From 19c0dfb6132e6a63f74e9720f5e21c35d9fb566f Mon Sep 17 00:00:00 2001
From: pwalczysko
Date: Fri, 13 Dec 2024 15:31:42 +0000
Subject: [PATCH 1/5] Adjust protocols and ciphers as per workshop&outreach
---
 playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2 b/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2
index cc323a39..940af0e2 100644
--- a/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2
+++ b/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2
@@ -10,6 +10,10 @@ ssl_certificate_key {{ ssl_certificate_key_path }};
 # http://nginx.org/en/docs/http/configuring_https_servers.html
 ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+
 # HTTP Strict Transport Security (HSTS)
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
From f806daf26d06ed5e97a74dc93ea1ee7d3d7b69fe Mon Sep 17 00:00:00 2001
From: pwalczysko
Date: Fri, 13 Dec 2024 15:36:30 +0000
Subject: [PATCH 2/5] Remove unused jinja files for sls-gallery and learning
---
 playbooks/files/learning-omero-web.conf | 52 ----------------------
 playbooks/files/sls-gallery-omero-web.conf | 48 --------------------
 2 files changed, 100 deletions(-)
 delete mode 100644 playbooks/files/learning-omero-web.conf
 delete mode 100644 playbooks/files/sls-gallery-omero-web.conf
diff --git a/playbooks/files/learning-omero-web.conf b/playbooks/files/learning-omero-web.conf
deleted file mode 100644
index 9bbf914e..00000000
--- a/playbooks/files/learning-omero-web.conf
+++ /dev/null
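Review bot: The DHE-RSA-* entries at the end of the new `ssl_ciphers` line are inert unless `ssl_dhparam` is set somewhere in this template (only lines 10–19 are in the hunk, so I cannot see whether it is): since nginx 1.11.0 no DH parameters are loaded by default and DHE suites are then never negotiated, so either add `ssl_dhparam /path/to/dhparam.pem;` (path is a placeholder) with a group of at least 2048 bits, or drop the three DHE entries so the list reflects what is actually offered. `ssl_ciphers` also does not select TLS 1.3 suites, which OpenSSL picks on its own, so a one-line comment above it would save the next reader a check, e.g. `# TLS 1.2 suites only (AEAD, forward-secret); TLS 1.3 suites are the OpenSSL defaults`, ideally naming the source of the list the commit message alludes to. The two trailing empty `+` lines look unintentional and leave a double blank before the HSTS block.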
@@ -1,52 +0,0 @@
-server {
- listen 80;
- server_name learning.openmicroscopy.org;
- return 301 https://$server_name$request_uri;
-}
-
-server {
- listen 443 ssl;
- server_name learning.openmicroscopy.org;
-
- ssl_certificate /etc/pki/tls/certs/star_openmicroscopy_org.crt+bundle;
- ssl_certificate_key /etc/pki/tls/private/star_openmicroscopy_org.key;
- ssl_protocols TLSv1.2;
-
- add_header Strict-Transport-Security "max-age=31536000" always;
-
- sendfile on;
- client_max_body_size 0;
-
- location / {
- rewrite ^/$ /dundee/ permanent;
- }
-
- location /schools {
- rewrite ^ /dundee/ permanent;
- }
-
- location /dundee {
- error_page 502 @maintenance;
- # checks for static file, if not found proxy to app
- try_files $uri @proxy_to_app;
- }
-
- location /dundee/static {
- alias /opt/omero/web/OMERO.web/var/static;
- }
-
- location @maintenance {
- root /opt/omero/server/OMERO.server/etc/templates/error;
- try_files $uri /maintainance.html =502;
- }
-
- location @proxy_to_app {
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_buffering off;
-
- proxy_pass http://127.0.0.1:4080;
- }
-}
diff --git a/playbooks/files/sls-gallery-omero-web.conf b/playbooks/files/sls-gallery-omero-web.conf
deleted file mode 100644
index e24ec719..00000000
--- a/playbooks/files/sls-gallery-omero-web.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-server {
- listen 80;
- server_name sls-repo.openmicroscopy.org;
- return 301 https://$server_name$request_uri;
-}
-
-server {
- listen 443 ssl;
- server_name sls-repo.openmicroscopy.org;
-
- ssl_certificate /etc/pki/tls/certs/star_openmicroscopy_org.crt+bundle;
- ssl_certificate_key /etc/pki/tls/private/star_openmicroscopy_org.key;
- ssl_protocols TLSv1.2;
-
- add_header Strict-Transport-Security "max-age=31536000" always;
-
- sendfile on;
- client_max_body_size 0;
-
- location / {
- rewrite ^/$ /ome-sls/ permanent;
- }
-
- location /ome-sls {
- error_page 502 @maintenance;
- # checks for static file, if not found proxy to app
- try_files $uri @proxy_to_app;
- }
-
- location /ome-sls/static {
- alias /opt/omero/web/OMERO.web/var/static;
- }
-
- location @maintenance {
- root /opt/omero/server/OMERO.server/etc/templates/error;
- try_files $uri /maintainance.html =502;
- }
-
- location @proxy_to_app {
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_buffering off;
-
- proxy_pass http://127.0.0.1:4080;
- }
-}
From 02723b461745dfa2b3510fc94bb40276e2867a5e Mon Sep 17 00:00:00 2001
From: pwalczysko
Date: Fri, 13 Dec 2024 15:39:15 +0000
Subject: [PATCH 3/5] Introduce nginx_version: 1.26.2 variable in demo playbook
---
 playbooks/ome-demoserver.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/playbooks/ome-demoserver.yml b/playbooks/ome-demoserver.yml
index 2548c499..386116fe 100644
--- a/playbooks/ome-demoserver.yml
+++ b/playbooks/ome-demoserver.yml
@@ -209,6 +209,7 @@
 force: true
 vars:
+nginx_version: 1.26.2
 omero_figure_release: >-
 {{ omero_figure_release_override | default('7.2.0') }}
 omero_figure_script_release: >-
From 9005c5f4316567eb42f97625c5129d1531a0e1d8 Mon Sep 17 00:00:00 2001
From: pwalczysko
Date: Mon, 16 Dec 2024 16:08:02 +0000
Subject: [PATCH 4/5] Bump web and server on demo
---
 playbooks/ome-demoserver.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbooks/ome-demoserver.yml b/playbooks/ome-demoserver.yml
index 386116fe..bcfc7d42 100644
--- a/playbooks/ome-demoserver.yml
+++ b/playbooks/ome-demoserver.yml
@@ -228,8 +228,8 @@
 {{ omero_signup_release_override | default('0.3.3') }}
 omero_server_release: >-
- {{ omero_server_release_override | default('5.6.13') }}
- omero_web_release: "{{ omero_web_release_override | default('5.27.2') }}"
+ {{ omero_server_release_override | default('5.6.14') }}
+ omero_web_release: "{{ omero_web_release_override | default('5.28.0') }}"
 omero_py_release: "{{ omero_py_release_override | default('5.19.5') }}"
 # For https://github.com/openmicroscopy/ansible-role-java,
 # which is a dependency.
From 57171f3d0680984c2e38b1a12b7fbba46750c9a9 Mon Sep 17 00:00:00 2001
From: pwalczysko
Date: Mon, 16 Dec 2024 16:34:54 +0000
Subject: [PATCH 5/5] Change the target owner of the figure_scripts dir to be omero-server
---
 playbooks/ome-demoserver.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/playbooks/ome-demoserver.yml b/playbooks/ome-demoserver.yml
index bcfc7d42..cdbc699a 100644
--- a/playbooks/ome-demoserver.yml
+++ b/playbooks/ome-demoserver.yml
@@ -193,7 +193,8 @@
 state: directory
 mode: 0755
 recurse: true
-owner: root
+owner: "omero-server"
+group: "omero-server"
 - name: Download the Figure_To_Pdf.py script
 become: true
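Review bot: Handing the directory to `owner: "omero-server"` together with the existing `mode: 0755` and `recurse: true` gives the service account write access to the directory and to every file already under it, so if these are scripts the server itself executes (the task's `path` is above the hunk, so I am inferring that from the commit title) a compromised server process could rewrite its own script files. If the server only needs to read and run them, `owner: root` with the new `group: "omero-server"` keeps the tree root-owned while still granting group read/execute, and the following download task (which already shows `become: true`) would write there as root. If write ownership by the service is genuinely required, a short comment on the `owner` line stating why, e.g. `# omero-server must own this dir because <reason>`, would stop the next reviewer from reverting it. The enclosing `file` task starts outside the hunk.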