sysadmin/openfreemap
1
0
Fork 0
mirror of https://github.com/hyperknot/openfreemap.git synced 2026-05-21 14:02:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

certbot

Browse Source
This commit is contained in:
Zsolt Ero
2024-02-24 20:44:06 +01:00
parent 4e29f51b13
commit 08fbfa01a8
3 changed files with 18 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@@ -114,12 +114,6 @@ There are three public buckets:
- https://planet.openfreemap.com - full planet runs. index: [dirs](https://planet.openfreemap.com/dirs.txt), [files](https://planet.openfreemap.com/index.txt) - https://planet.openfreemap.com - full planet runs. index: [dirs](https://planet.openfreemap.com/dirs.txt), [files](https://planet.openfreemap.com/index.txt)
- https://monaco.openfreemap.com - identical runs to the full planet, but only for Monaco area. Very tiny, ideal for development. index: [dirs](https://monaco.openfreemap.com/dirs.txt), [files](https://monaco.openfreemap.com/index.txt) - https://monaco.openfreemap.com - identical runs to the full planet, but only for Monaco area. Very tiny, ideal for development. index: [dirs](https://monaco.openfreemap.com/dirs.txt), [files](https://monaco.openfreemap.com/index.txt)
### HTTPS certs
The current HTTPS system is made to use long term Cloudflare origin certificates. The same certificates are uploaded to all the servers. This is only possible because CF certs are valid for 15 years.
Once Load Balancing on CF is working, next step will be to integrate Let's Encrypt. If you know how to do this, please comment in the Discussions.
### Domains and Cloudflare ### Domains and Cloudflare
The project has two domains: .org and .com. Currently, both are on Cloudflare. The project has two domains: .org and .com. Currently, both are on Cloudflare.
@@ -143,7 +137,7 @@ Contributors welcome!
Smaller tasks: Smaller tasks:
- Add tilemaker, so we see the difference between planetiler and tilemaker and they can both validate their output based on this comparison. - Add tilemaker, so we see the difference between planetiler and tilemaker and they can both validate their output based on this comparison.
- Figure out how to use Let's Encrypt on multiple servers with Round Robin DNS. - Round Robin load balancer
- Cloudflare worker for indexing the public buckets, instead of generating index.txt files. - Cloudflare worker for indexing the public buckets, instead of generating index.txt files.
- Some of the POI icons are missing in the styles. - Some of the POI icons are missing in the styles.
@@ -163,7 +157,7 @@ See [dev setup docs](docs/dev_setup.md).
## Changelog ## Changelog
v0.1 - everything works. 1 server for tile gen, 1 server for HTTP host. <- we are here! v0.1 - everything works. 1 server for tile gen, 2 servers for HTTP host. <- we are here!
## Attribution ## Attribution

43
docs/self_hosting.md
View File

@@ -14,27 +14,19 @@ note: Tile generation is 100% optional, as we are providing the processed full p
##### Disk space ##### Disk space
**http-host**: 300 GB for hosting a single run **http-host**: 300 GB for hosting a single run
**tile-gen**: 500 GB for **tile-gen**: 500 GB for
##### RAM ##### RAM
**http-host**: 4 GB **http-host**: 4 GB
**tile-gen**: 64 GB+ RAM. **tile-gen**: 64 GB+ RAM.
##### OS ##### OS
**Ubuntu 22+** **Ubuntu 22+**
### Limitations
There are two limitations in the current beta version:
- You have to set up Let's Encrypt manually or supply your certs.
- The domain is hard-coded to `tiles.openfreemap.org` - you have to edit this.
--- ---
@@ -52,19 +44,15 @@ It's recommended to use [direnv](https://direnv.net/), to have automatic venv ac
#### 1. Prepare `config` folder #### 1. Prepare `config` folder
1. If you are not using SSH keys, copy `.env.sample` to `.env` and set the password. 1. Copy `.env.sample` to `.env` and set the values.
1. `certs` - The contents of this folder gets uploaded to `/data/nginx/certs`.
DOMAIN_LE - Use this to specify a domain to be used with Let's Encrypt. Recommended.
DOMAIN_CF - Use this if you want to use long term CloudFlare Origin certificates. You have to upload the certs into `config/certs`
1. If you want to run tile generation and upload via rclone, you can copy the `rclone.conf.sample` file as well. For simple self-hosting there is no need for this. 1. If you want to run tile generation and upload via rclone, you can copy the `rclone.conf.sample` file as well. For simple self-hosting there is no need for this.
#### 2. Certs and domains #### 2. Deploy a http-host
Currently the domain is hard coded to `tiles.openfreemap.org`. Please search & replace this.
The script is made with long expiry CloudFlare origin certificates in mind, which are placed in the `config/certs` folder. For self-hosting you may want to use Let's Encrypt or similar automated tool.
If you know how to make Let's Encrypt work with Round Robin DNS, please comment in the Discussions.
#### 3. Deploy a http-host
You run the deploy script locally. It'll connect to an SSH server, like this You run the deploy script locally. It'll connect to an SSH server, like this
@@ -72,14 +60,9 @@ You run the deploy script locally. It'll connect to an SSH server, like this
After this, go for a walk and by the time you come back it should be up and running with the latest planet tiles deployed. Don't worry about the "Download aborted" lines in the meanwhile, it's a bug in CloudFlare. After this, go for a walk and by the time you come back it should be up and running with the latest planet tiles deployed. Don't worry about the "Download aborted" lines in the meanwhile, it's a bug in CloudFlare.
#### 4. Deploy tile-gen server (optional) #### 3. Deploy tile-gen server (optional)
If you have a really beefy machine (see above) and you want to generate tiles yourself, you can run `./init-server.py tile-gen HOSTNAME`. If you have a really beefy machine (see above) and you want to generate tiles yourself, you can run `./init-server.py tile-gen HOSTNAME`.
Trigger a run manually, by running `planetiler_{area}.sh`. Recommended to use tmux or similar, as it can take days. Trigger a run manually, by running `planetiler_{area}.sh`. Recommended to use tmux or similar, as it can take days.
### HTTPS certs
The current HTTPS system is made to use long term Cloudflare origin certificates. The same certificates are uploaded to all the servers. This is only possible because CF certs are valid for 15 years.
Once Load Balancing on CF is working, next step will be to integrate Let's Encrypt. If you know how to do this, please comment in the Discussions.

3
ssh_lib/tasks.py
View File

@@ -193,11 +193,14 @@ def setup_le_dns_manager(c):
permissions=400, permissions=400,
) )
# TODO change to /data/ofm/config, owner root
sudo_cmd( sudo_cmd(
c, c,
'certbot certonly ' 'certbot certonly '
'--dns-cloudflare ' '--dns-cloudflare '
'--dns-cloudflare-credentials /root/.secrets/ofm_le_dns_cloudflare.ini ' '--dns-cloudflare-credentials /root/.secrets/ofm_le_dns_cloudflare.ini '
'--dns-cloudflare-propagation-seconds 60 '
'--staging ' '--staging '
f'--noninteractive -m {le_email} ' f'--noninteractive -m {le_email} '
f'--agree-tos ' f'--agree-tos '