ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 3d9921098ce6457fc7b208649b3685fe2bc810a0
parent c45f8ac76cff7aeeeacfc465f9d452dab98abf13
Author: Florian Dold <florian@dold.me>
Date:   Fri, 29 May 2026 14:29:24 +0200

expose prepared transfer API

Diffstat:
Minventories/group_vars/all/defaults.yml | 10++++++++++
Minventories/host_vars/rusty/vars.yml | 3+--
Minventories/host_vars/taler-gls-test-01/config.yml | 2--
Mroles/libeufin-nexus/tasks/main.yml | 43++++++++++++++++++++++++++++++++++++++++++-
Aroles/libeufin-nexus/templates/etc/nginx/sites-available/nexus-http.conf.j2 | 14++++++++++++++
Aroles/libeufin-nexus/templates/etc/nginx/sites-available/nexus-nginx.conf.j2 | 35+++++++++++++++++++++++++++++++++++
6 files changed, 102 insertions(+), 5 deletions(-)

diff --git a/inventories/group_vars/all/defaults.yml b/inventories/group_vars/all/defaults.yml
@@ -28,3 +28,12 @@ configure_ebics: false
 # Clicksend defaults that should be overridden by the host config.
 sms_challenger_clicksend_username: anonymous
 sms_challenger_clicksend_api_key: anonymous
+
+# Domain name of the Taler exchange
+exchange_domain: "exchange.{{ domain_name }}"
+# Domain name of the libeufin-nexus service
+nexus_domain: "nexus.{{ domain_name }}"
+
+# Use letsencrypt by default
+exchange_use_letsencrypt: true
+nexus_use_letsencrypt: true
+\ No newline at end of file
diff --git a/inventories/host_vars/rusty/vars.yml b/inventories/host_vars/rusty/vars.yml
@@ -10,9 +10,8 @@ deploy_challenger: true
 # system and this option is 'false', then a backup must have been provided
 # at the originating host (you get get it using the 'restore.sh' script).
 DISABLE_RESTORE_BACKUP: true
-# Main domain name.
+# Main external domain name.
 domain_name: "stage.taler-ops.ch"
-exchange_domain: "exchange.{{ domain_name }}"
 # Our internal hostname
 TARGET_HOST_NAME: "rusty.taler-ops.ch"
 # Suite for taler packages.
diff --git a/inventories/host_vars/taler-gls-test-01/config.yml b/inventories/host_vars/taler-gls-test-01/config.yml
@@ -12,8 +12,6 @@ ebics_keys_external: true
 # Main domain name.
 domain_name: "gls.de"
 exchange_domain: "test.exchange.gls.de"
-# We bring our own certificates
-exchange_use_letsencrypt: true
 # High-level kind of deployment.
 # Other customizations depend on this.
 # Can be "gls" or "tops" (later: "magnet")
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml 
@@ -31,7 +31,48 @@ owner: root group: root
-# FIXME: is this needed or always there in Ansible?
+- name: Ensure nexus virtualhost configuration file exists
+ ansible.builtin.template:
+ src: templates/etc/nginx/sites-available/nexus-nginx.conf.j2
+ dest: /etc/nginx/sites-available/nexus-nginx.conf
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: Ensure nexus HTTP virtualhost configuration file exists
+ ansible.builtin.template:
+ src: templates/etc/nginx/sites-available/nexus-http.conf.j2
+ dest: /etc/nginx/sites-available/nexus-http.conf
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: Secure the libeufin with Letsencrypt
+ when: nexus_use_letsencrypt
+ ansible.builtin.include_role:
+ name: cert
+ vars:
+ cert_name: nexus
+ wanted_cert_domains:
+ - "{{ nexus_domain }}"
+ nginx_sites:
+ - nexus-http.conf
+ - nexus-nginx.conf
+
+- name: Enable Taler nexus HTTP reverse proxy configuration
+ ansible.builtin.file:
+ src: /etc/nginx/sites-available/nexus-http.conf
+ dest: /etc/nginx/sites-enabled/nexus-http.conf
+ state: link
+ notify: Restart nginx
+
+- name: Enable Taler nexus reverse proxy configuration
+ ansible.builtin.file:
+ src: /etc/nginx/sites-available/nexus-nginx.conf
+ dest: /etc/nginx/sites-enabled/nexus-nginx.conf
+ state: link
+ notify: Restart nginx
+
 - name: Ensure Ansible facts directory dir exists
 file:
 path: "/etc/ansible/facts.d/"
diff --git a/roles/libeufin-nexus/templates/etc/nginx/sites-available/nexus-http.conf.j2 b/roles/libeufin-nexus/templates/etc/nginx/sites-available/nexus-http.conf.j2
@@ -0,0 +1,14 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ nexus_domain }};
+
+ error_log /var/log/nginx/{{ nexus_domain }}-http.err;
+ access_log /var/log/nginx/{{ nexus_domain }}-http.log;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/roles/libeufin-nexus/templates/etc/nginx/sites-available/nexus-nginx.conf.j2 b/roles/libeufin-nexus/templates/etc/nginx/sites-available/nexus-nginx.conf.j2 
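Review bot: The two `ansible.builtin.template` tasks that render nexus-nginx.conf and nexus-http.conf carry no `notify`, so on a host where the sites-enabled symlinks already exist the later `file` tasks report no change and an edited template is deployed without nginx being restarted (unless the cert role happens to reload it, which is not visible here); add `notify: Restart nginx` to both template tasks. When `nexus_use_letsencrypt` is false the rendered nexus-nginx.conf refers to /etc/nginx/ssl/nexus.crt and nexus.key, and nothing in this hunk places those files or guards the link task on their presence, so the notified restart would fail unless another task provides them. The hunk opens inside the owner/group lines of a preceding task, and its last task (`Ensure Ansible facts directory dir exists`) continues past the hunk.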
@@ -0,0 +1,35 @@
+server {
+
+ include conf.d/listen.conf.inc;
+
+ server_name {{ nexus_domain }};
+
+{%if nexus_use_letsencrypt %}
+ ssl_certificate /etc/letsencrypt/live/nexus/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nexus/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/nexus/chain.pem;
+{% else %}
+ ssl_certificate /etc/nginx/ssl/nexus.crt;
+ ssl_certificate_key /etc/nginx/ssl/nexus.key;
+{% endif %}
+
+ # Bigger than default timeout to support long polling
+ proxy_read_timeout 6500s;
+ keepalive_requests 1000000;
+ keepalive_timeout 6500s;
+
+ error_log /var/log/nginx/{{ nexus_domain }}.err;
+ access_log /var/log/nginx/{{ nexus_domain }}.log;
+
+ access_log /var/log/nginx/{{ nexus_domain }}.tal taler if=$log_perf;
+
+ // We only expose this one API for now.
+ // The wire transfer API is protected by an
+ // access token but very sensitive, so
+ // we don't expose it.
+ // Other nexus APIs might be allowed
+ // in the future.
+ location /taler-prepared-transfer/ {
+ proxy_pass http://localhost:8082/taler-prepared-transfer/;
+ }
+}
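Review bot: The six comment lines above the `location /taler-prepared-transfer/` block start with `//`, which nginx does not treat as a comment; the rendered file makes `nginx -t` fail with an unknown-directive error, so they must use `#` instead (`# We only expose this one API for now.` and likewise for the five lines that follow). The `.tal` access_log depends on a `taler` log format and a `$log_perf` variable that this file does not define; if they come from an include shared with the exchange role, that dependency deserves a comment next to the directive, because the config will not load on a host that lacks them. The single `location` leaves every other path to nginx's default handling; an explicit `location / { return 404; }` would make the stated intent of exposing only this one API visible in the config itself.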