Diffstat (limited to 'files')
-rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 12 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-publish@.service | 39 | ||||
-rw-r--r-- | files/etc/tmpfiles.d/webmap.conf | 8 |
3 files changed, 7 insertions, 52 deletions
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
index 30300a5..40c4c5e 100644
--- a/files/etc/systemd/system/webmap-import@.service
+++ b/files/etc/systemd/system/webmap-import@.service
@@ -4,12 +4,6 @@ After=postgresql.service webmap-update@%i.target
 After=webmap-download@%i.service
 Upholds=webmap-update@%i.target
 
-# XXX webmap-download write cached files atomatically but there is no
-# guarantee that GDAL/OGR opens them atomically. It'd therefore make
-# sense to use the following Conflict= directive, however systemd skips
-# webmap-download@%i.service in that case.
-#Conflicts=webmap-download@%i.service
-
 [Service]
 User=_webmap-import
 Group=_webmap
@@ -19,8 +13,11 @@ IOSchedulingClass=idle
 
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-import \
- --cachedir=/var/cache/webmap \
+ --cachedir=%C/webmap \
 --lockfile=%t/lock/webmap/lock \
+ --lockdir-sources=%t/lock/webmap/cache \
+ --mvtdir=/var/www/webmap/tiles/%I \
+ --mvt-compress \
 -- %I
 
 # Hardening
@@ -33,6 +30,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=%t/lock/webmap
+ReadWritePaths=/var/www/webmap/tiles
 PrivateTmp=yes
 
 [Install]
diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service
deleted file mode 100644
index 9d138da..0000000
--- a/files/etc/systemd/system/webmap-publish@.service
+++ /dev/null
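Review bot: The added `--mvtdir=/var/www/webmap/tiles/%I` in ExecStart= builds the publish directory from the unescaped instance name, and systemd's unescaping turns `-` into `/` and decodes `\xXX` sequences, so the result need not be a single path component below tiles/. ProtectSystem=strict together with the ReadWritePaths= lines further down limits where an unexpected value can write, but only to the whole tiles/ tree and the lock directory. Unless webmap-import already validates its positional argument (not visible here), I would state the accepted instance names next to the option, e.g. `# %I must be a single path component (no "/" or ".." after unescaping)`, and enforce that in the tool.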
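Review bot: `ReadWritePaths=/var/www/webmap/tiles` gives _webmap-import write access to the web-served tile tree that the deleted webmap-publish@.service reserved for _webmap-publish, while this unit also allows AF_INET/AF_INET6 and presumably talks to the database. That folds two privilege domains into one, so a fault in the import path can now alter published content for every instance. If the tool only writes below its own instance directory, `ReadWritePaths=/var/www/webmap/tiles/%I` would be narrower (the path must exist before start, or be prefixed with `-`); otherwise a comment such as `# webmap-import now publishes the MVT tiles itself (was _webmap-publish)` should record why the wider path is needed. The matching ownership change of /var/www/webmap/tiles is not part of this diff and should be checked.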
@@ -1,39 +0,0 @@
-[Unit]
-Description=Webmap updater service (publish ā%Iā as MVT)
-#After=postgresql.service webmap-update@%i.target
-#After=webmap-download@%i.service
-#After=webmap-import@%i.service
-#Upholds=webmap-update@%i.target
-
-[Service]
-User=_webmap-publish
-Group=_webmap
-
-Nice=15
-IOSchedulingClass=idle
-
-Type=oneshot
-ExecStart=/usr/local/bin/webmap-publish \
- --lockfile=%t/lock/webmap/lock \
- --destdir=/var/www/webmap/tiles/%I \
- --webroot=/var/www/webmap \
- --metadata=/var/www/webmap/tiles/metadata.json \
- --metadata-lockfile=%t/lock/webmap/tiles.lock \
- --compress \
- -- %I
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectSystem=strict
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ReadWritePaths=/var/www/webmap/tiles
-ReadWritePaths=%t/lock/webmap
-PrivateTmp=yes
-
-#[Install]
-#WantedBy=webmap-update@%i.target
diff --git a/files/etc/tmpfiles.d/webmap.conf b/files/etc/tmpfiles.d/webmap.conf
index b6fa8be..c9c86d5 100644
--- a/files/etc/tmpfiles.d/webmap.conf
+++ b/files/etc/tmpfiles.d/webmap.conf
@@ -4,9 +4,5 @@ d %t/lock/webmap 00755 root root
 # (hence the set-group-ID bit and g+w)
 d %t/lock/webmap/cache 02775 _webmap-download _webmap
 
-# for webmap-import's *and* webmap-publish's --lockfile (hence the
-# ownership and g+w)
-f %t/lock/webmap/lock 0664 root _webmap
-
-# for webmap-publish's --metadata-lockfile
-f %t/lock/webmap/tiles.lock 0644 _webmap-publish _webmap
+# for `webmap-import --lockfile`
+f %t/lock/webmap/lock 00644 _webmap-import _webmap
|
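Review bot: The new entry `f %t/lock/webmap/lock 00644 _webmap-import _webmap` loses the explanation of mode and ownership that the removed comment carried, and 00644 leaves the lock file readable by every local account. If webmap-import uses flock(2)-style advisory locking (not visible here), read access is enough to hold the lock, so an unrelated account could stall imports. When no other service needs the file, `f %t/lock/webmap/lock 00600 _webmap-import _webmap` is tighter. Either way the comment should say who is expected to take the lock, e.g. `# for webmap-import --lockfile; only _webmap-import takes it`.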