--- /dev/null
+#
+# Cookbook:: imagery
+# Recipe:: tiler
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "imagery"
+include_recipe "podman"
+
+# FIXME: until upstream supports arm64 images: https://github.com/developmentseed/titiler/pull/740
+container_image = if arm?
+ "ghcr.io/firefishy/titiler:latest"
+ else
+ "ghcr.io/developmentseed/titiler:latest"
+ end
+
+podman_service "titiler" do
+ description "Container service for titiler"
+ image container_image
+ ports 8080 => 8080
+ environment :PORT => 8080, :WORKERS_PER_CORE => 1, :GDAL_INGESTED_BYTES_AT_OPEN => 32768, :GDAL_DISABLE_READDIR_ON_OPEN => "EMPTY_DIR", :GDAL_HTTP_MERGE_CONSECUTIVE_RANGES => "YES", :GDAL_HTTP_MULTIPLEX => "YES", :GDAL_HTTP_VERSION => 2
+end
+
+ssl_certificate "tiler.openstreetmap.org" do
+ domains "tiler.openstreetmap.org"
+ notifies :reload, "service[nginx]"
+end
+
+nginx_site "tiler.openstreetmap.org" do
+ template "nginx_titiler.conf.erb"
+ variables :aliases => ["tiler.osm.org"]
+end
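Review bot: Both container references on lines 26 and 28 use the floating `:latest` tag with no digest, so whatever is pushed to that tag next (including, for arm64, a tag in a personal GHCR namespace that the FIXME on line 24 already flags as a stopgap) is what the next converge deploys; pin the image by digest, e.g. `image "ghcr.io/developmentseed/titiler@sha256:<DIGEST-placeholder>"`, and keep a short comment on how the digest is refreshed. Separately, `ports 8080 => 8080` on line 34 looks like it publishes the container port on every host interface, which would let clients reach titiler directly and skip the TLS/HSTS front end that `nginx_site` sets up — whether the `podman_service` resource lets you restrict the binding to the loopback address is defined in the podman cookbook, which is not in this diff, so confirm there and prefer a loopback-only mapping if it is supported.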
--- /dev/null
+server {
+ listen 80;
+ listen [::]:80;
+ server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
+
+ rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
+
+ ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
+ ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
+<% if node[:ssl][:strict_transport_security] -%>
+
+ add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
+
+ # Requests sent within early data are subject to replay attacks.
+ # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
+
+ # root "/srv/<%= @name %>";
+
+ gzip on;
+ gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit
+ gzip_min_length 512;
+ gzip_http_version 1.0;
+ gzip_proxied any;
+ gzip_comp_level 9;
+ gzip_vary on;
+
+ location /api/v1/titiler {
+ rewrite ^/api/v1/titiler(.*)$ $1 break;
+ proxy_pass http://localhost:8080;
+ proxy_set_header HOST $host;
+ proxy_set_header Referer $http_referer;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
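Review bot: The prefix-stripping rewrite on line 84 produces a zero-length URI for a request to exactly `/api/v1/titiler` (nginx answers that with a 500, "the rewritten URI has a zero length") and a URI without a leading slash for paths such as `/api/v1/titilerx`, which the `location` prefix on line 83 also matches; letting `proxy_pass` do the stripping avoids both cases, i.e. `location /api/v1/titiler/ {` with `proxy_pass http://localhost:8080/;` and the `rewrite` line dropped. The comment on lines 69–70 notes the replay risk of `ssl_early_data on` but nothing forwards that fact to the backend; adding `proxy_set_header Early-Data $ssl_early_data;` inside the location block lets titiler refuse non-idempotent early-data requests with 425 if it chooses to. I am assuming line 91 is the end of the template; if the hunk continues beyond what is shown, the same points apply.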