X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ab47927c016597f8602b81dcdc168ad5c335389d..cfa0fe92774c9dfcf0a0085d7772319550066ed7:/cookbooks/web/recipes/rails.rb diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb index caf20279f..b28e19ba7 100644 --- a/cookbooks/web/recipes/rails.rb +++ b/cookbooks/web/recipes/rails.rb @@ -24,6 +24,7 @@ include_recipe "geoipupdate" include_recipe "munin" include_recipe "nodejs" include_recipe "passenger" +include_recipe "ruby" include_recipe "tools" include_recipe "web::base" @@ -49,13 +50,12 @@ template "/etc/cron.hourly/passenger" do mode "755" end -ruby_version = node[:passenger][:ruby_version] rails_directory = "#{node[:web][:base_directory]}/rails" -piwik = data_bag_item("web", "piwik") +matomo = data_bag_item("web", "matomo") storage = { - "aws" => { + "avatars" => { "service" => "S3", "access_key_id" => "AKIASQUXHPE7AMJQRFOS", "secret_access_key" => web_passwords["aws_key"], @@ -66,34 +66,63 @@ storage = { "acl" => "public-read", "cache_control" => "public, max-age=31536000, immutable" } + }, + "gps_traces" => { + "service" => "S3", + "access_key_id" => "AKIASQUXHPE7AMJQRFOS", + "secret_access_key" => web_passwords["aws_key"], + "region" => "eu-west-1", + "bucket" => "openstreetmap-gps-traces", + "use_dualstack_endpoint" => true, + "upload" => { + "acl" => "public-read", + "cache_control" => "public, max-age=31536000, immutable" + } + }, + "gps_images" => { + "service" => "S3", + "access_key_id" => "AKIASQUXHPE7AMJQRFOS", + "secret_access_key" => web_passwords["aws_key"], + "region" => "eu-west-1", + "bucket" => "openstreetmap-gps-images", + "use_dualstack_endpoint" => true, + "upload" => { + "acl" => "public-read", + "cache_control" => "public, max-age=31536000, immutable" + } } } +db_host = if node[:web][:status] == "database_readonly" + node[:web][:readonly_database_host] + else + node[:web][:database_host] + end + rails_port "www.openstreetmap.org" do - ruby ruby_version directory rails_directory user "rails" group "rails" repository "https://git.openstreetmap.org/public/rails.git" revision "live" - database_host node[:web][:database_host] + database_host db_host database_name "openstreetmap" database_username "rails" database_password db_passwords["rails"] email_from "OpenStreetMap " status node[:web][:status] messages_domain "messages.openstreetmap.org" - gpx_dir "/store/rails/gpx" - attachments_dir "/store/rails/attachments" log_path "#{node[:web][:log_directory]}/rails.log" logstash_path "#{node[:web][:log_directory]}/rails-logstash.log" memcache_servers node[:web][:memcached_servers] potlatch2_key web_passwords["potlatch2_key"] id_key web_passwords["id_key"] + id_application web_passwords["id_application"] oauth_key web_passwords["oauth_key"] - piwik_configuration "location" => piwik[:location], - "site" => piwik[:site], - "goals" => piwik[:goals].to_hash + oauth_application web_passwords["oauth_application"] + matomo_configuration "location" => matomo[:location], + "site" => matomo[:site], + "goals" => matomo[:goals].to_hash google_auth_id "651529786092-6c5ahcu0tpp95emiec8uibg11asmk34t.apps.googleusercontent.com" google_auth_secret web_passwords["google_auth_secret"] google_openid_realm "https://www.openstreetmap.org" @@ -111,35 +140,28 @@ rails_port "www.openstreetmap.org" do trace_use_job_queue true diary_feed_delay 12 storage_configuration storage - storage_service "aws" - storage_url "https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com" + avatar_storage "avatars" + trace_file_storage "gps_traces" + trace_image_storage "gps_images" + trace_icon_storage "gps_images" + avatar_storage_url "https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com" + trace_image_storage_url "https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com" + overpass_url "https://query.openstreetmap.org/query-features" + overpass_credentials true end -gem_package "bundler#{ruby_version}" do - package_name "bundler" - gem_binary "gem#{ruby_version}" - options "--format-executable" -end - -bundle = if File.exist?("/usr/bin/bundle#{ruby_version}") - "/usr/bin/bundle#{ruby_version}" - else - "/usr/local/bin/bundle#{ruby_version}" - end - systemd_service "rails-jobs@" do description "Rails job queue runner" type "simple" - environment "RAILS_ENV" => "production", "QUEUE" => "%I" + environment "RAILS_ENV" => "production", "QUEUE" => "%I", "SLEEP_DELAY" => "60" user "rails" working_directory rails_directory - exec_start "#{bundle} exec rake jobs:work" + exec_start "#{node[:ruby][:bundle]} exec rails jobs:work" restart "on-failure" - private_tmp true - private_devices true - protect_system "full" - protect_home true - no_new_privileges true + nice 10 + sandbox :enable_network => true + memory_deny_write_execute false + read_write_paths "/var/log/web" end package "libjson-xs-perl" @@ -151,8 +173,13 @@ template "/usr/local/bin/cleanup-rails-assets" do mode "755" end -gem_package "apachelogregex" -gem_package "file-tail" +gem_package "apachelogregex" do + gem_binary node[:ruby][:gem] +end + +gem_package "file-tail" do + gem_binary node[:ruby][:gem] +end template "/usr/local/bin/api-statistics" do source "api-statistics.erb" @@ -166,12 +193,12 @@ systemd_service "api-statistics" do user "rails" group "adm" exec_start "/usr/local/bin/api-statistics" - private_tmp true - private_devices true - private_network true - protect_system "full" - protect_home true - no_new_privileges true + nice 10 + sandbox true + read_write_paths [ + "/srv/www.openstreetmap.org/rails/tmp", + "/var/lib/prometheus/node-exporter" + ] restart "on-failure" end @@ -182,7 +209,9 @@ service "api-statistics" do subscribes :restart, "systemd_service[api-statistics]" end -gem_package "hpricot" +gem_package "hpricot" do + gem_binary node[:ruby][:gem] +end munin_plugin "api_calls_status" munin_plugin "api_calls_num"