galaxy-test.yml
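---
# Playbook for the Galaxy test server (host group `galaxy-test`).
# The whole play runs as root; individual roles drop to the `galaxy` user
# where noted.
- name: Test.UseGalaxy.eu
  hosts: galaxy-test
  become: true
  become_user: root
  vars:
    # The full internal name.
    hostname: test.internal.usegalaxy.eu
  # NOTE(review): the secret_group_vars/ files hold credentials and private
  # keys (see the per-file comments). Presumably they are encrypted with
  # ansible-vault; confirm that before committing changes to them.
  vars_files:
    - group_vars/tiaas-test.yml  # All of the training infrastructure
    - group_vars/custom-sites.yml  # Subdomains are listed here
    - group_vars/gxconfig-test.yml  # The base galaxy configuration
    - group_vars/toolbox.yml  # User controlled toolbox
    - group_vars/cron-test.yml  # Cron configuration for handlers restart
    - secret_group_vars/aws.yml  # AWS creds
    - secret_group_vars/pulsar.yml  # Pulsar + MQ Connections
    - secret_group_vars/elixir_aai.yml  # Elixir AAI private key
    - secret_group_vars/db-test.yml  # DB URL + some postgres stuff
    - secret_group_vars/all.yml  # All of the other assorted secrets...
  handlers:
    # Syncs the codebase to NFS as the galaxy user, then restarts every
    # handler and zergling unit instance.
    # NOTE(review): the echoed message says a manual zergling restart is
    # required, yet the same command restarts galaxy-zergling@*; confirm
    # which of the two is intended.
    - name: Restart Galaxy
      shell: |
        echo 'Manual zergling restart required' &&
        cd /opt/galaxy/ &&
        source /opt/galaxy/.bashrc &&
        sudo -u galaxy /usr/bin/galaxy-sync-to-nfs &&
        systemctl restart 'galaxy-handler@*' &&
        systemctl restart 'galaxy-zergling@*'
      # `source` is a bashism and the shell module defaults to /bin/sh, so
      # name the interpreter explicitly. The unit globs are quoted so that
      # systemctl, not the shell, expands them.
      args:
        executable: /bin/bash
  pre_tasks:
    - name: Install Dependencies
      package:
        name: ['git', 'python-psycopg2', 'python-virtualenv', 'bc', 'python36']
      become: true
    # SECURITY: SELinux is switched off for the duration of the play and is
    # only restored by the "Enable SELinux" post_task. post_tasks do not run
    # for a host that failed earlier in the play, so an aborted run leaves
    # the host configured with SELinux disabled until a later run succeeds.
    # NOTE(review): check whether `state: permissive` would be enough for
    # the roles below; it keeps denials logged and avoids a
    # disabled -> enforcing transition.
    - name: Disable SELinux
      selinux:
        state: disabled
      become: true
  post_tasks:
    # Restores the enforcing targeted policy disabled in pre_tasks.
    - name: Enable SELinux
      selinux:
        policy: targeted
        state: enforcing
      become: true
  roles:
    # Normally we set hostname here, but we get an error so it is commented out:
    # err=Could not get property: Failed to activate service 'org.freedesktop.hostname1': timed out
    # - hostname
    - usegalaxy-eu.dynmotd
    ## Dependencies
    - geerlingguy.repo-epel  # Install EPEL
    # We want to exclude a couple of packages as we will fetch those
    # dependencies from other repos: condor, node/npm
    - hxr.exclude-repo
    - linuxhq.yum_cron  # keep all of our packages up to date
    - hxr.admin-tools  # Some extra admin tools (*top, vim, etc)
    - influxdata.chrony  # Keep our time in sync.
    ## Filesystems
    - hxr.autofs  # Setup the mount points which will be needed later
    - galaxyproject.cvmfs  # Galaxy datasets
    ## Monitoring
    - hxr.monitor-cluster
    - hxr.monitor-email
    - hxr.monitor-uwsgi
    - hxr.monitor-galaxy-journalctl
    - dj-wasabi.telegraf
    ## remap user
    - hxr.remap-user
    # Setup Galaxy user
    # First pass of the galaxy role: only the user and paths are managed;
    # clone, static/mutable setup, database, dependencies and client build
    # are all switched off here and enabled in the second pass further down.
    - role: galaxyproject.galaxy
      vars:
        galaxy_create_user: true
        galaxy_manage_clone: false
        galaxy_manage_paths: true
        galaxy_manage_static_setup: false
        galaxy_manage_mutable_setup: false
        galaxy_manage_database: false
        galaxy_fetch_dependencies: false
        galaxy_build_client: false
    # The bashrc needs to be created for several later features.
    - role: usegalaxy-eu.bashrc
      become_user: galaxy
    ## Setup docker
    - geerlingguy.docker
    # HTCondor Cluster setup
    - htcondor
    # Misc.
    - role: hxr.galaxy-cron
      become: true
      become_user: galaxy
    - role: hxr.galaxy-nonreproducible-tools
      become: true
      become_user: galaxy
    - hxr.galaxy-misc
    # NOTE(review): usegalaxy-eu.dynmotd is already the first entry of this
    # roles list; this second entry looks redundant.
    - usegalaxy-eu.dynmotd  # nicer MOTD/welcome message
    - usegalaxy-eu.rsync-to-nfs  # sync codebase to NFS
    - usegalaxy-eu.webhooks  # Clone webhook repository
    - usegalaxy-eu.tours  # Clone tour repository
    ## SSL / Security
    - ssh-host-sign  # Sign the server host key to prevent TOFU for SSH
    ## GALAXY
    - role: hxr.postgres-connection
      become_user: galaxy
    - usegalaxy-eu.gxadmin
    # TODO move under monitoring + telegraf.
    - usegalaxy-eu.galaxy-slurp
    - usegalaxy-eu.google-verification
    - galaxyproject.nginx
    # The REAL galaxy role
    # Second pass: clone, static/mutable setup, database, dependencies and
    # client build are all enabled. galaxy_manage_paths is not set here.
    - role: galaxyproject.galaxy
      vars:
        galaxy_create_user: true
        galaxy_manage_clone: true
        galaxy_manage_static_setup: true
        galaxy_manage_mutable_setup: true
        galaxy_manage_database: true
        galaxy_fetch_dependencies: true
        galaxy_build_client: true
    # Extras!
    - hxr.install-to-venv  # Some extra packages our site needs.
    - usegalaxy-eu.galaxy-systemd  # Manage the Galaxy processes with SystemD
    # Setup the NodeJS proxy (depends on NodeJS being already available)
    - usegalaxy-eu.gie-node-proxy
    - usegalaxy-eu.gie-deployer  # Deploy the GIE configuration
    - usegalaxy-eu.subdomain-themes  # Custom subdomain themes
    - usegalaxy-eu.limits  # Prevent out of control processes
    # Cleanup purged datasets/histories/etc >60 days old
    - usegalaxy-eu.galaxy-cleanup
    # Various ugly fixes
    - usegalaxy-eu.fix-unscheduled-jobs  # Workaround for ???
    # Workaround for https://github.com/galaxyproject/galaxy/issues/8244
    - usegalaxy-eu.fix-oidc
    # Workaround for https://github.com/galaxyproject/galaxy/issues/8209
    - usegalaxy-eu.fix-unscheduled-workflows
    # Workaround for https://github.com/galaxyproject/galaxy/issues/8171,
    # maybe can be removed in 19.09?
    - usegalaxy-eu.fix-failing-to-fail-jobs
    # Restart handlers to prevent several classes of issues
    - usegalaxy-eu.fix-stuck-handlers
    # do not retain logs, they are unnecessary/risky under GDPR
    - usegalaxy-eu.log-cleaner
    # NOTE(review): the dev-sec OS and SSH hardening roles below are
    # commented out, so they are not applied by this play.
    # - dev-sec.os-hardening
    # - dev-sec.ssh-hardening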