Vanilla Installation

Requirements

The latest stable GNU Health Hospital Management component uses these resources:

• Operating system: GNU/Linux or BSD family (FreeBSD, openBSD, …) for the server.

• RDBMS Database: PostgreSQL >= 12.x

• Python: >= 3.6 (highly recommended => 3.9)

• uWSGI: >= 2.0

• Tryton 6.0

• Bash console

• PIP for Python3

Errata

Before you continue, please read the Errata chapter for the latest issues involved the installation or upgrade procedure.

Installing GNU Health on GNU/Linux and FreeBSD

Operating System requirements

The following table contains the instructions to setup your operating system for a standard GNU Health installation. The operating systems and their version shown in the list have been tested using the instructions for each OS.

The installation instructions for the different operating systems and distributions have been done on a fresh installation. For simplicity’s sake, the server environment was installed without a GUI. No firewall was configured (we will cover this on the security section), and OpenSSH server was installed.

The instructions – written here – have been applied and verified with the following operating systems as shown below.

Warning

Verify that you are using the operating system version documented on the following table

Operating System	Version	Link	Notes
FreeBSD	FreeBSD 14.0	FreeBSD
Debian	12 (Bookworm)	Debian
Void Linux	Rolling	Void Linux
PureOS	10.3 (Byzantium)	PureOS
openSUSE	Leap 15.5	openSUSE
Ubuntu	22.04 LTS	Ubuntu

Encrypting the GNUHealth database and attachment filesystem

The data stored in the database and attachment directory should be encrypted. You can encrypt the filesystems containing the PostreSQL datafiles (PGDATA) and the gnuhealth administrator $HOME directory. The attachment directory is specified by the “path” entry on the trytond.conf file, and it defaults to “/home/gnuhealth/attach”).

It’s advisable that you use block device encryption, such as LUKS in GNU/Linux. If you use ZFS (most BSD systems), it delivers native filesystem encryption.

Setting up Network Time Protocol (NTP)

In order to properly run GNU Health, you need to make sure that the time on both the server (database and central instance) and clients are properly set and in sync. The best way to do this is to keep your clock synchronized with a NTP Server .

This is a critical step, not only for the smooth functioning of GNU Health, but also because many documents will have a timestamp associated with them that can have legal value.

Creating the Operating System User

Warning

Do this step only if you didn’t create the user during the installation of the operating system.

The following steps will create the GNU Health operating system user. Please note that many operating systems give you the option to create a regular user at installation time. If you already created the “gnuhealth” operating system user, you can skip this section, otherwise, create it now.

Run the following command as root:

# adduser gnuhealth

Note

If your Operating System doesn’t include the adduser command, you can use the useradd command:

# useradd -m gnuhealth

Verify PostgreSQL authentication method

Note

You can skip this section if you made a standard installation on FreeBSD

PostgreSQL uses different authentication methods (MD5, ident, trust … ). Depending the Operating System, the postgreSQL server authentication method will vary.

The standard GNU Health installation uses the peer authentication method, so you need to check the postgreSQL authentication file configuration.

Locate the pg_hba.conf file and verify that the peer method is set. The location of this configuration file varies across operating systems; under UNIX/Linux, the full pathname of the file can be obtained with the

following command, to be executed as root:

# su - postgres -c "psql -t -P format=unaligned -c 'show hba_file'"

You may need to start the postgres server at least one time as this file may be created during first startup.

An example configuration file entry specifying use of the peer method is given in the following line:

local all all peer

The following example in particular may address issues with establishing a working database connection as reported in the context of the creation of the GNU Health database upon first use of the Tryton client (see further down; Symptom: the “Create” button is not displayed):

host all all 127.0.0.1/32 peer
host all all ::1/128      peer

Make sure you edit the file as user ‘postgres’, not root. Otherwise, postgres may have trouble reading the changed file. After any changes to the file, the postgreSQL server needs to be restarted.

Many authentication errors (e.g., database connection errors) arise because of not having correctly configured this file. You can use other authentication methods, and you can adapt the tryton / GNU Health configuration file to each of them. For the sake of simplicity, we based the documentation and sample files in this book on one specific method (trust).

Make sure you restart your postgresql server:

# service postgresql restart

Creating the Database User

The following command switches to the postgres administration user and gives permissions to your newly created gnuhealth administrator:

Execute as root:

# su - postgres -c "createuser --createdb --no-createrole --no-superuser gnuhealth"

Downloading and Installing GNU Health

Warning

Do the following steps with your newly created gnuhealth user, do not use root.

