17 files changed, 271 insertions, 132 deletions
diff --git a/ansible.cfg b/ansible.cfg
index a35402e..cf64db8 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,5 +1,6 @@
 [defaults]
 inventory = ./hosts.ini
+max_diff_size = 524288
 
 [privilege_escalation]
 become = True
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index 92809e2..24ccdb9 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -45,36 +45,80 @@ server {
     ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
     include snippets/ssl.conf;
 
+    root /var/www/webmap;
+    index index.html;
+
     add_header Referrer-Policy "no-referrer";
-    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Frame-Options "DENY";
     add_header X-Content-Type-Options "nosniff";
     add_header X-XSS-Protection "1; mode=block";
     add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-    add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
-
-    root /var/www/webmap;
-    index index.html;
+    add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'";
+    #add_header Access-Control-Allow-Origin $http_origin always;
+
+    include mime.types;
+    types {
+        # application/protobuf and application/vnd.google.protobuf might be valid types too, cf.
+        # https://stackoverflow.com/questions/30505408/what-is-the-correct-protobuf-content-type
+        application/x-protobuf pbf;
+    }
 
     location ^~ /assets/ {
         expires 7d;
-        gzip_static on;
         try_files $uri =404;
+        location ~ "\.(?:css|js|svg)$" {
+            brotli_static on;
+        }
     }
     location ^~ /tiles/ {
-        expires 1d;
+        expires 30m;
         brotli_static on;
         try_files $uri =404;
+        # service an empty payload to save bandwidth
         error_page 404 /_.txt;
     }
+    location ^~ /raster/ {
+        expires 30m;
+        try_files $uri =404;
+        # service an empty payload to save bandwidth
+        error_page 404 /_.txt;
+    }
+    location = /q {
+        expires epoch;
+        limit_except POST { deny all; }
+        #if ($request_method = OPTIONS) {
+        #    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
+        #    add_header Access-Control-Allow-Origin $http_origin;
+        #    add_header Access-Control-Allow-Methods "POST, GET, OPTIONS";
+        #    add_header Access-Control-Allow-Headers "Accept, Content-Type";
+        #    add_header Access-Control-Max-Age 28800;
+        #    return 204;
+        #}
+        client_max_body_size 64k;
+        gzip on;
+        gzip_types application/json text/plain;
+        include uwsgi_params;
+        uwsgi_pass unix:/run/webmap-cgi.socket;
+    }
 
     location = /_.txt {
-        # cache 404 responses
+        # cache 404 responses for 30m like for valid tiles
         add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-        add_header Cache-Control "public; max-age=86400" always;
+        add_header Cache-Control "public; max-age=1800" always;
+        #add_header Access-Control-Allow-Origin $http_origin always;
         internal;
     }
 
     location / {
+        add_header Referrer-Policy "no-referrer";
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
+        add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; worker-src blob:; base-uri 'self'";
+
+        expires 1h;
+        brotli_static on;
         try_files $uri $uri/ =404;
     }
 }
diff --git a/files/etc/postgresql/postgresql.conf b/files/etc/postgresql/postgresql.conf
new file mode 100644
index 0000000..038438a
--- /dev/null
+++ b/files/etc/postgresql/postgresql.conf
@@ -0,0 +1,4 @@
+shared_buffers = 768MB
+temp_buffers = 128MB
+work_mem = 16MB
+effective_cache_size = 1536MB
diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+    --single-interpreter --die-on-term \
+    --close-on-exec --close-on-exec2 \
+    --max-requests 1000 \
+    --max-worker-lifetime 86400 \
+    --max-worker-lifetime-delta 11 \
+    --harakiri 60 \
+    --lazy-apps \
+    --plugins python3 \
+    --pythonpath /usr/local/share/webmap \
+    --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket
new file mode 100644
index 0000000..2828985
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index 2c5a3e4..d7a49dc 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Webmap updater service (download %I)
+Description=Webmap updater service (download ‘%I’)
 # Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
 # XXX Looks like Upholds= prevents running a single unit, as it causes
 # webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
@@ -15,8 +15,8 @@ IOSchedulingClass=idle
 
