7 files changed, 109 insertions, 18 deletions

diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/geodata-download@.service
index a928a13..2a8c940 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/geodata-download@.service
@@ -1,22 +1,22 @@
 [Unit]
-Description=Webmap updater service (download %I)
+Description=Geodata updater service (download ‘%I’)
 # Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
 # XXX Looks like Upholds= prevents running a single unit, as it causes
-# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
-After=network-online.target webmap-update@%i.target
-Upholds=webmap-update@%i.target
+# geodata-update@%i.target to start upon `systemctl start geodata-download@foo.service`
+After=network-online.target geodata-update@%i.target
+Upholds=geodata-update@%i.target
 
 [Service]
-User=_webmap-download
-Group=nogroup
+User=_geodata-download
+Group=_geodata
 
 Nice=15
 IOSchedulingClass=idle
 
 Type=oneshot
-ExecStart=/usr/local/bin/webmap-download \
-    --cachedir=/var/cache/webmap \
-    --lockdir=%t/webmap-download \
+ExecStart=/usr/local/bin/geodata-download \
+    --cachedir=%C/geodata \
+    --lockdir=%t/lock/geodata/cache \
     --no-exit-code \
     --quiet \
     -- %I
@@ -30,9 +30,8 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/cache/webmap
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
+ReadWritePaths=%C/geodata
+ReadWritePaths=%t/lock/geodata/cache
 
 [Install]
-WantedBy=webmap-update@%i.target
+WantedBy=geodata-update@%i.target
diff --git a/files/etc/systemd/system/geodata-import@.service b/files/etc/systemd/system/geodata-import@.service
new file mode 100644
index 0000000..7d652ea
--- /dev/null
+++ b/files/etc/systemd/system/geodata-import@.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Geodata updater service (import ‘%I’ to PostGIS)
+After=postgresql.service geodata-update@%i.target
+After=geodata-download@%i.service
+Upholds=geodata-update@%i.target
+
+[Service]
+User=_geodata
+Group=_geodata
+
+Nice=15
+IOSchedulingClass=idle
+
+# Point TMPDIR to something that is not a tmpfs as we need to unpack large archives
+Environment=TMPDIR=/var/tmp
+
+Type=oneshot
+ExecStart=/usr/local/bin/geodata-import \
+    --cachedir=%C/geodata \
+    --lockfile=%t/lock/geodata/lock \
+    --lockdir-sources=%t/lock/geodata/cache \
+    --mvtdir=/var/www/webmap/tiles/%I \
+    --mvt-compress \
+    --metadata-compress \
+    -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/geodata
+ReadWritePaths=/var/www/webmap/tiles
+PrivateTmp=yes
+
+[Install]
+WantedBy=geodata-update@%i.target
diff --git a/files/etc/systemd/system/geodata-raster@.service b/files/etc/systemd/system/geodata-raster@.service
new file mode 100644
index 0000000..aed7930
--- /dev/null
+++ b/files/etc/systemd/system/geodata-raster@.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Geodata updater service (export ‘%I’ to COG)
+After=geodata-update@%i.target
+After=geodata-download@%i.service
+Upholds=geodata-update@%i.target
+
+[Service]
+User=_geodata
+Group=_geodata
+
+Nice=15
+IOSchedulingClass=idle
+
+# Point TMPDIR to something that is not a tmpfs as we need to unpack large archives
+Environment=TMPDIR=/var/tmp
+
+Type=oneshot
+ExecStart=/usr/local/bin/geodata-import \
+    --cachedir=%C/geodata \
+    --lockfile=%t/lock/geodata/lock \
+    --lockdir-sources=%t/lock/geodata/cache \
+    --rasterdir=/var/www/webmap/raster/%I \
+    --metadata-compress \
+    -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+ReadWritePaths=%t/lock/geodata
+ReadWritePaths=/var/www/webmap/raster
+PrivateTmp=yes
+
+[Install]
+WantedBy=geodata-update@%i.target
diff --git a/files/etc/systemd/system/geodata-update@.target b/files/etc/systemd/system/geodata-update@.target
new file mode 100644
index 0000000..e7cdecb
--- /dev/null
+++ b/files/etc/systemd/system/geodata-update@.target
@@ -0,0 +1,3 @@
+[Unit]
+Description=Geodata updater (target unit ‘%I’)
+StopWhenUnneeded=true
diff --git a/files/etc/systemd/system/webmap-update@.timer b/files/etc/systemd/system/geodata-update@.timer
index 74fb848..90fd865 100644
--- a/files/etc/systemd/system/webmap-update@.timer
+++ b/files/etc/systemd/system/geodata-update@.timer
@@ -1,11 +1,11 @@
 [Unit]
-Description=Webmap updater (timer unit)
+Description=Geodata updater (timer unit)
 
 [Timer]
 OnCalendar=*-*-* 01:00:00
 AccuracySec=1s
 RandomizedDelaySec=3599
-Unit=webmap-update@%i.target
+Unit=geodata-update@%i.target
 
 [Install]
 WantedBy=timers.target
diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket
new file mode 100644
index 0000000..2828985
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
deleted file mode 100644
index 3d9fb7f..0000000
--- a/files/etc/systemd/system/webmap-update@.target
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-Description=Webmap updater (target unit %I)
-StopWhenUnneeded=true