1 files changed, 238 insertions, 5 deletions

diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 10a6555..5f82d7f 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -1,17 +1,23 @@
 - name: Install gdal-bin
   apt: pkg=gdal-bin install-recommends=true
 
-- name: Install unzip
-  apt: pkg=unzip
+- name: Install unzip and brotli
+  apt: pkg={{ packages }}
+  vars:
+    packages:
+    - unzip
+    - brotli
 
 - name: Install python dependencies
   apt: pkg={{ packages }}
   vars:
     packages:
     - python3
+    - python3-brotli
     - python3-gdal
     - python3-lxml
     - python3-requests
+    - python3-systemd
     - python3-tqdm
     - python3-urllib3
     - python3-xdg
@@ -64,9 +70,13 @@
 - meta: flush_handlers
 
 
+- name: Create system group '_webmap'
+  group: name=_webmap system=true
+         state=present
+
 - name: Create system user '_webmap-download'
   user: name=_webmap-download system=true
-        group=nogroup
+        group=_webmap
         createhome=false
         home=/nonexistent
         shell=/usr/sbin/nologin
@@ -95,9 +105,22 @@
 - name: Create directory /var/cache/webmap
   file: path=/var/cache/webmap
         state=directory
-        owner=_webmap-download group=nogroup
+        owner=_webmap-download group=root
         mode=0755
 
+- name: Create directory /var/cache/webmap/custom
+  file: path=/var/cache/webmap/custom
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy custom layers into /var/cache/webmap/custom
+  copy: src=webmap-tools/layers/custom/
+        dest=/var/cache/webmap/custom/
+        owner=root group=root
+        mode=0644
+        directory_mode=0755
+
 - name: Copy webmap-download@.service
   copy: src=etc/systemd/system/webmap-download@.service
         dest=/etc/systemd/system/webmap-download@.service
@@ -108,11 +131,25 @@
 
 - name: Enable webmap-download@.service
   service: name=webmap-download@{{ item }}.service enabled=true
-  with_items: "{{ webmap_layer_groups }}"
+  with_items: "{{ webmap_layer_groups | difference(webmap_layer_groups_nodownload) }}"
+
+- name: Disable some webmap-download@.service
+  service: name=webmap-download@{{ item }}.service enabled=false
+  with_items: "{{ webmap_layer_groups_nodownload }}"
 
 - meta: flush_handlers
 
 
+- name: Create system user '_webmap-import'
+  user: name=_webmap-import system=true
+        group=_webmap
+        createhome=false
+        home=/nonexistent
+        shell=/usr/sbin/nologin
+        comment="Webmap update (extract/import)"
+        password="!"
+        state=present
+
 - name: Install PostgreSQL and PostGIS
   apt: pkg={{ packages }}
   vars:
@@ -133,6 +170,13 @@
 
 - meta: flush_handlers
 
+# Usage: \sudo -u postgres psql </usr/local/share/webmap/schema.sql
+- name: Copy /usr/local/share/webmap/schema.sql
+  copy: src=webmap-tools/schema.sql
+        dest=/usr/local/share/webmap/schema.sql
+        owner=root group=root
+        mode=0644
+
 - name: Create PostgreSQL database
   become: true
   # XXX: this creates /var/lib/postgresql/.ansible/tmp
@@ -148,6 +192,43 @@
     template: template0
     owner: postgres
 
+- name: Create 'webmap_import' and 'webmap_guest' PostgreSQL users (roles)
+  become: true
+  become_user: postgres
+  community.postgresql.postgresql_user:
+    db: webmap
+    name: "{{ item }}"
+  with_items:
+    - webmap_import
+    - webmap_guest
+
+- name: Add a rule for 'webmap_import' user in pg_hba.conf
+  ansible.builtin.lineinfile:
+    path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_hba.conf
+    regexp: '^local\s+webmap\s'
+    line: 'local   webmap          all                                     peer map=pgmap_webmap'
+    # must come before 'local all all peer', cf.
+    # https://dba.stackexchange.com/questions/177142/postgresql-cannot-peer-authenticate-using-usermap-provided-user-name-dbuser
+    insertbefore: '^local\s+all\s+all\s'
+    create: false
+  notify: Reload PostgreSQL
+
+- name: Add a mapping rule for 'webmap_import' user in pg_ident.conf
+  ansible.builtin.lineinfile:
+    path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
+    regexp: '^pgmap_webmap\s.*\swebmap_import\s*$'
+    line: 'pgmap_webmap    _webmap-import                          webmap_import'
+    create: false
+  notify: Reload PostgreSQL
+
+- name: Add a mapping rule for 'webmap_guest' user in pg_ident.conf
+  ansible.builtin.lineinfile:
+    path: /etc/postgresql/{{ postgresql.version }}/{{ postgresql.cluster }}/pg_ident.conf
+    regexp: '^pgmap_webmap\s.*\swebmap_guest\s*$'
+    line: 'pgmap_webmap    /^_?[a-zA-Z][a-zA-Z0-9_\-]*[a-zA-Z0-9]$ webmap_guest'
+    create: false
+  notify: Reload PostgreSQL
+
 - name: Create 'postgis' PostgreSQL schema
   become: true
   become_user: postgres
@@ -165,4 +246,156 @@
     schema: postgis
     comment: Geographic objects support for PostgreSQL
 
