ls1intum · ole-ve · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025
@@ -63,6 +63,7 @@ Artemis components are installed on different hosts. Currently the following com
 - Artemis application servers (1..n - Also referred to as "Artemis node")
 - Reverse Proxy (1)
 - Message Broker (1)
+- JHipster API Gateway (1))
 - JHipster registry (1)
 - Shared Storage Provider (1)
 - Database (1)

@@ -62,6 +62,12 @@ servers:
 firewall_hostgroup: default
 proxy_forward_ssh: true
 
+##############################################################################
+# (API) Gateway
+##############################################################################
+gateway_build_version: # FIXME
+gateway_url: "[fcfe:0:0:0:0:0:b:1]" # Your gateway VM hostname (e.g., Wireguard IP)
+
 ##############################################################################
 # Broker and Registry Configuration
 ##############################################################################
@@ -70,7 +76,7 @@ is_multinode_install: true
 activemq_version: 2.31.2
 
 broker:
-  url: "[fcfe:0:0:0:0:0:b:1]" # Your broker VM hostname (e.g., Wireguard IP)
+  url: "[fcfe:0:0:0:0:0:b:2]" # Your broker VM hostname (e.g., Wireguard IP)
   username: brokeruser
   password: # FIXME: Set a secure password
   proxy:
@@ -79,7 +85,7 @@ broker:
     ssl_certificate_key_path: #FIXME privkey.pem
 
 registry:
-  url: "[fcfe:0:0:0:0:0:b:2]" # Your registry VM hostname (e.g., Wireguard IP)
+  url: "[fcfe:0:0:0:0:0:b:3]" # Your registry VM hostname (e.g., Wireguard IP)
   proxy:
     generate_dh_param: false
     ssl_certificate_path: # FIXME fullchain.pem

@@ -3,6 +3,9 @@ artemis-cluster-node1.example.com
 artemis-cluster-node2.example.com
 artemis-cluster-node3.example.com
 
+[artemis_api_gateway]
+artemis-api-gateway.example.com
+
 [artemis_cluster_broker]
 artemis-cluster-broker.example.com
 

@@ -19,3 +19,6 @@
 
 # Cluster Artemis Nodes
 - import_playbook: artemis-cluster-nodes.yml
+
+# Cluster (API) Gateway
+- import_playbook: artemis-cluster-gateway.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Setup API-Gateway
+  hosts: artemis_api_gateway
+
+  roles:
+    - role: ls1intum.artemis.gateway
+      tags: gateway
@@ -7,17 +7,13 @@
     - role: ls1intum.artemis.proxy
       vars:
         proxy_available_nodes:
-          - hostname: "[fcfe::a:1]"
-            weight: 1
-          - hostname: "[fcfe::a:2]"
-            weight: 1
-          - hostname: "[fcfe::a:3]"
+          - hostname: artemis-api-gateway.example.com # FIXME
             weight: 1
 
     - role: ls1intum.artemis.firewall
       tags: firewall
       vars:
-        firewall_hostgroup: proxy
+        firewall_hostgroup: proxy_gateway
         # Management Networks - used to allow SSH / HTTP access to Hosts and services
         management_network_ipv4: "{{ firewall_management_network_ipv4 }}"
         management_network_ipv6: "{{ firewall_management_network_ipv6 }}"

@@ -2,6 +2,7 @@
 artemis_version: 6.9.0
 is_testserver: false
 is_multinode_install: false
+is_multinode_docker_gateway_install: false
 
 artemis_server_url: https://artemis.ase.in.tum.de
 artemis_server_port: 8080

@@ -98,6 +98,17 @@
   register: config
   notify: restart docker artemis
 
+- name: Copy gateway env files
+  when: is_multinode_docker_gateway_install
+  become: true
+  template:
+    src: "templates/gateway.env.j2"
+    dest: "{{ artemis_working_directory }}/gateway.env"
+    owner: "{{ artemis_user_name }}"
+    group: "{{ artemis_user_group }}"
+    mode: 0660
+  register: config
+
 - include_tasks: generate_ssh_keys.yml
   when:
     - version_control.localvc is defined and version_control.localvc is not none

@@ -3,6 +3,9 @@ ARTEMIS_SSH_KEY_PATH='{{ artemis_ssh_key_path }}'
 
 ARTEMIS_ENV_FILE='{{ artemis_working_directory }}/artemis.env'
 {% if is_multinode_install %}
+{% if is_multinode_docker_gateway_install %}
+GATEWAY_ENV_FILE='{{ artemis_working_directory }}/gateway.env'
+{% endif %}
 {% for node_id in range(1, artemis_node_count + 1) %}
 ARTEMIS_NODE_{{ node_id }}_ENV_FILE='{{ artemis_working_directory }}/node{{ node_id }}.env'
 {% endfor %}

