Labs engine playbook

group_vars/labs_engine.yml

@@ -0,0 +1,74 @@
+---
+
+# Web server configuration
+# -----------------------------------------------------------------------------
+
+# The domain name that you've registered for the target webserver
+domain_name: "{{ inventory_hostname }}"
+
+# The Labs Engine container name defined in docker-compose.yml
+docker_container_name: labs-engine
+
+docker_install_compose: false
+docker_compose_version: "2.29.2"
+
+# If you don't want SSL certs, just flip this:
+certbot_ssl: true
+certbot_domain: "{{ domain_name }}"
+certbot_renew_email: "{{ vault_labs_admin_email }}"
+
+# 4 web workers should be plenty - increase for machines with >2 CPUs
+gunicorn:
+  web_workers: 4
+
+
+# Labs Engine configuration
+# -----------------------------------------------------------------------------
+
+django_secret_key: "{{ vault_labs_django_secret_key }}"
+
+# For manual manipulation of the database
+skip_database_migration: false
+
+# Git clone here
+project_root: /srv/labs-engine
+
+# This is where server conf files (nginx/gunicorn) will be created
+config_root: "/srv/config"
+
+create_directories:
+  - "{{ config_root }}"
+  - "{{ django_root }}/app/media"
+  - "{{ django_root }}/app/logs"
+  - "{{ temp_dir }}"
+
+# Admin user login for the web admin
+admin_user:
+  first_name: admin
+  last_name: admin
+  email: "{{ vault_labs_admin_email }}"
+  password: "{{ vault_labs_admin_password }}"
+
+smtp:
+  hostname: mail.smtp2go.com
+  port: 587
+  username: "{{ vault_labs_smtp_username }}"
+  password: "{{ vault_labs_smtp_password }}"
+  from_address: [email protected]
+  to_address: [email protected]
+  use_tls: true
+
+slack:
+  api_key: "{{ vault_labs_slack_api_key }}"
+  channel_id: "{{ vault_labs_slack_channel_id }}"
+  mention_user_id: "{{ vault_labs_slack_mention_user_id }}"
+
+github_api_token: "{{ vault_labs_github_api_token }}"
+
+# Override log levels for specific loggers
+# Value must be one of DEBUG, INFO, WARNING, ERROR, CRITICAL
+django_log_levels:
+  console: INFO
+  cache: DEBUG
+
+django_sentry_dns: "{{ vault_labs_sentry_dns }}"

host_vars/dev-labs.gvl.org.au.yml

@@ -0,0 +1 @@
+labs_engine_branch: dev

host_vars/labs.usegalaxy.org.au.yml

@@ -0,0 +1 @@
+labs_engine_branch: main

hosts

@@ -221,3 +221,9 @@ jenkins ansible_ssh_host=115.146.87.250
 ansible_host_key_checking=False
 ansible_user=ubuntu
 ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
+
+[labs_engine]
+labs.usegalaxy.org.au  ansible_connection=ssh  ansible_user=ubuntu
+
+[labs_engine_dev]
+dev-labs.gvl.org.au  ansible_connection=ssh  ansible_user=ubuntu

labs_engine_dev.yml

@@ -0,0 +1,13 @@
+---
+- hosts: labs_engine_dev
+  remote_user: ubuntu
+  become: true
+  vars_files:
+    - group_vars/VAULT
+    - group_vars/labs_engine.yml
+    - host_vars/dev-labs.gvl.org.au.yml
+  roles:
+    - role: geerlingguy.docker
+      tags: init
+    - role: galaxy_labs_engine
+      tags: always

labs_engine_prod.yml

@@ -0,0 +1,13 @@
+---
+- hosts: labs_engine
+  remote_user: ubuntu
+  become: true
+  vars_files:
+    - group_vars/VAULT
+    - group_vars/labs_engine.yml
+    - host_vars/labs.usegalaxy.org.au.yml
+  roles:
+    - role: geerlingguy.docker
+      tags: init
+    - role: galaxy_labs_engine
+      tags: always

