diff --git a/galaxy.yml b/galaxy.yml
index 4982a5f..3720b58 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -205,8 +205,7 @@ when: enable_tiaas | bool - galaxyproject.nginx - galaxyproject.proftpd - - geerlingguy.docker - - usegalaxy_eu.rabbitmqserver + - galaxyproject.rabbitmq - galaxyproject.gxadmin - galaxyproject.cvmfs - role: dj-wasabi.telegraf
diff --git a/group_vars/galaxyservers.yml b/group_vars/galaxyservers.yml
index 724eb98..e93a4a0 100644
--- a/group_vars/galaxyservers.yml
+++ b/group_vars/galaxyservers.yml
@@ -295,12 +295,11 @@ certbot_well_known_root: /srv/nginx/_well-known_root certbot_share_key_users: - www-data - proftpd -certbot_share_key_ids: - - "999:999" + - rabbitmq certbot_post_renewal: | systemctl restart nginx || true - docker restart rabbit_hole || true systemctl restart proftpd || true + systemctl restart rabbitmq-server || true # the order in domain names matter, rabbitMQ role takes the first entry for path to letsencrypt certificates certbot_domains: "{{ [ inventory_hostname ] + (extra_certbot_domains | default([]) ) }}" certbot_expand: true
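Review bot: `geerlingguy.docker` is dropped from this role list while requirements.yml (last hunk of the page) still pins it at 7.4.4 and the pip `docker` package is removed from group_vars, so the role is now unused by this play; unless another play still depends on it, the `- src: geerlingguy.docker` / `version: 7.4.4` pair in requirements.yml can be removed in the same commit. Separately, `galaxyproject.rabbitmq` is ordered after `galaxyproject.nginx`, and the certbot configuration in group_vars now shares the private key with the `rabbitmq` system user, which presumably only exists once the rabbitmq-server package has been installed; on a fresh host the key-sharing step may therefore run before that user exists, so confirm that the certbot role runs after this one or is re-run afterwards. The surrounding role list starts and ends outside the hunk.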
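Review bot: The comment `# the order in domain names matter, rabbitMQ role takes the first entry for path to letsencrypt certificates` looks stale once this commit points the rabbitmq role at `/etc/ssl/certs/fullchain.pem` and `/etc/ssl/user/privkey-rabbitmq.pem` explicitly instead of the letsencrypt live directory; if the new role no longer derives a path from `certbot_domains`, reword it to `# certbot_domains: first entry is the primary name on the certificate` or drop it so the ordering constraint is not kept for nothing. Also note that `systemctl restart rabbitmq-server || true` in `certbot_post_renewal` drops every open AMQP connection (Galaxy, Pulsar, Flower) on each renewal, and `|| true` hides a broker that fails to come back; if the broker or role offers a way to pick up rotated certificates without a full restart, prefer it, and at minimum consider whether a failed restart should be allowed to fail the hook so it is noticed.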
@@ -341,36 +340,40 @@ nginx_conf_http: # default Let's encrypt, override in host_vars eventually nginx_ssl_role: usegalaxy_eu.certbot -nginx_conf_ssl_certificate: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem -nginx_conf_ssl_certificate_key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem +nginx_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem +nginx_conf_ssl_certificate_key: /etc/ssl/user/privkey-www-data.pem -#Install pip docker package for ansible -pip_install_packages: - - name: docker # RabbitMQ rabbitmq_hostname: "{{ inventory_hostname }}" -rabbitmq_container: - name: rabbit_hole - image: rabbitmq:3.13-management - hostname: "{{ inventory_hostname }}" - rabbitmq_plugins: - - rabbitmq_management - -# ok for noletsencrypt -#rabbitmq_conf_ssl_certificate: /etc/ssl/certs/cert.pem + - names: rabbitmq_management + +rabbitmq_apt_keys: + ## Team RabbitMQ's main signing key + - url: https://github.com/rabbitmq/signing-keys/releases/download/3.0/rabbitmq-release-signing-key.asc + file: rabbitmq-release-signing-key.asc + +rabbitmq_apt_repositories: + ## Provides modern Erlang/OTP releases + - url: "https://deb1.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + - url: "https://deb2.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + ## Provides RabbitMQ + - url: "https://deb1.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + - url: "https://deb2.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" rabbitmq_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem -rabbitmq_conf_ssl_certificate_key: 
/etc/ssl/user/privkey-999:999.pem - -rabbitmq_container_pause: 60 +rabbitmq_conf_ssl_certificate_key: /etc/ssl/user/privkey-rabbitmq.pem rabbitmq_config: listeners: tcp: none - ssl_listeners: - default: 5671 + ssl: + default: 5671 ssl_options: verify: verify_peer cacertfile: /etc/ssl/certs/ca-certificates.crt
@@ -387,25 +390,42 @@ rabbitmq_config: consumer_timeout: 21600000 # 6 hours in milliseconds rabbitmq_vhosts: - - pulsar - - galaxy_gpu - - galaxy_internal + - name: pulsar + - name: galaxy_internal rabbitmq_users: + - user: guest + state: absent - user: debian password: "{{ rabbitmq_users_password.mqadmin }}" tags: administrator - vhost: / + permissions: + - vhost: / + configure_priv: .* + read_priv: .* + write_priv: .* - user: "{{ pulsar.user_name }}" password: "{{ rabbitmq_users_password.pulsar }}" - vhost: pulsar + permissions: + - vhost: pulsar + configure_priv: .* + read_priv: .* + write_priv: .* - user: galaxy password: "{{ vault_rabbitmq_password_galaxy }}" - vhost: galaxy_internal + permissions: + - vhost: galaxy_internal + configure_priv: .* + read_priv: .* + write_priv: .* - user: flower password: "{{ vault_rabbitmq_password_flower }}" tags: administrator - vhost: galaxy_internal + permissions: + - vhost: galaxy_internal + configure_priv: .* + read_priv: .* + write_priv: .* # TUS
@@ -481,10 +501,8 @@ proftpd_options: - Port: 21 proftpd_sql_db: galaxy@/var/run/postgresql proftpd_sql_user: galaxy -#proftpd_conf_ssl_certificate: /etc/ssl/certs/cert.pem -#proftpd_conf_ssl_certificate_key: /etc/ssl/user/privkey-proftpd.pem -proftpd_conf_ssl_certificate: /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem -proftpd_conf_ssl_certificate_key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem +proftpd_conf_ssl_certificate: /etc/ssl/certs/cert.pem +proftpd_conf_ssl_certificate_key: /etc/ssl/user/privkey-proftpd.pem proftpd_global_options: - PassivePorts: 56000 60000 proftpd_use_mod_tls_shmcache: false
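Review bot: `rabbitmq_apt_keys` fetches the signing key from a release download URL and the four `signed_by:` entries pin the repositories to that file, which is the right shape, but nothing records which key is expected, so a changed key on the download side would be accepted silently on the next provisioning run. A comment beside the entry, `## expected fingerprint: <RABBITMQ-KEY-FINGERPRINT-PLACEHOLDER> (verify against the vendor's published key)`, gives the next operator something to check against, and if the role accepts a fingerprint or checksum field for keys, use that instead of a comment. The TLS listener also now depends on `/etc/ssl/user/privkey-rabbitmq.pem`, which only exists if the `rabbitmq` entry under `certbot_share_key_users` in the earlier hunk has been applied, so the two changes need to land together. The hunk is cut inside the `ssl_options` block, which continues outside it.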
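Review bot: The new explicit `permissions:` blocks grant `configure_priv`, `read_priv` and `write_priv` of `.*` to every user, including `flower`, which together with its carried-over `tags: administrator` gives a monitoring UI full control of `galaxy_internal`; if Flower only consumes Celery events and reads state through the management API, `tags: monitoring` is likely sufficient for the API side, and the AMQP privileges could be narrowed (for example `configure_priv: "^$"` if it declares no queues) — confirm what Flower actually declares before tightening. Removing the default `guest` account with `state: absent` is the right move, but `galaxy_gpu` is only dropped from `rabbitmq_vhosts` rather than marked absent; if the role merely creates listed vhosts, an existing `galaxy_gpu` vhost and any grants on it survive on already-provisioned hosts, so an explicit absent entry, if the role supports one, would make the removal effective.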
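Review bot: `proftpd_conf_ssl_certificate` points at `/etc/ssl/certs/cert.pem`, the leaf certificate alone, while nginx and rabbitmq in the same commit use `fullchain.pem`; unless the proftpd role also passes a chain file (not visible here), FTPS clients that do not already hold the intermediate will fail chain validation. The previous path was also the leaf `cert.pem`, so this is carried over rather than introduced, but `proftpd_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem` would align the three services and is worth testing with a strict client. The `proftpd_options` list starts before the hunk.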
diff --git a/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml b/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml
index d27d196..07b998c 100644
--- a/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml
+++ b/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml
@@ -1,8 +1,8 @@ -galaxy_commit_id: release_25.0 +galaxy_commit_id: release_25.1 galaxy_build_client: false galaxy_client_make_target: client-production -csnt_brand: QA1-TEST-25.0 +csnt_brand: QA1-TEST-25.1 csnt_log_level: DEBUG csnt_enable_notification_system: true csnt_edam_panel_views: operations,topics
diff --git a/requirements.yml b/requirements.yml
index d442504..53dd1d3 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -18,8 +18,8 @@ version: 0.4.4 - src: geerlingguy.docker version: 7.4.4 -- src: usegalaxy_eu.rabbitmqserver - version: 1.4.5 +- src: galaxyproject.rabbitmq + version: 1.0.1 - src: geerlingguy.redis version: 1.9.0 - src: galaxyproject.gxadmin