ignore_failure true
end
-tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"))
apache_site "default" do
apache_site "tile.openstreetmap.org" do
template "apache.erb"
- variables :caches => tilecaches, :fastly => fastlyips["addresses"]
+ variables :fastly => fastlyips["addresses"]
end
template "/etc/logrotate.d/apache2" do
mode "755"
end
+directory "/srv/tile.openstreetmap.org/conf" do
+ owner "tile"
+ group "tile"
+ mode "755"
+end
+
+file "/srv/tile.openstreetmap.org/conf/ip.map" do
+ owner "tile"
+ group "adm"
+ mode "644"
+end
+
package "renderd"
systemd_service "renderd" do
- description "Mapnik rendering daemon"
+ dropin "chef"
after "postgresql.service"
wants "postgresql.service"
- user "www-data"
- exec_start "/usr/bin/renderd -f"
- runtime_directory "renderd"
- standard_error "null"
limit_nofile 4096
private_tmp true
private_devices true
restart "on-failure"
end
+systemd_service "renderd" do
+ action :delete
+end
+
service "renderd" do
action [:enable, :start]
subscribes :restart, "systemd_service[renderd]"
details[:tile_directories].each do |directory|
directory directory[:name] do
- owner "www-data"
- group "www-data"
+ owner "_renderd"
+ group "_renderd"
mode "755"
end
directory[:min_zoom].upto(directory[:max_zoom]) do |zoom|
directory "#{directory[:name]}/#{zoom}" do
- owner "www-data"
- group "www-data"
+ owner "_renderd"
+ group "_renderd"
mode "755"
end
cluster node[:tile][:database][:cluster]
end
+postgresql_user "_renderd" do
+ cluster node[:tile][:database][:cluster]
+end
+
postgresql_database "gis" do
cluster node[:tile][:database][:cluster]
owner "tile"
cluster node[:tile][:database][:cluster]
database "gis"
owner "tile"
- permissions "tile" => :all, "www-data" => :select
+ permissions "tile" => :all, "www-data" => :select, "_renderd" => :select
end
end
if node[:tile][:database][:external_data_script]
execute node[:tile][:database][:external_data_script] do
- command "#{node[:tile][:database][:external_data_script]} -R www-data"
+ command "#{node[:tile][:database][:external_data_script]} -R _renderd"
cwd "/srv/tile.openstreetmap.org"
user "tile"
group "tile"
+ ignore_failure true
+ end
+
+ Array(node[:tile][:database][:external_data_tables]).each do |table|
+ postgresql_table table do
+ cluster node[:tile][:database][:cluster]
+ database "gis"
+ owner "tile"
+ permissions "tile" => :all, "www-data" => :select, "_renderd" => :select
+ end
end
end
file node[:tile][:database][:node_file] do
owner "tile"
- group "www-data"
+ group "_renderd"
mode "660"
end
python3-pyproj
]
+gem_package "apachelogregex"
+gem_package "file-tail"
+gem_package "lru_redux"
+
remote_directory "/usr/local/bin" do
source "bin"
owner "root"
files_mode "755"
end
+template "/usr/local/bin/tile-ratelimit" do
+ source "tile-ratelimit.erb"
+ owner "root"
+ group "root"
+ mode "755"
+end
+
+systemd_service "tile-ratelimit" do
+ description "Monitor tile requests and enforce rate limits"
+ after "apache2.service"
+ user "tile"
+ group "adm"
+ exec_start "/usr/local/bin/tile-ratelimit"
+ private_tmp true
+ private_devices true
+ private_network true
+ protect_system "full"
+ protect_home true
+ read_write_paths "/srv/tile.openstreetmap.org/conf"
+ no_new_privileges true
+ restart "on-failure"
+end
+
+service "tile-ratelimit" do
+ action [:enable, :start]
+ subscribes :restart, "file[/usr/local/bin/tile-ratelimit]"
+ subscribes :restart, "systemd_service[tile-ratelimit]"
+end
+
template "/usr/local/bin/expire-tiles" do
source "expire-tiles.erb"
owner "root"
directory "/var/lib/replicate/expire-queue" do
owner "tile"
- group "www-data"
+ group "_renderd"
mode "775"
end
systemd_service "expire-tiles" do
description "Tile dirtying service"
type "simple"
- user "www-data"
+ user "_renderd"
exec_start "/usr/local/bin/expire-tiles"
standard_output "null"
private_tmp true
cron_d "cleanup-tiles#{label}" do
minute "0"
- user "www-data"
+ user "_renderd"
command "ionice -c 3 /usr/local/bin/cleanup-tiles #{directory}"
mailto "admins@openstreetmap.org"
end