Running the GNU Health Installer

Become user gnuhealth

# su - gnuhealth
$ cd $HOME

Download GNU Health from GNU.org

$ wget https://codeberg.org/gnuhealth/his/releases/download/v4.4.0/gnuhealth-4.4.0.tar.gz

Verify the package signature

First get the signing key if you haven’t done so:

$ gpg --recv-key  --keyserver  keyserver.ubuntu.com 0xC015E1AE00989199

The key is issued by Luis Falcon (meanmicio at GNU) <falcon@gnu.org> and its fingerprint is ACBF C80F C891 631C 68AA 8DC8 C015 E1AE 0098 9199. This information can be seen issuing:

$ gpg --with-fingerprint --list-keys 0xC015E1AE00989199

Then, verify the signature, using the matching version number for the latest. For instance, if latest GNU Health version is 4.4.0, then

Download the detached signature:

$ wget https://codeberg.org/gnuhealth/his/releases/download/v4.4.0/gnuhealth-4.4.0.tar.gz.sig

Verify the package using the detached signature. If the file is correctly validated, the output should be something like:

$ gpg --verify gnuhealth-4.4.0.tar.gz.sig gnuhealth-4.4.0.tar.gz
gpg: Signature made Sat Dec 23 22:45:42 2023 WET
gpg:                using RSA key ACBFC80FC891631C68AA8DC8C015E1AE00989199
gpg: Good signature from "Luis Falcon (PrecisionMed) <falcon@precisionmed.eu>" [ultimate]
gpg:                 aka "Luis Falcon (GNU Health) <falcon@gnuhealth.org>" [ultimate]
gpg:                 aka "Luis Falcon (GNU) <falcon@gnu.org>" [ultimate]
gpg:                 aka "Luis Falcon (GNU Health) <lfalcon@gnusolidario.org>" [ultimate]

The important part is the Good signature from “Luis Falcon ….”. The WARNING means that, even if the file and signature are OK and validated correctly, you aren’t trusting that key; and it’s OK. You can read more about this in The GNU Privacy Handbook, Chapter 3. Key Management.

Uncompress GNU Health HIS package

$ tar xzf gnuhealth-4.4.0.tar.gz

Change to the GNU Health installation directory matching your version

$ cd gnuhealth-4.4.0

Download the latest GNU Health installer

$ wget -qO- https://codeberg.org/gnuhealth/his/releases/download/v4.4.0/gnuhealth-setup-4.4.0.tar.gz | tar -xzvf -

Run the GNU Health Installer

$ bash ./gnuhealth-setup install

Enable the BASH environment for the GNU Health admin

Finally, enable the BASH environment for the gnuhealth user.

$ source ${HOME}/.gnuhealthrc

Activate Network Devices for the JSON-RPC Protocol

The Tryton GNU Health server listens to localhost at port 8000, not allowing direct connections from other workstations. If necessary, enter the following:

$ editconf

You can edit the parameter listen in the [web] section, to activate the network device so workstations in your net can connect. For example, the following block

[web]
listen = *:8000

will allow to connect to the server in the different devices of your system.

Setting up a Local Directory for Attachments

By default, Tryton uses a system-wide directory to store the attachments. It is advisable, in GNUHealth to keep the attachments in the gnuhealth user space.

If necessary, edit the server configuration file trytond.conf and enter the attach directory under the [database] section, for instance:

$ editconf

[database]
path = /home/gnuhealth/attach

Since debian systems connect to database over a UNIX socket, add an extra / under the [database] section, for instance:

[database]
uri = postgresql:///localhost:5432

Configuring the log file (optional)

The way the server logs and tracks events is based on a log configuration file, that resides in the config directory "${GNUHEALTH_DIR}"/tryton/server/config/.

A default version is shipped, called gnuhealth_log.conf. If necessary, enter the following into gnuhealth_log.conf:

[formatters]
keys: simple

[handlers]
keys: rotate, console

[loggers]
keys: root

[formatter_simple]
format: [%(asctime)s] %(levelname)s:%(name)s:%(message)s
datefmt: %a %b %d %H:%M:%S %Y

[handler_rotate]
class: handlers.TimedRotatingFileHandler
args: ('/home/gnuhealth/gnuhealth/logs/gnuhealth.log', 'D', 1, 30)
formatter: simple

[handler_console]
class: StreamHandler
formatter: simple
args: (sys.stdout,)

[logger_root]
level: WARNING
handlers: rotate, console

In this example (and in the standard file) the log file is written in the default logs directory. You can change it to fit your specific installation.

