commit 66f60c399e8b6364ac26be9adc760eee0e10d98b
parent f6e6c5e5867778d3236f409ca7e5ea440122f400
Author: Christian Grothoff <christian@grothoff.org>
Date: Sun, 27 Apr 2025 15:56:50 +0200
fix misc. deployment issues found in attempted deployment for rusty
Diffstat:
13 files changed, 62 insertions(+), 67 deletions(-)
diff --git a/inventories/host_vars/rusty/.gitignore b/inventories/host_vars/rusty/.gitignore
@@ -0,0 +1 @@
+test-secrets.yml
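Review bot: Ignoring test-secrets.yml from now on does not remove the plaintext file this commit deletes from history; it stays reachable at the parent f6e6c5e5867778d3236f409ca7e5ea440122f400, so any value in it that was not a placeholder should be treated as exposed and rotated. The deleted contents look mostly like placeholders (SECRET2, my-auth-token, FIXME), but the EBICS host URL and user/partner/system IDs appear to be real test-system values, so that should be confirmed. A one-line comment would make the intent of the rule obvious to the next reader: `# decrypted working copy of test-secrets.yml.gpg - never commit`.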
diff --git a/inventories/host_vars/rusty/test-public.yml b/inventories/host_vars/rusty/test-public.yml
@@ -1,8 +1,15 @@
# Public variables for a "test" deployment
# Deploy challenger?
DEPLOY_CHALLENGER: true
+# Disable restore from backup? MUST be set to "false" once in production!
+# This forces a backup to be provided *if* there is no database on the
+# target system already. If such a database exists, we will NOT restore
+# any backup even if this is 'false'. If no database exists on the target
+# system and this option is 'false', then a backup must have been provided
+# at the originating host (you get get it using the 'restore.sh' script).
+DISABLE_RESTORE_BACKUP: true
# Main domain name.
-DOMAIN_NAME: "rusty.taler-ops.ch"
+DOMAIN_NAME: "stage.taler-ops.ch"
# Use nightly Taler distro (true/false).
USE_NIGHTLY: true
# Deploy EBICS configuration (true/false).
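Review bot: The comment at lines 16-21 says DISABLE_RESTORE_BACKUP MUST be false in production, yet the committed default is true and nothing in the diff enforces it; moreover the only visible consumer of the flag, the "Create empty taler-exchange database" task in roles/database/tasks/main.yml, is removed by this same commit, so unless another consumer exists outside the diff the variable is now dead. If a consumer remains, the comment should say what it is, since the "This forces a backup to be provided" sentence reads as describing the true setting while it actually describes false. Line 21 also has a typo: `# at the originating host (you can get it using the 'restore.sh' script).`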
diff --git a/inventories/host_vars/rusty/test-secrets.yml b/inventories/host_vars/rusty/test-secrets.yml
@@ -1,29 +0,0 @@
----
-# Symmetric encryption secret for KYC attribute encryption.
-EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY: SECRET2
-# EBICS access details
-LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL: https://isotest.postfinance.ch/ebicsweb/ebicsweb
-LIBEUFIN_NEXUS_EBICS_HOST_ID: PFEBICS
-LIBEUFIN_NEXUS_EBICS_USER_ID: PFC00664
-LIBEUFIN_NEXUS_EBICS_PARTNER_ID: PFC00664
-LIBEUFIN_NEXUS_EBICS_SYSTEM_ID: PFC00664
-
-# Authorization token for the telesign SMS service
-SMS_CHALLENGER_TELESIGN_AUTH_TOKEN: my-auth-token
-
-# Authorization data for the pingen postal service
-POSTAL_CHALLENGER_PINGEN_CLIENT_ID: myid
-POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET: mysecret
-POSTAL_CHALLENGER_PINGEN_ORG_ID: orgid
-
-# KYCaid access token
-EXCHANGE_KYCAID_ACCESS_TOKEN: FIXME
-
-# Bearer access token for the auditor
-AUDITOR_ACCESS_TOKEN: secret-token:FIXME
-
-# Bearer access token for monitoring
-PROMETHEUS_ACCESS_TOKEN: secret-token:FIXME
-
-# Bearer access token for loki.taler-systems.com
-LOKI_ACCESS_TOKEN: secret-token:FIXME
diff --git a/inventories/host_vars/rusty/test-secrets.yml.gpg b/inventories/host_vars/rusty/test-secrets.yml.gpg
Binary files differ.
diff --git a/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2 b/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2
@@ -10,7 +10,12 @@ server {
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
- root /var/www/letsencrypt/auditor.{{ DOMAIN_NAME }};
+ root /var/www/letsencrypt;
+ }
+
+ # Hide /acme-challenge subdirectory and return 404 on all requests.
+ location = /.well-known/acme-challenge/ {
+ return 404;
}
location / {
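Review bot: The comment `# Hide /acme-challenge subdirectory and return 404 on all requests.` overstates what the `location =` block under it does: an exact-match location only catches the bare directory URI `/.well-known/acme-challenge/`, while token files beneath it are still served by the `^~` prefix block above, which is the intent. Suggest `# Return 404 for the bare directory URI itself; challenge files below it are still served by the prefix location above.` The identical block and comment are added to the email-, postal- and sms-challenger templates and to the exchange template in this commit. The enclosing server block starts before and continues after the hunk.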
diff --git a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2
@@ -10,7 +10,12 @@ server {
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
- root /var/www/letsencrypt/email.challenger.{{ DOMAIN_NAME }};
+ root /var/www/letsencrypt;
+ }
+
+ # Hide /acme-challenge subdirectory and return 404 on all requests.
+ location = /.well-known/acme-challenge/ {
+ return 404;
}
location / {
diff --git a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2
@@ -10,7 +10,12 @@ server {
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
- root /var/www/letsencrypt/postal.challenger.{{ DOMAIN_NAME }};
+ root /var/www/letsencrypt;
+ }
+
+ # Hide /acme-challenge subdirectory and return 404 on all requests.
+ location = /.well-known/acme-challenge/ {
+ return 404;
}
location / {
diff --git a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2
@@ -10,7 +10,12 @@ server {
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
- root /var/www/letsencrypt/sms.challenger.{{ DOMAIN_NAME }};
+ root /var/www/letsencrypt;
+ }
+
+ # Hide /acme-challenge subdirectory and return 404 on all requests.
+ location = /.well-known/acme-challenge/ {
+ return 404;
}
location / {
diff --git a/roles/database/tasks/main.yml b/roles/database/tasks/main.yml
@@ -88,12 +88,3 @@
ansible.builtin.file:
path: /tmp/postgres-backup.sql.gz
state: absent
-
-- name: Create empty taler-exchange database (if first deployment)
- become: true
- become_user: postgres
- community.postgresql.postgresql_db:
- login_user: postgres
- db: taler-exchange
- state: present
- when: DISABLE_RESTORE_BACKUP | bool
diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml
@@ -150,7 +150,7 @@
when: have_kycrules.stat.exists
-- name: Setup Taler Exchange database
+- name: Setup or upgrade Taler Exchange database
ansible.builtin.command:
cmd: taler-exchange-dbconfig -c /etc/taler-exchange/taler-exchange.conf
chdir: /tmp
diff --git a/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2 b/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2
@@ -10,7 +10,12 @@ server {
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
- root /var/www/letsencrypt/exchange.{{ DOMAIN_NAME }};
+ root /var/www/letsencrypt;
+ }
+
+ # Hide /acme-challenge subdirectory and return 404 on all requests.
+ location = /.well-known/acme-challenge/ {
+ return 404;
}
location / {
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
@@ -60,15 +60,6 @@
- alloy
install_recommends: false
-- name: Ensure Taler monitoring virtualhost configuration file exists
- template:
- src: templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
- dest: /etc/nginx/sites-available/monitoring-nginx.conf
- owner: root
- group: root
- mode: "0644"
- notify: Restart nginx
-
- name: Ensure Taler monitoring HTTP virtualhost configuration file exists
template:
src: templates/etc/nginx/sites-available/monitoring-http.conf.j2
@@ -85,18 +76,6 @@
state: link
notify: Restart nginx
-- name: Enable Taler monitoring reverse proxy configuration
- file:
- src: /etc/nginx/sites-available/monitoring-nginx.conf
- dest: /etc/nginx/sites-enabled/monitoring-nginx.conf
- state: link
- notify: Restart nginx
-
-
-# We need to make sure that our handler notifies nginx to restart NOW
-- name: Flush handlers
- meta: flush_handlers
-
- name: Secure the monitoring site with Letsencrypt
ansible.builtin.include_role:
name: geerlingguy.certbot
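Review bot: With the `Flush handlers` meta task moved to after the certbot role (lines 203-205), the `Restart nginx` notification from the HTTP virtualhost task earlier in this file is no longer applied before `geerlingguy.certbot` runs, so on a first deployment nginx may not yet serve the acme-challenge location when the challenge is attempted. That only matters if the role is configured for webroot issuance, which this hunk does not show; if it is, keep a `- name: Flush handlers` / `  meta: flush_handlers` immediately before the include_role as well. The include_role task continues past the end of the hunk.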
@@ -120,6 +99,27 @@
domains:
- "monitoring.{{ DOMAIN_NAME }}"
+- name: Ensure Taler monitoring HTTPS configuration file exists
+ template:
+ src: templates/etc/nginx/sites-available/monitoring-nginx.conf.j2
+ dest: /etc/nginx/sites-available/monitoring-nginx.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Restart nginx
+
+- name: Enable Taler monitoring HTTPS reverse proxy configuration
+ file:
+ src: /etc/nginx/sites-available/monitoring-nginx.conf
+ dest: /etc/nginx/sites-enabled/monitoring-nginx.conf
+ state: link
+ notify: Restart nginx
+
+
+# We need to make sure that our handler notifies nginx to restart NOW
+- name: Flush handlers
+ meta: flush_handlers
+
- name: Create prometheus database user
community.postgresql.postgresql_user:
name: prometheus
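Review bot: The new tasks at lines 186-200 use the short module names `template:` and `file:` while the surrounding file uses fully qualified names (`ansible.builtin.include_role`, `community.postgresql.postgresql_user`); for consistency and to avoid collection-resolution ambiguity, write `ansible.builtin.template:` and `ansible.builtin.file:`. Lines 201-202 also leave two consecutive blank lines, which yamllint's empty-lines rule flags by default. The `Create prometheus database user` task continues past the hunk.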
diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2
@@ -10,7 +10,7 @@ server {
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
- root /var/www/letsencrypt/monitoring.{{ DOMAIN_NAME }};
+ root /var/www/letsencrypt/monitoring;
}
location / {
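Review bot: The webroot here becomes `/var/www/letsencrypt/monitoring` while the five sibling templates in this commit (auditor, exchange, email/postal/sms challenger) all switch to the shared `/var/www/letsencrypt`, and this is also the only template that does not receive the `location = /.well-known/acme-challenge/ { return 404; }` block. If the certbot webroot configured for monitoring.{{ DOMAIN_NAME }} (not visible here) is the shared directory, challenge files will not be found under /monitoring and issuance fails; either align it with `root /var/www/letsencrypt;` or confirm a per-host webroot is set for this domain. The enclosing server block starts before and continues after the hunk.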