@@ -0,0 +1,4 @@
+EUREKA_CLIENT_ENABLED='true'
+EUREKA_CLIENT_SERVICEURL_DEFAULTZONE='{{ artemis_eureka_urls }}'
+EUREKA_INSTANCE_APPNAME='API-Gateway'
+EUREKA_INSTANCE_PREFERIPADDRESS='true'
@@ -23,7 +23,7 @@ monitoring_host_ipv6: "2a09:80c0:89:1::32"
 You have to configure a special varaible to select the firewall rule set which is applied:
 
 ```
-firewall_hostgroup:  # Can be 'registry', 'nodes', 'proxy' or left blank for default rules
+firewall_hostgroup:  # Can be 'registry', 'nodes', 'proxy' 'proxy_gateway' or left blank for default rules
 ```
 
 ## Example usage:

@@ -1,6 +1,6 @@
 wireguard_port: 51820
 
-firewall_hostgroup:  # Can be 'registry', 'nodes', 'proxy' or left blank for default rules
+firewall_hostgroup:  # Can be 'registry', 'nodes', 'proxy', 'proxy_gateway' or left blank for default rules
 
 # Management Networks - used to allow SSH / HTTP access to Hosts and services
 management_network_ipv4: "172.24.152.0/24"

@@ -0,0 +1,35 @@
+{{ ansible_managed | comment }}
+
+# Generated by iptables-save v1.6.1 on Thu Jun 20 10:00:00 2020
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p udp -m udp --dport 443 -j ACCEPT
+-A INPUT -i lo -m comment --comment "Allow lo interface" -j ACCEPT
+-A INPUT -i wg0 -m comment --comment "Allow wg0 interface" -j ACCEPT
+-A INPUT -p icmp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m comment --comment "Allow icmp" -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow existing connections" -j ACCEPT
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
+{% if wireguard_port is not none %}
+-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport {{ wireguard_port }} -m comment --comment "Allow wireguard" -j ACCEPT
+{% endif %}
+{% if monitoring_host_ipv4 is not none %}
+-A INPUT -s {{ monitoring_host_ipv4 }} -p udp --dport 161 -m comment --comment "Allow Monitoring" -j ACCEPT
+-A INPUT -s {{ monitoring_host_ipv4 }} -p tcp --dport 9100 -m comment --comment "Allow Monitoring" -j ACCEPT
+-A INPUT -s {{ monitoring_host_ipv4 }} -p tcp --dport 9104 -m comment --comment "Allow Monitoring MySQL" -j ACCEPT
+-A INPUT -s {{ monitoring_host_ipv4 }} -p tcp --dport 8080 -m comment --comment "Allow Monitoring Gateway" -j ACCEPT
+{% endif %}
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -m comment --comment "Allow HTTP" -j ACCEPT
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -m comment --comment "Allow HTTPS" -j ACCEPT
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 7921 -m comment --comment "Allow git SSH" -j ACCEPT
+COMMIT
+# Completed on Thu Jun 20 10:00:00 2020
+# Generated by iptables-save v1.6.1 on Thu Jun 20 10:00:00 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Thu Jun 20 10:00:00 2020
@@ -0,0 +1,35 @@
+{{ ansible_managed | comment }}
+
+# Generated by ip6tables-save v1.6.1 on Thu Jun 20 10:00:00 2020
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p udp -m udp --dport 443 -j ACCEPT
+-A INPUT -i lo -m comment --comment "Allow lo interface" -j ACCEPT
+-A INPUT -i wg0 -m comment --comment "Allow wg0 interface" -j ACCEPT
+-A INPUT -p ipv6-icmp -m comment --comment "Allow icmpv6" -j ACCEPT
+-A INPUT -p udp -d fe80::/64 -m conntrack --ctstate NEW --dport 546 -m comment --comment "Allow DHCPv6" -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow existing connections" -j ACCEPT
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
+{% if wireguard_port is not none %}
+-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport {{ wireguard_port }} -m comment --comment "Allow wireguard" -j ACCEPT
+{% endif %}
+{% if monitoring_host_ipv6 is not none %}
+-A INPUT -s {{ monitoring_host_ipv6 }} -p udp --dport 161 -m comment --comment "Allow Monitoring" -j ACCEPT
+-A INPUT -s {{ monitoring_host_ipv6 }} -p tcp --dport 9100 -m comment --comment "Allow Monitoring" -j ACCEPT
+-A INPUT -s {{ monitoring_host_ipv6 }} -p tcp --dport 8080 -m comment --comment "Allow Monitoring" -j ACCEPT
+{% endif %}
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -m comment --comment "Allow HTTP" -j ACCEPT
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -m comment --comment "Allow HTTPS" -j ACCEPT
+-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 7921 -m comment --comment "Allow git SSH" -j ACCEPT
+COMMIT
+# Completed on Thu Jun 20 10:00:00 2020
+# Generated by ip6tables-save v1.6.1 on Thu Jun 20 10:00:00 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Thu Jun 20 10:00:00 2020
@@ -0,0 +1,28 @@
+---
+artemis_jhipster_jwt: # FIXME
+artemis_jhipster_registry_password: #FIXME Multinode
+
