Diffstat (limited to 'files/etc/systemd/system')
| -rw-r--r-- | files/etc/systemd/system/geodata-download@.service (renamed from files/etc/systemd/system/webmap-download@.service) | 24 | ||||
| -rw-r--r-- | files/etc/systemd/system/geodata-import@.service | 41 | ||||
| -rw-r--r-- | files/etc/systemd/system/geodata-raster@.service | 40 | ||||
| -rw-r--r-- | files/etc/systemd/system/geodata-update@.target | 3 | ||||
| -rw-r--r-- | files/etc/systemd/system/geodata-update@.timer (renamed from files/etc/systemd/system/webmap-update@.timer) | 4 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-cgi.socket | 11 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 39 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-publish@.service | 40 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-update@.target | 3 |
9 files changed, 109 insertions, 96 deletions
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/geodata-download@.service index 2c5a3e4..2a8c940 100644 --- a/files/etc/systemd/system/webmap-download@.service +++ b/files/etc/systemd/system/geodata-download@.service @@ -1,22 +1,22 @@ [Unit] -Description=Webmap updater service (download %I) +Description=Geodata updater service (download ‘%I’) # Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671 # XXX Looks like Upholds= prevents running a single unit, as it causes -# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service` -After=network-online.target webmap-update@%i.target -Upholds=webmap-update@%i.target +# geodata-update@%i.target to start upon `systemctl start geodata-download@foo.service` +After=network-online.target geodata-update@%i.target +Upholds=geodata-update@%i.target [Service] -User=_webmap-download -Group=_webmap +User=_geodata-download +Group=_geodata Nice=15 IOSchedulingClass=idle Type=oneshot -ExecStart=/usr/local/bin/webmap-download \ - --cachedir=/var/cache/webmap \ - --lockdir=%t/lock/webmap/download \ +ExecStart=/usr/local/bin/geodata-download \ + --cachedir=%C/geodata \ + --lockdir=%t/lock/geodata/cache \ --no-exit-code \ --quiet \ -- %I @@ -30,8 +30,8 @@ ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -ReadWritePaths=/var/cache/webmap -ReadWritePaths=%t/lock/webmap/download +ReadWritePaths=%C/geodata +ReadWritePaths=%t/lock/geodata/cache [Install] -WantedBy=webmap-update@%i.target +WantedBy=geodata-update@%i.target diff --git a/files/etc/systemd/system/geodata-import@.service b/files/etc/systemd/system/geodata-import@.service new file mode 100644 index 0000000..7d652ea --- /dev/null +++ b/files/etc/systemd/system/geodata-import@.service 
@@ -0,0 +1,41 @@
+[Unit]
+Description=Geodata updater service (import ‘%I’ to PostGIS)
+After=postgresql.service geodata-update@%i.target
+After=geodata-download@%i.service
+Upholds=geodata-update@%i.target
+
+[Service]
+User=_geodata
+Group=_geodata
+
+Nice=15
+IOSchedulingClass=idle
+
+# Point TMPDIR to something that is not a tmpfs as we need to unpack large archives
+Environment=TMPDIR=/var/tmp
+
+Type=oneshot
+ExecStart=/usr/local/bin/geodata-import \
+ --cachedir=%C/geodata \
+ --lockfile=%t/lock/geodata/lock \
+ --lockdir-sources=%t/lock/geodata/cache \
+ --mvtdir=/var/www/webmap/tiles/%I \
+ --mvt-compress \
+ --metadata-compress \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/geodata
+ReadWritePaths=/var/www/webmap/tiles
+PrivateTmp=yes
+
+[Install]
+WantedBy=geodata-update@%i.target
diff --git a/files/etc/systemd/system/geodata-raster@.service b/files/etc/systemd/system/geodata-raster@.service
new file mode 100644
index 0000000..aed7930
--- /dev/null
+++ b/files/etc/systemd/system/geodata-raster@.service
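Review bot: In geodata-import@.service the output directory is built from the unescaped instance name, `--mvtdir=/var/www/webmap/tiles/%I`, whereas the removed webmap-publish@.service used the escaped form for its directory (`--destdir=/var/www/webmap/tiles/%i`) and kept `%I` only for `--name`. systemd turns `-` in an instance name into `/` when expanding `%I`, so an instance name with a dash, or one that unescapes to a `..` component, resolves to a nested or parent path. ReadWritePaths= bounds where writes can land, but the layout under the web root would no longer match the instance name. If nested group names are not intended, I would write `--mvtdir=/var/www/webmap/tiles/%i \` here; the same applies to `--rasterdir=/var/www/webmap/raster/%I` in geodata-raster@.service.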
@@ -0,0 +1,40 @@ +[Unit] +Description=Geodata updater service (export ‘%I’ to COG) +After=geodata-update@%i.target +After=geodata-download@%i.service +Upholds=geodata-update@%i.target + +[Service] +User=_geodata +Group=_geodata + +Nice=15 +IOSchedulingClass=idle + +# Point TMPDIR to something that is not a tmpfs as we need to unpack large archives +Environment=TMPDIR=/var/tmp + +Type=oneshot +ExecStart=/usr/local/bin/geodata-import \ + --cachedir=%C/geodata \ + --lockfile=%t/lock/geodata/lock \ + --lockdir-sources=%t/lock/geodata/cache \ + --rasterdir=/var/www/webmap/raster/%I \ + --metadata-compress \ + -- %I + +# Hardening +NoNewPrivileges=yes +ProtectHome=yes +ProtectSystem=strict +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX +ReadWritePaths=%t/lock/geodata +ReadWritePaths=/var/www/webmap/raster +PrivateTmp=yes + +[Install] +WantedBy=geodata-update@%i.target diff --git a/files/etc/systemd/system/geodata-update@.target b/files/etc/systemd/system/geodata-update@.target new file mode 100644 index 0000000..e7cdecb --- /dev/null +++ b/files/etc/systemd/system/geodata-update@.target @@ -0,0 +1,3 @@ +[Unit] +Description=Geodata updater (target unit ‘%I’) +StopWhenUnneeded=true diff --git a/files/etc/systemd/system/webmap-update@.timer b/files/etc/systemd/system/geodata-update@.timer index 74fb848..90fd865 100644 --- a/files/etc/systemd/system/webmap-update@.timer +++ b/files/etc/systemd/system/geodata-update@.timer @@ -1,11 +1,11 @@ [Unit] -Description=Webmap updater (timer unit) +Description=Geodata updater (timer unit) [Timer] OnCalendar=*-*-* 01:00:00 AccuracySec=1s RandomizedDelaySec=3599 -Unit=webmap-update@%i.target +Unit=geodata-update@%i.target [Install] WantedBy=timers.target diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket new file mode 100644 index 0000000..2828985 --- /dev/null 
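Review bot: geodata-raster@.service already narrows `RestrictAddressFamilies=AF_UNIX`, but its hardening block otherwise stops at the same set as the import unit. Since this unit apparently needs no IP networking, `PrivateNetwork=yes` and an empty `CapabilityBoundingSet=` look like cheap additions. That assumes the raster export uses at most filesystem UNIX sockets and no capabilities, which the hunk does not show. Confirm with a test run and `systemd-analyze security` on an instantiated unit before committing them.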
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
deleted file mode 100644
index 06d204c..0000000
--- a/files/etc/systemd/system/webmap-import@.service
+++ /dev/null
@@ -1,39 +0,0 @@
-[Unit]
-Description=Webmap updater service (import %I to PostgreSQL)
-After=postgresql.service webmap-update@%i.target
-After=webmap-download@%i.service
-Upholds=webmap-update@%i.target
-
-# XXX webmap-download write cached files atomatically but there is no
-# guarantee that GDAL/OGR opens them atomically. It'd therefore make
-# sense to use the following Conflict= directive, however systemd skips
-# webmap-download@%i.service in that case.
-#Conflicts=webmap-download@%i.service
-
-[Service]
-User=_webmap-import
-Group=_webmap
-
-Nice=15
-IOSchedulingClass=idle
-
-Type=oneshot
-ExecStart=/usr/local/bin/webmap-import \
- --cachedir=/var/cache/webmap \
- --lockfile=%t/lock/webmap/lock \
- -- %I
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectSystem=strict
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=%t/lock/webmap
-PrivateTmp=yes
-
-[Install]
-WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
deleted file mode 100644
index e2f8e6b..0000000
--- a/files/etc/systemd/system/webmap-publish@.service
+++ /dev/null
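Review bot: `SocketMode=0666` in webmap-cgi.socket lets every local account connect to the CGI socket, although `SocketUser=www-data` already names the only client that appears to need it. Any process that can open the socket reaches the CGI backend directly, without the web server's request filtering or access logging in front of it. If only the web server connects, `SocketMode=0600` (or `0660` together with a `SocketGroup=` line) would be enough. Separately, `syslog.target` in `After=` is obsolete in current systemd and can be dropped.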
@@ -1,40 +0,0 @@
-[Unit]
-Description=Webmap updater service (publish %I as MVT)
-#After=postgresql.service webmap-update@%i.target
-#After=webmap-download@%i.service
-#After=webmap-import@%i.service
-#Upholds=webmap-update@%i.target
-
-[Service]
-User=_webmap-publish
-Group=_webmap
-
-Nice=15
-IOSchedulingClass=idle
-
-Type=oneshot
-ExecStart=/usr/local/bin/webmap-publish \
- --lockfile=%t/lock/webmap/lock \
- --destdir=/var/www/webmap/tiles/%i \
- --name=%I \
- --webroot=/var/www/webmap \
- --metadata=/var/www/webmap/tiles/metadata.json \
- --metadata-lockfile=%t/lock/webmap/tiles.lock \
- --compress \
- -- %I
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectSystem=strict
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/www/webmap/tiles
-ReadWritePaths=%t/lock/webmap
-PrivateTmp=yes
-
-#[Install]
-#WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
deleted file mode 100644
index 3d9fb7f..0000000
--- a/files/etc/systemd/system/webmap-update@.target
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-Description=Webmap updater (target unit %I)
-StopWhenUnneeded=true |
