]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/web/recipes/rails.rb
Update microsoft authentication ID
[chef.git] / cookbooks / web / recipes / rails.rb
index c60655f9e74a797856a4d09211781f891b099250..dd0086b70a5e9f21854f9dde79d7fb80fae43a9d 100644 (file)
@@ -42,14 +42,6 @@ end
 
 nodejs_package "svgo"
 
 
 nodejs_package "svgo"
 
-template "/etc/cron.hourly/passenger" do
-  cookbook "web"
-  source "passenger.cron.erb"
-  owner "root"
-  group "root"
-  mode "755"
-end
-
 rails_directory = "#{node[:web][:base_directory]}/rails"
 
 matomo = data_bag_item("web", "matomo")
 rails_directory = "#{node[:web][:base_directory]}/rails"
 
 matomo = data_bag_item("web", "matomo")
@@ -122,19 +114,23 @@ rails_port "www.openstreetmap.org" do
   oauth_application web_passwords["oauth_application"]
   matomo_configuration "location" => matomo[:location],
                        "site" => matomo[:site],
   oauth_application web_passwords["oauth_application"]
   matomo_configuration "location" => matomo[:location],
                        "site" => matomo[:site],
+                       "visitor_cookie_timeout" => matomo[:visitor_cookie_timeout],
+                       "referral_cookie_timeout" => matomo[:referral_cookie_timeout],
+                       "session_cookie_timeout" => matomo[:session_cookie_timeout],
                        "goals" => matomo[:goals].to_hash
   google_auth_id "651529786092-6c5ahcu0tpp95emiec8uibg11asmk34t.apps.googleusercontent.com"
   google_auth_secret web_passwords["google_auth_secret"]
   google_openid_realm "https://www.openstreetmap.org"
   facebook_auth_id "427915424036881"
   facebook_auth_secret web_passwords["facebook_auth_secret"]
                        "goals" => matomo[:goals].to_hash
   google_auth_id "651529786092-6c5ahcu0tpp95emiec8uibg11asmk34t.apps.googleusercontent.com"
   google_auth_secret web_passwords["google_auth_secret"]
   google_openid_realm "https://www.openstreetmap.org"
   facebook_auth_id "427915424036881"
   facebook_auth_secret web_passwords["facebook_auth_secret"]
-  windowslive_auth_id "0000000040153C51"
-  windowslive_auth_secret web_passwords["windowslive_auth_secret"]
+  microsoft_auth_id "e34f14f1-f790-40f3-9fa4-3c5f1a027c38"
+  microsoft_auth_secret web_passwords["microsoft_auth_secret"]
   github_auth_id "acf7da34edee99e35499"
   github_auth_secret web_passwords["github_auth_secret"]
   wikipedia_auth_id "e4fe0c2c5855d23ed7e1f1c0fa1f1c58"
   wikipedia_auth_secret web_passwords["wikipedia_auth_secret"]
   thunderforest_key web_passwords["thunderforest_key"]
   github_auth_id "acf7da34edee99e35499"
   github_auth_secret web_passwords["github_auth_secret"]
   wikipedia_auth_id "e4fe0c2c5855d23ed7e1f1c0fa1f1c58"
   wikipedia_auth_secret web_passwords["wikipedia_auth_secret"]
   thunderforest_key web_passwords["thunderforest_key"]
+  tracestrack_key web_passwords["tracestrack_key"]
   totp_key web_passwords["totp_key"]
   csp_enforce true
   trace_use_job_queue true
   totp_key web_passwords["totp_key"]
   csp_enforce true
   trace_use_job_queue true
@@ -147,21 +143,40 @@ rails_port "www.openstreetmap.org" do
   avatar_storage_url "https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com"
   trace_image_storage_url "https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com"
   overpass_url "https://query.openstreetmap.org/query-features"
   avatar_storage_url "https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com"
   trace_image_storage_url "https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com"
   overpass_url "https://query.openstreetmap.org/query-features"
+  overpass_credentials true
+  signup_ip_per_day 24
+  signup_ip_max_burst 48
+  signup_email_per_day 1
+  signup_email_max_burst 2
+  doorkeeper_signing_key web_passwords["openid_connect_key"].join("\n")
+  # Requests to modify the imagery blacklist should come from the DWG only
+  imagery_blacklist [
+    # Current Google imagery URLs have google or googleapis in the domain
+    ".*\\.google(apis)?\\..*/.*",
+    # Blacklist VWorld
+    "http://xdworld\\.vworld\\.kr:8080/.*",
+    # Blacklist here
+    ".*\\.here\\.com[/:].*",
+    # Blacklist Mapy.cz
+    ".*\\.mapy\\.cz.*"
+  ]
 end
 
 systemd_service "rails-jobs@" do
   description "Rails job queue runner"
   type "simple"
 end
 
 systemd_service "rails-jobs@" do
   description "Rails job queue runner"
   type "simple"
-  environment "RAILS_ENV" => "production", "QUEUE" => "%I"
+  environment "RAILS_ENV" => "production",
+              "QUEUE" => "%I",
+              "SLEEP_DELAY" => "60",
+              "SECRET_KEY_BASE" => web_passwords["secret_key_base"]
   user "rails"
   working_directory rails_directory
   exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"
   restart "on-failure"
   user "rails"
   working_directory rails_directory
   exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"
   restart "on-failure"
-  private_tmp true
-  private_devices true
-  protect_system "full"
-  protect_home true
-  no_new_privileges true
+  nice 10
+  sandbox :enable_network => true
+  memory_deny_write_execute false
+  read_write_paths "/var/log/web"
 end
 
 package "libjson-xs-perl"
 end
 
 package "libjson-xs-perl"
@@ -193,12 +208,12 @@ systemd_service "api-statistics" do
   user "rails"
   group "adm"
   exec_start "/usr/local/bin/api-statistics"
   user "rails"
   group "adm"
   exec_start "/usr/local/bin/api-statistics"
-  private_tmp true
-  private_devices true
-  private_network true
-  protect_system "full"
-  protect_home true
-  no_new_privileges true
+  nice 10
+  sandbox true
+  read_write_paths [
+    "/srv/www.openstreetmap.org/rails/tmp",
+    "/var/lib/prometheus/node-exporter"
+  ]
   restart "on-failure"
 end
 
   restart "on-failure"
 end