From c4159cf8d2940157b646d129993f76aebce5de72 Mon Sep 17 00:00:00 2001 From: pwalczysko Date: Wed, 13 Nov 2024 18:59:58 +0000 Subject: [PATCH] add playbook --- ome-demoserver.yml | 456 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 456 insertions(+) create mode 100644 ome-demoserver.yml diff --git a/ome-demoserver.yml b/ome-demoserver.yml new file mode 100644 index 00000000..6b727b3f --- /dev/null +++ b/ome-demoserver.yml @@ -0,0 +1,456 @@ +# Install OMERO.server, OMERO.web and prepare the OME (UoD/SLS) prerequisites + +# To allow the OMERO.web plugins to upgrade +# also pass `--extra-vars upgrade_webapps=True` + +- name: Demo server playbook + hosts: ome-demoservers + pre_tasks: + - name: Install open-vm-tools if system is a VMware vm + become: true + ansible.builtin.dnf: + name: open-vm-tools + state: installed + when: > + ((ansible_virtualization_type is defined) + and (ansible_virtualization_type == "VMware")) + + # # Perhaps alter the role at + # # https://github.com/openmicroscopy/ansible-role-lvm-partition/ + # # to make some of the variables non-required. + # - name: Resize root FS without altering mount options + # tags: lvm + # become: true + # lvol: + # lv: root + # vg: VolGroup00 + # size: "{{ provision_root_lvsize }}" + # shrink: false + + # - name: Install Make Movie script Prerequisite | MEncoder - Repo + # become: true + # ansible.builtin.yum: + # name: "http://li.nux.ro/download/nux/dextop/el7\ + # /x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm" + # state: present + + # - name: Install Make Movie script Prerequisite | MEncoder - Package + # become: true + # ansible.builtin.yum: + # name: mencoder + # state: present + + # - name: Server-side script prerequisites + # become: true + # ansible.builtin.yum: + # name: "{{ item }}" + # state: present + # with_items: + # - mencoder # For the 'make movie' script + + roles: + # Now OME are using RHEL without Spacewalk, the current best-method of + # checking `is server deployed in Dundee/SLS` is + # checking for the SLS nameservers. + # - role: ome.system_monitor_agent + # tags: monitoring + # when: "'10.1.255.216' in ansible_dns.nameservers" + + # Disk Layout - PostgreSQL | data dir on separate VG (SSD) + # - role: ome.lvm_partition + # tags: lvm + # lvm_lvname: pgdata + # lvm_vgname: "{{ provision_postgres_vgname }}" + # lvm_lvmount: /var/lib/pgsql + # lvm_lvsize: "{{ provision_postgres_lvsize }}" + # lvm_lvfilesystem: "{{ filesystem }}" + # lvm_shrink: false + + # # Disk Layout - OMERO | VG and LV (separate disk) for Binary Repository + # - role: ome.lvm_partition + # tags: lvm + # lvm_lvname: datadir + # lvm_vgname: "{{ provision_omero_server_datadir_vgname }}" + # lvm_lvmount: "{{ omero_server_datadir }}" + # lvm_lvsize: "{{ provision_omero_server_datadir_lvsize }}" + # lvm_lvfilesystem: "{{ filesystem }}" + # lvm_shrink: false + + # # Disk Layout - OMERO.server | LV for dist & logs + # - role: ome.lvm_partition + # tags: lvm + # lvm_lvname: omero_server_basedir + # lvm_vgname: VolGroup00 + # lvm_lvmount: "{{ omero_server_basedir }}" + # lvm_lvsize: "{{ provision_omero_server_basedir_lvsize }}" + # lvm_lvfilesystem: "{{ filesystem }}" + # lvm_shrink: false + + # # Disk Layout - OMERO.web | LV for dist & logs + # - role: ome.lvm_partition + # tags: lvm + # lvm_lvname: omero_web_basedir + # lvm_vgname: VolGroup00 + # lvm_lvmount: "{{ omero_web_basedir }}" + # lvm_lvsize: "{{ provision_omero_web_basedir_lvsize }}" + # lvm_lvfilesystem: "{{ filesystem }}" + # lvm_shrink: false + + # nginx_version: 1.16.1 + + - role: ome.postgresql + # no_log: true + postgresql_databases: + - name: omero + owner: demo + postgresql_users: + - user: "{{ omero_server_dbuser | default('omero') }}" + password: "{{ omero_server_dbpassword | default('omero') }}" + databases: [] + + - role: ome.omero_server + # Defaults overridden in private configuration + # omero_server_dbuser: + # omero_server_dbpassword: + # omero_server_rootpassword: + omero_server_dbname: omero + omero_server_systemd_limit_nofile: 16384 + + - role: ome.nginx + + - role: ome.omero_web + # Defaults overridden in private configuration + omero_web_systemd_limit_nofile: 16384 + omero_web_python_addons: + - "omero-figure=={{ omero_figure_release }}" + - "omero-fpbioimage=={{ omero_fpbioimage_release }}" + - "omero-autotag=={{ omero_autotag_release }}" + - "omero-tagsearch==\ + {{ omero_tagsearch_release }}" + - "omero-iviewer=={{ omero_iviewer_release }}" + - "omero-parade=={{ omero_parade_release }}" + - "omero-signup=={{ omero_signup_release }}" + - "omero-py>={{ omero_py_release }}" + + - role: ome.omero_user + no_log: true + omero_user_system: omero-server + omero_user_admin_user: root + omero_user_admin_pass: "{{ omero_server_rootpassword }}" + omero_group_create: + - name: public + type: read-only + - name: "My Data" + type: private + omero_user_create: + - login: "{{ secret_omero_web_public_user | default('public') }}" + firstname: Public + lastname: User + password: >- + {{ secret_omero_web_public_password | default('public') }} + groups: "--group-name public" + + - role: ome.ssl_certificate + tags: ssl + + - role: ome.postgresql_backup + postgresql_backup_compress: true + postgresql_backup_dir: /OMERO/pgbackup + postgresql_backup_filename_format: "nightly-omero-%a.pgdump.gz" + + handlers: + - name: Reload web server + listen: ssl certificate changed + become: true + ansible.builtin.service: + name: nginx + state: reloaded + + post_tasks: + + - name: Allow nginx to connect to omero-web + become: yes + command: setsebool -P httpd_can_network_connect on + + - name: NGINX - Performance tuning - worker processes + become: true + ansible.builtin.replace: + path: "/etc/nginx/nginx.conf" + regexp: '^worker_processes\s+\d+;' + replace: >- + worker_processes {{ ((ansible_processor_count * + ansible_processor_cores) / 2) | round | int }}; + + # cf https://www.digitalocean.com/community/tutorials/ + # how-to-optimize-nginx-configuration + - name: NGINX - Performance tuning - worker connections + become: true + ansible.builtin.replace: + path: "/etc/nginx/nginx.conf" + regexp: 'worker_connections\s+\d+;' + replace: "worker_connections 65000;" + + - name: NGINX - create nested includes directory + become: true + ansible.builtin.file: + path: /etc/nginx/conf.d-nested-includes + state: directory + mode: 0755 + + - name: NGINX - SSL Configuration + become: true + template: + src: templates/nginx-confdnestedincludes-ssl-conf.j2 + dest: /etc/nginx/conf.d-nested-includes/ssl.conf + mode: 0644 + notify: + - restart nginx + + - name: NGINX - OMERO websockets + become: true + template: + src: templates/nginx-confdnestedincludes-omerows-conf.j2 + dest: /etc/nginx/conf.d-nested-includes/omerows.conf + mode: 0644 + notify: + - restart nginx + + - name: NGINX - websocket proxy support + become: true + template: + src: templates/nginx-confd-websockets-conf.j2 + dest: /etc/nginx/conf.d/websockets.conf + mode: 0644 + notify: + - restart nginx + + - name: Config for OMERO.web plugins + become: true + template: + src: templates/omero-web-config-for-webapps.j2 + dest: >- + {{ omero_web_basedir }}/config/omero-web-config-for-webapps.omero + owner: "root" + group: "root" + mode: "u=rw,go=r" + notify: + - restart omero-web + + - name: OMERO.web config for CORS + become: true + template: + src: templates/omero-web-config-for-cors.j2 + dest: "{{ omero_web_basedir }}/config/omero-web-config-for-cors.omero" + owner: "root" + group: "root" + mode: "u=rw,go=r" + notify: + - restart omero-web + + - name: OMERO.web config for signup app + become: true + template: + src: templates/omero-web-config-signup.j2 + dest: "{{ omero_web_basedir }}/config/omero-web-config-signup.omero" + # Contains sensitive info + owner: "root" + group: "omero-web" + mode: "0640" + notify: + - restart omero-web + no_log: true + + # - name: Check_MK postgres plugin | check for plugin existence + # tags: monitoring + # ansible.builtin.stat: + # path: "{{ check_mk_agent_plugin_path }}/mk_postgres" + # register: check_mk_postgres_plugin_st + + # - name: Check_MK postgres plugin | activate the plugin + # tags: monitoring + # become: true + # command: > + # cp "{{ check_mk_agent_plugin_path }}/mk_postgres" + # /usr/share/check-mk-agent/plugins/ + # creates=/usr/share/check-mk-agent/plugins/mk_postgres + # when: check_mk_postgres_plugin_st.stat.exists + + # - name: Check_MK logwatch plugin | check for plugin existence + # tags: monitoring + # ansible.builtin.stat: + # path: "{{ check_mk_agent_plugin_path }}/mk_logwatch" + # register: check_mk_logwatch_plugin_st + + # - name: Check_MK logwatch plugin | activate the plugin + # tags: monitoring + # become: true + # command: > + # cp "{{ check_mk_agent_plugin_path }}/mk_logwatch" + # /usr/share/check-mk-agent/plugins/ + # creates=/usr/share/check-mk-agent/plugins/mk_logwatch + # when: check_mk_logwatch_plugin_st.stat.exists + + # - name: Check_MK logwatch plugin | check for default config file + # tags: monitoring + # ansible.builtin.stat: + # path: "{{ check_mk_agent_config_example_path }}/logwatch.cfg" + # register: check_mk_logwatch_plugin_conf_st + + # - name: Check_MK logwatch plugin | copy the default config + # tags: monitoring + # become: true + # command: > + # cp "{{ check_mk_agent_config_example_path }}/logwatch.cfg" + # "{{ check_mk_agent_config_path }}/logwatch.cfg" + # creates="{{ check_mk_agent_config_path }}/logwatch.cfg" + # when: check_mk_logwatch_plugin_conf_st.stat.exists + + - name: PostgreSQL Nightly Backups | Remove old cron job + become: true + ansible.builtin.file: + path: /etc/cron.daily/nightly-pg_dump-omero.sh + state: absent + + - name: Create a figure scripts directory + become: true + ansible.builtin.file: + path: "{{ omero_server_basedir }}/OMERO.server/lib/\ + scripts/omero/figure_scripts" + state: directory + mode: 0755 + recurse: true + owner: root + + - name: Download the Figure_To_Pdf.py script + become: true + ansible.builtin.get_url: + url: "https://raw.githubusercontent.com/ome/omero-figure/\ + {{ omero_figure_script_release }}/omero_figure/scripts/omero/\ + figure_scripts/Figure_To_Pdf.py" + dest: "{{ omero_server_basedir }}/OMERO.server/lib/\ + scripts/omero/figure_scripts/Figure_To_Pdf.py" + mode: 0755 + owner: "omero-server" + group: "omero-server" + force: true + + vars: + omero_figure_release: >- + {{ omero_figure_release_override | default('6.2.2') }} + omero_figure_script_release: >- + {{ omero_figure_script_release_override | default('v6.2.2') }} + omero_fpbioimage_release: >- + {{ omero_fpbioimage_release_override | default('0.4.1') }} + omero_iviewer_release: >- + {{ omero_iviewer_release_override | default('0.14.0') }} + omero_parade_release: >- + {{ omero_parade_release_override | default('0.2.4') }} + omero_autotag_release: >- + {{ omero_autotag_release_override | default('4.0.1') }} + omero_tagsearch_release: >- + {{ omero_tagsearch_release_override | default('4.1.1') }} + omero_signup_release: >- + {{ omero_signup_release_override | default('0.3.3') }} + + omero_server_release: >- + {{ omero_server_release_override | default('5.6.11') }} + omero_web_release: "{{ omero_web_release_override | default('5.26.0') }}" + omero_py_release: "{{ omero_py_release_override | default('5.19.2') }}" + # For https://github.com/openmicroscopy/ansible-role-java, + # which is a dependency. + java_jdk_install: true + + # Check_MK (system monitoring) paths + check_mk_agent_plugin_path: /usr/share/check-mk-agent/available-plugins + check_mk_agent_config_example_path: /usr/share/check_mk/agents/cfg_examples + check_mk_agent_config_path: /etc/check-mk-agent + + # Pip versions + omero_cli_duplicate_release: >- + {{ omero_cli_duplicate_release_override | default('0.4.0') }} + omero_cli_render_release: >- + {{ omero_cli_render_release_override | default('0.8.0') }} + omero_metadata_release: >- + {{ omero_cli_metadata_release_override | default('0.10.0') }} + + # Signup + omero_signup_email_body: >- + 'Thank you for creating an account on demo.openmicroscopy.org server.\n + Your login details are \n\n + username: {username}\n + password: {password}\n\n + Use these login details as follows\n + 1. In your browser, go to demo.openmicroscopy.org and log in.\n + 2. Download the OMERO.insight [1] desktop application to import\n + your first data into OMERO.\n + 3. Once OMERO.insight is started, following the steps in the\n omero-guide [1], change the server address to\n + demo.openmicroscopy.org\n + and connect using the login details as above to import your data.\n + 4. Use the walkthrough example [1] to get further ideas about how + to start using OMERO.\n + OME Team\n\n + [1] In your browser, go to omero-guides.readthedocs.io/en/latest + and click on OMERO walkthrough example under Getting started.' + + postgresql_version: "16" + filesystem: "xfs" + + omero_server_config_set: + omero.certificates.owner: "/C=UK/ST=Scotland/L=Dundee/O=OME" + omero.client.icetransports: ssl,wss,tcp + omero.db.poolsize: 60 + omero.glacier2.IceSSL.Ciphers: "ADH:HIGH" + omero.glacier2.IceSSL.DefaultDir: "{{ omero_server_basedir }}/selfsigned" + omero.glacier2.IceSSL.CAs: server.pem + omero.glacier2.IceSSL.CertFile: server.p12 + # This password doesn't need to be secret + omero.glacier2.IceSSL.Password: secret + omero.jvmcfg.percent.blitz: 50 + omero.jvmcfg.percent.indexer: 20 + omero.jvmcfg.percent.pixeldata: 20 + omero.jvmcfg.system_memory: 30000 + omero.mail.config: true + omero.mail.from: "{{ omero_server_mail_from }}" + omero.mail.host: "{{ omero_server_mail_host }}" + omero.new_user_group: "My Data" + omero.server.nodedescriptors: >- + master:Blitz-0,Indexer-0,Processor-0,Storm,Tables-0 + omero.search.batch: 100 + omero.throttling.method_time.error: 60000 + + omero_server_python_addons: + - "omero-cli-duplicate=={{ omero_cli_duplicate_release }}" + - "omero-cli-render=={{ omero_cli_render_release }}" + - "omero-metadata=={{ omero_metadata_release }}" + - "omero-demo-cleanup==0.2.1" + # For OMERO.figure script + - "reportlab<3.6" + - markdown + - "omero-py>={{ omero_py_release }}" + + omero_server_selfsigned_certificates: true + + omero_web_config_set: + omero.mail.config: true + omero.mail.from: "{{ omero_server_mail_from }}" + omero.mail.host: "{{ omero_server_mail_host }}" + # https://www.openmicroscopy.org/site/support + # /omero5.3/sysadmins/public.html + omero.web.public.user: >- + {{ secret_omero_web_public_user | default('public') }} + omero.web.public.password: >- + {{ secret_omero_web_public_password | default('public') }} + omero.web.public.enabled: true + omero.web.public.server_id: 1 + omero.web.public.url_filter: "^/(webgateway/(?!(archived_files|down\ + load_as))|webclient/annotation/([0-9]+)/)" + omero.web.server_list: [["localhost", 4064, "omero"]] + # Advice is (2*cores + 1) from OME docs. + omero.web.wsgi_workers: >- + {{ (2 * (ansible_processor_count * + ansible_processor_cores)) + 1 }} + # omero.web.admins: "{{ omero_web_admins }}" + # https://pypi.org/project/omero-iviewer/ - set iviewer to default viewer + omero.web.viewer.view: omero_iviewer.views.index + omero.web.nginx_server_extra_config: + - 'include /etc/nginx/conf.d-nested-includes/*.conf;'