-rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 12 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-publish@.service | 39 | ||||
-rw-r--r-- | files/etc/tmpfiles.d/webmap.conf | 8 | ||||
-rw-r--r-- | tasks/webmap.yml | 56 |
4 files changed, 18 insertions, 97 deletions
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 30300a5..40c4c5e 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -4,12 +4,6 @@ After=postgresql.service webmap-update@%i.target
 After=webmap-download@%i.service
 Upholds=webmap-update@%i.target
 
-# XXX webmap-download write cached files atomatically but there is no
-# guarantee that GDAL/OGR opens them atomically. It'd therefore make
-# sense to use the following Conflict= directive, however systemd skips
-# webmap-download@%i.service in that case.
-#Conflicts=webmap-download@%i.service
-
 [Service]
 User=_webmap-import
 Group=_webmap
@@ -19,8 +13,11 @@ IOSchedulingClass=idle
 
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-import \
-    --cachedir=/var/cache/webmap \
+    --cachedir=%C/webmap \
     --lockfile=%t/lock/webmap/lock \
+    --lockdir-sources=%t/lock/webmap/cache \
+    --mvtdir=/var/www/webmap/tiles/%I \
+    --mvt-compress \
     -- %I
 
 # Hardening
@@ -33,6 +30,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=%t/lock/webmap
+ReadWritePaths=/var/www/webmap/tiles
 PrivateTmp=yes
 
 [Install]
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
deleted file mode 100644
index 9d138da..0000000
--- a/files/etc/systemd/system/webmap-publish@.service
+++ /dev/null
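Review bot: The ExecStart hunk's `--mvtdir=/var/www/webmap/tiles/%I` together with `ReadWritePaths=/var/www/webmap/tiles` in the hardening hunk let `_webmap-import` write the web-served tiles tree directly, whereas the deleted webmap-publish@.service kept that step under a separate `_webmap-publish` account and left the import side confined to the lock directory. Presumably the merge is intentional now that MVT export is a flag of webmap-import, but the unit no longer records why this user needs the broader write grant; a comment above ExecStart such as `# Import and MVT export are one step now (no separate publish service), so this unit owns /var/www/webmap/tiles` would keep that visible. If instances for different layer groups should not be able to touch each other's output, `ReadWritePaths=/var/www/webmap/tiles/%I` would narrow the grant, bearing in mind that systemd requires a listed path to exist unless it is prefixed with `-`.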
@@ -1,39 +0,0 @@
-[Unit]
-Description=Webmap updater service (publish ā%Iā as MVT)
-#After=postgresql.service webmap-update@%i.target
-#After=webmap-download@%i.service
-#After=webmap-import@%i.service
-#Upholds=webmap-update@%i.target
-
-[Service]
-User=_webmap-publish
-Group=_webmap
-
-Nice=15
-IOSchedulingClass=idle
-
-Type=oneshot
-ExecStart=/usr/local/bin/webmap-publish \
-    --lockfile=%t/lock/webmap/lock \
-    --destdir=/var/www/webmap/tiles/%I \
-    --webroot=/var/www/webmap \
-    --metadata=/var/www/webmap/tiles/metadata.json \
-    --metadata-lockfile=%t/lock/webmap/tiles.lock \
-    --compress \
-    -- %I
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectSystem=strict
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/www/webmap/tiles
-ReadWritePaths=%t/lock/webmap
-PrivateTmp=yes
-
-#[Install]
-#WantedBy=webmap-update@%i.target
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
index b6fa8be..c9c86d5 100644
--- a/files/etc/tmpfiles.d/webmap.conf
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -4,9 +4,5 @@ d %t/lock/webmap 00755 root root
 # (hence the set-group-ID bit and g+w)
 d %t/lock/webmap/cache 02775 _webmap-download _webmap
 
-# for webmap-import's *and* webmap-publish's --lockfile (hence the
-# ownership and g+w)
-f %t/lock/webmap/lock 0664 root _webmap
-
-# for webmap-publish's --metadata-lockfile
-f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap
+# for `webmap-import --lockfile`
+f %t/lock/webmap/lock 00644 _webmap-import _webmap
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index a417dbd..905aa73 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -15,7 +15,6 @@
     - python3
     - python3-brotli
     - python3-gdal
-    - python3-lxml
     - python3-requests
     - python3-systemd
     - python3-tqdm
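Review bot: The context line `d %t/lock/webmap/cache 02775 _webmap-download _webmap` in the tmpfiles hunk gains a second writer that the hunk does not document: the import unit's new `--lockdir-sources=%t/lock/webmap/cache` presumably relies on that directory's g+w, since the unit runs as `_webmap-import` with `Group=_webmap` rather than as the owning `_webmap-download` account. The new `f %t/lock/webmap/lock 00644 _webmap-import _webmap` line is consistent with its own comment now that only webmap-import takes the lock, so the gap is only in the comment above the cache line, whose start is outside the hunk. Extending it with something like `# also written by webmap-import --lockdir-sources, hence the g+w` would keep the permission reasoning complete.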
@@ -41,11 +40,18 @@
         owner=root group=root
         mode=0755
 
-- name: Copy /usr/local/share/webmap/common.py
-  copy: src=webmap-tools/common.py
-        dest=/usr/local/share/webmap/common.py
+- name: Copy /usr/local/share/webmap/*.py modules
+  copy: src=webmap-tools/{{ item }}
+        dest=/usr/local/share/webmap/{{ item }}
         owner=root group=root
         mode=0644
+  with_items:
+    # TODO these should be compiled
+    - common.py
+    - common_gdal.py
+    - import_source.py
+    - export_mvt.py
+    - rename_exchange.py
 
 - name: Copy webmap-update@.target
   copy: src=etc/systemd/system/webmap-update@.target
@@ -96,12 +102,6 @@
         owner=root group=root
         state=link force=yes
 
-- name: Copy /usr/local/share/webmap/webmap-download-mrr.py
-  copy: src=webmap-tools/webmap-download-mrr.py
-        dest=/usr/local/share/webmap/webmap-download-mrr.py
-        owner=root group=root
-        mode=0644
-
 - name: Create directory /var/cache/webmap
   file: path=/var/cache/webmap
         state=directory
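Review bot: The new `# TODO these should be compiled` inside `with_items` does not say what "compiled" means here or what is missing without it, so the next person touching this task cannot tell whether it is about byte-compiling the modules at deploy time or something else. Make the comment name the action and its purpose, e.g. `# TODO byte-compile these modules at deploy time instead of shipping sources only` if that is the intent, or otherwise state what is actually meant. As a point of style, `with_items` is the legacy loop keyword and `loop:` over this flat list of filenames is a drop-in equivalent, but if the rest of the file still uses `with_items` the switch is better done for the whole file at once.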
@@ -356,46 +356,12 @@
 - meta: flush_handlers
 
-- name: Create system user '_webmap-publish'
-  user: name=_webmap-publish system=true
-        group=_webmap
-        createhome=false
-        home=/nonexistent
-        shell=/usr/sbin/nologin
-        comment="Webmap update (publication as MVT)"
-        password="!"
-        state=present
-
-- name: Copy /usr/local/share/webmap/publish.py
-  copy: src=webmap-tools/webmap-publish
-        dest=/usr/local/share/webmap/publish.py
-        owner=root group=root
-        mode=0755
-
-- name: Create /usr/local/bin/webmap-publish
-  file: src=../share/webmap/publish.py
-        dest=/usr/local/bin/webmap-publish
-        owner=root group=root
-        state=link force=yes
-
 - name: Create directory /var/www/webmap/tiles
   file: path=/var/www/webmap/tiles
         state=directory
-        owner=_webmap-publish group=root
+        owner=_webmap-import group=root
         mode=0755
 
-- name: Copy webmap-publish@.service
-  copy: src=etc/systemd/system/webmap-publish@.service
-        dest=/etc/systemd/system/webmap-publish@.service
-        owner=root group=root
-        mode=0644
-  notify:
-    - systemctl daemon-reload
-
-#- name: Enable webmap-publish@.service
-#  service: name=webmap-publish@{{ item }}.service enabled=true
-#  with_items: "{{ webmap_layer_groups }}"
-
 - name: Copy /etc/tmpfiles.d/webmap.conf
   copy: src=etc/tmpfiles.d/webmap.conf |