In order to use logging, you need to provide the –logconf option, along with the path to the log configuration file gnuhealth_log.conf as argument, when invoking the Tryton server in the next section (e.g. trytond --logconf "${GNUHEALTH_DIR}"/tryton/server/config/gnuhealth_log.conf).

For more information, check the following resources:

• Python logging facility logging tutorial: https://docs.python.org/3/howto/logging.html#.logging-basic-tutorial

• Tryton Server logging documentation: https://trytond.readthedocs.org/en/latest/topics/logs.html

Initialize the database instance

Create the database

$ createdb health

Note

We use “health” as an example, choose the name of your database, but keep it short and only alphanumeric chars

Change to your newly installed system (use the alias cdexe):

$ cdexe

and initialize the instance:

$ python3 ./trytond-admin --all --database=health -vv

You will be asked to provide a password for the “admin” user.

If everything goes well, you are ready to start the GNU Health HIS node server.

Start the GNU Health HIS node

$ cd
$ ./start_gnuhealth.sh

Note

As mentioned in the previous section, use the ‘’–logconf [path]’’ option to specify the path of the logging configuration

You can execute the GNU Health server in the background (using nohup ./start_gnuhealth.sh &) and check the output in the file nohup.out.

Creating a Systemd service for the GNU Health server

If you use the standard installation method, you can use the following scripts to automate the startup/stop of the GNU Health instance using systemd services.

GNU Health service unit file

Create the GNU Health Unit file under /usr/lib/systemd/system/gnuhealth.service:

For Ubuntu 18.04 LTS users: /etc/systemd/system/gnuhealth.service:

[Unit]
Description=GNU Health Server
After=network.target

[Service]
Type=simple
User=gnuhealth
WorkingDirectory=/home/gnuhealth
ExecStart=/home/gnuhealth/start_gnuhealth.sh
Restart=on-abort

[Install]
WantedBy=multi-user.target

Starting and Stopping the GNU Health service

You can issue the commands:

# systemctl start gnuhealth

or:

# systemctl stop gnuhealth

Enable the service to start at boot time

If you want to automatically start the GNU Health server whenever you start the operating system, you can enable the service with the following command:

# systemctl enable gnuhealth

Using a WSGI Server for GNU Health Hospital Management Component

GNU Health HIS uses by default the werkzeug server. This should be valid only for development scenarios. For production servers, GNU Health HIS will benefit from a Web Server Gateway Interface (WSGI), such as uWSGI and a web server that supports reverse proxy, as NGINX.

Your Trytond configuration file

Edit your trytond.conf file to meet the requirements. You can edit this file directly using the alias editconf with the gnuhealth user.

This sample enables access both to the GTK and webclient.

[database]
uri = postgresql://localhost:5432
path = /home/gnuhealth/attach

[web]
listen = localhost:8000
root = /home/gnuhealth/sao/package

uWSGI configuration file

This is a sample for the gnuhealth uwsgi .ini (gh.ini) file. Make sure NINGX user has the appropriate permissions to the uwsgi socket.

[uwsgi]

master = true
processes = 5
plugins = python3

socket = /tmp/uwsgi.sock
chmod-socket=660

module=trytond.application:app

Configuring NGINX as a reverse proxy for GNU Health HIS

In this sample, NINGX will listen to 8100 in HTTPS mode, to requests coming from the web clients. It also listens to port 8000 for the native GTK client.

# Virtual host for demo web client using TLS and listening in 8100
    server {
        listen       8100 ssl;
        server_name  your_hostname;

        ssl_certificate      /path/to/your/gnuhealth.crt;
        ssl_certificate_key  /path/to/your/gnuhealth.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            include         uwsgi_params;
            uwsgi_pass      unix:/tmp/uwsgi.sock;
        }
    }
    # Virtual host for GNU Health GTK Client on 8000
    server {
        listen       8000;

        location / {
            include         uwsgi_params;
            uwsgi_pass      unix:/tmp/uwsgi.sock;
        }
    }

Putting everything together and booting the GNU Health Server

Once you have configured the three elements (Trytond server, uwsgi and NGINX) is time to put in into production

• Make sure your NGINX server is running:

• Start uWSGI with the corresponding gnuhealth .ini file:

