Yeah, so we want to go through the scripts. I know Gerald actually did the installation with the scripts last week, and I got feedback on the Telegram channel about a few items that he asked me to check. So today I'm going to do the setup, the installation, using the Ansible scripts, and I'll do that in two steps. One is to give a brief overview of the scripts: how they look, how I have the roles and tasks organized, and what we are supporting right now and what we are not supporting yet. Then we go to a server, SSH into it and do an installation together live with the screen shared. So I'm going to share my screen now. Meanwhile, are you able to see my screen? Yes, we can. I'm not on the right window. So we're going to navigate into the project directory. This is where we have the repository for the DHIS2 server tools. This repository has a structure: it has a deploy folder, a docs folder, a README file and an Ansible configuration file. We have our deployment scripts within the deploy folder, and then the documentation. We can check what is in the documentation real quick. You notice that we have README files and MD files, Markdown files. The end goal is to have guidance within these documents. For instance, if we talk about monitoring, what are we monitoring and which tools are we using. And also to give more information on PostgreSQL tuning and much more. So we aim at having documents on all of those in this folder, and of course there's the README file here. This file has the step-by-step installation. It looks like this. It's just giving us the step-by-step guide on how you can go about doing the installation of the app with the Ansible scripts: prerequisites and things that you need to do during the installation process. So within the deploy directory is where we have our deployment code.
We organize the deployment code into Ansible roles. If I check inside roles, we have the dhis2 role, the firewall role, the integration role, then the LXD init role, and down to proxy. The dhis2 role is used to deploy the DHIS2 WAR file. Before that, there are some things that you need to do before you deploy the WAR file, such as setting up Tomcat, installing Java and fixing security, or rather applying security practices for the Java installation and even the Tomcat installation. Then this firewall role is related to locking down the containers that you create, or rather locking down the servers that you have, and opening only the ports that are required to be accessible from the network, and not even from the whole network per se, but only from where they are required to be accessed from. For instance, for the DHIS2 container or server, you just need to open port 8080 for Tomcat requests, rather the connection to the Java application, which is the DHIS2 application, if you're using port 8080; otherwise you need to open the ports that you're using for Tomcat to listen on. And if it's a separate server running somewhere else, then you need to also open SSH for management purposes, and also, at the end of the day, if you're deploying your script over SSH, then it means the underlying connection that Ansible uses is going to be SSH. Then we also need to support integration tasks, or rather an integration container: we want to create a container that is reserved for integration purposes. Sometimes you want your DHIS2 application API to be consumed by some other application, or you want DHIS2 to be able to work with some other application, and you need some integration scripts or applications to be running within an integration container. So that is going to be handled with this module, or rather role. And then there's LXD init.
If you're setting up your Ansible on a single server, then at the end of the day you're going to have it running within LXD containers, and you want to initialize LXD. That one is automated here. You could initialize LXD with an interactive session where you just run lxd init and then set up the variables manually in an interactive manner. However, that can also be automated with an LXD preseed configuration predefined beforehand, and that is what we are doing here. We want the user to not have to be interactive; we want this automated with less user interaction. That's why we're using LXD init. Then monitoring is ensuring that all the containers that you have, or rather the servers if you're using a distributed environment, all those components that you have for your DHIS2 instance, are being monitored using Munin. We also think of supporting other monitoring tools in future, like Zabbix, and even more. Then there is the postgres role; that one is geared towards deploying the Postgres container and doing tasks that are related to the Postgres setup. And finally proxy. The proxy is also very important in our deployment process, because at the end of the day, to access our apps we go through the proxy. Right now, as much as we want to support Apache2 and Nginx, what we have implemented already is Nginx, and next is to make sure that we also have support for Apache2. So those are the roles that we have right now. As time goes by, we might add other roles depending on the need, and we will also add custom libraries if need be, but right now we don't have libraries here. We just have roles, and maybe in future we want to organize further and have the inventories and even the playbooks within their own directories. So right now this is how it is set up, but it's going to change if need be in future.
