Updated template

This commit is contained in:
Giancarlo Panichi 2021-12-17 17:41:02 +01:00
parent d169537ed9
commit 408d2ba44d
11 changed files with 4036 additions and 176 deletions

View File

@ -1,7 +1,7 @@
Role Name Role Name
========= =========
A role that installs ePAS, electronic Personnel Attendance System. <https://epas.projects.iit.cnr.it> A role that installs ePASMed, a mediator between ePAS and SistemaInformativo ISTI.
Role Variables Role Variables
-------------- --------------
@ -9,56 +9,58 @@ Role Variables
The most important variables are listed below: The most important variables are listed below:
``` yaml ``` yaml
epas_docker_stack_name: 'epas_prod' epasmedmed_docker_stack_name: 'epasmed_prod'
epas_docker_service_server_name: 'epas' epasmed_docker_service_server_name: 'epasmed'
epas_docker_registry: 'docker-registry.services.iit.cnr.it' epasmed_docker_registry: ''
epas_docker_server_image: '{{ epas_docker_registry }}/epas/epas:stable' epasmed_docker_server_image: 'giancarlopanichi/epasmed:latest'
epas_docker_registry_user: 'epas.user' epasmed_docker_registry_user: 'epasmed.user'
epas_docker_registry_pwd: 'use a vault file' epasmed_docker_registry_pwd: 'use a vault file'
epas_docker_network: 'epas_net' epasmed_docker_network: 'epasmed_net'
epas_attachments_node: 'localhost' epasmed_attachments_node: 'localhost'
epas_attachments_volume: 'epas_attachments_data' epasmed_attachments_volume: 'epasmed_attachments_data'
epas_node_constraints: 'node.labels.epas_storage == attachments' epasmed_node_constraints: 'node.labels.epasmed_storage == attachments'
epas_behind_haproxy: True epasmed_behind_haproxy: True
epas_haproxy_public_net: 'haproxy-public' epasmed_haproxy_public_net: 'haproxy-public'
# DB # DB
# Set to true if postgresql must be a container too # Set to true if postgresql must be a container too
epas_dockerized_db: False epasmed_dockerized_db: False
# IMPORTANT. Set it to True for the server that is going to host the DB # IMPORTANT. Set it to True for the server that is going to host the DB
epas_docker_db_node: False epasmed_docker_db_node: False
epas_pg_version: '12' epasmed_pg_version: '12'
epas_db_image: 'postgres:{{ epas_pg_version }}-alpine' epasmed_db_image: 'postgres:{{ epasmed_pg_version }}-alpine'
# The default hostname is the name of the container service # The default hostname is the name of the container service
epas_db_host: 'postgres' epasmed_db_host: 'postgres'
epas_db_name: 'epas_prod_db' epasmed_db_name: 'epasmed_prod_db'
epas_db_allowed_hosts: epasmed_db_allowed_hosts:
- '127.0.0.1' - '127.0.0.1'
#epas_db_pwd: 'set it in a vault file' #epasmed_db_pwd: 'set it in a vault file'
epas_db_user: 'epas_prod_user' epasmed_db_user: 'epasmed_prod_user'
epas_db_volume: 'epas_prod_pg_data' epasmed_db_volume: 'epasmed_prod_pg_data'
epas_db_constraints: '[node.labels.pg_data==epas_db]' epasmed_db_constraints: '[node.labels.pg_data==epasmed_db]'
epas_pg_data_volume: 'epas_db_data' epasmed_pg_data_volume: 'epasmed_db_data'
epas_pg_backups_volume: 'epas_db_data' epasmed_pg_backups_volume: 'epasmed_db_data'
psql_db_data: '{{ epas_psql_pg_data }}' psql_db_data: '{{ epasmed_psql_pg_data }}'
# Environment # Environment
epas_server_hostname: 'epas.example.com' epasmed_server_hostname: 'epasmed.example.com'
## SMTP ## SMTP
epas_smtp_server: 'localhost' epasmed_smtp_server: 'localhost'
epas_smtp_port: 587 epasmed_smtp_port: 587
epas_smtp_channel: 'starttls' epasmed_smtp_channel: 'starttls'
epas_smtp_from: 'epas@cnr.it' epasmed_smtp_from: 'epasmed@cnr.it'
epas_smtp_protocol: 'smtp' epasmed_smtp_protocol: 'smtp'
epas_smtp_authentication: True epasmed_smtp_authentication: True
epas_smtp_user: '' epasmed_smtp_user: ''
epas_smtp_password: 'use a vault file' epasmed_smtp_password: 'use a vault file'
## LDAP
epas_ldap_login: 'false'
epas_ldap_url: 'ldap://ldap.example.org:389'
epas_ldap_timeout: 1000
epas_ldap_base_dn: 'ou=People,dc=example,dc=org'
epas_ldap_login_return_uri: '/.'
epas_ldap_eppn_attribute_name: 'eduPersonPrincipalName'
``` ```
<!-- ## LDAP
epasmed_ldap_login: 'false'
epasmed_ldap_url: 'ldap://ldap.example.org:389'
epasmed_ldap_timeout: 1000
epasmed_ldap_base_dn: 'ou=People,dc=example,dc=org'
epasmed_ldap_login_return_uri: '/.'
epasmed_ldap_eppn_attribute_name: 'eduPersonPrincipalName'
-->
Dependencies Dependencies
------------ ------------
@ -73,4 +75,5 @@ EUPL-1.2
Author Information Author Information
------------------ ------------------
Giancarlo Panichi, <giancarlo.panichi@isti.cnr.it>
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it> Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

