tileserver: move from internal network to internet

This commit is contained in:
Markus 2024-10-04 23:11:27 +02:00
parent d717dbe5d5
commit 14217927ca
12 changed files with 136 additions and 44 deletions


@ -78,5 +78,4 @@ pve_targets:
site: ffrgb site: ffrgb
site_domain: regensburg.freifunk.net site_domain: regensburg.freifunk.net
web_services: tileserver_domain: tiles.regensburg.freifunk.net
- { id: tiles, domain: tiles.regensburg.freifunk.net }

2
hosts

@ -6,7 +6,7 @@ netbox.regensburg.freifunk.net
ns1.regensburg.freifunk.net ns1.regensburg.freifunk.net
resolver.regensburg.freifunk.net resolver.regensburg.freifunk.net
stats.regensburg.freifunk.net stats.regensburg.freifunk.net
tiles.regensburg.freifunk.net
web.regensburg.freifunk.net web.regensburg.freifunk.net
unms.ffrgb ansible_host=10.90.224.101 unms.ffrgb ansible_host=10.90.224.101
unifi.ffrgb ansible_host=10.90.224.102 unifi.ffrgb ansible_host=10.90.224.102
tiles.ffrgb ansible_host=10.90.224.103


@ -0,0 +1,11 @@
# Notes
To generate a current .mbtiles file:
# apt install tilemaker
# cd /tmp
# wget https://download.geofabrik.de/europe/germany-latest.osm.pbf
# mount -o remount,size=24G /dev/shm
# # tilemaker --input /tmp/germany-latest.osm.pbf --output /tmp/germany-latest.mbtiles --config /usr/share/doc/tilemaker/examples/config-openmaptiles.json --process /usr/share/doc/tilemaker/examples/process-openmaptiles.lua --store /dev/shm/


@ -0,0 +1,3 @@
---
tileserver_version: 5.0.0


@ -1,4 +1,13 @@
--- ---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart nginx
service: name=nginx state=restarted
- name: Restart tileserver - name: Restart tileserver
command: docker restart tileserver service: name=tileserver state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr
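Review bot: The three new handlers use the free-form `key=value` shorthand (`systemd: daemon_reload=yes`, `service: name=nginx state=restarted`, `service: name=tileserver state=restarted`), which ansible-lint flags and which hides the `yes` truthy value from yamllint; the native form `systemd:` / `  daemon_reload: true` and `service:` / `  name: nginx` / `  state: restarted` is the convention the tasks file in this commit already uses for its longer tasks. Handler order matters here: because "Reload systemd" is listed before "Restart tileserver", a changed unit file is reloaded before the restart, which is correct but worth a comment such as `# keep "Reload systemd" first: handlers run in file order`. Note that "Restart tileserver" now goes through the systemd unit, whose ExecStop runs `docker-compose down -v`, so every notified restart recreates the container rather than restarting it in place.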


@ -1,4 +1,5 @@
--- ---
dependencies: dependencies:
- { role: docker } - { role: acertmgr }
- { role: nginx, nginx_anonymize: True, nginx_ssl: True }
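Review bot: `nginx_anonymize: True` and `nginx_ssl: True` on the last line use capitalised booleans; write `- { role: nginx, nginx_anonymize: true, nginx_ssl: true }` so the values are booleans under both YAML 1.1 and 1.2 loaders and pass yamllint's truthy rule. With `role: docker` removed from the dependency list, nothing in this role's visible hunks installs a Docker engine any more, while the tasks still add the service user to the `docker` group and install `docker-compose`; if the engine is now expected from another role or a base image, a comment above the list such as `# Docker engine is installed outside this role; only compose is handled here` would make that assumption explicit.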


@ -1,33 +1,63 @@
--- ---
- name: Create data directories - name: Install packages
apt:
name:
- docker-compose
- name: Create tileserver group
group: name=tileserver
- name: Create tileserver user
user:
name: tileserver
home: /opt/tileserver
shell: /bin/bash
group: tileserver
groups: docker
- name: Configure tileserver container
template: src=docker-compose.yml.j2 dest=/opt/tileserver/docker-compose.yml
notify: Restart tileserver
- name: Create style directory
file: file:
path: "{{ item }}" path: /opt/tileserver/data/styles
recurse: yes
state: directory state: directory
with_items:
- /opt/tileserver
- /opt/tileserver/styles
- name: Configre tileserver - name: Configre tileserver
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: /opt/tileserver/{{ item }} dest: /opt/tileserver/data/{{ item }}
with_items: with_items:
- config.json - config.json
- styles/day.json - styles/day.json
- styles/night.json - styles/night.json
notify: Restart tileserver notify: Restart tileserver
- name: Run tileserver container - name: Ensure certificates are available
docker_container: command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ tileserver_domain }}.key -out /etc/nginx/ssl/{{ tileserver_domain }}.crt -days 730 -subj "/CN={{ tileserver_domain }}" creates=/etc/nginx/ssl/{{ tileserver_domain }}.crt
name: tileserver notify: Restart nginx
image: maptiler/tileserver-gl:v5.0.0
interactive: yes - name: Configure certificate manager for tileserver
ports: template: src=certs.j2 dest=/etc/acertmgr/{{ tileserver_domain }}.conf
- "80:8080" notify: Run acertmgr
pull: yes
restart_policy: unless-stopped - name: Configure vhost
state: started template: src=vhost.j2 dest=/etc/nginx/sites-available/tileserver
tty: yes notify: Restart nginx
volumes:
- "/opt/tileserver:/data" - name: Enable vhost
file: src=/etc/nginx/sites-available/tileserver dest=/etc/nginx/sites-enabled/tileserver state=link
notify: Restart nginx
- name: Systemd unit for tileserver
template: src=tileserver.service.j2 dest=/etc/systemd/system/tileserver.service
notify:
- Reload systemd
- Restart tileserver
- name: Start the tileserver service
service: name=tileserver state=started enabled=yes
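Review bot: "Create tileserver user" adds the user to `groups: docker`, but "Install packages" only installs `docker-compose` and the meta hunk drops the docker role dependency, so on a host where the engine is not already present the user task fails on the missing group before anything else runs; either add the engine package to the `name:` list or state the precondition in a comment above the user task. Membership in the `docker` group grants full control of the daemon and is effectively root-equivalent, so running the stack as a dedicated `tileserver` user isolates nothing by itself; a comment like `# docker group membership is root-equivalent; the separate user is for ownership, not privilege separation` prevents a false sense of containment. "Create style directory" sets `recurse: yes` with no owner or mode, which does nothing useful and uses a truthy alias; drop it or write `recurse: true`. The self-signed bootstrap in "Ensure certificates are available" is guarded by `creates=`, which is fine, but the private key's permissions come from whatever openssl defaults to, so a follow-up `file: path=/etc/nginx/ssl/{{ tileserver_domain }}.key mode=0400` (or `mode: "0400"` in block form) would pin them until acertmgr replaces the key.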


@ -1,15 +1,15 @@
--- ---
{{ domain }}: {{ tileserver_domain }}:
- path: /etc/nginx/ssl/{{ domain }}.crt - path: /etc/nginx/ssl/{{ tileserver_domain }}.key
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ domain }}.key
user: root user: root
group: root group: root
perm: '400' perm: '400'
format: key format: key
action: '/usr/sbin/service nginx restart' action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ tileserver_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'


@ -0,0 +1,11 @@
---
version: "3.4"
services:
tileserver:
image: maptiler/tileserver-gl:v{{ tileserver_version }}
restart: unless-stopped
command: server
volumes:
- ./data:/data
ports:
- "127.0.0.1:8080:8080"
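Review bot: `image: maptiler/tileserver-gl:v{{ tileserver_version }}` pins by tag only, and tags are mutable, so `docker-compose up` is not reproducible and the image can change under the same `tileserver_version`; appending a digest, e.g. `image: maptiler/tileserver-gl:v{{ tileserver_version }}@sha256:<DIGEST-PLACEHOLDER>`, fixes the exact image and should be bumped together with the version variable. The bind mount `./data:/data` is read-write; if the server only reads the config, styles and mbtiles placed there by the copy tasks, `- ./data:/data:ro` keeps a compromised container from rewriting the style or config files (confirm tileserver-gl does not write under /data first). Binding the published port to `127.0.0.1:8080` so only the local nginx vhost reaches it is the right shape for the internet-facing move; a short comment `# loopback only: nginx terminates TLS and proxies to this port` documents why the address is there.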


@ -0,0 +1,28 @@
[Unit]
Description=tileserver service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=tileserver
Group=tileserver
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/tileserver
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target
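Review bot: `ExecStartPre` and `ExecStop` both run `docker-compose down -v`, which removes named volumes as well as containers; the compose file in this commit only uses the `./data` bind mount so nothing is lost today, but a named volume added later would be wiped on every restart without warning. Replace the two existing comments with `# -v also deletes named volumes: only bind mounts are used, keep it that way or drop -v`. `User=tileserver` runs compose as the dedicated user, which works only because the tasks put that user in the docker group, i.e. with root-equivalent access to the daemon; a `# runs unprivileged in name only, docker group access is root-equivalent` line next to `User=` keeps the next reader from relying on it as a sandbox. `Before=nginx.service` orders the unit ahead of nginx, but nothing makes nginx wait for the container to actually listen on 8080, so the first requests after boot may hit a refused upstream until the container is up; the `TimeoutStartSec=1200` hints at slow starts, which is worth stating in the comment.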


@ -2,7 +2,7 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name {{ domain }}; server_name {{ tileserver_domain }};
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
default_type "text/plain"; default_type "text/plain";
@ -10,7 +10,7 @@ server {
} }
location / { location / {
return 301 https://$host$request_uri; return 301 https://{{ tileserver_domain }}$request_uri;
} }
} }
@ -20,13 +20,13 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name {{ domain }}; server_name {{ tileserver_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key; ssl_certificate_key /etc/nginx/ssl/{{ tileserver_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ domain }}.crt; ssl_certificate /etc/nginx/ssl/{{ tileserver_domain }}.crt;
location ~ /d/(.*\.png|.*\.webp) { location ~ /d/(.*\.png|.*\.webp) {
proxy_pass http://10.90.224.103/styles/day/$1; proxy_pass http://127.0.0.1:8080/styles/day/$1;
proxy_cache tilecache; proxy_cache tilecache;
proxy_cache_background_update on; proxy_cache_background_update on;
@ -41,7 +41,7 @@ server {
} }
location ~ /n/(.*\.png|.*\.webp) { location ~ /n/(.*\.png|.*\.webp) {
proxy_pass http://10.90.224.103/styles/night/$1; proxy_pass http://127.0.0.1:8080/styles/night/$1;
proxy_cache tilecache; proxy_cache tilecache;
proxy_cache_background_update on; proxy_cache_background_update on;
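Review bot: Both `proxy_pass` targets now point at `http://127.0.0.1:8080/styles/.../$1`, which matches the `127.0.0.1:8080:8080` port mapping in the compose template, but the rest of each `location` and the `server` blocks continue outside the hunk, so the `proxy_set_header` lines are not visible here. tileserver-gl appears to build the URLs in its TileJSON and style responses from the incoming `Host` and `X-Forwarded-Proto` headers, so if those are not forwarded the server will advertise `http://127.0.0.1:8080` links to clients; verify the location blocks pass `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` (or that tileserver-gl is started with a public URL). Changing the redirect to `return 301 https://{{ tileserver_domain }}$request_uri;` instead of `$host` is the right call for an internet-facing vhost since it no longer reflects an arbitrary Host header; a one-line comment `# fixed host: never reflect the request's Host header` records the intent.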


@ -40,6 +40,11 @@
- yanic - yanic
- web_stats - web_stats
- name: Setup tile server
hosts: tiles.regensburg.freifunk.net
roles:
- tileserver
- name: Setup name servers - name: Setup name servers
hosts: ns1.regensburg.freifunk.net hosts: ns1.regensburg.freifunk.net
roles: roles:
@ -69,8 +74,3 @@
hosts: unifi.ffrgb hosts: unifi.ffrgb
roles: roles:
- unifi - unifi
- name: Setup tile server
hosts: tiles.ffrgb
roles:
- tileserver