I want to also mention that the supported Ansible version is 2.11, because we also want to use community.general modules like the ufw module. We want to support the lxd_container module; it's the module that we use to create LXD containers. If I display one of the Ansible scripts that we have that creates a container, you notice that we are using community.general.lxd_container. This module comes with the community.general collection. You need to have the community.general collection installed with your Ansible for it to work. This is just one of them, but there are other modules like ufw; the ufw module is also included within the community.general collection. So for the community.general collection to work, you need Ansible version 2.11 and above. That means in your setup environment you have to make sure that you have that version of Ansible or an even newer version. For instance, on Ubuntu 18.04, even if you install Ansible from the PPA, I mean from the official Ansible repository, it will get you 2.9; the latest version supported there is 2.9. So that means if you are running on an Ubuntu 18.04 server, then you need to think of other ways of installing Ansible that will give you the very latest version, like using pip3. However, on Ubuntu 20.04 and 22.04, the official PPA for Ansible is going to give you the latest version of Ansible out of the box. So we're going to set it up. I want us to set up Ansible, sorry, I want us to set up DHIS2 afresh on a server somewhere. For you to be able to do that, the first thing that you need is the server, of course, either 18.04, 20.04 or 22.04. Number two is your ability to connect to that server: if you have a physical console, if you have SSH, then you need to at least have a connection to that server.
Then the server for now needs to have internet, to make it easier to install Ansible. There are other ways that you could install packages without internet, but right now we are using the internet to pull our packages to install Ansible. And even at the end of the day, when you run Ansible, it pulls the DHIS2 image, the DHIS2 WAR file, from the official site, and that needs internet. So, number three, let's just follow the installation script, sorry, the README file. This is it. That means we need a fully qualified domain name and then at least an Ubuntu server. Well, the SSL certificate is not a requirement; you don't need to have that file physically on the server, because you can as well use the script for that. And then internet access on the servers, of course, and if you're going to install Ansible this way, not using pip3, then you're going to need the Ubuntu 20.04 or 22.04 version of Ubuntu server. So let's SSH to the server. Right now there's no container running. It's not very clean, but there's no DHIS2 installed here. So I want to delete this, so that we can just follow and do a completely fresh installation. So we're going to delete this folder. Before you do the installation, you need to pull the deployment script from GitHub, and that is done with git. This is the project from GitHub; it's findable online. That basically pulls the project into the server that you want to do the deployment into. Then you need to navigate to the deployment, I mean the DHIS2 server tools directory. That's where you're going to have the README file. This is a file that is also findable online that you could follow during the installation process. So for deployment, if you want to start the deployment, you need to do it from the deploy folder. And you need to first edit the inventory file, the inventory hosts file.
The very first 10 lines are really the containers, or rather how your script will be deploying your containers: it will have proxy, then it will have a databases group, then an instances group and then a monitoring group. Instances are the container instances that are going to be hosting the Java, or rather Tomcat, instances of DHIS2. Here it means we're going to have two instances of DHIS2: one called hmis and another one called training. If in your environment you just need to run one instance of DHIS2, then you don't need to have two, you just need to have one, and you can rename it to something else, like hmis for instance. That means it's going to deploy DHIS2 with that name. Then you're going to have another line that creates a monitoring container called monitor, and that is going to be hosting Munin, which at the end of the day is going to monitor your containers or even servers, depending on the environment. So one of the variables that we need before installation is the fully qualified domain name. You need to have a domain name that resolves to your server's public IP address. Here, the one that I have already is this one. And you need to have an email for Let's Encrypt notifications; for instance, if your certificate is expiring, then you need to get notified. So that is the email that you will need to key in here. It's used for Let's Encrypt notifications when the certificate is expiring; that is its main reason. So just put a dummy email like to@home. Yeah, but in a production environment it needs to be a working email, otherwise you would need to get those notifications in case your server certificate is expiring. So these are the variables down here.
