+systemd_service "tile-ratelimit" do
+ description "Monitor tile requests and enforce rate limits"
+ after "apache2.service"
+ user "tile"
+ group "adm"
+ exec_start "/usr/local/bin/tile-ratelimit"
+ private_tmp true
+ private_devices true
+ private_network true
+ protect_system "full"
+ protect_home true
+ read_write_paths "/srv/tile.openstreetmap.org/conf"
+ no_new_privileges true
+ restart "on-failure"
+end
+
+service "tile-ratelimit" do
+ action [:enable, :start]
+ subscribes :restart, "file[/usr/local/bin/tile-ratelimit]"
+ subscribes :restart, "systemd_service[tile-ratelimit]"
+end
+
+template "/usr/local/bin/expire-tiles" do
+ source "expire-tiles.erb"
+ owner "root"
+ group "root"
+ mode "755"