conf "tile.conf.erb"
end
+apache_conf "renderd" do
+ action :disable
+end
+
ssl_certificate node[:fqdn] do
domains [node[:fqdn], "tile.openstreetmap.org", "render.openstreetmap.org"]
notifies :reload, "service[apache2]"
ignore_failure true
end
-tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"))
apache_site "default" do
- action [:disable]
+ action :disable
+end
+
+apache_site "tileserver_site" do
+ action :disable
end
apache_site "tile.openstreetmap.org" do
template "apache.erb"
- variables :caches => tilecaches, :fastly => fastlyips["addresses"]
+ variables :fastly => fastlyips["addresses"]
end
template "/etc/logrotate.d/apache2" do
mode "755"
end
+directory "/srv/tile.openstreetmap.org/conf" do
+ owner "tile"
+ group "tile"
+ mode "755"
+end
+
+file "/srv/tile.openstreetmap.org/conf/ip.map" do
+ owner "tile"
+ group "adm"
+ mode "644"
+end
+
package "renderd"
systemd_service "renderd" do
systemd_service "update-lowzoom@" do
description "Low zoom tile update service for %i layer"
+ conflicts "render-lowzoom.service"
user "tile"
exec_start "/bin/bash /usr/local/bin/update-lowzoom-%i"
+ runtime_directory "update-lowzoom-%i"
private_tmp true
private_devices true
private_network true
if node[:tile][:database][:external_data_script]
execute node[:tile][:database][:external_data_script] do
- command node[:tile][:database][:external_data_script]
+ command "#{node[:tile][:database][:external_data_script]} -R www-data"
cwd "/srv/tile.openstreetmap.org"
user "tile"
group "tile"
end
-
- Array(node[:tile][:database][:external_data_tables]).each do |table|
- postgresql_table table do
- cluster node[:tile][:database][:cluster]
- database "gis"
- owner "tile"
- permissions "tile" => :all, "www-data" => :select
- end
- end
end
postgresql_munin "gis" do
python3-pyproj
]
+gem_package "apachelogregex"
+gem_package "file-tail"
+gem_package "lru_redux"
+
remote_directory "/usr/local/bin" do
source "bin"
owner "root"
files_mode "755"
end
+template "/usr/local/bin/tile-ratelimit" do
+ source "tile-ratelimit.erb"
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+systemd_service "tile-ratelimit" do
+ description "Monitor tile requests and enforce rate limits"
+ after "apache2.service"
+ user "tile"
+ group "adm"
+ exec_start "/usr/local/bin/tile-ratelimit"
+ private_tmp true
+ private_devices true
+ private_network true
+ protect_system "full"
+ protect_home true
+ read_write_paths "/srv/tile.openstreetmap.org/conf"
+ no_new_privileges true
+ restart "on-failure"
+end
+
+service "tile-ratelimit" do
+ action [:enable, :start]
+ subscribes :restart, "file[/usr/local/bin/tile-ratelimit]"
+ subscribes :restart, "systemd_service[tile-ratelimit]"
+end
+
template "/usr/local/bin/expire-tiles" do
source "expire-tiles.erb"
owner "root"
systemd_service "render-lowzoom" do
description "Render low zoom tiles"
+ condition_path_exists_glob "!/run/update-lowzoom-*"
user "tile"
exec_start "/usr/local/bin/render-lowzoom"
private_tmp true