8 files changed, 157 insertions, 18 deletions

diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index d16ab60..24ccdb9 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -45,36 +45,80 @@ server {
     ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
     include snippets/ssl.conf;
 
+    root /var/www/webmap;
+    index index.html;
+
     add_header Referrer-Policy "no-referrer";
-    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Frame-Options "DENY";
     add_header X-Content-Type-Options "nosniff";
     add_header X-XSS-Protection "1; mode=block";
     add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-    add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
-
-    root /var/www/webmap;
-    index index.html;
+    add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'";
+    #add_header Access-Control-Allow-Origin $http_origin always;
+
+    include mime.types;
+    types {
+        # application/protobuf and application/vnd.google.protobuf might be valid types too, cf.
+        # https://stackoverflow.com/questions/30505408/what-is-the-correct-protobuf-content-type
+        application/x-protobuf pbf;
+    }
 
     location ^~ /assets/ {
         expires 7d;
-        gzip_static on;
         try_files $uri =404;
+        location ~ "\.(?:css|js|svg)$" {
+            brotli_static on;
+        }
     }
     location ^~ /tiles/ {
-        expires 1d;
-        gzip_static on;
+        expires 30m;
+        brotli_static on;
         try_files $uri =404;
+        # service an empty payload to save bandwidth
         error_page 404 /_.txt;
     }
+    location ^~ /raster/ {
+        expires 30m;
+        try_files $uri =404;
+        # service an empty payload to save bandwidth
+        error_page 404 /_.txt;
+    }
+    location = /q {
+        expires epoch;
+        limit_except POST { deny all; }
+        #if ($request_method = OPTIONS) {
+        #    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
+        #    add_header Access-Control-Allow-Origin $http_origin;
+        #    add_header Access-Control-Allow-Methods "POST, GET, OPTIONS";
+        #    add_header Access-Control-Allow-Headers "Accept, Content-Type";
+        #    add_header Access-Control-Max-Age 28800;
+        #    return 204;
+        #}
+        client_max_body_size 64k;
+        gzip on;
+        gzip_types application/json text/plain;
+        include uwsgi_params;
+        uwsgi_pass unix:/run/webmap-cgi.socket;
+    }
 
     location = /_.txt {
-        # cache 404 responses
+        # cache 404 responses for 30m like for valid tiles
         add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-        add_header Cache-Control "public; max-age=86400" always;
+        add_header Cache-Control "public; max-age=1800" always;
+        #add_header Access-Control-Allow-Origin $http_origin always;
         internal;
     }
 
     location / {
+        add_header Referrer-Policy "no-referrer";
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
+        add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; worker-src blob:; base-uri 'self'";
+
+        expires 1h;
+        brotli_static on;
         try_files $uri $uri/ =404;
     }
 }
diff --git a/files/etc/postgresql/postgresql.conf b/files/etc/postgresql/postgresql.conf
new file mode 100644
index 0000000..038438a
--- /dev/null
+++ b/files/etc/postgresql/postgresql.conf
@@ -0,0 +1,4 @@
+shared_buffers = 768MB
+temp_buffers = 128MB
+work_mem = 16MB
+effective_cache_size = 1536MB
diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+    --single-interpreter --die-on-term \
+    --close-on-exec --close-on-exec2 \
+    --max-requests 1000 \
+    --max-worker-lifetime 86400 \
+    --max-worker-lifetime-delta 11 \
+    --harakiri 60 \
+    --lazy-apps \
+    --plugins python3 \
+    --pythonpath /usr/local/share/webmap \
+    --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket
new file mode 100644
index 0000000..2828985
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index a928a13..d7a49dc 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Webmap updater service (download %I)
+Description=Webmap updater service (download ‘%I’)
 # Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
 # XXX Looks like Upholds= prevents running a single unit, as it causes
 # webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
@@ -8,15 +8,15 @@ Upholds=webmap-update@%i.target
 
 [Service]
 User=_webmap-download
-Group=nogroup
+Group=_webmap
 
 Nice=15
 IOSchedulingClass=idle
 
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-download \
-    --cachedir=/var/cache/webmap \
-    --lockdir=%t/webmap-download \
+    --cachedir=%C/webmap \
+    --lockdir=%t/lock/webmap/cache \
     --no-exit-code \
     --quiet \
     -- %I
@@ -30,9 +30,8 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/cache/webmap
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
+ReadWritePaths=%C/webmap
+ReadWritePaths=%t/lock/webmap/cache
 
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
new file mode 100644
index 0000000..964c37d
--- /dev/null
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap updater service (import ‘%I’ to PostGIS)
+After=postgresql.service webmap-update@%i.target
+After=webmap-download@%i.service
+Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-import \
+    --cachedir=%C/webmap \
+    --lockfile=%t/lock/webmap/lock \
+    --lockdir-sources=%t/lock/webmap/cache \
+    --mvtdir=/var/www/webmap/tiles/%I \
+    --mvt-compress \
+    -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
+ReadWritePaths=/var/www/webmap/tiles
+PrivateTmp=yes
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
index 3d9fb7f..840de96 100644
--- a/files/etc/systemd/system/webmap-update@.target
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -1,3 +1,3 @@
 [Unit]
-Description=Webmap updater (target unit %I)
+Description=Webmap updater (target unit ‘%I’)
 StopWhenUnneeded=true
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
new file mode 100644
index 0000000..786e6dd
--- /dev/null
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -0,0 +1,8 @@
+d %t/lock/webmap            00755 root root
+
+# for `webmap-download --lockdir` *and* `webmap-import --lockdir-sources`
+# (hence the set-group-ID bit and g+w)
+d %t/lock/webmap/cache      02775 _webmap-download _webmap
+
+# for `webmap-import --lockfile`
+f %t/lock/webmap/lock       00644 _webmap _webmap