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-download \
-    --cachedir=/var/cache/webmap \
-    --lockdir=%t/lock/webmap/download \
+    --cachedir=%C/webmap \
+    --lockdir=%t/lock/webmap/cache \
     --no-exit-code \
     --quiet \
     -- %I
@@ -30,8 +30,8 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/cache/webmap
-ReadWritePaths=%t/lock/webmap/download
+ReadWritePaths=%C/webmap
+ReadWritePaths=%t/lock/webmap/cache
 
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 06d204c..964c37d 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -1,17 +1,11 @@
 [Unit]
-Description=Webmap updater service (import %I to PostgreSQL)
+Description=Webmap updater service (import ‘%I’ to PostGIS)
 After=postgresql.service webmap-update@%i.target
 After=webmap-download@%i.service
 Upholds=webmap-update@%i.target
 
-# XXX webmap-download write cached files atomatically but there is no
-# guarantee that GDAL/OGR opens them atomically.  It'd therefore make
-# sense to use the following Conflict= directive, however systemd skips
-# webmap-download@%i.service in that case.
-#Conflicts=webmap-download@%i.service
-
 [Service]
-User=_webmap-import
+User=_webmap
 Group=_webmap
 
 Nice=15
@@ -19,8 +13,11 @@ IOSchedulingClass=idle
 
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-import \
-    --cachedir=/var/cache/webmap \
+    --cachedir=%C/webmap \
     --lockfile=%t/lock/webmap/lock \
+    --lockdir-sources=%t/lock/webmap/cache \
+    --mvtdir=/var/www/webmap/tiles/%I \
+    --mvt-compress \
     -- %I
 
 # Hardening
@@ -33,6 +30,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=%t/lock/webmap
+ReadWritePaths=/var/www/webmap/tiles
 PrivateTmp=yes
 
 [Install]
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
deleted file mode 100644
index e2f8e6b..0000000
--- a/files/etc/systemd/system/webmap-publish@.service
+++ /dev/null
@@ -1,40 +0,0 @@
-[Unit]
-Description=Webmap updater service (publish %I as MVT)
-#After=postgresql.service webmap-update@%i.target
-#After=webmap-download@%i.service
-#After=webmap-import@%i.service
-#Upholds=webmap-update@%i.target
-
-[Service]
-User=_webmap-publish
-Group=_webmap
-
-Nice=15
-IOSchedulingClass=idle
-
-Type=oneshot
-ExecStart=/usr/local/bin/webmap-publish \
-    --lockfile=%t/lock/webmap/lock \
-    --destdir=/var/www/webmap/tiles/%i \
-    --name=%I \
-    --webroot=/var/www/webmap \
-    --metadata=/var/www/webmap/tiles/metadata.json \
-    --metadata-lockfile=%t/lock/webmap/tiles.lock \
-    --compress \
-    -- %I
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectSystem=strict
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/www/webmap/tiles
-ReadWritePaths=%t/lock/webmap
-PrivateTmp=yes
-
-#[Install]
-#WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
index 3d9fb7f..840de96 100644
--- a/files/etc/systemd/system/webmap-update@.target
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -1,3 +1,3 @@
 [Unit]
-Description=Webmap updater (target unit %I)
+Description=Webmap updater (target unit ‘%I’)
 StopWhenUnneeded=true
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
index 620cd24..786e6dd 100644
--- a/files/etc/tmpfiles.d/webmap.conf
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -1,11 +1,8 @@
-d %t/lock/webmap            0755 root root
+d %t/lock/webmap            00755 root root
 
-# for webmap-download's --lockdir
-d %t/lock/webmap/download   0755 _webmap-download _webmap
+# for `webmap-download --lockdir` *and* `webmap-import --lockdir-sources`
+# (hence the set-group-ID bit and g+w)
+d %t/lock/webmap/cache      02775 _webmap-download _webmap
 
-# for webmap-import's *and* webmap-publish's --lockfile (hence the
-# ownership and g+w)
-f %t/lock/webmap/lock       0664 root _webmap
-
-# for webmap-publish's --metadata-lockfile
-f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap
+# for `webmap-import --lockfile`
+f %t/lock/webmap/lock       00644 _webmap _webmap
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 5d4474a..29ad0b9 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,10 +3,21 @@
 # webmap-tools/config.yml:layer-groups.
 webmap_layer_groups:
   - mrr
-  - nvr
-  - sks
-  - st
+  - skydd
+  - avverk
+  - ren
   - vbk
+  - ri
+  - svk
+  - misc
+  - nv
+
+webmap_layer_groups_nodownload:
+  - misc
+
+# adjust calendar events for individual units
+webmap_layer_groups_update_calendar:
+  mrr: "*-*-* 05:00:00" # updated daily at 04:33 CEST
 