You don't have to change them. If you want to have Munin monitoring your infrastructure, and you also want to at least monitor your application with it, then you need to leave these as they are. Then ansible_connection. This is another very important variable that you would change if your hosts up here are physical servers that you will be connecting to via SSH; then you need to change the connection to ssh from lxd. Supported connections are lxd and ssh. As I mentioned, lxd is if you want to set up the DHIS2 environment within a single server using the LXD connection; however, SSH is supported also. The options for proxy are nginx and apache2: nginx if you want to use the Nginx reverse proxy, and apache2 if your reverse proxy is going to be Apache2. Right now we have implemented Nginx. I'm going to write the scripts for Apache2 very soon; I've already started doing that. Also, the SSL type supported options are letsencrypt, which is the default. There's also custom SSL. For custom SSL you need to have your PEM files and key within a directory, for when you've procured your SSL certificate somewhere and you want to just use it; you don't want to use Let's Encrypt, so you're going to use custom SSL. Then there is upstream. Upstream is when you do not want SSL termination here; maybe you're doing it somewhere else. You just want to set up DHIS2 and you don't want to do anything with SSL at this point. And then there's also self-signed. No, there's a small suggestion while I'm looking at this. I wonder whether you should push the time zone up higher in the file, because most of the stuff down there you will just leave at the defaults. But the time zone is one of the ones that you are probably almost always going to change. So maybe stick it up with the FQDN and the email. Okay. Otherwise people might miss it in the file. Yeah, yeah. That's a small suggestion.
It's also one of the variables that changes most of the time, because people who set up DHIS2 will be sitting in different time zones. Yeah, so it's a good idea to give everything that's got sensible defaults and leave them at the bottom. Everything that's almost always going to change, put it near the top. Something else that we have on the list of the variables is the time zone, as Bob has mentioned; you want to set it to your time zone. The command that you can use to list the supported time zones is this one here. Also there is the LXD network. We've noticed in the past that sometimes your host network would overlap with this network. That means that your setup is going to have errors, because the network that you want for your LXD containers is overlapping with the network that you are sitting on on your host. So that is when you would need to change this; you definitely need to change this to something else, some other private IP address range. However, most of the time, we chose this kind of address block and we hope it's not going to overlap most of the time with the network that users will be having. Then this is just the LXD bridge interface. By default we are using lxdbr0 right now, but you can change that also. Say you have an older, existing LXD network, say lxdbr0, and you want to set up a fresh network for your DHIS2 environment; then you change this to something else so that it will not overlap with the older, existing network, if you want to have a completely separate network for your DHIS2 deployment. Then there is the guest OS. This is the OS that your containers will be running; right now it's Ubuntu 20.04, but you can also do Ubuntu 22.04. We don't support 18 at this point.
Also there's the architecture of your guest OS, amd64; this is the Intel version, and then there are also ARM-based systems, so you would want to change this to that architecture. If we quickly list images, lxc image list ubuntu, then you notice that the images support different architectures. There's the x86_64 architecture, there's armv7l. So it depends on your system really, the host that you are running. Most of the hosts are running this kind of architecture, x86_64. This is really the default, the one that we are supporting by default, and it is amd64. You might also want your instances, or rather, you might have two different instances writing to different databases. So if you have two databases, for instance you have postgres and something else, then the default is postgres, but you can also change it to something else if you have two databases up here. If you have, for instance, postgres1 on a different IP address, say .30, then you're going to have another instance of DHIS2, say, and you want it to write to a different database, say postgres1, like this. So that's also possible, so that you can have different DHIS2 instances writing to different databases. That comes in when people want to separate production databases and training instances of the databases. Then at line 46 is the DHIS2 WAR file. Because at the end of the day you want to deploy a WAR file, either from a file, if you have your WAR file within a directory, then you can just give the path to that directory, or if you want to download it online when you're doing the deployment, then you just need to give the URL to that WAR file link. And then of course the Java version that you want to run; right now we are defaulting to Java 11. And we want to create databases during the deployment.
