ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 9d257ec78cf601f259c533f12bed444ae0702889
parent ddabadfe0284ea02936fd55561fca4ef1ebe0f58
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sat, 23 Nov 2024 22:46:40 +0100

more work on exchange and auditor configs

Diffstat:
Mplaybooks/setup.yml | 6++++++
Droles/auditor/files/etc/taler-auditor/taler-auditor.conf | 45---------------------------------------------
Mroles/auditor/tasks/main.yml | 38++++++++++++++++++++++++++++++++------
Aroles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 | 18++++++++++++++++++
Aroles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2 | 9+++++++++
Droles/auditor/templates/taler-auditor.conf | 2--
Droles/auditor/vars/main.yml | 3---
Mroles/common_packages/tasks/main.yml | 10++++++----
Mroles/exchange/tasks/main.yml | 33++++++++++++++++++++-------------
Rroles/webserver/templates/exchange-nginx.conf -> roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2 | 0
Mroles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2 | 7+++++++
Mroles/libeufin-nexus/tasks/main.yml | 17+++++++++++------
Mroles/sms-challenger/tasks/main.yml | 14++++++++------
Droles/webserver/templates/auditor-nginx.conf | 16----------------
14 files changed, 117 insertions(+), 101 deletions(-)

diff --git a/playbooks/setup.yml b/playbooks/setup.yml
@@ -15,12 +15,18 @@
 vars:
 # Our currency.
 CURRENCY = CHF
+# Smallest unit of the currency for wire transfers.
+ CURRENCY_ROUND_UNIT = CHF:0.01
 # Main domain name.
 DOMAIN_NAME = taler-ops.ch
 # Base URL of the exchange REST API
 EXCHANGE_BASE_URL="https://exchange.{{ $DOMAIN_NAME }}/"
+# Base URL of the auditor REST API
+ AUDITOR_BASE_URL="https://auditor.{{ $DOMAIN_NAME }}/"
 # Exchange offline master public key.
 EXCHANGE_MASTER_PUB=
+# Auditor offline public key.
+ AUDITOR_PUB=
 # Name of Terms of service resource file
 EXCHANGE_TERMS_ETAG="exchange-tos-v0"
 # Name of Privacy policy resource file
diff --git a/roles/auditor/files/etc/taler-auditor/taler-auditor.conf b/roles/auditor/files/etc/taler-auditor/taler-auditor.conf
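Review bot: `AUDITOR_PUB=` is added with an empty value and no explanation, and nothing in this commit checks it before it is templated into `PUBLIC_KEY = {{ AUDITOR_PUB }}` in the auditor config, so a forgotten value deploys an auditor with an empty key rather than failing the play. The neighbouring `EXCHANGE_MASTER_PUB` at least says it is the offline master key; mirror that here with `# Auditor offline public key (mandatory; presumably printed by the auditor's offline setup tool, analogous to \`taler-exchange-offline setup\`).` and add an `ansible.builtin.assert` in the auditor role with `that: AUDITOR_PUB | length > 0` so the deployment stops early. The vars block continues outside the hunk.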
@@ -1,45 +0,0 @@
-# Main entry point for the GNU Taler configuration.
-#
-# Structure:
-# - taler.conf is the main configuration entry point
-# used by all Taler components (the file you are currently
-# looking at.
-# - overrides.conf contains configuration overrides that are
-# set by some tools that help with the configuration,
-# and should not be edited by humans. Comments in this file
-# are not preserved.
-# - conf.d/ contains configuration files for
-# Taler components, which can be read by all
-# users of the system and are included by the main
-# configuration.
-# - secrets/ contains configuration snippets
-# with secrets for particular services.
-# These files should have restrictive permissions
-# so that only users of the relevant services
-# can read it. All files in it should end with
-# ".secret.conf".
-
-[paths]
-
-TALER_HOME = /var/lib/taler-auditor/
-TALER_RUNTIME_DIR = /run/taler-auditor/
-TALER_CACHE_HOME = /var/cache/taler-auditor/
-TALER_CONFIG_HOME = /etc/taler-auditor/
-TALER_DATA_HOME = /var/lib/taler-auditor/
-
-[exchange]
-
-# Currency of the Taler deployment. This setting applies to all Taler
-# components that only support a single currency.
-currency = CHF
-
-# Smallest currency unit handled by the underlying bank system. Taler payments
-# can make payments smaller than this units, but interactions with external
-# systems is always rounded to this unit.
-currency_round_unit = CHF:0.01
-
-# Inline configurations from all Taler components.
-@inline-matching@ conf.d/*.conf
-
-# Overrides from tools that help with configuration.
-@inline@ overrides.conf
diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml
@@ -1,23 +1,49 @@
 ---
+
+- name: Ensure taler-auditor service is stopped before upgrading
+  service:
+    name: taler-auditor.target
+    state: stopped
+    enabled: false
+
 - name: Install Taler auditor package
   apt:
     name:
     - taler-auditor
     state: latest
-    update_cache: true
+  when: ansible_os_family == 'Debian'
 
 - name: Ensure Taler auditor config dir exists from installation
   file:
     path: "/etc/taler-auditor"
     state: directory
 
-- name: Place taler-auditor config
-  copy:
-    src: etc/taler-auditor/taler-auditor.conf
-    dest: "/etc/taler-auditor/taler-auditor.conf"
+- name: Ensure Taler exchange virtualhost configuration file exists
+  template:
+    src: templates/etc/nginx/sites-available/auditor-nginx.conf.j2
+    dest: "/etc/nginx/sites-available/auditor-nginx.conf"
     owner: root
     group: root
     mode: 0644
+  notify: restart nginx
+
+- name: Enable Taler auditor reverse proxy configuration
+  file:
+    src: /etc/nginx/sites-available/auditor-nginx.conf
+    dest: /etc/nginx/sites-enabled/auditor-nginx.conf
+    state: link
+  notify: restart nginx
+
+- name: Place taler-auditor master config
+  template:
+    src: templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2
+    dest: "/etc/taler-auditor/conf.d/taler-auditor-master.conf"
+    owner: root
+    group: root
+    mode: 0644
+
+# FIXME: copy over configs for exchange-database,
+# exchange-bank account and denominations to auditor/config.d/!
 
 - name: Setup Taler Auditor database
   shell:
@@ -28,4 +54,4 @@
   service:
     name: taler-auditor.target
     state: started
-    enabled: yes
+    enabled: true
diff --git a/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 b/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2
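Review bot: The new `Ensure taler-auditor service is stopped before upgrading` task runs before `apt` installs `taler-auditor`, so on a fresh host the unit `taler-auditor.target` does not exist yet and the `service` module will most likely fail with "Could not find the requested service" instead of skipping; gate it on the package being present, e.g. a `package_facts` task followed by `when: "'taler-auditor' in ansible_facts.packages"` on the stop task. The task named `Ensure Taler exchange virtualhost configuration file exists` lives in the auditor role and deploys `auditor-nginx.conf`; rename it to say auditor so play output is not misleading. The file continues past this hunk (the dbconfig task).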
@@ -0,0 +1,18 @@
+server {
+
+  listen 80;
+  listen [::]:80;
+
+  server_name auditor.{{ DOMAIN_NAME }};
+
+  # Bigger than default timeout to support long polling
+  proxy_read_timeout 6500s;
+  keepalive_requests 1000000;
+  keepalive_timeout 6500s;
+
+# TODO: setup access control!
+
+  location / {
+    proxy_pass http://unix:/var/run/taler/auditor-httpd/auditor-http.sock;
+  }
+}
diff --git a/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2 b/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2
@@ -0,0 +1,9 @@
+[auditor]
+PUBLIC_KEY = {{ AUDITOR_PUB }}
+BASE_URL = {{ AUDITOR_BASE_URL }}
+SERVE = unix
+
+[exchange]
+CURRENCY = {{ CURRENCY }}
+CURRENCY_ROUND_UNIT = {{ CURRENCY_ROUND_UNIT }}
+DB = postgres
diff --git a/roles/auditor/templates/taler-auditor.conf b/roles/auditor/templates/taler-auditor.conf
@@ -1,2 +0,0 @@
-[auditor]
-PUBLIC_KEY = $AUDITOR_PUB
diff --git a/roles/auditor/vars/main.yml b/roles/auditor/vars/main.yml
@@ -1,3 +0,0 @@
-BANK_EXCHANGE_PASSWORD: xxxx
-BANK_PORT: xxxx
-
diff --git a/roles/common_packages/tasks/main.yml b/roles/common_packages/tasks/main.yml
@@ -1,13 +1,16 @@
 ---
 # Role: Install dependencies
 
-- name: Install packages required by Ansible
+- name: Install packages required by Ansible and deploy current base distro
   apt:
     name:
     - python3-debian
     - python3-psycopg2
-    state: present
+    state: latest
     update_cache: true
+    autoclean: true
+    autoremove: true
+    upgrade: safe
   when: ansible_os_family == 'Debian'
 
 - name: Install Taler dependencies on Debian/Ubuntu
@@ -18,6 +21,5 @@
     - sudo
     - uuid-runtime
     - wget
-    state: present
-    update_cache: true
+    state: latest
   when: ansible_os_family == 'Debian'
diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml
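Review bot: The new vhost exposes the auditor socket over plain HTTP on port 80 with `# TODO: setup access control!` left open, while setup.yml advertises `AUDITOR_BASE_URL` as `https://auditor.…/`; as written, anyone who can reach port 80 talks to the auditor daemon directly, and nothing in this commit terminates TLS or redirects to it. If a TLS terminator in front of this host is the intent, state it in the template (`# Plain HTTP only: TLS is expected to be terminated in front of this host`) and restrict `listen` to that hop's address; otherwise a `listen 443 ssl` block with certificate directives is needed before this is production-safe. Replace the bare TODO with what the restriction is meant to be (which paths, if any, must stay reachable by wallets and merchants versus operator-only) so the next person does not have to rediscover it.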
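Review bot: The `[exchange]` section of taler-auditor-master.conf.j2 carries only `CURRENCY`, `CURRENCY_ROUND_UNIT` and `DB`, but the auditor also has to know which exchange it audits, and setup.yml already defines `EXCHANGE_MASTER_PUB` and `EXCHANGE_BASE_URL` for exactly that; neither is templated here, and the FIXME in tasks/main.yml only lists database, bank account and denominations. If the auditor reads `MASTER_PUBLIC_KEY` and `BASE_URL` from `[exchange]` as the exchange's own config does (worth confirming against the taler-auditor manual), add `MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}` and `BASE_URL = {{ EXCHANGE_BASE_URL }}` to this section; otherwise extend the FIXME so the gap is recorded.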
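Review bot: Adding `upgrade: safe` to the common_packages apt task means every play performs a full `apt upgrade` before the service roles run, so `taler-exchange`, `taler-auditor` and `libeufin-nexus` are upgraded here while their services are still running — which defeats the stop-before-upgrade tasks this same commit adds to those roles (assuming common_packages is ordered first in the play, which this diff does not show). Either drop `upgrade: safe` here and let each service role upgrade after its stop task, or move the stop tasks ahead of this role. Separately, as far as I can tell from the apt module's implementation, `autoclean`/`autoremove` only run as standalone clean-up actions when no `name` list is given, so combined with the two python packages here they probably do not do what the task name suggests; verify, or split them into their own task.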
@@ -1,15 +1,30 @@
 ---
-- name: Install Taler exchange package
+- name: Ensure taler-exchange service is stopped before we upgrade
+  service:
+    name: taler-exchange.target
+    state: stopped
+    enabled: false
+
+- name: Install latest Taler exchange package
   apt:
     name:
     - taler-exchange
     state: latest
-    update_cache: true
+  when: ansible_os_family == 'Debian'
 
 - name: Ensure Taler exchange virtualhost configuration file exists
   template:
-    src: exchange-nginx.conf
+    src: templates/etc/nginx/sites-available/exchange-nginx.conf.j2
     dest: "/etc/nginx/sites-available/exchange-nginx.conf"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable Taler exchange reverse proxy configuration
+  file:
+    src: /etc/nginx/sites-available/exchange-nginx.conf
+    dest: /etc/nginx/sites-enabled/exchange-nginx.conf
+    state: link
   notify: restart nginx
 
 - name: Place taler-exchange business config
@@ -49,17 +64,9 @@
       cmd: taler-exchange-dbconfig -c /etc/taler-exchange/taler-exchange.conf
       chdir: /tmp
 
-# FIXME: change to templating, set proper virtual host from
-# EXCHANGE_BASE_URL or similar variables!
-- name: Enable Taler exchange virtual host by creating symlink
-  file:
-    src: "/etc/nginx/sites-available/exchange-nginx.conf"
-    dest: "/etc/nginx/sites-enabled/exchange-nginx.conf"
-    state: link
-  notify: restart nginx
-
 - name: Ensure taler-exchange service is enabled and started
   service:
+    deamon_reload: true
     name: taler-exchange.target
     state: started
-    enabled: yes
+    enabled: true
diff --git a/roles/webserver/templates/exchange-nginx.conf b/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2
diff --git a/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2 b/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
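Review bot: The `notify: restart nginx` that used to close the template task now belongs to the inserted `Enable Taler exchange reverse proxy configuration` task, because the new `file` task was spliced in between the template's `mode: 0644` and the pre-existing `notify` context line; re-rendering `exchange-nginx.conf` on later runs therefore no longer reloads nginx (the symlink task only reports a change once). Add `notify: restart nginx` after `mode: 0644` in the template task, as the auditor role in this same commit already does. The file continues past this hunk.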
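Review bot: `deamon_reload: true` in the start task is a misspelling of `daemon_reload`; the `service`/`systemd` modules reject unknown arguments, so this task fails with an unsupported-parameter error on the first run rather than silently ignoring it. Change the line to `daemon_reload: true` (the same typo appears twice in roles/libeufin-nexus/tasks/main.yml in this commit). Note that the generic `service` module only honours `daemon_reload` through its systemd redirect; if you rely on it, using `ansible.builtin.systemd_service` explicitly, as the sms-challenger role does, makes the dependency on systemd visible.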
@@ -4,6 +4,8 @@
 
 # Currency of this exchange.
 CURRENCY = {{ CURRENCY }}
+CURRENCY_ROUND_UNIT = {{ CURRENCY_ROUND_UNIT }}
+TINY_AMOUNT = {{ CURRENCY_ROUND_UNIT }}
 
 # Here you MUST add the master public key of the offline system
 # which you can get using `taler-exchange-offline setup`.
@@ -41,3 +43,8 @@ PAYTO_URI = {{ EXCHANGE_BANK_ACCOUNT_PAYTO }}
 # Credentials to access the account are in a separate
 # config file with restricted permissions.
 @inline-secret@ exchange-accountcredentials-primary ../secrets/exchange-accountcredentials-primary.secret.conf
+
+# Credentials to access KYC providers are in separate
+# config files with restricted permissions.
+@inline-secret@ kyc-provider-kycaid-individual ../secrets/exchange-kyc-providers.conf.j2
+@inline-secret@ kyc-provider-kycaid-business ../secrets/exchange-kyc-providers.conf.j2
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -1,16 +1,24 @@
 ---
+- name: Ensure libeufin-nexus service is stopped before we upgrade
+  service:
+    deamon_reload: true
+    name: libeufin-nexus.target
+    state: stopped
+    enabled: false
+
 - name: Install libeufin-nexus package
   apt:
     name:
     - libeufin-nexus
     state: latest
-    update_cache: true
+  when: ansible_os_family == 'Debian'
 
 - name: Ensure libeufin config dir exists from installation
   file:
     path: "/etc/libeufin"
     state: directory
 
+# FIXME: is this needed or always there in Ansible?
 - name: Ensure Ansible facts directory dir exists
   file:
     path: "/etc/ansible/facts.d/"
@@ -44,12 +52,9 @@
   shell:
     cmd: libeufin-nexus ebics-setup
 
-# FIXME: make sure we launch et {{ http://localhost:LIBEUFIN_PORT/ }}!
-# FIXME: create '{{ LIBEUFIN_EXCHANGE_ACCOUNT }}' account and
-# set fact for EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN
-
 - name: Ensure libeufin-nexus service is enabled and started
   service:
+    deamon_reload: true
     name: libeufin-nexus.target
     state: started
-    enabled: yes
+    enabled: true
diff --git a/roles/sms-challenger/tasks/main.yml b/roles/sms-challenger/tasks/main.yml
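Review bot: The two new keys `CURRENCY_ROUND_UNIT` and `TINY_AMOUNT` are the only settings in this file without a comment, and tying both to the same Ansible variable is a decision a future operator will want explained. Add `# Smallest unit the bank can transfer; wire amounts are rounded to it.` above `CURRENCY_ROUND_UNIT`, and a line above `TINY_AMOUNT` stating why it is set to the round unit (what the exchange does with amounts below it I would check against the exchange manual rather than guess here). The `[exchange]` section continues outside this hunk.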
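Review bot: Both new `@inline-secret@` lines reference `../secrets/exchange-kyc-providers.conf.j2`, a Jinja template name, whereas the existing credentials line and the removed taler-auditor.conf header both use the `*.secret.conf` convention for files in `secrets/`; unless some task renders the template to exactly that `.j2` name on the host (none in this commit does), the exchange will look for a file that does not exist. As far as I know `@inline-secret@` deliberately tolerates a missing or unreadable file so per-user secrets can be optional, which means a wrong path here leaves both KYC provider sections silently absent at runtime rather than failing. Suggest `../secrets/exchange-kyc-providers.secret.conf` on both lines plus a matching template task that installs it with a restrictive mode.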
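Review bot: `deamon_reload: true` in the new libeufin-nexus stop task is a typo for `daemon_reload`, and the `service`/`systemd` modules fail on unknown parameters, so this role aborts before the package is even installed; the same misspelling is added to the start task in the second hunk of this file. Beyond the spelling, the stop task runs ahead of the `apt` install, so on a fresh host `libeufin-nexus.target` does not exist yet and the task will very likely fail anyway — gate it with a `package_facts` task and `when: "'libeufin-nexus' in ansible_facts.packages"`. The one-line fix for both occurrences is `daemon_reload: true`.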
@@ -1,10 +1,16 @@
 ---
+- name: Ensure SMS challenger service is stopped before we upgrade
+  ansible.builtin.systemd_service:
+    name: sms-challenger
+    state: stopped
+    enabled: false
+
 - name: Install Challenger package
   apt:
     name:
     - challenger
     state: latest
-    update_cache: true
+  when: ansible_os_family == 'Debian'
 
 - name: Ensure group "challenger-sms" exists
   ansible.builtin.group:
@@ -84,8 +90,4 @@
     src: /etc/nginx/sites-available/sms-challenger-nginx.conf
     dest: /etc/nginx/sites-enabled/sms-challenger-nginx.conf
     state: link
-
-- name: Reload NGINX after challenger configuration deployment
-  service:
-    name: nginx
-    state: reloaded
+  notify: restart nginx
diff --git a/roles/webserver/templates/auditor-nginx.conf b/roles/webserver/templates/auditor-nginx.conf
@@ -1,16 +0,0 @@
-server {
-
-  listen 80;
-  listen [::]:80;
-
-  server_name auditor.{{ DOMAIN_NAME }};
-
-  # Bigger than default timeout to support long polling
-  proxy_read_timeout 6500s;
-  keepalive_requests 1000000;
-  keepalive_timeout 6500s;
-
-  location / {
-    proxy_pass http://unix:/var/run/taler/auditor-httpd/auditor-http.sock;
-  }
-}
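Review bot: This stop task uses `ansible.builtin.systemd_service` with the bare unit name `sms-challenger`, while the exchange, auditor and libeufin roles touched in the same commit use the generic `service` module with `*.target` units; pick one module and one naming scheme across roles so failures and idempotence behave the same everywhere. `systemd_service` is the ansible-core 2.15+ name — if older controllers must be supported, `ansible.builtin.systemd` is the compatible alias. As in the other roles, this stop runs before `apt` installs `challenger`, so a fresh host will most likely fail here unless the task is gated on `ansible_facts.packages`.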
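Review bot: The explicit `state: reloaded` of nginx after deploying the challenger vhost is replaced by `notify: restart nginx`; if that handler does what its name says, a config change now performs a full restart instead of a graceful reload, dropping the long-polling connections these vhosts deliberately keep open for up to 6500s. Prefer a handler that does `state: reloaded` (named `reload nginx`) that all three roles can notify, or keep the reload here. The handler definition is not part of this diff, so this is worth checking against the webserver role.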