ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 4379129df1092902b4f17fa6150325be55008acb
parent a521f3edc7f12bcc90b6eed2d530f6e55eda7302
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sat, 23 Nov 2024 21:50:09 +0100

more work on challenger config

Diffstat:
Mplaybooks/test-secrets.yml | 5++++-
Aroles/sms-challenger/files/etc/systemd/system/sms-challenger-httpd.service | 18++++++++++++++++++
Mroles/sms-challenger/tasks/main.yml | 41+++++++++++++++++++++++++++++++++++++++--
Aroles/sms-challenger/templates/etc/challenger/sms-challenger.env | 4++++
Rroles/sms-challenger/templates/sms-challenger-nginx.conf -> roles/sms-challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2 | 0
Mroles/sms-challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2 | 11++---------
Mroles/webserver/tasks/main.yml | 11+++++------
7 files changed, 72 insertions(+), 18 deletions(-)

diff --git a/playbooks/test-secrets.yml b/playbooks/test-secrets.yml
@@ -2,9 +2,12 @@ EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1 => fact?
 # Symmetric encryption secret for KYC attribute encryption.
 EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY=SECRET2
-# EBICS ccess details
+# EBICS access details
 LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL = https://isotest.postfinance.ch/ebicsweb/ebicsweb
 LIBEUFIN_NEXUS_EBICS_HOST_ID = PFEBICS
 LIBEUFIN_NEXUS_EBICS_USER_ID = PFC00664
 LIBEUFIN_NEXUS_EBICS_PARTNER_ID = PFC00664
 LIBEUFIN_NEXUS_EBICS_SYSTEM_ID = PFC00664
+
+# Authorization token for the telesign SMS service
+SMS_CHALLENGER_TELESIGN_AUTH_TOKEN = my-auth-token
diff --git a/roles/sms-challenger/files/etc/systemd/system/sms-challenger-httpd.service b/roles/sms-challenger/files/etc/systemd/system/sms-challenger-httpd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Challenger backend
+
+[Service]
+User=challenger-httpd
+Group=challenger-sms
+Type=simple
+Restart=always
+RestartMode=direct
+RestartSec=1s
+RestartPreventExitStatus=2 3 4 5 6 9
+RuntimeMaxSec=3600s
+ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/sms-challenger.conf -L INFO
+# Used to set the AUTH_TOKEN for the challenger-send-sms.sh script.
+EnvironmentFile=/etc/challenger/sms-challenger.env
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/sms-challenger/tasks/main.yml b/roles/sms-challenger/tasks/main.yml
@@ -6,6 +6,11 @@
 state: latest
 update_cache: true
+- name: Ensure group "challenger-sms" exists
+ ansible.builtin.group:
+ name: challenger-sms
+ state: present
+
 - name: Place SMS challenger config
 ansible.builtin.template:
 src: templates/etc/challenger/challenger-sms.conf.j2
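Review bot: The new unit starts `challenger-httpd` with a third-party API token in its environment (the `EnvironmentFile=` line) but carries no sandboxing directives, so a compromise of the daemon gets the whole filesystem and can still gain privileges through setuid binaries; adding `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes` under `[Service]` is the usual minimum for a network-facing service. `ProtectSystem=strict` will need a `ReadWritePaths=` entry for any directory the daemon writes to, which I cannot see from this unit, so it should be tried on a staging host first. The unit also assumes a `challenger-httpd` user exists, while this commit only creates the `challenger-sms` group in the role; if the challenger package does not create that user, a `user` task is missing.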
@@ -46,9 +51,41 @@
 group: challenger-sms
 mode: 0640
+- name: Place SMS challenger environment data
+ ansible.builtin.template:
+ src: templates/etc/challenger/sms-challenger.env.j2
+ dest: "/etc/challenger/sms-challenger.env
+ owner: root
+ group: challenger-sms
+ mode: 0640
+
+- name: Place sms-challenger systemd service file
+ copy:
+ src: etc/systemd/system/sms-challenger-httpd.service
+ dest: "/etc/systemd/system/sms-challenger-httpd.service
 - name: Ensure SMS challenger service is enabled and started
- service:
+ ansible.builtin.systemd_service:
+ deamon_reload: true
 name: sms-challenger
 state: started
- enabled: yes
+ enabled: true
+
+- name: Place SMS challenger Nginx configuration
+ ansible.builtin.template:
+ src: templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
+ dest: "/etc/nginx/sites-available/sms-challenger-nginx.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable SMS challenger reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/sms-challenger-nginx.conf
+ dest: /etc/nginx/sites-enabled/sms-challenger-nginx.conf
+ state: link
+
+- name: Reload NGINX after challenger configuration deployment
+ service:
+ name: nginx
+ state: reloaded
diff --git a/roles/sms-challenger/templates/etc/challenger/sms-challenger.env b/roles/sms-challenger/templates/etc/challenger/sms-challenger.env
@@ -0,0 +1,4 @@
+# systemd environment file for challenger-httpd
+# Provides secrets needed.
+# Set to telesign.com auth token!
+AUTH_TOKEN={{ SMS_CHALLENGER_TELESIGN_AUTH_TOKEN }}
diff --git a/roles/sms-challenger/templates/sms-challenger-nginx.conf b/roles/sms-challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
diff --git a/roles/sms-challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2 b/roles/sms-challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2
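Review bot: Three `dest:` values in this hunk open a double quote and never close it (`dest: "/etc/challenger/sms-challenger.env`, the systemd unit dest and the nginx `sites-available` dest), so the file is not valid YAML and the whole role fails to load; the quotes should be dropped or closed. The `ansible.builtin.systemd_service` task also misspells `daemon_reload` as `deamon_reload`, which Ansible rejects as an unsupported parameter, and it starts `name: sms-challenger` while the unit installed just above it is `sms-challenger-httpd.service`. The environment-data task renders `sms-challenger.env.j2`, but the file this commit adds is `roles/sms-challenger/templates/etc/challenger/sms-challenger.env` without the `.j2` suffix, so one of the two names has to change (renaming the template keeps it consistent with the other `.j2` templates in the role). Because the rendered env file holds the Telesign token, the template task should also set `diff: false` so a `--diff` run does not print the secret. The corrected tasks:
```yaml
- name: Place SMS challenger environment data
  ansible.builtin.template:
    src: templates/etc/challenger/sms-challenger.env.j2
    dest: /etc/challenger/sms-challenger.env
    owner: root
    group: challenger-sms
    mode: "0640"
  diff: false

- name: Place sms-challenger systemd service file
  ansible.builtin.copy:
    src: etc/systemd/system/sms-challenger-httpd.service
    dest: /etc/systemd/system/sms-challenger-httpd.service
    owner: root
    group: root
    mode: "0644"

- name: Ensure SMS challenger service is enabled and started
  ansible.builtin.systemd_service:
    daemon_reload: true
    name: sms-challenger-httpd
    state: started
    enabled: true

- name: Place SMS challenger Nginx configuration
  ansible.builtin.template:
    src: templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
    dest: /etc/nginx/sites-available/sms-challenger-nginx.conf
    # … unchanged: owner/group/mode …

# … unchanged: sites-enabled symlink and nginx reload tasks …
```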
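Review bot: `AUTH_TOKEN={{ SMS_CHALLENGER_TELESIGN_AUTH_TOKEN }}` writes the token unquoted into a systemd EnvironmentFile, where, as far as I recall systemd.exec(5), surrounding whitespace is stripped and quote and backslash characters are interpreted, so a token containing such characters would be altered silently; `AUTH_TOKEN="{{ SMS_CHALLENGER_TELESIGN_AUTH_TOKEN }}"` keeps the value intact and costs nothing even if Telesign tokens are plain alphanumerics. The header comment `# Set to telesign.com auth token!` reads as an instruction to edit the file by hand, although it is rendered from the Ansible variable and overwritten on every run; `# Rendered by Ansible from SMS_CHALLENGER_TELESIGN_AUTH_TOKEN - do not edit here. Must stay mode 0640 root:challenger-sms, it holds the Telesign API token.` would tell the next maintainer where the value comes from and why the mode set by the role matters.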
@@ -1,20 +1,13 @@ [kyc-provider-sms-challenger] LOGIC = oauth2 - KYC_OAUTH2_VALIDITY = 2 years - KYC_OAUTH2_AUTHORIZE_URL = https://sms.challenger.{{ DOMAIN_NAME }}/authorize#setup - KYC_OAUTH2_TOKEN_URL = https://sms.challenger.{{ DOMAIN_NAME }}/token - KYC_OAUTH2_INFO_URL = https://sms.challenger.{{ DOMAIN_NAME }}/info - KYC_OAUTH2_CLIENT_ID = {{ ansible_local['sms-challenger-client-id']['sms-challenger']['CLIENT_ID'] }} - KYC_OAUTH2_CLIENT_SECRET = {{ ansible_local['sms-challenger-client-secret']['sms-challenger']['CLIENT_SECRET'] }} - KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }} - +# FIXME: check this is OK... KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat - +# FIXME: change in production? KYC_OAUTH2_DEBUG_MODE = YES
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
@@ -8,12 +8,6 @@
 update_cache: yes
 when: ansible_os_family == 'Debian'
-- name: Ensure Nginx service is enabled and started
- service:
- name: nginx
- state: started
- enabled: yes
-
 #- name: Install Certbot and Certbot Nginx plugin
 # package:
 # name: "{{ item }}"
@@ -33,6 +27,11 @@
 # state: restarted
 # when: certbot_result.changed
+- name: Remove default nginx configuration
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
 - name: Ensure Nginx service is enabled and started
 service:
 name: nginx
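Review bot: `KYC_OAUTH2_DEBUG_MODE = YES` stays hard-coded in a template this playbook deploys to production exchanges, with only the new `# FIXME: change in production?` above it; judging by the name this relaxes checks in the exchange's OAuth2 KYC logic, so it should not ship enabled by default. Driving it from a variable that defaults to off, `KYC_OAUTH2_DEBUG_MODE = {{ 'YES' if SMS_CHALLENGER_DEBUG_MODE | default(false) else 'NO' }}`, and documenting that variable next to the other challenger settings would remove the FIXME instead of deferring it. The `KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat` line with its own FIXME likewise deserves a comment stating what attribute format the exchange expects from the converter, since `cat` is only correct if the challenger's `/info` response already has that shape, which I cannot confirm from this hunk.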