diff options
Diffstat (limited to 'files/etc')
| -rw-r--r-- | files/etc/nginx/sites-available/webmap | 34 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-download@.service | 9 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 39 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-publish@.service | 39 | ||||
| -rw-r--r-- | files/etc/systemd/system/webmap-update@.target | 2 | ||||
| -rw-r--r-- | files/etc/tmpfiles.d/webmap.conf | 11 |
6 files changed, 118 insertions, 16 deletions
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap index d16ab60..6921c2c 100644 --- a/files/etc/nginx/sites-available/webmap +++ b/files/etc/nginx/sites-available/webmap @@ -45,36 +45,50 @@ server { ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key; include snippets/ssl.conf; + root /var/www/webmap; + index index.html; + add_header Referrer-Policy "no-referrer"; - add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always; - add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'"; - - root /var/www/webmap; - index index.html; + add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'"; + #add_header Access-Control-Allow-Origin "*" always; location ^~ /assets/ { expires 7d; - gzip_static on; + brotli_static on; try_files $uri =404; } location ^~ /tiles/ { - expires 1d; - gzip_static on; + expires 8h; + brotli_static on; try_files $uri =404; error_page 404 /_.txt; } + location = /tiles/metadata.json { + expires epoch; + brotli_static on; + try_files $uri =404; + } location = /_.txt { - # cache 404 responses + # cache 404 responses for 8h like for valid tiles add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always; - add_header Cache-Control "public; max-age=86400" always; + add_header Cache-Control "public; max-age=28800" always; + #add_header Access-Control-Allow-Origin "*" always; internal; } location / { + add_header Referrer-Policy "no-referrer"; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always; + add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'"; + try_files $uri $uri/ =404; } } diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service index a928a13..e6b7f44 100644 --- a/files/etc/systemd/system/webmap-download@.service +++ b/files/etc/systemd/system/webmap-download@.service @@ -1,5 +1,5 @@ [Unit] -Description=Webmap updater service (download %I) +Description=Webmap updater service (download ‘%I’) # Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671 # XXX Looks like Upholds= prevents running a single unit, as it causes # webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service` @@ -8,7 +8,7 @@ Upholds=webmap-update@%i.target [Service] User=_webmap-download -Group=nogroup +Group=_webmap Nice=15 IOSchedulingClass=idle @@ -16,7 +16,7 @@ IOSchedulingClass=idle Type=oneshot ExecStart=/usr/local/bin/webmap-download \ --cachedir=/var/cache/webmap \ - --lockdir=%t/webmap-download \ + --lockdir=%t/lock/webmap/download \ --no-exit-code \ --quiet \ -- %I @@ -31,8 +31,7 @@ ProtectKernelModules=yes ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 ReadWritePaths=/var/cache/webmap -RuntimeDirectory=webmap-download -RuntimeDirectoryPreserve=yes +ReadWritePaths=%t/lock/webmap/download [Install] WantedBy=webmap-update@%i.target diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service new file mode 100644 index 0000000..30300a5 --- /dev/null +++ b/files/etc/systemd/system/webmap-import@.service @@ -0,0 +1,39 @@ +[Unit] +Description=Webmap updater service (import ‘%I’ to PostGIS) +After=postgresql.service webmap-update@%i.target +After=webmap-download@%i.service +Upholds=webmap-update@%i.target + +# XXX webmap-download write cached files atomatically but there is no +# guarantee that GDAL/OGR opens them atomically. It'd therefore make +# sense to use the following Conflict= directive, however systemd skips +# webmap-download@%i.service in that case. +#Conflicts=webmap-download@%i.service + +[Service] +User=_webmap-import +Group=_webmap + +Nice=15 +IOSchedulingClass=idle + +Type=oneshot +ExecStart=/usr/local/bin/webmap-import \ + --cachedir=/var/cache/webmap \ + --lockfile=%t/lock/webmap/lock \ + -- %I + +# Hardening +NoNewPrivileges=yes +ProtectHome=yes +ProtectSystem=strict +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +ReadWritePaths=%t/lock/webmap +PrivateTmp=yes + +[Install] +WantedBy=webmap-update@%i.target diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service new file mode 100644 index 0000000..9d138da --- /dev/null +++ b/files/etc/systemd/system/webmap-publish@.service @@ -0,0 +1,39 @@ +[Unit] +Description=Webmap updater service (publish ‘%I’ as MVT) +#After=postgresql.service webmap-update@%i.target +#After=webmap-download@%i.service +#After=webmap-import@%i.service +#Upholds=webmap-update@%i.target + +[Service] +User=_webmap-publish +Group=_webmap + +Nice=15 +IOSchedulingClass=idle + +Type=oneshot +ExecStart=/usr/local/bin/webmap-publish \ + --lockfile=%t/lock/webmap/lock \ + --destdir=/var/www/webmap/tiles/%I \ + --webroot=/var/www/webmap \ + --metadata=/var/www/webmap/tiles/metadata.json \ + --metadata-lockfile=%t/lock/webmap/tiles.lock \ + --compress \ + -- %I + +# Hardening +NoNewPrivileges=yes +ProtectHome=yes +ProtectSystem=strict +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +ReadWritePaths=/var/www/webmap/tiles +ReadWritePaths=%t/lock/webmap +PrivateTmp=yes + +#[Install] +#WantedBy=webmap-update@%i.target diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target index 3d9fb7f..840de96 100644 --- a/files/etc/systemd/system/webmap-update@.target +++ b/files/etc/systemd/system/webmap-update@.target @@ -1,3 +1,3 @@ [Unit] -Description=Webmap updater (target unit %I) +Description=Webmap updater (target unit ‘%I’) StopWhenUnneeded=true diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf new file mode 100644 index 0000000..620cd24 --- /dev/null +++ b/files/etc/tmpfiles.d/webmap.conf @@ -0,0 +1,11 @@ +d %t/lock/webmap 0755 root root + +# for webmap-download's --lockdir +d %t/lock/webmap/download 0755 _webmap-download _webmap + +# for webmap-import's *and* webmap-publish's --lockfile (hence the +# ownership and g+w) +f %t/lock/webmap/lock 0664 root _webmap + +# for webmap-publish's --metadata-lockfile +f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap |