tileserver: move from internal network to internet

2024-10-04 23:11:27 +02:00 · 2024-10-04 23:11:27 +02:00 · 14217927ca
commit 14217927ca
parent d717dbe5d5
12 changed files with 136 additions and 44 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -78,5 +78,4 @@ pve_targets:
 site: ffrgb
 site_domain: regensburg.freifunk.net

-web_services:
- { id: tiles, domain: tiles.regensburg.freifunk.net }
+tileserver_domain: tiles.regensburg.freifunk.net
--- a/2
+++ b/2
@ -6,7 +6,7 @@ netbox.regensburg.freifunk.net
 ns1.regensburg.freifunk.net
 resolver.regensburg.freifunk.net
 stats.regensburg.freifunk.net
+tiles.regensburg.freifunk.net
 web.regensburg.freifunk.net
 unms.ffrgb ansible_host=10.90.224.101
 unifi.ffrgb ansible_host=10.90.224.102
-tiles.ffrgb ansible_host=10.90.224.103
--- a/roles/tileserver/README.md
+++ b/roles/tileserver/README.md
@ -0,0 +1,11 @@
+# Notes
+
+To generate a current .mbtiles file:
+
+   
+# apt install tilemaker
+# cd /tmp
+# wget https://download.geofabrik.de/europe/germany-latest.osm.pbf
+# mount -o remount,size=24G /dev/shm                              
+# # tilemaker --input /tmp/germany-latest.osm.pbf --output /tmp/germany-latest.mbtiles --config /usr/share/doc/tilemaker/examples/config-openmaptiles.json --process /usr/share/doc/tilemaker/examples/process-openmaptiles.lua --store /dev/shm/
+   
--- a/roles/tileserver/defaults/main.yml
+++ b/roles/tileserver/defaults/main.yml
@ -0,0 +1,3 @@
+---
+
+tileserver_version: 5.0.0
--- a/roles/tileserver/handlers/main.yml
+++ b/roles/tileserver/handlers/main.yml
@ -1,4 +1,13 @@
 ---

+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
 - name: Restart tileserver
-  command: docker restart tileserver
+  service: name=tileserver state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
--- a/roles/tileserver/meta/main.yml
+++ b/roles/tileserver/meta/main.yml
@ -1,4 +1,5 @@
 ---

 dependencies:
- { role: docker }
+- { role: acertmgr }
+- { role: nginx, nginx_anonymize: True, nginx_ssl: True }
--- a/roles/tileserver/tasks/main.yml
+++ b/roles/tileserver/tasks/main.yml
@ -1,33 +1,63 @@
 ---

- name: Create data directories
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create tileserver group
+  group: name=tileserver
+
+- name: Create tileserver user
+  user:
+    name: tileserver
+    home: /opt/tileserver
+    shell: /bin/bash
+    group: tileserver
+    groups: docker
+
+- name: Configure tileserver container
+  template: src=docker-compose.yml.j2 dest=/opt/tileserver/docker-compose.yml
+  notify: Restart tileserver
+
+- name: Create style directory
  file:
-    path: "{{ item }}"
+    path: /opt/tileserver/data/styles
+    recurse: yes
    state: directory
-  with_items:
-  - /opt/tileserver
-  - /opt/tileserver/styles

 - name: Configre tileserver
  copy:
    src: "{{ item }}"
-    dest: /opt/tileserver/{{ item }}
+    dest: /opt/tileserver/data/{{ item }}
  with_items:
  - config.json
  - styles/day.json
  - styles/night.json
  notify: Restart tileserver

