ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 622740a190ac2aa8b3ee614079efeed92f3e9fd6
parent 9c4e3f3ba3e26a56d04739f34ec04f1aa0d8c34e
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun, 24 Nov 2024 16:05:12 +0100

misc playbook fixes

Diffstat:
Mplaybooks/setup.yml | 23++++++++++++++---------
Mroles/challenger/files/etc/systemd/system/email-challenger-httpd.service | 2+-
Mroles/challenger/files/etc/systemd/system/postal-challenger-httpd.service | 4++--
Mroles/challenger/files/etc/systemd/system/sms-challenger-httpd.service | 2+-
Mroles/challenger/tasks/main.yml | 133++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------
Rroles/challenger/templates/etc/challenger/email-challenger.conf.j2 -> roles/challenger/templates/etc/challenger/challenger-email.conf.j2 | 0
Rroles/challenger/templates/etc/challenger/postal-challenger.conf.j2 -> roles/challenger/templates/etc/challenger/challenger-postal.conf.j2 | 0
Rroles/challenger/templates/etc/challenger/sms-challenger.conf.j2 -> roles/challenger/templates/etc/challenger/challenger-sms.conf.j2 | 0
Aroles/challenger/templates/etc/taler-exchange/config.d/challenger-email.conf.j2 | 13+++++++++++++
Aroles/challenger/templates/etc/taler-exchange/config.d/challenger-postal.conf.j2 | 13+++++++++++++
Aroles/challenger/templates/etc/taler-exchange/config.d/challenger-sms.conf.j2 | 13+++++++++++++
Droles/challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2 | 13-------------
Mroles/exchange/tasks/main.yml | 12+++++++++++-
Mroles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2 | 2+-
Rroles/exchange/templates/etc/taler-exchange/secrets/exchange-kyc-providers.conf.j2 -> roles/exchange/templates/etc/taler-exchange/secrets/exchange-kyc-providers.secret.conf.j2 | 0
Mroles/libeufin-nexus/tasks/main.yml | 27+++++++++++++++++++++------
Aroles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus-ebics.conf.j2 | 29+++++++++++++++++++++++++++++
Mroles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2 | 33++++-----------------------------
18 files changed, 204 insertions(+), 115 deletions(-)

diff --git a/playbooks/setup.yml b/playbooks/setup.yml
@@ -2,18 +2,21 @@
- name: Deploy GNU Taler
hosts: all
roles:
- - common_packages
- - ansible-pull
- - webserver
- - database
- - libeufin-nexus
- - exchange
+# - common_packages
+# - ansible-pull
+# - webserver
+# - database
+# - libeufin-nexus
+ - challenger
+# - exchange
- auditor
# Note that we ONLY define those variables here that are NOT
# secrets. For secrets, test-secrets.yml contains a template.
vars:
# Use nightly Taler distro (true/false).
USE_NIGHTLY: false
+# Use nightly Taler distro (true/false).
+ use_ebics: false
# Our currency.
CURRENCY: CHF
# Smallest unit of the currency for wire transfers.
@@ -21,9 +24,9 @@
# Main domain name.
DOMAIN_NAME: "taler-ops.ch"
# Base URL of the exchange REST API
- EXCHANGE_BASE_URL: "https://exchange.{{ $DOMAIN_NAME }}/"
+ EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/"
# Base URL of the auditor REST API
- AUDITOR_BASE_URL: "https://auditor.{{ $DOMAIN_NAME }}/"
+ AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/"
# Exchange offline master public key.
EXCHANGE_MASTER_PUB:
# Auditor offline public key.
@@ -32,7 +35,7 @@
EXCHANGE_TERMS_ETAG: "exchange-tos-v0"
# Name of Privacy policy resource file
EXCHANGE_PP_ETAG: "exchange-pp-v0"
-# Full Payto URI of exchange account (for credit and debit)
+# Full BIC of exchange account
EXCHANGE_BANK_ACCOUNT_BIC: "POFICHBEXXX"
# Full Payto URI of exchange account (for credit and debit)
EXCHANGE_BANK_ACCOUNT_IBAN: "CH9889144237951612671"
@@ -58,3 +61,5 @@
EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD: CHF:200
# Limit to lift for merge upon SMS registration
EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD: CHF:0
+# Regex specifying allowed country names for the postal address check
+ EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|Switzerland|[Die ]Schweiz|[La ]Suisse"
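Review bot: The new `use_ebics: false` entry reuses the comment of the line above it, `# Use nightly Taler distro (true/false).`, which is wrong for this variable; suggest `# Use EBICS for bank communication via libeufin-nexus (true/false).`. It is also the only lower-case name in a block of UPPER_CASE variables, which makes it easy to miss when grepping for settings. Separately, the roles list now has `common_packages`, `ansible-pull`, `webserver`, `database`, `libeufin-nexus` and `exchange` commented out with only `challenger` and `auditor` active, so this playbook no longer deploys the exchange it is named for; if that is a temporary debugging state it should not land in the production playbook.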
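Review bot: The regex in `EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX` does not express what its comment promises: `[Die ]Schweiz` and `[La ]Suisse` are character classes (one of `D`, `i`, `e`, space), not an optional `Die `/`La ` prefix, and the alternatives are unanchored, so `Ch` also accepts `Chad`, `Chile` or `China` unless the consuming AML program anchors the pattern itself. Since this value gates which postal addresses pass the country check, an over-permissive match weakens the KYC control. Suggest `EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "^(CH|Ch|Switzerland|(Die )?Schweiz|(La )?Suisse)$"`, and if case-insensitive matching is available the `Ch` alternative can go.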
diff --git a/roles/challenger/files/etc/systemd/system/email-challenger-httpd.service b/roles/challenger/files/etc/systemd/system/email-challenger-httpd.service
@@ -10,7 +10,7 @@ RestartMode=direct
RestartSec=1s
RestartPreventExitStatus=2 3 4 5 6 9
RuntimeMaxSec=3600s
-ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/email-challenger.conf -L INFO
+ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/challenger-email.conf -L INFO
[Install]
diff --git a/roles/challenger/files/etc/systemd/system/postal-challenger-httpd.service b/roles/challenger/files/etc/systemd/system/postal-challenger-httpd.service
@@ -1,5 +1,5 @@
[Unit]
-Description=Postal challenger backend
+Description=Postal Challenger backend
[Service]
User=challenger-httpd
@@ -10,7 +10,7 @@ RestartMode=direct
RestartSec=1s
RestartPreventExitStatus=2 3 4 5 6 9
RuntimeMaxSec=3600s
-ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/postal-challenger.conf -L INFO
+ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/challenger-postal.conf -L INFO
# Used to set the credentials for the challenger-send-post.sh script.
EnvironmentFile=/etc/challenger/postal-challenger.env
diff --git a/roles/challenger/files/etc/systemd/system/sms-challenger-httpd.service b/roles/challenger/files/etc/systemd/system/sms-challenger-httpd.service
@@ -10,7 +10,7 @@ RestartMode=direct
RestartSec=1s
RestartPreventExitStatus=2 3 4 5 6 9
RuntimeMaxSec=3600s
-ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/sms-challenger.conf -L INFO
+ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/challenger-sms.conf -L INFO
# Used to set the AUTH_TOKEN for the challenger-send-sms.sh script.
EnvironmentFile=/etc/challenger/sms-challenger.env
diff --git a/roles/challenger/tasks/main.yml b/roles/challenger/tasks/main.yml
@@ -1,26 +1,32 @@
---
+- name: Populate service facts
+ service_facts:
+
- name: Ensure SMS challenger service is stopped before we upgrade
ansible.builtin.systemd_service:
name: sms-challenger
state: stopped
enabled: false
+ when: "'SMS Challenger backend' in services"
- name: Ensure email challenger service is stopped before we upgrade
ansible.builtin.systemd_service:
name: email-challenger
state: stopped
enabled: false
+ when: "'Email Challenger backend' in services"
- name: Ensure postal challenger service is stopped before we upgrade
ansible.builtin.systemd_service:
name: postal-challenger
state: stopped
enabled: false
+ when: "'Postal Challenger backend' in services"
- name: Install Challenger package
apt:
name:
- - challenger
+ - challenger-httpd
state: latest
when: ansible_os_family == 'Debian'
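Review bot: The new `when: "'SMS Challenger backend' in services"` guards (and the email/postal equivalents) compare a unit *description* against the `services` fact, but `service_facts` keys `services` by unit name (e.g. `foo.service`), so these conditions are always false and the stop-before-upgrade tasks are now skipped on every run. The unit files in this role are `sms-challenger-httpd.service` etc. while the `systemd_service` tasks still target `sms-challenger`; unless a separate `sms-challenger` unit exists outside this diff, the same name should be used in both places, e.g. `when: "'sms-challenger-httpd.service' in services"` together with `name: sms-challenger-httpd`. The capitalisation change in `postal-challenger-httpd.service`'s `Description=` suggests matching on the description was the intent; if so that needs a lookup over `services.values()` rather than the dict keys.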
@@ -39,6 +45,33 @@
name: challenger-email
state: present
+- name: Ensure Ansible facts directory exists
+ file:
+ path: "/etc/ansible/facts.d/"
+ state: directory
+
+- name: sms-challenger access secret setup
+ ansible.builtin.shell:
+ cmd: echo "[sms-challenger]\nCLIENT_SECRET=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/sms-challenger-client-secret.fact
+ creates: /etc/ansible/facts.d/sms-challenger-client-secret.fact
+
+- name: email-challenger access secret setup
+ ansible.builtin.shell:
+ cmd: echo "[email-challenger]\nCLIENT_SECRET=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/email-challenger-client-secret.fact
+ creates: /etc/ansible/facts.d/email-challenger-client-secret.fact
+
+- name: postal-challenger access secret setup
+ ansible.builtin.shell:
+ cmd: echo "[postal-challenger]\nCLIENT_SECRET=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/postal-challenger-client-secret.fact
+ creates: /etc/ansible/facts.d/postal-challenger-client-secret.fact
+
+- name: sms-challenger force ansible to regather just created fact(s)
+ ansible.builtin.setup:
+ filter:
+ - 'sms-challenger-client-secret'
+ - 'email-challenger-client-secret'
+ - 'postal-challenger-client-secret'
+
- name: Place SMS challenger config
ansible.builtin.template:
src: templates/etc/challenger/challenger-sms.conf.j2
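Review bot: The three `access secret setup` tasks write an OAuth2 client secret into `/etc/ansible/facts.d/*.fact` via a plain shell redirect, so the file gets whatever mode the umask yields (typically 0644, world-readable on the host) and the secret then flows into Ansible's fact output, logs and any configured fact cache. Suggest creating the file under a restrictive umask and marking each task `no_log: true`, e.g. `cmd: umask 077; printf '[sms-challenger]\nCLIENT_SECRET=%s\n' "$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/sms-challenger-client-secret.fact`. Using `printf` also removes the dependency on `/bin/sh`'s `echo` expanding `\n` — the `-e` flag was dropped in this change, which works with dash but not where sh is bash. The regather task at the end of the hunk is still named after sms only although it now covers all three facts.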
@@ -48,108 +81,104 @@
mode: 0640
- name: Place Postal challenger config
- copy:
- src: etc/challenger/challenger-postal.conf
+ ansible.builtin.template:
+ src: templates/etc/challenger/challenger-postal.conf.j2
dest: "/etc/challenger/challenger-postal.conf"
owner: root
group: challenger-postal
mode: 0640
- name: Place email challenger config
- copy:
- src: etc/challenger/challenger-email.conf
+ ansible.builtin.template:
+ src: templates/etc/challenger/challenger-email.conf.j2
dest: "/etc/challenger/challenger-email.conf"
owner: root
group: challenger-email
mode: 0640
+- name: Place SMS challenger environment data
+ ansible.builtin.template:
+ src: templates/etc/challenger/sms-challenger.env.j2
+ dest: /etc/challenger/sms-challenger.env
+ owner: root
+ group: challenger-sms
+ mode: 0640
+
+- name: Place postal challenger environment data
+ ansible.builtin.template:
+ src: templates/etc/challenger/postal-challenger.env.j2
+ dest: /etc/challenger/postal-challenger.env
+ owner: root
+ group: challenger-postal
+ mode: 0640
+
- name: Setup SMS Challenger database
shell:
- cmd: challenger-dbconfig -c /etc/challenger/sms-challenger.conf -u challenger-sms -n challenger-sms
+ cmd: challenger-dbconfig -c /etc/challenger/challenger-sms.conf -u challenger-sms -n challenger-sms
chdir: /tmp
- name: Setup Postal Challenger database
shell:
- cmd: challenger-dbconfig -c /etc/challenger/postal-challenger.conf -u challenger-postal -n challenger-postal
+ cmd: challenger-dbconfig -c /etc/challenger/challenger-postal.conf -u challenger-postal -n challenger-postal
chdir: /tmp
- name: Setup email Challenger database
shell:
- cmd: challenger-dbconfig -c /etc/challenger/email-challenger.conf -u challenger-email -n challenger-email
+ cmd: challenger-dbconfig -c /etc/challenger/challenger-email.conf -u challenger-email -n challenger-email
chdir: /tmp
-- name: Ensure Ansible facts directory dir exists
- file:
- path: "/etc/ansible/facts.d/"
- state: directory
-
-- name: sms-challenger access secret setup
- command: echo -e "[sms-challenger]\nCLIENT_SECRET=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/sms-challenger-client-secret.fact
- args:
-# Ensures we only run when the file does not yet exist
- creates: /etc/ansible/facts.d/sms-challenger-client-secret.fact
-
-# FIXME: these 3 can probably be combined, figure out how...
- name: sms-challenger force ansible to regather just created fact(s)
- setup: filter='sms-challenger-client-secret'
- - name: email-challenger force ansible to regather just created fact(s)
- setup: filter='email-challenger-client-secret'
- - name: postal-challenger force ansible to regather just created fact(s)
- setup: filter='postal-challenger-client-secret'
+ ansible.builtin.setup:
+ filter:
+ - 'sms-challenger-client-secret'
+ - 'email-challenger-client-secret'
+ - 'postal-challenger-client-secret'
- name: Setup SMS Challenger exchange account
shell:
- cmd: challenger-admin -c /etc/challenger/sms-challenger.conf --quiet --add={{ ansible_local['sms-challenger-client-secret']['sms-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/sms-challenger | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger-client-id.fact
+ cmd: challenger-admin -c /etc/challenger/challenger-sms.conf --quiet --add={{ ansible_facts['ansible_local']['sms-challenger-client-secret']['sms-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/sms-challenger | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger-client-id.fact
chdir: /tmp
+ creates: /etc/ansible/facts.d/sms-challenger-client-id.fact
- name: Setup Email Challenger exchange account
shell:
- cmd: challenger-admin -c /etc/challenger/email-challenger.conf --quiet --add={{ ansible_local['email-challenger-client-secret']['email-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/email-challenger | awk '{print "[email-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/email-challenger-client-id.fact
+ cmd: challenger-admin -c /etc/challenger/challenger-email.conf --quiet --add={{ ansible_facts['ansible_local']['email-challenger-client-secret']['email-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/email-challenger | awk '{print "[email-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/email-challenger-client-id.fact
chdir: /tmp
+ creates: /etc/ansible/facts.d/email-challenger-client-id.fact
- name: Setup Postal Challenger exchange account
shell:
- cmd: challenger-admin -c /etc/challenger/postal-challenger.conf --quiet --add={{ ansible_local['postal-challenger-client-secret']['postal-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/postal-challenger | awk '{print "[postal-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/postal-challenger-client-id.fact
+ cmd: challenger-admin -c /etc/challenger/challenger-postal.conf --quiet --add={{ ansible_facts['ansible_local']['postal-challenger-client-secret']['postal-challenger']['client_secret'] }} {{ EXCHANGE_BASE_URL }}kyc-proof/postal-challenger | awk '{print "[postal-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/postal-challenger-client-id.fact
chdir: /tmp
+ creates: /etc/ansible/facts.d/postal-challenger-client-id.fact
+
+- name: sms-challenger force ansible to regather just created fact(s)
+ ansible.builtin.setup:
+ filter:
+ - 'sms-challenger-client-id'
+ - 'email-challenger-client-id'
+ - 'postal-challenger-client-id'
- name: Place SMS challenger exchange config
ansible.builtin.template:
- src: templates/etc/taler-exchange/config.d/sms-challenger.conf.j2
- dest: /etc/taler-exchange/config.d/sms-challenger.conf
+ src: templates/etc/taler-exchange/config.d/challenger-sms.conf.j2
+ dest: /etc/taler-exchange/config.d/challenger-sms.conf
owner: root
group: challenger-sms
mode: 0640
- name: Place email challenger exchange config
ansible.builtin.template:
- src: templates/etc/taler-exchange/config.d/email-challenger.conf.j2
- dest: /etc/taler-exchange/config.d/email-challenger.conf
+ src: templates/etc/taler-exchange/config.d/challenger-email.conf.j2
+ dest: /etc/taler-exchange/config.d/challenger-email.conf
owner: root
group: challenger-email
mode: 0640
- name: Place postal challenger exchange config
ansible.builtin.template:
- src: templates/etc/taler-exchange/config.d/postal-challenger.conf.j2
- dest: /etc/taler-exchange/config.d/postal-challenger.conf
- owner: root
- group: challenger-postal
- mode: 0640
-
-- name: Place SMS challenger environment data
- ansible.builtin.template:
- src: templates/etc/challenger/sms-challenger.env.j2
- dest: /etc/challenger/sms-challenger.env
- owner: root
- group: challenger-sms
- mode: 0640
-
-- name: Place postal challenger environment data
- ansible.builtin.template:
- src: templates/etc/challenger/postal-challenger.env.j2
- dest: /etc/challenger/postal-challenger.env
+ src: templates/etc/taler-exchange/config.d/challenger-postal.conf.j2
+ dest: /etc/taler-exchange/config.d/challenger-postal.conf
owner: root
group: challenger-postal
mode: 0640
diff --git a/roles/challenger/templates/etc/challenger/email-challenger.conf.j2 b/roles/challenger/templates/etc/challenger/challenger-email.conf.j2
diff --git a/roles/challenger/templates/etc/challenger/postal-challenger.conf.j2 b/roles/challenger/templates/etc/challenger/challenger-postal.conf.j2
diff --git a/roles/challenger/templates/etc/challenger/sms-challenger.conf.j2 b/roles/challenger/templates/etc/challenger/challenger-sms.conf.j2
diff --git a/roles/challenger/templates/etc/taler-exchange/config.d/challenger-email.conf.j2 b/roles/challenger/templates/etc/taler-exchange/config.d/challenger-email.conf.j2
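Review bot: The three `Setup … Challenger exchange account` tasks pass the client secret on the `challenger-admin` command line via `--add={{ … client_secret }}`, and none of the tasks in this hunk that handle secrets set `no_log: true`, so the secret is visible in `ps` on the host and in Ansible's verbose/log output on the controller. Add `no_log: true` to those three tasks and to the template tasks that render the `challenger-*.conf` files, which embed the same secret. The `Place … challenger exchange config` tasks also write the exchange-side provider config under `/etc/taler-exchange/config.d/` with `group: challenger-sms` (resp. `-email`, `-postal`), i.e. the challenger's group rather than the exchange's, so the process that actually needs to read it (taler-exchange-httpd) is presumably not granted access while the challenger is — verify the group the exchange runs under and use that. Finally, if I read the `setup` module's `filter` semantics correctly it matches top-level fact names, so `filter: - 'sms-challenger-client-id'` regathers nothing and `filter: ansible_local` is what refreshes facts.d entries.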
@@ -0,0 +1,13 @@
+[kyc-provider-email-challenger]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2 years
+KYC_OAUTH2_AUTHORIZE_URL = https://email.challenger.{{ DOMAIN_NAME }}/authorize#setup
+KYC_OAUTH2_TOKEN_URL = https://email.challenger.{{ DOMAIN_NAME }}/token
+KYC_OAUTH2_INFO_URL = https://email.challenger.{{ DOMAIN_NAME }}/info
+KYC_OAUTH2_CLIENT_ID = {{ ansible_facts['ansible_local']['email-challenger-client-id']['email-challenger']['client_id'] }}
+KYC_OAUTH2_CLIENT_SECRET = {{ ansible_facts['ansible_local']['email-challenger-client-secret']['email-challenger']['client_secret'] }}
+KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }}
+# FIXME: check this is OK...
+KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat
+# FIXME: change in production?
+KYC_OAUTH2_DEBUG_MODE = YES
diff --git a/roles/challenger/templates/etc/taler-exchange/config.d/challenger-postal.conf.j2 b/roles/challenger/templates/etc/taler-exchange/config.d/challenger-postal.conf.j2
@@ -0,0 +1,13 @@
+[kyc-provider-postal-challenger]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2 years
+KYC_OAUTH2_AUTHORIZE_URL = https://postal.challenger.{{ DOMAIN_NAME }}/authorize#setup
+KYC_OAUTH2_TOKEN_URL = https://postal.challenger.{{ DOMAIN_NAME }}/token
+KYC_OAUTH2_INFO_URL = https://postal.challenger.{{ DOMAIN_NAME }}/info
+KYC_OAUTH2_CLIENT_ID = {{ ansible_facts['ansible_local']['postal-challenger-client-id']['postal-challenger']['client_id'] }}
+KYC_OAUTH2_CLIENT_SECRET = {{ ansible_facts['ansible_local']['postal-challenger-client-secret']['postal-challenger']['client_secret'] }}
+KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }}
+# FIXME: check this is OK...
+KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat
+# FIXME: change in production?
+KYC_OAUTH2_DEBUG_MODE = YES
diff --git a/roles/challenger/templates/etc/taler-exchange/config.d/challenger-sms.conf.j2 b/roles/challenger/templates/etc/taler-exchange/config.d/challenger-sms.conf.j2
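Review bot: `KYC_OAUTH2_DEBUG_MODE = YES` is shipped to the exchange with a `# FIXME: change in production?` comment, in a repository that describes itself as a production deployment; a debug mode in KYC provider logic typically logs or relaxes more than a production path should, so it ought to default off and be enabled per environment rather than hard-coded on. Suggest `KYC_OAUTH2_DEBUG_MODE = {{ KYC_OAUTH2_DEBUG_MODE | default('NO') }}` with the variable documented in setup.yml. The unresolved `KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat` FIXME, which the email, postal and sms templates all carry, should likewise be settled before this is used for real customers.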
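Review bot: This template renders `KYC_OAUTH2_CLIENT_SECRET` into `/etc/taler-exchange/config.d/challenger-postal.conf`, whereas the exchange role keeps credential-bearing fragments under `/etc/taler-exchange/secrets/` with a `.secret.conf` suffix — this very commit renames `exchange-kyc-providers.conf.j2` to `exchange-kyc-providers.secret.conf.j2` for that reason. Putting a client secret next to non-sensitive configuration in `config.d` undermines that separation and makes it easy to copy or commit the file without noticing. Suggest `dest: /etc/taler-exchange/secrets/challenger-postal.secret.conf` (and the same for the email and sms variants), or splitting only the `KYC_OAUTH2_CLIENT_SECRET` line out into a `@inline-secret@` fragment.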
@@ -0,0 +1,13 @@
+[kyc-provider-sms-challenger]
+LOGIC = oauth2
+KYC_OAUTH2_VALIDITY = 2 years
+KYC_OAUTH2_AUTHORIZE_URL = https://sms.challenger.{{ DOMAIN_NAME }}/authorize#setup
+KYC_OAUTH2_TOKEN_URL = https://sms.challenger.{{ DOMAIN_NAME }}/token
+KYC_OAUTH2_INFO_URL = https://sms.challenger.{{ DOMAIN_NAME }}/info
+KYC_OAUTH2_CLIENT_ID = {{ ansible_facts['ansible_local']['sms-challenger-client-id']['sms-challenger']['client_id'] }}
+KYC_OAUTH2_CLIENT_SECRET = {{ ansible_facts['ansible_local']['sms-challenger-client-secret']['sms-challenger']['client_secret'] }}
+KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }}
+# FIXME: check this is OK...
+KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat
+# FIXME: change in production?
+KYC_OAUTH2_DEBUG_MODE = YES
diff --git a/roles/challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2 b/roles/challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2
@@ -1,13 +0,0 @@
-[kyc-provider-sms-challenger]
-LOGIC = oauth2
-KYC_OAUTH2_VALIDITY = 2 years
-KYC_OAUTH2_AUTHORIZE_URL = https://sms.challenger.{{ DOMAIN_NAME }}/authorize#setup
-KYC_OAUTH2_TOKEN_URL = https://sms.challenger.{{ DOMAIN_NAME }}/token
-KYC_OAUTH2_INFO_URL = https://sms.challenger.{{ DOMAIN_NAME }}/info
-KYC_OAUTH2_CLIENT_ID = {{ ansible_local['sms-challenger-client-id']['sms-challenger']['CLIENT_ID'] }}
-KYC_OAUTH2_CLIENT_SECRET = {{ ansible_local['sms-challenger-client-secret']['sms-challenger']['CLIENT_SECRET'] }}
-KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }}
-# FIXME: check this is OK...
-KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat
-# FIXME: change in production?
-KYC_OAUTH2_DEBUG_MODE = YES
diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml
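Review bot: The sms, email and postal provider templates are identical except for the provider name, and the deleted `sms-challenger.conf.j2` below shows how that duplication drifts — it had already diverged from its siblings in the fact keys it used (`ansible_local[...]['CLIENT_ID']`). A single `challenger-provider.conf.j2` rendered in a `loop` over `['sms', 'email', 'postal']` with `[kyc-provider-{{ item }}-challenger]` and `https://{{ item }}.challenger.{{ DOMAIN_NAME }}/…` would keep the three in lockstep. Because the file embeds `KYC_OAUTH2_CLIENT_SECRET`, the template task that renders it should also run with `no_log: true`.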
@@ -27,6 +27,11 @@
state: link
notify: restart nginx
+- name: Ensure /etc/taler-exchange/config.d/ directory exists
+ file:
+ path: "/etc/taler-exchange/conf.d/"
+ state: directory
+
- name: Place taler-exchange business config
ansible.builtin.template:
src: templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
@@ -43,6 +48,11 @@
group: root
mode: 0644
+- name: Ensure /etc/taler-exchange/secrets/ directory exists
+ file:
+ path: "/etc/taler-exchange/secrets/"
+ state: directory
+
- name: Place taler-exchange account credentials
ansible.builtin.template:
src: templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2
@@ -75,7 +85,7 @@
copy:
src: files/etc/taler-exchange/config.d/kyc-rules.conf
dest: /etc/taler-exchange/config.d/kyc-rules.conf
- when: have_kycrules.stat.exists
+ when: have_kycrules.stat.exists
- name: Setup Taler Exchange database
shell:
diff --git a/roles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2 b/roles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2
@@ -6,4 +6,4 @@ ENABLE_CREDIT = YES
WIRE_GATEWAY_AUTH_METHOD = token
WIRE_GATEWAY_URL = "http://localhost:{{ LIBEUFIN_PORT }}/taler-wire-gateway/"
-TOKEN = {{ EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN }}
+TOKEN = {{ ansible_facts['ansible_local']['libeufin-nexus-access-token']['libeufin-nexus']['auth_bearer_token'] }}
diff --git a/roles/exchange/templates/etc/taler-exchange/secrets/exchange-kyc-providers.conf.j2 b/roles/exchange/templates/etc/taler-exchange/secrets/exchange-kyc-providers.secret.conf.j2
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
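Review bot: The task added at the top of the hunk is named `Ensure /etc/taler-exchange/config.d/ directory exists` but creates `/etc/taler-exchange/conf.d/`, and this role then writes `exchange-business.conf` under `conf.d/` while `kyc-rules.conf` (and the challenger role's provider configs) go to `config.d/`. Unless the exchange's main configuration includes both directories, fragments in the other one are silently ignored, which for the KYC provider and rules files means a KYC control that looks deployed but is not loaded. Check which directory the packaged `taler-exchange.conf` `@inline-matching@`s, use it consistently across both roles, and fix the task name to match the path.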
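Review bot: `/etc/taler-exchange/secrets/` is created with `file: state: directory` and no `owner`, `group` or `mode`, so it gets the umask default (normally 0755) even though the `*.secret.conf` files placed into it hold the wire-gateway bearer token and KYC provider credentials. The directory should be closed off rather than relying on each file's own mode; suggest adding `owner: root`, the group the exchange services run under (verify the package's group name) and `mode: "0750"` to this task.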
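Review bot: `TOKEN` in `exchange-accountcredentials-primary.secret.conf.j2` now comes from the `libeufin-nexus-access-token` local fact, which only exists on a host where the libeufin-nexus role has written `/etc/ansible/facts.d/libeufin-nexus-access-token.fact`; with that role commented out in `setup.yml` in this same commit, rendering the template on a fresh host fails on an undefined variable, and in a split exchange/nexus deployment it can never work. If the two are always co-located, say so in the template, e.g. `# Shared with libeufin-nexus: read from the local fact the libeufin-nexus role writes on this host, so both roles must run here.`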
@@ -25,10 +25,9 @@
state: directory
- name: libeufin-nexus access secret setup
- command: echo -e "[libeufin-nexus]\nAUTH_BEARER_TOKEN=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/libeufin-nexus-access-token.fact
- args:
-# Ensures we only run when the file does not yet exist
- creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact
+ ansible.builtin.shell:
+ cmd: echo "[libeufin-nexus]\nAUTH_BEARER_TOKEN=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/libeufin-nexus-access-token.fact
+ creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact
- name: libeufin-nexus force ansible to regather just created fact(s)
setup: filter='libeufin-nexus-access-token'
@@ -41,20 +40,36 @@
group: root
mode: 0644
+- name: Place libeufin-nexus EBICS config
+ ansible.builtin.template:
+ src: templates/etc/libeufin/libeufin-nexus-ebics.conf.j2
+ dest: "/etc/libeufin/libeufin-nexus-ebics.conf"
+ owner: root
+ group: libeufin-nexus
+ mode: 0640
+ when: use_ebics
+
- name: Setup libeufin database
shell:
- cmd: libeufin-dbconfig --only-nexus -c /etc/libeufin/libeufin-nexus.conf
+ cmd: libeufin-dbconfig --only-nexus
+# FIXME: pass "--bank-config=/etc/libeufin/libeufin-nexus.conf" once libeufin 0.14.x is out!
chdir: /tmp
+- name: show vars
+ ansible.builtin.setup:
+
+# FIXME: this step currently fails with pofi, seems command wants
+# extra arguments to do PDF letter generation?
- name: EBICS setup
become: yes
become_user: libeufin-nexus
shell:
cmd: libeufin-nexus ebics-setup
+ when: use_ebics
- name: Ensure libeufin-nexus service is enabled and started
service:
- deamon_reload: true
+ daemon_reload: true
name: libeufin-nexus.target
state: started
enabled: true
diff --git a/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus-ebics.conf.j2 b/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus-ebics.conf.j2
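Review bot: The new `show vars` task runs `ansible.builtin.setup` with no filter and reads like a debugging leftover; since the local facts on this host include the nexus `auth_bearer_token` and the challenger `client_secret`s, a full fact gather at this point puts those secrets into the play output at `-v` and into any configured fact cache. Remove the task, or if a refresh is genuinely needed use `filter: ansible_local` and `no_log: true`. The `setup: filter='libeufin-nexus-access-token'` line kept in the first hunk still uses the `key=value` form the rest of this commit moves away from and should follow the same block style.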
@@ -0,0 +1,29 @@
+[nexus-ebics]
+
+# Base URL of the bank EBICS server.
+HOST_BASE_URL = {{ LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL }}
+
+# EBICS host ID.
+HOST_ID = {{ LIBEUFIN_NEXUS_EBICS_HOST_ID }}
+
+# EBICS user ID, as assigned by the bank.
+USER_ID = {{ LIBEUFIN_NEXUS_EBICS_USER_ID }}
+
+# EBICS partner ID, as assigned by the bank.
+PARTNER_ID = {{ LIBEUFIN_NEXUS_EBICS_PARTNER_ID }}
+
+# EBICS partner ID, as assigned by the bank. # ???
+SYSTEM_ID = {{ LIBEUFIN_NEXUS_EBICS_SYSTEM_ID }}
+
+# IBAN of the bank account that is associated with the EBICS subscriber.
+IBAN = {{ EXCHANGE_BANK_ACCOUNT_IBAN }}
+
+# BIC of the bank account that is associated with the EBICS subscriber
+BIC = {{ EXCHANGE_BANK_ACCOUNT_BIC }}
+
+# Legal entity that is associated with the EBICS subscriber.
+NAME = {{ EXCHANGE_OPERATOR_LEGAL_NAME }}
+
+# EBICS version and ISO20022 recommendations that
+# Nexus would honor in the communication with the bank.
+BANK_DIALECT = {{ LIBEUFIN_NEXUS_BANK_DIALECT }}
diff --git a/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2 b/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2
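Review bot: The comment above `SYSTEM_ID` still reads `# EBICS partner ID, as assigned by the bank. # ???`, copied verbatim from `PARTNER_ID`, so the moved file carries the same wrong description the old in-line block had; replace it with `# EBICS system ID, as assigned by the bank.` and drop the `# ???`, or resolve the question before shipping. A one-line header such as `# EBICS subscriber settings for libeufin-nexus; pulled into [nexus-ebics] by the @inline-secret@ line in libeufin-nexus.conf.` would also tell a reader why these keys live in a separate 0640 file.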
@@ -8,34 +8,6 @@ CONFIG = postgres:///libeufin
# Currency used by the bank where Nexus is client.
CURRENCY = {{ CURRENCY }}
-# Base URL of the bank server.
-HOST_BASE_URL = {{ LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL }}
-
-# EBICS host ID.
-HOST_ID = {{ LIBEUFIN_NEXUS_EBICS_HOST_ID }}
-
-# EBICS user ID, as assigned by the bank.
-USER_ID = {{ LIBEUFIN_NEXUS_EBICS_USER_ID }}
-
-# EBICS partner ID, as assigned by the bank.
-PARTNER_ID = {{ LIBEUFIN_NEXUS_EBICS_PARTNER_ID }}
-
-# EBICS partner ID, as assigned by the bank. # ???
-SYSTEM_ID = {{ LIBEUFIN_NEXUS_EBICS_SYSTEM_ID }}
-
-# IBAN of the bank account that is associated with the EBICS subscriber.
-IBAN = {{ EXCHANGE_BANK_ACCOUNT_IBAN }}
-
-# BIC of the bank account that is associated with the EBICS subscriber
-BIC = {{ EXCHANGE_BANK_ACCOUNT_BIC }}
-
-# Legal entity that is associated with the EBICS subscriber.
-NAME = {{ EXCHANGE_OPERATOR_LEGAL_NAME }}
-
-# EBICS version and ISO20022 recommendations that
-# Nexus would honor in the communication with the bank.
-BANK_DIALECT = {{ LIBEUFIN_NEXUS_BANK_DIALECT }}
-
# Exchange accounts bounce invalid incoming transactions.
ACCOUNT_TYPE = exchange
@@ -56,4 +28,7 @@ CONFIG=postgres:///libeufin
[nexus-httpd-wire-gateway-api]
ENABLED = YES
AUTH_METHOD = bearer-token
-AUTH_BEARER_TOKEN = {{ ansible_local['libeufin-nexus-access-token']['libeufin-nexus']['AUTH_BEARER_TOKEN'] }}
+AUTH_BEARER_TOKEN = {{ ansible_facts['ansible_local']['libeufin-nexus-access-token']['libeufin-nexus']['auth_bearer_token'] }}
+
+# FIXME: is this supported by libeufin?
+@inline-secret@ nexus-ebics libeufin-nexus-ebics.conf
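Review bot: The new `@inline-secret@ nexus-ebics libeufin-nexus-ebics.conf` line at the end of the second hunk includes the EBICS fragment unconditionally, while the task that places `/etc/libeufin/libeufin-nexus-ebics.conf` now runs only `when: use_ebics`, so with `use_ebics: false` (the default set in setup.yml) the main config references a file that does not exist. Depending on how libeufin treats a missing inline-secret target this is either a startup failure or a silently empty `[nexus-ebics]` section, and the `# FIXME: is this supported by libeufin?` comment says the directive itself is unverified. Suggest guarding the line in the template with `{% if use_ebics %}` … `{% endif %}`, or keeping the EBICS keys in this file until the directive is confirmed to work.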