 # PostgreSQL's version number and cluster name
 postgresql:
diff --git a/handlers/main.yml b/handlers/main.yml
index 281951b..b6ee548 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -55,3 +55,6 @@
 
 - name: Reload PostgreSQL
   service: name=postgresql.service state=reloaded
+
+- name: Stop webmap-cgi.service
+  service: name=webmap-cgi.service state=stopped
diff --git a/tasks/apt.yml b/tasks/apt.yml
index 1023908..f17a2e4 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -5,8 +5,13 @@
     - apt
     - lsb-release
 
-- name: Remove /etc/apt/sources.list
-  file: path=/etc/apt/sources.list state=absent
+# something keeps recreating (without content) it if we delete it, so we
+# leave it instead but ensure it's empty instead
+- name: Create empty /etc/apt/sources.list
+  copy: content=""
+        dest=/etc/apt/sources.list
+        owner=root group=root
+        mode=0644
   notify:
     - apt-get update
 
diff --git a/tasks/network.yml b/tasks/network.yml
index 1551f82..a02b07c 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -32,6 +32,7 @@
     packages:
     - systemd-resolved
     - libnss-resolve
+    - libnss-myhostname
 
 - name: Create directory /etc/systemd/resolved.conf.d
   file: path=/etc/systemd/resolved.conf.d
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 9e2c2f6..de320d4 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -15,7 +15,6 @@
     - python3
     - python3-brotli
     - python3-gdal
-    - python3-lxml
     - python3-requests
     - python3-systemd
     - python3-tqdm
@@ -41,11 +40,18 @@
         owner=root group=root
         mode=0755
 
-- name: Copy /usr/local/share/webmap/common.py
-  copy: src=webmap-tools/common.py
-        dest=/usr/local/share/webmap/common.py
+- name: Copy /usr/local/share/webmap/*.py modules
+  copy: src=webmap-tools/{{ item }}
+        dest=/usr/local/share/webmap/{{ item }}
         owner=root group=root
         mode=0644
+  with_items:
+    # TODO these should be compiled
+    - common.py
+    - common_gdal.py
+    - import_source.py
+    - export_mvt.py
+    - rename_exchange.py
 
 - name: Copy webmap-update@.target
   copy: src=etc/systemd/system/webmap-update@.target
@@ -63,6 +69,22 @@
   notify:
     - systemctl daemon-reload
 
+- name: Create directory /etc/systemd/system/webmap-update@*.timer.d
+  file: path=/etc/systemd/system/webmap-update@{{ item }}.timer.d
+        state=directory
+        owner=root group=root
+        mode=0755
+  with_items: "{{ webmap_layer_groups_update_calendar.keys() | list }}"
+
+- name: Copy /etc/systemd/system/webmap-update@*.timer.d/override.conf
+  template: src=etc/systemd/system/webmap-update@.timer.d/override.conf.j2
+            dest=/etc/systemd/system/webmap-update@{{ item }}.timer.d/override.conf
+            owner=root group=root
+            mode=0644
+  with_items: "{{ webmap_layer_groups_update_calendar.keys() | list }}"
+  notify:
+    - systemctl daemon-reload
+
 - name: Enable webmap-update.timer
   service: name=webmap-update@{{ item }}.timer state=started enabled=true
   with_items: "{{ webmap_layer_groups }}"
@@ -96,18 +118,25 @@
         owner=root group=root
         state=link force=yes
 
-- name: Copy /usr/local/share/webmap/webmap-download-mrr.py
-  copy: src=webmap-tools/webmap-download-mrr.py
-        dest=/usr/local/share/webmap/webmap-download-mrr.py
-        owner=root group=root
-        mode=0644
-
 - name: Create directory /var/cache/webmap
   file: path=/var/cache/webmap
         state=directory
         owner=_webmap-download group=root
         mode=0755
 