- name: Run tileserver container
-  docker_container:
-    name: tileserver
-    image: maptiler/tileserver-gl:v5.0.0
-    interactive: yes
-    ports:
-    - "80:8080"
-    pull: yes
-    restart_policy: unless-stopped
-    state: started
-    tty: yes
-    volumes:
-    - "/opt/tileserver:/data"
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ tileserver_domain }}.key -out /etc/nginx/ssl/{{ tileserver_domain }}.crt -days 730 -subj "/CN={{ tileserver_domain }}" creates=/etc/nginx/ssl/{{ tileserver_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for tileserver
+  template: src=certs.j2 dest=/etc/acertmgr/{{ tileserver_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/tileserver
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/tileserver dest=/etc/nginx/sites-enabled/tileserver state=link
+  notify: Restart nginx
+
+
+- name: Systemd unit for tileserver
+  template: src=tileserver.service.j2 dest=/etc/systemd/system/tileserver.service
+  notify:
+  - Reload systemd
+  - Restart tileserver
+
+- name: Start the tileserver service
+  service: name=tileserver state=started enabled=yes
--- a/roles/web_svc/templates/tiles_certs.j2
+++ b/roles/web_svc/templates/tiles_certs.j2
@ -1,15 +1,15 @@
 ---

-{{ domain }}:
- path: /etc/nginx/ssl/{{ domain }}.crt
-  user: root
-  group: root
-  perm: '400'
-  format: crt,ca
-  action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ domain }}.key
+{{ tileserver_domain }}:
+- path: /etc/nginx/ssl/{{ tileserver_domain }}.key
  user: root
  group: root
  perm: '400'
  format: key
  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ tileserver_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
--- a/roles/tileserver/templates/docker-compose.yml.j2
+++ b/roles/tileserver/templates/docker-compose.yml.j2
@ -0,0 +1,11 @@
+---
+version: "3.4"
+services:
+  tileserver:
+    image: maptiler/tileserver-gl:v{{ tileserver_version }}
+    restart: unless-stopped
+    command: server
+    volumes:
+      - ./data:/data
+    ports:
+      - "127.0.0.1:8080:8080"
--- a/roles/tileserver/templates/tileserver.service.j2
+++ b/roles/tileserver/templates/tileserver.service.j2
@ -0,0 +1,28 @@
+[Unit]
+Description=tileserver service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=tileserver
+Group=tileserver
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/tileserver
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/web_svc/templates/tiles_vhost.j2
+++ b/roles/web_svc/templates/tiles_vhost.j2
@ -2,7 +2,7 @@ server {
 	listen 80;
 	listen [::]:80;

-	server_name {{ domain }};
+	server_name {{ tileserver_domain }};

 	location /.well-known/acme-challenge {
 		default_type "text/plain";
@ -10,7 +10,7 @@ server {
 	}

 	location / {
-		return 301 https://$host$request_uri;
+		return 301 https://{{ tileserver_domain }}$request_uri;
 	}
 }

@ -20,13 +20,13 @@ server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;

-	server_name {{ domain }};
+	server_name {{ tileserver_domain }};

-	ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ domain }}.crt;
+	ssl_certificate_key /etc/nginx/ssl/{{ tileserver_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ tileserver_domain }}.crt;

 	location ~ /d/(.*\.png|.*\.webp) {
-		proxy_pass http://10.90.224.103/styles/day/$1;
+		proxy_pass http://127.0.0.1:8080/styles/day/$1;

 		proxy_cache tilecache;
 		proxy_cache_background_update on;
@ -41,7 +41,7 @@ server {
 	}

 	location ~ /n/(.*\.png|.*\.webp) {
-		proxy_pass http://10.90.224.103/styles/night/$1;
+		proxy_pass http://127.0.0.1:8080/styles/night/$1;

 		proxy_cache tilecache;
 		proxy_cache_background_update on;
--- a/site.yml
+++ b/site.yml
@ -40,6 +40,11 @@
  - yanic
  - web_stats

+- name: Setup tile server
+  hosts: tiles.regensburg.freifunk.net
+  roles:
+  - tileserver
+
 - name: Setup name servers
  hosts: ns1.regensburg.freifunk.net
  roles:
@ -69,8 +74,3 @@
  hosts: unifi.ffrgb
  roles:
  - unifi
-
- name: Setup tile server
-  hosts: tiles.ffrgb
-  roles:
-  - tileserver