diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index ffce46eb4..14f358ced 100644 --- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml @@ -57,11 +57,19 @@ jobs: cd opencrvs-core git checkout ${{ github.event.inputs.core-image-tag }} + - name: Read known hosts + run: | + cd ${{ github.event.repository.name }} + echo "KNOWN_HOSTS<> $GITHUB_ENV + sed -i -e '$a\' ./infrastructure/.known-hosts + cat ./infrastructure/.known-hosts >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - name: Install SSH Key uses: shimataro/ssh-key-action@v2 with: key: ${{ secrets.SSH_KEY }} - known_hosts: ${{ secrets.KNOWN_HOSTS }} + known_hosts: ${{ env.KNOWN_HOSTS }} - name: Login to DockerHub uses: docker/login-action@v1 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 970ff7adc..c7ad664e8 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -1,4 +1,4 @@ -name: Deploy(development) +name: Deploy (development) run-name: Deploy to ${{ github.event.inputs.environment }} with reset=${{ github.event.inputs.reset }} core=${{ github.event.inputs.core-image-tag }} country config=${{ github.event.inputs.countryconfig-image-tag }} on: workflow_dispatch: @@ -11,6 +11,7 @@ on: options: - staging - qa + - development core-image-tag: description: Core DockerHub image tag required: true @@ -60,11 +61,19 @@ jobs: cd opencrvs-core git checkout ${{ github.event.inputs.core-image-tag }} + - name: Read known hosts + run: | + cd ${{ github.event.repository.name }} + echo "KNOWN_HOSTS<> $GITHUB_ENV + sed -i -e '$a\' ./infrastructure/.known-hosts + cat ./infrastructure/.known-hosts >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + - name: Install SSH Key uses: shimataro/ssh-key-action@v2 with: key: ${{ secrets.SSH_KEY }} - known_hosts: ${{ secrets.KNOWN_HOSTS }} + known_hosts: ${{ env.KNOWN_HOSTS }} - name: Login to DockerHub uses: docker/login-action@v1 
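Review bot: The SSH host-key trust anchor for production deploys now comes from `infrastructure/.known-hosts` at whatever ref the workflow checks out, instead of the `KNOWN_HOSTS` environment secret, so anyone who can land a change on a deployable branch can change which host keys are accepted, and because the entries are hashed (`|1|…`) a changed line is not reviewable by eye. If that is intended, it deserves a comment on the step, e.g. `# Host keys are pinned in-repo; review any change to infrastructure/.known-hosts as a trust change`. As a point of style, the step writes to an unquoted `$GITHUB_ENV` while the provision.yml step removed further down this diff quoted `"$GITHUB_ENV"`; using `>> "$GITHUB_ENV"` on all three lines keeps the workflows consistent. The deploy.yml hunk on this same line adds the identical step and has the same points.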
diff --git a/.github/workflows/provision.yml b/.github/workflows/provision.yml index f5e338886..c9840dd51 100644 --- a/.github/workflows/provision.yml +++ b/.github/workflows/provision.yml @@ -9,6 +9,7 @@ on: default: qa required: true options: + - development - staging - qa - production @@ -51,26 +52,8 @@ jobs: fetch-depth: 0 path: './${{ github.event.repository.name }}' - - name: Set environment type ENV_TYPE - run: | - if [ "${{ github.event.inputs.environment }}" == "production" ]; then - echo "ENV_TYPE=production" >> "$GITHUB_ENV" - else - echo "ENV_TYPE=qa" >> "$GITHUB_ENV" - fi - - - name: Setup PEM file - # Secret didn't work directly in the if condition - env: - SSH_KEY: ${{ secrets.SSH_KEY }} - if: ${{ env.SSH_KEY }} - run: | - echo "${{ secrets.SSH_KEY }}" > /tmp/server.pem - chmod 600 /tmp/server.pem - - name: Set variables for ansible in production environments - id: ansible-production-variables - if: env.ENV_TYPE == 'production' + id: ansible-variables run: | JSON_WITH_NEWLINES=$(cat<> $GITHUB_OUTPUT - env: - encrypted_disk_size: ${{ vars.DISK_SPACE }} - disk_encryption_key: ${{ secrets.ENCRYPTION_KEY }} - dockerhub_username: ${{ secrets.DOCKER_USERNAME }} - dockerhub_password: ${{ secrets.DOCKER_TOKEN }} - mongodb_admin_username: ${{ secrets.MONGODB_ADMIN_USER }} - mongodb_admin_password: ${{ secrets.MONGODB_ADMIN_PASSWORD }} - elasticsearch_superuser_password: ${{ secrets.ELASTICSEARCH_SUPERUSER_PASSWORD }} - - name: Read known hosts run: | cd ${{ github.event.repository.name }} @@ -136,6 +101,6 @@ jobs: directory: ${{ github.event.repository.name }}/infrastructure/server-setup options: | --verbose - --inventory ${{ github.event.inputs.environment }}.ini + --inventory ${{ github.event.inputs.environment }}.yml ${{ inputs.tag != 'all' && format('--tags={0}', inputs.tag) || ''}} --extra-vars ""${{ steps.ansible-variables.outputs.EXTRA_VARS }}"" diff --git a/.gitignore b/.gitignore index 1c033dbcc..9e4d6290d 100644 --- a/.gitignore +++ b/.gitignore 
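Review bot: The variables step loses the `env:` block that fed `disk_encryption_key`, `dockerhub_password`, `mongodb_admin_password` and `elasticsearch_superuser_password` into it, and the `Setup PEM file` step that wrote `/tmp/server.pem` is removed entirely, while the step body that builds `EXTRA_VARS` (the heredoc is not legible in this hunk) and the ansible step further down may still expect both. If those secrets now reach ansible another way, a comment on the step such as `# Secrets are passed to ansible through the EXTRA_VARS output, not via env` would tell the next reader; if not, the removed `env:` mapping needs to come back. Any step that consumed `/tmp/server.pem` is outside this hunk, so confirm nothing still reads it.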
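Review bot: `--inventory ${{ github.event.inputs.environment }}.yml` assumes a YAML inventory exists for every entry of the `environment` choice list, but this diff only adds `development.yml` and `production.yml` under `infrastructure/server-setup/` and deletes `production.ini`; unless `qa.yml` and `staging.yml` are already present, selecting `qa` or `staging` fails inside ansible-playbook with a missing-inventory error. A guard step before the ansible step fails fast with a clear message, e.g. `test -f ${{ github.event.repository.name }}/infrastructure/server-setup/${{ github.event.inputs.environment }}.yml || { echo "No inventory for this environment"; exit 1; }`.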
@@ -32,3 +32,4 @@ graphql.schema.json *.tar.gz 9. config: Translations *.xlsx +.secrets diff --git a/infrastructure/.known-hosts b/infrastructure/.known-hosts index e1b0c4477..e1ffd7250 100644 --- a/infrastructure/.known-hosts +++ b/infrastructure/.known-hosts @@ -10,3 +10,10 @@ |1|mmWxyVhdNt+9vCZY8YSu/b5T6mI=|oWUySmyU/yK3gMAgrMpcfutjats= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEp49NpGjmoCmYAHnNbZF6dpo0G3L3Z3m++B4Pq3sVUTLwMuNv4WfoebiSJH20tcTq92XbFV5NfCmdnfoksr/1Y= |1|EWKHZMaMYdiCWDSqV8DsOmqFJ3c=|GQ0ApYEAoubxL2n9VFMY5cnN8Yc= ssh-rsa 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 |1|FuRTlvDs4p17HjsAIGQ7wQml0TM=|qDsBKG5gV6TDM2dw0lykGLS+11M= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/ZvINySxP0MXtHBbaJ6FqDBaFUl/YVAyUItqfiyeez +# Farajaland development +|1|HDuiYEmDGno6Qcs8u1cpZRhZ2+4=|rOmBlnsU8fhz+rvrhYsxuaxoYdw= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZVo8Jsqw6akzCRm8ID0zd2OAxU5NeOvS/iE3win98w +|1|Mn/W3dDtZHMVIBfAFoDM2O6imh0=|Xh0YgKB9aMgqwpcW5sGQ7bwaKqw= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZVo8Jsqw6akzCRm8ID0zd2OAxU5NeOvS/iE3win98w +|1|tAUs/oZqV0DzGk2O5FYIt82cnPk=|MH0OH93IaaS133rnrVg7Iu6H9lU= ssh-rsa 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 +|1|EnE18GaKM2Ymvhe7nzilrncK59o=|gon3Vv+SSHdKpAqvQvtiAxdGG3U= ssh-rsa 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 +|1|12gTsp66sVImqDWOlvPjkcpCQq4=|ETbKnsuLe+4YbTCEC/3P46AN/CE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC6FQAe/NJr47AbOwedQoK9+pIgaiBte1c66fLTSsNnWiBEvte4JL4ar+DHtbjhE8Huzui+Bn9U/JFo/VzgTWzQ= +|1|f96Se5EQQt03o+9o17PPmpQLaB8=|ao3mjUl8K0VpfL3sLuCYKc7bjV8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC6FQAe/NJr47AbOwedQoK9+pIgaiBte1c66fLTSsNnWiBEvte4JL4ar+DHtbjhE8Huzui+Bn9U/JFo/VzgTWzQ= \ No newline at end of file diff --git a/infrastructure/create-github-environment.js b/infrastructure/create-github-environment.js index 06f2c9ce4..54b2f295a 100644 --- a/infrastructure/create-github-environment.js 
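Review bot: The six new entries are hashed (`|1|…`), so a reader cannot tell which of them bind the development host's name and which its IP address, nor why each key type appears twice; the `# Farajaland development` heading is the only clue. Since deploy.yml in this diff now reads this file as the SSH trust anchor, one comment per key pair naming where it was captured from (host name or address and the date of the `ssh-keyscan`, e.g. `# <dev manager hostname>, scanned <date>` with the real values filled in) makes later changes reviewable. The file also still ends without a trailing newline (`\ No newline at end of file`), which the workflows paper over with `sed -i -e '$a\'`; adding the newline here removes the need for the deploy step to modify the checkout.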
+++ b/infrastructure/create-github-environment.js 
@@ -1,35 +1,45 @@ +const minimist = require('minimist') const sodium = require('libsodium-wrappers') const { Octokit } = require('@octokit/core') const { writeFileSync } = require('fs') +const { existsSync } = require('fs') +const { mkdirSync } = require('fs') + +const args = minimist(process.argv.slice(2), { + string: ['vpn-type'], + boolean: ['sms-enabled', 'configure-vpn', 'dry-run', 'configure-backup'], + alias: {} +}) const config = { environment: '', - repo: { - REPOSITORY_ID: '', - REPOSITORY_ACCOUNT: '', - REPOSITORY_NAME: '', - DOCKERHUB_ACCOUNT: '', // This may be a dockerhub organisation or the same as the username - DOCKERHUB_REPO: '', - DOCKER_USERNAME: process.env.DOCKER_USERNAME, - DOCKER_TOKEN: process.env.DOCKER_TOKEN + dockerhub: { + ORGANISATION: 'opencrvs', // This may be a dockerhub organisation or the same as the username + REPOSITORY: 'opencrvs-farajaland', + USERNAME: process.env.DOCKER_USERNAME, + TOKEN: process.env.DOCKER_TOKEN + }, + github_repository: { + ORGANISATION: 'opencrvs', + REPOSITORY_NAME: 'opencrvs-farajaland' }, ssh: { - KNOWN_HOSTS: process.env.KNOWN_HOSTS, SSH_HOST: process.env.SSH_HOST, // IP address for the manager SSH_USER: process.env.SSH_USER, SSH_KEY: process.env.SSH_KEY // id_rsa }, infrastructure: { DISK_SPACE: '', // e.g. 200g - HOSTNAME: '', // server machine hostname used when provisioning. You would need to adapt to support 3 or 5 replicas DOMAIN: '', // web domain applied after all public subdomains REPLICAS: '1' }, + sms: { + INFOBIP_API_KEY: process.env.INFOBIP_API_KEY, + INFOBIP_GATEWAY_ENDPOINT: process.env.INFOBIP_GATEWAY_ENDPOINT, + INFOBIP_SENDER_ID: process.env.INFOBIP_SENDER_ID // the name of the SMS sender e.g. OpenCRVS + }, services: { - SENTRY_DSN: process.env.SENTRY_DSN || '', - INFOBIP_API_KEY: process.env.INFOBIP_API_KEY || '', - INFOBIP_GATEWAY_ENDPOINT: process.env.INFOBIP_GATEWAY_ENDPOINT || '', - INFOBIP_SENDER_ID: process.env.INFOBIP_SENDER_ID || '' // the name of the SMS sender e.g. 
OpenCRVS + SENTRY_DSN: process.env.SENTRY_DSN }, seeding: { ACTIVATE_USERS: '', // Must be a string 'true' for QA or 'false' in PRODUCTION! @@ -38,21 +48,27 @@ const config = { GATEWAY_HOST: '' }, smtp: { - SMTP_HOST: process.env.SMTP_HOST || '', - SMTP_USERNAME: process.env.SMTP_USERNAME || '', - SMTP_PASSWORD: process.env.SMTP_PASSWORD || '', - EMAIL_API_KEY: process.env.EMAIL_API_KEY || '', + SMTP_HOST: process.env.SMTP_HOST, + SMTP_USERNAME: process.env.SMTP_USERNAME, + SMTP_PASSWORD: process.env.SMTP_PASSWORD, SMTP_PORT: '', ALERT_EMAIL: '' }, vpn: { // openconnect details for optional VPN - VPN_PROTOCOL: '', // e,g, fortinet, wireguard etc - VPN_HOST: process.env.VPN_HOST || '', - VPN_PORT: process.env.VPN_PORT || '', - VPN_USER: process.env.VPN_USER || '', - VPN_PWD: process.env.VPN_PWD || '', - VPN_SERVERCERT: process.env.VPN_SERVERCERT || '' + type: args['vpn-type'], // e,g, fortinet, wireguard etc + wireguard: { + VPN_HOST_ADDRESS: process.env.VPN_HOST_ADDRESS, // IP address for the VPN server + VPN_ADMIN_PASSWORD: process.env.VPN_ADMIN_PASSWORD + }, + openconnect: { + VPN_PROTOCOL: process.env.VPN_PROTOCOL, + VPN_HOST_ADDRESS: process.env.VPN_HOST_ADDRESS, + VPN_PORT: process.env.VPN_PORT, + VPN_USER: process.env.VPN_USER, + VPN_PWD: process.env.VPN_PWD, + VPN_SERVERCERT: process.env.VPN_SERVERCERT + } }, whitelist: { CONTENT_SECURITY_POLICY_WILDCARD: '*.', // e.g. *. @@ -69,11 +85,11 @@ const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN }) -async function createVariable(environment, name, value) { +async function createVariable(repositoryId, environment, name, value) { await octokit.request( - `POST /repositories/${config.repo.REPOSITORY_ID}/environments/${config.environment}/variables`, + `POST /repositories/${repositoryId}/environments/${config.environment}/variables`, { - repository_id: config.repo.REPOSITORY_ID, + repository_id: repositoryId, environment_name: environment, name: name, value: value, 
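Review bot: The three separate `require('fs')` destructures at the top of the hunk (`writeFileSync`, `existsSync`, `mkdirSync`) read as if three modules were loaded; one line, `const { writeFileSync, existsSync, mkdirSync } = require('fs')`, says the same. `alias: {}` in the minimist options is a no-op and can be dropped. The `config` literal continues past the end of this hunk.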
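Review bot: `EMAIL_API_KEY` is dropped from `config.smtp` and nothing else in the new config carries it, so `createSecret` will no longer create that environment secret, yet `docker-compose.production-deploy.yml` and the new `docker-compose.demo-deploy.yml` in this same diff still set `- EMAIL_API_KEY=${EMAIL_API_KEY}` on countryconfig, which will interpolate to empty at deploy time. Either keep `EMAIL_API_KEY: process.env.EMAIL_API_KEY` in `smtp` or remove the consumer lines from the compose files. Note also that both `vpn.wireguard` and `vpn.openconnect` read `process.env.VPN_HOST_ADDRESS`, which only works while exactly one VPN type is configured per environment; a comment on the second use saying so would prevent a surprise later.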
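Review bot: `createVariable` now receives `repositoryId` and `environment` as parameters, but the request URL still interpolates `config.environment` while the request body sends `environment_name: environment`; the two can disagree as soon as the function is called for any environment other than the configured one. Use the parameter in both places by changing the URL template to `POST /repositories/${repositoryId}/environments/${environment}/variables`. The rest of the request object continues past the hunk.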
@@ -84,7 +100,27 @@ async function createVariable(environment, name, value) { ) } -async function createSecret(environment, key, keyId, name, secret) { +async function getRepositoryId(owner, repo) { + try { + const response = await octokit.request('GET /repos/{owner}/{repo}', { + owner: owner, + repo: repo + }) + + return response.data.id + } catch (error) { + console.error('Error fetching repository information:', error) + } +} + +async function createSecret( + repositoryId, + environment, + key, + keyId, + name, + secret +) { //Check if libsodium is ready and then proceed. await sodium.ready @@ -102,9 +138,9 @@ async function createSecret(environment, key, keyId, name, secret) { ) await octokit.request( - `PUT /repositories/${config.repo.REPOSITORY_ID}/environments/${environment}/secrets/${name}`, + `PUT /repositories/${repositoryId}/environments/${environment}/secrets/${name}`, { - repository_id: config.repo.REPOSITORY_ID, + repository_id: repositoryId, environment_name: environment, secret_name: name, encrypted_value: encryptedValue, @@ -117,8 +153,13 @@ async function createSecret(environment, key, keyId, name, secret) { } async function getPublicKey(environment) { + const repositoryId = await getRepositoryId( + config.github_repository.ORGANISATION, + config.github_repository.REPOSITORY_NAME + ) + await octokit.request( - `PUT /repos/${config.repo.REPOSITORY_ACCOUNT}/${config.repo.REPOSITORY_NAME}/environments/${environment}`, + `PUT /repos/${config.github_repository.ORGANISATION}/${config.github_repository.REPOSITORY_NAME}/environments/${environment}`, { headers: { 'X-GitHub-Api-Version': '2022-11-28' 
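Review bot: `getRepositoryId` catches the request error, logs it and falls through, so it returns `undefined`; every later call then targets `/repositories/undefined/...` and fails with a far less useful error (or, from `getPublicKey`, a 404 that hides the real cause such as a bad token or repository name). Rethrow after logging, `console.error('Error fetching repository information:', error); throw error`, or call `process.exit(1)`, so the run stops at the first step with the real message. The id is also fetched twice per run — inside `getPublicKey` (the `@@ -117` hunk) and again in `main` (the `@@ -150` hunk) — so fetching it once in `main` and passing it into `getPublicKey` removes a round-trip and a second failure point.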
@@ -127,10 +168,10 @@ async function getPublicKey(environment) { ) const res = await octokit.request( - `GET /repositories/${config.repo.REPOSITORY_ID}/environments/${environment}/secrets/public-key`, + `GET /repositories/${repositoryId}/environments/${environment}/secrets/public-key`, { - owner: config.repo.DOCKERHUB_ACCOUNT, - repo: config.repo.DOCKERHUB_REPO, + owner: config.github_repository.ORGANISATION, + repo: config.github_repository.REPOSITORY_NAME, headers: { 'X-GitHub-Api-Version': '2022-11-28' } @@ -150,12 +191,23 @@ function generateLongPassword() { } async function main() { + if (!config.environment) { + console.error('Please specify an environment in config.environment') + process.exit(1) + } + const { key, key_id } = await getPublicKey(config.environment) + const repositoryId = await getRepositoryId( + config.github_repository.ORGANISATION, + config.github_repository.REPOSITORY_NAME + ) + let backupSecrets = {} let backupVariables = {} let vpnSecrets = {} + let smsSecrets = {} - if (process.argv.includes('--configure-backup')) { + if (args['configure-backup']) { backupSecrets = { BACKUP_HOST: config.backup.BACKUP_HOST } @@ -165,9 +217,19 @@ async function main() { } } - if (process.argv.includes('--configure-vpn')) { + if (args['configure-vpn']) { + if (!config.vpn.type) { + console.error('Please specify a VPN type with --vpn-type') + process.exit(1) + } vpnSecrets = { - ...config.vpn + ...config.vpn[config.vpn.type] + } + } + + if (args['sms-enabled']) { + smsSecrets = { + ...config.sms } } 
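Review bot: The new `config.environment` guard in `main` can never pass without editing the source: `environment: ''` is hard-coded in the `config` literal at the top of the file and no minimist option sets it, so the script as committed always prints the error and exits 1. If operators are expected to edit the file, say so in the message, `'Please set config.environment in this file before running'`; otherwise add `'environment'` to minimist's `string` list and initialise the config with `environment: args.environment || ''`. `main` continues past this hunk.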
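Review bot: `...config.vpn[config.vpn.type]` silently spreads `undefined` into an empty object when `--vpn-type` is anything other than `wireguard` or `openconnect`, so a typo yields a run that creates no VPN secrets and reports no error (the later empty-value loop only sees keys that exist). Validate the lookup rather than only the flag: `if (!config.vpn[config.vpn.type])` followed by an error that lists the supported types and `process.exit(1)`.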
@@ -185,15 +247,17 @@ async function main() { } const SECRETS = { - DOCKERHUB_ACCOUNT: config.repo.DOCKERHUB_ACCOUNT, - DOCKERHUB_REPO: config.repo.DOCKERHUB_REPO, - DOCKER_TOKEN: config.repo.DOCKER_TOKEN, + DOCKERHUB_ACCOUNT: config.dockerhub.ORGANISATION, + DOCKERHUB_REPO: config.dockerhub.REPOSITORY, + DOCKER_TOKEN: config.dockerhub.TOKEN, + DOCKER_USERNAME: config.dockerhub.USERNAME, ...SECRETS_TO_SAVE_IN_PASSWORD_MANAGER, ...config.ssh, ...config.smtp, ...config.services, ...backupSecrets, - ...vpnSecrets + ...vpnSecrets, + ...smsSecrets } const VARIABLES = { ...config.infrastructure, 
@@ -201,30 +265,67 @@ async function main() { ...config.whitelist, ...backupVariables } - writeFileSync( - '../.secrets/SECRETS_TO_SAVE_IN_PASSWORD_MANAGER_FOR_ENV_' + - config.environment + - '.json', - JSON.stringify([SECRETS_TO_SAVE_IN_PASSWORD_MANAGER], null, 2) - ) - if (process.argv.includes('--dry-run')) { - console.log('Dry run. Not creating secrets or variables.') - process.exit(0) - } else { - for (const [secretName, secretValue] of Object.entries(SECRETS)) { - await createSecret( - config.environment, - key, - key_id, - secretName, - secretValue + + const errors = [] + for (const [secretName, secretValue] of Object.entries(SECRETS)) { + if (secretValue === undefined || secretValue === '') { + errors.push( + `Secret ${secretName} is empty. Please set the value in the config.` ) } + } - for (const [variableName, variableValue] of Object.entries(VARIABLES)) { - await createVariable(config.environment, variableName, variableValue) + for (const [variableName, variableValue] of Object.entries(VARIABLES)) { + if (variableValue === undefined || variableValue === '') { + errors.push( + `Variable ${variableName} is empty. Please set the value in the config.` + ) } } + + if (args['dry-run']) { + console.log('Dry run. 
Not creating secrets or variables.') + console.log(SECRETS) + console.log(VARIABLES) + console.log('Errors:', errors) + process.exit(0) + } + + if (errors.length > 0) { + console.error(errors) + process.exit(1) + } + + for (const [secretName, secretValue] of Object.entries(SECRETS)) { + await createSecret( + repositoryId, + config.environment, + key, + key_id, + secretName, + secretValue + ) + } + + for (const [variableName, variableValue] of Object.entries(VARIABLES)) { + await createVariable( + repositoryId, + config.environment, + variableName, + variableValue + ) + } + + if (!existsSync('.secrets')) { + mkdirSync('.secrets') + } + + writeFileSync( + '.secrets/SECRETS_TO_SAVE_IN_PASSWORD_MANAGER_FOR_ENV_' + + config.environment + + '.json', + JSON.stringify([SECRETS_TO_SAVE_IN_PASSWORD_MANAGER], null, 2) + ) } main() diff --git a/infrastructure/deploy.sh b/infrastructure/deploy.sh index f68a1102b..d8b37ba6b 100755 --- a/infrastructure/deploy.sh +++ b/infrastructure/deploy.sh @@ -75,7 +75,7 @@ function trapint { print_usage_and_exit () { echo 'Usage: ./deploy.sh --clear_data=yes|no --host --environment --ssh_host --ssh_user --version --country_config_version --replicas' echo " --clear_data must have a value of 'yes' or 'no' set e.g. --clear_data=yes" - echo " --environment can be 'production' or 'development' or 'qa' or 'demo'" + echo " --environment can be 'production', 'development', 'qa' or similar" echo ' --host is the server to deploy to' echo " --version can be any OpenCRVS Core docker image tag or 'latest'" echo " --country_config_version can be any OpenCRVS Country Configuration docker image tag or 'latest'" 
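Review bot: In the dry-run branch `console.log(SECRETS)` prints every secret value — the SSH private key, DockerHub token, SMTP and VPN passwords and the freshly generated ones — to stdout, where it ends up in shell history or CI logs; print the names instead, `console.log(Object.keys(SECRETS))`, and keep values only in the `.secrets` file. The password-manager export is now written only after both upload loops complete, whereas the old code wrote it first, so if `createSecret` throws midway the secrets already stored in GitHub have no local copy. Move the `existsSync`/`mkdirSync`/`writeFileSync` block ahead of the upload loops (or into a `finally`) so the record survives a partial failure. The dry-run branch also exits before writing the file, so a dry run no longer produces the export the old code did; if that is intended, the dry-run message should say so.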
@@ -413,8 +413,7 @@ docker_stack_deploy() { CORE_COMPOSE_FILES_WITH_LOCAL_PATHS=$(echo "$COMPOSE_FILED_FROM_CORE" | sed "s|docker-compose|/tmp/docker-compose|g") COMMON_COMPOSE_FILES_WITH_LOCAL_PATHS="$BASEDIR/docker-compose.deploy.yml $CORE_COMPOSE_FILES_WITH_LOCAL_PATHS" - ENV_VARIABLES="HOSTNAME=$HOST - VERSION=$VERSION + ENV_VARIABLES="VERSION=$VERSION COUNTRY_CONFIG_VERSION=$COUNTRY_CONFIG_VERSION PAPERTRAIL=$PAPERTRAIL USER_MGNT_MONGODB_PASSWORD=$USER_MGNT_MONGODB_PASSWORD @@ -483,22 +482,8 @@ docker_stack_deploy() { FILES_TO_ROTATE="/opt/opencrvs/docker-compose.deploy.yml" # Deploy the OpenCRVS stack onto the swarm -if [[ "$ENV" = "staging" ]]; then - ENVIRONMENT_COMPOSE="docker-compose.staging-deploy.yml" - FILES_TO_ROTATE="${FILES_TO_ROTATE} /opt/opencrvs/docker-compose.staging-deploy.yml" -elif [[ "$ENV" = "qa" ]]; then - ENVIRONMENT_COMPOSE="docker-compose.qa-deploy.yml" - FILES_TO_ROTATE="${FILES_TO_ROTATE} /opt/opencrvs/docker-compose.qa-deploy.yml" -elif [[ "$ENV" = "production" ]]; then - ENVIRONMENT_COMPOSE="docker-compose.production-deploy.yml" - FILES_TO_ROTATE="${FILES_TO_ROTATE} /opt/opencrvs/docker-compose.production-deploy.yml" -elif [[ "$ENV" = "demo" ]]; then - ENVIRONMENT_COMPOSE="docker-compose.production-deploy.yml" - FILES_TO_ROTATE="${FILES_TO_ROTATE} /opt/opencrvs/docker-compose.production-deploy.yml" -else - echo "Unknown error running docker-compose on server as ENV is not staging, qa, demo or production." - exit 1 -fi +ENVIRONMENT_COMPOSE="docker-compose.$ENV-deploy.yml" +FILES_TO_ROTATE="${FILES_TO_ROTATE} /opt/opencrvs/docker-compose.$ENV-deploy.yml" rotate_secrets "$FILES_TO_ROTATE" docker_stack_deploy "$ENVIRONMENT_COMPOSE" diff --git a/infrastructure/docker-compose.demo-deploy.yml b/infrastructure/docker-compose.demo-deploy.yml new file mode 100644 index 000000000..6969d0285 --- /dev/null +++ b/infrastructure/docker-compose.demo-deploy.yml 
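Review bot: Replacing the `if`/`elif` chain with `ENVIRONMENT_COMPOSE="docker-compose.$ENV-deploy.yml"` removes the only validation of `$ENV`; a mistyped or unsupported environment now produces a path to a compose file that does not exist and fails later inside `docker_stack_deploy` with a less obvious error, and `demo`, which previously mapped to the production compose file, now needs a file of its own. Fail fast with a file check, e.g. `[[ -f "$BASEDIR/$ENVIRONMENT_COMPOSE" ]] || { echo "No compose file $ENVIRONMENT_COMPOSE for environment '$ENV'"; exit 1; }` — `$BASEDIR` is what the hunk above uses to locate `docker-compose.deploy.yml`, so it is presumably the right root, but confirm where `docker_stack_deploy` resolves its argument, since that function is outside the hunk.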
@@ -0,0 +1,234 @@ +version: '3.3' + +services: + gateway: + environment: + - NODE_ENV=production + - LANGUAGES=en,fr + - SENTRY_DSN=${SENTRY_DSN} + deploy: + replicas: 2 + + workflow: + environment: + - NODE_ENV=production + - LANGUAGES=en,fr + - SENTRY_DSN=${SENTRY_DSN} + deploy: + replicas: 2 + + search: + environment: + - NODE_ENV=production + - SENTRY_DSN=${SENTRY_DSN} + deploy: + replicas: 2 + + metrics: + environment: + - NODE_ENV=production + - SENTRY_DSN=${SENTRY_DSN} + - MONGO_URL=mongodb://metrics:${METRICS_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/metrics?replicaSet=rs0 + - HEARTH_MONGO_URL=mongodb://hearth:${HEARTH_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/hearth-dev?replicaSet=rs0 + - DASHBOARD_MONGO_URL=mongodb://performance:${PERFORMANCE_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/performance?replicaSet=rs0 + + auth: + environment: + - NODE_ENV=production + - SENTRY_DSN=${SENTRY_DSN} + deploy: + replicas: 2 + + user-mgnt: + environment: + - NODE_ENV=production + - SENTRY_DSN=${SENTRY_DSN} + - MONGO_URL=mongodb://user-mgnt:${USER_MGNT_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/user-mgnt?replicaSet=rs0 + deploy: + replicas: 2 + + notification: + environment: + - NODE_ENV=production + - LANGUAGES=en,fr + - SENTRY_DSN=${SENTRY_DSN} + deploy: + replicas: 2 + + webhooks: + environment: + - NODE_ENV=production + - SENTRY_DSN=${SENTRY_DSN} + - MONGO_URL=mongodb://webhooks:${WEBHOOKS_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/webhooks?replicaSet=rs0 + deploy: + replicas: 2 + + config: + environment: + - NODE_ENV=production + - SENTRY_DSN=${SENTRY_DSN} + - MONGO_URL=mongodb://config:${CONFIG_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/application-config?replicaSet=rs0 + deploy: + replicas: 2 + + scheduler: + environment: + - NODE_ENV=production + - OPENHIM_MONGO_URL=mongodb://openhim:${OPENHIM_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/openhim-dev?replicaSet=rs0 + + documents: + environment: + - NODE_ENV=production + + countryconfig: + image: 
${DOCKERHUB_ACCOUNT}/${DOCKERHUB_REPO}:${COUNTRY_CONFIG_VERSION:-latest} + restart: unless-stopped + secrets: + - jwt-public-key.{{ts}} + environment: + - NODE_ENV=production + - FHIR_URL=http://hearth:3447/fhir + - AUTH_URL=http://auth:4040 + - APPLICATION_CONFIG_URL=http://config:2021 + - OPENHIM_URL=http://openhim-core:5001/fhir + - CONFIRM_REGISTRATION_URL=http://openhim-core:5001/confirm/registration + - CHECK_INVALID_TOKEN=true + - EMAIL_API_KEY=${EMAIL_API_KEY} + - INFOBIP_GATEWAY_ENDPOINT=${INFOBIP_GATEWAY_ENDPOINT} + - INFOBIP_API_KEY=${INFOBIP_API_KEY} + - INFOBIP_SENDER_ID=${INFOBIP_SENDER_ID} + - SENDER_EMAIL_ADDRESS=${SENDER_EMAIL_ADDRESS} + - SENTRY_DSN=${SENTRY_DSN} + deploy: + replicas: 2 + + client: + environment: + - DECLARED_DECLARATION_SEARCH_QUERY_COUNT=100 + deploy: + replicas: 2 + + logstash: + deploy: + replicas: 2 + + apm-server: + deploy: + replicas: 2 + + components: + deploy: + replicas: 2 + + login: + deploy: + replicas: 2 + + hearth: + environment: + - mongodb__url=mongodb://hearth:${HEARTH_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/hearth-dev?replicaSet=rs0 + depends_on: + - mongo1 + - mongo2 + - mongo3 + deploy: + replicas: 2 + + migration: + environment: + - USER_MGNT_MONGO_URL=mongodb://user-mgnt:${USER_MGNT_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/user-mgnt?replicaSet=rs0 + - APPLICATION_CONFIG_MONGO_URL=mongodb://config:${CONFIG_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/application-config?replicaSet=rs0 + - PERFORMANCE_MONGO_URL=mongodb://performance:${PERFORMANCE_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/performance?replicaSet=rs0 + - HEARTH_MONGO_URL=mongodb://hearth:${HEARTH_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/hearth-dev?replicaSet=rs0 + - OPENHIM_MONGO_URL=mongodb://openhim:${OPENHIM_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/openhim-dev?replicaSet=rs0 + - WAIT_HOSTS=mongo1:27017,mongo2:27017,mongo3:27017,influxdb:8086,minio:9000,elasticsearch:9200 + depends_on: + - mongo1 + - mongo2 + - mongo3 + + openhim-core: + environment: + - 
mongo_url=mongodb://openhim:${OPENHIM_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/openhim-dev?replicaSet=rs0 + - mongo_atnaUrl=mongodb://openhim:${OPENHIM_MONGODB_PASSWORD}@mongo1,mongo2,mongo3/openhim-dev?replicaSet=rs0 + depends_on: + - mongo1 + - mongo2 + - mongo3 + deploy: + replicas: 2 + + openhim-console: + deploy: + replicas: 2 + + mongo2: + image: mongo:4.4 + hostname: 'mongo2' + container_name: 'mongo2' + restart: unless-stopped + command: mongod --auth --replSet rs0 --keyFile /etc/mongodb-keyfile + volumes: + - '/data/mongo:/data/db' + - '/mongodb-keyfile:/mongodb-keyfile' + entrypoint: + - bash + - -c + - | + cp /mongodb-keyfile /etc/mongodb-keyfile + chmod 400 /etc/mongodb-keyfile + chown 999:999 /etc/mongodb-keyfile + exec docker-entrypoint.sh $$@ + environment: + - MONGO_INITDB_ROOT_USERNAME=${MONGODB_ADMIN_USER} + - MONGO_INITDB_ROOT_PASSWORD=${MONGODB_ADMIN_PASSWORD} + deploy: + labels: + - 'traefik.enable=false' + replicas: 1 + placement: + constraints: + - node.labels.data2 == true + networks: + - overlay_net + + mongo3: + image: mongo:4.4 + hostname: 'mongo3' + container_name: 'mongo3' + restart: unless-stopped + command: mongod --auth --replSet rs0 --keyFile /etc/mongodb-keyfile + volumes: + - '/data/mongo:/data/db' + - '/mongodb-keyfile:/mongodb-keyfile' + entrypoint: + - bash + - -c + - | + cp /mongodb-keyfile /etc/mongodb-keyfile + chmod 400 /etc/mongodb-keyfile + chown 999:999 /etc/mongodb-keyfile + exec docker-entrypoint.sh $$@ + environment: + - MONGO_INITDB_ROOT_USERNAME=${MONGODB_ADMIN_USER} + - MONGO_INITDB_ROOT_PASSWORD=${MONGODB_ADMIN_PASSWORD} + deploy: + labels: + - 'traefik.enable=false' + replicas: 1 + placement: + constraints: + - node.labels.data3 == true + networks: + - overlay_net + + mongo-on-update: + depends_on: + - mongo1 + - mongo2 + - mongo3 + environment: + - REPLICAS=3 + +networks: + overlay_net: {} 
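Review bot: `docker-compose.demo-deploy.yml` is a byte-for-byte copy of `docker-compose.production-deploy.yml` (both blobs are `6969d0285` in this diff), and likewise the new `docker-compose.development-deploy.yml` duplicates `docker-compose.staging-deploy.yml` (both `6aaf94076`). Because `deploy.sh` now selects `docker-compose.$ENV-deploy.yml`, each copy has to be kept in step with its twin by hand, which is how a fix in the production file will one day miss demo; a symlink, or at least a comment at the top of each copy such as `# Copy of docker-compose.production-deploy.yml; keep changes in sync`, makes the relationship explicit. It is also worth confirming that `mongo2`/`mongo3` with their `placement` constraints on `node.labels.data2`/`data3` are wanted on a demo server, since they only make sense for a multi-node swarm.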
diff --git a/infrastructure/docker-compose.deploy.yml b/infrastructure/docker-compose.deploy.yml index 8c1a6c033..7bd2a7ee1 100644 --- a/infrastructure/docker-compose.deploy.yml +++ b/infrastructure/docker-compose.deploy.yml @@ -15,12 +15,8 @@ services: traefik: image: 'traefik:v2.9' ports: - - target: 80 - published: 80 - mode: host - - target: 443 - published: 443 - mode: host + - '${VPN_HOST_ADDRESS:-0.0.0.0}:80:80' + - '${VPN_HOST_ADDRESS:-0.0.0.0}:443:443' volumes: - /var/run/docker.sock:/var/run/docker.sock - /data/traefik/acme.json:/acme.json diff --git a/infrastructure/docker-compose.development-deploy.yml b/infrastructure/docker-compose.development-deploy.yml new file mode 100644 index 000000000..6aaf94076 --- /dev/null +++ b/infrastructure/docker-compose.development-deploy.yml 
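Review bot: Dropping `mode: host` moves the traefik listeners from the node's own network namespace onto the swarm ingress routing mesh, which changes what traefik sees as the client address (the mesh's internal IP rather than the real peer), so access logs, IP allow-lists and rate-limits keyed on client IP will behave differently after this deploy. Whether the `${VPN_HOST_ADDRESS}` prefix actually restricts the listener in ingress mode should be verified on a node with `ss -ltnp`; if it is ignored the ports are as public as before, and when the variable is unset the `:-0.0.0.0` default publishes them on all interfaces with no sign that VPN-only access was intended. A comment on the two lines stating the expectation — `# bound to the VPN address only when VPN_HOST_ADDRESS is set; otherwise public` — documents the intent either way.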
@@ -0,0 +1,97 @@ +version: '3.3' + +services: + notification: + environment: + - LANGUAGES=en,fr + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + countryconfig: + image: ${DOCKERHUB_ACCOUNT}/${DOCKERHUB_REPO}:${COUNTRY_CONFIG_VERSION:-latest} + restart: unless-stopped + secrets: + - jwt-public-key.{{ts}} + environment: + - NODE_ENV=production + - FHIR_URL=http://hearth:3447/fhir + - AUTH_URL=http://auth:4040 + - APPLICATION_CONFIG_URL=http://config:2021 + - OPENHIM_URL=http://openhim-core:5001/fhir + - CONFIRM_REGISTRATION_URL=http://openhim-core:5001/confirm/registration + - CHECK_INVALID_TOKEN=true + - MONGO_URL=mongodb://mongo1/user-mgnt?replicaSet=rs0 + - SENTRY_DSN=${SENTRY_DSN} + deploy: + replicas: 1 + networks: + - overlay_net + + client: + environment: + - DECLARED_DECLARATION_SEARCH_QUERY_COUNT=100 + + gateway: + environment: + - LANGUAGES=en,fr + - SENTRY_DSN=${SENTRY_DSN} + - COUNTRY=FAR + - QA_ENV=true + - NODE_ENV=production + + workflow: + environment: + - LANGUAGES=en,fr + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + search: + environment: + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + metrics: + environment: + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + auth: + environment: + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + user-mgnt: + environment: + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + webhooks: + environment: + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + config: + environment: + - SENTRY_DSN=${SENTRY_DSN} + - QA_ENV=true + - NODE_ENV=production + + documents: + environment: + - QA_ENV=true + - NODE_ENV=production + + scheduler: + environment: + - QA_ENV=true + - NODE_ENV=production + +networks: + overlay_net: {} diff --git a/infrastructure/docker-compose.production-deploy.yml b/infrastructure/docker-compose.production-deploy.yml index a3531063f..6969d0285 100644 
--- a/infrastructure/docker-compose.production-deploy.yml +++ b/infrastructure/docker-compose.production-deploy.yml @@ -93,7 +93,6 @@ services: - OPENHIM_URL=http://openhim-core:5001/fhir - CONFIRM_REGISTRATION_URL=http://openhim-core:5001/confirm/registration - CHECK_INVALID_TOKEN=true - - HOSTNAME=${HOSTNAME} - EMAIL_API_KEY=${EMAIL_API_KEY} - INFOBIP_GATEWAY_ENDPOINT=${INFOBIP_GATEWAY_ENDPOINT} - INFOBIP_API_KEY=${INFOBIP_API_KEY} diff --git a/infrastructure/docker-compose.qa-deploy.yml b/infrastructure/docker-compose.qa-deploy.yml index fa1f084f9..f8b2cc967 100644 --- a/infrastructure/docker-compose.qa-deploy.yml +++ b/infrastructure/docker-compose.qa-deploy.yml @@ -23,7 +23,6 @@ services: - CONFIRM_REGISTRATION_URL=http://openhim-core:5001/confirm/registration - CHECK_INVALID_TOKEN=true - MONGO_URL=mongodb://mongo1/user-mgnt?replicaSet=rs0 - - HOSTNAME=${HOSTNAME} - SENTRY_DSN=${SENTRY_DSN} deploy: replicas: 1 
@@ -95,5 +94,46 @@ services: - QA_ENV=true - NODE_ENV=production + wg-easy: + image: weejewel/wg-easy:7 + environment: + - WG_HOST=vpn.{{hostname}} + - PASSWORD=${WIREGUARD_ADMIN_PASSWORD} + - WG_DEFAULT_ADDRESS=10.13.13.x + - WG_ALLOWED_IPS=0.0.0.0/0 + - WG_PORT=51822 + - WG_POST_UP=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE + - WG_POST_DOWN=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE + volumes: + - /data/wireguard:/etc/wireguard + ports: + - '51822:51820/udp' + cap_add: + - NET_ADMIN + - SYS_MODULE + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 + - net.ipv4.ip_forward=1 + deploy: + labels: + - 'traefik.enable=true' + - 'traefik.http.routers.vpn.rule=Host(`vpn.{{hostname}}`)' + - 'traefik.http.services.vpn.loadbalancer.server.port=51821' + - 'traefik.http.routers.vpn.tls=true' + - 'traefik.http.routers.vpn.entrypoints=web,websecure' + - 'traefik.docker.network=opencrvs_vpn' + - 'traefik.http.middlewares.vpn.headers.customresponseheaders.Pragma=no-cache' + - 'traefik.http.middlewares.vpn.headers.customresponseheaders.Cache-control=no-store' + - 'traefik.http.middlewares.vpn.headers.customresponseheaders.X-Robots-Tag=none' + - 'traefik.http.middlewares.vpn.headers.stsseconds=31536000' + - 'traefik.http.middlewares.vpn.headers.stsincludesubdomains=true' + - 'traefik.http.middlewares.vpn.headers.stspreload=true' + restart: unless-stopped + networks: + - vpn + networks: overlay_net: {} + vpn: + driver: overlay + attachable: false diff --git a/infrastructure/docker-compose.staging-deploy.yml b/infrastructure/docker-compose.staging-deploy.yml index 9cf66cf17..6aaf94076 100644 --- a/infrastructure/docker-compose.staging-deploy.yml +++ b/infrastructure/docker-compose.staging-deploy.yml 
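Review bot: `PASSWORD=${WIREGUARD_ADMIN_PASSWORD}` reads a variable that nothing in this diff provides — `create-github-environment.js` stores the wireguard admin password as `VPN_ADMIN_PASSWORD` — so unless another step renames it, the wg-easy web UI comes up with an empty password while being published through traefik on `vpn.{{hostname}}`. The `traefik.http.middlewares.vpn.headers.*` labels define a middleware that is never attached to the router, so none of the HSTS or no-cache headers take effect; add `'traefik.http.routers.vpn.middlewares=vpn'`, and consider dropping `web` from `entrypoints` so the admin UI is reachable over TLS only. `cap_add: SYS_MODULE` lets the container load kernel modules on the host and is only needed when the `wireguard` module is not already loaded, so on a kernel that ships it the capability can be removed, leaving `NET_ADMIN`. Confirm that the traefik service is attached to the `vpn` overlay network that `traefik.docker.network=opencrvs_vpn` points at, since that service is outside this hunk.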
@@ -22,7 +22,6 @@ services: - CONFIRM_REGISTRATION_URL=http://openhim-core:5001/confirm/registration - CHECK_INVALID_TOKEN=true - MONGO_URL=mongodb://mongo1/user-mgnt?replicaSet=rs0 - - HOSTNAME=${HOSTNAME} - SENTRY_DSN=${SENTRY_DSN} deploy: replicas: 1 diff --git a/infrastructure/server-setup/development.yml b/infrastructure/server-setup/development.yml new file mode 100644 index 000000000..23609f4e1 --- /dev/null +++ b/infrastructure/server-setup/development.yml 
@@ -0,0 +1,41 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. +# +# OpenCRVS is also distributed under the terms of the Civil Registration +# & Healthcare Disclaimer located at http://opencrvs.org/license. +# +# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS. +all: + vars: + users: + # If you need to remove access from someone, do not remove them from this list, but instead set their state: absent + - name: pyry + ssh_key: ssh-rsa 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 pyry@opencrvs.org + state: present + sudoer: true + - name: tameem + ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUprcQyUFYwRto0aRpgriR95C1pgNxrQ0lEWEe1D8he haidertameem@gmail.com + state: present + sudoer: true + - name: riku + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWIF63S4f3z9wQMvWibmvl7MPuJ6EVrkP0HuvgNhcs/4DZYMcR/GRBvV4ldOSYMlBevIXycgGzNDxKJgENUuwIWanjBu7uVAHyD6+cIRD1h63qq7Cjv/2HYTfBDKOrKzPOhA6zWvKO0ZGWsjRXk5LWMCbKOkvKJCxOpj/NVBxeE4FTK5YADYPV3OSsmBtqTHrVLm2sMmShU/2hMYYswWkobidjX65+nK/X+3C+yJbHwiydVvn+QCrFlFfCLPWKe8rUpOxyxofPqWVQh6CHhHfT8okaOc9sOE8Qeip9ljo84DftJh3Xm3ynOdWK1hH2BvRvxNadWqcE1qECbkg4tx2x riku.rouvila@gmail.com + state: present + sudoer: true + - name: euan + ssh_key: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDECqHO65UpyrrO8uueD06RxGaVVq22f152Rf8qVQQAAIGAMu6gCs7ztlZ8a3yQgSEIjM/Jl1/RqIVs6CziTEef74nLFTZ5Ufz3CLRVgdebBeSBEmhTfTUV0HLkSyNzwKFpuzJxucGd72ulPvEp6eHvyJAPJz37YcU8cjaL1v05T6s2ee99li35GlDDtCzfjVV4ZPAg5JdfWuTj41RAVC0LQhk2/NB4qEu37UxGGjhRFSjBEsS5LxI9QfvgrsHpl/VOn+soH7ZkK7kS6qRgNP/uYsXRWXhHaamcl5OX68gJWTbrW6c7PCqlbCWGnsHJswCmqPIthwXXMfC7ULDNLSKG6mslAt5Dyc8/MCr3vTW7pDyr2d0FvvY86SMQUggxv3qF7TZewqfX1bhK0fMLarIxVMQ1RFo//wN9QGA+2we8rxd2Y1Kr1DBuJyuwXPfv+Exo8yNYQ+x/AYH5k6UVcSYuaB8eYmplG2KQCxt8RBFtoChrwOKNRWLqXdKyfpdp5XmnnWxPvR95gf3h3yLocVYkF0i0uvKKJ0vt8J0Ezfkdfow0B1kUg5bPXKJROX7PwbaCPdYcxyDaO6wwOigRnSmoFvkH1pLb4j1RQAXcX531CHgfN6Izi/h0mpMS4bnyIUcv2GQr+h4z4TxcCtj7qpH2y6yw7XG12jVh7TfeesXG2Q== euanmillar77@gmail.com + state: present + sudoer: true + - name: tahmid + ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUml9O5ySwPtEMD1yGEYHlf9Z3jro97NWAnM9+ew9gn tahmidrahman.dsi@gmail.com + state: present + sudoer: true + +docker-manager-first: + hosts: + farajaland-dev: + ansible_host: '104.248.36.17' + data_label: data1 + +# QA and staging servers are not configured to use workers. +docker-workers: {} diff --git a/infrastructure/server-setup/group_vars/all.yml b/infrastructure/server-setup/group_vars/all.yml index 6ccfbda44..5f3abb73d 100644 --- a/infrastructure/server-setup/group_vars/all.yml +++ b/infrastructure/server-setup/group_vars/all.yml @@ -7,7 +7,6 @@ # # Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS. ansible_python_interpreter: /usr/bin/python3 -ansible_user: root encrypt_data: False swap_file_path: /swapfile swap_file_size_mb: 8000 diff --git a/infrastructure/server-setup/production.ini b/infrastructure/server-setup/production.ini deleted file mode 100644 index b8cb40e35..000000000 --- a/infrastructure/server-setup/production.ini +++ /dev/null 
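Review bot: The closing comment `# QA and staging servers are not configured to use workers.` was carried over from another inventory; in this file it should read `# The development server is not configured to use workers.`. Unlike `production.yml` in this diff, which documents `only_allow_access_from_addresses` as the control that keeps SSH off the public internet, this inventory sets no allow-list for a host with a public address and grants `sudoer: true` to every listed user; if that is deliberate for a development box, a one-line comment under `vars:` — `# No only_allow_access_from_addresses: SSH is not IP-restricted on the development host by design` — stops the next reader from assuming it was forgotten.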
@@ -1,21 +0,0 @@
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; OpenCRVS is also distributed under the terms of the Civil Registration
-; & Healthcare Disclaimer located at http://opencrvs.org/license.
-;
-; Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
-
-[docker-manager-first]
-farajaland-prod ansible_host="165.22.205.62" data_label=data1
-
-[docker-workers]
-farajaland-prod-02 ansible_host="178.128.245.255" data_label=data2
-farajaland-prod-03 ansible_host="165.22.198.21" data_label=data3
-; We recommend you add 2-4 workers for a scaled production deployment
-; This should depend on the size of your country and the number of end users.
-; ENTER_HOSTNAME_4 ansible_host="ENTER YOUR WORKER 3 HOST IP" data_label=data4
-; ENTER_HOSTNAME_5 ansible_host="ENTER YOUR WORKER 4 HOST IP" data_label=data5
-
-
diff --git a/infrastructure/server-setup/production.yml b/infrastructure/server-setup/production.yml
new file mode 100644
index 000000000..44613ee3e
--- /dev/null
+++ b/infrastructure/server-setup/production.yml
@@ -0,0 +1,43 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+
+all:
+ vars:
+ # This configuration variable blocks all access to the server, including SSH, except from the IP addresses specified below.
+ # This should always be set when configuring a production server if there is no other firewall in front of the server.
+ # SSH and other services should never be exposed to the public internet.
+ only_allow_access_from_addresses:
+ - 165.22.110.53
+ users:
+ # If you need to remove access from someone, do not remove them from this list, but instead set their state: absent
+ - name: riku
+ ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWIF63S4f3z9wQMvWibmvl7MPuJ6EVrkP0HuvgNhcs/4DZYMcR/GRBvV4ldOSYMlBevIXycgGzNDxKJgENUuwIWanjBu7uVAHyD6+cIRD1h63qq7Cjv/2HYTfBDKOrKzPOhA6zWvKO0ZGWsjRXk5LWMCbKOkvKJCxOpj/NVBxeE4FTK5YADYPV3OSsmBtqTHrVLm2sMmShU/2hMYYswWkobidjX65+nK/X+3C+yJbHwiydVvn+QCrFlFfCLPWKe8rUpOxyxofPqWVQh6CHhHfT8okaOc9sOE8Qeip9ljo84DftJh3Xm3ynOdWK1hH2BvRvxNadWqcE1qECbkg4tx2x riku.rouvila@gmail.com
+ state: present
+ sudoer: true
+ - name: euan
+ ssh_key: ssh-rsa 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 euanmillar77@gmail.com
+ state: present
+ sudoer: true
+
+docker-manager-first:
+ hosts:
+ farajaland-prod:
+ ansible_host: '165.22.205.62'
+ data_label: data1
+
+# We recommend you add 2-4 workers for a scaled production deployment
+# This should depend on the size of your country and the number of end users.
+docker-workers:
+ hosts:
+ farajaland-prod-02:
+ ansible_host: '178.128.245.255'
+ data_label: data2
+ farajaland-prod-03:
+ ansible_host: '165.22.198.21'
+ data_label: data3
diff --git a/infrastructure/server-setup/qa.ini b/infrastructure/server-setup/qa.ini
deleted file mode 100644
index 3c861a3bf..000000000
--- a/infrastructure/server-setup/qa.ini
+++ /dev/null
@@ -1,14 +0,0 @@
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; OpenCRVS is also distributed under the terms of the Civil Registration
-; & Healthcare Disclaimer located at http://opencrvs.org/license.
-;
-; Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
-
-[docker-manager-first]
-farajaland-qa ansible_host="165.22.110.53" data_label=data1
-
-[docker-workers]
-; QA and staging servers are not configured to use workers.
\ No newline at end of file
diff --git a/infrastructure/server-setup/qa.yml b/infrastructure/server-setup/qa.yml
new file mode 100644
index 000000000..3f110cd6e
--- /dev/null
+++ b/infrastructure/server-setup/qa.yml
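Review bot: `only_allow_access_from_addresses` holds a single bare entry, `165.22.110.53`, which the qa inventory in this same commit assigns to `farajaland-qa`, so SSH to the production manager and both workers is reachable only from the QA host and from nowhere else; nothing in the hunk records that this is a jump-host arrangement. Label the entry so whoever rebuilds or retires that host sees the dependency, e.g. `- 165.22.110.53  # farajaland-qa manager; sole SSH source for this environment (confirm intended)`. The same undocumented entry appears in the staging inventory hunk below. The comment above it also promises the variable "blocks all access to the server", while the ufw tasks in this commit only replace the OpenSSH rule; either the wording here or the task scope needs aligning.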
@@ -0,0 +1,41 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+all:
+ vars:
+ users:
+ # If you need to remove access from someone, do not remove them from this list, but instead set their state: absent
+ - name: pyry
+ ssh_key: ssh-rsa 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 pyry@opencrvs.org
+ state: present
+ sudoer: true
+ - name: tameem
+ ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUprcQyUFYwRto0aRpgriR95C1pgNxrQ0lEWEe1D8he haidertameem@gmail.com
+ state: present
+ sudoer: true
+ - name: riku
+ ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWIF63S4f3z9wQMvWibmvl7MPuJ6EVrkP0HuvgNhcs/4DZYMcR/GRBvV4ldOSYMlBevIXycgGzNDxKJgENUuwIWanjBu7uVAHyD6+cIRD1h63qq7Cjv/2HYTfBDKOrKzPOhA6zWvKO0ZGWsjRXk5LWMCbKOkvKJCxOpj/NVBxeE4FTK5YADYPV3OSsmBtqTHrVLm2sMmShU/2hMYYswWkobidjX65+nK/X+3C+yJbHwiydVvn+QCrFlFfCLPWKe8rUpOxyxofPqWVQh6CHhHfT8okaOc9sOE8Qeip9ljo84DftJh3Xm3ynOdWK1hH2BvRvxNadWqcE1qECbkg4tx2x riku.rouvila@gmail.com
+ state: present
+ sudoer: true
+ - name: euan
+ ssh_key: ssh-rsa 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 euanmillar77@gmail.com
+ state: present
+ sudoer: true
+ - name: tahmid
+ ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUml9O5ySwPtEMD1yGEYHlf9Z3jro97NWAnM9+ew9gn tahmidrahman.dsi@gmail.com
+ state: present
+ sudoer: true
+
+docker-manager-first:
+ hosts:
+ farajaland-qa:
+ ansible_host: '165.22.110.53'
+ data_label: data1
+
+# QA and staging servers are not configured to use workers.
+docker-workers: {}
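Review bot: This inventory leaves `only_allow_access_from_addresses` unset, so `farajaland-qa` keeps the universal OpenSSH allow rule from the ufw.yml hunk, yet its address `165.22.110.53` is the only SSH source the production and staging inventories in this commit admit. That makes an internet-facing host with five `sudoer: true` accounts the single hop in front of production; it should at least be recorded here, e.g. `# NOTE: this host's address is the SSH allow-list entry for production and staging; treat it as a bastion`, and ideally QA would get its own allow list or a dedicated bastion would take that role. The host-specific facts in this hunk are otherwise consistent with the `.ini` file it replaces.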
diff --git a/infrastructure/server-setup/staging.ini b/infrastructure/server-setup/staging.ini
deleted file mode 100644
index 536a36cd6..000000000
--- a/infrastructure/server-setup/staging.ini
+++ /dev/null
@@ -1,14 +0,0 @@
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; OpenCRVS is also distributed under the terms of the Civil Registration
-; & Healthcare Disclaimer located at http://opencrvs.org/license.
-;
-; Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
-
-[docker-manager-first]
-farajaland-staging ansible_host="64.226.80.191" data_label=data1
-
-[docker-workers]
-; QA and staging servers are not configured to use workers.
diff --git a/infrastructure/server-setup/staging.yml b/infrastructure/server-setup/staging.yml
new file mode 100644
index 000000000..de0059956
--- /dev/null
+++ b/infrastructure/server-setup/staging.yml
@@ -0,0 +1,34 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+all:
+ vars:
+ # This configuration variable blocks all access to the server, including SSH, except from the IP addresses specified below.
+ # This should always be set when configuring a production server if there is no other firewall in front of the server.
+ # SSH and other services should never be exposed to the public internet.
+ only_allow_access_from_addresses:
+ - 165.22.110.53
+ users:
+ # If you need to remove access from someone, do not remove them from this list, but instead set their state: absent
+ - name: riku
+ ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWIF63S4f3z9wQMvWibmvl7MPuJ6EVrkP0HuvgNhcs/4DZYMcR/GRBvV4ldOSYMlBevIXycgGzNDxKJgENUuwIWanjBu7uVAHyD6+cIRD1h63qq7Cjv/2HYTfBDKOrKzPOhA6zWvKO0ZGWsjRXk5LWMCbKOkvKJCxOpj/NVBxeE4FTK5YADYPV3OSsmBtqTHrVLm2sMmShU/2hMYYswWkobidjX65+nK/X+3C+yJbHwiydVvn+QCrFlFfCLPWKe8rUpOxyxofPqWVQh6CHhHfT8okaOc9sOE8Qeip9ljo84DftJh3Xm3ynOdWK1hH2BvRvxNadWqcE1qECbkg4tx2x riku.rouvila@gmail.com
+ state: present
+ sudoer: true
+ - name: euan
+ ssh_key: ssh-rsa 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 euanmillar77@gmail.com
+ state: present
+ sudoer: true
+
+docker-manager-first:
+ hosts:
+ farajaland-staging:
+ ansible_host: '64.226.80.191'
+ data_label: data1
+
+# QA and staging servers are not configured to use workers.
+docker-workers: {}
diff --git a/infrastructure/server-setup/tasks/ufw.yml b/infrastructure/server-setup/tasks/ufw.yml
index f91f5b962..67b644523 100644
--- a/infrastructure/server-setup/tasks/ufw.yml
+++ b/infrastructure/server-setup/tasks/ufw.yml
@@ -3,10 +3,27 @@
 name: ufw
 state: present
-- name: 'Allow OpenSSH through UFW'
+- name: Allow OpenSSH for IPv4 from specific addresses
+ ufw:
+ rule: allow
+ port: 22
+ proto: tcp
+ src: '{{ item }}'
+ loop: '{{ only_allow_access_from_addresses }}'
+ when: only_allow_access_from_addresses is defined and only_allow_access_from_addresses | length > 0
+
+- name: Remove general OpenSSH allow rule
+ ufw:
+ rule: allow
+ name: OpenSSH
+ delete: yes
+ when: only_allow_access_from_addresses is defined and only_allow_access_from_addresses | length > 0
+
+- name: Allow OpenSSH through UFW universally
 ufw:
 rule: allow
 name: OpenSSH
+ when: only_allow_access_from_addresses is undefined or only_allow_access_from_addresses | length == 0
 # Docker swarm ports - Note: all published docker container port will override UFW rules!
 - name: 'Allow secure docker client communication'
diff --git a/infrastructure/server-setup/tasks/users.yml b/infrastructure/server-setup/tasks/users.yml
index 16f1d1a92..080f6b106 100644
--- a/infrastructure/server-setup/tasks/users.yml
+++ b/infrastructure/server-setup/tasks/users.yml
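Review bot: Every task in this hunk touches only port 22 or the `OpenSSH` application profile, so `only_allow_access_from_addresses` is an SSH allow-list, while the new inventories in this commit document it as blocking "all access to the server"; unless tasks outside this file also consume the variable, add `# Restricts SSH (22/tcp) only; other UFW rules and Docker-published ports are unaffected, see the note below` above the first task or narrow the inventory wording. The restricted path hard-codes `port: 22` whereas the fallback task uses the `OpenSSH` profile, so a non-default sshd port would lock out the allow-listed addresses while the universal rule kept working; giving the first task `name: OpenSSH` alongside `src:` keeps the two paths equivalent. The identical `when:` expression is copied three times; wrapping the first two tasks in a `block:` with a single `when:` makes it harder for the conditions to drift apart later.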
@@ -1,24 +1,3 @@
-- name: Define all users
- set_fact:
- users:
- # If you need to remove access from someone, do not remove them from this list, but instead set their state: absent
- - name: pyry
- ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH6qZgtXhWf+xKwpWmHez6F44VRWrUJPF/aa+qdAc+EUNcUUNq8a/KflVthI15GW83VdHSgOCqrqnZTl/shfjOlq9FxsCDI9BY1Zt2+Dc/YMiY4519jM8QEUpZllJTAsBbaz3MSfqda67lEY8sQp9Jk5hw3vUOYxPBtHLSBehwnj4rNnobRrQ4YeOPnLry+cwf8tuQ1ftaxmsKeSKc8blToj2zJHe5t2a5CkOmCOCjAoToVVHWtUZwZ8E3Xrwdyod1q3vnNjofHPr8TFYpuJlAaIAtko4w8XaeQAbfz+iWGpOSYjbaMhG3gq05kfTm3XUEUsbwSeWhZ8d7F0XDESjHDELQYcikHgm6ywnUtpMht16rbjnZ+h8mDlE/Ftz9N9gkzn7bTTMYRRUrjJUTppH9opNbzlcr38zAhNDEeRvGIhxx6/jRZ0xk1SqQhYh08M3URpvIDbh/Umm7NO/cN6ZX8ogrrMSRfoYvk2u4gioX5qfyIDSVwiVztMjkPdZ/rhU= pyry@opencrvs.org
- state: present
- sudoer: true
- - name: tameem
- ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUprcQyUFYwRto0aRpgriR95C1pgNxrQ0lEWEe1D8he haidertameem@gmail.com
- state: present
- sudoer: true
- - name: riku
- ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWIF63S4f3z9wQMvWibmvl7MPuJ6EVrkP0HuvgNhcs/4DZYMcR/GRBvV4ldOSYMlBevIXycgGzNDxKJgENUuwIWanjBu7uVAHyD6+cIRD1h63qq7Cjv/2HYTfBDKOrKzPOhA6zWvKO0ZGWsjRXk5LWMCbKOkvKJCxOpj/NVBxeE4FTK5YADYPV3OSsmBtqTHrVLm2sMmShU/2hMYYswWkobidjX65+nK/X+3C+yJbHwiydVvn+QCrFlFfCLPWKe8rUpOxyxofPqWVQh6CHhHfT8okaOc9sOE8Qeip9ljo84DftJh3Xm3ynOdWK1hH2BvRvxNadWqcE1qECbkg4tx2x riku.rouvila@gmail.com
- state: present
- sudoer: true
- - name: euan
- ssh_key: ssh-rsa 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 euanmillar77@gmail.com
- state: present
- sudoer: true
-
 - name: Ensure users are present
 user:
 name: '{{ item.name }}'
@@ -133,12 +112,13 @@
 line: 'PubkeyAuthentication yes'
 state: present
-- name: Set PermitRootLogin to no
+- name: Disable SSH root login so all maintainers log in as their own user
 lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '^#?PermitRootLogin'
- line: 'PermitRootLogin yes'
+ line: 'PermitRootLogin no'
 state: present
+ when: ansible_user != "root"
 - name: Enable KbdInteractiveAuthentication in SSHD Config
 lineinfile:
@@ -161,14 +141,14 @@
 line: 'PermitEmptyPasswords no'
 state: present
-- name: Only require public key from the user "root"
+- name: Only require public key from the user "{{ ansible_user }}"
 blockinfile:
 path: /etc/ssh/sshd_config
 block: |
- Match User root
+ Match User {{ ansible_user }}
 PasswordAuthentication no
 AuthenticationMethods publickey
- marker: '# {mark} ANSIBLE MANAGED BLOCK FOR USER ROOT'
+ marker: '# {mark} ANSIBLE MANAGED BLOCK FOR USER {{ ansible_user }}'
 become: yes
 - name: Check SSH config syntax
diff --git a/package.json b/package.json
index d67d14936..56ba79698 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,7 @@
 "jsonwebtoken": "^9.0.0",
 "libsodium-wrappers": "^0.7.13",
 "lint-staged": "^7.1.0",
+ "minimist": "^1.2.8",
 "niceware": "^2.0.2",
 "nodemon": "^2.0.22",
 "prettier": "^2.8.8",
diff --git a/src/constants.ts b/src/constants.ts
index aa68b652f..ed24d917f 100644
--- a/src/constants.ts
+++ b/src/constants.ts
@@ -9,7 +9,7 @@
 * Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
 */
 export const TEST_SOURCE = `${process.cwd()}/src/tests/`
-export const HOSTNAME = process.env.DOMAIN || '*'
+export const DOMAIN = process.env.DOMAIN || '*'
 export const LOGIN_URL = process.env.LOGIN_URL || 'http://localhost:3020/'
 export const CLIENT_APP_URL = process.env.CLIENT_APP_URL || 'http://localhost:3000/'
diff --git a/src/index.ts b/src/index.ts
index 4b633fd81..bdfbaa8d7 100644
--- a/src/index.ts
+++ b/src/index.ts
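Review bot: In the first users.yml hunk `when: ansible_user != "root"` skips the `PermitRootLogin no` task whenever provisioning still runs as root, and the line it replaces was writing `PermitRootLogin yes`, so a host provisioned before this commit keeps root login enabled until someone re-runs the play as a non-root user; if root login is meant to be closed everywhere, drop that `when:` and keep only the `Match User {{ ansible_user }}` block conditional. Both hunks now depend on `ansible_user`, but this commit also deletes `ansible_user: root` from `group_vars/all.yml` and none of the inventories in the diff set it, so unless it arrives as an extra-var the play aborts on an undefined variable; an early `- assert: { that: ansible_user is defined, fail_msg: "ansible_user must be set" }` makes that expectation explicit. In the second hunk the blockinfile marker changes from `... FOR USER ROOT` to `... FOR USER {{ ansible_user }}`, so the old `Match User root` stanza is never removed from existing hosts' sshd_config; a one-off task with the old marker and `state: absent` would clean it up. The surrounding tasks of both hunks continue outside the view.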
@@ -18,7 +18,7 @@ import * as inert from '@hapi/inert'
 import * as Sentry from 'hapi-sentry'
 import {
 CLIENT_APP_URL,
- HOSTNAME,
+ DOMAIN,
 LOGIN_URL,
 SENTRY_DSN
 } from '@countryconfig/constants'
@@ -176,8 +176,8 @@ async function getPublicKey(): Promise {
 }
 export async function createServer() {
- let whitelist: string[] = [HOSTNAME]
- if (HOSTNAME[0] !== '*') {
+ let whitelist: string[] = [DOMAIN]
+ if (DOMAIN[0] !== '*') {
 whitelist = [LOGIN_URL, CLIENT_APP_URL]
 }
 logger.info(`Whitelist: ${JSON.stringify(whitelist)}`)
diff --git a/start-prod.sh b/start-prod.sh
index fa9d4c970..24ea6e997 100755
--- a/start-prod.sh
+++ b/start-prod.sh
@@ -9,8 +9,8 @@
 set -e
-sed -i "s/{{hostname}}/$HOSTNAME/g" src/client-config.prod.js
-sed -i "s/{{hostname}}/$HOSTNAME/g" src/login-config.prod.js
+sed -i "s/{{hostname}}/$DOMAIN/g" src/client-config.prod.js
+sed -i "s/{{hostname}}/$DOMAIN/g" src/login-config.prod.js
 sed -i "s={{sentry}}=$SENTRY_DSN=g" src/client-config.prod.js
 sed -i "s={{sentry}}=$SENTRY_DSN=g" src/login-config.prod.js
diff --git a/yarn.lock b/yarn.lock
index d12295f21..05a790119 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7920,6 +7920,11 @@ minimist@^1.1.1, minimist@^1.2.0, minimist@^1.2.2, minimist@^1.2.5, minimist@^1.
 resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.7.tgz#daa1c4d91f507390437c6a8bc01078e7000c4d18"
 integrity sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==
+minimist@^1.2.8:
+ version "1.2.8"
+ resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
+ integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==
+
 mixin-deep@^1.2.0:
 version "1.3.2"
 resolved "https://registry.yarnpkg.com/mixin-deep/-/mixin-deep-1.3.2.tgz#1120b43dc359a785dce65b55b82e257ccf479566"
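Review bot: In the start-prod.sh hunk, a deployment that still exports `HOSTNAME` but not the renamed `DOMAIN` runs the two `sed` commands with an empty replacement, so `client-config.prod.js` and `login-config.prod.js` ship with `{{hostname}}` replaced by nothing, and the `set -e` above does not catch it because sed exits 0. A guard placed before the first substitution, `: "${DOMAIN:?DOMAIN must be set}"`, turns that into an immediate, visible failure; the same treatment for `SENTRY_DSN` would be consistent if it is mandatory. The rest of the script is outside the hunk.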