View File

@ -1,126 +0,0 @@
version: '3.2'
networks:
{{ epas_haproxy_public_net }}:
external: true
{{ epas_docker_network }}:
volumes:
{{ epas_attachments_volume }}:
{% if epas_dockerized_db %}
{{ epas_pg_backups_volume }}:
{{ epas_db_volume }}:
{% endif %}
services:
{{ epas_docker_service_server_name }}:
image: {{ epas_docker_server_image }}
networks:
- {{ epas_docker_network }}
- {{ epas_haproxy_public_net }}
volumes:
- {{ epas_attachments_volume }}:/home/epas/epas/data/attachments
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
environment:
- VIRTUAL_HOST={{ epas_server_hostname }}
- PROTOCOL=https # default: http -- (http,https)
# - EPAS_SHIB_LOGIN= # default: false -- (true,false)
- JOBS_ACTIVE=true # default: false -- (true,false) -- Se forzato a true abilita l'esecuzione di tutti i job
# - SKIP_IP_CHECK= # default: false -- (true,false) -- Disabilita il controllo sugli indirizzi ip delle richieste
######## LOGS ###########
- LOG_LEVEL={{ epas_log_level }} # Opzionale. default: INFO -- (OFF,FATAL,ERROR,WARN,INFO,DEBUG,TRACE,ALL)
- APPENDERS={{ epas_log_appenders }} # Opzionale. default: stdout, stderr -- (stdout, stderr, file, graylog2). Abilita i log sulla console, file e server graylog
# - GRAYLOG_HOST= # Obbligatorio se attivato log sull'appender graylog2. default: null
# - GRAYLOG_PORT= # Opzionale. default: 3514
# - GRAYLOG_ORIGIN_HOST= # Opzionale. default: valore in VIRTUAL_HOST
###### Container ########
# - BACKUP_CRON= # default: disattivato. (utilizzare il format del crontab. Es. 0 0 * * *)
# - CERT_NAME= # default: valore specificato in VIRTUAL_HOST -- Specifica un nome diverso per i file del certificato SSL
- TZ=Europe/Rome
#### Connessione DB ####
- DB_HOST={{ epas_db_host }} # default: indirizzo assegnato al container postgres linkato
- DB_NAME={{ epas_db_name }} # default: epas
- DB_PASS={{ epas_db_pwd }} # default: "non necessaria"
- DB_PORT=5432 # default: 5432
- DB_USER={{ epas_db_user }} # default: postgres
#### server SMTP ####
- SMTP_HOST={{ epas_smtp_server }} # default: smtp.cnr.it
- SMTP_PORT={{ epas_smtp_port }} # default: 25 se SMTP_CHANNEL è impostato clear o starttls; 465 se impostato su ssl
- SMTP_CHANNEL={{ epas_smtp_channel }} # default: clear -- (clear, ssl ,starttls)
- SMTP_FROM={{ epas_smtp_from }} # default: epas@cnr.it -- Indirizzo utilizzato per il campo mittente delle mail inviate dal sistema
- SMTP_PROTOCOL={{ epas_smtp_protocol}} # default: smtp -- (smtp, smtps)
{% if epas_smtp_authentication %}
- SMTP_USER={{ epas_smtp_user }} # user utilizzato per l'autenticazione sul server smtp (se necessario)
