ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 7cbd733f104dff3f92394a706bda312cd47fe9fb
parent 82dbaf477e9b8da01b4194d6a163032b89c44dee
Author: Florian Dold <florian@dold.me>
Date:   Wed,  5 Nov 2025 21:43:17 +0100

spec: follow ansible-vault best practices

Diffstat:
Mansible.cfg | 2+-
Dinventories/host_vars/spec/prod-secrets.yml.gpg | 0
Dinventories/host_vars/spec/tops-public.yml | 77-----------------------------------------------------------------------------
Ainventories/host_vars/spec/vars.yml | 115+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ainventories/host_vars/spec/vault.yml | 82+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 198 insertions(+), 78 deletions(-)

diff --git a/ansible.cfg b/ansible.cfg @@ -12,4 +12,4 @@ use_persistent_connections = True pipelining = True -vault_password_file: vault_pass.txt +vault_password_file = vault_pass.txt diff --git a/inventories/host_vars/spec/prod-secrets.yml.gpg b/inventories/host_vars/spec/prod-secrets.yml.gpg Binary files differ. diff --git a/inventories/host_vars/spec/tops-public.yml b/inventories/host_vars/spec/tops-public.yml 
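Review bot: `vault_password_file = vault_pass.txt` points at a plaintext password file in the repository root, and the diffstat shows no `.gitignore` change, so a stray `git add .` would commit the key that unlocks `vault.yml` right next to the vault it protects. Either confirm `vault_pass.txt` is already ignored, or move the setting out of the working tree, e.g. `vault_password_file = ~/.ansible/vault_pass.txt`, or point it at an executable script that fetches the password from a secret store, which is what the ansible-vault documentation this commit cites as its model recommends. Note also that with the GPG-encrypted `prod-secrets.yml.gpg` removed, the vault password becomes the single secret guarding every credential in the new vault, so its handling deserves the same care as the secrets themselves.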
@@ -1,77 +0,0 @@
-# Public variables for the Taler Operations AG (TOPS) deployment
-# Deploy challenger?
-deploy_challenger: true
-# What kind of environment are we deploying?
-DEPLOYMENT_KIND: "tops"
-# Disable restore from backup? MUST be set to "false" once in production!
-# This forces a backup to be provided *if* there is no database on the
-# target system already. If such a database exists, we will NOT restore
-# any backup even if this is 'false'. If no database exists on the target
-# system and this option is 'false', then a backup must have been provided
-# at the originating host (you get get it using the 'restore.sh' script).
-DISABLE_RESTORE_BACKUP: false
-# Use EBICS? (starts libeufin-nexus-fetch/submit services)
-USE_EBICS: false
-# Write EBICS configuration (with values in secret config)
-configure_ebics: true
-# Main domain name.
-domain_name: "taler-ops.ch"
-exchange_domain: "exchange.{{ domain_name }}"
-# Our internal hostname
-TARGET_HOST_NAME: "spec.taler-ops.ch"
-# Suite for taler packages.
-taler_repo_suites: trixie
-# Deploy EBICS configuration (true/false).
-use_ebics: false
-# Our currency.
-CURRENCY: CHF
-# Smallest unit of the currency for wire transfers.
-CURRENCY_ROUND_UNIT: "CHF:0.01"
-# Sanction list to use, comment out to disable
-# SANCTION_LIST: sanctions-swiss.json
-# Base URL of the exchange REST API
-EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/"
-# Base URL of the auditor REST API
-AUDITOR_BASE_URL: "https://auditor.{{ domain_name }}/"
-# Exchange offline master public key.
-EXCHANGE_MASTER_PUB: 9V0G82S7JQW2ZRYF7BMGKKQ1TNR1VNVXZJSNQ2VSDGWC80D9W0YG
-# Auditor offline public key.
-AUDITOR_PUB: P6B7ZS7Y1Y12S0VP0PAJ1GQGSHW8RE4NSBTP8PR254J18SK24MH0
-# URL with merchants accepting this exchange.
-EXCHANGE_SHOPPING_URL: "https://shops.taler-ops.ch/"
-# Name of Terms of service resource file
-EXCHANGE_TERMS_ETAG: "exchange-tos-tops-v0"
-# Name of Privacy policy resource file
-EXCHANGE_PP_ETAG: "exchange-pp-v0"
-# Full BIC of exchange account
-EXCHANGE_BANK_ACCOUNT_BIC: "POFICHBEXXX"
-# Full Payto URI of exchange account (for credit and debit)
-EXCHANGE_BANK_ACCOUNT_IBAN: "CH9709000000166556130"
-# Full Payto URI of exchange account (for credit and debit)
-EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=Taler+Operations+AG"
-# Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
-LIBEUFIN_PORT: 8082
-# Name of the exchange account at libeufin-nexus
-LIBEUFIN_EXCHANGE_ACCOUNT: "exchange"
-# Name of the bank dialect
-LIBEUFIN_NEXUS_BANK_DIALECT: "postfinance"
-# SPA dialect (tops, gls, magnet, ...)
-EXCHANGE_SPA_DIALECT: "tops"
-# Business name of the exchange operator
-EXCHANGE_OPERATOR_LEGAL_NAME: "Taler Operations AG"
-# Where to send people after they passed KYC.
-KYC_THANK_YOU_URL: https://taler-ops.ch/en/thank-you-kyc.html
-# Template to use for identification of individuals with KYCAID
-KYCAID_TEMPLATE_INDIVIDUAL: tmpl_xxx
-# Template to use for identification of businesses with KYCAID
-KYCAID_TEMPLATE_BUSINESS: tmpl_xxx
-# Regex specifying allowed phone numbers for the SMS check
-EXCHANGE_AML_PROGRAM_TOPS_SMS_HINT: "Swiss number required"
-EXCHANGE_AML_PROGRAM_TOPS_SMS_EXAMPLE: "+41948224521"
-EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: "\\\\+41[0-9]+"
-# Regex specifying allowed country names for the postal address check
-EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_HINT: "Swiss address required"
-EXCHANGE_AML_PROGRAM_TOPS_POSTAL_EXAMPLE: "Max Mustermann\\nBahnhofsplatz 1\\n4201 Biel/Bienne"
-EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"
-# Tool to use for sanction list checking
-EXCHANGE_SANCTION_HELPER: taler-exchange-helper-sanctions-dummy
diff --git a/inventories/host_vars/spec/vars.yml b/inventories/host_vars/spec/vars.yml 
@@ -0,0 +1,115 @@
+# Public variables for the Taler Operations AG (TOPS) deployment
+# Deploy challenger?
+deploy_challenger: true
+# What kind of environment are we deploying?
+DEPLOYMENT_KIND: "tops"
+# Disable restore from backup? MUST be set to "false" once in production!
+# This forces a backup to be provided *if* there is no database on the
+# target system already. If such a database exists, we will NOT restore
+# any backup even if this is 'false'. If no database exists on the target
+# system and this option is 'false', then a backup must have been provided
+# at the originating host (you get get it using the 'restore.sh' script).
+DISABLE_RESTORE_BACKUP: false
+# Use EBICS? (starts libeufin-nexus-fetch/submit services)
+USE_EBICS: false
+# Write EBICS configuration (with values in secret config)
+configure_ebics: true
+# Main domain name.
+domain_name: "taler-ops.ch"
+exchange_domain: "exchange.{{ domain_name }}"
+# Our internal hostname
+TARGET_HOST_NAME: "spec.taler-ops.ch"
+# Suite for taler packages.
+taler_repo_suites: trixie
+# Deploy EBICS configuration (true/false).
+use_ebics: false
+# Our currency.
+CURRENCY: CHF
+# Smallest unit of the currency for wire transfers.
+CURRENCY_ROUND_UNIT: "CHF:0.01"
+# Sanction list to use, comment out to disable
+# SANCTION_LIST: sanctions-swiss.json
+# Base URL of the exchange REST API
+EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/"
+# Base URL of the auditor REST API
+AUDITOR_BASE_URL: "https://auditor.{{ domain_name }}/"
+# Exchange offline master public key.
+EXCHANGE_MASTER_PUB: 9V0G82S7JQW2ZRYF7BMGKKQ1TNR1VNVXZJSNQ2VSDGWC80D9W0YG
+# Auditor offline public key.
+AUDITOR_PUB: P6B7ZS7Y1Y12S0VP0PAJ1GQGSHW8RE4NSBTP8PR254J18SK24MH0
+# URL with merchants accepting this exchange.
+EXCHANGE_SHOPPING_URL: "https://shops.taler-ops.ch/"
+# Name of Terms of service resource file
+EXCHANGE_TERMS_ETAG: "exchange-tos-tops-v0"
+# Name of Privacy policy resource file
+EXCHANGE_PP_ETAG: "exchange-pp-v0"
+# Full BIC of exchange account
+EXCHANGE_BANK_ACCOUNT_BIC: "POFICHBEXXX"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_IBAN: "CH9709000000166556130"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=Taler+Operations+AG"
+# Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
+LIBEUFIN_PORT: 8082
+# Name of the exchange account at libeufin-nexus
+LIBEUFIN_EXCHANGE_ACCOUNT: "exchange"
+# Name of the bank dialect
+LIBEUFIN_NEXUS_BANK_DIALECT: "postfinance"
+# SPA dialect (tops, gls, magnet, ...)
+EXCHANGE_SPA_DIALECT: "tops"
+# Business name of the exchange operator
+EXCHANGE_OPERATOR_LEGAL_NAME: "Taler Operations AG"
+# Where to send people after they passed KYC.
+KYC_THANK_YOU_URL: https://taler-ops.ch/en/thank-you-kyc.html
+# Template to use for identification of individuals with KYCAID
+KYCAID_TEMPLATE_INDIVIDUAL: tmpl_xxx
+# Template to use for identification of businesses with KYCAID
+KYCAID_TEMPLATE_BUSINESS: tmpl_xxx
+# Regex specifying allowed phone numbers for the SMS check
+EXCHANGE_AML_PROGRAM_TOPS_SMS_HINT: "Swiss number required"
+EXCHANGE_AML_PROGRAM_TOPS_SMS_EXAMPLE: "+41948224521"
+EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: "\\\\+41[0-9]+"
+# Regex specifying allowed country names for the postal address check
+EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_HINT: "Swiss address required"
+EXCHANGE_AML_PROGRAM_TOPS_POSTAL_EXAMPLE: "Max Mustermann\\nBahnhofsplatz 1\\n4201 Biel/Bienne"
+EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"
+# Tool to use for sanction list checking
+EXCHANGE_SANCTION_HELPER: taler-exchange-helper-sanctions-dummy
+
+# Secrets are taken from the vault file and substituted via
+# the vault_* variables.
+#
+# YOU MAY ONLY edit the vault.yml file via
+# $ ansible-vault edit inventories/host_vars/spec/vault.yml
+# to decrease the likelihood of unencrypted secrets ending up in git.
+HAVE_SECRETS: true
+
+# Symmetric encryption secret for KYC attribute encryption.
+EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY: "{{ vault_exchange_attribute_encryption_key }}"
+# EBICS access details (we're not actually using this...)
+LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL: https://isotest.postfinance.ch/ebicsweb/ebicsweb
+LIBEUFIN_NEXUS_EBICS_HOST_ID: PFEBICS
+LIBEUFIN_NEXUS_EBICS_USER_ID: "{{ vault_libeufin_nexus_ebics_user_id }}"
+LIBEUFIN_NEXUS_EBICS_PARTNER_ID: "{{ vault_libeufin_nexus_ebics_partner_id }}"
+LIBEUFIN_NEXUS_EBICS_SYSTEM_ID: "{{ vault_libeufin_nexus_ebics_system_id }}"
+
+# Authorization token for the telesign SMS service
+# "Basic" is pre-pended by the shell script
+SMS_CHALLENGER_TELESIGN_AUTH_TOKEN: "{{ vault_sms_challenger_telesign_auth_token }}"
+
+# Authorization data for the pingen postal service
+POSTAL_CHALLENGER_PINGEN_CLIENT_ID: "{{ vault_postal_challenger_pingen_client_id }}"
+POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET: "{{ vault_postal_challenger_pingen_client_secret }}"
+POSTAL_CHALLENGER_PINGEN_ORG_ID: "{{ vault_postal_challenger_pingen_org_id }}"
+
+# KYCaid access token
+EXCHANGE_KYCAID_ACCESS_TOKEN: "{{ vault_exchange_kycaid_access_token }}"
+
+# Bearer access token for the auditor SPA (set via browser extension to set Authorization HTTP header on auditor.$DOMAIN!)
+AUDITOR_ACCESS_TOKEN: "{{ vault_auditor_access_token }}"
+
+# Bearer access token for monitoring.$DOMAIN (must be given to grafana)
+PROMETHEUS_ACCESS_TOKEN: "{{ vault_prometheus_access_token }}"
+
+# Bearer access token for loki.taler-systems.com (see that nginx config)
+LOKI_ACCESS_TOKEN: "{{ vault_loki_access_token }}"
diff --git a/inventories/host_vars/spec/vault.yml b/inventories/host_vars/spec/vault.yml
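Review bot: The two AML regexes carried into vars.yml, `EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX` and `EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX`, are unanchored, so if the consuming helper applies them with a search rather than a full match, `CH|Ch|ch` also accepts "Chile", "China" or "Czechia" and `\\+41[0-9]+` accepts any string that merely contains a Swiss prefix, which defeats the Swiss-only KYC gate these values implement. Anchoring them as `EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "^(CH|Ch|ch)$"` and `EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: "^\\\\+41[0-9]+$"` is harmless if the helper already does a full match and closes the gap if it does not; since the four-backslash form implies a second unescaping layer downstream, it is worth a render-time check that `EXCHANGE_AML_PROGRAM_TOPS_SMS_EXAMPLE` actually matches the rendered pattern. Separately, `KYCAID_TEMPLATE_INDIVIDUAL` and `KYCAID_TEMPLATE_BUSINESS` still hold the placeholder `tmpl_xxx` in a file whose header describes a production deployment; if real template IDs are needed they belong in the vault alongside `vault_exchange_kycaid_access_token`, otherwise a comment such as `# TODO: placeholder, KYCAID templates not yet provisioned` would stop the next operator from assuming the KYC flow is configured.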
@@ -0,0 +1,82 @@ +$ANSIBLE_VAULT;1.1;AES256 +31633564396334313837633739653133666630646231336162633035356238626535653565323734 +6532656461326436383631333236316337303433613238370a356537336332326561313735313832 +39356263613230323137653937313137656261636161313266663736396435666562663637343265 +3461333064386561360a623438366366333339646661353437313765613438653039393438636530 +31346565666336666264316234356361646462393835303262396234323066316137393863323732 +66613265396265636262353037313065313430323134323430663165636237333436363166306632 +37633538373836653132666537316265366234336161393939376164626139316531373239336139 +65396532316161623264396339336132636439353161666362646636663664363435623366353761 +64623834356439383639336338626332636162346163616533613331313338663330333261323062 +61633239616435366361383463333838313732373463663663373965643232646362396166383630 +63306631626464333737363366313734303732356637616435623939363763613233626630376462 +38613966633037653335316338666332633864346563396530613961386236373262323766313033 +38663035346234373935613432353563376537663431616132623138303237326166643161643238 +66323031356439303132613463313730336532626664323536613030643734356632313730626433 +36313738613230323963346435616332353066666538613232626332623739343733613733363430 +39656561316664313533356432613237336263356237346261343830626566656538363636653539 +31333234353863663237386466303363303961616265393131633236613161653830353333316638 +62316635323132656439646530663638313230333233306131666166646533363566623064393333 +64333564383139623162346163316233623539353663626465373730393832646536366431376231 +34306232383430396439633635333930616432393331393137393030343835633364633036613539 +35373766653065323936616337346463336261363832393739346432383939373131313864333134 +64303061376564663866663136376439383766656236653031343237643036663366633564323564 +65383935353330646533356261666639636337313535623839616538313431393537386265366365 
+63313662373730306434636162396462363630376666666335343664316162613333396166336236 +34626663633439333338353265613862336262373365343835386633353031373434326161353735 +66343433323935616130646235313537373164326262653738313533666464373363656339656133 +61393938306237613432363365356534303366363238316361613131643637353030353835643166 +34626237366564633232666364323036383064333030363930333732613562626461353236313934 +39323664303132663636383366663037633338353866373239373032353839323031323237323933 +65633366363230326439386539643565626664383062313462626261626331626163333839313931 +30613538643039633163646437373835386166653139323839643337356133626338663139343934 +30333165346533303465366139396131383361346338666232656639306466353865363934333434 +30303161396235336530663966653163333566616630303737636666636233326266383139356637 +30633736346662636164303366343863333133623930663037356432383733396536636464616165 +38653035313035623663363433346133336264316561633938313061363566616563373034373835 +61343032343538366165663133393932653633393034363831663437393466663332653137653430 +63373566656662323165663337333165623965313866653462316462623866366433383965316565 +33343662663035303038343665333334313038336339353661333036323765373634356335623730 +35333665343230383466366662613963306438656561646135306630323136383234313337343233 +30663165656334393031383932646335323134383936356264326439666163653338653361633764 +34663663383435643834346230336638366633656431336235666432313232343961656230613535 +64633763306636616533376338316235666337343265386566633932656332663566386136316632 +38616561343937613336663139386564393235663565346639333666343061396364663435363464 +32613332663131623934393865653231663261316662323839373361613330343062356239663433 +64633633623537646633313132363830356137313437363864346663653662393433666635623538 +65353365633364326537356266666337656664653437343730363734356330356639623931353966 +38366232623135373836386363623030366362663536306630323535363166643462366632363265 
+37343430336238666234303239613463333939376365353464643233623539323763656530663934 +32653339343935356163623936323363386465663035616331386131653665646238663138336438 +64646335613764616265613834613562613862353866386262663063613162306530393234393262 +31666130646166653536393832393034383666356566346236326637326334343539653632316336 +34313637383866333634626431643161323735333932336165306433656461396564623638313435 +63366430346431613963636666393866333135333430353463333861303538636636303566663938 +34376464653462323938663335326237343466316334303636376366373937656135376562613236 +32316333303739393235356435646361613234393836393761313636663136626434326337633066 +32653661623332613763363563353764346365373937646463356462613038616462316164656631 +61393832626536323462613866306134323635323533396530613237663436316332643330393731 +61316533316166623035353863623635343066373466356433613062396132373966356265393332 +66646535323233623361323833323533616565356163353939666539373363613738646233303862 +39353232306438666538666532383535623732386430663262646433396430633630303136633163 +32376463653034646638333431633964616130636364383737313266643930383838616364343739 +30666466326335333939383764383435656662633966633133313966303065373563373463623639 +62353039633032396133366330346235333534353435353537643463303566303132626439333462 +34343638373063393361643737353237306266363764663135343734663138383537326535653433 +63393866346162393764653538313034343731663330323637326666393265373035316235633634 +62616132336330393538343663356534353630303934383035623239633139656562393632656165 +32613738653930323930306265356539613339633336373066393730356564653535366239653937 +30353938616666373930393666613266376561383236613162346365313139323137613262623735 +63363036633561323739656438313761656435393137383830333931636264303363323439316132 +36653731653631326661306638306637373330323732336232353931393237323637643430353163 +66653335313665663466306162616635353065303634643066346234313264363733316665653738 
+37643463363061306335393162633136393262376465666336323833393666653833303230373962 +30353263306465646665333261383363666330626536666230613535653935313238336363326638 +36363264373031646463316665353764626132333431333630613766333434396634363837366363 +33313239366563643164366465636261633238303961316261626266616530666131656439386664 +32306634623065653363613330326661316639653664663938633239353031306538393161363665 +63313161656134646337303761656639343439336231336365343965663265626161363230343632 +39623131393530666564643037316163633861643764346531333964363662313465353364626432 +38663930353033383662396430656632386563303961396433346634316334396133383766643838 +33326465313732353964313632313532313932343834333430643837343562323166623934373466 +6232