
Deployment in HKT (Production)

Requirements

Hardware

  • CPU: 16 cores
  • RAM: 32GB
  • Storage: 1TB
  • OS: Red Hat 9 with CIS Level 1 settings

Network

  • DNS: HKT applies the router’s DNS to the server
  • ASTRI’s account shall have sudo rights
  • Allow SSH from ASTRI CSA team’s IP range: 118.140.170.251/29
  • Allow external access to the server’s port 80 and 443
  • Domain name pointing to the server’s public IP
  • Reverse Proxy Setup with auto SSL Certificate Renewal (e.g., using Let's Encrypt)

Software

  • Tmux
  • Docker 28+ (with docker-compose)

sudo dnf install tmux

Release Package preparation

In the ASTRI environment

mkdir -p repo
cd repo
git clone https://gitlab.astricsa.cf/hkt-idps/backend-server
cd backend-server/api-server
git clone https://gitlab.astricsa.cf/hkt-idps/rules-generation
export API_IMAGE=idps-api-server:$(date --iso-8601=date | tr -d "-")
export API_IMAGE_FILE=$(echo $API_IMAGE | tr ":" "-").tgz
docker build -t $API_IMAGE .
docker save $API_IMAGE | gzip > $API_IMAGE_FILE

git clone https://gitlab.astricsa.cf/hkt-idps/deployment-server
cd deployment-server
git archive main -o deployment-server.tgz

# scp `$API_IMAGE_FILE` and `deployment-server.tgz` to HKT Server
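
An integrity check for the two release files, so that the server only loads what the build host produced. This is an added example, not part of the project's repositories; the manifest name release.sha256 and both function names are assumptions.

```bash
# Added example: SHA-256 manifest for the release artifacts.
# Function names and the manifest file name are hypothetical.

# Build host: write a manifest covering the given artifact files.
# usage: make_manifest <manifest> <file>...
make_manifest() (
    manifest=$1; shift
    : > "$manifest" || exit 1
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing artifact: $f" >&2; exit 1; }
        # Record base names only, so the manifest verifies in any directory.
        ( cd "$(dirname "$f")" && sha256sum "$(basename "$f")" ) >> "$manifest" || exit 1
    done
)

# Server: verify every artifact listed in the manifest, looking in <dir>.
# Fails on a hash mismatch, a missing file, or a malformed manifest line.
# usage: verify_manifest <manifest> <dir>
verify_manifest() (
    manifest=$(realpath "$1") || exit 1
    [ -s "$manifest" ] || { echo "empty or missing manifest: $1" >&2; exit 1; }
    cd "$2" && sha256sum --check --strict --quiet "$manifest"
)

# Build host, after `docker save` and `git archive`:
#   make_manifest release.sha256 "$API_IMAGE_FILE" deployment-server.tgz
# Server, before `docker load`:
#   verify_manifest ~/release.sha256 ~ && docker load < ~/"$API_IMAGE_FILE"
```

A manifest copied over the same channel as the files detects truncated or corrupted transfers; to detect tampering it has to reach the server by a separate trusted path or be signed.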

Backend Deployment

ssh astri@218.102.61.16

# allow access to 80 and 443
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

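# API_IMAGE_FILE is not set in this new shell; set it to the name of the
# image file copied from the build host before running this
docker load < ~/$API_IMAGE_FILE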

mkdir -p /opt/deployment-server/
cd /opt/deployment-server/
tar zxf ~/deployment-server.tgz

cp .env.example .env
# Update the Environment Variables in .env file

# start the backend
sudo docker compose -p idps-backend up -d

# stop the backend (only when it needs to be taken down)
sudo docker compose -p idps-backend down

SSH tunneling for Postgres

Set up a connection from the local machine to the server to access the remote service.
These steps are executed on the local machine.

# local port forwarding
# `localhost:5432` is the remote `127.0.0.1:5432`
ssh -fNT4 -L 5432:127.0.0.1:5432 astri@218.102.61.16

# DB available at
# postgres://{user}:{password}@localhost:5432/adaptive_idps?sslmode=disable

# stop local port forwarding
# find the ssh process
ps aux | grep 'ssh -fNT4 -L '
# kill the ssh process, using the PID from the output above
kill <PID>