{{ geodata_layer_groups | union(geodata_raster) }}"
+
+- meta: flush_handlers
+
+
+- name: Create system group '_geodata'
+ group: name=_geodata system=true
+ state=present
+
+- name: Create system user '_geodata-download'
+ user: name=_geodata-download system=true
+ group=_geodata
+ createhome=false
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ comment="geodata update (download)"
+ password="!"
+ state=present
+
+- name: Copy /usr/local/share/geodata/download.py
+ copy: src=webmap-tools/geodata-download
+ dest=/usr/local/share/geodata/download.py
+ owner=root group=root
+ mode=0755
+
+- name: Create /usr/local/bin/geodata-download
+ file: src=../share/geodata/download.py
+ dest=/usr/local/bin/geodata-download
+ owner=root group=root
+ state=link force=yes
+
+- name: Create directory /var/cache/geodata
+ file: path=/var/cache/geodata
+ state=directory
+ owner=_geodata-download group=root
+ mode=0755
+
+- name: Create directory /var/cache/geodata/custom
+ file: path=/var/cache/geodata/custom
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy custom layers into /var/cache/geodata/custom
+ copy: src=webmap-tools/layers/custom/
+ dest=/var/cache/geodata/custom/
+ owner=root group=root
+ mode=0644
+ directory_mode=0755
+
+- name: Copy geodata-download@.service
+ copy: src=etc/systemd/system/geodata-download@.service
+ dest=/etc/systemd/system/geodata-download@.service
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Enable geodata-download@.service
+ service: name=geodata-download@{{ item }}.service enabled=true
+ with_items: "{{ geodata_layer_groups | union(geodata_raster) | difference(geodata_layer_groups_nodownload) }}"
+
+- name: Disable some geodata-download@.service
+ service: name=geodata-download@{{ item }}.service enabled=false
+ with_items: "{{ geodata_layer_groups_nodownload }}"
+
+- meta: flush_handlers
+
+
+- name: Copy /etc/tmpfiles.d/geodata.conf
+ copy: src=etc/tmpfiles.d/geodata.conf
+ dest=/etc/tmpfiles.d/geodata.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemd-tmpfiles --create
+
+- meta: flush_handlers
+
+
+- name: Create system user '_geodata'
+ user: name=_geodata system=true
+ group=_geodata
+ createhome=false
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ comment="geodata update (extract/import)"
+ password="!"
+ state=present
+
+- name: Copy /usr/local/share/geodata/import.py
+ copy: src=webmap-tools/geodata-import
+ dest=/usr/local/share/geodata/import.py
+ owner=root group=root
+ mode=0755
+
+- name: Create /usr/local/bin/geodata-import
+ file: src=../share/geodata/import.py
+ dest=/usr/local/bin/geodata-import
+ owner=root group=root
+ state=link force=yes
+
+- name: Copy geodata-import@.service
+ copy: src=etc/systemd/system/geodata-import@.service
+ dest=/etc/systemd/system/geodata-import@.service
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Enable geodata-import@.service
+ service: name=geodata-import@{{ item }}.service enabled=true
+ with_items: "{{ geodata_layer_groups }}"
+
+- name: Copy geodata-raster@.service
+ copy: src=etc/systemd/system/geodata-raster@.service
+ dest=/etc/systemd/system/geodata-raster@.service
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Enable geodata-raster@.service
+ service: name=geodata-raster@{{ item }}.service enabled=true
+ with_items: "{{ geodata_raster }}"
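Review bot: The `Copy /etc/tmpfiles.d/geodata.conf` task and the `flush_handlers` that follows it run before `Create system user '_geodata'`, yet geodata.conf contains `f %t/lock/geodata/lock 00644 _geodata _geodata`. On a host where that account does not exist yet (a fresh install, or the first run after this rename), the `systemd-tmpfiles --create` handler would presumably be unable to resolve the owner, leaving the import lock file missing or the play aborted; the handler itself is not visible here, so this should be confirmed. In the old tasks/webmap.yml the tmpfiles task came after both user tasks. Moving `Create system user '_geodata'` up next to `Create system user '_geodata-download'`, ahead of the tmpfiles task, restores that ordering.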
diff --git a/tasks/postgis.yml b/tasks/postgis.yml
new file mode 100644
index 0000000..3e156a9
--- /dev/null
+++ b/tasks/postgis.yml
@@ -0,0 +1,158 @@
+- name: Install PostgreSQL and PostGIS
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - postgresql
+ - postgresql-postgis
+ - postgis
+ # for ansible
+ - python3-psycopg
+
+- name: Generate sv_SE.UTF-8 locales
+ locale_gen: name=sv_SE.UTF-8 state=present
+ # PostgreSQL needs to be restarted to see the new locale
+ notify: Restart PostgreSQL
+
+- name: Configure PostgreSQL
+ copy: src=etc/postgresql/postgresql.conf
+ dest=/etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/conf.d/local.conf
+ owner=postgres group=postgres
+ mode=0644
+ notify: Restart PostgreSQL
+
+- name: Start PostgreSQL
+ service: name=postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service state=started
+
+- meta: flush_handlers
+
+# Usage: \sudo -u postgres psql </usr/local/share/geodata/schema.sql
+- name: Copy /usr/local/share/geodata/schema.sql
+ copy: src=webmap-tools/schema.sql
+ dest=/usr/local/share/geodata/schema.sql
+ owner=root group=root
+ mode=0644
+
+- name: Create PostgreSQL database
+ become: true
+ # XXX: this creates /var/lib/postgresql/.ansible/tmp
+ become_user: postgres
+ community.postgresql.postgresql_db:
+ name: geodata
+ comment: Backend PostGIS database for KlimatanalysNorr tooling
+ encoding: UTF-8
+ lc_collate: sv_SE.UTF-8
+ lc_ctype: sv_SE.UTF-8
+ locale_provider: icu
+ icu_locale: sv-SE-x-icu
+ template: template0
+ owner: postgres
+
+- name: Create 'geodata' and 'guest' PostgreSQL users (roles)
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_user:
+ login_db: geodata
+ name: "{{ item }}"
+ with_items:
+ - geodata
+ - guest
+
+- name: Add a rule for 'geodata' user in pg_hba.conf
+ ansible.builtin.lineinfile:
+ path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_hba.conf
+ regexp: '^local\s+geodata\s'
+ line: 'local geodata all peer map=pgmap_geodata'
+ # must come before 'local all all peer', cf.
+ # https://dba.stackexchange.com/questions/177142/postgresql-cannot-peer-authenticate-using-usermap-provided-user-name-dbuser
+ insertbefore: '^local\s+all\s+all\s'
+ create: false
+ notify: Reload PostgreSQL
+
+- name: Add a mapping rule for 'geodata' user in pg_ident.conf
+ ansible.builtin.lineinfile:
+ path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
+ regexp: '^pgmap_geodata\s.*\sgeodata\s*$'
+ line: 'pgmap_geodata _geodata geodata'
+ create: false
+ notify: Reload PostgreSQL
+
+- name: Add a mapping rule for 'guest' user in pg_ident.conf
+ ansible.builtin.lineinfile:
+ path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
+ regexp: '^pgmap_geodata\s.*\sguest\s*$'
+ line: 'pgmap_geodata /^_?[a-zA-Z][a-zA-Z0-9_\-]*[a-zA-Z0-9]$ guest'
+ create: false
+ notify: Reload PostgreSQL
+
+- name: Create PostgreSQL schemas
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_schema:
+ login_db: geodata
+ name: "{{ item.name }}"
+ owner: postgres
+ comment: "{{ item.comment }}"
+ with_items: "{{ postgis_schemas }}"
+
+- name: Install 'postgis' PostgreSQL extension to the geodata database
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_ext:
+ name: postgis
+ login_db: geodata
+ comment: Geographic objects support for PostgreSQL
+
+- name: GRANT CONNECT ON DATABASE geodata TO geodata, guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ login_db: geodata
+ privs: CONNECT
+ type: database
+ role: geodata,guest
+
+- name: GRANT USAGE ON SCHEMA * TO geodata, guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ login_db: geodata
+ privs: USAGE
+ type: schema
+ objs: "{{ (['public'] + (postgis_schemas | map(attribute='name'))) | join(',') }}"
+ role: geodata,guest
+
+# tooling should TRUNCATE existing output layers instead
+- name: REVOKE CREATE ON SCHEMA * FROM geodata
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ login_db: geodata
+ privs: CREATE
+ type: schema
+ objs: "{{ (['public'] + (postgis_schemas | map(attribute='name'))) | join(',') }}"
+ role: geodata
+ state: absent
+
+- name: GRANT SELECT ON TABLES IN SCHEMA * TO guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ login_db: geodata
+ privs: SELECT
+ type: table
+ obj: ALL_IN_SCHEMA
+ schema: "{{ item }}"
+ role: guest
+ with_items: "{{ ['public'] + (postgis_schemas | map(attribute='name')) }}"
+
+- name: GRANT USAGE, SELECT ON SEQUENCES IN SCHEMA * TO guest
+ become: true
+ become_user: postgres
+ community.postgresql.postgresql_privs:
+ login_db: geodata
+ privs: USAGE,SELECT
+ type: sequence
+ obj: ALL_IN_SCHEMA
+ schema: "{{ item }}"
+ role: guest
+ with_items: "{{ ['public'] + (postgis_schemas | map(attribute='name')) }}"
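Review bot: The `lineinfile` patterns in the pg_hba.conf and pg_ident.conf tasks match only the new names (`'^local\s+geodata\s'`, `'^pgmap_geodata\s.*\sguest\s*$'`), so on a host provisioned before this rename the old `local webmap all peer map=pgmap_webmap` rule and both `pgmap_webmap` mappings stay in place. The `webmap` database and the `webmap_import`/`webmap_guest` roles are not removed either, so the old wildcard guest mapping would keep authenticating any matching local account as `webmap_guest` for as long as that database exists. If existing hosts are migrated by this playbook rather than rebuilt, add cleanup tasks: a `lineinfile` with `regexp: '^local\s+webmap\s'` and `state: absent`, the same for `'^pgmap_webmap\s'` in pg_ident.conf, both with `notify: Reload PostgreSQL`. The old roles and database should be dropped once the data has been moved.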
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 1ff8ea3..682e785 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -1,367 +1,5 @@
-- name: Install gdal-bin
- apt: pkg=gdal-bin install-recommends=true
-
-- name: Install unzip and brotli
- apt: pkg={{ packages }}
- vars:
- packages:
- - unzip
- - brotli
-
-- name: Install python dependencies
- apt: pkg={{ packages }}
- vars:
- packages:
- - python3
- - python3-brotli
- - python3-gdal
- - python3-requests
- - python3-systemd
- - python3-tqdm
- - python3-urllib3
- - python3-xdg
- - python3-yaml
-
-- name: Create directory /etc/webmap
- file: path=/etc/webmap
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Copy /etc/webmap/config.yml
- copy: src=webmap-tools/config.yml
- dest=/etc/webmap/config.yml
- owner=root group=root
- mode=0644
-
-- name: Create directory /usr/local/share/webmap
- file: path=/usr/local/share/webmap
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Copy /usr/local/share/webmap/*.py modules
- copy: src=webmap-tools/{{ item }}
- dest=/usr/local/share/webmap/{{ item }}
- owner=root group=root
- mode=0644
- with_items:
- # TODO these should be compiled
- - common.py
- - common_gdal.py
- - import_source.py
- - export_mvt.py
- - export_raster.py
- - rename_exchange.py
-
-- name: Copy webmap-update@.target
- copy: src=etc/systemd/system/webmap-update@.target
- dest=/etc/systemd/system/webmap-update@.target
- owner=root group=root
- mode=0644
- notify:
- - systemctl daemon-reload
-
-- name: Copy webmap-update@.timer
- copy: src=etc/systemd/system/webmap-update@.timer
- dest=/etc/systemd/system/webmap-update@.timer
- owner=root group=root
- mode=0644
- notify:
- - systemctl daemon-reload
-
-- name: Create directory /etc/systemd/system/webmap-update@*.timer.d
- file: path=/etc/systemd/system/webmap-update@{{ item }}.timer.d
- state=directory
- owner=root group=root
- mode=0755
- with_items: "{{ webmap_layer_groups_update_calendar.keys() | list }}"
-
-- name: Copy /etc/systemd/system/webmap-update@*.timer.d/override.conf
- template: src=etc/systemd/system/webmap-update@.timer.d/override.conf.j2
- dest=/etc/systemd/system/webmap-update@{{ item }}.timer.d/override.conf
- owner=root group=root
- mode=0644
- with_items: "{{ webmap_layer_groups_update_calendar.keys() | list }}"
- notify:
- - systemctl daemon-reload
-
-- name: Enable webmap-update.timer
- service: name=webmap-update@{{ item }}.timer state=started enabled=true
- with_items: "{{ webmap_layer_groups | union(webmap_raster) }}"
-
-- meta: flush_handlers
-
-
-- name: Create system group '_webmap'
- group: name=_webmap system=true
- state=present
-
-- name: Create system user '_webmap-download'
- user: name=_webmap-download system=true
- group=_webmap
- createhome=false
- home=/nonexistent
- shell=/usr/sbin/nologin
- comment="Webmap update (download)"
- password="!"
- state=present
-
-- name: Copy /usr/local/share/webmap/download.py
- copy: src=webmap-tools/webmap-download
- dest=/usr/local/share/webmap/download.py
- owner=root group=root
- mode=0755
-
-- name: Create /usr/local/bin/webmap-download
- file: src=../share/webmap/download.py
- dest=/usr/local/bin/webmap-download
- owner=root group=root
- state=link force=yes
-
-- name: Create directory /var/cache/webmap
- file: path=/var/cache/webmap
- state=directory
- owner=_webmap-download group=root
- mode=0755
-
-- name: Create directory /var/cache/webmap/custom
- file: path=/var/cache/webmap/custom
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Copy custom layers into /var/cache/webmap/custom
- copy: src=webmap-tools/layers/custom/
- dest=/var/cache/webmap/custom/
- owner=root group=root
- mode=0644
- directory_mode=0755
-
-- name: Copy webmap-download@.service
- copy: src=etc/systemd/system/webmap-download@.service
- dest=/etc/systemd/system/webmap-download@.service
- owner=root group=root
- mode=0644
- notify:
- - systemctl daemon-reload
-
-- name: Enable webmap-download@.service
- service: name=webmap-download@{{ item }}.service enabled=true
- with_items: "{{ webmap_layer_groups | union(webmap_raster) | difference(webmap_layer_groups_nodownload) }}"
-
-- name: Disable some webmap-download@.service
- service: name=webmap-download@{{ item }}.service enabled=false
- with_items: "{{ webmap_layer_groups_nodownload }}"
-
-- meta: flush_handlers
-
-
-- name: Create system user '_webmap'
- user: name=_webmap system=true
- group=_webmap
- createhome=false
- home=/nonexistent
- shell=/usr/sbin/nologin
- comment="Webmap update (extract/import)"
- password="!"
- state=present
-
-- name: Install PostgreSQL and PostGIS
- apt: pkg={{ packages }}
- vars:
- packages:
- - postgresql
- - postgresql-postgis
- - postgis
- # for ansible
- - python3-psycopg
-
-- name: Generate sv_SE.UTF-8 locales
- locale_gen: name=sv_SE.UTF-8 state=present
- # PostgreSQL needs to be restarted to see the new locale
- notify: Restart PostgreSQL
-
-- name: Configure PostgreSQL
- copy: src=etc/postgresql/postgresql.conf
- dest=/etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/conf.d/local.conf
- owner=postgres group=postgres
- mode=0644
- notify: Restart PostgreSQL
-
-- name: Start PostgreSQL
- service: name=postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service state=started
-
-- meta: flush_handlers
-
-# Usage: \sudo -u postgres psql </usr/local/share/webmap/schema.sql
-- name: Copy /usr/local/share/webmap/schema.sql
- copy: src=webmap-tools/schema.sql
- dest=/usr/local/share/webmap/schema.sql
- owner=root group=root
- mode=0644
-
-- name: Create PostgreSQL database
- become: true
- # XXX: this creates /var/lib/postgresql/.ansible/tmp
- become_user: postgres
- community.postgresql.postgresql_db:
- name: webmap
- comment: Backend PostGIS database for KlimatanalysNorr tooling
- encoding: UTF-8
- lc_collate: sv_SE.UTF-8
- lc_ctype: sv_SE.UTF-8
- locale_provider: icu
- icu_locale: sv-SE-x-icu
- template: template0
- owner: postgres
-
-- name: Create 'webmap_import' and 'webmap_guest' PostgreSQL users (roles)
- become: true
- become_user: postgres
- community.postgresql.postgresql_user:
- login_db: webmap
- name: "{{ item }}"
- with_items:
- - webmap_import
- - webmap_guest
-
-- name: Add a rule for 'webmap_import' user in pg_hba.conf
- ansible.builtin.lineinfile:
- path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_hba.conf
- regexp: '^local\s+webmap\s'
- line: 'local webmap all peer map=pgmap_webmap'
- # must come before 'local all all peer', cf.
- # https://dba.stackexchange.com/questions/177142/postgresql-cannot-peer-authenticate-using-usermap-provided-user-name-dbuser
- insertbefore: '^local\s+all\s+all\s'
- create: false
- notify: Reload PostgreSQL
-
-- name: Add a mapping rule for 'webmap_import' user in pg_ident.conf
- ansible.builtin.lineinfile:
- path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
- regexp: '^pgmap_webmap\s.*\swebmap_import\s*$'
- line: 'pgmap_webmap _webmap webmap_import'
- create: false
- notify: Reload PostgreSQL
-
-- name: Add a mapping rule for 'webmap_guest' user in pg_ident.conf
- ansible.builtin.lineinfile:
- path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
- regexp: '^pgmap_webmap\s.*\swebmap_guest\s*$'
- line: 'pgmap_webmap /^_?[a-zA-Z][a-zA-Z0-9_\-]*[a-zA-Z0-9]$ webmap_guest'
- create: false
- notify: Reload PostgreSQL
-
-- name: Create PostgreSQL schemas
- become: true
- become_user: postgres
- community.postgresql.postgresql_schema:
- login_db: webmap
- name: "{{ item.name }}"
- owner: postgres
- comment: "{{ item.comment }}"
- with_items: "{{ postgis_schemas }}"
-
-- name: Install 'postgis' PostgreSQL extension to the webmap database
- become: true
- become_user: postgres
- community.postgresql.postgresql_ext:
- name: postgis
- login_db: webmap
- comment: Geographic objects support for PostgreSQL
-
-- name: GRANT CONNECT ON DATABASE webmap TO webmap_import, webmap_guest
- become: true
- become_user: postgres
- community.postgresql.postgresql_privs:
- login_db: webmap
- privs: CONNECT
- type: database
- role: webmap_import,webmap_guest
-
-- name: GRANT USAGE ON SCHEMA * TO webmap_import, webmap_guest
- become: true
- become_user: postgres
- community.postgresql.postgresql_privs:
- login_db: webmap
- privs: USAGE
- type: schema
- objs: "{{ (['public'] + (postgis_schemas | map(attribute='name'))) | join(',') }}"
- role: webmap_import,webmap_guest
-
-# tooling should TRUNCATE existing output layers instead
-- name: REVOKE CREATE ON SCHEMA * FROM webmap_import
- become: true
- become_user: postgres
- community.postgresql.postgresql_privs:
- login_db: webmap
- privs: CREATE
- type: schema
- objs: "{{ (['public'] + (postgis_schemas | map(attribute='name'))) | join(',') }}"
- role: webmap_import
- state: absent
-
-- name: GRANT SELECT ON TABLES IN SCHEMA * TO webmap_guest
- become: true
- become_user: postgres
- community.postgresql.postgresql_privs:
- login_db: webmap
- privs: SELECT
- type: table
- obj: ALL_IN_SCHEMA
- schema: "{{ item }}"
- role: webmap_guest
- with_items: "{{ ['public'] + (postgis_schemas | map(attribute='name')) }}"
-
-- name: GRANT USAGE, SELECT ON SEQUENCES IN SCHEMA * TO webmap_guest
- become: true
- become_user: postgres
- community.postgresql.postgresql_privs:
- login_db: webmap
- privs: USAGE,SELECT
- type: sequence
- obj: ALL_IN_SCHEMA
- schema: "{{ item }}"
- role: webmap_guest
- with_items: "{{ ['public'] + (postgis_schemas | map(attribute='name')) }}"
-
-- name: Copy /usr/local/share/webmap/import.py
- copy: src=webmap-tools/webmap-import
- dest=/usr/local/share/webmap/import.py
- owner=root group=root
- mode=0755
-
-- name: Create /usr/local/bin/webmap-import
- file: src=../share/webmap/import.py
- dest=/usr/local/bin/webmap-import
- owner=root group=root
- state=link force=yes
-
-- name: Copy webmap-import@.service
- copy: src=etc/systemd/system/webmap-import@.service
- dest=/etc/systemd/system/webmap-import@.service
- owner=root group=root
- mode=0644
- notify:
- - systemctl daemon-reload
-
-- name: Enable webmap-import@.service
- service: name=webmap-import@{{ item }}.service enabled=true
- with_items: "{{ webmap_layer_groups }}"
-
-- name: Copy webmap-raster@.service
- copy: src=etc/systemd/system/webmap-raster@.service
- dest=/etc/systemd/system/webmap-raster@.service
- owner=root group=root
- mode=0644
- notify:
- - systemctl daemon-reload
-
-- name: Enable webmap-raster@.service
- service: name=webmap-raster@{{ item }}.service enabled=true
- with_items: "{{ webmap_raster }}"
-
+- name: Install brotli
+ apt: pkg=brotli
- name: Build administrative-codes.json*
become: false
@@ -391,24 +29,15 @@
- name: Create directory /var/www/webmap/tiles
file: path=/var/www/webmap/tiles
state=directory
- owner=_webmap group=root
+ owner=_geodata group=root
mode=0755
- name: Create directory /var/www/webmap/raster
file: path=/var/www/webmap/raster
state=directory
- owner=_webmap group=root
+ owner=_geodata group=root
mode=0755
-
-- name: Copy /etc/tmpfiles.d/webmap.conf
- copy: src=etc/tmpfiles.d/webmap.conf
- dest=/etc/tmpfiles.d/webmap.conf
- owner=root group=root
- mode=0644
- notify:
- - systemd-tmpfiles --create
-
- meta: flush_handlers
diff --git a/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2 b/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2
new file mode 100644
index 0000000..103fbde
--- /dev/null
+++ b/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2
@@ -0,0 +1,3 @@
+[Timer]
+OnCalendar=
+OnCalendar={{ geodata_layer_groups_update_calendar[item] }}
diff --git a/templates/etc/systemd/system/webmap-cgi.service b/templates/etc/systemd/system/webmap-cgi.service
index 809d104..9c9ffe9 100644
--- a/templates/etc/systemd/system/webmap-cgi.service
+++ b/templates/etc/systemd/system/webmap-cgi.service
@@ -17,7 +17,7 @@ ExecStart=/usr/bin/uwsgi -M -p2 \
--harakiri 60 \
--lazy-apps \
--plugins python3 \
- --pythonpath /usr/local/share/webmap \
+ --pythonpath /usr/local/share/geodata \
--wsgi-file /usr/local/libexec/webmap-cgi
Nice=10
RestartSec=15s
diff --git a/templates/etc/systemd/system/webmap-update@.timer.d/override.conf.j2 b/templates/etc/systemd/system/webmap-update@.timer.d/override.conf.j2
deleted file mode 100644
index 795ee20..0000000
--- a/templates/etc/systemd/system/webmap-update@.timer.d/override.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-[Timer]
-OnCalendar=
-OnCalendar={{ webmap_layer_groups_update_calendar[item] }}
diff --git a/webmap-tools b/webmap-tools
-Subproject dac98568efd76dea7e7149c55a841218ea73378
+Subproject ca91a579770c89d25aefae220079bf336fa88dc