Use backport of cgi-mapserver

[chef.git] / cookbooks / nominatim / recipes / default.rb
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb

index a33fe85c24073c1a6682cde02d8fc8efdc2d2f7d..7eb6a1e749b5cc4f11b90237d41a269dc32f37fa 100644 (file)
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -1,14 +1,14 @@
  #
  #
-# Cookbook Name:: nominatim
-# Recipe:: default
+# Cookbook:: nominatim
+# Recipe:: base
  #
  #
-# Copyright 2012, OpenStreetMap Foundation
+# Copyright:: 2015, OpenStreetMap Foundation
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,209 +17,356 @@
  # limitations under the License.
  #
  
  # limitations under the License.
  #
  
-include_recipe "apache"
+include_recipe "accounts"
+include_recipe "prometheus"
  include_recipe "postgresql"
  include_recipe "postgresql"
+include_recipe "python"
+include_recipe "nginx"
  include_recipe "git"
  include_recipe "git"
+include_recipe "fail2ban"
  
  
-package "php5"
-package "php5-cli"
-package "php5-pgsql"
-package "php5-fpm"
-package "php-pear"
-package "php-apc"
+basedir = data_bag_item("accounts", "nominatim")["home"]
+project_directory = "#{basedir}/planet-project"
+bin_directory = "#{basedir}/bin"
+cfg_directory = "#{basedir}/etc"
+ui_directory = "#{basedir}/ui"
+qa_data_directory = "#{basedir}/qa-data"
  
  
-apache_module "rewrite"
-apache_module "fastcgi-handler"
+directory basedir do
+  owner "nominatim"
+  group "nominatim"
+  mode "755"
+  recursive true
+end
  
  
-home_directory = data_bag_item("accounts", "nominatim")["home"]
-source_directory = "#{home_directory}/nominatim"
-email_errors = data_bag_item("accounts", "lonvia")["email"]
+[basedir, bin_directory, cfg_directory, project_directory, ui_directory].each do |path|
+  directory path do
+    owner "nominatim"
+    group "nominatim"
+    mode "755"
+  end
+end
  
  
-service "php5-fpm" do
-  action [ :enable, :start ]
-  supports :status => true, :restart => true, :reload => true
+if node[:nominatim][:flatnode_file]
+  directory File.dirname(node[:nominatim][:flatnode_file]) do
+    recursive true
+  end
  end
  
  end
  
-apache_site "nominatim.openstreetmap.org" do
-  template "apache.erb"
-  directory "/home/lonvia/nominatim"
-  variables :pools => node[:nominatim][:fpm_pools]
+directory "#{bin_directory}/maintenance" do
+  owner "nominatim"
+  group "nominatim"
+  mode "775"
  end
  
  end
  
-node[:nominatim][:fpm_pools].each do |name,data|
+## Log directory setup
  
  
-  template "/etc/php5/fpm/pool.d/#{name}.conf" do
-    source "fpm.conf.erb"
-    owner "root"
-    group "root"
-    mode 0644
-    variables data.merge(:name => name)
-    notifies :reload, resources(:service => "php5-fpm")
-  end
+directory node[:nominatim][:logdir] do
+  owner "nominatim"
+  group "nominatim"
+  mode "755"
+  recursive true
  end
  
  end
  
-postgresql_user "tomh" do
-  cluster "9.1/main"
-  superuser true
+file "#{node[:nominatim][:logdir]}/query.log" do
+  action :create_if_missing
+  owner "www-data"
+  group "adm"
+  mode "664"
  end
  
  end
  
-postgresql_user "lonvia" do
-  cluster "9.1/main"
-  superuser true
-end
+### Postgresql
  
  
-postgresql_user "twain" do
-  cluster "9.1/main"
-  superuser true
+postgresql_version = node[:nominatim][:dbcluster].split("/").first
+postgis_version = node[:nominatim][:postgis]
+
+package "postgresql-#{postgresql_version}-postgis-#{postgis_version}"
+
+node[:nominatim][:dbadmins].each do |user|
+  postgresql_user user do
+    cluster node[:nominatim][:dbcluster]
+    superuser true
+  end
  end
  
  postgresql_user "nominatim" do
  end
  
  postgresql_user "nominatim" do
-  cluster "9.1/main"
+  cluster node[:nominatim][:dbcluster]
    superuser true
  end
  
  postgresql_user "www-data" do
    superuser true
  end
  
  postgresql_user "www-data" do
-  cluster "9.1/main"
+  cluster node[:nominatim][:dbcluster]
  end
  
  end
  
-postgresql_munin "nominatim" do
-  cluster "9.1/main"
-  database "nominatim"
-end
+### Nominatim
  