+- name: Create directory /var/cache/webmap/custom
+  file: path=/var/cache/webmap/custom
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy custom layers into /var/cache/webmap/custom
+  copy: src=webmap-tools/layers/custom/
+        dest=/var/cache/webmap/custom/
+        owner=root group=root
+        mode=0644
+        directory_mode=0755
+
 - name: Copy webmap-download@.service
   copy: src=etc/systemd/system/webmap-download@.service
         dest=/etc/systemd/system/webmap-download@.service
@@ -118,13 +147,17 @@
 
 - name: Enable webmap-download@.service
   service: name=webmap-download@{{ item }}.service enabled=true
-  with_items: "{{ webmap_layer_groups }}"
+  with_items: "{{ webmap_layer_groups | difference(webmap_layer_groups_nodownload) }}"
+
+- name: Disable some webmap-download@.service
+  service: name=webmap-download@{{ item }}.service enabled=false
+  with_items: "{{ webmap_layer_groups_nodownload }}"
 
 - meta: flush_handlers
 
 
-- name: Create system user '_webmap-import'
-  user: name=_webmap-import system=true
+- name: Create system user '_webmap'
+  user: name=_webmap system=true
         group=_webmap
         createhome=false
         home=/nonexistent
@@ -148,6 +181,13 @@
   # PostgreSQL needs to be restarted to see the new locale
   notify: Restart PostgreSQL
 
+- name: Configure PostgreSQL
+  copy: src=etc/postgresql/postgresql.conf
+        dest=/etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/conf.d/local.conf
+        owner=postgres group=postgres
+        mode=0644
+  notify: Restart PostgreSQL
+
 - name: Start PostgreSQL
   service: name=postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service state=started
 
@@ -179,7 +219,7 @@
   become: true
   become_user: postgres
   community.postgresql.postgresql_user:
-    db: webmap
+    login_db: webmap
     name: "{{ item }}"
   with_items:
     - webmap_import
@@ -200,7 +240,7 @@
   ansible.builtin.lineinfile:
     path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
     regexp: '^pgmap_webmap\s.*\swebmap_import\s*$'
-    line: 'pgmap_webmap    _webmap-import                          webmap_import'
+    line: 'pgmap_webmap    _webmap                                 webmap_import'
     create: false
   notify: Reload PostgreSQL
 
@@ -217,7 +257,7 @@
   become_user: postgres
   community.postgresql.postgresql_schema:
     name: postgis
-    db: webmap
+    login_db: webmap
     owner: postgres
 
 - name: Install 'postgis' PostgreSQL extension to the webmap database in the postgis schema
@@ -225,7 +265,7 @@
   become_user: postgres
   community.postgresql.postgresql_ext:
     name: postgis
-    db: webmap
+    login_db: webmap
     schema: postgis
     comment: Geographic objects support for PostgreSQL
 
@@ -233,7 +273,7 @@
   become: true
   become_user: postgres
   community.postgresql.postgresql_privs:
-    database: webmap
+    login_db: webmap
     privs: CONNECT
     type: database
     role: webmap_import,webmap_guest
@@ -242,7 +282,7 @@
   become: true
   become_user: postgres
   community.postgresql.postgresql_privs:
-    database: webmap
+    login_db: webmap
     privs: USAGE
     type: schema
     obj: postgis
@@ -253,7 +293,7 @@
   become: true
   become_user: postgres
   community.postgresql.postgresql_privs:
-    database: webmap
+    login_db: webmap
     privs: CREATE
     type: schema
     obj: postgis
@@ -264,7 +304,7 @@
   become: true
   become_user: postgres
   community.postgresql.postgresql_privs:
-    database: webmap
+    login_db: webmap
     privs: SELECT
     type: table
     obj: ALL_IN_SCHEMA
@@ -275,7 +315,7 @@
   become: true
   become_user: postgres
   community.postgresql.postgresql_privs:
-    database: webmap
+    login_db: webmap
     privs: USAGE,SELECT
     type: sequence
     obj: ALL_IN_SCHEMA
@@ -306,6 +346,7 @@
   service: name=webmap-import@{{ item }}.service enabled=true
   with_items: "{{ webmap_layer_groups }}"
 
+
 - name: Build administrative-codes.json*
   become: false
   local_action:
@@ -313,56 +354,80 @@
     chdir: ./webmap-tools/administrative-codes
     target: all
 