roles/galaxy_labs_engine/defaults/main.yml

@@ -0,0 +1,49 @@
+---
+
+labs_engine_repo: https://github.com/usegalaxy-au/galaxy-labs-engine.git
+labs_engine_branch: main
+labs_engine_docker_image: neoformit/galaxy-labs-engine:latest
+
+# Rate limit requests by IP address to stop bot attacks
+# 10 r/min allows a user to reload a labs page every 6 seconds
+nginx_limit_requests_per_minute: 10
+
+project_root: /home/ubuntu/labs-engine
+config_root: /home/ubuntu/config
+django_root: "{{ project_root }}/app"
+temp_dir: /tmp/labs_engine
+
+labs_engine:
+  templates:
+    - src: "{{ role_path }}/templates/docker-compose.yml.j2"
+      dest: "{{ config_root }}/docker-compose.yml"
+    - src: "{{ role_path }}/templates/gunicorn.py.j2"
+      dest: "{{ config_root }}/gunicorn.py"
+    - src: "{{ role_path }}/templates/labs_engine.service.j2"
+      dest: /etc/systemd/system/labs_engine.service
+    - src: "{{ role_path }}/templates/nginx.conf.j2"
+      dest: "{{ config_root }}/nginx.conf"
+    - src: "{{ role_path }}/templates/.env.j2"
+      dest: "{{ project_root }}/.env"
+
+  files:
+    - src: "{{ role_path }}/files/labs_engine.socket"
+      dest: /etc/systemd/system/labs_engine.socket
+
+certbot_ssl: true
+
+gunicorn:
+  web_workers: 4
+
+skip_database_migration: false
+
+admin_user: null
+
+# Override log levels for specific loggers
+# Value must be one of DEBUG, INFO, WARNING, ERROR, CRITICAL
+django_log_levels:
+  console: INFO
+  cache: INFO
+
+# Set this to enable logging to sentry
+django_sentry_dns: null

roles/galaxy_labs_engine/files/labs_engine.socket

@@ -0,0 +1,6 @@
+[Unit]
+Description=Galaxy Labs Engine socket
+[Socket]
+ListenStream=/run/labs_engine.sock
+[Install]
+WantedBy=sockets.target

roles/galaxy_labs_engine/tasks/certbot.yml

@@ -0,0 +1,65 @@
+---
+
+- block:
+    - name: template certbot webserver configuration
+      # N.B. nginx.conf conditional render on certbot_certificates
+      template:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+      loop: "{{ labs_engine.templates }}"
+      tags: certbot
+
+    - name: Stop labs_engine service
+      ansible.builtin.systemd:
+        name: labs_engine
+        enabled: yes
+        state: stopped
+      tags: certbot
+
+    # Ensure no containers running and run container prune -f
+    - name: run docker compose down
+      shell: >
+        docker compose --profile prod down
+      args:
+        chdir: "{{ config_root }}"
+      tags: certbot
+
+    - name: run docker container prune
+      shell: >
+        docker container prune -f
+      tags: certbot
+
+    - name: Request SSL certificate with certbot
+      shell: >
+        docker compose --profile certbot run --rm certbot-init certonly
+        --webroot
+        --webroot-path /var/www/certbot/
+        --agree-tos
+        --non-interactive
+        -d "{{ certbot_domain }}"
+        -m "{{ certbot_renew_email }}"
+      args:
+        chdir: "{{ config_root }}"
+      tags: certbot
+
+    - name: Confirm that SSL certificate is installed
+      stat:
+        path: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+      register: certbot_certificates
+      tags: certbot
+
+  always:
+    - name: setup certbot renew cron job
+      cron:
+        name: "certbot-renew"
+        minute: "0"
+        hour: "0"
+        job: "sudo certbot renew --webroot --webroot-path /var/www/certbot/"
+      when: certbot_ssl
+
+    - name: run docker compose down
+      shell: >
+        docker compose --profile certbot down
+      args:
+        chdir: "{{ config_root }}"
+      tags: certbot