Diffstat (limited to 'templates/etc')
5 files changed, 50 insertions, 8 deletions
diff --git a/templates/etc/apt/sources.list.d/debian.sources.j2 b/templates/etc/apt/sources.list.d/debian.sources.j2
index 980daaf..c859a4e 100644
--- a/templates/etc/apt/sources.list.d/debian.sources.j2
+++ b/templates/etc/apt/sources.list.d/debian.sources.j2
@@ -1,9 +1,11 @@
Types: deb
URIs: https://deb.debian.org/debian
-Suites: {{ ansible_lsb.codename }} {{ ansible_lsb.codename }}-updates
+Suites: {{ ansible_facts.lsb.codename }} {{ ansible_facts.lsb.codename }}-updates
Components: main non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp

Types: deb
URIs: https://deb.debian.org/debian-security
-Suites: {{ ansible_lsb.codename }}-security
+Suites: {{ ansible_facts.lsb.codename }}-security
Components: main non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp
diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2
index 35a6790..10313b4 100644
--- a/templates/etc/postfix/main.cf.j2
+++ b/templates/etc/postfix/main.cf.j2
@@ -9,8 +9,8 @@ compatibility_level = 3.6
smtputf8_enable = no
myorigin = /etc/mailname
-myhostname = {{ ansible_fqdn }}
-mydomain = {{ ansible_domain }}
+myhostname = {{ ansible_facts.fqdn }}
+mydomain = {{ ansible_facts.domain }}
append_dot_mydomain = no
# This server is for internal use only
diff --git a/templates/etc/systemd/network/01-wired.network.j2 b/templates/etc/systemd/network/01-wired.network.j2
index 7be5d21..dc85b2e 100644
--- a/templates/etc/systemd/network/01-wired.network.j2
+++ b/templates/etc/systemd/network/01-wired.network.j2
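Review bot: `Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp` hard-wires a keyring path that only exists when the debian-archive-keyring package, in a version that ships the `.pgp` file, is installed on the host; if it is absent, apt treats both stanzas as unsigned and stops fetching updates, including the security suite. The role should ensure that package is present before this template is deployed, or take the path from a variable so hosts whose keyring package only provides the `.gpg` file can be handled explicitly. Pinning the key per source is the right direction, since it prevents a key trusted for some other repository from signing Debian's indexes.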
@@ -1,13 +1,13 @@
[Match]
-Name={{ ansible_default_ipv4.interface }}
+Name={{ ansible_facts.default_ipv4.interface }}
[Network]
DHCP=yes
-{% if ansible_default_ipv6.get('scope', '') == 'global' %}
+{% if ansible_facts.default_ipv6.get('scope', '') == 'global' %}
[Address]
-Address={{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}
+Address={{ ansible_facts.default_ipv6.address }}/{{ ansible_facts.default_ipv6.prefix }}
[Route]
-Gateway={{ ansible_default_ipv6.gateway }}
+Gateway={{ ansible_facts.default_ipv6.gateway }}
{%- endif %}
diff --git a/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2 b/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2
new file mode 100644
index 0000000..103fbde
--- /dev/null
+++ b/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2
@@ -0,0 +1,3 @@
+[Timer]
+OnCalendar=
+OnCalendar={{ geodata_layer_groups_update_calendar[item] }}
diff --git a/templates/etc/systemd/system/webmap-cgi.service b/templates/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..9c9ffe9
--- /dev/null
+++ b/templates/etc/systemd/system/webmap-cgi.service
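Review bot: The drop-in is keyed by `item` (`OnCalendar={{ geodata_layer_groups_update_calendar[item] }}`) but lives under the uninstanced `geodata-update@.timer.d/` directory; if the deploying task writes it to that same path instead of `geodata-update@<instance>.timer.d/`, every loop iteration overwrites one file and all timer instances end up with the last item's schedule. The task is outside this diff, so this is worth confirming rather than certain; a leading comment such as `# per-instance schedule override; rendered once per layer group` would make the intended destination explicit. Clearing `OnCalendar=` before reassigning it is the correct way to replace, rather than add to, the base timer's schedule.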
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+StopPropagatedFrom=postgresql.service postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+ --single-interpreter --die-on-term \
+ --close-on-exec --close-on-exec2 \
+ --max-requests 1000 \
+ --max-worker-lifetime 86400 \
+ --max-worker-lifetime-delta 11 \
+ --harakiri 60 \
+ --lazy-apps \
+ --plugins python3 \
+ --pythonpath /usr/local/share/geodata \
+ --wsgi-file /usr/local/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target |
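Review bot: The hardening block leaves the uWSGI workers with the full syscall surface, all namespaces and the complete capability bounding set, even though `--wsgi-file /usr/local/libexec/webmap-cgi` runs application code on request data relayed by nginx; a seccomp allow-list plus the remaining Protect*/Restrict* directives would bound what a compromised worker can reach, as in the fence below. `After=syslog.target` names a target systemd removed long ago and can simply be dropped. The file is named `webmap-cgi.service` while every sibling template carries a `.j2` suffix, yet it contains `{{ postgresql.version }}`; if the role picks `template` versus `copy` by extension, those placeholders would reach systemd verbatim, so `webmap-cgi.service.j2` keeps it consistent. `RestrictAddressFamilies=AF_UNIX` is only correct if both the uwsgi listener and the PostgreSQL connection use Unix sockets, which this unit does not show on its own.

```ini
# … unchanged: [Unit] and the ExecStart/Nice/Restart part of [Service] …

# Hardening
NoNewPrivileges=yes
ProtectHome=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# … unchanged: [Install] …
```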