Also, if you don't define this database host up there, it defaults to postgres, but that means you need to have a host defined there for the database. So after that, if you're doing your installation on a single server, then you need to use the lxd connection. At the end of the day, either way, if you are on a multiple server environment or a single server environment, you need to set up Ansible. To set up Ansible, on a fresh server environment you just need to update your server. You need to supply your server password. So this is going to install, I mean, update your packages, and then you need to upgrade; on a very fresh environment you will be having packages that need to be upgraded. One of the warnings that we are getting here is because Ubuntu 22.04 deprecated the support for custom PPA keys stored in the legacy trusted.gpg keyring; that's why you're getting these warnings. After that you need to add software-properties-common. So, I mean, just following this deployment guideline, you need to add software-properties-common. This is the package that helps you add custom repositories. So we'll install it; of course in my environment it's already set up, so it's already installed. That's why we get that this is already existing. Next is setting up Ansible, and we are adding the official PPA because we want to install the latest version of Ansible, 2.11 and above. That's why we are using this official PPA. Otherwise, if you just install Ansible without adding that PPA, then you might get a version that you don't want. After adding the repo, you need to install Ansible, and on this environment it is installed. If you check the Ansible version, you notice that the version that we have is 2.13.
So it's 2.11 and above; we are okay, we can now proceed with our installation. After you've set up Ansible in your system, remember if you are on a multiple server environment then you're going to do this on a deployment server, on a deployment instance. However, on a single server environment you're going to do this within that single server. After you've set up Ansible, you need to get the community.general collection: sudo ansible-galaxy collection install community.general. This will just pull the latest community.general collection. The -f means it's forcing: if this collection exists, it will delete it and get the new version. So this is also using the internet connection at the end of the day; you need to have good internet on your server. After that we now proceed to deploying DHIS2. We need to go to the deploy folder, and from there we run the Ansible scripts. This is taking a while. While that is taking a while, let's just go through this document. We have also already edited the inventory hosts file, and the very important things that you need to change are actually the fully qualified domain name, email address, ansible_connection and time zone, as Bob mentioned. After that you're good to go. So when this finishes here, we now have the community.general 6.10 collection; if it's installed successfully, then we need to now proceed with the installation. On an LXD environment, where you set up Ansible on a single server environment, you need to set up the LXD environment with the LXD preseed. Let's just go to the installation. We have our connection; it's the default, lxd. So we just need to run our playbook. Let's go to the installation bit, ansible_connection. After we are in the install directory, yeah, so we need to get to the install directory, and from there we run the LXD setup playbook. This playbook has a few components.
Let's just check. It has firewall. This one sets up rules on the host, ensuring that anything that hits port 80 is forwarded to port 80 on the proxy container, or anything that hits 443 is forwarded to your proxy container on 443. Then the LXD init module, or rather role, is going to set up your LXD automatically; you don't have to do that interactively. So it has two roles: one is firewall and the next one is LXD init. If we run this, sudo ansible-playbook with the LXD setup playbook, then it's going to run the tasks within those two roles. You're noticing that it's not changing anything because I had run this before. Things that we need to note are that, first of all, it's checking if your firewall is running. If it is not, this script is going to fail. Let me just disable the firewall and demonstrate that: sudo ufw disable, and then run this script again. You see, it's failing because the firewall is disabled. You need to at least have the firewall running and your SSH connection enabled. So I would enable the firewall once more. That means the firewall is enabled and our LXD setup is now going to succeed. Another thing is that after it checks the firewall status, it sets the default forward policy, because you want forwarding to be enabled, because traffic that hits port 80 on your host is going to be forwarded to the proxy container. So you want forwarding enabled in your firewall. Then you also want traffic to the LXD bridge not blocked by the firewall; that is the work of this task. Then you want to configure that forwarding from the host to the proxy container. Next is install LXD, because your containers are going to run on the LXD engine. So this task is going to install LXD. This one gets the setup info after it has installed LXD.
