author | Guilhem Moulin <guilhem@fripost.org> | 2024-09-25 19:18:15 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-09-25 21:44:41 +0200 |
commit | f0feb7c74ca2252ef2513da12fc85be9684a54b4 (patch) | |
tree | 301152d43426ab8f242ab835fdc04e6f3ba21196 /files | |
parent | 5f9605745f4f8e59d5aba78da18b8a50bc4a5d88 (diff) |
Copy webmap-publish.
We also replace persistent/shared RuntimeDirectory settings with
directories defined as tmpfiles.d(5) entries. This gives finer-grained
control over access permissions.
We also change static compression from gzip to brotli on the HTTPd.
Diffstat (limited to 'files')
-rw-r--r-- | files/etc/nginx/sites-available/webmap | 2 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-download@.service | 6 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 6 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-publish@.service | 40 | ||||
-rw-r--r-- | files/etc/tmpfiles.d/webmap.conf | 11 |
5 files changed, 56 insertions, 9 deletions
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index d16ab60..92809e2 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -62,7 +62,7 @@ server {
 }
 location ^~ /tiles/ {
 expires 1d;
- gzip_static on;
+ brotli_static on;
 try_files $uri =404;
 error_page 404 /_.txt;
 }
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index c0e826f..2c5a3e4 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -16,14 +16,11 @@ IOSchedulingClass=idle
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-download \
 --cachedir=/var/cache/webmap \
- --lockdir=%t/webmap-download \
+ --lockdir=%t/lock/webmap/download \
 --no-exit-code \
 --quiet \
 -- %I
 
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
-
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -34,6 +31,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=/var/cache/webmap
+ReadWritePaths=%t/lock/webmap/download
 
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 540e7de..06d204c 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -20,12 +20,9 @@ IOSchedulingClass=idle
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-import \
 --cachedir=/var/cache/webmap \
- --lockfile=%t/webmap/lock \
+ --lockfile=%t/lock/webmap/lock \
 -- %I
 
-RuntimeDirectory=webmap
-RuntimeDirectoryPreserve=yes
-
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -35,6 +32,7 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
 PrivateTmp=yes
 
 [Install]
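Review bot: `brotli_static on;` only works if nginx loads the ngx_brotli module (via `load_module` or a build-time module), which this diff does not show; without it `nginx -t` rejects the configuration. Browsers only advertise `br` over HTTPS and some non-browser clients never do, so those requests now get the uncompressed tile unless `gzip_static on;` is kept alongside and `.gz` siblings still exist next to the `.br` ones — whether webmap-publish's `--compress` still emits them is not visible here. Keeping both directives in this location is harmless and preserves a precompressed path for every client. The enclosing `server {` block starts outside the hunk.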
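Review bot: `ReadWritePaths=%t/lock/webmap` lifts the `ProtectSystem=strict` read-only mount for the whole lock directory, while this unit only touches `%t/lock/webmap/lock`; the download unit in the same commit grants just its own subdirectory. `ReadWritePaths=` accepts file paths, so `ReadWritePaths=%t/lock/webmap/lock` states the need precisely, and the new publish unit would correspondingly list `%t/lock/webmap/lock` and `%t/lock/webmap/tiles.lock`. The directory is root-owned 0755 per the tmpfiles.d entry, so ordinary permissions already prevent creating other entries there — this is about matching the grant to what the service uses rather than closing an exposure. The `[Service]` section continues outside the hunk.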
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
new file mode 100644
index 0000000..e2f8e6b
--- /dev/null
+++ b/files/etc/systemd/system/webmap-publish@.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Webmap updater service (publish %I as MVT)
+#After=postgresql.service webmap-update@%i.target
+#After=webmap-download@%i.service
+#After=webmap-import@%i.service
+#Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-publish
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-publish \
+ --lockfile=%t/lock/webmap/lock \
+ --destdir=/var/www/webmap/tiles/%i \
+ --name=%I \
+ --webroot=/var/www/webmap \
+ --metadata=/var/www/webmap/tiles/metadata.json \
+ --metadata-lockfile=%t/lock/webmap/tiles.lock \
+ --compress \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=/var/www/webmap/tiles
+ReadWritePaths=%t/lock/webmap
+PrivateTmp=yes
+
+#[Install]
+#WantedBy=webmap-update@%i.target
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
new file mode 100644
index 0000000..620cd24
--- /dev/null
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -0,0 +1,11 @@
+d %t/lock/webmap 0755 root root
+
+# for webmap-download's --lockdir
+d %t/lock/webmap/download 0755 _webmap-download _webmap
+
+# for webmap-import's *and* webmap-publish's --lockfile (hence the
+# ownership and g+w)
+f %t/lock/webmap/lock 0664 root _webmap
+
+# for webmap-publish's --metadata-lockfile
+f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap
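Review bot: The unit ships with its `After=`, `Upholds=` and the whole `[Install]` section commented out, so it cannot be enabled and carries no ordering against `webmap-import@%i.service`, the unit it shares `%t/lock/webmap/lock` with; that lock is the only thing keeping import and publish from running at the same time. A one-line comment giving the reason the wiring is deferred (`# Not yet hooked into webmap-update@%i.target — <reason>` with the real reason filled in) would stop the next reader from "fixing" it. Separately, `ReadWritePaths=/var/www/webmap/tiles` opens the directory nginx serves under `/tiles/` to `_webmap-publish`, but nothing in this commit creates that directory or sets its ownership, so presumably it is provisioned elsewhere — worth stating in a comment next to the directive.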
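Review bot: These entries are applied by systemd-tmpfiles at boot, and the download and import units in this commit dropped `RuntimeDirectory=`, so on a host that is already running the lock directory and lock files do not exist until `systemd-tmpfiles --create webmap.conf` is run — until then the units fail on their `--lockdir`/`--lockfile` paths. A header comment such as `# Applied automatically at boot; run 'systemd-tmpfiles --create webmap.conf' after installing or changing this file.` makes that deployment step explicit. `%t` resolves to /run for the system instance, so everything here lives under /run/lock, which is recreated on every boot.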