This repository describes how to set up everything that is needed to run the Aam Digital case management system in production. This includes deploying the app, deploying and connecting the database and optionally deploying and connecting the permission backend and keycloak.
The source code of the actual application, as well as instructions to run it on your local machine during development, can be found in the Aam-Digital/ndb-core repository.
(!) copy the example.* files (e.g. setup.example.env) and add your actual variables and config
The deployment works with minimal requirements. All you need is a system that runs Docker and allows to reach endpoints through a public URL. For a single instance a server with 2GB RAM, a single CPU and 20GB disc space is sufficient. With more data and/or more deployments more RAM and CPU power might be necessary or the sync could start to become very slow. The required disc space scales with the amount of data and especially images and attachments that are saved in the application.
To monitor the hardware usage this repo contains a Prometheus setup. This can be connected with Grafana to create a system dashboard and trigger alerts on critical performance.
The interactive script interactive_setup.sh walks you through the process of setting up new applications.
Running the setup script will create a new folder in the same parent folder, next to the cloned repo. You can use the script multiple times to create new instances.
- Clone this repository
- Set up local environment by copying setup.example.env file and editing the
setup.envandkeyloak/.env - Then run the script and follow the questions in the console to generate the required .env and other files:
./interactive_setup.sh
The following things can be automatically done
- Deploy the application
- (optional) add the permission backend
- (optional) connect with a running Keycloak
- (optional) migrate users from CouchDB to Keycloak
To log errors with Sentry, simply set the variable SENTRY_DSN in the .env file to you sentry DSN.
Some things have to be set for the interactive setup script through environment variables.
Have a look at interactive_setup.sh to see which .env files are loaded there.
- Domain name for the final applications (variable
domain) - Prefix for created folders (variable
prefix) - the
.envfile of the keycloak deployment (see section User management in Keycloak)
The scripts folder provides utilities to enable the backend and its specific API modules. Check the documentation in the comments at the top of each file for usage instructions.
In order to make the application's docker container accessible under a public URL, you need to expose it using a tool of your choice. The system works well with the swag-proxy. This allows to automatically configure things so that the app is reachable under a specific domain name (including automatic setup of SSL certificates through letsencrypt).
This setup repository comes with a docker compose for setting up the swag-proxy. (we have multiple production instances, so as an example the aam-prod-2 config)
- Create the required network
docker network create external_web
- In
swag-proxy/docker-compose.ymlsetEMAILto a valid email address and adapt the DOMAINS config to match your setup. - Start the required containers (this is only needed once on a server)
cd nginx-proxy && docker-compose up -d
The system uses the Keycloak identity management system.
All the required configuration can be found in the keycloak folder.
We use a custom build of Keycloak that includes certain plugins required for 2-Factor-Auth. Plugin versions are managed within that custom docker image in Aam-Digital/aam-cloud-infrastructure.
To start the required docker containers execute the following (this is only needed once on a server, you can skip these steps if you just want to add another Aam Digital instance to an existing keycloak server):
- Open the file
keycloak/.env - Set the password variables to secure passwords and assign valid urls for the Keycloak (without
https://) - Start the required containers
cd keycloak && docker-compose up -d
Once done, applications can be connected with Keycloak through the interactive_setup.sh.
keycloak/realm_config.json provides a sample configuration that the interactive setup script uses (replacing some placeholders automatically).
You can create a custom realm_config.json in each baseConfig folder to overwrite this.
Keycloak supports a second login factor through the methods described below:
- Authenticator App
- E-Mail OTP
The only built-in second factor ist OTP using a Authenticator app.
This can be enabled by editing a specific user in the Keycloak "Administration Console" and adding the Configure OTP in the "Required user actions".
It can also be activated for everyone by changing the Browser - Conditional OTP in the used Browser flow from Conditional to Required.
Through 3rd party libraries OTP via Email is supported. This also comes with the option to trust the device for a configured time period (during which you do not have to enter the OTP when logging in).
To enable this feature visit <KEYCLOAK_URL>/admin/master/console/#/<REALM>/authentication/ (i.e. open the "Authentication" section of the Keycloak realm) and follow the described steps below ("Activating Email 2FA").
If you created this realm using a recent version of the realm_config.json then you should find a flow with the name Email 2FA,
otherwise see the steps below in the next section ("Setting up Email OTP manually").
To activate 2FA over email, click on the 3 dot menu on the right of the Email 2FA flow and select Bind flow and select Browser flow.
After saving, when trying to log in to the app you should be asked to enter the OTP which has been sent to the email that is associated with the username.
Similar to the steps of activating the 2FA flow, to disable it you need to re-activate the normal "browser" flow:
Click on the 3 dot menu on the right of the browser flow, select Bind flow and then select Browser flow.
Disabling 2FA for a specific account can be configured but is not part of default setup yet. Please check with existing sample systems for the setup to make the following instructions work:
To disable email 2FA for only one individually user assign the Keycloak User Role "no-email-2fa" to that user account to skip 2FA for that person. If the role does not exist yet, create it in the Keycloak Admin interface. (The logic of this special role is configured within the
Email 2FAAuthentication flow as a condition)
If the Email 2FA flow is not available in the realm (section "Authentication"), you can configure it manually:
- Click on the 3 dot menu of the
browserflow and select duplicate - Enter
Email 2FAas name - Delete the last two steps (
Condition - user configuredandOTP form) - Click on the
+button in the last row (Email 2FA Browser - Conditional OTP) - Select
Add condition, there selectCondition - Device Trustedand clickAdd - On the new step (
Condition - Device Trusted) click onDisabledand change it toRequired - Click on the cog icon next to
Requiredand entertrusted-configasAliasand clickSave - Again click on the
+icon forEmail 2FA Browser - Conditional OTP - Select
Add step, there selectEmail OTPand clickAdd - Change
DisabledtoRequiredforEmail OTP - Again click on the
+icon forEmail 2FA Browser - Conditional OTP - Select
Add step, there selectRegister Trusted Deviceand clickAdd - Change
DisabledtoRequiredforRegister Trusted Device
Now the flow is configured correctly, and you can start using it the same way it has been described above.
In the step Email OTP you can configure the amount of seconds for which an OTP is valid and in the Register Trusted Device step you can configure how long a device will be trusted (e.g. P30d for 30 days or PT24h for 24 hours).
There are many ways in which the authentication flow can be configured. For example, you could also add the trust device step to the OTP with authenticator app, or you could make the user decide which OTP (email or app) should be used. Consult the Keycloak docs for ways to edit flows or configure new ones.
It is possible to calculate reports for the app's data using SQL queries. For details information, check our Report documentation
(e.g. with TolaData)
- Enable the reporting backend:
- add
aam-backend-serviceto you COMPOSE_PROFILES .env variable to activate that container in the docker compose:COMPOSE_PROFILES=replication-backend,aam-backend-service - add
AAM_BACKEND_SERVICE_URL=http://aam-backend-service:3000to the .env file that feeds into the docker-compose.yml
- add
- Set up Reporting API according to aam-services README
- (re-up the docker compose and confirm the new containers are running)
- follow instructions there to set up an auth client to access results via API
Basic backup scripts are available in the "scripts" folder.
Set the setup.env variables for the backup root folder and passphrase (to encrypt backups).
Then run the backup.sh script to create a current backup.
You can set up the script to run via cron:
Start the new cron job
crontab -e
# then enter the following (adjusted to your actual file locations)
0 2 * * * /var/docker/ndb-setup/backup.sh
# the above runs every day at 2 am Under /var/docker run the interactive script backup-recover.sh to load a backup for a certain client from a certain date.
To manually load a backup follow these steps:
- Find the passphrase in the
/var/docker/backup.shfile. - Go to
mnt/<backup-volume>/backups - Decrypt a backup using
gpg --passphrase \<passphrase\> -o output -d \<backup-file\>
- Decompress the backup
mkdir ./unpacked && tar -xzvf output --directory ./unpacked - Go to application where backups should be applied and stop docker container
cd /var/docker/ndb-\<instance\> docker compose down
- Load the backup
mv couchdb couchdb_old && mv ~/backups/unpacked/var/docker/ndb-\<instance\>/couchdb ./couchdb
- Start the docker containers
docker compose up -d
- After everything works as expected, delete all temporary data
rm -rf couchdb_old ~/backups/output ~/backups/unpacked
When applying a backup, do not forget to clear you browser cache before opening the application again. Otherwise the previously corrupted data will be synced from the browser to the DB that has just been backed up. To delete all local data go to https://<instance>.aam-digital.com/support and press Reset Application. All users, which have corrupted data will need to do this.
More information on CouchDB backups can be found here.
If you just want to use ndb-core through docker, you should not have to build the image yourself. Use the pre-built image on Docker Hub aamdigital/ndb-server.
The Dockerfile to build the image are part of the ndb-core repository.
See the /build sub folder there.
The image builds upon a simple nginx webserver and modifies the configuration to include a reverse proxy for the domain.com/db URLs to access the CouchDB database from the same domain, avoiding CORS issues.