- SMTP_PASS={{ epas_smtp_password }} # password utilizzato per l'autenticazione sul server smtp (se necessaria)
{% endif %}
#### Autenticazione LDAP ####
- LDAP_LOGIN={{ epas_ldap_login }} # default: false. Impostare a true per attivare l'autenticazione tramite LDAP
- LDAP_URL={{ epas_ldap_url }} # url del server LDAP, per esempio ldap://ldap.cnr.it:389
- LDAP_STARTTLS={{ epas_ldap_starttls_enabled }} # Deve valere true quando è richiesto TLS sulla porta 389. False quando viene usato ldaps sulla 636
- LDAP_TIMEOUT={{ epas_ldap_timeout }} # default: 1000. Time in millisecondi della connessione LDAP.
- LDAP_DN_BASE={{ epas_ldap_base_dn }} # DN per la ricerca degli utenti su LDAP, per esempio ou=People,dc=iit,dc=cnr,dc=it
- LDAP_LOGIN_RETURN={{ epas_ldap_login_return_uri }} # default: /. Indirizzo relativo di reindirizzamento dopo il login LDAP.
- LDAP_EPPN_ATTRIBUTE_NAME={{ epas_ldap_eppn_attribute_name }} # default: eduPersonPrincipalName. Campo LDAP utilizzato per il mapping con il campo eppn presente in ePAS.
{% if epas_ldap_authenticated_bind %}
- LDAP_BIND_DN={{ epas_ldap_bind_dn }}
- LDAP_BIND_CREDENTIALS={{ epas_ldap_bind_credentials }}
- LDAP_AUTHENTICATE_USER_SEARCH_DN={{ epas_ldap_authenticate_user_search_dn }}
{% endif %}
{% if epas_flows_enabled %}
- FLOWS_ACTIVE=true # defalut: false --(true,false) -- se impostato a true abilita l'utilizzo dei flussi interni a ePAS
- URL_ATTESTATI={{ epas_attestati_url }} # default: https://attestativ2.rm.cnr.it
- URL_USER={{ epas_attestati_user }}
- URL_PASS={{ epas_attestati_password }}
{% endif %}
#### Invio Segnalazioni via email
#- REPORT_TO=${REPORT_TO} # default: epas@iit.cnr.it
#- REPORT_FROM=${REPORT_FROM} # default: segnalazioni@epas.tools.iit.cnr.it
#- REPORT_SUBJECT=${REPORT_SUBJECT} # default: Segnalazione ePAS
deploy:
mode: replicated
replicas: 1
endpoint_mode: dnsrr
placement:
constraints:
- node.role == worker
- {{ epas_node_constraints }}
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
logging:
driver: 'journald'
{% if epas_dockerized_db %}
postgres:
image: {{ epas_db_image }}
environment:
POSTGRES_PASSWORD: {{ epas_db_pwd }}
POSTGRES_DB: postgres
POSTGRES_USER: postgres
POSTGRES_PORT: 5432
PGDATA: /var/lib/postgresql/data/pg_data
networks:
- {{ epas_docker_network }}
volumes:
- {{ epas_pg_data_volume }}:/var/lib/postgresql/data/pg_data
- {{ epas_pg_backups_volume }}:/tmp:ro
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
deploy:
mode: replicated
replicas: 1
endpoint_mode: dnsrr
placement:
constraints: {{ epas_db_constraints }}
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
logging:
driver: 'journald'
{% endif %}

