forked from usegalaxy-eu/infrastructure-playbook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgalaxy.yml
171 lines (160 loc) · 7.65 KB
/
galaxy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
---
- name: UseGalaxy.eu
hosts: galaxy
become: true
become_user: root
vars:
# The full internal name.
hostname: sn04.bi.uni-freiburg.de
# This server has multiple CNAMEs that are important. Additionally it
# provides proxying for many of the other services run by Galaxy Europe.
# These server_names are passed to certbot. They generally should not need
# to be updated unless you add a new domain. They *only* work with the
# route53 provider, so if we want to do usegalaxy.xy, it may require
# refactoring / multiple certbot runs.
#
#
# The best way to expand them is to run the playbook, it will leave a message with the command it would have run (look for `skipped, since /etc/letsencrypt/renewal/usegalaxy.eu.conf exists`)
#
# Then take this command to the command line (root@sn04) and run it with `--expand`. E.g. (DO NOT COPY PASTE (in case the config changes))
#
# $ /opt/certbot/bin/certbot certonly --non-interactive --dns-route53 \
# -m security@usegalaxy.eu --agree-tos -d 'usegalaxy.eu,*.usegalaxy.eu,galaxyproject.eu,*.galaxyproject.eu,*.interactivetoolentrypoint.interactivetool.usegalaxy.eu,*.interactivetoolentrypoint.interactivetool.live.usegalaxy.eu,*.interactivetoolentrypoint.interactivetool.test.usegalaxy.eu' --expand
# Saving debug log to /var/log/letsencrypt/letsencrypt.log
# Credentials found in config file: ~/.aws/config
# ....
# IMPORTANT NOTES:
# - Congratulations! Your certificate and chain have been saved at:
#
# And you're done expanding the certs.
#
# The nginx user needed into the galaxyproject.nginx role
nginx_conf_user: galaxy
server_names:
- 'usegalaxy.eu'
- '*.usegalaxy.eu'
- 'galaxyproject.eu'
- '*.galaxyproject.eu'
- '*.interactivetoolentrypoint.interactivetool.usegalaxy.eu'
- '*.interactivetoolentrypoint.interactivetool.live.usegalaxy.eu'
- '*.interactivetoolentrypoint.interactivetool.test.usegalaxy.eu'
vars_files:
- group_vars/tiaas.yml # All of the training infrastructure
- group_vars/custom-sites.yml # Subdomains are listed here
- group_vars/gxconfig.yml # The base galaxy configuration
- group_vars/toolbox.yml # User controlled toolbox
- secret_group_vars/aws.yml # AWS creds
- secret_group_vars/pulsar.yml # Pulsar + MQ Connections
- secret_group_vars/elixir_aai.yml # Elixir AAI private key
- secret_group_vars/db-main.yml # DB URL + some postgres stuff
- secret_group_vars/all.yml # All of the other assorted secrets...
handlers:
- name: Restart Galaxy
shell: |
echo 'Manual zergling restart required' && cd /opt/galaxy/ && source /opt/galaxy/.bashrc && sudo -u galaxy /usr/bin/galaxy-sync-to-nfs && systemctl restart galaxy-handler@* && systemctl restart galaxy-workflow-scheduler@*
pre_tasks:
- name: Install Dependencies
package:
name: ['git', 'python-psycopg2', 'python-virtualenv', 'bc']
become: yes
roles:
# Normally we set hostname here, but we get an error so it is commented out:
# err=Could not get property: Failed to activate service 'org.freedesktop.hostname1': timed out
#- hostname
- usegalaxy-eu.dynmotd
## Dependencies
- geerlingguy.repo-epel # Install EPEL
# We want to exclude a couple of packages as we will fetch those
# dependencies from other repos: condor, node/npm
- hxr.exclude-repo
- linuxhq.yum_cron # keep all of our packages up to date
- hxr.admin-tools # Some extra admin tools (*top, vim, etc)
- influxdata.chrony # Keep our time in sync.