Then this line initializes LXD with the preseed configuration, and then it will restart the LXD engine to make sure that the configuration that you had in your preseed is taking effect. And finally, your environment will be set up. So right now everything is green because I have done the setup before, but on a fresh environment there will be a lot of changes here. Next we run the DHIS2 setup now, and it's running the roles. The first one is postgres, because we want to set up our database first before we set up other things like the DHIS2 web application, Munin and Nginx. So we are starting with Postgres. The tasks inside this playbook are creating the Postgres container, and then it will also include other tasks that are related to installing Postgres within the container. We are adding Postgres 13 in our case, and we are adding the custom apt repository from official Postgres, because with that we're going to get the version that we really want. Otherwise with Ubuntu systems, if you have Ubuntu 18.04, then you will get Postgres 10. If you are on Ubuntu 20.04, you get Postgres 12. If you are on Ubuntu 22.04, which is the latest, you get Postgres 14. So if you want Postgres 13, which is the currently supported version for DHIS2, then you need to add the official apt repository from Postgres. With that you can install any version that you want, including even the very old versions like Postgres 9. That is why we do this; with this now we can get the Postgres 13 version. After that, it ensures that the Postgres service is running, and then this is a warning, because the check Postgres version task is switching user behind the scenes. It's switching to the postgres user and then it checks the version without the need for a password. What the Ansible script is doing here is switching to the postgres user within the container and then checking the Postgres version.
That is why it's creating this temp directory. This is the working directory of Ansible on the remote host, and this is the warning that its permission is 0700, meaning it is very strict; it's allowing access only by that user, the postgres user, and you might want to have other users able to write to that file. That's why you're getting this one. Then the created Postgres container is locked to being only accessible on localhost. So what's happening here is it's editing that file, ensuring that it's open to access from the DHIS2 instance. It reads the instances from the inventory file, and it knows that we have one instance, and we need to allow its IP at least to be able to access Postgres from the network. Then you want your Postgres instance to be able to listen on the LXD network also, otherwise it will not be accessible from the network. Then this is another line that ensures that Postgres is running a firewall. Let me just log into the server and we can check that as we are talking about it. This is true. Yes, true. It ensures that Postgres has the firewall running and it's allowing access from hmis only. Then it's restarting the Postgres service. That is to make sure that the configuration changes here take effect, because some of them need a restart of Postgres. Next is creating the LXD containers for the instances now. Let's just quickly list the instances that we have, with lxc list. You notice that now we have hmis running, we have postgres running. It's creating this; it's in progress. If I get into the LXD postgres container, you notice that we have the firewall running, and it's only allowing access from the hmis instance. If we had two instances, we would see two lines here. So that is what I was talking about here. Then this script is also going to create...
The next module now. The next module is dhis2. This is related to creating DHIS2 containers and running tasks that are specifically for DHIS2, like installing Tomcat, installing Java, and now deploying the WAR file into those containers, and running the firewall. I'm going to go through those tasks one by one. This is just creating the LXD container. Then this is now running tasks inside that LXD container. First, it checks if the dhis.conf file exists. If it does not exist, then it means it's a fresh install, and that is why it needs to generate a random Postgres password and create the instance database role. You notice that this is delegated to the postgres container. So it's connecting to the postgres container and creating the DHIS2 database role, creating the DHIS2 database, and then creating even the database extensions: PostGIS, btree_gin and pg_trgm. After that, now it's installing Java, Tomcat and zip. We need zip to be able to extract the WAR file into the webapps directory. We also need to clean the webapps directory, ensuring that we don't have the defaults. When you install Tomcat, it comes with defaults like the ROOT default site. So we're cleaning it to ensure that it's having nothing at all. Then we are creating those directories again here. We're creating the /opt/dhis2 directory and even adding the dhis.conf file, with the password and stuff, and even the database we are connecting to. So if you're noticing, the dhis.conf that we're going to have will reflect all those configurations that we want, because this is a Jinja2 file taking the variables from wherever they were defined, and then also server.xml. This is customized to ensure that it meets the best security practices that we want, even the Tomcat 9 systemd service; there are some things that we are overriding to ensure that we are getting the best security. So these are mostly security practices, hardening, so to speak.
