]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/web/recipes/rails.rb
Merge remote-tracking branch 'github/pull/711'
[chef.git] / cookbooks / web / recipes / rails.rb
index 90bd16c0abbb9e62797a485a5347909af948d90a..e46f9d52b2506d7e1bff1e30b56f597579cc588e 100644 (file)
@@ -21,7 +21,6 @@ include_recipe "apache"
 include_recipe "apt"
 include_recipe "git"
 include_recipe "geoipupdate"
-include_recipe "munin"
 include_recipe "nodejs"
 include_recipe "passenger"
 include_recipe "ruby"
@@ -32,11 +31,11 @@ web_passwords = data_bag_item("web", "passwords")
 db_passwords = data_bag_item("db", "passwords")
 
 ssl_certificate "www.openstreetmap.org" do
-  domains ["www.openstreetmap.org", "www.osm.org",
+  domains ["www.openstreetmap.org", "www.osm.org", "www.openstreetmap.com",
            "api.openstreetmap.org", "api.osm.org",
            "maps.openstreetmap.org", "maps.osm.org",
            "mapz.openstreetmap.org", "mapz.osm.org",
-           "openstreetmap.org", "osm.org"]
+           "openstreetmap.org", "osm.org", "openstreetmap.com"]
   notifies :reload, "service[apache2]"
 end
 
@@ -123,13 +122,14 @@ rails_port "www.openstreetmap.org" do
   google_openid_realm "https://www.openstreetmap.org"
   facebook_auth_id "427915424036881"
   facebook_auth_secret web_passwords["facebook_auth_secret"]
-  microsoft_auth_id "45ef48fb-6a13-4239-b842-133608b8edd7"
+  microsoft_auth_id "e34f14f1-f790-40f3-9fa4-3c5f1a027c38"
   microsoft_auth_secret web_passwords["microsoft_auth_secret"]
   github_auth_id "acf7da34edee99e35499"
   github_auth_secret web_passwords["github_auth_secret"]
   wikipedia_auth_id "e4fe0c2c5855d23ed7e1f1c0fa1f1c58"
   wikipedia_auth_secret web_passwords["wikipedia_auth_secret"]
   thunderforest_key web_passwords["thunderforest_key"]
+  tracestrack_key web_passwords["tracestrack_key"]
   totp_key web_passwords["totp_key"]
   csp_enforce true
   trace_use_job_queue true
@@ -147,6 +147,9 @@ rails_port "www.openstreetmap.org" do
   signup_ip_max_burst 48
   signup_email_per_day 1
   signup_email_max_burst 2
+  doorkeeper_signing_key web_passwords["openid_connect_key"].join("\n")
+  user_account_deletion_delay 7 * 24
+  # Requests to modify the imagery blacklist should come from the DWG only
   imagery_blacklist [
     # Current Google imagery URLs have google or googleapis in the domain
     ".*\\.google(apis)?\\..*/.*",
@@ -155,14 +158,22 @@ rails_port "www.openstreetmap.org" do
     # Blacklist here
     ".*\\.here\\.com[/:].*",
     # Blacklist Mapy.cz
-    ".*\\.mapy\\.cz.*"
+    ".*\\.mapy\\.cz.*",
+    # Blacklist Yandex
+    ".*\\.api-maps\\.yandex\\.ru/.*",
+    ".*\\.maps\\.yandex\\.net/.*",
+    # Blacklist 2gis
+    ".*\\.maps\\.2gis\\.com/.*"
   ]
 end
 
 systemd_service "rails-jobs@" do
   description "Rails job queue runner"
   type "simple"
-  environment "RAILS_ENV" => "production", "QUEUE" => "%I", "SLEEP_DELAY" => "60"
+  environment "RAILS_ENV" => "production",
+              "QUEUE" => "%I",
+              "SLEEP_DELAY" => "60",
+              "SECRET_KEY_BASE" => web_passwords["secret_key_base"]
   user "rails"
   working_directory rails_directory
   exec_start "#{node[:ruby][:bundle]} exec rails jobs:work"
@@ -221,14 +232,3 @@ end
 gem_package "hpricot" do
   gem_binary node[:ruby][:gem]
 end
-
-munin_plugin "api_calls_status"
-munin_plugin "api_calls_num"
-
-munin_plugin "api_calls_#{node[:hostname]}" do
-  target "api_calls_"
-end
-
-munin_plugin "api_waits_#{node[:hostname]}" do
-  target "api_waits_"
-end