Copy webmap-publish.

We also replace persistent/shared RuntimeDirectory settings with
directories defined as tmpfiles.d(5) entries.  This gives more control
over access control.

We also change static compression from gzip to brotli on the HTTPd.

5 files changed, 56 insertions, 9 deletions

diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index d16ab60..92809e2 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -62,7 +62,7 @@ server {
     }
     location ^~ /tiles/ {
         expires 1d;
-        gzip_static on;
+        brotli_static on;
         try_files $uri =404;
         error_page 404 /_.txt;
     }
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index c0e826f..2c5a3e4 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -16,14 +16,11 @@ IOSchedulingClass=idle
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-download \
     --cachedir=/var/cache/webmap \
-    --lockdir=%t/webmap-download \
+    --lockdir=%t/lock/webmap/download \
     --no-exit-code \
     --quiet \
     -- %I
 
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
-
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -34,6 +31,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=/var/cache/webmap
+ReadWritePaths=%t/lock/webmap/download
 
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 540e7de..06d204c 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -20,12 +20,9 @@ IOSchedulingClass=idle
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-import \
     --cachedir=/var/cache/webmap \
-    --lockfile=%t/webmap/lock \
+    --lockfile=%t/lock/webmap/lock \
     -- %I
 
-RuntimeDirectory=webmap
-RuntimeDirectoryPreserve=yes
-
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -35,6 +32,7 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
 PrivateTmp=yes
 
 [Install]
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
new file mode 100644
index 0000000..e2f8e6b
--- /dev/null
+++ b/files/etc/systemd/system/webmap-publish@.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Webmap updater service (publish %I as MVT)
+#After=postgresql.service webmap-update@%i.target
+#After=webmap-download@%i.service
+#After=webmap-import@%i.service
+#Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-publish
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-publish \
+    --lockfile=%t/lock/webmap/lock \
+    --destdir=/var/www/webmap/tiles/%i \
+    --name=%I \
+    --webroot=/var/www/webmap \
+    --metadata=/var/www/webmap/tiles/metadata.json \
+    --metadata-lockfile=%t/lock/webmap/tiles.lock \
+    --compress \
+    -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=/var/www/webmap/tiles
+ReadWritePaths=%t/lock/webmap
+PrivateTmp=yes
+
+#[Install]
+#WantedBy=webmap-update@%i.target
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
new file mode 100644
index 0000000..620cd24
--- /dev/null
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -0,0 +1,11 @@
+d %t/lock/webmap            0755 root root
+
+# for webmap-download's --lockdir
+d %t/lock/webmap/download   0755 _webmap-download _webmap
+
+# for webmap-import's *and* webmap-publish's --lockfile (hence the
+# ownership and g+w)
+f %t/lock/webmap/lock       0664 root _webmap
+
+# for webmap-publish's --metadata-lockfile
+f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap