Install ECIS on Azure

In this document the process is explained to install ECIS on Azure. To run ECIS the following services will be installed

Service	Role
App Service	App service in which the Docker container will run
Worker VM	Microsoft VM to run CLI processes and to host SOLR
MySQL	Azure Database for MySQL Flexible Server

App Service

The system will be deployed using GitHub Actions. Therefore, an action is created in .github/workflows/deploy.yml

name: Build and deploy container app to Azure Web App

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to registry
        uses: docker/login-action@v2
        with:
          registry: https://yourregistry.azurecr.io/
          username: ${{ secrets.AZURE_CONTAINER_REGISTRY_USERNAME }}
          password: ${{ secrets.AZURE_CONTAINER_REGISTRY_PASSWORD }}

      - name: Build and push container image to registry
        uses: docker/build-push-action@v4
        with:
          push: true
          tags: yourregistry.azurecr.io/ECIS/app:${{ github.sha }}
          file: ./.docker/php-nginx/prod/Dockerfile

  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: 'production'
      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}

    steps:
      - name: Deploy to Azure Web App
        id: deploy-to-webapp
        uses: azure/webapps-deploy@v2
        with:
          app-name: 'ecis-prod'
          slot-name: 'production'
          publish-profile: ${{ secrets.AZURE_PUBLISH_PROFILE }}
          images: 'yourregistry.azurecr.io/ecis/app:${{ github.sha }}'

Download the Publish profile from App service and save it as a secret in GitHub. The secret is called AZURE_PUBLISH_PROFILE, do the same for the Container registry username and password.

Make sure you connect the app service to the Virtual network and set the connection setting of SOLR_HOST to the internal IP of the worker VM

Worker VM

The worker VM is a Microsoft Virtual machine with the following specifications Choose Debian 11 as OS and let Azure choose the other default settings. The name can be ECIS-worker but any other name can be chosen as well. Let Azure also create a default VM user. The VM will be created in the same resource

Make sure "Delete public IP and NIC when VM is deleted" is checked. This will make sure the IP is deleted when the VM is removed

Networking and monitoring is not needed Make sure you download the key and save it in a safe place. This key will be used to connect to the VM. The following entry can be created in your .ssh/config

HOST ECIS
        HostName x.y.z.a
        IdentityFile ~/.ssh/your_key.pem
        LocalForward 8005 localhost:8983
        LocalForward 3007 database-server.mysql.database.azure.com:3306
        Port 22
        User azureuser

The database can now be connected via sql -u databasename -h 127.0.0.1 -P 3006 -p --ssl-ca=/users/username/.ssh/DigiCertGlobalRootCA.crt.pem

Install GIT, PHP (CLI), NGINX and Redis

sudo apt-get update && sudo apt-get upgrade

sudo apt-get install \
    git \
    ca-certificates \
    curl \
    gnupg2 \
    wget \
    lsb-release

Set timezone on CET

sudo timedatectl set-timezone Europe/Amsterdam

Install SOLR (version number might be higher, can be checked on the Solr Download page)

wget https:///dyn/closer.lua/solr/solr/9.8.7/solr-9.8.7.tgz?action=download
mv solr-9.8.7.tgz?action=download solr-9.8.7.tgz
sudo tar xzf solr-9.8.7.tgz solr-9.8.7/bin/install_solr_service.sh --strip-components=2
sudo ./install_solr_service.sh solr-9.8.7.tgz

Change SOLR, so it listens to all interfaces (and not only to localhost)

sudo nano /etc/default/solr.in.sh

Change the following settings

# Increase Java Heap as needed to support your indexing / query needs
SOLR_HEAP="4g"

# By default the start script uses "localhost"; override the hostname here
# for production SolrCloud environments to control the hostname exposed to cluster state
SOLR_HOST="0.0.0.0"

# Sets the network interface the Solr binds to. To prevent administrators from
# accidentally exposing Solr more widely than intended, this defaults to 127.0.0.1.
# Administrators should think carefully about their deployment environment and
# set this value as narrowly as required before going to production. In
# environments where security is not a concern, 0.0.0.0 can be used to allow
# Solr to accept connections on all network interfaces.
SOLR_JETTY_HOST="0.0.0.0"

Reboot the machine to reload all changes and to test if everything is working

sudo reboot

Prevent remote access from non-trusted IP addresses

Clone ECIS SOLR docker repository and reload SOLR (as solr user). Make sure you have set the SSH key as deploy key on the repository

sudo su && su solr
ssh-keygen #Upload the key as deploy key in Github to prevent API rate limits
cd /var/solr/data
git clone git@github.com:iteaoffice/solr.git
exit
sudo service solr restart

Install source code

Clone the Source code in /home/azureuser/ecis as azureuser

azureuser@ECIS-worker:~$ ssh-keygen #Upload the key as deploy key in Github grant access
azureuser@ECIS-worker:~$ mkdir /home/azureuser/ecis
azureuser@ECIS-worker:~$ cd /home/azureuser/ecis
azureuser@ECIS-worker:~$ git clone git@github.com:iteaoffice/main.git .
azureuser@ECIS-worker:~$ cd ecis
azureuser@ECIS-worker:~$ git checkout main
azureuser@ECIS-worker:~$ php composer.phar install --no-dev --prefer-dist

Create a config file /home/azureuser/ecis/config/autoload/production.local.php with the following content

<?php

declare(strict_types=1);

use Doctrine\DBAL\Driver\PDO\MySQL\Driver;

return [
    'doctrine' => [
        'connection' => [
            'orm_default' => [
                'driverClass' => Driver::class,
                'params' => [
                    'host' => 'host',
                    'port' => '3306',
                    'user' => 'user',
                    'password' => 'password',
                    'dbname' => 'database',
                    'driverOptions' => [
                        PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
                    ],
                ],
            ],
        ],
    ],
    'solr' => [
        'host' => 'localhost',
    ],
    'cache' => [
        'options' => [
            'server' => [
                'host' => 'localhost',
                'port' => 6379,
            ],
            'database' => 1,
            'namespace' => 'ECIS-worker',
        ],
    ],
    'application_options' => [
        'serverUrl' => 'https://path-to-server.net',
    ],
    'zfctwig' => [
        'environment_options' => [
            'cache' => false,
            'debug' => true,
        ],
    ],
];

Setup daily backup using file in backup script

Mysql

Choose Azure Database for MySQL Flexible Server and let Azure choose the default settings. The name can be ecis-prod

Connect the Database as extra service to the VLAN

14 July 2025