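# Install OMERO.server, OMERO.web and prepare the OME (UoD/SLS) prerequisites
# To allow the OMERO.web plugins to upgrade, also pass `--extra-vars upgrade_webapps=True`
- hosts: ome-demoservers

  pre_tasks:
    - name: Install open-vm-tools if system is a VMware vm
      become: true
      yum:
        name: open-vm-tools
        # "installed" is a legacy alias of "present"; use the canonical value.
        state: present
      when: >-
        (ansible_virtualization_type is defined)
        and (ansible_virtualization_type == "VMware")

    # Perhaps alter the role at https://github.com/openmicroscopy/ansible-role-lvm-partition/
    # to make some of the variables non-required.
    - name: Resize root FS without altering mount options
      tags: lvm
      become: true
      lvol:
        lv: root
        vg: VolGroup00
        size: "{{ provision_root_lvsize }}"
        shrink: false

    # Third-party repository (Nux Dextop). The release RPM is fetched over plain
    # HTTP and yum does not signature-check a package given by URL unless
    # localpkg_gpgcheck is enabled, so nothing here verifies its integrity;
    # mirroring it internally or pinning a checksum would close that gap.
    - name: Install Make Movie script Prerequisite | MEncoder - Repo
      become: true
      yum:
        name: http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
        state: present

    # mencoder is used by the 'make movie' script.
    - name: Install Make Movie script Prerequisite | MEncoder - Package
      become: true
      yum:
        name: mencoder
        state: present

    # mencoder was also listed here; the dedicated task above already installs it.
    - name: OMERO.figure server-side prerequisites, script prerequisites
      become: true
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        # For OMERO.figure
        - python-reportlab
        - python-markdown

    # Set desired state of webapps (upgrade v.s. install/keep current version)
    - name: OMERO.web plugin upgrade | set default state "installed"
      set_fact:
        webapps_state: present

    - name: OMERO.web plugin upgrade | if --extra-vars upgrade_webapps == True, allow web plugin(s) to upgrade.
      set_fact:
        webapps_state: latest
      # --extra-vars delivers a string, so go through the bool filter instead of
      # comparing against the literal "True" (True/true/yes/1 are all accepted).
      when: upgrade_webapps is defined and (upgrade_webapps | bool)

  roles:
    # Now OME are using RHEL without Spacewalk, the current best-method of
    # checking `is server deployed in Dundee/SLS` is checking for the SLS nameservers.
    - role: openmicroscopy.system-monitor-agent
      tags: monitoring
      when: "'10.1.255.216' in ansible_dns.nameservers"

    # Disk Layout - PostgreSQL | data dir on separate VG (SSD)
    - role: openmicroscopy.lvm-partition
      tags: lvm
      lvm_lvname: pgdata
      lvm_vgname: "{{ provision_postgres_vgname }}"
      lvm_lvmount: /var/lib/pgsql
      lvm_lvsize: "{{ provision_postgres_lvsize }}"
      lvm_lvfilesystem: "{{ filesystem }}"
      lvm_shrink: false

    # Disk Layout - OMERO | VG and LV (separate disk) for Binary Repository
    - role: openmicroscopy.lvm-partition
      tags: lvm
      lvm_lvname: datadir
      lvm_vgname: "{{ provision_omero_server_datadir_vgname }}"
      lvm_lvmount: "{{ omero_server_datadir }}"
      lvm_lvsize: "{{ provision_omero_server_datadir_lvsize }}"
      lvm_lvfilesystem: "{{ filesystem }}"
      lvm_shrink: false

    # Disk Layout - OMERO.server | LV for dist & logs
    - role: openmicroscopy.lvm-partition
      tags: lvm
      lvm_lvname: omero_server_basedir
      lvm_vgname: VolGroup00
      lvm_lvmount: "{{ omero_server_basedir }}"
      lvm_lvsize: "{{ provision_omero_server_basedir_lvsize }}"
      lvm_lvfilesystem: "{{ filesystem }}"
      lvm_shrink: false

    # Disk Layout - OMERO.web | LV for dist & logs
    - role: openmicroscopy.lvm-partition
      tags: lvm
      lvm_lvname: omero_web_basedir
      lvm_vgname: VolGroup00
      lvm_lvmount: "{{ omero_web_basedir }}"
      lvm_lvsize: "{{ provision_omero_web_basedir_lvsize }}"
      lvm_lvfilesystem: "{{ filesystem }}"
      lvm_shrink: false

    # Database credentials come from the vault; no_log keeps them out of the
    # task output for every task in this role.
    - role: openmicroscopy.postgresql
      no_log: true
      postgresql_users_databases:
        - user: "{{ vault.omero_server_db_user }}"
          password: "{{ vault.omero_server_dbpassword }}"
          databases: ["{{ vault.omero_server_dbname }}"]

    # NOTE(review): this role receives the DB and OMERO root passwords but runs
    # without no_log; whether they can reach the play output depends on the
    # role's own tasks - confirm, or add no_log here as for the roles around it.
    - role: openmicroscopy.omero-server
      omero_server_release: "{{ omero_server_release_desired | default('5.4.9') }}"
      omero_server_dbuser: "{{ vault.omero_server_db_user }}"
      omero_server_dbname: "{{ vault.omero_server_dbname }}"
      omero_server_dbpassword: "{{ vault.omero_server_dbpassword }}"
      omero_server_rootpassword: "{{ vault.omero_server_rootpassword }}"
      omero_server_systemd_limit_nofile: 16384

    - role: openmicroscopy.omero-web
      omero_web_release: "{{ omero_web_release_desired | default('5.4.9') }}"
      omero_web_systemd_limit_nofile: 16384

    # This role only works on OMERO 5.3+
    - role: openmicroscopy.omero-user
      no_log: true
      omero_user_bin_omero: /opt/omero/server/OMERO.server/bin/omero
      omero_user_system: omero-server
      omero_user_admin_user: root
      omero_user_admin_pass: "{{ vault.omero_server_rootpassword }}"
      omero_group_create:
        - name: public
          type: read-only
        - name: "My Data"
          type: private
      omero_user_create:
        - login: "{{ vault.omero_web_public_user }}"
          firstname: Public
          lastname: User
          password: "{{ vault.omero_web_public_password }}"
          groups: "--group-name public"

    - role: openmicroscopy.ssl-certificate
      tags: ssl
      # Configuration for this role in `vars`

  post_tasks:
    # Only omero-figure carries a version requirement; with webapps_state=latest
    # the other packages follow whatever PyPI currently serves. Pinning them gives
    # reproducible deployments.
    - name: Omero.web plugins | plugin install via pip & pypi
      become: true
      pip:
        name:
          - "omero-figure{{ omero_figure_version_req | default('') }}"
          - "omero-fpbioimage"
          - "omero-webtagging-autotag"
          - "omero-webtagging-tagsearch"
          - "omero-iviewer"
          - "omero-parade"
          - "django-cors-headers"
        editable: false
        state: "{{ webapps_state }}"
        # variable comes from role openmicroscopy.omero-web
        virtualenv: "{{ omero_web_basedir }}/venv"
        virtualenv_site_packages: true
      notify:
        - restart omero-web

    - name: NGINX - Performance tuning - worker processes
      become: true
      replace:
        path: "/etc/nginx/nginx.conf"
        regexp: '^worker_processes\s+\d+;'
        # Half the logical CPUs, but never below 1: on a single-core host the
        # bare expression rounds 0.5 to 0, which nginx rejects.
        replace: "worker_processes {{ [1, ((ansible_processor_count * ansible_processor_cores) / 2) | round | int] | max }};"

    # cf https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration
    - name: NGINX - Performance tuning - worker connections
      become: true
      replace:
        path: "/etc/nginx/nginx.conf"
        regexp: 'worker_connections\s+\d+;'
        replace: "worker_connections 65000;"

    # TODO: Move this to /etc/nginx/conf.d-nested-includes/omero-web-ssl.conf
    - name: NGINX - SSL Configuration - Additional listen port
      become: true
      lineinfile:
        path: /etc/nginx/conf.d/omero-web.conf
        insertafter: ' listen 80;'
        line: ' listen 443 ssl;'
      # The listen directive is a config change too, so restart like the SSL block task.
      notify:
        - restart nginx

    # TODO: Move this to /etc/nginx/conf.d-nested-includes/omero-web-ssl.conf
    # The `if ($ssl_protocol = "")` rule sends plain-HTTP requests that reach
    # this server block to the https:// equivalent.
    # NOTE(review): the ssl_protocols line has no trailing ';' - confirm that
    # nginx_ssl_protocols supplies it, otherwise nginx rejects the config.
    - name: NGINX - SSL Configuration - Rest of SSL section to omero-web.conf
      become: true
      blockinfile:
        path: /etc/nginx/conf.d/omero-web.conf
        insertbefore: '.*sendfile.*'
        block: |
          ssl_certificate {{ ssl_certificate_bundled_path }};
          ssl_certificate_key {{ ssl_certificate_key_path }};
          ssl_protocols {{ nginx_ssl_protocols }}
          if ($ssl_protocol = "") {
            rewrite ^/(.*) https://$host/$1 permanent;
          }
      notify:
        - restart nginx

    - name: NGINX - create nested includes directory
      become: true
      file:
        path: /etc/nginx/conf.d-nested-includes
        state: directory

    - name: NGINX - omero-web.conf nested includes
      become: true
      lineinfile:
        # "destfile" is a legacy alias; "path" matches the other lineinfile tasks.
        path: /etc/nginx/conf.d/omero-web.conf
        insertafter: 'server {'
        line: ' include /etc/nginx/conf.d-nested-includes/*.conf;'
      notify:
        - restart nginx

    # Config for OMERO.web plugins, loaded into OMERO.web by the
    # omero.web systemd restart.
    - name: OMERO.web plugins | deploy plugin configuration
      become: true
      template:
        src: templates/omero-web-config-for-webapps.j2
        dest: "{{ omero_web_basedir }}/config/omero-web-config-for-webapps.omero"
        owner: "root"
        group: "root"
        mode: "u=rw,go=r"
      notify:
        - restart omero-web

    # OMERO.web config for CORS
    - name: OMERO.web | deploy CORS configuration
      become: true
      template:
        src: templates/omero-web-config-for-cors.j2
        dest: "{{ omero_web_basedir }}/config/omero-web-config-for-cors.omero"
        owner: "root"
        group: "root"
        mode: "u=rw,go=r"
      notify:
        - restart omero-web

    - name: Check_MK postgres plugin | check for plugin existence
      tags: monitoring
      stat:
        path: "{{ check_mk_agent_plugin_path }}/mk_postgres"
      register: check_mk_postgres_plugin_st

    # `creates` makes the copy idempotent; it is passed under args rather than
    # as an inline key=value token in the command string.
    - name: Check_MK postgres plugin | activate the plugin
      tags: monitoring
      become: true
      command: cp "{{ check_mk_agent_plugin_path }}/mk_postgres" /usr/share/check-mk-agent/plugins/
      args:
        creates: /usr/share/check-mk-agent/plugins/mk_postgres
      when: check_mk_postgres_plugin_st.stat.exists

    - name: Check_MK logwatch plugin | check for plugin existence
      tags: monitoring
      stat:
        path: "{{ check_mk_agent_plugin_path }}/mk_logwatch"
      register: check_mk_logwatch_plugin_st

    - name: Check_MK logwatch plugin | activate the plugin
      tags: monitoring
      become: true
      command: cp "{{ check_mk_agent_plugin_path }}/mk_logwatch" /usr/share/check-mk-agent/plugins/
      args:
        creates: /usr/share/check-mk-agent/plugins/mk_logwatch
      when: check_mk_logwatch_plugin_st.stat.exists

    - name: Check_MK logwatch plugin | check for default config file
      tags: monitoring
      stat:
        path: "{{ check_mk_agent_config_example_path }}/logwatch.cfg"
      register: check_mk_logwatch_plugin_conf_st

    - name: Check_MK logwatch plugin | copy the default config
      tags: monitoring
      become: true
      command: cp "{{ check_mk_agent_config_example_path }}/logwatch.cfg" "{{ check_mk_agent_config_path }}/logwatch.cfg"
      args:
        creates: "{{ check_mk_agent_config_path }}/logwatch.cfg"
      when: check_mk_logwatch_plugin_conf_st.stat.exists

    # Dump directory is private to the postgres user (u=rwx,go=).
    - name: PostgreSQL Nightly Backups | Create the backups directory
      become: true
      file:
        path: "{{ omero_server_db_dumpdir_parent }}/{{ omero_server_db_dumpdir_name }}"
        state: directory
        owner: postgres
        group: postgres
        mode: "u=rwx,go="

    - name: PostgreSQL Nightly Backups | send the backup script
      become: true
      template:
        src: nightly-pg_dump-omero.sh.j2
        dest: /etc/cron.daily/nightly-pg_dump-omero.sh
        mode: "u=rwx,go="

    - name: Create a figure scripts directory
      become: true
      file:
        path: /opt/omero/server/OMERO.server/lib/scripts/omero/figure_scripts
        state: directory
        # Quoted so the YAML parser does not turn the octal mode into a decimal int.
        mode: "0755"
        recurse: true
        owner: root

    # This script is executed server-side by OMERO, so its provenance matters:
    # omero_figure_tag defaults to the moving "master" ref and the checksum is
    # optional (omitted when omero_figure_pdfscript_checksum is unset). Set the
    # checksum and a fixed tag so the download is verified and reproducible.
    - name: Download the Figure_To_Pdf.py script
      become: true
      get_url:
        url: https://raw.githubusercontent.com/ome/omero-figure/{{ omero_figure_tag | default("master") }}/omero_figure/scripts/omero/figure_scripts/Figure_To_Pdf.py
        dest: /opt/omero/server/OMERO.server/lib/scripts/omero/figure_scripts/Figure_To_Pdf.py
        mode: "0644"
        owner: root
        checksum: "{{ omero_figure_pdfscript_checksum | default(omit) }}"

  vars:
    # For https://github.com/openmicroscopy/ansible-role-java, which is a dependency.
    java_jdk_install: true
    # Check_MK (system monitoring) paths
    check_mk_agent_plugin_path: /usr/share/check-mk-agent/available-plugins
    check_mk_agent_config_example_path: /usr/share/check_mk/agents/cfg_examples
    check_mk_agent_config_path: /etc/check-mk-agent
    # Backup folder for PostgreSQL 'folder' format dump.
    # NOTE(review): /tmp is not a durable location - on systemd hosts it may be
    # cleaned by tmpfiles, and it is lost on reboot when tmpfs-backed; a
    # dedicated backup path is the safer default.
    omero_server_db_dumpdir_parent: /tmp
    omero_server_db_dumpdir_name: nightly-pg_dump_omero.dir
    postgresql_version: "9.6"
    filesystem: "xfs"
    omero_server_config_set:
      omero.db.poolsize: 60
      omero.jvmcfg.percent.blitz: 50
      omero.jvmcfg.percent.indexer: 20
      omero.jvmcfg.percent.pixeldata: 20
      omero.jvmcfg.system_memory: 30000
      omero.mail.config: true
      omero.mail.from: "{{ omero_server_mail_from }}"
      omero.mail.host: "{{ omero_server_mail_host }}"
      omero.new_user_group: "My Data"
      omero.search.batch: 100
      omero.throttling.method_time.error: 60000
    # NOTE(review): this mapping carries the public-user password into the
    # omero-web role, which runs without no_log; confirm the role's config task
    # does not echo the values it sets.
    omero_web_config_set:
      omero.mail.config: true
      omero.mail.from: "{{ omero_server_mail_from }}"
      omero.mail.host: "{{ omero_server_mail_host }}"
      # https://www.openmicroscopy.org/site/support/omero5.3/sysadmins/public.html
      omero.web.public.user: "{{ vault.omero_web_public_user }}"
      omero.web.public.password: "{{ vault.omero_web_public_password }}"
      omero.web.public.enabled: true
      omero.web.public.server_id: 1
      # Restricts what the anonymous public user may reach; keep it as tight as
      # the public viewing use case allows.
      omero.web.public.url_filter: "^/(webgateway/(?!(archived_files|download_as))|webclient/annotation/([0-9]+)/)"
      omero.web.server_list: [["localhost", 4064, "omero"]]
      # Advice is (2*cores + 1) from OME docs.
      omero.web.wsgi_workers: "{{ (2 * (ansible_processor_count * ansible_processor_cores)) + 1 }}"
      omero.web.admins: "{{ omero_web_admins }}"
      # https://pypi.org/project/omero-iviewer/ - set iviewer to default viewer
      omero.web.viewer.view: omero_iviewer.views.index
    # Server path to SSL public certificate
    ssl_certificate_public_path: /etc/nginx/ssl/server.crt
    # Server path to SSL intermediate certificate(s)
    ssl_certificate_intermediate_path: /etc/nginx/ssl/intermediate.crt
    # Server path to SSL bundled public and intermediate certificates
    ssl_certificate_bundled_path: /etc/nginx/ssl/bundled.crt
    # Server path to SSL certificate key
    ssl_certificate_key_path: /etc/nginx/ssl/server.key
    # Server path to SSL combined certificate and key, set to empty to disable
    ssl_certificate_combined_path: ''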