6 files changed, 118 insertions, 16 deletions
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index d16ab60..6921c2c 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -45,36 +45,50 @@ server {
     ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
     include snippets/ssl.conf;
 
+    root /var/www/webmap;
+    index index.html;
+
     add_header Referrer-Policy "no-referrer";
-    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Frame-Options "DENY";
     add_header X-Content-Type-Options "nosniff";
     add_header X-XSS-Protection "1; mode=block";
     add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-    add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
-
-    root /var/www/webmap;
-    index index.html;
+    add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'";
+    #add_header Access-Control-Allow-Origin "*" always;
 
     location ^~ /assets/ {
         expires 7d;
-        gzip_static on;
+        brotli_static on;
         try_files $uri =404;
     }
     location ^~ /tiles/ {
-        expires 1d;
-        gzip_static on;
+        expires 8h;
+        brotli_static on;
         try_files $uri =404;
         error_page 404 /_.txt;
     }
+    location = /tiles/metadata.json {
+        expires epoch;
+        brotli_static on;
+        try_files $uri =404;
+    }
 
     location = /_.txt {
-        # cache 404 responses
+        # cache 404 responses for 8h like for valid tiles
         add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-        add_header Cache-Control "public; max-age=86400" always;
+        add_header Cache-Control "public; max-age=28800" always;
+        #add_header Access-Control-Allow-Origin "*" always;
         internal;
     }
 
     location / {
+        add_header Referrer-Policy "no-referrer";
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
+        add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
+
         try_files $uri $uri/ =404;
     }
 }
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index a928a13..e6b7f44 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Webmap updater service (download %I)
+Description=Webmap updater service (download ‘%I’)
 # Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
 # XXX Looks like Upholds= prevents running a single unit, as it causes
 # webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
@@ -8,7 +8,7 @@ Upholds=webmap-update@%i.target
 
 [Service]
 User=_webmap-download
-Group=nogroup
+Group=_webmap
 
 Nice=15
 IOSchedulingClass=idle
@@ -16,7 +16,7 @@ IOSchedulingClass=idle
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-download \
     --cachedir=/var/cache/webmap \
-    --lockdir=%t/webmap-download \
+    --lockdir=%t/lock/webmap/download \
     --no-exit-code \
     --quiet \
     -- %I
@@ -31,8 +31,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=/var/cache/webmap
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
+ReadWritePaths=%t/lock/webmap/download
 
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
new file mode 100644
index 0000000..30300a5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=Webmap updater service (import ‘%I’ to PostGIS)
+After=postgresql.service webmap-update@%i.target
+After=webmap-download@%i.service
+Upholds=webmap-update@%i.target
+
+# XXX webmap-download write cached files atomatically but there is no
+# guarantee that GDAL/OGR opens them atomically.  It'd therefore make
+# sense to use the following Conflict= directive, however systemd skips
+# webmap-download@%i.service in that case.
+#Conflicts=webmap-download@%i.service
+
+[Service]
+User=_webmap-import
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-import \
+    --cachedir=/var/cache/webmap \
+    --lockfile=%t/lock/webmap/lock \
+    -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
+PrivateTmp=yes
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
new file mode 100644
index 0000000..9d138da
--- /dev/null
+++ b/files/etc/systemd/system/webmap-publish@.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=Webmap updater service (publish ‘%I’ as MVT)
+#After=postgresql.service webmap-update@%i.target
+#After=webmap-download@%i.service
+#After=webmap-import@%i.service
+#Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-publish
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-publish \
+    --lockfile=%t/lock/webmap/lock \
+    --destdir=/var/www/webmap/tiles/%I \
+    --webroot=/var/www/webmap \
+    --metadata=/var/www/webmap/tiles/metadata.json \
+    --metadata-lockfile=%t/lock/webmap/tiles.lock \
+    --compress \
+    -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=/var/www/webmap/tiles
+ReadWritePaths=%t/lock/webmap
+PrivateTmp=yes
+
+#[Install]
+#WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
index 3d9fb7f..840de96 100644
--- a/files/etc/systemd/system/webmap-update@.target
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -1,3 +1,3 @@
 [Unit]
-Description=Webmap updater (target unit %I)
+Description=Webmap updater (target unit ‘%I’)
 StopWhenUnneeded=true
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
new file mode 100644
index 0000000..620cd24
--- /dev/null
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -0,0 +1,11 @@
+d %t/lock/webmap            0755 root root
+
+# for webmap-download's --lockdir
+d %t/lock/webmap/download   0755 _webmap-download _webmap
+
+# for webmap-import's *and* webmap-publish's --lockfile (hence the
+# ownership and g+w)
+f %t/lock/webmap/lock       0664 root _webmap
+
+# for webmap-publish's --metadata-lockfile
+f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap