From 3ccc29ca12c7c60d86ca6cdf99078c4d4be7bc28 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 1 Jun 2024 16:05:01 +0200 Subject: Add webmap task. --- .gitmodules | 3 + files/etc/systemd/system/webmap-download@.service | 38 ++++++++ files/etc/systemd/system/webmap-update@.target | 3 + files/etc/systemd/system/webmap-update@.timer | 10 ++ group_vars/all.yml | 9 ++ setup.yml | 1 + tasks/webmap.yml | 110 ++++++++++++++++++++++ webmap-tools | 1 + 8 files changed, 175 insertions(+) create mode 100644 .gitmodules create mode 100644 files/etc/systemd/system/webmap-download@.service create mode 100644 files/etc/systemd/system/webmap-update@.target create mode 100644 files/etc/systemd/system/webmap-update@.timer create mode 100644 group_vars/all.yml create mode 100644 tasks/webmap.yml create mode 160000 webmap-tools diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..a9b9b64 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "webmap-tools"] + path = webmap-tools + url = https://git.guilhem.org/KlimatanalysNorr/tools.git diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service new file mode 100644 index 0000000..a928a13 --- /dev/null +++ b/files/etc/systemd/system/webmap-download@.service 
@@ -0,0 +1,38 @@
+[Unit]
+Description=Webmap updater service (download %I)
+# Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
+# XXX Looks like Upholds= prevents running a single unit, as it causes
+# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
+After=network-online.target webmap-update@%i.target
+Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-download
+Group=nogroup
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-download \
+ --cachedir=/var/cache/webmap \
+ --lockdir=%t/webmap-download \
+ --no-exit-code \
+ --quiet \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=/var/cache/webmap
+RuntimeDirectory=webmap-download
+RuntimeDirectoryPreserve=yes
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
new file mode 100644
index 0000000..3d9fb7f
--- /dev/null
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -0,0 +1,3 @@
+[Unit]
+Description=Webmap updater (target unit %I)
+StopWhenUnneeded=true
diff --git a/files/etc/systemd/system/webmap-update@.timer b/files/etc/systemd/system/webmap-update@.timer
new file mode 100644
index 0000000..8f62502
--- /dev/null
+++ b/files/etc/systemd/system/webmap-update@.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Webmap updater (timer unit)
+
+[Timer]
+OnCalendar=*-*-* 02:00:00
+RandomizedDelaySec=3600
+Unit=webmap-update@%i.target
+
+[Install]
+WantedBy=timers.target
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..a0d35c6
--- /dev/null
+++ b/group_vars/all.yml
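Review bot: The `# Hardening` block in webmap-download@.service leaves the capability bounding set, the system-call filter and namespace creation at their defaults, although this unit fetches and parses remote data. I would add `CapabilityBoundingSet=`, `SystemCallFilter=@system-service` and `RestrictNamespaces=yes` below `RestrictAddressFamilies=`, then check one instance with `systemd-analyze security` to confirm the downloader still runs. Separately, `--no-exit-code` presumably makes the oneshot report success even when a download fails, so a failed fetch would show up only in the journal. A one-line comment above `ExecStart=` saying why that is wanted would help whoever monitors the timer.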
@@ -0,0 +1,9 @@ +--- +# The list of layer groups to process, see +# webmap-tools/config.yml:layer-groups. +webmap_layer_groups: + - mrr + - nvr + - sks + - st + - vbk diff --git a/setup.yml b/setup.yml index fd85241..0d27ec7 100644 --- a/setup.yml +++ b/setup.yml @@ -12,6 +12,7 @@ - import_tasks: ./tasks/ssh.yml - import_tasks: ./tasks/base.yml - import_tasks: ./tasks/mail.yml + - import_tasks: ./tasks/webmap.yml - import_tasks: ./tasks/httpd.yml handlers: - import_tasks: ./handlers/main.yml diff --git a/tasks/webmap.yml b/tasks/webmap.yml new file mode 100644 index 0000000..2fff3bc --- /dev/null +++ b/tasks/webmap.yml 
@@ -0,0 +1,110 @@
+- name: Install gdal-bin
+ apt: pkg=gdal-bin install-recommends=true
+
+- name: Install python dependencies
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - python3
+ - python3-gdal
+ - python3-lxml
+ - python3-requests
+ - python3-tqdm
+ - python3-urllib3
+ - python3-xdg
+ - python3-yaml
+
+- name: Create directory /etc/webmap
+ file: path=/etc/webmap
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy /etc/webmap/config.yml
+ copy: src=webmap-tools/config.yml
+ dest=/etc/webmap/config.yml
+ owner=root group=root
+ mode=0644
+
+- name: Create directory /usr/local/share/webmap
+ file: path=/usr/local/share/webmap
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy /usr/local/share/webmap/common.py
+ copy: src=webmap-tools/common.py
+ dest=/usr/local/share/webmap/common.py
+ owner=root group=root
+ mode=0644
+
+- name: Copy webmap-update@.target
+ copy: src=etc/systemd/system/webmap-update@.target
+ dest=/etc/systemd/system/webmap-update@.target
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Copy webmap-update@.timer
+ copy: src=etc/systemd/system/webmap-update@.timer
+ dest=/etc/systemd/system/webmap-update@.timer
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Enable webmap-update.timer
+ service: name=webmap-update@{{ item }}.timer state=started enabled=true
+ with_items: "{{ webmap_layer_groups }}"
+
+- meta: flush_handlers
+
+
+- name: Create system user '_webmap-download'
+ user: name=_webmap-download system=true
+ group=nogroup
+ createhome=false
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ comment="Webmap update (download)"
+ password="!"
+ state=present
+
+- name: Copy /usr/local/share/webmap/download.py
+ copy: src=webmap-tools/webmap-download
+ dest=/usr/local/share/webmap/download.py
+ owner=root group=root
+ mode=0755
+
+- name: Create /usr/local/bin/webmap-download
+ file: src=../share/webmap/download.py
+ dest=/usr/local/bin/webmap-download
+ owner=root group=root
+ state=link force=yes
+
+- name: Copy /usr/local/share/webmap/webmap-download-mrr.py
+ copy: src=webmap-tools/webmap-download-mrr.py
+ dest=/usr/local/share/webmap/webmap-download-mrr.py
+ owner=root group=root
+ mode=0644
+
+- name: Create directory /var/cache/webmap
+ file: path=/var/cache/webmap
+ state=directory
+ owner=_webmap-download group=nogroup
+ mode=0755
+
+- name: Copy webmap-download@.service
+ copy: src=etc/systemd/system/webmap-download@.service
+ dest=/etc/systemd/system/webmap-download@.service
+ owner=root group=root
+ mode=0644
+ notify:
+ - systemctl daemon-reload
+
+- name: Enable webmap-download@.service
+ service: name=webmap-download@{{ item }}.service enabled=true
+ with_items: "{{ webmap_layer_groups }}"
+
+- meta: flush_handlers
diff --git a/webmap-tools b/webmap-tools
new file mode 160000
index 0000000..729a5df
--- /dev/null
+++ b/webmap-tools
@@ -0,0 +1 @@
+Subproject commit 729a5df4ba9889aebcd51787ec11a4d0d1ea5477
-- cgit v1.2.3
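Review bot: Both `service:` tasks in tasks/webmap.yml run before the `- meta: flush_handlers` that follows them, so the notified `systemctl daemon-reload` has not yet run when `webmap-update@{{ item }}.timer` is started or `webmap-download@{{ item }}.service` is enabled. On a run that changes an already-installed unit file, systemd would presumably still hold the old definition at that point. Moving each `- meta: flush_handlers` to sit directly after the last unit-file `copy:` and before the `service:` task closes that window. Separately, `group=nogroup` on the `_webmap-download` user and on `/var/cache/webmap` shares a group with every other account that falls back to `nogroup`; a dedicated group would keep group ownership of the cache meaningful.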