View File

@ -0,0 +1,81 @@
version: '3.2'
networks:
{{ epasmed_haproxy_public_net }}:
external: true
{{ epasmed_docker_network }}:
volumes:
{{ epasmed_attachments_volume }}:
{% if epasmed_dockerized_db %}
{{ epasmed_pg_backups_volume }}:
{{ epasmed_db_volume }}:
{% endif %}
services:
{{ epasmed_docker_service_server_name }}:
image: {{ epasmed_docker_server_image }}
environment:
- _JAVA_OPTIONS=-Xmx512m -Xms256m
- SPRING_PROFILES_ACTIVE=prod,swagger
- MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED=true
- APPLICATION_DATASOURCEEPASMED_DATASOURCE_URL=jdbc:postgresql://epasmed-postgresql:5432/epasmed
- JHIPSTER_SLEEP=30 # gives time for other services to boot before the application
ports:
- 80:80
networks:
- {{ epasmed_docker_network }}
- {{ epasmed_haproxy_public_net }}
volumes:
- {{ epasmed_attachments_volume }}:/home/epasmed/epasmed/data/attachments
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
deploy:
mode: replicated
replicas: 1
endpoint_mode: dnsrr
placement:
constraints:
- node.role == worker
- {{ epasmed_node_constraints }}
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
logging:
driver: 'journald'
{% if epasmed_dockerized_db %}
epasmed-postgresql:
image: {{ epasmed_db_image }}
environment:
- POSTGRES_PASSWORD: {{ epasmed_db_pwd }}
- POSTGRES_DB: epasmed
- POSTGRES_USER: epasmed
- POSTGRES_PORT: 5432
- POSTGRES_HOST_AUTH_METHOD=trust
- PGDATA: /var/lib/postgresql/data/pg_data
networks:
- {{ epasmed_docker_network }}
volumes:
- {{ epasmed_pg_data_volume }}:/var/lib/postgresql/data/pg_data
- {{ epasmed_pg_backups_volume }}:/tmp:ro
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
deploy:
mode: replicated
replicas: 1
endpoint_mode: dnsrr
placement:
constraints: {{ epasmed_db_constraints }}
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
logging:
driver: 'journald'
{% endif %}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,11 @@
apiVersion: 1
providers:
- name: 'Prometheus'
orgId: 1
folder: ''
type: file
disableDeletion: false
editable: true
options:
path: /etc/grafana/provisioning/dashboards

View File

@ -0,0 +1,50 @@
apiVersion: 1
# list of datasources that should be deleted from the database
deleteDatasources:
- name: Prometheus
orgId: 1
# list of datasources to insert/update depending
# whats available in the database
datasources:
# <string, required> name of the datasource. Required
- name: Prometheus
# <string, required> datasource type. Required
type: prometheus
# <string, required> access mode. direct or proxy. Required
access: proxy
# <int> org id. will default to orgId 1 if not specified
orgId: 1
# <string> url
# On MacOS, replace localhost by host.docker.internal
url: http://localhost:9090
# <string> database password, if used
password:
# <string> database user, if used
user:
# <string> database name, if used
database:
# <bool> enable/disable basic auth
basicAuth: false
# <string> basic auth username
basicAuthUser: admin
# <string> basic auth password
basicAuthPassword: admin
# <bool> enable/disable with credentials headers
withCredentials:
# <bool> mark as default datasource. Max one per org
isDefault: true
# <map> fields that will be converted to json and stored in json_data
jsonData:
graphiteVersion: '1.1'
tlsAuth: false
tlsAuthWithCACert: false
# <string> json object of data that will be encrypted.
secureJsonData:
tlsCACert: '...'
tlsClientCert: '...'
tlsClientKey: '...'
version: 1
# <bool> allow users to edit datasources from the UI.
editable: true

