mode "755"
end
-package "mapnik-utils"
+package %w[
+ mapnik-utils
+ tar
+ unzip
+]
node[:tile][:data].each_value do |data|
url = data[:url]
end
if file =~ /\.tgz$/
- package "tar"
-
execute file do
action :nothing
command "tar -zxf #{file} -C #{directory}"
group "tile"
end
elsif file =~ /\.tar\.bz2$/
- package "tar"
-
execute file do
action :nothing
command "tar -jxf #{file} -C #{directory}"
group "tile"
end
elsif file =~ /\.zip$/
- package "unzip"
-
execute file do
action :nothing
command "unzip -qq -o #{file} -d #{directory}"
systemd_service "update-lowzoom@" do
description "Low zoom tile update service for %i layer"
- conflicts "render-lowzoom.service"
user "tile"
+ exec_start_pre "+/bin/systemctl stop render-lowzoom.service"
exec_start "/bin/bash /usr/local/bin/update-lowzoom-%i"
runtime_directory "update-lowzoom-%i"
private_tmp true
private_devices true
private_network true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths [
+ "/srv/tile.openstreetmap.org/tiles/%i",
+ "/var/log/tile"
+ ]
no_new_privileges true
restart "on-failure"
end
execute "#{style_directory}/project.mml" do
action :nothing
- command "carto -a 3.0.0 project.mml > project.xml"
+ command "carto -a 3.0.22 project.mml > project.xml"
cwd style_directory
user "tile"
group "tile"
private_tmp true
private_devices true
private_network true
- protect_system "full"
+ protect_system "strict"
protect_home true
read_write_paths "/srv/tile.openstreetmap.org/conf"
no_new_privileges true
standard_output "null"
private_tmp true
private_devices true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths [
+ "/store/database/nodes",
+ "/store/tiles/%i",
+ "/var/lib/replicate/expire-queue",
+ "/var/log/tile"
+ ]
no_new_privileges true
end
exec_start "/usr/local/bin/replicate"
private_tmp true
private_devices true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths [
+ "/store/database/nodes",
+ "/var/lib/replicate",
+ "/var/log/tile"
+ ]
no_new_privileges true
restart "on-failure"
end
private_tmp true
private_devices true
private_network true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths "/var/log/tile"
no_new_privileges true
end