include_recipe "postgresql"
include_recipe "prometheus"
include_recipe "python"
+include_recipe "ruby"
include_recipe "tools"
blocks = data_bag_item("tile", "blocks")
conf "tile.conf.erb"
end
+apache_conf "renderd" do
+ action :disable
+end
+
ssl_certificate node[:fqdn] do
domains [node[:fqdn], "tile.openstreetmap.org", "render.openstreetmap.org"]
notifies :reload, "service[apache2]"
ignore_failure true
end
-tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"))
apache_site "default" do
- action [:disable]
+ action :disable
+end
+
+apache_site "tileserver_site" do
+ action :disable
end
apache_site "tile.openstreetmap.org" do
template "apache.erb"
- variables :caches => tilecaches, :fastly => fastlyips["addresses"]
+ variables :fastly => fastlyips["addresses"]
end
template "/etc/logrotate.d/apache2" do
mode "755"
end
+directory "/srv/tile.openstreetmap.org/conf" do
+ owner "tile"
+ group "tile"
+ mode "755"
+end
+
+file "/srv/tile.openstreetmap.org/conf/ip.map" do
+ owner "tile"
+ group "adm"
+ mode "644"
+end
+
package "renderd"
systemd_service "renderd" do
- description "Mapnik rendering daemon"
+ dropin "chef"
after "postgresql.service"
wants "postgresql.service"
- user "www-data"
- exec_start "/usr/bin/renderd -f"
- runtime_directory "renderd"
- standard_error "null"
limit_nofile 4096
private_tmp true
private_devices true
restart "on-failure"
end
+systemd_service "renderd" do
+ action :delete
+end
+
service "renderd" do
action [:enable, :start]
subscribes :restart, "systemd_service[renderd]"
python_version "3"
end
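Review bot: The `subscribes :restart, "systemd_service[renderd]"` on `service "renderd"` now has two resources of that name to resolve against — the `dropin "chef"` definition and the `action :delete` one added just above it — and if Chef resolves the string to the last resource registered under that key (as I recall it does), the restart is tied to the one-off unit-file removal rather than to the dropin, so later changes to `limit_nofile` or the `private_*` settings would not restart the daemon. Giving the cleanup resource a distinct name and pointing it at the unit explicitly, e.g. `systemd_service "renderd-legacy-unit" do` / `service "renderd"` / `action :delete`, keeps the subscription unambiguous — assuming the custom resource exposes a separate `service` property, which I cannot see from here. The `service "renderd"` block's body continues outside this hunk.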
-package %w[
+unifont = if node[:lsb][:release].to_f < 22.04
+ "ttf-unifont"
+ else
+ "fonts-unifont"
+ end
+
+package %W[
fonts-noto-cjk
fonts-noto-hinted
fonts-noto-unhinted
fonts-hanazono
- ttf-unifont
+ #{unifont}
]
["NotoSansArabicUI-Regular.ttf", "NotoSansArabicUI-Bold.ttf"].each do |font|
details[:tile_directories].each do |directory|
directory directory[:name] do
- owner "www-data"
- group "www-data"
+ owner "_renderd"
+ group "_renderd"
mode "755"
end
directory[:min_zoom].upto(directory[:max_zoom]) do |zoom|
directory "#{directory[:name]}/#{zoom}" do
- owner "www-data"
- group "www-data"
+ owner "_renderd"
+ group "_renderd"
mode "755"
end
cluster node[:tile][:database][:cluster]
end
+postgresql_user "_renderd" do
+ cluster node[:tile][:database][:cluster]
+end
+
postgresql_database "gis" do
cluster node[:tile][:database][:cluster]
owner "tile"
cluster node[:tile][:database][:cluster]
database "gis"
owner "tile"
- permissions "tile" => :all, "www-data" => :select
+ permissions "tile" => :all, "www-data" => :select, "_renderd" => :select
end
end
if node[:tile][:database][:external_data_script]
execute node[:tile][:database][:external_data_script] do
- command node[:tile][:database][:external_data_script]
+ command "#{node[:tile][:database][:external_data_script]} -R _renderd"
cwd "/srv/tile.openstreetmap.org"
user "tile"
group "tile"
+ ignore_failure true
end
Array(node[:tile][:database][:external_data_tables]).each do |table|
cluster node[:tile][:database][:cluster]
database "gis"
owner "tile"
- permissions "tile" => :all, "www-data" => :select
+ permissions "tile" => :all, "www-data" => :select, "_renderd" => :select
end
end
end
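Review bot: `ignore_failure true` on the `execute` for the external data script (added alongside the new `-R _renderd` argument) means a failed download or load is only logged and the run proceeds, so the `postgresql_table` grants that follow apply to whatever the previous run left in place and nobody is alerted that the dataset is stale. If the aim is to survive a transient upstream outage, `retries 2` with a `retry_delay` tolerates a flaky fetch while keeping a persistent failure visible; if stale data is genuinely acceptable, a comment saying so next to `ignore_failure` would stop the next reader from "fixing" it. The script path is interpolated unquoted into the shell `command`; it comes from node attributes rather than untrusted input, so this is a note, not a defect, but the `%w`/array form of `command` would avoid the shell entirely.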
file node[:tile][:database][:node_file] do
owner "tile"
- group "www-data"
+ group "_renderd"
mode "660"
end
package %w[
osm2pgsql
- ruby
osmium-tool
pyosmium
python3-pyproj
]
+gem_package "apachelogregex" do
+ gem_binary node[:ruby][:gem]
+end
+
+gem_package "file-tail" do
+ gem_binary node[:ruby][:gem]
+end
+
+gem_package "lru_redux" do
+ gem_binary node[:ruby][:gem]
+end
+
remote_directory "/usr/local/bin" do
source "bin"
owner "root"
files_mode "755"
end
+template "/usr/local/bin/tile-ratelimit" do
+ source "tile-ratelimit.erb"
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+systemd_service "tile-ratelimit" do
+ description "Monitor tile requests and enforce rate limits"
+ after "apache2.service"
+ user "tile"
+ group "adm"
+ exec_start "/usr/local/bin/tile-ratelimit"
+ private_tmp true
+ private_devices true
+ private_network true
+ protect_system "full"
+ protect_home true
+ read_write_paths "/srv/tile.openstreetmap.org/conf"
+ no_new_privileges true
+ restart "on-failure"
+end
+
+service "tile-ratelimit" do
+ action [:enable, :start]
+ subscribes :restart, "file[/usr/local/bin/tile-ratelimit]"
+ subscribes :restart, "systemd_service[tile-ratelimit]"
+end
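Review bot: `subscribes :restart, "file[/usr/local/bin/tile-ratelimit]"` names a `file` resource, but the script is declared as a `template` at L168, so unless a `file[/usr/local/bin/tile-ratelimit]` resource exists elsewhere in the recipe the subscription either fails to resolve at converge (Chef raises ResourceNotFound for a missing subscribes target, as far as I recall) or never fires and a changed script keeps running stale code; `subscribes :restart, "template[/usr/local/bin/tile-ratelimit]"` matches what is actually declared. The three `gem_package` resources above (`apachelogregex`, `file-tail`, `lru_redux`) carry no `version`, so a fresh host installs whatever rubygems.org serves at that moment into a daemon that runs as `tile` with `adm` read access to the Apache logs and writes the `ip.map` Apache consumes — pinning each with `version "x.y.z"`, or shipping them as distro packages the way `ruby-webrick` is at L222, keeps an upstream gem compromise or breaking release from landing silently on the next converge. The unit hardening is a good baseline; since `read_write_paths` is already declared, `protect_system "strict"` would additionally make everything outside that path read-only for the process.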
+
template "/usr/local/bin/expire-tiles" do
source "expire-tiles.erb"
owner "root"
directory "/var/lib/replicate/expire-queue" do
owner "tile"
- group "www-data"
+ group "_renderd"
mode "775"
end
systemd_service "expire-tiles" do
description "Tile dirtying service"
type "simple"
- user "www-data"
+ user "_renderd"
exec_start "/usr/local/bin/expire-tiles"
standard_output "null"
private_tmp true
cron_d "cleanup-tiles#{label}" do
minute "0"
- user "www-data"
+ user "_renderd"
command "ionice -c 3 /usr/local/bin/cleanup-tiles #{directory}"
mailto "admins@openstreetmap.org"
end
munin_plugin "replication_delay"
+package "ruby-webrick"
+
prometheus_exporter "modtile" do
port 9494
end