26
templates/monitoring.yml Normal file
View File

@ -0,0 +1,26 @@
version: '2'
services:
epasmed-prometheus:
image: prom/prometheus:v2.18.1
volumes:
- ./prometheus/:/etc/prometheus/
command:
- '--config.file=/etc/prometheus/prometheus.yml'
ports:
- 9090:9090
# On MacOS, remove next line and replace localhost by host.docker.internal in prometheus/prometheus.yml and
# grafana/provisioning/datasources/datasource.yml
network_mode: 'host' # to test locally running service
epasmed-grafana:
image: grafana/grafana:7.0.1
volumes:
- ./grafana/provisioning/:/etc/grafana/provisioning/
environment:
- GF_SECURITY_ADMIN_PASSWORD=admin
- GF_USERS_ALLOW_SIGN_UP=false
- GF_INSTALL_PLUGINS=grafana-piechart-panel
ports:
- 3000:3000
# On MacOS, remove next line and replace localhost by host.docker.internal in prometheus/prometheus.yml and
# grafana/provisioning/datasources/datasource.yml
network_mode: 'host' # to test locally running service

View File

@ -3,10 +3,10 @@
set -e set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
CREATE USER {{ epas_db_user }} password '{{ epas_db_pwd }}'; CREATE USER {{ epasmed_db_user }} password '{{ epasmed_db_pwd }}';
CREATE DATABASE {{ epas_db_name }} CREATE DATABASE {{ epasmed_db_name }}
OWNER {{ epas_db_user }} OWNER {{ epasmed_db_user }}
ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8' ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8'
TEMPLATE template0; TEMPLATE template0;
GRANT ALL PRIVILEGES ON DATABASE {{ epas_db_name }} TO {{ epas_db_user }}; GRANT ALL PRIVILEGES ON DATABASE {{ epasmed_db_name }} TO {{ epasmed_db_user }};
EOSQL EOSQL

View File

@ -0,0 +1,31 @@
# Sample global config for monitoring JHipster applications
global:
scrape_interval: 15s # By default, scrape targets every 15 seconds.
evaluation_interval: 15s # By default, scrape targets every 15 seconds.
# scrape_timeout is set to the global default (10s).
# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
external_labels:
monitor: 'epasmed'
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# scheme defaults to 'http' enable https in case your application is server via https
#scheme: https
# basic auth is not needed by default. See https://www.jhipster.tech/monitoring/#configuring-metrics-forwarding for details
#basic_auth:
# username: admin
# password: admin
metrics_path: /management/prometheus
static_configs:
- targets:
# On MacOS, replace localhost by host.docker.internal
- localhost:8080

View File

@ -0,0 +1,6 @@
version: '2'
services:
swagger-editor:
image: swaggerapi/swagger-editor:latest
ports:
- 7742:8080

View File

@ -1,5 +1,5 @@
--- ---
epas_compose_dir: '/srv/epas_stack' epasmed_compose_dir: '/srv/epasmed_stack'
epas_psql_pg_data: epasmed_psql_pg_data:
- { db_host: '{{ epas_db_host }}', pgsql_version: '{{ epas_pg_version }}', name: '{{ epas_db_name }}', encoding: 'UTF8', user: '{{ epas_db_user }}', roles: 'NOCREATEDB,NOSUPERUSER', pwd: '{{ epas_db_pwd }}', managedb: True, allowed_hosts: '{{ epas_db_allowed_hosts }}' } - { db_host: '{{ epasmed_db_host }}', pgsql_version: '{{ epasmed_pg_version }}', name: '{{ epasmed_db_name }}', encoding: 'UTF8', user: '{{ epasmed_db_user }}', roles: 'NOCREATEDB,NOSUPERUSER', pwd: '{{ epasmed_db_pwd }}', managedb: True, allowed_hosts: '{{ epasmed_db_allowed_hosts }}' }