Skip to content
Snippets Groups Projects
Unverified Commit de8ea728 authored by Todor Kondic's avatar Todor Kondic
Browse files

Add shinyproxy role

Shinyproxy has to be started manually. Why? I don't know. Perhaps I
should wrap this in a script.
parent ae82346f
No related branches found
No related tags found
No related merge requests found
Showing
with 319 additions and 7 deletions
eci_users:
- testuser
- testuser2
- ecitk
- eciae
- ecihmt
- testuser
- testuser2
eci_overseers:
- ecitk
- eciae
- ecihmt
eci_users_uid:
testuser: 61
testuser2: 62
testuser: 71
testuser2: 72
ecitk: 73
eciae: 74
ecihmt: 75
......@@ -4,3 +4,4 @@
roles:
- base
- ftpserver
- shinyproxy
......@@ -69,19 +69,24 @@
mode: '0755'
- name: Create private key.
tags: create-certs
notify: created-certs
community.crypto.openssl_privatekey:
path: /etc/eci-platform/priv/certificate.key
- name: Create certificate signing request (CSR) for self-signed certificate.
community.crypto.openssl_csr_pipe:
privatekey_path: /etc/eci-platform/priv/certificate.key
common_name: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}.uni.lux"
common_name: "{{ ansible_hostname }}.uni.lux"
organization_name: Environmental Cheminformatics
subject_alt_name:
- "DNS:{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}.uni.lux"
- "DNS:{{ ansible_hostname }}.uni.lux"
- "DNS:{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
register: csr
- name: Create self-signed certificate from CSR
tags: create-certs
notify: created-certs
community.crypto.x509_certificate:
path: /etc/eci-platform/pub/certificate.key
csr_content: "{{ csr.csr }}"
......
- name: Install packages.
apt:
name: [ "proftpd-basic" ]
name: [ "proftpd-core",
"proftpd-mod-crypto",
"proftpd-mod-wrap" ]
- name: Ensure group auth exists.
file:
......@@ -22,6 +24,13 @@
line: Umask 002 002
path: /etc/proftpd/proftpd.conf
notify: restart-ftp
- name: Configure ProFTPd umask.
ansible.builtin.lineinfile:
regexp: '^#?.LoadModule'
line: ModulePath mod_tls.c
path: /etc/proftpd/modules.conf
notify: restart-ftp
- name: Configure ProFTPd for multiple virtual users.
tags: proftpd-conf-text
......
import yaml
import os
fn_passwd="eci_passwords.yml"
fn_application="application.in.yml"
fn_users="eci_users.yml"
fn_out="application.yml"
names = yaml.safe_load(fn_passwd)
with open(fn_passwd, 'r') as file:
passwd = yaml.safe_load(file)['eci_passwords']
with open(fn_users,'r') as file:
x = yaml.safe_load(file)
users = x['eci_users']
overseers = x['eci_overseers']
all_users = list(set(users+overseers))
with open(fn_application,'r') as file:
appln = yaml.safe_load(file)
def use_group(user):
res=None
if user in users:
res = "eci"
elif user in overseers:
res = "overseers"
return(res)
appln['proxy']['users']=[ { 'name':x,'groups':use_group(x),'password':passwd[x] } for x in all_users ]
with open(fn_out, 'w') as file:
yaml.dump(appln, file, default_flow_style=False,sort_keys=False)
os.remove(fn_passwd)
os.remove(fn_users)
proxy:
title: ECI Platform
logo-url: https://wwwen.uni.lu/var/storage/images/universite/presentation/galerie_de_photos/learning_center_library/1446055-1-fre-FR/learning_center_library.jpg
# logo-url: https://www.openanalytics.eu/shinyproxy/logo.png
landing-page: /
heartbeat-rate: 10000
heartbeat-timeout: 60000
port: 8080
container-wait-time: 600000
container-log-path: /eci-users/proxer/container-logs
bind-address: 127.0.0.1
authentication: simple
admin-groups: overseers
# Example: 'simple' authentication configuration
# proxy[users] will be added later.
# Docker configuration
docker:
url: http://localhost:2375
port-range-start: 15000
specs:
- id: 01_shinyscreen
container-image: r-r-shinyscreen-coreutils-minimal-bash
container-cpu-limit: 4
display-name: Shinyscreen
port: 7777
container-volumes: [ "/eci-users:/scratch" ]
container-cmd: [ "R", "-e", "library(future);future::plan('multisession');usdir=Sys.getenv('SHINYPROXY_USERNAME');indir=file.path('/scratch',usdir);shinyscreen::serve(indir=indir,topuserdir='/scratch',user=usdir)"]
access-groups: [overseers,eci]
logging:
file:
name: shinyproxy.log
eci_passwords: "{{ eci_passwords }}"
overseers:
- ecitk
- ecihmt
- eciae
server {
listen 80;
server_name ___ECI_VM_HOSTNAME___;
rewrite ^(.*) https://$server_name$1 permanent;
}
server {
listen 443;
server_name ___ECI_VM_HOSTNAME___;
access_log /var/log/nginx/shinyproxy.access.log;
error_log /var/log/nginx/shinyproxy.error.log error;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /eci-users/proxer/certificate.pub.key;
ssl_certificate_key /eci-users/proxer/certificate.key;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 600s;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
[Service]
ExecStart=
ExecStart=/usr/sbin/dockerd -H unix:// -D -H tcp://127.0.0.1:2375
\ No newline at end of file
[Unit]
Description=Manual service for Shinyproxy.
