This repository describes how to set up everything that is needed to run the Aam Digital case management system in production. This includes deploying the app, deploying and connecting the database and optionally deploying and connecting the permission backend and keycloak.
The source code of the actual application, as well as instructions to run it on your local machine during development, can be found in the Aam-Digital/ndb-core repository.
(!) copy the example.* files (e.g. setup.example.env) and add your actual variables and config
The deployment works with minimal requirements. All you need is a system that runs Docker and allows to reach endpoints through a public URL. For a single instance a server with 2GB RAM, a single CPU and 20GB disc space is sufficient. With more data and/or more deployments more RAM and CPU power might be necessary or the sync could start to become very slow. The required disc space scales with the amount of data and especially images and attachments that are saved in the application.
To monitor the hardware usage this repo contains a Prometheus setup. This can be connected with Grafana to create a system dashboard and trigger alerts on critical performance.
The interactive script interactive_setup.sh walks you through the process of setting up new applications.
Running the setup script will create a new folder in the same parent folder, next to the cloned repo. You can use the script multiple times to create new instances.
- Clone this repository
- Set up local environment by copying setup.example.env file and editing the
setup.envandkeyloak/.env - Then run the script and follow the questions in the console to generate the required .env and other files:
./interactive_setup.sh
The following things can be automatically done
- Deploy the application
- (optional) add the permission backend
- (optional) connect with a running Keycloak
- (optional) migrate users from CouchDB to Keycloak
To log errors with Sentry, simply set the variable SENTRY_DSN in the .env file to you sentry DSN.
Some things have to be set for the interactive setup script through environment variables.
Have a look at interactive_setup.sh to see which .env files are loaded there.
- Domain name for the final applications (variable
domain) - Prefix for created folders (variable
prefix) - the
.envfile of the keycloak deployment (see section User management in Keycloak)
In order to make the application's docker container accessible under a public URL, you need to expose it using a tool of your choice. The system works well with the nginx-proxy docker. This allows to automatically configure things so that the app is reachable under a specific domain name (including automatic setup of SSL certificates through letsencrypt).
This setup repository comes with a docker compose for setting up the nginx-proxy.
- Create the required network
docker network create nginx-proxy_default
- In
nginx-proxy/docker-compose.ymlsetDEFAULT_EMAILto a valid email address - Start the required containers (this is only needed once on a server)
cd nginx-proxy && docker-compose up -d
- Set the
VIRTUAL_HOSTandLETSENCRYPT_HOSTas environment variables on new docker containers to define under which URL they should be reachable
The system uses the Keycloak identity management system.
All the required configuration can be found in the keycloak folder.
To start the required docker containers execute the following (this is only needed once on a server, you can skip these steps if you just want to add another Aam Digital instance to an existing keycloak server):
- Open the file
keycloak/.env - Set the password variables to secure passwords and assign valid urls for the Keycloak and account backend (without
https://) - Open
keykloak/realm_config.jsonand add the required settings for you email server to enable Keycloak to send emails in your name - Start the required containers
cd keycloak && docker-compose up -d
Once done, applications can be connected with Keycloak through the interactive_setup.sh.
Keycloak supports a second login factor.
The only built-in second factor ist OTP using a Authenticator app.
This can be enabled by editing a specific user in the Keycloak "Administration Console" and adding the Configure OTP in the "Required user actions".
It can also be activated for everyone by changing the Browser - Conditional OTP in the used Browser flow from Conditional to Required.
Through 3rd party libraries OTP via Email is supported. This also comes with the option to trust the device for a configured time period (during which you do not have to enter the OTP when logging in).
To enable this feature visit <KEYCLOAK_URL>/admin/master/console/#/<REALM>/authentication/.
If you created this realm using a recent version of the realm_config.json then you should find a flow with the name Email 2FA.
Click on the 3 dot menu on the right of this flow and select Bind flow and select Browser flow.
After saving, when trying to log in to the app you should be asked to enter the OTP which has been sent to the email that is associated with the username.
If you don't see the Email 2FA flow you have to configure it manually.
- Click on the 3 dot menu of the
browserflow and select duplicate - Enter
Email 2FAas name - Delete the last two steps (
Condition - user configuredandOTP form) - Click on the
+button in the last row (Email 2FA Browser - Conditional OTP) - Select
Add condition, there selectCondition - Device Trustedand clickAdd - On the new step (
Condition - Device Trsuted) click onDisabledand change it toRequired - Click on the cog icon next to
Requiredand entertrusted-configasAliasand clickSave - Again click on the
+icon forEmail 2FA Browser - Conditional OTP - Select
Add step, there selectEmail OTPand clickAdd - Change
DisabledtoRequiredforEmail OTP - Again click on the
+icon forEmail 2FA Browser - Conditional OTP - Select
Add step, there selectRegister Trusted Deviceand clickAdd - Change
DisabledtoRequiredforRegister Trusted Device
Now the flow is configured correctly, and you can start using it the same way it has been described above.
In the step Email OTP you can configure the amount of seconds for which an OTP is valid and in the Register Trusted Device step you can configure how long a device will be trusted (e.g. P30d for 30 days or PT24h for 24 hours).
There are many ways in which the authentication flow can be configured. For example, you could also add the trust device step to the OTP with authenticator app, or you could make the user decide which OTP (email or app) should be used. Consult the Keycloak docs for ways to edit flows or configure new ones.
It is possible to calculate reports for the app's data using SQL queries. For details information, check our Report documentation
(e.g. with TolaData)
- Enable the reporting backend:
- add
aam-backend-serviceto you COMPOSE_PROFILES .env variable to activate that container in the docker compose:COMPOSE_PROFILES=replication-backend,aam-backend-service - add
AAM_BACKEND_SERVICE_URL=http://aam-backend-service:3000to the .env file that feeds into the docker-compose.yml - add an
application.envfor the backend (config/aam-backend-service/application.env) --> see aam-services README - (re-up the docker compose and confirm the new containers are running)
- add
- Create a "client" in Keycloak for login credentials:
- Log into Keycloak and open the "Clients" section of the realm
- Create a new client (type: OpenID Connect; Client authentication: On)
- In the "Credentials" tab of the new client, copy the client secret
- For integration with TolaData:
- In TolaData, navigate to Data Tables or User Profile and add Aam Digital credentials (customer_id: the realm / url prefix of the Aam Digital system; client id/secret: from Keycloak)
- Create
ReportConfig:entities- the API / backend reports only support the
"mode": "sql" - for details on report definitions, see https://aam-digital.github.io/ndb-core/documentation/additional-documentation/how-to-guides/create-a-report.html
- the API / backend reports only support the
If you just want to use ndb-core through docker, you should not have to build the image yourself. Use the pre-built image on Docker Hub aamdigital/ndb-server.
The Dockerfile to build the image are part of the ndb-core repository.
See the /build sub folder there.
The image builds upon a simple nginx webserver and modifies the configuration to include a reverse proxy for the domain.com/db URLs to access the CouchDB database from the same domain, avoiding CORS issues.