include_recipe "tools"
blocks = data_bag_item("tile", "blocks")
+web_passwords = data_bag_item("web", "passwords")
apache_module "alias"
apache_module "cgi"
private_network true
protect_system "full"
protect_home true
+ no_new_privileges true
restart "on-failure"
end
service "renderd" do
action [:enable, :start]
+ subscribes :restart, "systemd_service[renderd]"
end
directory "/srv/tile.openstreetmap.org/tiles" do
package "python-cairo"
package "python-mapnik"
+package "python-setuptools"
+
+easy_install_package "pyotp"
package "fonts-noto-cjk"
package "fonts-noto-hinted"
owner "tile"
group "tile"
mode 0o755
- variables :blocks => blocks
+ variables :blocks => blocks, :totp_key => web_passwords["totp_key"]
end
template "/srv/tile.openstreetmap.org/cgi-bin/debug" do
nodejs_package "carto"
nodejs_package "millstone"
+systemd_service "update-lowzoom@" do
+ description "Low zoom tile update service for %i layer"
+ user "tile"
+ exec_start "/usr/local/bin/update-lowzoom-%i"
+ private_tmp true
+ private_devices true
+ private_network true
+ protect_system "full"
+ protect_home true
+ no_new_privileges true
+ restart "on-failure"
+end
+
directory "/srv/tile.openstreetmap.org/styles" do
owner "tile"
group "tile"
variables :style => name
end
- template "/etc/init.d/update-lowzoom-#{name}" do
- source "update-lowzoom.init.erb"
- owner "root"
- group "root"
- mode 0o755
- variables :style => name
- end
-
- service "update-lowzoom-#{name}" do
+ service "update-lowzoom@#{name}" do
action :disable
supports :restart => true
end
group "tile"
subscribes :run, "git[#{style_directory}]"
notifies :restart, "service[renderd]", :immediately
- notifies :restart, "service[update-lowzoom-#{name}]"
+ notifies :restart, "service[update-lowzoom@#{name}]"
end
end
private_devices true
protect_system "full"
protect_home true
+ no_new_privileges true
restart "on-failure"
end
projects / chef.git / blobdiff