After=docker.service nginx.service
BindsTo=docker.service nginx.service
ReloadPropagatedFrom=docker.service nginx.service
[Service]
Type=simple
ExecStart=/usr/bin/java -jar shinyproxy.jar
Restart=on-failure
User=proxer
WorkingDirectory=/eci_users/proxer
[Install]
WantedBy=multi-user.target
- name: Reload systemd.
listen:
- docker-reconf
ansible.builtin.systemd:
daemon_reload: yes
- name: Restart nginx.
listen:
- update-www-conf
ansible.builtin.service:
name: nginx
state: restarted
- name: Change application.yml permissions.
listen:
- shinyproxy-application
ansible.builtin.file:
path: /eci-users/proxer/application.yml
owner: proxer
mode: '0600'
- name: Restart shinyproxy.
listen:
- update-www-conf
- shinyproxy-service
ansible.builtin.service:
name: shinyproxy
state: restarted
enabled: yes
- name: Install docker.
apt:
name: [ 'docker.io',
'nginx',
'python3-yaml' ]
- name: Create service user 'proxer'.
user:
name: proxer
system: yes
groups:
- docker
- eci
- name: Create /eci-users/proxer.
ansible.builtin.file:
path: /eci-users/proxer
owner: proxer
state: directory
mode: '0711'
- name: Copy TLS keys for use here (priv).
ansible.builtin.copy:
remote_src: yes
src: /etc/eci-platform/priv/certificate.key
dest: /eci-users/proxer/certificate.key
owner: proxer
mode: 0600
- name: Copy TLS keys for use here(pub).
ansible.builtin.copy:
remote_src: yes
src: /etc/eci-platform/pub/certificate.key
dest: /eci-users/proxer/certificate.pub.key
owner: proxer
mode: 0644
- name: Copy configuration file for nginx (shinyproxy).
notify: update-www-conf
ansible.builtin.copy:
src: files/etc/nginx/conf.d/shinyproxy.conf
dest: /etc/nginx/conf.d/shinyproxy.conf
mode: '0644'
- name: Write the hostname/IP address to the shinyproxy.conf file.
notify: update-www-conf
ansible.builtin.replace:
path: /etc/nginx/conf.d/shinyproxy.conf
regexp: '___ECI_VM_HOSTNAME___'
replace: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
- name: Get Shinyproxy.
get_url:
url: https://www.shinyproxy.io/downloads/shinyproxy-2.6.0.jar
dest: /eci-users/proxer/shinyproxy.jar
owner: proxer
mode: '0700'
- name: Get Shinyscreen docker container.
get_url:
url: https://zenodo.org/record/6362024/files/docker-shinyscreen.tar.gz?download=1
dest: /eci-users/proxer/docker-shinyscreen.tar.gz
owner: proxer
mode: '0700'
- name: Create docker config directory.
ansible.builtin.file:
path: /etc/systemd/system/docker.service.d
state: directory
mode: '0744'
- name: Copy configuration file for docker (shinyproxy).
notify:
- docker-reconf
ansible.builtin.copy:
src: files/etc/systemd/system/docker.service.d/override.conf
dest: /etc/systemd/system/docker.service.d/override.conf
mode: '0644'
- name: Load docker image.
ansible.builtin.shell:
cmd: docker load -i docker-shinyscreen.tar.gz && touch loaded.shinyscreen
creates: loaded.shinyscreen
chdir: /eci-users/proxer
- name: Copy config file for shinyproxy.
tags: shinyproxy-conf
ansible.builtin.copy:
src: files/eci-users/proxer/application.in.yml
dest: /eci-users/proxer/application.in.yml
owner: proxer
mode: '0600'
- name: Copy users file for shinyproxy.
tags: shinyproxy-conf
ansible.builtin.template:
src: "eci-users/proxer/{{ item }}.tmpl.yml"
dest: "/eci-users/proxer/{{ item }}.yml"
owner: proxer
mode: '0600'
loop:
- eci_passwords
- eci_users
- name: Generate application.yml.
tags: shinyproxy-conf
notify:
- shinyproxy-application
ansible.builtin.script:
cmd: files/eci-users/proxer/addusers.py
chdir: /eci-users/proxer
executable: python3
- name: Copy service file for shinyproxy.
tags: shinyproxy-conf
notify: shinyproxy-service
ansible.builtin.copy:
src: files/etc/systemd/system/shinyproxy.service
dest: /etc/systemd/system/shinyproxy.service
mode: '0644'
eci_passwords: {{ eci_passwords }}
eci_users: {{ eci_users }}
eci_overseers: {{ eci_overseers }}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment