#!/usr/bin/env bash

# This script provisions all configuration and
# services for the Taler sandcastle container.
#
# Important: This script needs to be completely
# idempotent, nothing must break if it is executed
# multiple times.

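# Abort on the first failing command or unset variable, and make a
# pipeline fail when any of its stages fails (the GRANT statements further
# down are "echo ... | psql" pipelines).
set -euo pipefail
# Trace every command. NOTE: the trace contains every command-line
# argument, so the fixed sandbox password/tokens that are passed on argv
# below end up in the log/journal. Acceptable for this throwaway sandbox
# only; a real deployment must not run with -x and literal credentials.
set -x

echo "Provisioning sandcastle"

# Sandbox currency and the exchange's (fake) IBAN. The plain payto URI is
# used when creating the bank account, the full one (with receiver-name)
# when the exchange announces its account.
CURRENCY=KUDOS
EXCHANGE_IBAN=DE159593
EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN
EXCHANGE_FULL_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc"
# Well-known sandbox password of the exchange's bank account. It is used
# both when the account is created at the bank and in the exchange's
# wire-gateway credentials, so it has a single definition here; it can be
# overridden from the environment.
EXCHANGE_BANK_PASSWORD=${EXCHANGE_BANK_PASSWORD:-sandbox}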

# Stop everything that is reconfigured below before touching its files.
# One failing "systemctl stop" aborts the script (set -e), exactly as
# with one stop command per line.
for unit in \
  taler-exchange.target \
  taler-merchant-httpd.service \
  postgresql.service \
  taler-demo-landing.service \
  taler-demo-blog.service \
  taler-demo-donations.service \
  taler-demo-survey.service
do
  systemctl stop "$unit"
done

# We now make sure that some important locations are symlinked to
# the persistent storage volume.
# Files that already exist in this location are moved to the storage volume
# and then symlinked.
# These locations are:
# /etc/taler
# /etc/libeufin-bank
# /var/lib/taler
# postgres DB directory

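#######################################
# Move a directory onto the persistent storage volume and replace it with
# a symlink, so its contents survive container re-creation.
# Globals:   TALERDATA_DIR (read, optional) - base of the persistent volume,
#            defaults to /talerdata
# Arguments: $1 - directory to lift (e.g. /etc/taler)
#            $2 - name of the target directory inside the volume
# Outputs:   one progress line to stdout
# Returns:   0 on success; 1 if $1 is neither a symlink nor present and
#            the volume has no copy either (nothing to lift)
#
# Precedence: a directory that already exists on the volume wins over the
# container's own copy of $1 — the local copy is deleted, not merged.
# Re-running on an already lifted directory is a no-op (idempotent).
#######################################
lift_dir() {
  local src=$1
  local target=$2
  local base=${TALERDATA_DIR:-/talerdata}
  local dest=$base/$target

  if [[ -L "$src" ]]; then
    # be idempotent
    echo "$src is already a symlink"
  elif [[ -d "$dest" ]]; then
    echo "symlinking existing $dest"
    # The persisted copy is authoritative; ":?" refuses to run an
    # "rm -rf" on an empty path.
    rm -rf -- "${src:?}"
    ln -s -- "$dest" "$src"
  else
    if [[ ! -e "$src" ]]; then
      # Neither side exists: fail clearly instead of via a cryptic mv error.
      echo "error: $src does not exist, cannot lift it to $dest" >&2
      return 1
    fi
    echo "symlinking new $dest"
    mv -- "$src" "$dest"
    ln -s -- "$dest" "$src"
  fi
}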

# Lift the state/config directories listed in the comment above onto the
# persistent volume (one "<source dir> <volume subdir>" pair per line).
while read -r src target; do
  lift_dir "$src" "$target"
done <<'EOF'
/var/lib/taler var-lib-taler
/etc/taler etc-taler
/etc/libeufin-bank etc-libeufin-bank
/var/lib/postgresql var-lib-postgresql
EOF

# Caddy configuration.
# We use the caddy reverse proxy with automatic
# internal TLS setup to ensure that the services are
# reachable inside the container without any external
# DNS setup under the same domain name and with TLS
# from inside the container.

systemctl stop caddy.service

# All sandcastle host names hang off one base domain; the individual
# variables are used below for the Caddyfile, /etc/hosts and the
# service URLs that are waited for / provisioned.
MYDOMAIN=demo.taler.net
LANDING_DOMAIN=$MYDOMAIN
BANK_DOMAIN=bank.$MYDOMAIN
EXCHANGE_DOMAIN=exchange.$MYDOMAIN
MERCHANT_DOMAIN=backend.$MYDOMAIN
BLOG_DOMAIN=shop.$MYDOMAIN
DONATIONS_DOMAIN=donations.$MYDOMAIN
SURVEY_DOMAIN=survey.$MYDOMAIN

# Upstreams for the three proxied vhosts: the bank on a local TCP port,
# exchange and merchant on their unix sockets.
bank_upstream=:8080
exchange_upstream=unix//run/taler/exchange-httpd/exchange-http.sock
merchant_upstream=unix//run/taler/merchant-httpd/merchant-http.sock
caddyfile=/etc/caddy/Caddyfile

# "tls internal": certificates come from caddy's own local CA (installed
# into the system trust store by "caddy trust" further down), so clients
# inside the container get TLS without external DNS or a public CA.
# Only bank, exchange and merchant get a vhost; the landing/blog/
# donations/survey names defined above get /etc/hosts entries but are not
# proxied by this Caddyfile.
cat >"$caddyfile" <<EOF
https://$BANK_DOMAIN {
  tls internal
  reverse_proxy $bank_upstream {
    # libeufin-bank should eventually not require this anymore,
    # but currently doesn't work without this header.
    header_up X-Forwarded-Prefix "/"
  }
}

https://$EXCHANGE_DOMAIN {
  tls internal
  reverse_proxy $exchange_upstream
}

https://$MERCHANT_DOMAIN {
  tls internal
  reverse_proxy $merchant_upstream
}
EOF

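# Resolve every sandcastle domain to localhost. The entries are wrapped in
# marker lines and any previous block between the markers is removed
# first, so re-running the script replaces the block instead of appending
# another copy (the script must stay idempotent). /etc/hosts is rewritten
# in place via "cat >" rather than "sed -i"/rename because in a container
# it may be a bind mount that cannot be replaced.
hosts_tmp=$(mktemp)
sed '/^# Start of Taler Sandcastle Domains$/,/^# End of Taler Sandcastle Domains$/d' \
  /etc/hosts >"$hosts_tmp"
cat <<EOF >>"$hosts_tmp"
# Start of Taler Sandcastle Domains
127.0.0.1 $LANDING_DOMAIN
127.0.0.1 $BANK_DOMAIN
127.0.0.1 $EXCHANGE_DOMAIN
127.0.0.1 $MERCHANT_DOMAIN
127.0.0.1 $BLOG_DOMAIN
127.0.0.1 $DONATIONS_DOMAIN
127.0.0.1 $SURVEY_DOMAIN
# End of Taler Sandcastle Domains
EOF
cat "$hosts_tmp" >/etc/hosts
rm -f -- "$hosts_tmp"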

# Start caddy first: "caddy trust" below presumably needs the running
# instance to obtain the internal CA's root certificate — TODO confirm.
systemctl start caddy.service

# Install local, internal CA certs for caddy
# NOTE(review): this adds caddy's private CA to the container's system
# trust store so in-container clients (taler-harness, the exchange's
# wire-gateway client, ...) accept the https://*.demo.taler.net
# certificates. Everything else that uses that trust store then trusts
# this CA as well; fine inside a sandbox container, not on a shared host.
caddy trust

# Needed by every dbinit/createuser/createdb step below.
systemctl start postgresql.service

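# Set up bank

BANK_DB=libeufinbank
# createuser/createdb fail when the role/database already exists, which is
# the expected state on a re-run, so their status is ignored. (This also
# hides other failures, e.g. postgres not accepting connections; those
# surface at "dbinit" right below.)
sudo -i -u postgres createuser -d libeufin-bank || true
sudo -i -u postgres createdb -O libeufin-bank "$BANK_DB" || true

# Initialize the bank's database schema (run unconditionally, so it is
# assumed to be safe to repeat).
sudo -i -u libeufin-bank libeufin-bank dbinit

systemctl start libeufin-bank.service

# Block until the bank answers /config before creating accounts on it.
taler-harness deployment wait-taler-service libeufin-bank "https://$BANK_DOMAIN/config"

# Create the exchange's bank account. The password is the same variable
# that is written into the exchange's wire-gateway credentials file
# below; using one definition keeps the two from drifting apart.
# NOTE(review): it is passed on argv, so it is visible in "ps" and in the
# "set -x" trace — tolerable only because it is the fixed sandbox secret.
taler-harness deployment provision-bank-account "https://$BANK_DOMAIN/" \
  --login exchange --exchange --public \
  --payto "$EXCHANGE_PLAIN_PAYTO" \
  --name Exchange \
  --password "$EXCHANGE_BANK_PASSWORD"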

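# Set up exchange

# Create (or, on a re-run, reuse — assumed, since the config below must
# keep the same key) the offline master signing key and capture its public
# part. Runs without -c, i.e. with the tool's default config path, unlike
# the later "download sign upload" call.
MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LDEBUG setup)
# "set -u" does not catch an empty string; an empty key would be written
# into setup.conf and only blow up much later when the exchange starts.
if [[ -z "$MASTER_PUBLIC_KEY" ]]; then
  echo "error: taler-exchange-offline setup produced no master public key" >&2
  exit 1
fi

EXCHANGE_DB=talerexchange
# Roles/database may already exist on a re-run; ignore those failures.
# Only the httpd role owns the database and may create objects in it;
# the helper daemons get explicit GRANTs after dbinit.
sudo -i -u postgres createuser -d taler-exchange-httpd || true
for role in taler-exchange-wire taler-exchange-closer taler-exchange-aggregator; do
  sudo -i -u postgres createuser "$role" || true
done
sudo -i -u postgres createdb -O taler-exchange-httpd "$EXCHANGE_DB" || true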

# Generate /etc/taler/conf.d/setup.conf
# Rewritten on every run from the variables above (currency, exchange base
# URL, master public key, account payto). The "@inline-secret@" directive
# pulls the wire-gateway credentials in from the separate secrets file
# written further down, so the bank password is kept out of this
# non-secret config file. NOTE(review): the AML threshold and
# ENABLE_DEBIT/ENABLE_CREDIT are sandbox settings; a production config
# would review both.
cat <<EOF > /etc/taler/conf.d/setup.conf
[taler]
CURRENCY = $CURRENCY
CURRENCY_ROUND_UNIT = $CURRENCY:0.01

[exchange]
AML_THRESHOLD = $CURRENCY:1000000
MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY
BASE_URL = https://$EXCHANGE_DOMAIN/

[exchange-account-default]
PAYTO_URI = $EXCHANGE_FULL_PAYTO
ENABLE_DEBIT = YES
ENABLE_CREDIT = YES
@inline-secret@ exchange-accountcredentials-default ../secrets/exchange-accountcredentials-default.secret.conf
EOF

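# Exchange database connection string (local socket, no password).
# Created under a restrictive umask so a freshly created file is never
# readable by others between creation and the chmod/chown below; an
# existing file keeps its mode and is just rewritten.
(
  umask 077
  cat <<EOF >/etc/taler/secrets/exchange-db.secret.conf
[exchangedb-postgres]
CONFIG=postgres:///${EXCHANGE_DB}
EOF
)
# Readable by root and the taler-exchange-db group only.
chmod 440 /etc/taler/secrets/exchange-db.secret.conf
chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf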

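# Wire-gateway credentials the exchange uses towards the bank. This file
# holds the actual bank password, so it must never be world-readable, not
# even for the instant between "cat >" creating it and the chmod below:
# write it under umask 077 (new file comes up 0600). An existing file is
# rewritten in place and keeps its mode.
(
  umask 077
  cat <<EOF > /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
[exchange-accountcredentials-default]
WIRE_GATEWAY_URL = https://$BANK_DOMAIN/accounts/exchange/taler-wire-gateway/
WIRE_GATEWAY_AUTH_METHOD = basic
USERNAME = exchange
PASSWORD = ${EXCHANGE_BANK_PASSWORD}
EOF
)
# Owner-only read: only the wire daemon (taler-exchange-wire) needs it;
# with mode 0400 the group is irrelevant.
chmod 400 /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
chown taler-exchange-wire:taler-exchange-db /etc/taler/secrets/exchange-accountcredentials-default.secret.conf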

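coins_conf=/etc/taler/conf.d/$CURRENCY-coins.conf
if [[ ! -e "$coins_conf" ]]; then
  # Only create if necessary, as each [COIN-...] section
  # has a unique name with a timestamp.
  # Generate into a temporary file in the same directory and rename it
  # into place: if the generator aborts half-way, no partial file is left
  # behind that the next run would mistake for a finished one.
  coins_tmp=$(mktemp "$coins_conf.XXXXXX")
  taler-harness deployment gen-coin-config \
    --min-amount "${CURRENCY}:0.01" \
    --max-amount "${CURRENCY}:100" \
      >"$coins_tmp" || { rm -f -- "$coins_tmp"; exit 1; }
  # Not a secret: the exchange services (non-root) must be able to read
  # it, and mktemp creates the file 0600.
  chmod 644 "$coins_tmp"
  mv -- "$coins_tmp" "$coins_conf"
fi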

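echo "Initializing exchange database"
sudo -u taler-exchange-httpd taler-exchange-dbinit -c /etc/taler/taler.conf

#######################################
# Grant one exchange helper role access to the schema that
# taler-exchange-dbinit just created for the taler-exchange-httpd owner.
# Globals:   EXCHANGE_DB (read)
# Arguments: $1 - postgres role name
# Returns:   non-zero (aborting the script) if any GRANT fails
#
# ON_ERROR_STOP makes psql report a failed statement in its exit status;
# without it psql exits 0 after a failed GRANT and "set -e" would never
# notice. Re-granting is harmless, so this stays idempotent. Note that
# "ON ALL TABLES" covers the tables that exist now; tables added by a later
# dbinit upgrade need this script to be re-run.
#######################################
grant_exchange_access() {
  local role=$1
  sudo -i -u postgres psql -v ON_ERROR_STOP=1 -f - "$EXCHANGE_DB" <<EOF
GRANT USAGE ON SCHEMA exchange TO "$role";
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO "$role";
GRANT USAGE ON SCHEMA _v TO "$role";
GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "$role";
EOF
}

for role in taler-exchange-wire taler-exchange-closer taler-exchange-aggregator; do
  grant_exchange_access "$role"
done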


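# Terms of service and privacy policy documents, generated once and
# marked with a stamp file so re-runs skip this step.
TOS_PATH=/usr/share/taler/terms
if [[ ! -e "$TOS_PATH/stamp-generated" ]]; then
  # ToS generator is picky about the path that it is being run from, so
  # run both invocations in a subshell: the cwd change cannot leak into
  # the rest of the script, and no "cd -" (which also echoes the
  # directory to stdout) is needed.
  (
    cd "$TOS_PATH"
    taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o "$TOS_PATH" -l en
    taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o "$TOS_PATH" -l en
  )
  # Reached only if both generators succeeded (set -e aborts otherwise),
  # so a failed run is retried next time.
  touch "$TOS_PATH/stamp-generated"
fi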

systemctl enable --now taler-exchange.target

# Wait until the exchange serves /config and its management API answers
# before the offline tool talks to it.
taler-harness deployment wait-taler-service taler-exchange https://$EXCHANGE_DOMAIN/config
taler-harness deployment wait-endpoint https://$EXCHANGE_DOMAIN/management/keys

# Download the exchange's current online keys, sign them with the master
# key created by "setup" above, and upload the signatures.
# NOTE(review): in a real deployment this runs on an air-gapped offline
# machine; here the master key lives on the same host as the exchange,
# which is acceptable only because this is a sandbox.
sudo -i -u taler-exchange-offline \
  taler-exchange-offline \
  -c /etc/taler/taler.conf \
  download \
  sign \
  upload

# Enable the exchange's bank account and publish zero wire and global fees.
# This call has no "-c" and so uses the tool's default config path, unlike
# the one above; the trailing global-fee arguments (1h 6a 0) are the
# remaining timing/limit parameters — see the taler-exchange-offline docs.
sudo -i -u taler-exchange-offline \
  taler-exchange-offline \
  enable-account "${EXCHANGE_FULL_PAYTO}" \
  wire-fee now iban "${CURRENCY}":0 "${CURRENCY}":0 \
  global-fee now "${CURRENCY}":0 "${CURRENCY}":0 "${CURRENCY}":0 1h 6a 0 \
  upload

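# Set up merchant backend

MERCHANT_DB=talermerchant
# Role/database may already exist on a re-run; ignore those failures.
sudo -i -u postgres createuser -d taler-merchant-httpd || true
sudo -i -u postgres createdb -O taler-merchant-httpd "$MERCHANT_DB" || true

# Merchant database connection string. Written under a restrictive umask
# so a newly created file is never world-readable before the chmod below;
# an existing file is rewritten in place and keeps its mode.
(
  umask 077
  cat <<EOF >/etc/taler/secrets/merchant-db.secret.conf
[merchantdb-postgres]
CONFIG=postgres:///${MERCHANT_DB}
EOF
)
chmod 440 /etc/taler/secrets/merchant-db.secret.conf
chown taler-merchant-httpd:root /etc/taler/secrets/merchant-db.secret.conf

sudo -u taler-merchant-httpd taler-merchant-dbinit -c /etc/taler/taler.conf

systemctl enable --now taler-merchant-httpd
# Block until the backend answers before provisioning an instance on it.
taler-harness deployment wait-taler-service taler-merchant "https://$MERCHANT_DOMAIN/config"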

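# Create the default merchant instance. The URL is derived from
# MERCHANT_DOMAIN (the same host the backend was just waited for) instead
# of repeating the literal host name, so the two cannot drift apart.
# Both tokens are the fixed sandbox secret; the instance token is also the
# API key handed to the demo frontends below. They are passed on argv and
# therefore appear in the "set -x" trace. Assumed safe to re-run (the
# instance already exists on a second run) — not verified here.
taler-harness deployment provision-merchant-instance \
  "https://$MERCHANT_DOMAIN/" \
  --management-token secret-token:sandbox \
  --instance-token secret-token:sandbox \
  --name Merchant \
  --id default \
  --payto 'payto://iban/DE5135717?receiver-name=Merchant'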


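# Now we set up the taler-merchant-demos

# Separate config for the demo frontends. BACKEND is derived from
# MERCHANT_DOMAIN rather than a second copy of the host name so it always
# matches the backend that was provisioned above; BACKEND_APIKEY is the
# instance token set there. The four frontends serve plain HTTP on ports
# 8501-8504 (no TLS; the Caddyfile above does not proxy them).
cat <<EOF >/etc/taler/taler-merchant-frontends.conf
# Different entry point, we need to repeat some settings.
# In the future, taler-merchant-demos should become
# robust enough to read from the main config.
[taler]
CURRENCY = $CURRENCY
[frontends]
BACKEND = https://$MERCHANT_DOMAIN/
BACKEND_APIKEY = secret-token:sandbox
[landing]
SERVE = http
HTTP_PORT = 8501
[blog]
SERVE = http
HTTP_PORT = 8502
[donations]
SERVE = http
HTTP_PORT = 8503
[survey]
SERVE = http
HTTP_PORT = 8504
EOF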

# Enable and start the four demo frontend units (configured just above).
for demo in landing blog donations survey; do
  systemctl enable --now "taler-demo-$demo"
done


# FIXME: Maybe do some taler-wallet-cli test?
# FIXME: How do we report errors occurring during the setup script?