-rw-r--r--ansible.cfg1
-rw-r--r--files/etc/nginx/sites-available/webmap32
-rw-r--r--files/etc/systemd/system/webmap-download@.service2
-rw-r--r--files/etc/systemd/system/webmap-import@.service2
-rw-r--r--files/etc/systemd/system/webmap-publish@.service5
-rw-r--r--files/etc/systemd/system/webmap-update@.target2
-rw-r--r--group_vars/all.yml8
-rw-r--r--tasks/apt.yml9
-rw-r--r--tasks/network.yml1
-rw-r--r--tasks/webmap.yml35
m---------webmap-tools0
11 files changed, 78 insertions, 19 deletions
diff --git a/ansible.cfg b/ansible.cfg
index a35402e..cf64db8 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,5 +1,6 @@
[defaults]
inventory = ./hosts.ini
+max_diff_size = 524288
[privilege_escalation]
become = True
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index 92809e2..6921c2c 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -45,36 +45,50 @@ server {
ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
include snippets/ssl.conf;
+ root /var/www/webmap;
+ index index.html;
+
add_header Referrer-Policy "no-referrer";
- add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
- add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
-
- root /var/www/webmap;
- index index.html;
+ add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'";
+ #add_header Access-Control-Allow-Origin "*" always;
location ^~ /assets/ {
expires 7d;
- gzip_static on;
+ brotli_static on;
try_files $uri =404;
}
location ^~ /tiles/ {
- expires 1d;
+ expires 8h;
brotli_static on;
try_files $uri =404;
error_page 404 /_.txt;
}
+ location = /tiles/metadata.json {
+ expires epoch;
+ brotli_static on;
+ try_files $uri =404;
+ }
location = /_.txt {
- # cache 404 responses
+ # cache 404 responses for 8h like for valid tiles
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
- add_header Cache-Control "public; max-age=86400" always;
+ add_header Cache-Control "public; max-age=28800" always;
+ #add_header Access-Control-Allow-Origin "*" always;
internal;
}
location / {
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
+
try_files $uri $uri/ =404;
}
}
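Review bot: The security headers duplicated into `location /`, and the server-level set that `/assets/` and `/tiles/` inherit, are added without `always`, so nginx sends them only on its listed 2xx/3xx codes and the `=404` from `try_files` goes out with HSTS alone. Appending `always` to the `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` lines would cover error responses as well. `location = /_.txt` declares its own `add_header` lines, which switches off inheritance of the server-level set, so the cached 404 body is served without `nosniff` or a CSP. Its `Cache-Control "public; max-age=28800"` separates directives with `;` where the header grammar uses `,`, so caches may ignore the max-age; `add_header Cache-Control "public, max-age=28800" always;` is the well-formed spelling. The `server {` block opens above the hunk, so any earlier `add_header` lines are not visible here.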
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index 2c5a3e4..e6b7f44 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -1,5 +1,5 @@
[Unit]
-Description=Webmap updater service (download %I)
+Description=Webmap updater service (download ‘%I’)
# Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
# XXX Looks like Upholds= prevents running a single unit, as it causes
# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 06d204c..30300a5 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -1,5 +1,5 @@
[Unit]
-Description=Webmap updater service (import %I to PostgreSQL)
+Description=Webmap updater service (import ‘%I’ to PostGIS)
After=postgresql.service webmap-update@%i.target
After=webmap-download@%i.service
Upholds=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
index e2f8e6b..9d138da 100644
--- a/files/etc/systemd/system/webmap-publish@.service
+++ b/files/etc/systemd/system/webmap-publish@.service
@@ -1,5 +1,5 @@
[Unit]
-Description=Webmap updater service (publish %I as MVT)
+Description=Webmap updater service (publish ‘%I’ as MVT)
#After=postgresql.service webmap-update@%i.target
#After=webmap-download@%i.service
#After=webmap-import@%i.service
@@ -15,8 +15,7 @@ IOSchedulingClass=idle
Type=oneshot
ExecStart=/usr/local/bin/webmap-publish \
--lockfile=%t/lock/webmap/lock \
- --destdir=/var/www/webmap/tiles/%i \
- --name=%I \
+ --destdir=/var/www/webmap/tiles/%I \
--webroot=/var/www/webmap \
--metadata=/var/www/webmap/tiles/metadata.json \
--metadata-lockfile=%t/lock/webmap/tiles.lock \
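Review bot: `--destdir=/var/www/webmap/tiles/%I` now interpolates the unescaped instance name into a filesystem path, and systemd's unescaping turns `-` into `/` and decodes `\xNN` sequences, so an instance such as `a-b` would publish into `tiles/a/b` and the value is no longer guaranteed to be a single path component. The layer group names visible in group_vars/all.yml contain neither, so this is latent rather than active. Keeping `%i` for the path and using `%I` only for display, as in `Description=`, avoids it. Alternatively `webmap-publish` could reject a destdir that resolves outside the tiles root; whether it already does is not visible here. The `ExecStart=` command continues past the end of the hunk.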
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
index 3d9fb7f..840de96 100644
--- a/files/etc/systemd/system/webmap-update@.target
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -1,3 +1,3 @@
[Unit]
-Description=Webmap updater (target unit %I)
+Description=Webmap updater (target unit ‘%I’)
StopWhenUnneeded=true
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 5d4474a..e90c73e 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -5,8 +5,14 @@ webmap_layer_groups:
- mrr
- nvr
- sks
- - st
+ - ren
- vbk
+ - ri
+ - svk
+ - misc
+
+webmap_layer_groups_nodownload:
+ - misc
# PostgreSQL's version number and cluster name
postgresql:
diff --git a/tasks/apt.yml b/tasks/apt.yml
index 1023908..f17a2e4 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -5,8 +5,13 @@
- apt
- lsb-release
-- name: Remove /etc/apt/sources.list
- file: path=/etc/apt/sources.list state=absent
+# something keeps recreating (without content) it if we delete it, so we
+# leave it instead but ensure it's empty instead
+- name: Create empty /etc/apt/sources.list
+ copy: content=""
+ dest=/etc/apt/sources.list
+ owner=root group=root
+ mode=0644
notify:
- apt-get update
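Review bot: The new `copy` task passes its arguments as a free-form `key=value` string spread over continuation lines, which is easy to misread and is what ansible-lint's `no-free-form` rule flags. A native mapping (`content: ''`, `dest: /etc/apt/sources.list`, `mode: '0644'`) says the same thing with each value's type explicit. The tasks added in tasks/webmap.yml use the same form, and so do the existing tasks in the context lines, so a follow-up conversion of the whole file may be the better vehicle. The comment above the task repeats "it" and "instead"; `# something keeps recreating an empty sources.list after we delete it, so keep the file and ensure it is empty` reads more clearly.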
diff --git a/tasks/network.yml b/tasks/network.yml
index 1551f82..a02b07c 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -32,6 +32,7 @@
packages:
- systemd-resolved
- libnss-resolve
+ - libnss-myhostname
- name: Create directory /etc/systemd/resolved.conf.d
file: path=/etc/systemd/resolved.conf.d
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 9e2c2f6..5f82d7f 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -108,6 +108,19 @@
owner=_webmap-download group=root
mode=0755
+- name: Create directory /var/cache/webmap/custom
+ file: path=/var/cache/webmap/custom
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy custom layers into /var/cache/webmap/custom
+ copy: src=webmap-tools/layers/custom/
+ dest=/var/cache/webmap/custom/
+ owner=root group=root
+ mode=0644
+ directory_mode=0755
+
- name: Copy webmap-download@.service
copy: src=etc/systemd/system/webmap-download@.service
dest=/etc/systemd/system/webmap-download@.service
@@ -118,7 +131,11 @@
- name: Enable webmap-download@.service
service: name=webmap-download@{{ item }}.service enabled=true
- with_items: "{{ webmap_layer_groups }}"
+ with_items: "{{ webmap_layer_groups | difference(webmap_layer_groups_nodownload) }}"
+
+- name: Disable some webmap-download@.service
+ service: name=webmap-download@{{ item }}.service enabled=false
+ with_items: "{{ webmap_layer_groups_nodownload }}"
- meta: flush_handlers
@@ -306,6 +323,7 @@
service: name=webmap-import@{{ item }}.service enabled=true
with_items: "{{ webmap_layer_groups }}"
+
- name: Build administrative-codes.json*
become: false
local_action:
@@ -313,6 +331,21 @@
chdir: ./webmap-tools/administrative-codes
target: all
+- name: Create directory /var/www/webmap/data
+ file: path=/var/www/webmap/data
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy /var/www/webmap/data/administrative-codes.json*
+ copy: src=./webmap-tools/administrative-codes/{{ item }}
+ dest=/var/www/webmap/data/{{ item }}
+ owner=root group=root
+ mode=0644
+ with_items:
+ - administrative-codes.json
+ - administrative-codes.json.br
+
- meta: flush_handlers
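Review bot: `administrative-codes.json.br` is copied next to the plain file under `/var/www/webmap/data`, but the nginx change in this commit turns on `brotli_static` only inside the `/assets/` and `/tiles/` locations, and `/data/` falls through to `location /`. Unless `brotli_static on;` is set at server or http level (not visible in the hunk), the precompressed copy will never be selected for `/data/administrative-codes.json` and will only be reachable as a literal `.br` download. Either add a `location ^~ /data/` with `brotli_static on;` or drop the `.br` item from `with_items`.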
diff --git a/webmap-tools b/webmap-tools
-Subproject 7cda119879cf48ba72ba34522fa9cdf9ef6d9b4
+Subproject 98a2d184f3795822c4a61587ef57a6ad66f7237