+- name: GRANT CONNECT ON DATABASE webmap TO webmap_import, webmap_guest
+  become: true
+  become_user: postgres
+  community.postgresql.postgresql_privs:
+    database: webmap
+    privs: CONNECT
+    type: database
+    role: webmap_import,webmap_guest
+
+- name: GRANT USAGE ON SCHEMA postgis TO webmap_import, webmap_guest
+  become: true
+  become_user: postgres
+  community.postgresql.postgresql_privs:
+    database: webmap
+    privs: USAGE
+    type: schema
+    obj: postgis
+    role: webmap_import,webmap_guest
+
+# webmap-import should TRUNCATE existing output layers
+- name: REVOKE CREATE ON SCHEMA postgis FROM webmap_import
+  become: true
+  become_user: postgres
+  community.postgresql.postgresql_privs:
+    database: webmap
+    privs: CREATE
+    type: schema
+    obj: postgis
+    role: webmap_import
+    state: absent
+
+- name: GRANT SELECT ON TABLES IN SCHEMA postgis TO webmap_guest
+  become: true
+  become_user: postgres
+  community.postgresql.postgresql_privs:
+    database: webmap
+    privs: SELECT
+    type: table
+    obj: ALL_IN_SCHEMA
+    schema: postgis
+    role: webmap_guest
+
+- name: GRANT USAGE, SELECT ON SEQUENCES IN SCHEMA postgis TO webmap_guest
+  become: true
+  become_user: postgres
+  community.postgresql.postgresql_privs:
+    database: webmap
+    privs: USAGE,SELECT
+    type: sequence
+    obj: ALL_IN_SCHEMA
+    schema: postgis
+    role: webmap_guest
+
+- name: Copy /usr/local/share/webmap/import.py
+  copy: src=webmap-tools/webmap-import
+        dest=/usr/local/share/webmap/import.py
+        owner=root group=root
+        mode=0755
+
+- name: Create /usr/local/bin/webmap-import
+  file: src=../share/webmap/import.py
+        dest=/usr/local/bin/webmap-import
+        owner=root group=root
+        state=link force=yes
+
+- name: Copy webmap-import@.service
+  copy: src=etc/systemd/system/webmap-import@.service
+        dest=/etc/systemd/system/webmap-import@.service
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+
+- name: Enable webmap-import@.service
+  service: name=webmap-import@{{ item }}.service enabled=true
+  with_items: "{{ webmap_layer_groups }}"
+
+
+- name: Build administrative-codes.json*
+  become: false
+  local_action:
+    module: community.general.make
+    chdir: ./webmap-tools/administrative-codes
+    target: all
+
+- name: Create directory /var/www/webmap/data
+  file: path=/var/www/webmap/data
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy /var/www/webmap/data/administrative-codes.json*
+  copy: src=./webmap-tools/administrative-codes/{{ item }}
+        dest=/var/www/webmap/data/{{ item }}
+        owner=root group=root
+        mode=0644
+  with_items:
+    - administrative-codes.json
+    - administrative-codes.json.br
+
+- meta: flush_handlers
+
+
+- name: Create system user '_webmap-publish'
+  user: name=_webmap-publish system=true
+        group=_webmap
+        createhome=false
+        home=/nonexistent
+        shell=/usr/sbin/nologin
+        comment="Webmap update (publication as MVT)"
+        password="!"
+        state=present
+
+- name: Copy /usr/local/share/webmap/publish.py
+  copy: src=webmap-tools/webmap-publish
+        dest=/usr/local/share/webmap/publish.py
+        owner=root group=root
+        mode=0755
+
+- name: Create /usr/local/bin/webmap-publish
+  file: src=../share/webmap/publish.py
+        dest=/usr/local/bin/webmap-publish
+        owner=root group=root
+        state=link force=yes
+
+- name: Create directory /var/www/webmap/tiles
+  file: path=/var/www/webmap/tiles
+        state=directory
+        owner=_webmap-publish group=root
+        mode=0755
+
+- name: Copy webmap-publish@.service
+  copy: src=etc/systemd/system/webmap-publish@.service
+        dest=/etc/systemd/system/webmap-publish@.service
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+
+#- name: Enable webmap-publish@.service
+#  service: name=webmap-publish@{{ item }}.service enabled=true
+#  with_items: "{{ webmap_layer_groups }}"
+
+
+- name: Copy /etc/tmpfiles.d/webmap.conf
+  copy: src=etc/tmpfiles.d/webmap.conf
+        dest=/etc/tmpfiles.d/webmap.conf
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemd-tmpfiles --create
+
 - meta: flush_handlers