+gateway_eureka_urls: "{% if registry.url is defined and registry.url is not none %}http://admin:${jhipster.registry.password}@{{ registry.url }}:8761/eureka/{% endif %}"
+
+gateway_build_version: # FIXME: Adjust to newest version
+gateway_url: # FIXME
+
+gateway_user_name: gateway
+gateway_user_gid: 1337
+gateway_user_group: gateway
+
+gateway_create_deployment_user: false
+gateway_deployment_user_name: deployment
+gateway_deployment_user_uid: 1338
+gateway_deployment_user_public_key: "" # FIXME
+gateway_deployment_user_comment: "User to deploy the gateway to this host"
+
+gateway_working_directory: /opt/gateway
+gateway_war_version: "{{ gateway_build_version }}"
+gateway_war_url: "https://github.com/ls1intum/API-Gateway/releases/download/{{ gateway_war_version }}/Gateway.war"
+
+##############################################################################
+# Java Setup
+##############################################################################
+
+openjdk_version: 21
@@ -0,0 +1,7 @@
+---
+- name: Restart Gateway
+  become: true
+  service:
+    name: "gateway"
+    state: "restarted"
+    enabled: true
@@ -0,0 +1,8 @@
+---
+- name: Download API-Gateway.war to {{ gateway_working_directory }}
+  become: true
+  get_url:
+    url: "{{ gateway_war_url }}"
+    dest: "{{ gateway_working_directory }}/gateway.war"
+    mode: '0644'
+  notify: Restart Gateway
@@ -0,0 +1,35 @@
+---
+- name: Create Gateway working directory
+  become: true
+  file:
+    state: directory
+    path: "{{ gateway_working_directory }}"
+    owner: "{{ gateway_user_name }}"
+    group: "{{ gateway_user_group }}"
+    mode: '0775'
+
+- name: Copy gateway.service systemd configuration
+  become: true
+  template:
+    src: gateway.service.j2
+    dest: "/etc/systemd/system/gateway.service"
+    mode: 0644
+  register: service
+  notify: Restart Gateway
+
+- name: Enable gateway service
+  become: true
+  systemd:
+    daemon_reload: yes
+    name: gateway
+    enabled: yes
+    masked: no
+  notify: Restart Gateway
+
+- name: Copy application.yml
+  become: true
+  template:
+    src: application.yml.j2
+    dest: "{{ gateway_working_directory }}/application.yml"
+    mode: 0644
+  notify: Restart Gateway
@@ -0,0 +1,7 @@
+
+- name: Install openjdk-{{ openjdk_version }}-jdk
+  become: true
+  apt:
+    name: "openjdk-{{ openjdk_version }}-jdk"
+    state: latest
+    update_cache: yes
@@ -0,0 +1,8 @@
+---
+- include_tasks: users.yml
+
+- include_tasks: jdk.yml
+
+- include_tasks: deploy_gateway.yml
+
+- include_tasks: gateway_configuration.yml
@@ -0,0 +1,42 @@
+---
+- name: Ensure gateway group {{ gateway_user_group }} exists
+  become: yes
+  group:
+    name: "{{ gateway_user_group }}"
+    gid: "{{ gateway_user_gid }}"
+    state: present
+
+- name: Ensure gateway user {{ gateway_user_name }} exists
+  become: yes
+  user:
+    name: "{{ gateway_user_name }}"
+    state: present
+    group: "{{ gateway_user_group }}"
+    uid: "{{ gateway_user_gid }}"
+
+- name: Ensure deployment user {{ gateway_deployment_user_name }} exists
+  become: yes
+  user:
+    name: "{{ gateway_deployment_user_name }}"
+    comment: "{{ gateway_deployment_user_comment }}"
+    state: present
+    uid: "{{ gateway_deployment_user_uid }}"
+    group: "{{ gateway_user_group }}"
+  when: (gateway_create_deployment_user | bool)
+
+- name: Ensure (limited) sudo privileges for user {{ gateway_deployment_user_name }}
+  become: yes
+  template:
+    src: gateway_deployment_sudoers.j2
+    dest: /etc/sudoers.d/gateway_deployment
+    validate: 'visudo -cf %s'
+    mode: 0440
+  when: (gateway_create_deployment_user | bool)
+
+- name: Authorize ssh-key for deployment user
+  become: yes
+  authorized_key:
+    user: "{{ gateway_deployment_user_name }}"
+    state: present
+    key: "{{ gateway_deployment_user_public_key }}"
+  when: (gateway_create_deployment_user | bool)
@@ -0,0 +1,25 @@
+eureka:
+  client:
+    enabled: true
+    service-url:
+      defaultZone: "{{ gateway_eureka_urls }}"
+  instance:
+    appname: API-Gateway
+    preferIpAddress: true
+    instanceId: Gateway:1
+    ip-address: "{{ gateway_url }}"
+
+jhipster:
+  security:
+    authentication:
+      jwt:
+        base64-secret: {{ artemis_jhipster_jwt }}
+        token-validity-in-seconds: 259200                   # Token is valid 3 days
+        token-validity-in-seconds-for-remember-me: 2592000  # Token is valid 30 days
+  registry:
+    password: {{ artemis_jhipster_registry_password }}
+
+management:
+  endpoint:
+    gateway:
+      access: unrestricted # change to ADMIN (requires username and password)