ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 5033ad04c2a81b2aaff91f0f9147a141bc9b26df
parent 6f5f1f15a0171aafee5a78223cba5d9f8c5c9a61
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sat, 23 Nov 2024 23:13:09 +0100

work on challenger setup

Diffstat:
Mplaybooks/test-secrets.yml | 5+++++
Aroles/challenger/files/etc/systemd/system/email-challenger-httpd.service | 17+++++++++++++++++
Aroles/challenger/files/etc/systemd/system/postal-challenger-httpd.service | 19+++++++++++++++++++
Mroles/challenger/files/etc/systemd/system/sms-challenger-httpd.service | 2+-
Mroles/challenger/tasks/main.yml | 123++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
Aroles/challenger/templates/etc/challenger/postal-challenger.env.j2 | 6++++++
Rroles/challenger/templates/etc/challenger/sms-challenger.env -> roles/challenger/templates/etc/challenger/sms-challenger.env.j2 | 0
7 files changed, 167 insertions(+), 5 deletions(-)

diff --git a/playbooks/test-secrets.yml b/playbooks/test-secrets.yml
@@ -12,5 +12,10 @@ LIBEUFIN_NEXUS_EBICS_SYSTEM_ID = PFC00664
 # Authorization token for the telesign SMS service
 SMS_CHALLENGER_TELESIGN_AUTH_TOKEN = my-auth-token
 
+# Authorization data for the pingen postal service
+POSTAL_CHALLENGER_PINGEN_CLIENT_ID = myid
+POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET = mysecret
+POSTAL_CHALLENGER_PINGEN_ORG_ID = orgid
+
 # KYCaid access token
 EXCHANGE_KYCAID_ACCESS_TOKEN = FIXME
diff --git a/roles/challenger/files/etc/systemd/system/email-challenger-httpd.service b/roles/challenger/files/etc/systemd/system/email-challenger-httpd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Email Challenger backend
+
+[Service]
+User=challenger-httpd
+Group=challenger-email
+Type=simple
+Restart=always
+RestartMode=direct
+RestartSec=1s
+RestartPreventExitStatus=2 3 4 5 6 9
+RuntimeMaxSec=3600s
+ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/email-challenger.conf -L INFO
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/challenger/files/etc/systemd/system/postal-challenger-httpd.service b/roles/challenger/files/etc/systemd/system/postal-challenger-httpd.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Postal challenger backend
+
+[Service]
+User=challenger-httpd
+Group=challenger-postal
+Type=simple
+Restart=always
+RestartMode=direct
+RestartSec=1s
+RestartPreventExitStatus=2 3 4 5 6 9
+RuntimeMaxSec=3600s
+ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/postal-challenger.conf -L INFO
+# Used to set the credentials for the challenger-send-post.sh script.
+EnvironmentFile=/etc/challenger/postal-challenger.env
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/challenger/files/etc/systemd/system/sms-challenger-httpd.service b/roles/challenger/files/etc/systemd/system/sms-challenger-httpd.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Challenger backend
+Description=SMS Challenger backend
 
 [Service]
 User=challenger-httpd
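Review bot: The new email-challenger-httpd.service unit has no sandboxing directives in `[Service]`, so the daemon (presumably reachable through the nginx reverse proxy this commit also configures) keeps an unrestricted view of the filesystem and may acquire new privileges if it is ever compromised; the postal-challenger-httpd.service unit in the next hunk has the same gap. Adding `NoNewPrivileges=true`, `ProtectSystem=strict` and `PrivateTmp=true` would contain it, with a `ReadWritePaths=` entry for any directory challenger-httpd must write to, which these hunks do not reveal. Whether the existing sms unit already sets such directives is not visible, since its `[Service]` body lies outside the sms hunk.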
diff --git a/roles/challenger/tasks/main.yml b/roles/challenger/tasks/main.yml
@@ -5,6 +5,18 @@
     state: stopped
     enabled: false
 
+- name: Ensure email challenger service is stopped before we upgrade
+  ansible.builtin.systemd_service:
+    name: email-challenger
+    state: stopped
+    enabled: false
+
+- name: Ensure postal challenger service is stopped before we upgrade
+  ansible.builtin.systemd_service:
+    name: postal-challenger
+    state: stopped
+    enabled: false
+
 - name: Install Challenger package
   apt:
     name:
@@ -17,6 +29,16 @@
     name: challenger-sms
     state: present
 
+- name: Ensure group "challenger-postal" exists
+  ansible.builtin.group:
+    name: challenger-postal
+    state: present
+
+- name: Ensure group "challenger-email" exists
+  ansible.builtin.group:
+    name: challenger-email
+    state: present
+
 - name: Place SMS challenger config
   ansible.builtin.template:
     src: templates/etc/challenger/challenger-sms.conf.j2
@@ -43,17 +65,17 @@
 
 - name: Setup SMS Challenger database
   shell:
-    cmd: challenger-dbconfig -c /etc/challenger/sms-challenger.conf
+    cmd: challenger-dbconfig -c /etc/challenger/sms-challenger.conf -u challenger-sms -n challenger-sms
     chdir: /tmp
 
 - name: Setup Postal Challenger database
   shell:
-    cmd: challenger-dbconfig -c /etc/challenger/postal-challenger.conf
+    cmd: challenger-dbconfig -c /etc/challenger/postal-challenger.conf -u challenger-postal -n challenger-postal
     chdir: /tmp
 
 - name: Setup email Challenger database
   shell:
-    cmd: challenger-dbconfig -c /etc/challenger/email-challenger.conf
+    cmd: challenger-dbconfig -c /etc/challenger/email-challenger.conf -u challenger-email -n challenger-email
     chdir: /tmp
 
 - name: Ensure Ansible facts directory dir exists
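Review bot: `name: email-challenger` and `name: postal-challenger` in the two new stop tasks do not match the unit files this commit adds, which are `email-challenger-httpd.service` and `postal-challenger-httpd.service`; unless an alias is defined somewhere outside this diff, systemd reports the unit as not found and the play fails before the package is even installed. The start tasks in the `@@ -103,6 +176,18 @@` hunk use the same two names. The `name:` line of the existing sms stop task is above this hunk, so whether it shares the mismatch is not visible. Use `name: email-challenger-httpd` and `name: postal-challenger-httpd` here and in the start tasks, or add `Alias=` lines to the units' `[Install]` sections.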
@@ -67,12 +89,29 @@
     # Ensures we only run when the file does not yet exist
     creates: /etc/ansible/facts.d/sms-challenger-client-secret.fact
 
+# FIXME: these 3 can probably be combined, figure out how...
 - name: sms-challenger: force ansible to regather just created fact(s)
   setup: filter='sms-challenger-client-secret'
 
+- name: email-challenger: force ansible to regather just created fact(s)
+  setup: filter='email-challenger-client-secret'
+
+- name: postal-challenger: force ansible to regather just created fact(s)
+  setup: filter='postal-challenger-client-secret'
+
 - name: Setup SMS Challenger exchange account
   shell:
-    cmd: challenger-admin -c /etc/challenger/sms-challenger.conf --quiet --add={{ ansible_local['sms-challenger-client-secret']['sms-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger-client-id.fact
+    cmd: challenger-admin -c /etc/challenger/sms-challenger.conf --quiet --add={{ ansible_local['sms-challenger-client-secret']['sms-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/sms-challenger | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger-client-id.fact
+    chdir: /tmp
+
+- name: Setup Email Challenger exchange account
+  shell:
+    cmd: challenger-admin -c /etc/challenger/email-challenger.conf --quiet --add={{ ansible_local['email-challenger-client-secret']['email-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/email-challenger | awk '{print "[email-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/email-challenger-client-id.fact
+    chdir: /tmp
+
+- name: Setup Postal Challenger exchange account
+  shell:
+    cmd: challenger-admin -c /etc/challenger/postal-challenger.conf --quiet --add={{ ansible_local['postal-challenger-client-secret']['postal-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/postal-challenger | awk '{print "[postal-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/postal-challenger-client-id.fact
     chdir: /tmp
 
 - name: Place SMS challenger exchange config
@@ -83,6 +122,22 @@
     group: challenger-sms
     mode: 0640
 
+- name: Place email challenger exchange config
+  ansible.builtin.template:
+    src: templates/etc/taler-exchange/config.d/email-challenger.conf.j2
+    dest: "/etc/taler-exchange/config.d/email-challenger.conf"
+    owner: root
+    group: challenger-email
+    mode: 0640
+
+- name: Place postal challenger exchange config
+  ansible.builtin.template:
+    src: templates/etc/taler-exchange/config.d/postal-challenger.conf.j2
+    dest: "/etc/taler-exchange/config.d/postal-challenger.conf"
+    owner: root
+    group: challenger-postal
+    mode: 0640
+
 - name: Place SMS challenger environment data
   ansible.builtin.template:
     src: templates/etc/challenger/sms-challenger.env.j2
@@ -91,11 +146,29 @@
     group: challenger-sms
     mode: 0640
 
+- name: Place postal challenger environment data
+  ansible.builtin.template:
+    src: templates/etc/challenger/postal-challenger.env.j2
+    dest: "/etc/challenger/postal-challenger.env
+    owner: root
+    group: challenger-postal
+    mode: 0640
+
 - name: Place sms-challenger systemd service file
   copy:
     src: etc/systemd/system/sms-challenger-httpd.service
     dest: "/etc/systemd/system/sms-challenger-httpd.service
 
+- name: Place postal-challenger systemd service file
+  copy:
+    src: etc/systemd/system/poastal-challenger-httpd.service
+    dest: "/etc/systemd/system/postal-challenger-httpd.service
+
+- name: Place email-challenger systemd service file
+  copy:
+    src: etc/systemd/system/email-challenger-httpd.service
+    dest: "/etc/systemd/system/email-challenger-httpd.service
+
 - name: Ensure SMS challenger service is enabled and started
   ansible.builtin.systemd_service:
     deamon_reload: true
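Review bot: The three `challenger-admin` tasks pass the client secret on the command line (`--add={{ ansible_local[...]['CLIENT_SECRET'] }}`), so it lands in Ansible's task output and in whatever log the play is run with, and is readable from the host's process list while the command runs; the sms task already had this exposure, and the commit now repeats it for email and postal. Adding `no_log: true` to each of these three tasks keeps the secret out of the play log. Separately, the two new entries `- name: email-challenger: force ansible to regather just created fact(s)` and `- name: postal-challenger: force ansible ...` copy the sms line's unquoted value with an embedded `: `, which YAML parsers reject as a mapping value in the wrong place; quoting the whole name, as in `- name: "email-challenger: force ansible to regather just created fact(s)"`, fixes all three.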
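Review bot: `src: etc/systemd/system/poastal-challenger-httpd.service` in the new copy task misspells the file this commit adds (`postal-challenger-httpd.service`), so the copy fails on the first run. In the same hunk, `dest: "/etc/challenger/postal-challenger.env`, `dest: "/etc/systemd/system/postal-challenger-httpd.service` and `dest: "/etc/systemd/system/email-challenger-httpd.service` open a double-quoted scalar that is never closed, which makes the parser continue the value into the following lines; the pre-existing sms copy task shows the same unclosed quote, and the two new nginx `dest:` lines in the `@@ -117,3 +202,33 @@` hunk repeat it. Either close the quotes or drop them, as the `dest:` lines of the exchange-config tasks in the hunk above already do.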
@@ -103,6 +176,18 @@
     state: started
     enabled: true
 
+- name: Ensure email challenger service is enabled and started
+  ansible.builtin.systemd_service:
+    name: email-challenger
+    state: started
+    enabled: true
+
+- name: Ensure postal challenger service is enabled and started
+  ansible.builtin.systemd_service:
+    name: postal-challenger
+    state: started
+    enabled: true
+
 - name: Place SMS challenger Nginx configuration
   ansible.builtin.template:
     src: templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
@@ -117,3 +202,33 @@
     dest: /etc/nginx/sites-enabled/sms-challenger-nginx.conf
     state: link
   notify: restart nginx
+
+- name: Place email challenger Nginx configuration
+  ansible.builtin.template:
+    src: templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2
+    dest: "/etc/nginx/sites-available/email-challenger-nginx.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable email challenger reverse proxy configuration
+  file:
+    src: /etc/nginx/sites-available/email-challenger-nginx.conf
+    dest: /etc/nginx/sites-enabled/email-challenger-nginx.conf
+    state: link
+  notify: restart nginx
+
+- name: Place postal challenger Nginx configuration
+  ansible.builtin.template:
+    src: templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2
+    dest: "/etc/nginx/sites-available/postal-challenger-nginx.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable postal challenger reverse proxy configuration
+  file:
+    src: /etc/nginx/sites-available/postal-challenger-nginx.conf
+    dest: /etc/nginx/sites-enabled/postal-challenger-nginx.conf
+    state: link
+  notify: restart nginx
diff --git a/roles/challenger/templates/etc/challenger/postal-challenger.env.j2 b/roles/challenger/templates/etc/challenger/postal-challenger.env.j2
@@ -0,0 +1,6 @@
+# systemd environment file for challenger-httpd
+# Provides secrets needed.
+# Set to pingen.ch auth token!
+CLIENT_ID={{ POSTAL_CHALLENGER_PINGEN_CLIENT_ID }}
+CLIENT_SECRET={{ POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET }}
+ORG_ID={{ POSTAL_CHALLENGER_PINGEN_ORG_ID }}
diff --git a/roles/challenger/templates/etc/challenger/sms-challenger.env b/roles/challenger/templates/etc/challenger/sms-challenger.env.j2
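Review bot: The header comment `# Set to pingen.ch auth token!` does not describe what the template now emits, which is three separate variables (CLIENT_ID, CLIENT_SECRET, ORG_ID); a comment such as `# Pingen API credentials: client id, client secret and organisation id` would match the content. The values are rendered unquoted, and under systemd's EnvironmentFile= rules an unquoted value containing whitespace or quote characters is not taken literally, so rendering them as `CLIENT_SECRET="{{ POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET }}"` (and likewise for the other two) is the safer form for operator-supplied secrets whose character set this template cannot control.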