$ uwsgi $HOME/gh.ini --enable-threads &

Installation of the GNU Health Client

Requirements

openSUSE

Tested on openSUSE Leap 15.1 and Tumbleweed

• Disable Non-OSS repositoriess

• Desktop with KDE Plasma

• Create user “gnuhealth”

• Login as “gnuhealth” user

• Get the required packages / dependencies

$ sudo zypper install cairo-devel pkg-config python3-devel gcc gobject-introspection-devel python3-cairo python3-gobject-cairo python3-gobject-Gdk typelib-1_0-Gtk-3_0

GNU Health Client installation with pip3

• Update PATH. To make changes permanent, add this line in $HOME/.bashrc

$ export PATH=$HOME/.local/bin:$PATH

• Update pip3

$ pip3 install --upgrade --user pip

• Install GNU Health client

$ pip3 install --user --upgrade gnuhealth-client

The following command will boot your GNU Health client:

$ gnuhealth-client

Alternative Methods

System Packages

Instead from source as described above, you can install the GNU Health Client from pre-build packages as well. openSUSE offer packages that you can install with your systems package manager. Make sure you get the current gnuhealth-client version 4.4.

Microsoft Windows and macOS

Note

As GNU Health is free/libre software, developed primarily for free/libre operating systems and with the philosophy of free software in mind, it is recommended to use free/libre software with GNU Health, and GNU/Linux or other free/libre operating system for the client. The development of all GNU Health components (server, client, plugins, Thalamus, GNU Health Federation) is done and focused on Free / Libre operating systems.

If you use Microsoft Windows or macOS, you can try using the Tryton 6.0 client, which may be compatible with GNU Health 4.4. Keep in mind that the windows client does not have the GNU Health commands, nor the plugins like GNU Health GNUPG crypto or GNU Health Camera and Federation Resource Locator.

Download the Tryton client executable (Windows) and follow the instructions.

Logging into the Application

Now that you’re back at the login screen, you’ll notice that the selected profile is the one you’ve just created. Fill in the login form:

• User name: the one you used previously (usually admin)

• Password: the one entered twice in the previous section

Login credentials for The Demo database: Connection to the GNU Health HIS and LIMS

Installing the Default Modules

From this point on, you will use the client for almost every process. Start with the installation of the basic functionality:

#. After you’ve created the database, the system will ask you to create some new users. You can skip this step for now.

#. You are then presented with a list of modules that will provide the functionality you desire. If you don’t see the Modules window, navigate to it on the left side: Administration → Modules → Modules.

1. Select the health_profile module, and click on Mark for installation.

2. Click on the Action icon and select Perform Pending Installation/Upgrade:

3. Tryton will automatically select all the dependent modules required for the installation:

#. Click on Start Upgrade. This process will take a while, depending on the computer where GNU Health is being installed on. Once it’s done, the following message appears.

Creating a Company

The next thing you need to do is to create the initial company, that will be your health center. You will be presented with a wizard to create it.

Press F3 to create a new company.

Note

At the party form, please make sure you set the institution attribute. You will link this company to your main health institution later on. Please refer to the screenshot provided in this section for details.

Disabling demo users in production environments

Warning

For security reasons, you must deactivate demo users in production environments.

GNU Health comes with a set of pre-defined users for demo purposes. They all have the prefix demo_ (demo_doctor, demo_front_desk, demo_nurse… ).

To deactivate the users:

1. Navigate to Administration > Users > Users in the sidebar.

2. In filters, choose Login: demo_ and Active: True

3. Unset the “active” flag of each of them (untick the “Active” boxes).

The demo users are now de-activated in your environment.

Look at the screenshot captioned Deactivation of demo users in production environments for an example (the Active checkboxes haven’t been unticked).

Customizing the GNU Health Client

For GNU/Linux and other free operating systems, the GNU Health GTK client configuration file can be found at:

$HOME/.config/gnuhealth/<VERSION>/gnuhealth-client.conf

For example:

$HOME/.config/gnuhealth/4.4/gnuhealth-client.conf

Using a custom greeter / banner

You can customize the login greeter banner to fit your institution.

In the section [client], include the banner parameter with the absolute path of the png file.

Something like:

[client]
banner = /home/yourlogin/myhospitalbanner.png

The default resolution of the banner is 500 x 128 pixels. Adjust yours to approximately this size.

Completion

Congratulations! You have completed the initial installation of GNU Health. In the next chapter we will discuss how to add functionality by installing additional modules.