author | Guilhem Moulin <guilhem@fripost.org> | 2024-09-25 19:18:15 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-09-25 21:44:41 +0200 |
commit | f0feb7c74ca2252ef2513da12fc85be9684a54b4 (patch) | |
tree | 301152d43426ab8f242ab835fdc04e6f3ba21196 /files/etc/systemd/system/webmap-publish@.service | |
parent | 5f9605745f4f8e59d5aba78da18b8a50bc4a5d88 (diff) |
Copy webmap-publish.
We also replace persistent/shared RuntimeDirectory settings with
directories defined as tmpfiles.d(5) entries. This gives finer-grained
control over access permissions.
We also change static compression from gzip to brotli on the HTTPd.
Diffstat (limited to 'files/etc/systemd/system/webmap-publish@.service')
-rw-r--r-- | files/etc/systemd/system/webmap-publish@.service | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
new file mode 100644
index 0000000..e2f8e6b
--- /dev/null
+++ b/files/etc/systemd/system/webmap-publish@.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Webmap updater service (publish %I as MVT)
+#After=postgresql.service webmap-update@%i.target
+#After=webmap-download@%i.service
+#After=webmap-import@%i.service
+#Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-publish
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-publish \
+ --lockfile=%t/lock/webmap/lock \
+ --destdir=/var/www/webmap/tiles/%i \
+ --name=%I \
+ --webroot=/var/www/webmap \
+ --metadata=/var/www/webmap/tiles/metadata.json \
+ --metadata-lockfile=%t/lock/webmap/tiles.lock \
+ --compress \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=/var/www/webmap/tiles
+ReadWritePaths=%t/lock/webmap
+PrivateTmp=yes
+
+#[Install]
+#WantedBy=webmap-update@%i.target |
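Review bot: The `# Hardening` block stops short of the usual sandbox baseline for a oneshot that only needs to write under `/var/www/webmap/tiles` and `%t/lock/webmap`: nothing drops capabilities or restricts syscalls, namespaces, personality, realtime scheduling or setuid/setgid, so a compromised publisher still has the full unprivileged syscall surface and the ability to create user namespaces. Adding an empty `CapabilityBoundingSet=` plus the `Restrict*`/`SystemCallFilter=@system-service` set below is cheap for a non-root `User=_webmap-publish` process and `systemd-analyze security` will confirm the remaining exposure. Separately, the two `ReadWritePaths=` entries under `ProtectSystem=strict` require `%t/lock/webmap` to exist before the unit starts; the commit message says this is now created by a tmpfiles.d(5) entry that is not in this diff, so it is worth a comment on the `ReadWritePaths=%t/lock/webmap` line naming that dependency (e.g. `# created by the webmap tmpfiles.d entry; required for --lockfile/--metadata-lockfile`) since a missing path here fails the mount-namespace setup rather than degrading gracefully. Whether `AF_INET`/`AF_INET6` are really needed depends on how the publisher reaches the database, which the unit does not show; if it only uses a local socket, `RestrictAddressFamilies=AF_UNIX` would be tighter.
```ini
# Hardening
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# … unchanged: Protect*/PrivateDevices/RestrictAddressFamilies/ReadWritePaths/PrivateTmp …
```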