OpenCRVS
v1.5

4.3.5.3 Ansible tasks when provisioning


Last updated 5 months ago

A number of automated tasks are run on your servers when the Ansible Provision action runs. It can be important to understand exactly what Ansible is doing to your servers to help you debug any issues or contribute any improvements to the process.

The Ansible tasks are located in infrastructure/server-setup/tasks.

Task file: application.yml
Purpose: Creates a directory on your server with the right permissions and manages application logs. The directory is /opt/opencrvs

This directory will store all OpenCRVS related application files required for deployment, such as the "infrastructure" folder containing the docker-compose files. The Deploy process copies these files to this location.

Task file: checks.yml
Purpose: Validates that some variables are defined properly in inventory files and Github Secrets.

Task file: data-partition.yml
Purpose: Using the DISK_SPACE secret and the ENCRYPTION_KEY secret, a LUKS encrypted directory partition is created to store all OpenCRVS data. The directory is /data

Task file: decrypt-on-boot.yml
Purpose: If your server reboots, the encrypted directory above must be decrypted and mounted. This file allows you to configure this and the location of the ENCRYPTION_KEY, which you could decide to place within a Hardware Security Module for best practice.

Task file: deployment-user.yml
Purpose: Adds the provision user to the "docker" group to allow it to be the deployment user used in the Deploy step.

Task file: docker.yml
Purpose: Installs Docker on the server. Logs into Dockerhub using the secret credentials and provisions cron jobs to delete stale Docker images from your server to save disk space.

Task file: elasticsearch.yml
Purpose: max_map_count (the vm.max_map_count kernel setting) is 65536 on many systems. However, Elasticsearch recommends setting it to at least 262144 to prevent out-of-memory exceptions.

Task file: fail2ban.yml
Purpose: Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall

Task file: mongodb.yml
Purpose: These steps prepare MongoDB for replication across multiple server nodes. They are used when your server cluster REPLICAS secret is higher than 1.

Task file: swap.yml
Purpose: Swap space is an area on disk that forms part of your machine's virtual memory, which combines the accessible physical memory (RAM) with the swap space. Swap holds memory pages that are temporarily inactive. It is used when your operating system needs physical memory for active processes and the amount of available (unused) physical memory is insufficient. Swap must be configured, and this step does that for you.

Task file: swarm.yml
Purpose: This task sets up Docker Swarm to load balance across a server cluster. It is used when your server cluster REPLICAS secret is higher than 1.

Task file: tools.yml
Purpose: Some of our Bash (shell) scripts, for example those for deployment and for backing up and restoring OpenCRVS, require libraries to be installed, such as Python pip and jq.

Task file: traefik.yml
Purpose: Traefik is a bit like NGINX. It is the main ingress controller in our stack and therefore requires access to some directories where the TLS/SSL cert files will be stored. This task creates the directories with the correct permissions. When installing or refreshing static TLS certs, this task needs to be edited.

Task file: ufw.yml
Purpose: This installs and configures your server firewall using ufw, closing all ports and only opening those required for Docker Swarm and SSH.

Task file: updates.yml
Purpose: This task installs and configures the unattended-upgrades package with the intention of keeping your current version of Ubuntu automatically up-to-date. We don't guarantee that this works, but it should help you. You should always manually check that fixes for zero-day security vulnerabilities have been applied on Ubuntu. Maintaining your Ubuntu installation is outside the scope of OpenCRVS.

Task file: users.yml
Purpose: This task creates all the user accounts listed in your inventory files, disables password and root access, and installs and configures SSH key authentication with Google Authenticator 2FA.

Task file: backups/crontab.yml
Purpose: Configures the scheduled cron jobs to back up and restore OpenCRVS in production.
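As an added example (not part of the OpenCRVS documentation or playbook), the banning rule that fail2ban.yml relies on, run over a constructed auth.log excerpt: the regex mirrors the line shape fail2ban's sshd filter matches, maxretry and findtime carry fail2ban's default names and values, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# The sshd line shape fail2ban's default "sshd" filter matches; the syslog
# timestamp is captured so failures can be counted inside a time window.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def find_bans(lines, maxretry=5, findtime=600, year=2024):
    """Return {ip: datetime of ban} for IPs with maxretry failures within findtime
    seconds, the same sliding-window rule fail2ban applies before it adds a
    firewall rule. Once banned, further lines from that IP are ignored."""
    attempts = defaultdict(list)
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m or m.group("ip") in banned:
            continue            # not a failed login, or already banned
        ip = m.group("ip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        # keep only failures that fall inside the window ending at this one
        attempts[ip] = [t for t in attempts[ip] + [ts] if (ts - t).total_seconds() <= findtime]
        if len(attempts[ip]) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed auth.log excerpt: 203.0.113.7 fails 5 times in 8 seconds (banned),
# 192.0.2.9 fails 5 times spread over 20 minutes (outside a 600 s window, not
# banned), and a key-based login from 198.51.100.20 is not counted at all.
SAMPLE_AUTH_LOG = """\
Jan 10 08:00:01 crvs-node1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 08:00:03 crvs-node1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 10 08:00:05 crvs-node1 sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 10 08:00:06 crvs-node1 sshd[1206]: Accepted publickey for provision from 198.51.100.20 port 40012 ssh2
Jan 10 08:00:08 crvs-node1 sshd[1208]: Failed password for invalid user test from 203.0.113.7 port 51050 ssh2
Jan 10 08:00:09 crvs-node1 sshd[1210]: Failed password for invalid user oracle from 203.0.113.7 port 51061 ssh2
Jan 10 08:10:00 crvs-node1 sshd[1300]: Failed password for provision from 192.0.2.9 port 40020 ssh2
Jan 10 08:15:00 crvs-node1 sshd[1310]: Failed password for provision from 192.0.2.9 port 40021 ssh2
Jan 10 08:20:00 crvs-node1 sshd[1320]: Failed password for provision from 192.0.2.9 port 40022 ssh2
Jan 10 08:25:00 crvs-node1 sshd[1330]: Failed password for provision from 192.0.2.9 port 40023 ssh2
Jan 10 08:30:00 crvs-node1 sshd[1340]: Failed password for provision from 192.0.2.9 port 40024 ssh2
"""

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"ban {ip} (5th failure at {when:%H:%M:%S})")
```

Widening findtime or lowering maxretry in the call shows how the same log produces different bans, which is the trade-off you tune in the jail configuration.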
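A second added example (again not from the OpenCRVS repository) that audits the sshd_config state users.yml is meant to leave behind: no root or password login, public-key authentication, and the keyboard-interactive PAM step that Google Authenticator 2FA needs. The EXPECTED values are an assumption about the playbook's intent, and both configs are constructed samples.

```python
# Baseline a provisioned server should show after users.yml. The exact values the
# playbook writes are an assumption; compare against the task before relying on it.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",
}
# Older OpenSSH releases spell the keyboard-interactive switch differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    """Effective global settings: sshd keeps the FIRST value it sees for a keyword,
    so duplicates must not overwrite, and a Match block ends the global section."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        key, value = (line.replace("=", " ").split(None, 1) + [""])[:2]
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            break
        effective.setdefault(key, value.strip())
    return effective

def audit_sshd_config(text):
    """Deviations from EXPECTED; unset keys count too, so hardening is explicit."""
    got = parse_sshd_config(text)
    return [f"{k}: found {got.get(k, '<unset>')!r}, expected {v!r}"
            for k, v in EXPECTED.items() if got.get(k) != v]

# Constructed samples: a permissive default-style config and a hardened one.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication yes   # duplicate: sshd ignores it, the first value wins
Match User backup
    PasswordAuthentication yes
"""
```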