## Filesystems
- hxr.autofs # Setup the mount points which will be needed later
- galaxyproject.cvmfs # Galaxy datasets
## Monitoring
- hxr.monitor-cluster
- hxr.monitor-email
- hxr.monitor-uwsgi
- hxr.monitor-galaxy-journalctl
- usegalaxy-eu.monitor-disk-access-time
# Setup Galaxy user
- role: galaxyproject.galaxy
vars:
galaxy_create_user: yes
galaxy_manage_clone: no
galaxy_manage_paths: yes
galaxy_manage_static_setup: no
galaxy_manage_mutable_setup: no
galaxy_manage_database: no
galaxy_fetch_dependencies: no
galaxy_build_client: no
# The bashrc needs to be created for several later features.
- role: usegalaxy-eu.bashrc
become_user: galaxy
## Setup docker
- geerlingguy.docker
# HTCondor Cluster setup
- htcondor
# Misc.
- role: hxr.galaxy-cron
become: yes
become_user: galaxy
- role: hxr.galaxy-nonreproducible-tools
become: yes
become_user: galaxy
- hxr.galaxy-misc
- usegalaxy-eu.dynmotd # nicer MOTD/welcome message
- usegalaxy-eu.rsync-to-nfs # sync codebase to NFS
- usegalaxy-eu.webhooks # Clone webhook repository
- usegalaxy-eu.tours # Clone tour repository
## SSL / Security
- ssh-host-sign # Sign the server host key to prevent TOFU for SSH
- hxr.aws-cli # Setup the AWS client that will be needed for route53 authentication of certbot. MUST come before nginx role
## GALAXY
- role: hxr.postgres-connection
become_user: galaxy
- usegalaxy-eu.gxadmin
# TODO move under monitoring + telegraf.
- usegalaxy-eu.galaxy-slurp
# TODO(hxr): nginx role doesn't create nginx_proxy_cache_path
- galaxyproject.nginx
- usegalaxy_eu.tiaas2
- usegalaxy-eu.gapars-galaxy
# The REAL galaxy role
- role: galaxyproject.galaxy
vars:
galaxy_create_user: yes
galaxy_manage_clone: yes
galaxy_manage_static_setup: yes
galaxy_manage_mutable_setup: yes
galaxy_manage_database: yes
galaxy_fetch_dependencies: yes
galaxy_build_client: yes
# Extras!
- hxr.install-to-venv # Some extra packages our site needs.
- usegalaxy-eu.galaxy-systemd # Manage the Galaxy processes with SystemD
- usegalaxy-eu.gie-node-proxy # Setup the NodeJS proxy (depends on NodeJS being already available)
- usegalaxy-eu.gie-deployer # Deploy the GIE configuration
- usegalaxy-eu.subdomain-themes # Custom subdomain themes
- usegalaxy-eu.limits # Prevent out of control processes
- usegalaxy-eu.grt-export # Export data for GRT
- usegalaxy-eu.galaxy-cleanup # Cleanup purged datasets/histories/etc >60 days old
- usegalaxy-eu.error-pages # Copy the NGINX error pages
- usegalaxy-eu.fs-maintenance # Filesystems maintenance
# Various ugly fixes
- usegalaxy-eu.fix-unscheduled-jobs # Workaround for ???
- usegalaxy-eu.fix-oidc # Workaround for https://github.com/galaxyproject/galaxy/issues/8244
- usegalaxy-eu.fix-unscheduled-workflows # Workaround for https://github.com/galaxyproject/galaxy/issues/8209
- usegalaxy-eu.fix-failing-to-fail-jobs # Workaround for https://github.com/galaxyproject/galaxy/issues/8171, maybe can be removed in 19.09?
- usegalaxy-eu.fix-stuck-handlers # Restart handlers to prevent several classes of issues
- usegalaxy-eu.log-cleaner # do not retain logs, they are unnecessary/risky under GDPR
- usegalaxy-eu.fix-ancient-ftp-data # Remove FTP data older than 3 months
- usegalaxy-eu.galaxy-procstat # Some custom telegraf monitoring that's templated
- usegalaxy-eu.fix-user-quotas # Automatically recalculate user quotas on a regular basis
- usegalaxy-eu.fix-missing-api-keys # Workaround for IE users not have a key set.
# Some of our 'cleanups' also generate telegraf format so this goes at end.
- dj-wasabi.telegraf
#- dev-sec.os-hardening
#- dev-sec.ssh-hardening