6 files changed, 60 insertions, 55 deletions

diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+    --single-interpreter --die-on-term \
+    --close-on-exec --close-on-exec2 \
+    --max-requests 1000 \
+    --max-worker-lifetime 86400 \
+    --max-worker-lifetime-delta 11 \
+    --harakiri 60 \
+    --lazy-apps \
+    --plugins python3 \
+    --pythonpath /usr/local/share/webmap \
+    --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket
new file mode 100644
index 0000000..2828985
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index 2c5a3e4..d7a49dc 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Webmap updater service (download %I)
+Description=Webmap updater service (download ‘%I’)
 # Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
 # XXX Looks like Upholds= prevents running a single unit, as it causes
 # webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
@@ -15,8 +15,8 @@ IOSchedulingClass=idle
 
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-download \
-    --cachedir=/var/cache/webmap \
-    --lockdir=%t/lock/webmap/download \
+    --cachedir=%C/webmap \
+    --lockdir=%t/lock/webmap/cache \
     --no-exit-code \
     --quiet \
     -- %I
@@ -30,8 +30,8 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/cache/webmap
-ReadWritePaths=%t/lock/webmap/download
+ReadWritePaths=%C/webmap
+ReadWritePaths=%t/lock/webmap/cache
 
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 06d204c..964c37d 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -1,17 +1,11 @@
 [Unit]
-Description=Webmap updater service (import %I to PostgreSQL)
+Description=Webmap updater service (import ‘%I’ to PostGIS)
 After=postgresql.service webmap-update@%i.target
 After=webmap-download@%i.service
 Upholds=webmap-update@%i.target
 
-# XXX webmap-download write cached files atomatically but there is no
-# guarantee that GDAL/OGR opens them atomically.  It'd therefore make
-# sense to use the following Conflict= directive, however systemd skips
-# webmap-download@%i.service in that case.
-#Conflicts=webmap-download@%i.service
-
 [Service]
-User=_webmap-import
+User=_webmap
 Group=_webmap
 
 Nice=15
@@ -19,8 +13,11 @@ IOSchedulingClass=idle
 
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-import \
-    --cachedir=/var/cache/webmap \
+    --cachedir=%C/webmap \
     --lockfile=%t/lock/webmap/lock \
+    --lockdir-sources=%t/lock/webmap/cache \
+    --mvtdir=/var/www/webmap/tiles/%I \
+    --mvt-compress \
     -- %I
 
 # Hardening
@@ -33,6 +30,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=%t/lock/webmap
+ReadWritePaths=/var/www/webmap/tiles
 PrivateTmp=yes
 
 [Install]
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
deleted file mode 100644
index e2f8e6b..0000000
--- a/files/etc/systemd/system/webmap-publish@.service
+++ /dev/null
@@ -1,40 +0,0 @@
-[Unit]
-Description=Webmap updater service (publish %I as MVT)
-#After=postgresql.service webmap-update@%i.target
-#After=webmap-download@%i.service
-#After=webmap-import@%i.service
-#Upholds=webmap-update@%i.target
-
-[Service]
-User=_webmap-publish
-Group=_webmap
-
-Nice=15
-IOSchedulingClass=idle
-
-Type=oneshot
-ExecStart=/usr/local/bin/webmap-publish \
-    --lockfile=%t/lock/webmap/lock \
-    --destdir=/var/www/webmap/tiles/%i \
-    --name=%I \
-    --webroot=/var/www/webmap \
-    --metadata=/var/www/webmap/tiles/metadata.json \
-    --metadata-lockfile=%t/lock/webmap/tiles.lock \
-    --compress \
-    -- %I
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectSystem=strict
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/www/webmap/tiles
-ReadWritePaths=%t/lock/webmap
-PrivateTmp=yes
-
-#[Install]
-#WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
index 3d9fb7f..840de96 100644
--- a/files/etc/systemd/system/webmap-update@.target
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -1,3 +1,3 @@
 [Unit]
-Description=Webmap updater (target unit %I)
+Description=Webmap updater (target unit ‘%I’)
 StopWhenUnneeded=true