From d0cc325ce3bcfbe456383c6f488a19d4d92e601d Mon Sep 17 00:00:00 2001 From: Martin Demko <325073@mail.muni.cz> Date: Mon, 12 Jan 2026 14:57:38 +0100 Subject: [PATCH 1/5] removes rabbitmq dep on docker and cleans certs usage --- galaxy.yml | 2 +- group_vars/galaxyservers.yml | 69 +++++++++++++++++++----------------- requirements.yml | 4 +-- 3 files changed, 39 insertions(+), 36 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 4982a5f..4f92c7e 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -206,7 +206,7 @@ - galaxyproject.nginx - galaxyproject.proftpd - geerlingguy.docker - - usegalaxy_eu.rabbitmqserver + - galaxyproject.rabbitmq - galaxyproject.gxadmin - galaxyproject.cvmfs - role: dj-wasabi.telegraf diff --git a/group_vars/galaxyservers.yml b/group_vars/galaxyservers.yml index 724eb98..b9cbdb1 100644 --- a/group_vars/galaxyservers.yml +++ b/group_vars/galaxyservers.yml @@ -295,12 +295,11 @@ certbot_well_known_root: /srv/nginx/_well-known_root certbot_share_key_users: - www-data - proftpd -certbot_share_key_ids: - - "999:999" + - rabbitmq certbot_post_renewal: | systemctl restart nginx || true - docker restart rabbit_hole || true systemctl restart proftpd || true + systemctl restart rabbitmq-server || true # the order in domain names matter, rabbitMQ role takes the first entry for path to letsencrypt certificates certbot_domains: "{{ [ inventory_hostname ] + (extra_certbot_domains | default([]) ) }}" certbot_expand: true 
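Review bot: Adding `rabbitmq` to `certbot_share_key_users` assumes that account already exists when the certbot role copies the key, but in galaxy.yml `galaxyproject.rabbitmq` is listed after `galaxyproject.nginx`, which (through `nginx_ssl_role: usegalaxy_eu.certbot`) appears to be where certbot runs. On a fresh host the key share for `rabbitmq` may therefore fail or be skipped on the first play; confirm this, then either reorder the roles or document the two-pass run with a comment such as `# rabbitmq user is created by galaxyproject.rabbitmq; the key share needs that role applied first`. Separately, the new `systemctl restart rabbitmq-server || true` discards a failed restart after renewal, so the broker can keep serving the old certificate with no signal; logging the failure instead of swallowing it would make an expired certificate on port 5671 easier to trace. The context comment saying the rabbitMQ role takes the first domain entry for the letsencrypt path may also be stale now that the key path is `/etc/ssl/user/privkey-rabbitmq.pem`.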
@@ -341,36 +340,23 @@ nginx_conf_http: # default Let's encrypt, override in host_vars eventually nginx_ssl_role: usegalaxy_eu.certbot -nginx_conf_ssl_certificate: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem -nginx_conf_ssl_certificate_key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem +nginx_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem +nginx_conf_ssl_certificate_key: /etc/ssl/user/privkey-www-data.pem -#Install pip docker package for ansible -pip_install_packages: - - name: docker # RabbitMQ rabbitmq_hostname: "{{ inventory_hostname }}" -rabbitmq_container: - name: rabbit_hole - image: rabbitmq:3.13-management - hostname: "{{ inventory_hostname }}" - rabbitmq_plugins: - - rabbitmq_management - -# ok for noletsencrypt -#rabbitmq_conf_ssl_certificate: /etc/ssl/certs/cert.pem + - names: rabbitmq_management rabbitmq_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem -rabbitmq_conf_ssl_certificate_key: /etc/ssl/user/privkey-999:999.pem - -rabbitmq_container_pause: 60 +rabbitmq_conf_ssl_certificate_key: /etc/ssl/user/privkey-rabbitmq.pem rabbitmq_config: listeners: tcp: none - ssl_listeners: - default: 5671 + ssl: + default: 5671 ssl_options: verify: verify_peer cacertfile: /etc/ssl/certs/ca-certificates.crt 
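Review bot: Nothing in this hunk restricts or encrypts the management listener that `rabbitmq_plugins` turns on with `rabbitmq_management`; the TLS settings shown (`tcp: none`, `ssl` with `default: 5671`, `verify: verify_peer`) cover only the AMQP listener. With the broker now installed on the host instead of in the `rabbit_hole` container, the management UI may come up on its default plain-HTTP port on all interfaces. `rabbitmq_config` continues outside the hunk, so check whether it sets `management.ssl.*` or binds `management.tcp.ip` to loopback, and whether `fail_if_no_peer_cert` accompanies `verify_peer`. A comment above `rabbitmq_plugins` recording the intended exposure, e.g. `# management UI exposure: <how it is reached / restricted>`, would make this reviewable.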
@@ -387,25 +373,42 @@ rabbitmq_config: consumer_timeout: 21600000 # 6 hours in milliseconds rabbitmq_vhosts: - - pulsar - - galaxy_gpu - - galaxy_internal + - name: pulsar + - name: galaxy_internal rabbitmq_users: + - user: guest + state: absent - user: debian password: "{{ rabbitmq_users_password.mqadmin }}" tags: administrator - vhost: / + permissions: + - vhost: / + configure_priv: .* + read_priv: .* + write_priv: .* - user: "{{ pulsar.user_name }}" password: "{{ rabbitmq_users_password.pulsar }}" - vhost: pulsar + permissions: + - vhost: pulsar + configure_priv: .* + read_priv: .* + write_priv: .* - user: galaxy password: "{{ vault_rabbitmq_password_galaxy }}" - vhost: galaxy_internal + permissions: + - vhost: galaxy_internal + configure_priv: .* + read_priv: .* + write_priv: .* - user: flower password: "{{ vault_rabbitmq_password_flower }}" tags: administrator - vhost: galaxy_internal + permissions: + - vhost: galaxy_internal + configure_priv: .* + read_priv: .* + write_priv: .* # TUS @@ -481,10 +484,10 @@ proftpd_options: - Port: 21 proftpd_sql_db: galaxy@/var/run/postgresql proftpd_sql_user: galaxy -#proftpd_conf_ssl_certificate: /etc/ssl/certs/cert.pem -#proftpd_conf_ssl_certificate_key: /etc/ssl/user/privkey-proftpd.pem -proftpd_conf_ssl_certificate: /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem -proftpd_conf_ssl_certificate_key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem +proftpd_conf_ssl_certificate: /etc/ssl/certs/cert.pem +proftpd_conf_ssl_certificate_key: /etc/ssl/user/privkey-proftpd.pem +#proftpd_conf_ssl_certificate: /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem +#proftpd_conf_ssl_certificate_key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem proftpd_global_options: - PassivePorts: 56000 60000 proftpd_use_mod_tls_shmcache: false diff --git a/requirements.yml b/requirements.yml index d442504..53dd1d3 100644 --- a/requirements.yml +++ b/requirements.yml 
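Review bot: Every account in the new `permissions` blocks of `rabbitmq_users` receives `configure_priv: .*`, `read_priv: .*` and `write_priv: .*`, so the `pulsar` and `galaxy` service users can create and delete any resource in their vhost, and `flower` keeps the `administrator` tag on top of that. If the previous role granted the same by default this is no regression, but now that the grants are explicit this is the place to narrow them; a monitoring account such as `flower` may only need the `monitoring` tag. `galaxy_gpu` is dropped from `rabbitmq_vhosts` without a `state: absent` entry like the one used for `guest`, so on already-deployed brokers the vhost and its permissions presumably remain; confirm that is intended. Quoting the patterns (`configure_priv: '.*'`) would also make clear they are regex strings.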
@@ -18,8 +18,8 @@ version: 0.4.4 - src: geerlingguy.docker version: 7.4.4 -- src: usegalaxy_eu.rabbitmqserver - version: 1.4.5 +- src: galaxyproject.rabbitmq + version: 1.0.1 - src: geerlingguy.redis version: 1.9.0 - src: galaxyproject.gxadmin From 4595fca6d21709202fe4ee8b408ff8e06ea7cad8 Mon Sep 17 00:00:00 2001 From: Martin Demko <325073@mail.muni.cz> Date: Mon, 12 Jan 2026 15:34:27 +0100 Subject: [PATCH 2/5] removes docker role from playbook --- galaxy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 4f92c7e..3720b58 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -205,7 +205,6 @@ when: enable_tiaas | bool - galaxyproject.nginx - galaxyproject.proftpd - - geerlingguy.docker - galaxyproject.rabbitmq - galaxyproject.gxadmin - galaxyproject.cvmfs From 2444eb892d9e789003a9c2ca0da7a18c87a684b1 Mon Sep 17 00:00:00 2001 From: Martin Cech Date: Thu, 15 Jan 2026 13:20:57 +0100 Subject: [PATCH 3/5] update qa1 to 25.1 --- host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml b/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml index d27d196..07b998c 100644 --- a/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml +++ b/host_vars/galaxy-qa1.galaxy.cloud.e-infra.cz/vars.yml @@ -1,8 +1,8 @@ -galaxy_commit_id: release_25.0 +galaxy_commit_id: release_25.1 galaxy_build_client: false galaxy_client_make_target: client-production -csnt_brand: QA1-TEST-25.0 +csnt_brand: QA1-TEST-25.1 csnt_log_level: DEBUG csnt_enable_notification_system: true csnt_edam_panel_views: operations,topics From 0a4c8099b405d80504575e025254cdb5b4954c3f Mon Sep 17 00:00:00 2001 From: martindemko <325073@mail.muni.cz> Date: Thu, 15 Jan 2026 13:55:49 +0100 Subject: [PATCH 4/5] updates apt keys and repo links for rabbitmq --- group_vars/galaxyservers.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
diff --git a/group_vars/galaxyservers.yml b/group_vars/galaxyservers.yml index b9cbdb1..8a3252a 100644 --- a/group_vars/galaxyservers.yml +++ b/group_vars/galaxyservers.yml @@ -372,6 +372,22 @@ rabbitmq_config: disable_stats: 'false' consumer_timeout: 21600000 # 6 hours in milliseconds +rabbitmq_apt_keys: + ## Team RabbitMQ's main signing key + - url: https://github.com/rabbitmq/signing-keys/releases/download/3.0/rabbitmq-release-signing-key.asc + file: rabbitmq-release-signing-key.asc +rabbitmq_apt_repositories: + ## Provides modern Erlang/OTP releases + - url: "https://deb1.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + - url: "https://deb2.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + ## Provides RabbitMQ + - url: "https://deb1.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + - url: "https://deb2.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + rabbitmq_vhosts: - name: pulsar - name: galaxy_internal From 4c2090da8825f397c81bee48a61e8aa1061e99b9 Mon Sep 17 00:00:00 2001 From: martindemko <325073@mail.muni.cz> Date: Thu, 15 Jan 2026 14:15:40 +0100 Subject: [PATCH 5/5] refactoring of the galaxyservers config file --- group_vars/galaxyservers.yml | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/group_vars/galaxyservers.yml b/group_vars/galaxyservers.yml index 8a3252a..e93a4a0 100644 --- a/group_vars/galaxyservers.yml +++ b/group_vars/galaxyservers.yml 
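Review bot: The signing key in `rabbitmq_apt_keys` is downloaded from a GitHub release URL and trusted as fetched; nothing in the hunk pins a fingerprint or checksum, so the trust anchor for every Erlang and RabbitMQ package is whatever that URL serves at play time. Scoping each repository with `signed_by` is the right choice and should stay. If the role's key entries accept a checksum field, set it; otherwise vendor the `.asc` file in this repository, or at least record the expected value in a comment such as `# expected fingerprint: <KEY_FINGERPRINT>`, so a changed key is noticed in review. The same block is moved unchanged by PATCH 5/5 (hunk `@@ -349,6 +349,23 @@`), so the remark applies there as well.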
@@ -349,6 +349,23 @@ rabbitmq_hostname: "{{ inventory_hostname }}" rabbitmq_plugins: - names: rabbitmq_management +rabbitmq_apt_keys: + ## Team RabbitMQ's main signing key + - url: https://github.com/rabbitmq/signing-keys/releases/download/3.0/rabbitmq-release-signing-key.asc + file: rabbitmq-release-signing-key.asc + +rabbitmq_apt_repositories: + ## Provides modern Erlang/OTP releases + - url: "https://deb1.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + - url: "https://deb2.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + ## Provides RabbitMQ + - url: "https://deb1.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + - url: "https://deb2.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" + signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" + rabbitmq_conf_ssl_certificate: /etc/ssl/certs/fullchain.pem rabbitmq_conf_ssl_certificate_key: /etc/ssl/user/privkey-rabbitmq.pem 
@@ -372,22 +389,6 @@ rabbitmq_config: disable_stats: 'false' consumer_timeout: 21600000 # 6 hours in milliseconds -rabbitmq_apt_keys: - ## Team RabbitMQ's main signing key - - url: https://github.com/rabbitmq/signing-keys/releases/download/3.0/rabbitmq-release-signing-key.asc - file: rabbitmq-release-signing-key.asc -rabbitmq_apt_repositories: - ## Provides modern Erlang/OTP releases - - url: "https://deb1.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" - signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" - - url: "https://deb2.rabbitmq.com/rabbitmq-erlang/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" - signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" - ## Provides RabbitMQ - - url: "https://deb1.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" - signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" - - url: "https://deb2.rabbitmq.com/rabbitmq-server/{{ rabbitmq_apt_dist }}/{{ rabbitmq_apt_dist_rel }}" - signed_by: "{{ rabbitmq_apt_key_dir }}/rabbitmq-release-signing-key.asc" - rabbitmq_vhosts: - name: pulsar - name: galaxy_internal @@ -502,8 +503,6 @@ proftpd_sql_db: galaxy@/var/run/postgresql proftpd_sql_user: galaxy proftpd_conf_ssl_certificate: /etc/ssl/certs/cert.pem proftpd_conf_ssl_certificate_key: /etc/ssl/user/privkey-proftpd.pem -#proftpd_conf_ssl_certificate: /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem -#proftpd_conf_ssl_certificate_key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem proftpd_global_options: - PassivePorts: 56000 60000 proftpd_use_mod_tls_shmcache: false