ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 8bc41bd18cf34afb1da68a886ce7aac18d1225c6
parent aa06c0b1b7d4e56558cb982ef958c29ef4706a82
Author: Christian Grothoff <christian@grothoff.org>
Date:   Fri, 22 Nov 2024 22:33:56 +0100

work on configs

Diffstat:
Mplaybooks/setup.yml | 15+++++++++++++--
Mplaybooks/test-secrets.yml | 8+++++++-
Mroles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2 | 2+-
Droles/libeufin-nexus/files/etc/libeufin/libeufin-nexus.conf | 49-------------------------------------------------
Mroles/libeufin-nexus/tasks/main.yml | 13+++++++++++--
Aroles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2 | 59+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 91 insertions(+), 55 deletions(-)

diff --git a/playbooks/setup.yml b/playbooks/setup.yml
@@ -13,6 +13,9 @@
 # Note that we ONLY define those variables here that are NOT
 # secrets. For secrets, test-secrets.yml contains a template.
 vars:
+# Our currency.
+ CURRENCY = CHF
+# Base URL of the exchange REST API
 EXCHANGE_BASE_URL="https://exchange.taler-ops.ch/"
 # Exchange offline master public key.
 EXCHANGE_MASTER_PUB=
@@ -21,8 +24,16 @@
 # Name of Privacy policy resource file
 EXCHANGE_PP_ETAG="exchange-pp-v0"
 # Full Payto URI of exchange account (for credit and debit)
- EXCHANGE_BANK_ACCOUNT_PAYTO="payto://iban/DE12345678?receiver-name=operator"
-# Port to be used by libeufin-nexus
+ EXCHANGE_BANK_ACCOUNT_BIC="POFICHBEXXX"
+# Full Payto URI of exchange account (for credit and debit)
+ EXCHANGE_BANK_ACCOUNT_IBAN="CH9889144237951612671"
+# Full Payto URI of exchange account (for credit and debit)
+ EXCHANGE_BANK_ACCOUNT_PAYTO="payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=operator"
+# Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
 LIBEUFIN_PORT=8082
 # Name of the exchange account at libeufin-nexus
 LIBEUFIN_EXCHANGE_ACCOUNT="exchange"
+# Name of the bank dialect
+ LIBEUFIN_NEXUS_BANK_DIALECT="postfinance"
+# Business name of the exchange operator
+ EXCHANGE_OPERATOR_LEGAL_NAME="Taler Exchange Operator Legal Name"
diff --git a/playbooks/test-secrets.yml b/playbooks/test-secrets.yml
@@ -1,4 +1,10 @@
 # Secret token to use to authenticate to SMS challenger service.
-EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1
+EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1 => fact?
 # Symmetric encryption secret for KYC attribute encryption.
 EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY=SECRET2
+# EBICS ccess details
+LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL = https://isotest.postfinance.ch/ebicsweb/ebicsweb
+LIBEUFIN_NEXUS_EBICS_HOST_ID = PFEBICS
+LIBEUFIN_NEXUS_EBICS_USER_ID = PFC00664
+LIBEUFIN_NEXUS_EBICS_PARTNER_ID = PFC00664
+LIBEUFIN_NEXUS_EBICS_SYSTEM_ID = PFC00664
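Review bot: The new `CURRENCY = CHF` under `vars:` is a shell-style assignment, not a YAML mapping entry, so a YAML loader (and therefore Ansible) finds no `key: value` to parse here; it also differs from its neighbours, which use `KEY=value` without spaces. The surrounding lines have the same form, so this is pre-existing, but the fix applies to the whole block: write each entry as a mapping, e.g. `CURRENCY: "CHF"` and `EXCHANGE_BASE_URL: "https://exchange.taler-ops.ch/"`, with values quoted. If setup.yml is preprocessed into YAML before Ansible reads it, this does not apply. The `vars:` block continues in the second hunk of this file.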
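Review bot: The comments above `EXCHANGE_BANK_ACCOUNT_BIC` and `EXCHANGE_BANK_ACCOUNT_IBAN` are copies of the PAYTO comment, `# Full Payto URI of exchange account (for credit and debit)`, and describe the wrong variable; suggested `# BIC of the exchange's bank account` and `# IBAN of the exchange's bank account`. The IBAN `CH9889144237951612671` and BIC `POFICHBEXXX` are the same concrete values the removed roles/libeufin-nexus/files/etc/libeufin/libeufin-nexus.conf carried; if this is a live account, a placeholder in the style of the removed `DE12345678` example would keep real account data out of the committed defaults, with operators supplying the real values next to their secrets.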
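Review bot: `EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1 => fact?` carries a working note into the value itself; if the intent is to derive this token from a generated local fact as roles/libeufin-nexus/tasks/main.yml now does for nexus, keep that as a comment, `# TODO: generate as a local fact?`, and leave the line as `EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1`. The comment `# EBICS ccess details` is missing a letter (`# EBICS access details`), and the new entries use `KEY = value` while the existing ones use `KEY=value`. The identifiers `PFEBICS` and `PFC00664` are the concrete values from the removed libeufin-nexus.conf rather than `SECRET`-style placeholders; in a file described as a template for secrets, placeholders avoid shipping a real subscriber's identifiers, and if these are real they also remain reachable in the history of the deleted file.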
diff --git a/roles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2 b/roles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2
@@ -1,4 +1,4 @@
 [exchange-accountcredentials-primary]
 WIRE_GATEWAY_AUTH_METHOD = token
-WIRE_GATEWAY_URL = "http://localhost:{{ LIBEUFIN_PORT }}/accounts/{{ LIBEUFIN_EXCHANGE_ACCOUNT }}/taler-wire-gateway/"
+WIRE_GATEWAY_URL = "http://localhost:{{ LIBEUFIN_PORT }}/taler-wire-gateway/"
 TOKEN = {{ EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN }}
diff --git a/roles/libeufin-nexus/files/etc/libeufin/libeufin-nexus.conf b/roles/libeufin-nexus/files/etc/libeufin/libeufin-nexus.conf
@@ -1,49 +0,0 @@
-# This is the main configuration entrypoint for the libeufin-nexus.
-
-[nexus-postgres]
-CONFIG = postgres:///libeufin
-
-[nexus-ebics]
-
-# Currency used by the bank where Nexus is client.
-CURRENCY = CHF
-
-# Base URL of the bank server.
-HOST_BASE_URL = https://isotest.postfinance.ch/ebicsweb/ebicsweb
-
-# EBICS host ID.
-HOST_ID = PFEBICS
-
-# EBICS user ID, as assigned by the bank.
-USER_ID = PFC00664
-
-# EBICS partner ID, as assigned by the bank.
-PARTNER_ID = PFC00664
-
-# EBICS partner ID, as assigned by the bank. # ???
-SYSTEM_ID = PFC00664
-
-# IBAN of the bank account that is associated with the EBICS subscriber.
-IBAN = CH9889144237951612671
-
-# BIC of the bank account that is associated with the EBICS subscriber
-BIC = POFICHBEXXX
-
-# Legal entity that is associated with the EBICS subscriber.
-NAME = "Taler Exchange Operator Legal Name"
-
-# EBICS version and ISO20022 recommendations that
-# Nexus would honor in the communication with the bank.
-BANK_DIALECT = "postfinance"
-
-# Exchange accounts bounce invalid incoming transactions.
-ACCOUNT_TYPE = exchange
-
-[nexus-fetch]
-FREQUENCY = 30s
-
-[nexus-submit]
-FREQUENCY = 30s
-
-[nexus-postgres]
-CONFIG=postgres:///libeufin
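Review bot: `TOKEN = {{ EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN }}` still comes from a playbook variable, while the nexus side in roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2 now sets `AUTH_BEARER_TOKEN` from the host-generated fact `ansible_local['libeufin-nexus-access-token']['AUTH_BEARER_TOKEN']`; unless EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN is populated from that same fact somewhere outside this diff, the exchange will present a token the wire gateway does not accept. If both roles run on the same host, `TOKEN = {{ ansible_local['libeufin-nexus-access-token']['AUTH_BEARER_TOKEN'] }}` ties the two sides to one secret. The shortened `WIRE_GATEWAY_URL` without the `/accounts/{{ LIBEUFIN_EXCHANGE_ACCOUNT }}/` segment appears to match the single `[nexus-httpd-wire-gateway-api]` listener in that template, which leaves `LIBEUFIN_EXCHANGE_ACCOUNT` unreferenced in this file.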
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -11,9 +11,18 @@
 path: "/etc/libeufin"
 state: directory
 
+- name: libeufin-nexus access secret setup
+ command: echo -e "[libeufin-nexus]\nAUTH_BEARER_TOKEN=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/libeufin-nexus-access-token.fact
+ args:
+# Ensures we only run when the file does not yet exist
+ creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact
+
+- name: libeufin-nexus: force ansible to regather just created fact(s)
+ setup: filter='libeufin-nexus'
+
 - name: Place libeufin-nexus config
- copy:
- src: etc/libeufin/libeufin-nexus.conf
+ ansible.builtin.template:
+ src: templates/etc/libeufin/libeufin-nexus.conf.j2
 dest: "/etc/libeufin/libeufin-nexus.conf"
 owner: root
 group: root
diff --git a/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2 b/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2
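Review bot: The `command:` module does not run its line through a shell, so the `$(dd … | gnunet-base32)` substitution and the `> /etc/ansible/facts.d/…` redirection in the new task are handed to `echo` as literal arguments and the fact file is never written; this needs `ansible.builtin.shell`. Once it is a shell command, the redirect creates a file holding a bearer token with the default umask (typically world-readable), so set `umask 077` first, and prefer `printf` over `echo -e`, whose handling of `-e` differs between `/bin/sh` implementations. The task name `libeufin-nexus: force ansible to regather just created fact(s)` contains `: ` and fails YAML parsing unless quoted, and `setup: filter='libeufin-nexus'` filters on top-level fact names, so `ansible_local` would stay ungathered and the template's lookup would fail; `filter: ansible_local` is what the following task relies on. Whether an earlier task creates `/etc/ansible/facts.d` is outside this hunk.
```yaml
- name: libeufin-nexus access secret setup
  ansible.builtin.shell: >-
    umask 077 &&
    printf '[libeufin-nexus]\nAUTH_BEARER_TOKEN=%s\n'
    "$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)"
    > /etc/ansible/facts.d/libeufin-nexus-access-token.fact
  args:
    # Ensures we only run when the file does not yet exist
    creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact

- name: "libeufin-nexus: force ansible to regather just created fact(s)"
  ansible.builtin.setup:
    filter: ansible_local

# … unchanged: Place libeufin-nexus config task …
```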
@@ -0,0 +1,59 @@
+# This is the main configuration entrypoint for the libeufin-nexus.
+
+[nexus-postgres]
+CONFIG = postgres:///libeufin
+
+[nexus-ebics]
+
+# Currency used by the bank where Nexus is client.
+CURRENCY = {{ CURRENCY }}
+
+# Base URL of the bank server.
+HOST_BASE_URL = {{ LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL }}
+
+# EBICS host ID.
+HOST_ID = {{ LIBEUFIN_NEXUS_EBICS_HOST_ID }}
+
+# EBICS user ID, as assigned by the bank.
+USER_ID = {{ LIBEUFIN_NEXUS_EBICS_USER_ID }}
+
+# EBICS partner ID, as assigned by the bank.
+PARTNER_ID = {{ LIBEUFIN_NEXUS_EBICS_PARTNER_ID }}
+
+# EBICS partner ID, as assigned by the bank. # ???
+SYSTEM_ID = {{ LIBEUFIN_NEXUS_EBICS_SYSTEM_ID }}
+
+# IBAN of the bank account that is associated with the EBICS subscriber.
+IBAN = {{ EXCHANGE_BANK_ACCOUNT_IBAN }}
+
+# BIC of the bank account that is associated with the EBICS subscriber
+BIC = {{ EXCHANGE_BANK_ACCOUNT_BIC }}
+
+# Legal entity that is associated with the EBICS subscriber.
+NAME = {{ EXCHANGE_OPERATOR_LEGAL_NAME }}
+
+# EBICS version and ISO20022 recommendations that
+# Nexus would honor in the communication with the bank.
+BANK_DIALECT = {{ LIBEUFIN_NEXUS_BANK_DIALECT }}
+
+# Exchange accounts bounce invalid incoming transactions.
+ACCOUNT_TYPE = exchange
+
+[nexus-fetch]
+FREQUENCY = 30s
+
+[nexus-submit]
+FREQUENCY = 30s
+
+[nexus-httpd]
+SERVE = tcp
+PORT = {{ LIBEUFIN_PORT }}
+BIND_TO = 127.0.0.1
+
+[nexus-postgres]
+CONFIG=postgres:///libeufin
+
+[nexus-httpd-wire-gateway-api]
+ENABLED = YES
+AUTH_METHOD = bearer-token
+AUTH_BEARER_TOKEN = {{ ansible_local['libeufin-nexus-access-token']['AUTH_BEARER_TOKEN'] }}
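Review bot: `NAME = {{ EXCHANGE_OPERATOR_LEGAL_NAME }}` and `BANK_DIALECT = {{ LIBEUFIN_NEXUS_BANK_DIALECT }}` drop the double quotes the removed static libeufin-nexus.conf had around these two values, so a legal name containing spaces is now rendered unquoted; write them as `NAME = "{{ EXCHANGE_OPERATOR_LEGAL_NAME }}"` and `BANK_DIALECT = "{{ LIBEUFIN_NEXUS_BANK_DIALECT }}"` unless the nexus config parser is known to accept unquoted spaces. The comment over `SYSTEM_ID` still repeats the PARTNER_ID text with a trailing `# ???`; `# EBICS system ID.` at least documents the key it sits on. `[nexus-postgres]` is declared twice with the same `CONFIG`, as the deleted file also did, and is worth collapsing into one section. The rendered file embeds the wire-gateway bearer token, so the `Place libeufin-nexus config` task in roles/libeufin-nexus/tasks/main.yml needs a restrictive `mode`; that task's mode line is outside this diff.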