forked from ome/prod-playbooks
-
Notifications
You must be signed in to change notification settings - Fork 1
/
ome-dundeeomero.yml
289 lines (255 loc) · 10.6 KB
/
ome-dundeeomero.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
# Install OMERO.server and prepare the OME (UoD/SLS) prerequisites
- hosts: ome-dundeeomero.openmicroscopy.org
pre_tasks:
- name: Install open-vm-tools if system is a VMware vm
become: yes
yum:
name: open-vm-tools
state: present
when: >
((ansible_virtualization_type is defined)
and (ansible_virtualization_type == "VMware"))
# Not required for an OMERO server install - UoD specific implementation
- name: NGOM mount point | Install NFS prerequisites
become: yes
yum:
name: nfs-utils
state: present
# Not required for an OMERO server install - UoD specific implementation
# Before Ansible 2.3, option 'name' was used instead of 'path'
- name: NGOM mount point | Create the fstab entry and mount the fs
tags: lvm
become: yes
mount:
name: /ngom
state: mounted
fstype: nfs
src: "{{ngom_nfs_server_addr}}:/uod/lfs/ngom"
opts: tcp,rsize=16384,wsize=16384
dump: 0
passno: 0
# Perhaps alter the role at https://github.com/openmicroscopy/ansible-role-lvm-partition/
# to make some of the variables non-required.
- name: Resize root FS without altering mount options
tags: lvm
become: yes
lvol:
lv: root
vg: rhel
size: "{{ provision_root_lvsize }}"
- name: Install Make Movie script Prerequisite | MEncoder - Repo
become: yes
yum:
name: http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
state: present
- name: Install Make Movie script Prerequisite | MEncoder - Package
become: yes
yum:
name: mencoder
state: present
- name: OMERO.figure server-side prerequisites, script prerequisites + web server for decoupled OMERO.web
become: yes
yum:
name: "{{ item }}"
state: present
with_items:
# For OMERO.figure
- python-reportlab
- python-markdown
- mencoder # For the 'make movie' script
# Current server proxies to a decoupled OMERO.web server
# Initially replicate this setup, to minimise changes.
- nginx
roles:
# Now OME are using RHEL without Spacewalk, the current best-method of
# checking `is server SLS` is checking for the SLS nameservers.
- role: openmicroscopy.system-monitor-agent
when: "'10.1.255.216' in ansible_dns.nameservers"
# Disk Layout - PostgreSQL | data dir
- role: openmicroscopy.lvm-partition
tags: lvm
lvm_lvname: pgdata
lvm_vgname: postgresql
lvm_lvmount: /var/lib/pgsql
lvm_lvsize: "{{ provision_postgres_lvsize }}"
lvm_lvfilesystem: "{{ filesystem }}"
# Disk Layout - OMERO | data dir
- role: openmicroscopy.lvm-partition
tags: lvm
lvm_lvname: basedir
lvm_vgname: omero
lvm_lvmount: "{{ omero_common_basedir }}"
lvm_lvsize: "{{ provision_omero_basedir_lvsize }}"
lvm_lvfilesystem: "{{ filesystem }}"
# Mock database user & creds, to allow Playbook to install
# OMERO, and allow for a manual PostgresSQL dump/restore.
- role: openmicroscopy.postgresql
postgresql_users_databases:
- user: install-mock
password: install-mock
databases: [install-mock]
# Note - had to have these set to `install-mock` to progress role
# installation before changing config to restored DB from other system.
- role: openmicroscopy.omero-server
omero_server_release: 5.4.9
# install-mock set for inital provision, then playbook re-run with correct accounts.
#omero_server_dbuser: install-mock
#omero_server_dbname: install-mock
#omero_server_dbpassword: install-mock
omero_server_dbuser: "{{ vault.omero_server_os_user }}"
omero_server_dbname: "{{ vault.omero_server_dbname }}"
omero_server_dbpassword: "{{ vault.omero_server_dbpassword }}"
# Active Directory users not working with role.
# Role requires to be manually modified to make it work with an AD user
omero_server_system_user: "{{ vault.omero_server_os_user }}"
# Mocking omero_server_datadir for the first run.
# Prod value to come from host vars
# omero_server_datadir: "/tmp/install-mock_omero-server-datadir"
# omero_server_datadir: overridden after inital role run via host vars
omero_server_datadir_manage: False
omero_server_systemd_limit_nofile: 16384
omero_server_systemd_after:
- gpfs.service
omero_server_systemd_requires:
- gpfs.service
omero_server_system_user_manage: False
- role: openmicroscopy.ssl-certificate
# Configuration for this role in `vars`
post_tasks:
- name: NGINX - enable service / start on boot
become: yes
systemd:
name: nginx
enabled: yes
# post 2.3 'dest' should be renamed 'path'
- name: NGINX - Performance tuning - worker processes
become: yes
replace:
dest: "/etc/nginx/nginx.conf"
regexp: '^worker_processes\s+\d+;'
replace: "worker_processes 1;"
# post 2.3 'dest' should be renamed 'path'
# cf https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration
- name: NGINX - Performance tuning - worker connections
become: yes
replace:
dest: "/etc/nginx/nginx.conf"
regexp: 'worker_connections\s+\d+;'
replace: "worker_connections 65000;"
- name: NGINX - create nested includes directory
become: yes
file:
path: /etc/nginx/conf.d-nested-includes
state: directory
# post 2.3 'destfile' should be renamed 'path'
- name: NGINX - Configuration
become: yes
template:
src: nginx-omero.conf.j2
dest: /etc/nginx/conf.d/omero-web.conf
notify:
- restart nginx
- name: Check_MK postgres plugin | check for plugin existence
tags: monitoring
stat:
path: "{{ check_mk_agent_plugin_path }}/mk_postgres"
register: check_mk_postgres_plugin_st
- name: Check_MK postgres plugin | activate the plugin
tags: monitoring
become: yes
command: cp "{{ check_mk_agent_plugin_path }}/mk_postgres" /usr/share/check-mk-agent/plugins/ creates=/usr/share/check-mk-agent/plugins/mk_postgres
when: check_mk_postgres_plugin_st.stat.exists
- name: Check_MK logwatch plugin | check for plugin existence
tags: monitoring
stat:
path: "{{ check_mk_agent_plugin_path }}/mk_logwatch"
register: check_mk_logwatch_plugin_st
- name: Check_MK logwatch plugin | activate the plugin
tags: monitoring
become: yes
command: cp "{{ check_mk_agent_plugin_path }}/mk_logwatch" /usr/share/check-mk-agent/plugins/ creates=/usr/share/check-mk-agent/plugins/mk_logwatch
when: check_mk_logwatch_plugin_st.stat.exists
- name: Check_MK logwatch plugin | check for default config file
tags: monitoring
stat:
path: "{{ check_mk_agent_config_example_path }}/logwatch.cfg"
register: check_mk_logwatch_plugin_conf_st
- name: Check_MK logwatch plugin | copy the default config
tags: monitoring
become: yes
command: cp "{{ check_mk_agent_config_example_path }}/logwatch.cfg" "{{ check_mk_agent_config_path }}/logwatch.cfg" creates="{{ check_mk_agent_config_path }}/logwatch.cfg"
when: check_mk_logwatch_plugin_conf_st
- name: PostgreSQL Nightly Backups | Create the backups directory
tags: backups
become: yes
file:
path: "{{ omero_server_db_dumpdir_parent }}/{{ omero_server_db_dumpdir_name }}"
state: directory
owner: postgres
group: postgres
mode: "u=rwx,go="
- name: PostgreSQL Nightly Backups | send the backup script
tags: backups
become: yes
template:
src: nightly-pg_dump-omero.sh.j2
dest: /etc/cron.daily/nightly-pg_dump-omero.sh
mode: "u=rwx,go="
- name: Create a figure scripts directory
become: yes
file:
path: /opt/omero/server/OMERO.server/lib/scripts/omero/figure_scripts
state: directory
mode: 0755
recurse: yes
owner: root
- name: Download the Figure_To_Pdf.py script
become: yes
get_url:
url: https://raw.githubusercontent.com/ome/omero-figure/{{ omero_figure_tag | default("master") }}/omero_figure/scripts/omero/figure_scripts/Figure_To_Pdf.py
dest: /opt/omero/server/OMERO.server/lib/scripts/omero/figure_scripts/Figure_To_Pdf.py
mode: 0644
owner: root
checksum: "{{ omero_figure_pdfscript_checksum | default(omit) }}"
vars:
# For https://github.com/openmicroscopy/ansible-role-java, which is a dependency.
java_jdk_install: True
# Check_MK (system monitoring) paths
check_mk_agent_plugin_path: /usr/share/check-mk-agent/available-plugins
check_mk_agent_config_example_path: /usr/share/check_mk/agents/cfg_examples
check_mk_agent_config_path: /etc/check-mk-agent
# Backup folder for PostgreSQL 'folder' format dump
# Overriden by host vars, example values:
#omero_server_db_dumpdir_parent: /tmp
#omero_server_db_dumpdir_name: nightly-pg_dump_omero.dir
postgresql_version: "9.6"
filesystem: "xfs"
omero_server_config_set:
omero.db.poolsize: 60
omero.jvmcfg.percent.blitz: 50
omero.jvmcfg.percent.indexer: 20
omero.jvmcfg.percent.pixeldata: 20
omero.jvmcfg.system_memory: 17000
omero.ldap.base: "{{ omero_server_ldap_base }}"
omero.ldap.config: true
omero.ldap.urls: "{{ omero_server_ldap_urls }}"
omero.mail.config: true
omero.mail.from: "{{ omero_server_mail_from }}"
omero.mail.host: "{{ omero_server_mail_host }}"
omero.ldap.new_user_group: "My Data"
omero.search.batch: 100
omero.security.password_provider: chainedPasswordProvider431
omero.throttling.method_time.error: 60000
omero.Ice.Default.Host: "{{ omero_server_ice_default_host }}"
Ice.Admin.Endpoints: "{{ omero_server_ice_admin_endpoints }}"
omero.data.dir: "{{ omero_server_datadir }}"
# Server path to SSL public certificate
ssl_certificate_public_path: /etc/nginx/ssl/server.crt
# Server path to SSL intermediate certificate(s)
ssl_certificate_intermediate_path: /etc/nginx/ssl/intermediate.crt
# Server path to SSL bundled public and intermediate certificates
ssl_certificate_bundled_path: /etc/nginx/ssl/bundled.crt
# Server path to SSL certificate key
ssl_certificate_key_path: /etc/nginx/ssl/server.key
# Server path to SSL combined certificate and key, set to empty to disable
ssl_certificate_combined_path: ''