conf "tile.conf.erb"
end
+apache_conf "renderd" do
+ action :disable
+end
+
ssl_certificate node[:fqdn] do
domains [node[:fqdn], "tile.openstreetmap.org", "render.openstreetmap.org"]
notifies :reload, "service[apache2]"
ignore_failure true
end
-tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"))
apache_site "default" do
- action [:disable]
+ action :disable
+end
+
+apache_site "tileserver_site" do
+ action :disable
end
apache_site "tile.openstreetmap.org" do
template "apache.erb"
- variables :caches => tilecaches, :fastly => fastlyips["addresses"]
+ variables :fastly => fastlyips["addresses"]
end
template "/etc/logrotate.d/apache2" do
mode "755"
end
+directory "/srv/tile.openstreetmap.org/conf" do
+ owner "tile"
+ group "tile"
+ mode "755"
+end
+
+file "/srv/tile.openstreetmap.org/conf/ip.map" do
+ owner "tile"
+ group "adm"
+ mode "644"
+end
+
package "renderd"
systemd_service "renderd" do
python3-pyproj
]
+gem_package "apachelogregex"
+gem_package "file-tail"
+gem_package "lru_redux"
+
remote_directory "/usr/local/bin" do
source "bin"
owner "root"
files_mode "755"
end
+template "/usr/local/bin/tile-ratelimit" do
+ source "tile-ratelimit.erb"
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+systemd_service "tile-ratelimit" do
+ description "Monitor tile requests and enforce rate limits"
+ after "apache2.service"
+ user "tile"
+ group "adm"
+ exec_start "/usr/local/bin/tile-ratelimit"
+ private_tmp true
+ private_devices true
+ private_network true
+ protect_system "full"
+ protect_home true
+ read_write_paths "/srv/tile.openstreetmap.org/conf"
+ no_new_privileges true
+ restart "on-failure"
+end
+
+service "tile-ratelimit" do
+ action [:enable, :start]
+ subscribes :restart, "file[/usr/local/bin/tile-ratelimit]"
+ subscribes :restart, "systemd_service[tile-ratelimit]"
+end
+
template "/usr/local/bin/expire-tiles" do
source "expire-tiles.erb"
owner "root"