ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 606bcef1bc2217913bf018a813c1dc6e66aad79e
parent dc1063d44d9a458ef9c71aca5dd14c3e12d81b2e
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sat,  1 Feb 2025 19:52:31 +0100

unified repo

Diffstat:
MREADME | 4++--
Ddeploy-tops.sh | 10----------
Adeploy.sh | 18++++++++++++++++++
Mextract-borg-key.sh | 5++++-
Mplaybooks/setup.yml | 77++++++++++-------------------------------------------------------------------
Aplaybooks/test-public.yml | 57+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aplaybooks/tops-public.yml | 57+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mtest.sh | 10++++++++--
8 files changed, 156 insertions(+), 82 deletions(-)

diff --git a/README b/README
@@ -24,7 +24,7 @@ you can pass an inventory file. See `inventories/`, and update accordingly. For example, if you are root@taler-ops.ch, you may be able to:
 ```
-$ ./deploy-tops tops
+$ ./deploy.sh tops
 ```
 For TOPS production, replace the "test" with "tops" to use the actual secrets
@@ -41,7 +41,7 @@ $ cat playbooks/tops-secrets.yml | gpg --encrypt \
 --recipient me@fdold.eu > playbooks/tops-secrets.yml.gpg
-## Setting up backups
+## Setting up backups (TOPS-only for now)
 First run:
diff --git a/deploy-tops.sh b/deploy-tops.sh
@@ -1,10 +0,0 @@
-#!/bin/sh
-set -eu
-
-if [ -z ${1:-} ]
-then
- echo "Call with 'test' or 'prod' to select which secrets to use"
- exit 1
-fi
-
-ansible-playbook --verbose --inventory inventories/tops --user root playbooks/setup.yml --extra-vars "@playbooks/$1-secrets.yml"
diff --git a/deploy.sh b/deploy.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -eu
+
+if [ -z ${1:-} ]
+then
+ echo "Call with 'test' or 'prod' to select which secrets to use"
+ exit 1
+fi
+
+ansible-playbook \
+ --verbose \
+ --inventory inventories/tops \
+ --user root \
+ playbooks/setup.yml \
+ --extra-vars "@playbooks/$1-secrets.yml" \
+ --extra-vars "@playbooks/$1-public.yml"
+
+exit 0
diff --git a/extract-borg-key.sh b/extract-borg-key.sh
@@ -2,7 +2,10 @@
 set -eu
-ansible-playbook --inventory inventories/tops --user root playbooks/borg-ssh-export.yml
+ansible-playbook \
+ --inventory inventories/tops \
+ --user root \
+ playbooks/borg-ssh-export.yml
 cat borg.pub/*/root/.ssh/borg.pub
 rm -rf borg.pub/
 exit 0
diff --git a/playbooks/setup.yml b/playbooks/setup.yml
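Review bot: `if [ -z ${1:-} ]` in the new deploy.sh leaves the expansion unquoted, so an argument containing whitespace becomes several words for `[` and the guard dies with a "too many arguments" error instead of the intended message; it should read `if [ -z "${1:-}" ]`. The message still offers 'test' or 'prod', while the only profiles this commit adds are test-public.yml and tops-public.yml, and `$1` is otherwise interpolated unchecked into `@playbooks/$1-secrets.yml` and `@playbooks/$1-public.yml`; a whitelist such as `case "${1:-}" in test|tops) ;; *) echo "Call with 'test' or 'tops' to select which secrets to use"; exit 1 ;; esac` fixes both at once. With two `--extra-vars` files the later one wins on a duplicate key, so a variable accidentally present in both the secrets file and the public file resolves silently to the public value; passing the public file first and the secrets file last makes the override direction the safer one. The same ordering appears in the test.sh hunk of this commit.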
@@ -2,70 +2,13 @@
 - name: Deploy GNU Taler
 hosts: all
 roles:
- - common_packages
- - ansible-pull
- - webserver
- - database
- - libeufin-nexus
- - challenger
- - exchange
- - challenger
- - auditor
- - monitoring
-# Note that we ONLY define those variables here that are NOT
-# secrets. For secrets, test-secrets.yml contains a template.
- vars:
-# Main domain name.
- DOMAIN_NAME: "taler-ops.ch"
-# Use nightly Taler distro (true/false).
- USE_NIGHTLY: true
-# Deploy EBICS configuration (true/false).
- use_ebics: false
-# Our currency.
- CURRENCY: CHF
-# Smallest unit of the currency for wire transfers.
- CURRENCY_ROUND_UNIT: "CHF:0.01"
-# Base URL of the exchange REST API
- EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/"
-# Base URL of the auditor REST API
- AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/"
-# Exchange offline master public key.
- EXCHANGE_MASTER_PUB: W91R2NPHGP9TD36EXCAWNTW63QHEED4P12SNTKPE1WD5YM6MVA40
-# Auditor offline public key.
- AUDITOR_PUB: P6B7ZS7Y1Y12S0VP0PAJ1GQGSHW8RE4NSBTP8PR254J18SK24MH0
-# URL with merchants accepting this exchange.
- EXCHANGE_SHOPPING_URL: "https://shops.taler-ops.ch/"
-# Name of Terms of service resource file
- EXCHANGE_TERMS_ETAG: "exchange-tos-v0"
-# Name of Privacy policy resource file
- EXCHANGE_PP_ETAG: "exchange-pp-v0"
-# Full BIC of exchange account
- EXCHANGE_BANK_ACCOUNT_BIC: "MAEBCHZZ"
-# Full Payto URI of exchange account (for credit and debit)
- EXCHANGE_BANK_ACCOUNT_IBAN: "CH6808573105529100001"
-# Full Payto URI of exchange account (for credit and debit)
- EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=Taler+Operations+AG"
-# Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
- LIBEUFIN_PORT: 8082
-# Name of the exchange account at libeufin-nexus
- LIBEUFIN_EXCHANGE_ACCOUNT: "exchange"
-# Name of the bank dialect
- LIBEUFIN_NEXUS_BANK_DIALECT: "maerki_baumann"
-# SPA dialect (tops, gls, magnet, ...)
- EXCHANGE_SPA_DIALECT: "tops"
-# Business name of the exchange operator
- EXCHANGE_OPERATOR_LEGAL_NAME: "Taler Operations AG"
-# Where to send people after they passed KYC.
- KYC_THANK_YOU_URL: https://taler-ops.ch/thank-you-kyc
-# Template to use for identification of individuals with KYCAID
- KYCAID_TEMPLATE_INDIVIDUAL: tmpl_xxx
-# Template to use for identification of businesses with KYCAID
- KYCAID_TEMPLATE_BUSINESS: tmpl_xxx
-# Regex specifying allowed phone numbers for the SMS check
- EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: \+41[0-9]+
-# Limit to lift for withdraw upon SMS registration
- EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD: CHF:200
-# Limit to lift for merge upon SMS registration
- EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD: CHF:0
-# Regex specifying allowed country names for the postal address check
- EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"
+ - role: common_packages
+ - role: ansible-pull
+ - role: webserver
+ - role: database
+ - role: libeufin-nexus
+ - role: challenger
+ when: DEPLOY_CHALLENGER | bool
+ - role: exchange
+ - role: auditor
+ - role: monitoring
diff --git a/playbooks/test-public.yml b/playbooks/test-public.yml
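Review bot: `when: DEPLOY_CHALLENGER | bool` on the challenger role aborts the whole play with an undefined-variable error whenever the `-public.yml` extra-vars file is not passed, because the `vars:` block that used to hold in-play defaults is gone and nothing else in the hunk defines the variable; `when: DEPLOY_CHALLENGER | default(false) | bool` keeps the role off unless a profile opts in. The other former defaults (DOMAIN_NAME, CURRENCY, EXCHANGE_MASTER_PUB, ...) have likewise become mandatory extra vars, which is reasonable but deserves a comment above `roles:` so an operator running the playbook by hand knows where they come from, e.g. `# All non-secret settings come from playbooks/<profile>-public.yml and secrets from playbooks/<profile>-secrets.yml, both passed via --extra-vars (see deploy.sh).` Any remainder of the play after the roles list is outside the hunk.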
@@ -0,0 +1,57 @@
+# Public variables for a "test" deployment
+# Deploy challenger?
+DEPLOY_CHALLENGER: true
+# Main domain name.
+DOMAIN_NAME: "taler-ops.ch"
+# Use nightly Taler distro (true/false).
+USE_NIGHTLY: true
+# Deploy EBICS configuration (true/false).
+use_ebics: false
+# Our currency.
+CURRENCY: CHF
+# Smallest unit of the currency for wire transfers.
+CURRENCY_ROUND_UNIT: "CHF:0.01"
+# Base URL of the exchange REST API
+EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/"
+# Base URL of the auditor REST API
+AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/"
+# Exchange offline master public key.
+EXCHANGE_MASTER_PUB: W91R2NPHGP9TD36EXCAWNTW63QHEED4P12SNTKPE1WD5YM6MVA40
+# Auditor offline public key.
+AUDITOR_PUB: P6B7ZS7Y1Y12S0VP0PAJ1GQGSHW8RE4NSBTP8PR254J18SK24MH0
+# URL with merchants accepting this exchange.
+EXCHANGE_SHOPPING_URL: "https://shops.taler-ops.ch/"
+# Name of Terms of service resource file
+EXCHANGE_TERMS_ETAG: "exchange-tos-v0"
+# Name of Privacy policy resource file
+EXCHANGE_PP_ETAG: "exchange-pp-v0"
+# Full BIC of exchange account
+EXCHANGE_BANK_ACCOUNT_BIC: "MAEBCHZZ"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_IBAN: "CH6808573105529100001"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=Taler+Operations+AG"
+# Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
+LIBEUFIN_PORT: 8082
+# Name of the exchange account at libeufin-nexus
+LIBEUFIN_EXCHANGE_ACCOUNT: "exchange"
+# Name of the bank dialect
+LIBEUFIN_NEXUS_BANK_DIALECT: "maerki_baumann"
+# SPA dialect (tops, gls, magnet, ...)
+EXCHANGE_SPA_DIALECT: "tops"
+# Business name of the exchange operator
+EXCHANGE_OPERATOR_LEGAL_NAME: "Taler Operations AG"
+# Where to send people after they passed KYC.
+KYC_THANK_YOU_URL: https://taler-ops.ch/thank-you-kyc
+# Template to use for identification of individuals with KYCAID
+KYCAID_TEMPLATE_INDIVIDUAL: tmpl_xxx
+# Template to use for identification of businesses with KYCAID
+KYCAID_TEMPLATE_BUSINESS: tmpl_xxx
+# Regex specifying allowed phone numbers for the SMS check
+EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: \+41[0-9]+
+# Limit to lift for withdraw upon SMS registration
+EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD: CHF:200
+# Limit to lift for merge upon SMS registration
+EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD: CHF:0
+# Regex specifying allowed country names for the postal address check
+EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"
diff --git a/playbooks/tops-public.yml b/playbooks/tops-public.yml
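Review bot: test-public.yml is a line-for-line copy of tops-public.yml apart from the first comment, so the "test" profile carries the production DOMAIN_NAME, EXCHANGE_MASTER_PUB, AUDITOR_PUB and EXCHANGE_BANK_ACCOUNT_IBAN and the two files will drift the first time one is edited. If the profiles are meant to share all public values, a single shared file (or a test file that overrides only what differs) is the safer shape; if a test exchange is meant to have its own keys and account, the test copy should not start out with the production ones. The AML allow-list patterns `EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: \+41[0-9]+` and `EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"` are unanchored; should the consuming AML program apply them with search rather than full-match semantics, "Chile" or "China" would pass the country check, so writing them as `"^(CH|Ch|ch)$"` and `"^\\+41[0-9]+$"` removes the ambiguity at no cost. While here, `CHF:200` and `CHF:0` rely on the plain-scalar colon rule and would be clearer quoted like `CURRENCY_ROUND_UNIT`. All of this applies equally to tops-public.yml in this commit.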
@@ -0,0 +1,57 @@
+# Public variables for the Taler Operations AG (TOPS) deployment
+# Deploy challenger?
+DEPLOY_CHALLENGER: true
+# Main domain name.
+DOMAIN_NAME: "taler-ops.ch"
+# Use nightly Taler distro (true/false).
+USE_NIGHTLY: true
+# Deploy EBICS configuration (true/false).
+use_ebics: false
+# Our currency.
+CURRENCY: CHF
+# Smallest unit of the currency for wire transfers.
+CURRENCY_ROUND_UNIT: "CHF:0.01"
+# Base URL of the exchange REST API
+EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/"
+# Base URL of the auditor REST API
+AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/"
+# Exchange offline master public key.
+EXCHANGE_MASTER_PUB: W91R2NPHGP9TD36EXCAWNTW63QHEED4P12SNTKPE1WD5YM6MVA40
+# Auditor offline public key.
+AUDITOR_PUB: P6B7ZS7Y1Y12S0VP0PAJ1GQGSHW8RE4NSBTP8PR254J18SK24MH0
+# URL with merchants accepting this exchange.
+EXCHANGE_SHOPPING_URL: "https://shops.taler-ops.ch/"
+# Name of Terms of service resource file
+EXCHANGE_TERMS_ETAG: "exchange-tos-v0"
+# Name of Privacy policy resource file
+EXCHANGE_PP_ETAG: "exchange-pp-v0"
+# Full BIC of exchange account
+EXCHANGE_BANK_ACCOUNT_BIC: "MAEBCHZZ"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_IBAN: "CH6808573105529100001"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=Taler+Operations+AG"
+# Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
+LIBEUFIN_PORT: 8082
+# Name of the exchange account at libeufin-nexus
+LIBEUFIN_EXCHANGE_ACCOUNT: "exchange"
+# Name of the bank dialect
+LIBEUFIN_NEXUS_BANK_DIALECT: "maerki_baumann"
+# SPA dialect (tops, gls, magnet, ...)
+EXCHANGE_SPA_DIALECT: "tops"
+# Business name of the exchange operator
+EXCHANGE_OPERATOR_LEGAL_NAME: "Taler Operations AG"
+# Where to send people after they passed KYC.
+KYC_THANK_YOU_URL: https://taler-ops.ch/thank-you-kyc
+# Template to use for identification of individuals with KYCAID
+KYCAID_TEMPLATE_INDIVIDUAL: tmpl_xxx
+# Template to use for identification of businesses with KYCAID
+KYCAID_TEMPLATE_BUSINESS: tmpl_xxx
+# Regex specifying allowed phone numbers for the SMS check
+EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: \+41[0-9]+
+# Limit to lift for withdraw upon SMS registration
+EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD: CHF:200
+# Limit to lift for merge upon SMS registration
+EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD: CHF:0
+# Regex specifying allowed country names for the postal address check
+EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"
diff --git a/test.sh b/test.sh
@@ -10,7 +10,7 @@ podman run \
 --name ansible-taler-test \
 -p 127.0.0.1:8022:22 \
 --systemd=always \
- -d localhost/ansible-taler-test sh -c "exec /usr/sbin/init --show-status"
+ -d localhost/ansible-taler-test sh -c "exec /usr/sbin/init --show-status"
 # Print to log that container is running
 podman ps
@@ -20,4 +20,10 @@ ssh-keygen -f "$HOME/.ssh/known_hosts" -R "[127.0.0.1]:8022"
 # Run our playbook(s)
 # NOTE: Trailing comma is correct (and required) in agument for -i flag
-ansible-playbook --verbose -i 127.0.0.1:8022, --user root playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml"
+ansible-playbook \
+ --verbose \
+ -i 127.0.0.1:8022, \
+ --user root \
+ playbooks/setup.yml \
+ --extra-vars "@playbooks/test-secrets.yml" \
+ --extra-vars "@playbooks/test-public.yml"