-- meta: flush_handlers
-
-
-- name: Create system user '_webmap-publish'
-  user: name=_webmap-publish system=true
-        group=_webmap
-        createhome=false
-        home=/nonexistent
-        shell=/usr/sbin/nologin
-        comment="Webmap update (publication as MVT)"
-        password="!"
-        state=present
-
-- name: Copy /usr/local/share/webmap/publish.py
-  copy: src=webmap-tools/webmap-publish
-        dest=/usr/local/share/webmap/publish.py
+- name: Create directory /var/www/webmap/data
+  file: path=/var/www/webmap/data
+        state=directory
         owner=root group=root
         mode=0755
 
-- name: Create /usr/local/bin/webmap-publish
-  file: src=../share/webmap/publish.py
-        dest=/usr/local/bin/webmap-publish
+- name: Copy /var/www/webmap/data/administrative-codes.json*
+  copy: src=./webmap-tools/administrative-codes/{{ item }}
+        dest=/var/www/webmap/data/{{ item }}
         owner=root group=root
-        state=link force=yes
+        mode=0644
+  with_items:
+    - administrative-codes.json
+    - administrative-codes.json.br
+
+- meta: flush_handlers
+
 
 - name: Create directory /var/www/webmap/tiles
   file: path=/var/www/webmap/tiles
         state=directory
-        owner=_webmap-publish group=root
+        owner=_webmap group=root
         mode=0755
 
-- name: Copy webmap-publish@.service
-  copy: src=etc/systemd/system/webmap-publish@.service
-        dest=/etc/systemd/system/webmap-publish@.service
+
+- name: Copy /etc/tmpfiles.d/webmap.conf
+  copy: src=etc/tmpfiles.d/webmap.conf
+        dest=/etc/tmpfiles.d/webmap.conf
         owner=root group=root
         mode=0644
   notify:
-    - systemctl daemon-reload
+    - systemd-tmpfiles --create
 
-#- name: Enable webmap-publish@.service
-#  service: name=webmap-publish@{{ item }}.service enabled=true
-#  with_items: "{{ webmap_layer_groups }}"
+- meta: flush_handlers
 
 
-- name: Copy /etc/tmpfiles.d/webmap.conf
-  copy: src=etc/tmpfiles.d/webmap.conf
-        dest=/etc/tmpfiles.d/webmap.conf
+- name: Install Python/WSGI dependencies
+  apt: pkg={{ packages }}
+  vars:
+    packages:
+    - uwsgi-core
+    - uwsgi-plugin-python3
+    # TODO[trixie]: install python3-psycopg-c instead
+    - python3-psycopg
+
+- name: Copy webmap-cgi.socket
+  copy: src=etc/systemd/system/webmap-cgi.socket
+        dest=/etc/systemd/system/webmap-cgi.socket
         owner=root group=root
         mode=0644
   notify:
-    - systemd-tmpfiles --create
+    - systemctl daemon-reload
+
+- name: Copy webmap-cgi.service
+  copy: src=etc/systemd/system/webmap-cgi.service
+        dest=/etc/systemd/system/webmap-cgi.service
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Stop webmap-cgi.service
+
+- name: Copy /usr/libexec/webmap-cgi
+  copy: src=./webmap-tools/webmap-cgi
+        dest=/usr/libexec/webmap-cgi
+        owner=root group=root
+        mode=0755
+  notify:
+    - Stop webmap-cgi.service
 
 - meta: flush_handlers
+
+- name: Enable webmap-cgi.socket
+  service: name=webmap-cgi.socket state=started enabled=true
+
+- name: Disable webmap-cgi.service
+  service: name=webmap-cgi.service enabled=false
diff --git a/templates/etc/systemd/system/webmap-update@.timer.d/override.conf.j2 b/templates/etc/systemd/system/webmap-update@.timer.d/override.conf.j2
new file mode 100644
index 0000000..795ee20
--- /dev/null
+++ b/templates/etc/systemd/system/webmap-update@.timer.d/override.conf.j2
@@ -0,0 +1,3 @@
+[Timer]
+OnCalendar=
+OnCalendar={{ webmap_layer_groups_update_calendar[item] }}
diff --git a/webmap-tools b/webmap-tools
-Subproject 7cda119879cf48ba72ba34522fa9cdf9ef6d9b4
+Subproject 4263125c9bc8f23cf5ef6f3257b575537e3cad7