author MS <ms@taler.net> 2024-01-10 23:21:32 +0100
committer ms <ms@taler.net> 2024-03-08 10:51:42 +0100
commit a48f864ff38c53534a49c4f77d01759756fe5ea0
tree a4b627c657b43e4feea67951a6735e01394d4639
parent d26308619427798ec4f86461dd04d35bbe6f0738
Regional currency Sandcastle.regio
-rwxr-xr-x  regional-currency/config_libeufin_bank.sh  1
-rwxr-xr-x  regional-currency/setup-exchange.sh  1
-rw-r--r--  sandcastle-ng/README  141
-rw-r--r--  sandcastle-ng/README.md  137
-rw-r--r--  sandcastle-ng/config-examples/nexus.conf  22
-rw-r--r--  sandcastle-ng/config-examples/runtime.env  11
-rwxr-xr-x  sandcastle-ng/keys-examples/bank-key.json  0
-rwxr-xr-x  sandcastle-ng/keys-examples/client-key.json  0
-rwxr-xr-x  sandcastle-ng/sandcastle-run  23
-rwxr-xr-x  sandcastle-ng/scripts/demo/nexus.conf  0
-rwxr-xr-x  sandcastle-ng/scripts/demo/setup-sandcastle.sh  290
-rw-r--r--  sandcastle-ng/systemd/setup-sandcastle.service  1
12 files changed, 270 insertions, 357 deletions
diff --git a/regional-currency/config_libeufin_bank.sh b/regional-currency/config_libeufin_bank.sh
index 5a32844..c579263 100755
--- a/regional-currency/config_libeufin_bank.sh
+++ b/regional-currency/config_libeufin_bank.sh
@@ -55,6 +55,7 @@ FIAT_CURRENCY=${FIAT_CURRENCY}
TAN_SMS=libeufin-tan-sms.sh
TAN_EMAIL=libeufin-tan-email.sh
ALLOW_EDIT_CASHOUT_PAYTO_URI=yes
+ALLOW_REGISTRATIONS=no
[CURRENCY-NETZBON]
enabled=yes
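Review bot: The added key is spelled `ALLOW_REGISTRATIONS` here, while setup-sandcastle.sh in this same commit writes `ALLOW_REGISTRATION = no` into libeufin-bank.conf. Unless the bank accepts both spellings, one of the two lines is ignored and registration stays at its default in that deployment. Confirm the option name and use the same spelling in both scripts.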
diff --git a/regional-currency/setup-exchange.sh b/regional-currency/setup-exchange.sh
index 2c4c06f..52153ba 100755
--- a/regional-currency/setup-exchange.sh
+++ b/regional-currency/setup-exchange.sh
@@ -59,7 +59,6 @@ function die() {
# Just try if sudo works for diagnostics
sudo -i -u taler-exchange-offline id >/dev/null || die "Error: Unable to switch to taler-exchange-offline user"
-
chmod a+r /etc/taler/taler.conf # FIXME-CG: Debian installation should set this
# Create master key as taler-exchange-offline *unless* user already
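Review bot: Whitespace-only change: the blank line removed before `chmod a+r /etc/taler/taler.conf` is the only edit to setup-exchange.sh and is unrelated to the Sandcastle work. Drop it from this commit or move it to a separate cleanup commit.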
diff --git a/sandcastle-ng/README b/sandcastle-ng/README
new file mode 100644
index 0000000..f522f8d
--- /dev/null
+++ b/sandcastle-ng/README
@@ -0,0 +1,141 @@
+Introduction
+============
+
+The Sandcastle is a containerized deployment of GNU Taler.
+
+It uses podman to build an image and run a single container that
+has systemd running inside. In this version, Sandcastle is equipped
+with the regional currency feature.
+
+Prerequisites
+=============
+
+You need (on your host system):
+
+- podman
+- bash
+
+How to build the Regio-Sandcastle
+=================================
+
+Change buildconfig/$component.tag to the right git tag, if you do
+not plan to build with the default tag.
+
+To build the Sandcastle, run:
+
+$ ./sandcastle-build
+
+The resulting container is tagged as taler-base-all
+
+How to pass run-time values
+===========================
+
+They should be set via an environment file, like in the following example:
+
+# Regional currency name:
+CURRENCY=NETZBON
+
+# The services will be subdomains of this one:
+MYDOMAIN=regio.example.com
+
+# Password for the exchange to login at the bank
+# (username is always 'exchange'), defaults to 'sandbox':
+EXCHANGE_BANK_PASSWORD=my-exchange-bank-password
+
+# Passowrd of the bank administrator, defaults to 'sandbox':
+BANK_ADMIN_PASSWORD=my-bank-admin-password
+
+How to run the Regio-Sandcastle
+===============================
+
+Before running the Regio-Sandcastle, do the EBICS keying like it is
+explained at the following link:
+
+https://docs.taler.net/libeufin/nexus-manual.html#setting-up-the-ebics-subscriber
+
+Note: to kill any previously running container and remove its related
+data volume, run:
+
+$ podman kill taler-sandcastle && podman volume rm talerdata --force
+
+At this point, you can run the Regio-Sandcastle like it is explained
+in the following example. Note: the config-examples/ directory may
+help to get started.
+
+$ export SANDCASTLE_SETUP_NAME=demo
+
+# Config file with the banking details. Note: the
+# BANK_PUBLIC_KEYS_FILE and CLIENT_PRIVATE_KEYS_FILE configuration
+# values are not meaningful anymore, since the Podman wiring will
+# acquire the keys from the host (see next env variables) and internally
+# set their path to the nexus configuration. The database connection
+# string is also not needed, since the database name must match the
+# one used by the bank, and the Podman wiring solves this transparently.
+# In case of logging directories being used, make sure to specify /ebicslogs
+# as the top-most directory. The logs will then be stored in a Podman
+# volume named 'ebicslogs'.
+$ export NEXUS_CONFIG_FILE=/path/to/nexus.conf
+
+# Location on the host system where the bank EBICS keys are stored:
+$ export NEXUS_BANK_KEY_FILE=/path/to/bank-keys.json
+
+# Location on the host system where the client EBICS keys are stored:
+$ export NEXUS_CLIENT_KEY_FILE=/path/to/client-keys.json
+
+# Location on the host system where the secrets are set as
+# environment variables:
+$ export SANDCASTLE_RUNTIME_ENV_FILE=/path/to/runtime-env-file
+
+$ ./sandcastle-run
+
+And now?
+========
+
+If the launching was successful, the taler-sandcastle container should be running,
+and the HTTP services should be serving at:
+
+bank -> localhost:16007
+exchange -> localhost:16001
+merchant backend -> localhost:16000
+
+Typically, those services are served via a reverse proxy under the
+names: ${exchange,bank,backend}.$MYDOMAIN.
+
+To use other port numbers, you can also export those environment
+variables before running the Sandcastle:
+
+SANDCASTLE_PORT_MERCHANT
+SANDCASTLE_PORT_EXCHANGE
+SANDCASTLE_PORT_LIBEUFIN_BANK
+
+At this point, if all the services are correctly running, you
+can configure the merchant, and also use the wallet.
+
+See here the instructions to configure the merchant:
+https://docs.taler.net/libeufin/regional-manual.html#configuring-the-merchant
+
+The following page explains how to use the wallet:
+https://docs.taler.net/libeufin/regional-manual.html#wallet-setup
+
+Poking Around
+=============
+
+You can poke around in a running sandcastle instance by running
+
+$ podman exec -it taler-sandcastle /bin/bash
+
+Or, as a shortcut:
+
+$ ./sandcastle-enter
+
+This will drop you into a shell inside the running container,
+where you have access to systemd, journalctl, etc.
+
+Data Storage
+============
+
+All persistent data is stored in a podman volume called talerdata
+and (if logging is enabled) also in ebicslogs. You can see where
+it is in your filesystem by running ``podman volume inspect $volumeName``.
+
+The talerdata volume also contains the postgres database files.
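Review bot: The env-file example says both passwords default to 'sandbox', but setup-sandcastle.sh in this commit removes `EXCHANGE_BANK_PASSWORD=sandbox` and uses `$EXCHANGE_BANK_PASSWORD` and `$BANK_ADMIN_PASSWORD` with no fallback in the lines shown. Either restore the defaults in the script or state here that both variables are mandatory. Also in this file: "Passowrd" should read "Password", the stop instructions (`podman stop taler-sandcastle`) from the deleted README.md are not carried over, and since the runtime env file holds secrets the README should tell the operator to keep it readable by the deploying user only.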
diff --git a/sandcastle-ng/README.md b/sandcastle-ng/README.md
deleted file mode 100644
index 01339d0..0000000
--- a/sandcastle-ng/README.md
+++ /dev/null
@@ -1,137 +0,0 @@
-# Introduction
-
-The sandcastle is a containerized deployment of GNU Taler
-
-It uses podman to build an image and run a single container that
-has systemd running inside.
-
-
-# Prerequisites
-
-You need (on your host system):
-* podman
-* bash
-
-
-# Building the Container Image
-
-1. Set buildconfig/$component.tag to the right git tag you want to build
-2. Run ./sandcastle-build to build the Taler container. The resulting container
- is tagged as taler-base-all
-
-
-# Configuring the Deployment
-
-It is recommended that for each deployment, you clone the deployment.git
-repository and create a branch with deployment-specific changes.
-
-Currently there is not much configuration.
-
-The main adjustments to be made are:
-
-* scripts/demo/setup-sandcastle.sh has the currency on top of the file
-* sandcastle-run has variables for the port that'll be exposed ("published") on
- the host. They can be overwritten with environment variables
- (``TALER_SANDCASTLE_PORT_$COMPONENT``).
-
-
-# Running the Deployment
-
-Run ``./sandcastle-run`` to run the single container. The container will be
-named taler-sandcastle.
-
-You can run the container in the background by passing ``-d``. Note that ``./sandcastle-run`` is just
-a wrapper around ``podman run``.
-
-The running container publishes ports to the host as defined in ``./sandcastle-run``.
-You can manually verify these port mappings via ``podman port taler-sandcastle``.
-
-# Stopping the deployment
-
-```
-podman stop taler-sandcastle
-```
-
-
-# Poking Around
-
-You can poke around in a running sandcastle instance by running
-
-```
-podman exec -it taler-sandcastle /bin/bash
-```
-
-Or, as a shortcut:
-
-```
-./sandcastle-enter
-```
-
-This will drop you into a shell inside the running container,
-where you have access to systemd, journalctl, etc.
-
-
-# Data Storage
-
-All persistent data is stored in a podman volume called
-talerdata. You can see where it is in your filesystem
-by running ``podman volume inspect talerdata``.
-
-That volume also contains the postgres database files.
-
-
-# Provisioning Details
-
-The whole deployment is configured by the script ``/provision/setup-sandcastle.sh``.
-This script will be run as a oneshot systemd service and will disable itself after
-the first success.
-
-To troubleshoot, run ``journalctl -u setup-sandcastle.service``.
-
-There are different setup scripts in the ``scripts/$SANDCASTLE_SETUP_NAME``
-folders. Specifically:
-
-* ``none`` does no setup at all
-* ``demo`` is the usual Taler demo
-* TBD: ``regio`` is a currency conversion setup
-
-By default, ``demo`` is used. To mount a different provision script, set ``$SANDCASTLE_SETUP_NAME``
-when running ``./sandcastle-run``.
-
-You can always manually run the provisioning script inside the container as
-``/scripts/$SANDCASTLE_SETUP_NAME/setup-sandcastle.sh``.
-
-
-# Neat Things That Already Work
-
-* Rebulding the base image is incremental, since we use layers. If the tag
- of the exchange is changed, only the exchange and components that depend
- on it are rebuilt.
-* Inside the container, the service names resolve to localhost,
- and on localhost a reverse proxy with locally signed certificates
- ensures that services can talk to each other *within* the container
- by using their *public* base URL.
-
-
-# Future Extensions
-
-* Fix rewards by deploying Javier's reward topup script inside the container via a systemd timer!
-* Variant where credentials use proper secret management instead of hard-coding all
- passwords to "sandbox".
-* Better way to access logs, better way to expose errors during provisioning
-* The Dockerfile should introduce nightly tags for debian packages it builds.
- Currently it just uses the latest defined version, which is confusing.
-* Deploy the Taler woocommerce plugin, wordpress plugin, Joomla plugin
-* Do self-tests of the deployment using the wallet CLI
-* Running the auditor
-* Running a currency conversion setup with multiple libeufin-bank instances
-* Allow a localhost-only, non-tls setup for being able to access a non-tls
- Taler deployment on the podman host.
-* Instead of exposing HTTP ports, we could expose everything via unix domain sockets,
- avoiding port collision problems.
-* Instead of requiring the reverse proxy to handle TLS,
- the sandcastle container itself could do TLS termination with caddy.
-* To improve performance, allow connecting to an external database
-* Make it easy to import and export the persistent data
-* Extra tooling to checkpoint images/containers to revert to a previous
- state quickly.
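Review bot: The deleted "Provisioning Details" section is the only place that documents that /provision/setup-sandcastle.sh runs as a oneshot systemd service and that `journalctl -u setup-sandcastle.service` is how to troubleshoot it; the new README has no equivalent. Carry that section over, since the provisioning script grows more failure points in this commit. The "Future Extensions" item about hard-coded "sandbox" passwords is addressed by this change and can go, but the remaining items are lost without a replacement.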
diff --git a/sandcastle-ng/config-examples/nexus.conf b/sandcastle-ng/config-examples/nexus.conf
new file mode 100644
index 0000000..7c04ac7
--- /dev/null
+++ b/sandcastle-ng/config-examples/nexus.conf
@@ -0,0 +1,22 @@
+[nexus-submit]
+FREQUENCY = 15m
+
+[nexus-fetch]
+FREQUENCY = 15m
+
+[nexus-ebics]
+CURRENCY = CHF
+
+# Bank
+HOST_BASE_URL = https://bank.example.com
+BANK_DIALECT = postfinance
+
+# EBICS IDs
+HOST_ID = HOST_ID_EXAMPLE
+USER_ID = USER_ID_EXAMPLE
+PARTNER_ID = PARTNER_ID_EXAMPLE
+
+IBAN = CH8189144452223984999
+BIC = SANDBOXX
+# Following needs URL-encoding
+NAME = NAME+EXAMPLE
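Review bot: The comment "Following needs URL-encoding" above `NAME` does not say why. setup-sandcastle.sh reads this value into `FIAT_NAME` and pastes it unescaped into `payto://iban/$FIAT_IBAN?receiver-name=$FIAT_NAME`, so a plain name with spaces or `&` yields a broken payto URI. Spell that out in the comment, and note in the README that `IBAN`, `NAME` and `CURRENCY` in this section are consumed by the provisioning script as well as by nexus.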
diff --git a/sandcastle-ng/config-examples/runtime.env b/sandcastle-ng/config-examples/runtime.env
new file mode 100644
index 0000000..8107659
--- /dev/null
+++ b/sandcastle-ng/config-examples/runtime.env
@@ -0,0 +1,11 @@
+CURRENCY=NETZBON
+
+# This value prepares the services to serve under
+# {bank,exchange,backend}.$MYDOMAIN:
+MYDOMAIN=example.com
+# Password for the exchange to login at the bank
+# (username is always 'exchange'), defaults to 'sandbox':
+EXCHANGE_BANK_PASSWORD=my-exchange-bank-password
+
+# Passowrd of the bank administrator, defaults to 'sandbox':
+BANK_ADMIN_PASSWORD=my-bank-admin-password
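Review bot: The example ships usable-looking values (`my-exchange-bank-password`, `my-bank-admin-password`); a deployment started from a copy of this file ends up with a published bank admin password. Use an obviously invalid placeholder or leave the values empty, and have the setup script refuse to run with the placeholder. "Passowrd" in the last comment should read "Password", and a blank line is missing after `MYDOMAIN=example.com`.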
diff --git a/sandcastle-ng/keys-examples/bank-key.json b/sandcastle-ng/keys-examples/bank-key.json
new file mode 100755
index 0000000..e69de29
--- /dev/null
+++ b/sandcastle-ng/keys-examples/bank-key.json
diff --git a/sandcastle-ng/keys-examples/client-key.json b/sandcastle-ng/keys-examples/client-key.json
new file mode 100755
index 0000000..e69de29
--- /dev/null
+++ b/sandcastle-ng/keys-examples/client-key.json
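Review bot: keys-examples/client-key.json and keys-examples/bank-key.json are both added empty (blob e69de29) with mode 100755. An empty file is not a usable example of the key format and the executable bit has no purpose on a JSON file. Either provide a documented dummy structure or drop the two files and keep the README pointer to the EBICS keying instructions; in any case set the mode to 100644.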
diff --git a/sandcastle-ng/sandcastle-run b/sandcastle-ng/sandcastle-run
index 7b5ccd1..59a0049 100755
--- a/sandcastle-ng/sandcastle-run
+++ b/sandcastle-ng/sandcastle-run
@@ -6,22 +6,12 @@ set -exou
SANDCASTLE_PORT_MERCHANT=16000
SANDCASTLE_PORT_EXCHANGE=16001
-SANDCASTLE_PORT_BLOG=16002
-SANDCASTLE_PORT_DONATIONS=16003
-SANDCASTLE_PORT_SURVEY=16004
-SANDCASTLE_PORT_LANDING=16005
SANDCASTLE_PORT_LIBEUFIN_BANK=16007
-SANDCASTLE_PORT_BANK_SPA=16009
# Container-internal ports, should by synced with scripts/setup-sandcastle.sh
PORT_INTERNAL_EXCHANGE=8201
PORT_INTERNAL_MERCHANT=8301
PORT_INTERNAL_LIBEUFIN_BANK=8080
-PORT_INTERNAL_LANDING=8501
-PORT_INTERNAL_BLOG=8502
-PORT_INTERNAL_DONATIONS=8503
-PORT_INTERNAL_SURVEY=8504
-PORT_INTERNAL_BANK_SPA=8505
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
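Review bot: The context lines `SANDCASTLE_PORT_MERCHANT=16000`, `SANDCASTLE_PORT_EXCHANGE=16001` and `SANDCASTLE_PORT_LIBEUFIN_BANK=16007` are plain assignments, yet the new README tells users to export exactly these names to change ports. As shown here an exported value is overwritten unless lines outside this diff handle it; the deleted README.md named `TALER_SANDCASTLE_PORT_$COMPONENT` as the override. Switch to `${SANDCASTLE_PORT_MERCHANT:-16000}` style defaults or correct the README. The comment "should by synced with scripts/setup-sandcastle.sh" also has a typo and points at a path that is now scripts/demo/setup-sandcastle.sh.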
@@ -47,18 +37,19 @@ podman run \
-p=$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT \
-p=$SANDCASTLE_PORT_EXCHANGE:$PORT_INTERNAL_EXCHANGE \
-p=$SANDCASTLE_PORT_LIBEUFIN_BANK:$PORT_INTERNAL_LIBEUFIN_BANK \
- -p=$SANDCASTLE_PORT_LANDING:$PORT_INTERNAL_LANDING \
- -p=$SANDCASTLE_PORT_BLOG:$PORT_INTERNAL_BLOG \
- -p=$SANDCASTLE_PORT_DONATIONS:$PORT_INTERNAL_DONATIONS \
- -p=$SANDCASTLE_PORT_SURVEY:$PORT_INTERNAL_SURVEY \
- -p=$SANDCASTLE_PORT_BANK_SPA:$PORT_INTERNAL_BANK_SPA \
--name taler-sandcastle \
--systemd=always \
- --env "SANDCASTLE_OVERRIDE_NAME=${SANDCASTLE_OVERRIDE_NAME:=none}" \
+ --env "SANDCASTLE_OVERRIDE_NAME=${SANDCASTLE_OVERRIDE_NAME:-none}" \
-v talerdata:/talerdata:Z \
+ -v ebicslogs:/ebicslogs:Z \
$OVERRIDES \
-v $PWD/scripts:/scripts:Z \
-v $PWD/scripts/$SETUP_NAME:/provision:Z \
+ -v $NEXUS_CONFIG_FILE:/provision/nexus.conf:Z \
+ -v $NEXUS_BANK_KEY_FILE:/provision/bank-key.json:Z \
+ -v $NEXUS_CLIENT_KEY_FILE:/provision/client-key.json:Z \
+ -v $SANDCASTLE_RUNTIME_ENV_FILE:/provision/runtime.env:Z \
+ --network slirp4netns:enable_ipv6=true \
--entrypoint /sbin/init \
"$@" \
taler-base-all
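Review bot: The four new bind mounts expand `$NEXUS_CONFIG_FILE`, `$NEXUS_BANK_KEY_FILE`, `$NEXUS_CLIENT_KEY_FILE` and `$SANDCASTLE_RUNTIME_ENV_FILE` unquoted and without checking that each is set and names an existing file, so a missing export or a path with spaces produces a malformed `-v` argument instead of a clear error. They are also mounted read-write although they carry the EBICS client private key and the service passwords; where the container only reads them, mount with `:ro,Z`. The new `--network slirp4netns:enable_ipv6=true` option is not mentioned in the README or the commit message and deserves a comment.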
diff --git a/sandcastle-ng/scripts/demo/nexus.conf b/sandcastle-ng/scripts/demo/nexus.conf
new file mode 100755
index 0000000..e69de29
--- /dev/null
+++ b/sandcastle-ng/scripts/demo/nexus.conf
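Review bot: scripts/demo/nexus.conf is added empty and with mode 100755. sandcastle-run mounts `$PWD/scripts/$SETUP_NAME` at /provision and then `$NEXUS_CONFIG_FILE` at /provision/nexus.conf, so this looks like a mount-point placeholder, but nothing says so, and no placeholders are added for bank-key.json, client-key.json or runtime.env, which are mounted the same way. Document the purpose, treat all four targets consistently, and drop the executable bit.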
diff --git a/sandcastle-ng/scripts/demo/setup-sandcastle.sh b/sandcastle-ng/scripts/demo/setup-sandcastle.sh
index c2c25a1..62ee50f 100755
--- a/sandcastle-ng/scripts/demo/setup-sandcastle.sh
+++ b/sandcastle-ng/scripts/demo/setup-sandcastle.sh
@@ -21,53 +21,25 @@ echo "Provisioning sandcastle"
# Might eventually be moved to an external file.
# Source any ovverrides from external file
-if [[ "${SANDCASTLE_OVERRIDE_NAME:-}" != "none" ]]; then
+if [[ "${SANDCASTLE_OVERRIDE_NAME:-none}" != "none" ]]; then
cat /overrides
source "/overrides" || true
fi
-CURRENCY=${CURRENCY:="KUDOS"}
-EXCHANGE_IBAN=DE159593
-EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN
-EXCHANGE_FULL_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc"
-EXCHANGE_BANK_PASSWORD=sandbox
-
-# Randomly generated IBANs for the merchants
-MERCHANT_IBAN_DEFAULT=DE5135717
-MERCHANT_IBAN_POS=DE4218710
-MERCHANT_IBAN_BLOG=DE8292195
-MERCHANT_IBAN_GNUNET=DE9709960
-MERCHANT_IBAN_TALER=DE1740597
-MERCHANT_IBAN_TOR=DE2648777
-MERCHANT_IBAN_SURVEY=DE0793060
-
-MYDOMAIN=${MYDOMAIN:="demo.taler.net"}
-LANDING_DOMAIN=$MYDOMAIN
+
BANK_DOMAIN=bank.$MYDOMAIN
EXCHANGE_DOMAIN=exchange.$MYDOMAIN
MERCHANT_DOMAIN=backend.$MYDOMAIN
-BLOG_DOMAIN=shop.$MYDOMAIN
-DONATIONS_DOMAIN=donations.$MYDOMAIN
-SURVEY_DOMAIN=survey.$MYDOMAIN
# Ports of the services running inside the container.
# Should be synchronized with the sandcastle-run script.
PORT_INTERNAL_EXCHANGE=8201
PORT_INTERNAL_MERCHANT=8301
PORT_INTERNAL_LIBEUFIN_BANK=8080
-PORT_INTERNAL_LANDING=8501
-PORT_INTERNAL_BLOG=8502
-PORT_INTERNAL_DONATIONS=8503
-PORT_INTERNAL_SURVEY=8504
-PORT_INTERNAL_BANK_SPA=8505
# Just make sure the services are stopped
systemctl stop taler-exchange.target
systemctl stop taler-merchant-httpd.service
systemctl stop postgresql.service
-systemctl stop taler-demo-landing.service
-systemctl stop taler-demo-blog.service
-systemctl stop taler-demo-donations.service
-systemctl stop taler-demo-survey.service
systemctl stop libeufin-bank.service
# We now make sure that some important locations are symlinked to
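Review bot: With `CURRENCY=${CURRENCY:="KUDOS"}` and `MYDOMAIN=${MYDOMAIN:="demo.taler.net"}` removed, `BANK_DOMAIN=bank.$MYDOMAIN` and every later use of `$CURRENCY`, `$EXCHANGE_BANK_PASSWORD` and `$BANK_ADMIN_PASSWORD` depend entirely on runtime.env, and nothing in this hunk checks them. A missing `MYDOMAIN` gives the domain `bank.` and a missing password provisions accounts with an empty one. Add a guard near the top, for example `: "${MYDOMAIN:?MYDOMAIN not set in runtime.env}"` for each required variable.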
@@ -146,22 +118,13 @@ https://$MERCHANT_DOMAIN {
}
}
-:$PORT_INTERNAL_BANK_SPA {
- root * /usr/share/libeufin/spa
- root /settings.json /etc/libeufin/
- file_server
-}
EOF
cat <<EOF >> /etc/hosts
# Start of Taler Sandcastle Domains
-127.0.0.1 $LANDING_DOMAIN
127.0.0.1 $BANK_DOMAIN
127.0.0.1 $EXCHANGE_DOMAIN
127.0.0.1 $MERCHANT_DOMAIN
-127.0.0.1 $BLOG_DOMAIN
-127.0.0.1 $DONATIONS_DOMAIN
-127.0.0.1 $SURVEY_DOMAIN
# End of Taler Sandcastle Domains
EOF
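Review bot: The removed `:$PORT_INTERNAL_BANK_SPA` block was the only visible consumer of /etc/libeufin/settings.json (`root /settings.json /etc/libeufin/`), but a later hunk of this file still writes that file with a `topNavSites` entry. If the bank serves it by another route, say so in a comment next to the heredoc; otherwise remove the now-dead settings.json generation together with this block.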
@@ -172,31 +135,59 @@ caddy trust
systemctl start postgresql.service
-# Set up bank
-
-
-# FIXME: user libeufin-dbconf instead of manual setup
-
-BANK_DB=libeufinbank
-# Use "|| true" to continue if these already exist.
-sudo -i -u postgres createuser -d libeufin-bank || true
-sudo -i -u postgres createdb -O libeufin-bank $BANK_DB || true
+LIBEUFIN_DB=libeufin
+BANK_KEY_FILE=/provision/bank-key.json
+CLIENT_KEY_FILE=/provision/client-key.json
+cat /provision/nexus.conf > /etc/libeufin/libeufin-nexus.conf
+
+echo "INFO: overriding nexus DB name to ${LIBEUFIN_DB}"
+# Setting Nexus DB to constant name.
+taler-config \
+ -c /etc/libeufin/libeufin-nexus.conf \
+ -s NEXUS-POSTGRES \
+ -o CONFIG \
+ -V "postgres:///$LIBEUFIN_DB"
+echo "INFO: overriding bank EBICS key file location to ${BANK_KEY_FILE}"
+# Setting key files to the locations mounted by Podman
+taler-config \
+ -c /etc/libeufin/libeufin-nexus.conf \
+ -s NEXUS-EBICS \
+ -o BANK_PUBLIC_KEYS_FILE \
+ -V $BANK_KEY_FILE
+echo "INFO: overriding client EBICS key file location to ${CLIENT_KEY_FILE}"
+# Setting key files to the locations mounted by Podman
+taler-config \
+ -c /etc/libeufin/libeufin-nexus.conf \
+ -s NEXUS-EBICS \
+ -o CLIENT_PRIVATE_KEYS_FILE \
+ -V $CLIENT_KEY_FILE
+
+FIAT_IBAN=$(taler-config -c /etc/libeufin/libeufin-nexus.conf -s NEXUS-EBICS -o IBAN)
+FIAT_NAME=$(taler-config -c /etc/libeufin/libeufin-nexus.conf -s NEXUS-EBICS -o NAME)
+FIAT_CURRENCY=$(taler-config -c /etc/libeufin/libeufin-nexus.conf -s NEXUS-EBICS -o CURRENCY)
+# Set up bank
cat <<EOF >/etc/libeufin/libeufin-bank.conf
[libeufin-bankdb-postgres]
# DB connection string
-CONFIG = postgresql:///$BANK_DB
+CONFIG = postgresql:///$LIBEUFIN_DB
[libeufin-bank]
CURRENCY = $CURRENCY
-DEFAULT_DEBT_LIMIT = $CURRENCY:500
-REGISTRATION_BONUS = $CURRENCY:100
+DEFAULT_DEBT_LIMIT = $CURRENCY:0
+REGISTRATION_BONUS = $CURRENCY:0
SPA_CAPTCHA_URL = https://$BANK_DOMAIN/webui/#/operation/{woid}
SUGGESTED_WITHDRAWAL_EXCHANGE = https://$EXCHANGE_DOMAIN/
-ALLOW_REGISTRATION = yes
+ALLOW_REGISTRATION = no
SERVE = tcp
PORT = 8080
+ALLOW_CONVERSION=yes
+FIAT_CURRENCY=${FIAT_CURRENCY}
+TAN_SMS=libeufin-tan-sms.sh
+TAN_EMAIL=libeufin-tan-email.sh
+ALLOW_EDIT_CASHOUT_PAYTO_URI=yes
+
[currency-$CURRENCY]
ENABLED = YES
name = "$CURRENCY (Taler Demonstrator)"
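Review bot: `FIAT_IBAN`, `FIAT_NAME` and `FIAT_CURRENCY` are taken from `taler-config` output without checking that the result is non-empty, and they are later written into libeufin-bank.conf and the exchange's payto URI. Fail early if any of the three is empty, since the mounted nexus.conf is operator-supplied. Smaller points in the same hunk: `-V $BANK_KEY_FILE` and `-V $CLIENT_KEY_FILE` should be quoted, the comment "Setting key files to the locations mounted by Podman" is duplicated, and the five added bank options use `KEY=value` while the rest of the heredoc uses `KEY = value`.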
@@ -212,76 +203,54 @@ EOF
cat <<EOF >/etc/libeufin/settings.json
{
"topNavSites": {
- "Landing": "https://$LANDING_DOMAIN/",
- "Bank": "https://$BANK_DOMAIN",
- "Essay Shop": "https://$BLOG_DOMAIN",
- "Donations": "https://$DONATIONS_DOMAIN",
- "Survey": "https://$SURVEY_DOMAIN"
+ "Bank": "https://$BANK_DOMAIN"
}
}
EOF
-sudo -i -u libeufin-bank libeufin-bank dbinit
+#FIXME: temporary workaround
+sleep 1
+ln -s /var/run/postgresql/.s.PGSQL.5433 /var/run/postgresql/.s.PGSQL.5432 || true
+ln -s /var/run/postgresql/.s.PGSQL.5432 /var/run/postgresql/.s.PGSQL.5433 || true
-systemctl enable --now libeufin-bank.service
+libeufin-dbconfig -d $LIBEUFIN_DB # includes dbinit for nexus and bank
-taler-harness deployment wait-taler-service libeufin-bank https://$BANK_DOMAIN/config
+#FIXME: "|| true" is temporary workaround until the command becomes idempotent
+echo "Create exchange account..."
+EXCHANGE_FULL_PAYTO="$(sudo -u libeufin-bank libeufin-bank create-account -c /etc/libeufin/libeufin-bank.conf --username exchange --password $EXCHANGE_BANK_PASSWORD --name Exchange --exchange)?receiver-name=Exchange" || true
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login exchange --exchange --public \
- --payto $EXCHANGE_PLAIN_PAYTO \
- --name Exchange \
- --password sandbox
-
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login merchant-default --public \
- --payto "payto://iban/$MERCHANT_IBAN_DEFAULT" \
- --name "Default Demo Merchant" \
- --password sandbox
-
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login merchant-pos --public \
- --payto "payto://iban/$MERCHANT_IBAN_POS" \
- --name "PoS Merchant" \
- --password sandbox
-
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login merchant-blog --public \
- --payto "payto://iban/$MERCHANT_IBAN_BLOG" \
- --name "Blog Merchant" \
- --password sandbox
-
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login merchant-gnunet --public \
- --payto "payto://iban/$MERCHANT_IBAN_GNUNET" \
- --name "GNUnet Donations Merchant" \
- --password sandbox
-
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login merchant-taler --public \
- --payto "payto://iban/$MERCHANT_IBAN_TALER" \
- --name "Taler Donations Merchant" \
- --password sandbox
-
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login merchant-tor --public \
- --payto "payto://iban/$MERCHANT_IBAN_TOR" \
- --name "Tor Donations Merchant" \
- --password sandbox
-
-taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
- --login merchant-survey --public \
- --payto "payto://iban/$MERCHANT_IBAN_SURVEY" \
- --name "Tor Survey Merchant" \
- --password sandbox
+systemctl enable --now libeufin-bank.service
+chown libeufin-nexus:libeufin-nexus /ebicslogs
+systemctl enable --now libeufin-nexus-ebics-fetch
+systemctl enable --now libeufin-nexus-ebics-submit
+taler-harness deployment wait-taler-service libeufin-bank https://$BANK_DOMAIN/config
sudo -i -u libeufin-bank libeufin-bank edit-account admin --debit_threshold=$CURRENCY:1000000
-sudo -i -u libeufin-bank libeufin-bank passwd admin sandbox
+sudo -i -u libeufin-bank libeufin-bank passwd admin $BANK_ADMIN_PASSWORD
+
+# Enabling currency conversion
+# FIXME: import this into taler-harness
+curl -u "admin:${BANK_ADMIN_PASSWORD}" \
+ -H 'Content-Type: application/json; charset=utf-8' \
+ https://$BANK_DOMAIN/conversion-info/conversion-rate \
+--data-binary @- << EOF
+{
+ "cashin_ratio": "1",
+ "cashin_fee": "${CURRENCY}:0",
+ "cashin_tiny_amount": "${CURRENCY}:2",
+ "cashin_rounding_mode": "nearest",
+ "cashin_min_amount": "${FIAT_CURRENCY}:1",
+ "cashout_ratio": "1",
+ "cashout_fee": "${FIAT_CURRENCY}:0",
+ "cashout_tiny_amount": "${FIAT_CURRENCY}:2",
+ "cashout_rounding_mode": "zero",
+ "cashout_min_amount": "${CURRENCY}:1"
+}
+EOF
# Set up exchange
MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LDEBUG setup)
-
EXCHANGE_DB=talerexchange
# Use "|| true" to continue if these already exist.
sudo -i -u postgres createuser -d taler-exchange-httpd || true
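Review bot: `|| true` on the `EXCHANGE_FULL_PAYTO="$(... create-account ...)?receiver-name=Exchange"` assignment hides a failed `create-account`: the substitution is then empty, the variable becomes `?receiver-name=Exchange`, and that string later lands in `PAYTO_URI = $EXCHANGE_FULL_PAYTO`. A re-run where the account already exists takes exactly this path, so read the payto URI back from the bank rather than ignoring the error. In the same hunk, `--password $EXCHANGE_BANK_PASSWORD` and `passwd admin $BANK_ADMIN_PASSWORD` are unquoted and both passwords are passed on the command line, and the `curl` call has no `--fail`, so a rejected conversion-rate request does not stop provisioning. The two `ln -s` lines point 5432 and 5433 at each other; if neither socket exists yet after `sleep 1` they create a symlink loop.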
@@ -311,6 +280,8 @@ alt_unit_names = {"0":"$CURRENCY"}
AML_THRESHOLD = $CURRENCY:1000000
MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY
BASE_URL = https://$EXCHANGE_DOMAIN/
+STEFAN_ABS=$CURRENCY:0
+STEFAN_LOG=$CURRENCY:0
[exchange-account-default]
PAYTO_URI = $EXCHANGE_FULL_PAYTO
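Review bot: `STEFAN_ABS` and `STEFAN_LOG` are added without any comment and in `KEY=value` form, while the neighbouring `AML_THRESHOLD`, `MASTER_PUBLIC_KEY` and `BASE_URL` lines use `KEY = value`. Add a one-line comment saying what the two zero amounts configure and match the spacing of the surrounding section.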
@@ -396,6 +367,13 @@ sudo -i -u taler-exchange-offline \
global-fee now "${CURRENCY}":0 "${CURRENCY}":0 "${CURRENCY}":0 1h 6a 0 \
upload
+sudo -i -u taler-exchange-offline \
+ taler-exchange-offline \
+ enable-account \
+ "payto://iban/$FIAT_IBAN?receiver-name=$FIAT_NAME" \
+ conversion-url "https://$BANK_DOMAIN" \
+ upload
+
# Set up merchant backend
MERCHANT_DB=talermerchant
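Review bot: The `enable-account` argument `"payto://iban/$FIAT_IBAN?receiver-name=$FIAT_NAME"` is assembled from raw nexus.conf values and relies on the operator having URL-encoded `NAME` by hand. Validate or encode `FIAT_NAME` in the script before building the URI, and abort if `FIAT_IBAN` is empty, because this account is signed with the offline key and uploaded in the same command.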
@@ -425,97 +403,3 @@ EOF
systemctl enable --now taler-merchant-httpd
taler-harness deployment wait-taler-service taler-merchant https://$MERCHANT_DOMAIN/config
-
-taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
- --management-token secret-token:sandbox \
- --instance-token secret-token:sandbox \
- --name Merchant \
- --id default \
- --payto "payto://iban/$MERCHANT_IBAN_DEFAULT?receiver-name=Merchant"
-
-taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
- --management-token secret-token:sandbox \
- --instance-token secret-token:sandbox \
- --name "POS Merchant" \
- --id pos \
- --payto "payto://iban/$MERCHANT_IBAN_POS?receiver-name=POS+Merchant"
-
-taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
- --management-token secret-token:sandbox \
- --instance-token secret-token:sandbox \
- --name "Blog Merchant" \
- --id blog \
- --payto "payto://iban/$MERCHANT_IBAN_BLOG?receiver-name=Blog+Merchant"
-
-taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
- --management-token secret-token:sandbox \
- --instance-token secret-token:sandbox \
- --name "GNUnet Merchant" \
- --id gnunet \
- --payto "payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant"
-
-taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
- --management-token secret-token:sandbox \
- --instance-token secret-token:sandbox \
- --name "Taler Merchant" \
- --id taler \
- --payto "payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant"
-
-taler-harness deployment provision-merchant-instance \
- https://$MERCHANT_DOMAIN/ \
- --management-token secret-token:sandbox \
- --instance-token secret-token:sandbox \
- --name "Tor Merchant" \
- --id tor \
- --payto "payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant"
-
-
-# Now we set up the taler-merchant-demos
-
-cat <<EOF >/etc/taler/taler-merchant-frontends.conf
-# Different entry point, we need to repeat some settings.
-# In the future, taler-merchant-demos should become
-# robust enough to read from the main config.
-[taler]
-CURRENCY = $CURRENCY
-[frontends]
-BACKEND = https://$MERCHANT_DOMAIN/
-BACKEND_APIKEY = secret-token:sandbox
-[landing]
-SERVE = http
-HTTP_PORT = $PORT_INTERNAL_LANDING
-[blog]
-SERVE = http
-HTTP_PORT = $PORT_INTERNAL_BLOG
-[donations]
-SERVE = http
-HTTP_PORT = $PORT_INTERNAL_DONATIONS
-[survey]
-SERVE = http
-HTTP_PORT = $PORT_INTERNAL_SURVEY
-EOF
-
-# This really should not exist, the taler-merchant-frontends
-# should be easier to configure!
-cat <<EOF >/etc/taler/taler-merchant-frontends.env
-TALER_ENV_URL_INTRO=https://$LANDING_DOMAIN/
-TALER_ENV_URL_LANDING=https://$LANDING_DOMAIN/
-TALER_ENV_URL_BANK=https://$BANK_DOMAIN/
-TALER_ENV_URL_MERCHANT_BLOG=https://$BLOG_DOMAIN/
-TALER_ENV_URL_MERCHANT_DONATIONS=https://$DONATIONS_DOMAIN/
-TALER_ENV_URL_MERCHANT_SURVEY=https://$SURVEY_DOMAIN/
-EOF
-
-systemctl enable --now taler-demo-landing
-systemctl enable --now taler-demo-blog
-systemctl enable --now taler-demo-donations
-systemctl enable --now taler-demo-survey
-
-
-# FIXME: Maybe do some taler-wallet-cli test?
-# FIXME: How do we report errors occurring during the setup script?
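Review bot: After this removal the script still starts taler-merchant-httpd and waits for its /config, but in the lines shown it no longer creates any instance or sets a management token, while sandcastle-run keeps publishing the merchant port. The README defers configuration to the regional manual; state there that the backend is unconfigured until that step is done and that it should not be put behind the public reverse proxy before then. The deleted "FIXME: How do we report errors occurring during the setup script?" is still an open question and should stay as a tracked item.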
diff --git a/sandcastle-ng/systemd/setup-sandcastle.service b/sandcastle-ng/systemd/setup-sandcastle.service
index 31ff233..8549c75 100644
--- a/sandcastle-ng/systemd/setup-sandcastle.service
+++ b/sandcastle-ng/systemd/setup-sandcastle.service
@@ -5,6 +5,7 @@ ConditionPathExists=/provision/setup-sandcastle.sh
[Service]
Type=oneshot
ExecStart=/provision/setup-sandcastle.sh
+EnvironmentFile=/provision/runtime.env
RemainAfterExit=yes
[Install]
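Review bot: `EnvironmentFile=/provision/runtime.env` is parsed by systemd, not by a shell, and the unit's only condition remains `ConditionPathExists=/provision/setup-sandcastle.sh`. Document in the README that the file must contain plain `KEY=value` lines without shell expansion, and add a matching `ConditionPathExists=/provision/runtime.env` (or validate the variables in the script) so that a missing or incomplete file is reported clearly instead of surfacing as a provisioning failure later.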