From bc7fc08cd5fd7a9914fe3619019ac17dd2d69f53 Mon Sep 17 00:00:00 2001 From: Daniel afx Date: Fri, 4 Feb 2022 01:35:39 +0200 Subject: [PATCH] add tileserver and load balancer
--- data/certbot/etc/.placeholder | 0 data/certbot/var/.placeholder | 0 data/db/.gitkeep | 0 data/osmtile/.placeholder | 0 gen-selfsigned-cert.sh | 8 ++++ issue-certificate.sh | 12 ++++++ lb/haproxy.cfg | 69 +++++++++++++++++++++++++++++++++++ tileserver/Dockerfile | 13 +++++++ 8 files changed, 102 insertions(+) create mode 100644 data/certbot/etc/.placeholder create mode 100644 data/certbot/var/.placeholder create mode 100644 data/db/.gitkeep create mode 100644 data/osmtile/.placeholder create mode 100755 gen-selfsigned-cert.sh create mode 100755 issue-certificate.sh create mode 100644 lb/haproxy.cfg create mode 100644 tileserver/Dockerfile
diff --git a/data/certbot/etc/.placeholder b/data/certbot/etc/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/data/certbot/var/.placeholder b/data/certbot/var/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/data/db/.gitkeep b/data/db/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/data/osmtile/.placeholder b/data/osmtile/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/gen-selfsigned-cert.sh b/gen-selfsigned-cert.sh
new file mode 100755
index 0000000..7316302
--- /dev/null
+++ b/gen-selfsigned-cert.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+mkdir -p data/certificates
+cd data/certificates
+openssl genrsa -out default.key 2048
+openssl req -new -key default.key -out default.csr
+openssl x509 -req -days 3650 -in default.csr -signkey default.key -out default.crt
+cat default.key default.crt >> default.pem
diff --git a/issue-certificate.sh b/issue-certificate.sh
new file mode 100755
index 0000000..fbacc65
--- /dev/null
+++ b/issue-certificate.sh
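Review bot: `cat default.key default.crt >> default.pem` appends, so every re-run of this script grows default.pem with a further key/cert pair and leaves the consumer with an ambiguous multi-key bundle; `cat default.key default.crt > default.pem` rewrites it instead. The key, CSR and bundle are also created with the caller's default umask, which typically leaves the private key readable by other local users, and nothing stops the script when `mkdir -p` or `cd data/certificates` fail, in which case the openssl calls run in whatever the current directory is. I would open the script with `set -euo pipefail` and `umask 077` so the key material is created 0600 and any failed step aborts before the next one.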
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+CB=`docker ps --format='{{.Names}}' --filter=label=meta.role=certbot`
+
+EMAIL=$2
+
+CERTNAME=$1
+DOMAIN=$1
+
+docker exec $CB certbot certonly --non-interactive --standalone --email $2 --agree-tos --keep --preferred-challenges http --cert-name "$CERTNAME" -d "$DOMAIN"
+
+cat ./data/certbot/etc/live/$CERTNAME/privkey.pem ./data/certbot/etc/live/$CERTNAME/fullchain.pem > /certificates/$CERTNAME.pem"
diff --git a/lb/haproxy.cfg b/lb/haproxy.cfg
new file mode 100644
index 0000000..920804b
--- /dev/null
+++ b/lb/haproxy.cfg
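Review bot: The last line of issue-certificate.sh ends in a stray `"` after `$CERTNAME.pem`, which looks like an unterminated string and would make bash abort with a syntax error at the point where the bundle is written — confirm, but it should go. The script also validates nothing: `$CB` is unquoted and, when no running container carries the `meta.role=certbot` label, `docker exec` is invoked with `certbot` shifted into the container-name position; `EMAIL` is assigned but the raw `$2` is used; and `$CERTNAME` is interpolated into paths unquoted. The bundle that includes `privkey.pem` is written with the caller's umask and so is probably readable by other users unless `umask 077` is set first, and its destination `/certificates/$CERTNAME.pem` is an absolute path while the inputs are relative `./data/...` paths — verify that this is the directory the HAProxy container actually mounts as `/certificates`. Below is the hardened version; the certbot invocation is unchanged apart from quoting.

```shell
#!/bin/bash
set -euo pipefail

if [ "$#" -ne 2 ]; then
    echo "usage: $0 <domain> <email>" >&2
    exit 1
fi

CB=$(docker ps --format='{{.Names}}' --filter=label=meta.role=certbot)
if [ -z "$CB" ]; then
    echo "no running container labelled meta.role=certbot" >&2
    exit 1
fi

CERTNAME=$1
DOMAIN=$1
EMAIL=$2

docker exec "$CB" certbot certonly --non-interactive --standalone --email "$EMAIL" --agree-tos --keep --preferred-challenges http --cert-name "$CERTNAME" -d "$DOMAIN"

# the bundle contains the private key: create it 0600
umask 077
cat "./data/certbot/etc/live/$CERTNAME/privkey.pem" \
    "./data/certbot/etc/live/$CERTNAME/fullchain.pem" \
    > "/certificates/$CERTNAME.pem"
```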
@@ -0,0 +1,69 @@
+global
+ maxconn 4096
+ user root
+ group root
+ daemon
+
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-sslv3 no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+defaults
+ log global
+ mode http
+ balance roundrobin
+ maxconn 1024
+
+# This breaks HTTP2
+# option abortonclose
+ option httpclose
+ option forwardfor
+
+ retries 3
+ option redispatch
+
+ timeout client 30s
+ timeout connect 30s
+ timeout server 30s
+
+ #option httpchk HEAD /haproxy?monitor HTTP/1.0
+ #timeout check 5s
+ #stats enable
+ #stats uri /haproxy?stats
+ #stats realm Haproxy\ Statistics
+ #stats auth admin:yourpasswordhere
+ #stats refresh 5s
+
+cache mapscache
+ total-max-size 1023 # MB
+ max-object-size 10000 # bytes
+ max-age 30 # seconds
+
+frontend http
+ bind :80
+ option http-server-close
+ redirect scheme https if !
{ path_beg -i /.well-known/acme-challenge }
+ default_backend certbot
+
+frontend https
+ bind :443 ssl crt /certificates alpn http/1.1
+
+ # CORS
+ http-response set-header Access-Control-Allow-Origin "*"
+ http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
+ http-response set-header Access-Control-Max-Age 3628800
+ http-response set-header Access-Control-Allow-Methods "GET"
+
+ use_backend osmtile
+
+backend certbot
+ server c1 certbot:80
+
+backend osmtile
+ # Get from cache / put in cache
+ http-request cache-use mapscache
+ http-response cache-store mapscache
+
+ # server list
+ server o1 osmtile:80 check
+
diff --git a/tileserver/Dockerfile b/tileserver/Dockerfile
new file mode 100644
index 0000000..3ea57f3
--- /dev/null
+++ b/tileserver/Dockerfile
@@ -0,0 +1,13 @@
+FROM overv/openstreetmap-tile-server:1.7.4
+EXPOSE 80
+# Remove all original style files
+RUN rm -rf /home/renderer/src/openstreetmap-carto/style/*.mss
+RUN rm -fr /home/renderer/src/openstreetmap-carto/project.mml
+# Add custom style files
+ADD carto-style /home/renderer/src/openstreetmap-carto
+# Recompile the stylesheet
+RUN cd /home/renderer/src/openstreetmap-carto \
+ && carto project.mml > mapnik.xml \
+ && scripts/get-external-data.py
+
+##TODO ADD map-data/
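Review bot: The `global` section keeps HAProxy running as `user root` / `group root`, so the process that terminates TLS and parses untrusted HTTP from the internet never drops privilege even though `daemon` is set; binding :80/:443 happens before the switch, so `user haproxy` and `group haproxy` work if the image ships that account (the upstream haproxy image does — confirm for the image used here). The TLS floor is only `no-sslv3`, which leaves TLS 1.0 and 1.1 enabled, and the cipher string explicitly lists `AES:CAMELLIA:DES-CBC3-SHA`, so 3DES stays offered (`!DES` excludes single DES, not 3DES); on HAProxy 1.8+ `ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets` together with removing the trailing `:AES:CAMELLIA:DES-CBC3-SHA` from `ssl-default-bind-ciphers` closes both. `Access-Control-Allow-Origin "*"` on every https response is the usual choice for a public tile endpoint, but note it is applied to everything `osmtile:80` serves, not only tiles. This hunk begins on the preceding line.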
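Review bot: `ADD carto-style /home/renderer/src/openstreetmap-carto` should be `COPY carto-style /home/renderer/src/openstreetmap-carto`: ADD transparently unpacks any tar archive it finds inside `carto-style`, and a plain copy of the style directory is all that is wanted here (hadolint DL3020). The two `RUN rm` layers and the `RUN cd … && …` chain can be folded into one `WORKDIR` plus one `RUN`, keeping in mind that `WORKDIR` persists into the runtime image, so keep the `cd` form if the base entrypoint depends on the working directory. `scripts/get-external-data.py` appears to fetch data from the network during the build; if so, check that it pins versions or checksums, otherwise the image content depends on whatever the remote serves at build time. No `USER` is set, so the container runs with whatever identity the base image leaves active, which is not visible from this Dockerfile.

```dockerfile
FROM overv/openstreetmap-tile-server:1.7.4
EXPOSE 80
WORKDIR /home/renderer/src/openstreetmap-carto
# Remove all original style files
RUN rm -rf style/*.mss project.mml
# Add custom style files (COPY, not ADD: no implicit tar extraction)
COPY carto-style ./
# Recompile the stylesheet
RUN carto project.mml > mapnik.xml \
    && scripts/get-external-data.py
# … unchanged: trailing TODO comment …
```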