Just a quick time check: you've got about eight minutes left now, I think, if you want to leave a little bit of time for questions. Yeah, okay. So this is an archive thing now; at the end of the day, it will finish the installation, go to the next role, which is now proxy, setting up the proxy and the roles that are related, like certbot and the Nginx site. And finally, it's working on monitoring, because we want to monitor our environment with Munin. So there are things that are repeatable, like the firewall; we want to have the firewall running in all our containers. We also want to ensure that we have configurations, so those things are repeatable, and there are some other tasks that are specifically related to some containers, like things to do with the proxy; Nginx is going to be running only on the Nginx proxy, on proxy. So if we get to the server and check the containers that we have right now, we're going to have hmis, this is the DHIS2 instance; monitor is the monitoring instance; postgres is the database; and proxy is now the entry point. And right now it's finishing. This is even a table, so it's finished; it set up those four containers. The way it's set up means that when you go to the inventory hosts, when you go to your domain, then you should have the service running there. Right now. Tico, good morning. Morning. Just one quick question. Would it not be possible, just with one command, when you enter the command, to install all these things for you directly, and later you can do your own configuration? Yes, that is what I'm working on. If you check this deploy.sh file, it's going to do that behind the scenes: it's going to set up this environment, install the community.general collection, and then trigger the playbooks. You don't have to do that manually.
So this is what I'm working on; I'm actually right now testing, ensuring that it supports this first part, and it's okay. I'm working on testing the second part, which is going to be using the SSH connection if your environment is a multiple server environment. So this is what I'm working on right now. Yeah. And also I'm confused about one thing, like this port 8022. What is the difference between the two? Is it that when you use port 8022 hackers cannot hack you, or they can still hack you? What is different? You mean the SSH port? Yeah, like 8022 and also 22. Okay, so normally we want to avoid defaults when we're exposing ports to the internet. The SSH default port is 22. So when somebody wants to hack you, they already have another piece of information if you're using default ports like 22, and they'll now start trying their combinations; they already have the port. However, if you use a different port, say 8022, then they need to first figure out where the port is before they start, unlike with the default. Yeah. There's a very big caveat there. I think it's a good idea to move the port; it just reduces the number of casual drive-by attacks, but you've got to be really careful not to change the port to something above 1024. The ports below 1024 are privileged ports. If you listen for your SSH on port 8000, then it does mean that an unprivileged user could masquerade as your SSH service and in theory could, I don't know, collect credentials or what have you. So yeah, by all means change the port, but never change it above 1024. Okay, all right. Thank you. But it's not necessary. I mean, in terms of the degree of hacking, you're not really getting any extra protection by moving the port. You're just going to get less noise in your log file; you're less likely to be hit by a casual bot. But anyone who really wants to find you will find you. Yeah. Yeah. Sorry. Sorry, Tico.
So my question actually relates to after you put the domain. I don't want to actually put it... that you have not demonstrated. Yeah, right now that is a feature that we want to add in future. If you have two applications, hmis and say training, then first of all, before you think about that, you need to have two subdomains. You need to have two domains that are going to both listen on the root. Otherwise, if you have two applications, say hmis and something else, and you want that, then if you redirect everything to hmis, the other application that you have will not be accessible with the same subdomain. So if you have two applications running, you need to have two subdomains for that to be supported. However, if it's just one, then you can just edit the Nginx file or the Apache2 file, and we want to automate that with Ansible also. If we list the containers, we have this proxy, so you want to lxc exec proxy bash, sorry, and go to the Nginx configuration directory. So this is the site configuration. If you want to have a redirect, it's somewhere here. We just do that right now: everything that goes to / goes to hmis, then nginx reload. If you hit hmis dot, sorry, my domain name, just see: if you hit it, it should be redirected to hmis. Let's see. So there's just a line that you need to add. However, that means if I had another application here, it will just be redirecting everything to hmis, so you need to have two subdomains if you want to support two different applications. Now I understand. Yeah. Yes. So any other questions? It's 13 hours. Yeah, it's the top of the hour. So if we do not have other questions, then maybe we can call it a day. I think for me I'm fine. I don't know if there are others; probably look at the chat for the questions. Yeah, yeah, yeah. Yeah, yeah.
I'll take the comments on the chat, and also thank you for the feedback. Bob, I think Bob had to leave. Okay, I think we are good. Thanks everybody. Bye. Bye. Thanks very much. If you have any questions you can get back to me on the Telegram here. Okay. Okay.