summaryrefslogtreecommitdiffstats
path: root/files
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2024-09-25 19:18:15 +0200
committerGuilhem Moulin <guilhem@fripost.org>2024-09-25 21:44:41 +0200
commitf0feb7c74ca2252ef2513da12fc85be9684a54b4 (patch)
tree301152d43426ab8f242ab835fdc04e6f3ba21196 /files
parent5f9605745f4f8e59d5aba78da18b8a50bc4a5d88 (diff)
Copy webmap-publish.
We also replace persistent/shared RuntimeDirectory settings with directories defined as tmpfiles.d(5) entries. This gives more control over access control. We also change static compression from gzip to brotli on the HTTPd.
Diffstat (limited to 'files')
-rw-r--r--files/etc/nginx/sites-available/webmap2
-rw-r--r--files/etc/systemd/system/webmap-download@.service6
-rw-r--r--files/etc/systemd/system/webmap-import@.service6
-rw-r--r--files/etc/systemd/system/webmap-publish@.service40
-rw-r--r--files/etc/tmpfiles.d/webmap.conf11
5 files changed, 56 insertions, 9 deletions
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index d16ab60..92809e2 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -62,7 +62,7 @@ server {
}
location ^~ /tiles/ {
expires 1d;
- gzip_static on;
+ brotli_static on;
try_files $uri =404;
error_page 404 /_.txt;
}
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index c0e826f..2c5a3e4 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -16,14 +16,11 @@ IOSchedulingClass=idle
Type=oneshot
ExecStart=/usr/local/bin/webmap-download \
--cachedir=/var/cache/webmap \
- --lockdir=%t/webmap-download \
+ --lockdir=%t/lock/webmap/download \
--no-exit-code \
--quiet \
-- %I
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
-
# Hardening
NoNewPrivileges=yes
ProtectHome=yes
@@ -34,6 +31,7 @@ ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ReadWritePaths=/var/cache/webmap
+ReadWritePaths=%t/lock/webmap/download
[Install]
WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 540e7de..06d204c 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -20,12 +20,9 @@ IOSchedulingClass=idle
Type=oneshot
ExecStart=/usr/local/bin/webmap-import \
--cachedir=/var/cache/webmap \
- --lockfile=%t/webmap/lock \
+ --lockfile=%t/lock/webmap/lock \
-- %I
-RuntimeDirectory=webmap
-RuntimeDirectoryPreserve=yes
-
# Hardening
NoNewPrivileges=yes
ProtectHome=yes
@@ -35,6 +32,7 @@ ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
PrivateTmp=yes
[Install]
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
new file mode 100644
index 0000000..e2f8e6b
--- /dev/null
+++ b/files/etc/systemd/system/webmap-publish@.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Webmap updater service (publish %I as MVT)
+#After=postgresql.service webmap-update@%i.target
+#After=webmap-download@%i.service
+#After=webmap-import@%i.service
+#Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-publish
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-publish \
+ --lockfile=%t/lock/webmap/lock \
+ --destdir=/var/www/webmap/tiles/%i \
+ --name=%I \
+ --webroot=/var/www/webmap \
+ --metadata=/var/www/webmap/tiles/metadata.json \
+ --metadata-lockfile=%t/lock/webmap/tiles.lock \
+ --compress \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=/var/www/webmap/tiles
+ReadWritePaths=%t/lock/webmap
+PrivateTmp=yes
+
+#[Install]
+#WantedBy=webmap-update@%i.target
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
new file mode 100644
index 0000000..620cd24
--- /dev/null
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -0,0 +1,11 @@
+d %t/lock/webmap 0755 root root
+
+# for webmap-download's --lockdir
+d %t/lock/webmap/download 0755 _webmap-download _webmap
+
+# for webmap-import's *and* webmap-publish's --lockfile (hence the
+# ownership and g+w)
+f %t/lock/webmap/lock 0664 root _webmap
+
+# for webmap-publish's --metadata-lockfile
+f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap