+%w[backup-nominatim vacuum-db-nominatim].each do |fname|
+ template "/usr/local/bin/#{fname}" do
+ source "#{fname}.erb"
+ owner "root"
+ group "root"
+ mode "755"
+ variables :db => node[:nominatim][:dbname]
+ end
+end
+
+## webserver frontend
+
+directory "#{basedir}/etc" do
+ owner "nominatim"
+ group "adm"
+ mode "775"
+end
+
+%w[user_agent referrer email generic].each do |name|
+ file "#{basedir}/etc/nginx_blocked_#{name}.conf" do
+ action :create_if_missing
+ owner "nominatim"
+ group "adm"
+ mode "664"
+ end
+end
+
+node[:nominatim][:fpm_pools].each do |name, data|
+ php_fpm name do
+ port data[:port]
+ pm data[:pm]
+ pm_max_children data[:max_children]
+ pm_start_servers 20
+ pm_min_spare_servers 10
+ pm_max_spare_servers 20
+ pm_max_requests 10000
+ prometheus_port data[:prometheus_port]
+ end
+end
+
+ssl_certificate node[:fqdn] do
+ domains [node[:fqdn],
+ "nominatim.openstreetmap.org",
+ "nominatim.osm.org",
+ "nominatim.openstreetmap.com",
+ "nominatim.openstreetmap.net",
+ "nominatim.openstreetmaps.org",
+ "nominatim.openmaps.org"]
+ notifies :reload, "service[nginx]"
+end
+
+package "apache2" do
+ action :remove
+end
+
+include_recipe "nginx"
+
+nginx_site "default" do
+ action [:delete]
+end
+
+frontends = search(:node, "recipes:web\\:\\:frontend").sort_by(&:name)
+
+nginx_site "nominatim" do
+ template "nginx.erb"
+ directory build_directory
+ variables :pools => node[:nominatim][:fpm_pools],
+ :frontends => frontends,
+ :confdir => "#{basedir}/etc",
+ :ui_directory => ui_directory
+end
+
+template "/etc/logrotate.d/nginx" do
+ source "logrotate.nginx.erb"
+ owner "root"
+ group "root"
+ mode "644"
+end
+
+munin_plugin_conf "nominatim" do
+ template "munin.erb"
+ variables :db => node[:nominatim][:dbname],
+ :querylog => "#{node[:nominatim][:logdir]}/query.log"
+end
+
+munin_plugin "nominatim_importlag" do
+ target "#{source_directory}/munin/nominatim_importlag"
+end
+
+munin_plugin "nominatim_query_speed" do
+ target "#{source_directory}/munin/nominatim_query_speed_querylog"
+end
+
+munin_plugin "nominatim_requests" do
+ target "#{source_directory}/munin/nominatim_requests_querylog"
+end
+
+directory "#{basedir}/status" do
+ owner "nominatim"
+ group "postgres"
+ mode "775"
+end
+
+include_recipe "fail2ban"
+
+frontend_addresses = frontends.collect { |f| f.ipaddresses(:role => :external) }
+
+fail2ban_jail "nominatim_limit_req" do
+ filter "nginx-limit-req"
+ logpath "#{node[:nominatim][:logdir]}/nominatim.openstreetmap.org-error.log"
+ ports [80, 443]
+ maxretry 5
+ ignoreips frontend_addresses.flatten.sort
+end