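---
# Ansible variables for a single-host Galaxy deployment: PostgreSQL, Galaxy
# under uWSGI and supervisord, nginx as the TLS front end, certbot, ProFTPD.
#
# NOTE(review): several values below are empty strings or begin at a bare path
# fragment ('/galaxy.yml', '/lib', 'directory=', server_name "", the redirect
# target 'https://$request_uri', the '/static' aliases). They look as if a
# variable reference was lost before this copy was made; confirm each against
# the real inventory before applying. They are reproduced here unchanged.

# Postgres
# No database password is set. The Galaxy connection string further down goes
# through the UNIX socket directory, so access presumably relies on peer
# authentication in pg_hba.conf -- confirm that no TCP listener accepts this
# role without a password.
postgresql_objects_users:
  - name: galaxy
    password: null
postgresql_objects_databases:
  - name: galaxy
    owner: galaxy

# Galaxy
galaxy_create_user: true
# Keeps code ownership separate from the account the server runs as.
galaxy_separate_privileges: true
galaxy_manage_paths: true
galaxy_layout: root-dir
galaxy_root: /srv/galaxy
galaxy_file_path: /data
galaxy_user: {name: galaxy, shell: /bin/bash}
# A release branch name rather than a commit hash: together with
# galaxy_force_checkout the deployed code follows whatever the branch head is
# at run time. Pin a reviewed commit if reproducible deployments are required.
galaxy_commit_id: release_18.09
galaxy_config_style: yaml
galaxy_force_checkout: true
galaxy_config:
  galaxy:
    brand: "My Galaxy"
    # Accounts listed here get full administrative rights in Galaxy.
    admin_users: admin@example.org
    database_connection: "postgresql:///galaxy?host=/var/run/postgresql"
    file_path: /data
    check_migrate_tools: false
    ftp_upload_dir: ""
    ftp_upload_site: "ftp://"
  uwsgi:
    # Loopback only; nginx (uwsgi_pass below) is the sole intended client.
    socket: '127.0.0.1:8080'
    buffer-size: 16384
    processes: 1
    threads: 4
    offload-threads: 2
    static-map:
      - /static/style=/static/style/blue
      - /static=/static
    master: true
    virtualenv: ""
    pythonpath: "/lib"
    module: 'galaxy.webapps.galaxy.buildapp:uwsgi_app()'
    thunder-lock: true
    die-on-term: true
    hook-master-start:
      - 'unix_signal:2 gracefully_kill_them_all'
      - 'unix_signal:15 gracefully_kill_them_all'
    py-call-osafterfork: true
    enable-threads: true
    # Our additions
    mule:
      - lib/galaxy/main.py
      - lib/galaxy/main.py
    farm: 'job-handlers:1,2'

# Supervisord
supervisor_socket_user: 'galaxy'
supervisor_socket_chown: 'galaxy'
galaxy_restart_handler_name: galaxy restart
supervisor_programs:
  - name: galaxy
    state: present
    command: uwsgi --yaml /galaxy.yml
    # The process runs as the unprivileged galaxy account. umask 022 leaves
    # the files it creates readable by every local account; 027 is tighter if
    # nothing outside the galaxy group has to read them (NOTE(review): nginx
    # serves the static directories directly -- confirm it still can).
    configuration: |
      autostart=true
      autorestart=true
      startretries=1
      startsecs=10
      user=galaxy
      umask=022
      directory=
      environment=HOME=,VIRTUALENV=,PATH=/bin:%(ENV_PATH)s

# NGINX
nginx_package_name: nginx-full  # nginx-galaxy on RHEL/CentOS
nginx_remove_default_vhost: true
nginx_server_names_hash_bucket_size: "128"
nginx_vhosts:
  # Port 80 only redirects to HTTPS.
  # NOTE(review): the redirect target has no host part; it should name the
  # site's canonical hostname rather than echo a client-supplied Host header.
  - listen: "80"
    server_name: ""
    return: "301 https://$request_uri"
    filename: ".80.conf"
  # TLS vhost. Review points for extra_parameters:
  # - ssl_protocols is already TLSv1.2 only, so the trailing nginx comment
  #   ("else use TLSv1.2") does not match the value. NOTE(review): it reads
  #   as if a TLSv1.3 entry was intended -- confirm.
  # - ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512 are not
  #   cipher names OpenSSL defines and add nothing to the list;
  #   ECDHE-RSA-AES256-SHA384 is a CBC suite. Check the effective list with
  #   `openssl ciphers -v '<string>'`.
  # - No ssl_dhparam is configured, so the DHE entries are presumably never
  #   negotiated on current nginx -- confirm.
  # - No Strict-Transport-Security header is sent although port 80 only
  #   redirects; add one once a production certificate is in place.
  # - /.well-known/ is proxied to 127.0.0.1:8118, the port certbot is told
  #   to use for HTTP-01 in certbot_auto_renew_extra.
  - listen: "443 ssl"
    server_name: ""
    root: "/var/www/"
    index: "index.html"
    access_log: "/var/log/nginx/access.log"
    error_log: "/var/log/nginx/error.log"
    state: "present"
    filename: ".conf"
    extra_parameters: |
      client_max_body_size 10G; # aka max upload size, defaults to 1M
      uwsgi_read_timeout 2400;
      location / {
          uwsgi_pass 127.0.0.1:8080;
          uwsgi_param UWSGI_SCHEME $scheme;
          include uwsgi_params;
      }
      location /.well-known/ {
          proxy_set_header Host $host:$server_port;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_pass http://127.0.0.1:8118;
          proxy_pass_request_headers on;
      }
      location /static {
          alias /static;
          expires 24h;
      }
      location /static/style {
          alias /static/style/blue;
          expires 24h;
      }
      location /static/scripts {
          alias /static/scripts;
          expires 24h;
      }
      location /robots.txt {
          alias /static/robots.txt;
      }
      location /favicon.ico {
          alias /static/favicon.ico;
      }
      location /static/welcome.html {
          alias /static/welcome.html.sample;
      }
      ssl_certificate /etc/ssl/certs/cert.pem;
      ssl_certificate_key /etc/ssl/private/privkey-nginx.pem;
      ssl_protocols TLSv1.2;# Requires nginx >= 1.13.0 else use TLSv1.2
      ssl_prefer_server_ciphers on;
      ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
      ssl_ecdh_curve secp384r1;
      ssl_session_timeout 10m;
      ssl_session_cache shared:SSL:10m;
      ssl_session_tickets off;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      resolver 8.8.8.8 8.8.4.4 valid=300s;
      resolver_timeout 5s;
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;

# Certbot
certbot_auto_renew: true
certbot_auto_renew_user: root
certbot_auto_renew_hour: 23
certbot_auto_renew_minute: 15
certbot_auto_renew_extra: "--preferred-challenges http-01 --http-01-port 8118"
# staging requests certificates from the Let's Encrypt staging CA, which
# browsers and FTP clients do not trust; switch to production once the setup
# has been verified.
certbot_environment: staging
certbot_domains:
  - ""
certbot_agree_tos: '--agree-tos'
certbot_admin_email: null  # Put YOUR email here
# Accounts listed here are given access to the private key.
certbot_share_key_users:
  - nginx
# '|| true' hides a failed restart; nginx would then keep serving the old
# certificate. Check the renewal log if a certificate expires unexpectedly.
certbot_post_renewal: |
  systemctl restart nginx || true

# ProFTPD
galaxy_ftp_upload_dir: "/ftp"
proftpd_display_connect: |
  Unauthorized access is prohibited
proftpd_galaxy_auth: true
__galaxy_user_name: galaxy
proftpd_options:
  - User: galaxy
  - Group: galaxy
# ProFTPD authenticates against the Galaxy database as its owner role.
# NOTE(review): a role limited to reading the user table would presumably be
# enough for login lookups -- verify against the role's queries.
proftpd_sql_user: galaxy
proftpd_sql_db: galaxy@/var/run/postgresql
proftpd_tls_cipher_suite: 'AES128+EECDH:AES128+EDH'
proftpd_tls_protocol: TLSv1.2
# Fixed: the value ended in ';', which is nginx syntax, not part of the file
# name; with it the path would name a file that does not exist.
proftpd_conf_ssl_certificate: "/etc/ssl/certs/cert.pem"
proftpd_conf_ssl_certificate_key: "/etc/ssl/private/privkey.pem"
proftpd_conf_ssl_ca_certificate: "/etc/ssl/certs/fullchain.pem"
proftpd_virtualhosts:
  - id: galaxy
    address: ""
    options:
      - ServerAdmin: admin@usegalaxy.eu
      - ServerName: UFR Galaxy FTP
      - TransferLog: "/var/log/proftpd/xfer/"
      - MaxLoginAttempts: 3
      # Accounts come from the Galaxy database and have no system shell.
      - RequireValidShell: false
      - AllowOverwrite: true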