  
-directory "/var/log/nominatim" do
-  owner "nominatim"
-  group "nominatim"
-  mode 0755
-end
-
-package "osmosis"
-package "gcc"
-package "proj-bin"
-package "libgeos-c1"
-package "postgresql-9.1-postgis"
-package "postgresql-server-dev-9.1"
-package "build-essential"
-package "libxml2-dev"
-package "libgeos-dev"
-package "libgeos++-dev"
-package "libpq-dev"
-package "libbz2-dev"
-package "libtool"
-package "automake"
-package "libproj-dev"
-package "libprotobuf-c0-dev"
-package "protobuf-c-compiler"
-
-execute "php-pear-db" do
-  command "pear install DB"
-  not_if { File.exists?("/usr/share/php/DB") }
-end
-
-execute "compile_nominatim" do
-  action :nothing
-  command "cd #{source_directory} && ./autogen.sh && ./configure && make"
-  user "nominatim"
-end
+python_directory = "#{basedir}/venv"
  
  
-git source_directory do
-  action :checkout
-  repository node[:nominatim][:repository]
-  enable_submodules true
-  user "nominatim"
-  group "nominatim"
-  notifies :run, "execute[compile_nominatim]"
-end
+package %w[
+  build-essential
+  libicu-dev
+  python3-dev
+  pkg-config
+  osm2pgsql
+  ruby
+  ruby-file-tail
+  ruby-pg
+  ruby-webrick
+]
  
  
-directory "#{source_directory}/log" do
-  owner "nominatim"
-  group "nominatim"
-  mode 0755
+python_virtualenv python_directory do
+  interpreter "/usr/bin/python3"
  end
  
  end
  
+# These are updated during the database update.
+python_package "nominatim-db" do
+  python_virtualenv python_directory
+  extra_index_url node[:nominatim][:pip_index]
+end
  
  
-template "#{source_directory}/.git/hooks/post-merge" do
-  source "update_source.erb"
-  owner  "nominatim"
-  group  "nominatim"
-  mode   0755
-  variables :source_directory => source_directory
+python_package "nominatim-api" do
+  python_virtualenv python_directory
+  extra_index_url node[:nominatim][:pip_index]
  end
  
  end
  
-template "#{source_directory}/settings/local.php" do
-  source "nominatim.erb"
+remote_directory "#{project_directory}/static-website" do
+  source "website"
    owner "nominatim"
    group "nominatim"
    owner "nominatim"
    group "nominatim"
-  mode 0664
+  mode "755"
+  files_owner "nominatim"
+  files_group "nominatim"
+  files_mode "644"
+  purge false
  end
  
  end
  
-template "#{source_directory}/settings/ip_blocks.conf" do
-  action :create_if_missing
-  source "ipblocks.erb"
+template "#{project_directory}/.env" do
+  source "nominatim.env.erb"
    owner "nominatim"
    group "nominatim"
    owner "nominatim"
    group "nominatim"
-  mode 0664
+  mode "664"
+  variables :base_url => "nominatim.openstreetmap.org",
+            :dbname => node[:nominatim][:dbname],
+            :flatnode_file => node[:nominatim][:flatnode_file],
+            :log_file => "#{node[:nominatim][:logdir]}/query.log",
+            :pool_size => node[:nominatim][:api_pool_size],
+            :query_timeout => node[:nominatim][:api_query_timeout],
+            :request_timeout => node[:nominatim][:api_request_timeout]
  end
  
  end
  
-file "#{source_directory}/settings/apache_blocks.conf" do
+remote_file "#{project_directory}/secondary_importance.sql.gz" do
    action :create_if_missing
    action :create_if_missing
+  source "https://nominatim.org/data/wikimedia-secondary-importance.sql.gz"
    owner "nominatim"
    group "nominatim"
    owner "nominatim"
    group "nominatim"
-  mode 0664
+  mode "644"
  end
  
  end
  
-file "#{source_directory}/settings/ip_blocks.map" do
+remote_file "#{project_directory}/wikimedia-importance.csv.gz" do
    action :create_if_missing
    action :create_if_missing
+  source "https://nominatim.org/data/wikimedia-importance.csv.gz"
    owner "nominatim"
    group "nominatim"
    owner "nominatim"
    group "nominatim"
-  mode 0664
+  mode "644"
  end
  
  end
  
-cron "nominatim_logrotate" do
-  hour "5"
-  minute "30"
-  weekday "0"
-  command "#{source_directory}/utils/cron_logrotate.sh"
-  user "nominatim"
-  mailto email_errors
+%w[gb_postcodes.csv.gz us_postcodes.csv.gz].each do |fname|
+  remote_file "#{project_directory}/#{fname}" do
+    action :create
+    source "https://nominatim.org/data/#{fname}"
+    owner "nominatim"
+    group "nominatim"
+    mode "644"
+  end
+end
+
+# Webserver + frontend
+
+%w[user_agent referrer email generic].each do |name|
+  file "#{cfg_directory}/nginx_blocked_#{name}.conf" do
+    action :create_if_missing
+    owner "nominatim"
+    group "adm"
+    mode "664"
+  end
+end
+
+systemd_service "nominatim" do
+  description "Nominatim running as a gunicorn application"
+  user "www-data"
+  group "www-data"
+  working_directory project_directory
+  standard_output "append:#{node[:nominatim][:logdir]}/gunicorn.log"
+  standard_error "inherit"
+  exec_start "#{python_directory}/bin/gunicorn --max-requests 200000 -b unix:/run/gunicorn-nominatim.openstreetmap.org.sock -w #{node[:nominatim][:api_workers]} -k uvicorn.workers.UvicornWorker 'nominatim_api.server.falcon.server:run_wsgi()'"
+  exec_reload "/bin/kill -s HUP $MAINPID"
+  kill_mode "mixed"
+  timeout_stop_sec 5
+  private_tmp true
+  requires "nominatim.socket"
+  after "network.target"
  end
  
  end
  
-cron "nominatim_banip" do
-  command "#{source_directory}/utils/cron_banip.sh"
+systemd_socket "nominatim" do
+  description "Gunicorn socket for Nominatim"
+  listen_stream "/run/gunicorn-nominatim.openstreetmap.org.sock"
+  socket_user "www-data"
+end
+
+ssl_certificate node[:fqdn] do
+  domains [node[:fqdn],
+           "nominatim.openstreetmap.org",
+           "nominatim.osm.org",
+           "nominatim.openstreetmap.com",
+           "nominatim.openstreetmap.net",
+           "nominatim.openstreetmaps.org",
+           "nominatim.openmaps.org",
+           "nominatim.qgis.org"]
+  notifies :reload, "service[nginx]"
+end
+
+nginx_site "default" do
+  action [:delete]
+end
+
+frontends = search(:node, "recipes:web\\:\\:frontend").sort_by(&:name)
+
+nginx_site "nominatim" do
+  template "nginx.erb"
+  directory project_directory
+  variables :pools => node[:nominatim][:fpm_pools],
+            :frontends => frontends,
+            :confdir => "#{basedir}/etc",
+            :ui_directory => ui_directory
+end
+
+template "/etc/logrotate.d/nginx" do
+  source "logrotate.nginx.erb"
+  owner "root"
+  group "root"
+  mode "644"
+end
+
+### Import, update and maintenance scripts
+
+%w[nominatim-update
+   nominatim-update-data
+   nominatim-update-refresh-db
+   nominatim-daily-maintenance].each do |fname|
+  template "#{bin_directory}/#{fname}" do
+    source "#{fname}.erb"
+    owner "nominatim"
+    group "nominatim"
+    mode "554"
+    variables :bindir => bin_directory,
+              :projectdir => project_directory,
+              :venvprefix => "#{python_directory}/bin/",
+              :qadatadir => qa_data_directory
+  end
+end
+
+systemd_service "nominatim-update" do
+  description "Update the Nominatim database"
+  exec_start "#{bin_directory}/nominatim-update"
+  restart "on-success"
+  standard_output "journal"
+  standard_error "inherit"
+  working_directory project_directory
+end
+
+systemd_service "nominatim-update-maintenance-trigger" do
+  description "Trigger daily maintenance tasks for Nominatim DB"
+  exec_start "ln -sf #{bin_directory}/nominatim-daily-maintenance #{bin_directory}/maintenance/"
    user "nominatim"
    user "nominatim"
-  mailto email_errors
  end
  
  end
  
-cron "nominatim_vacuum" do
-  hour "2"
-  minute "00"
-  command "#{source_directory}/utils/cron_vacuum.sh"
+systemd_timer "nominatim-update-maintenance-trigger" do
+  action :create
+  description "Schedule daily maintenance tasks for Nominatim DB"
+  on_calendar "*-*-* 02:03:00 UTC"
+end
+
+service "nominatim-update-maintenance-trigger" do
+  action :enable
+end
+
+## Nominatim UI
+
+git ui_directory do
+  action :sync
+  repository node[:nominatim][:ui_repository]
+  revision node[:nominatim][:ui_revision]
    user "nominatim"
    user "nominatim"
-  mailto email_errors
+  group "nominatim"
+end
+
+template "#{ui_directory}/dist/theme/config.theme.js" do
+  source "ui-config.js.erb"
+  owner "nominatim"
+  group "nominatim"
+  mode "664"
  end
  
  end
  
-['search', 'reverse'].each do |filename|
-  ['phpj', 'phpx'].each do |ext|
-    link "#{source_directory}/website/#{filename}.#{ext}" do
-      to "#{source_directory}/website/#{filename}.php"
-      user "nominatim"
-      group "nominatim"
-    end
+## Nominatim QA
+
+if node[:nominatim][:enable_qa_tiles]
+  python_package "nominatim-data-analyser" do
+    python_virtualenv python_directory
+    extra_index_url node[:nominatim][:pip_index]
+  end
+
+  directory qa_data_directory do
+    owner "nominatim"
+    group "nominatim"
+    mode "755"
+    recursive true
+  end
+
+  template "#{project_directory}/qa-config.yaml" do
+    source "qa_config.erb"
+    owner "nominatim"
+    group "nominatim"
+    mode "755"
+    variables :outputdir => "#{qa_data_directory}/new"
+  end
+
+  ssl_certificate "qa-tile.nominatim.openstreetmap.org" do
+    domains ["qa-tile.nominatim.openstreetmap.org"]
+    notifies :reload, "service[nginx]"
+  end
+
+  nginx_site "qa-tiles.nominatim" do
+    template "nginx-qa-tiles.erb"
+    directory qa_data_directory
+    variables :qa_data_directory => qa_data_directory
    end
  end
  
    end
  end
  
-template "#{source_directory}/utils/nominatim-update" do
-  source "updater.erb"
-  user   "nominatim"
-  group  "nominatim"
-  mode   0755
+## Logging and monitoring
+
+template "/etc/logrotate.d/nominatim" do
+  source "logrotate.nominatim.erb"
+  owner "root"
+  group "root"
+  mode "644"
  end
  
  end
  
-template "/etc/init.d/nominatim-update" do
-  source "updater.init.erb"
-  user   "nominatim"
-  group  "nominatim"
-  mode   0755
-  variables :source_directory => source_directory
+prometheus_exporter "nominatim" do
+  port 8082
+  user "www-data"
+  restrict_address_families "AF_UNIX"
+  options [
+    "--nominatim.query-log=#{node[:nominatim][:logdir]}/query.log",
+    "--nominatim.database-name=#{node[:nominatim][:dbname]}"
+  ]
  end
  
  end
  
+frontend_addresses = frontends.collect { |f| f.ipaddresses(:role => :external) }
+
+fail2ban_jail "nominatim_limit_req" do
+  filter "nginx-limit-req"
+  logpath "#{node[:nominatim][:logdir]}/nominatim.openstreetmap.org-error.log"
+  ports [80, 443]
+  maxretry 20
+  ignoreips frontend_addresses.flatten.sort
+end