commit 92d1ce05375f2cbe8b63fd3547c917bc20df54fe
parent cd8e9198fdce81f8e45996806cebcd1ce5e54fab
Author: Christian Grothoff <christian@grothoff.org>
Date: Sun, 23 Feb 2025 11:17:22 +0100
use technical users for libeufin import/export operations if running in manual mode
Diffstat:
13 files changed, 84 insertions(+), 111 deletions(-)
diff --git a/export.sh b/export.sh
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-mkdir -p exports
-ansible-playbook \
- --verbose \
- --inventory inventories/tops \
- --user root \
- playbooks/libeufin-export.yml
diff --git a/import.sh b/import.sh
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-set -eu
-if [ -z ${1:-} ]
-then
- echo "Call with CAMT file of transactions to import as second argument"
- exit 1
-fi
-
-
-mkdir -p exports
-ansible-playbook \
- --extra-vars "SOURCE=$1" \
- --verbose \
- --inventory inventories/tops \
- --user root \
- playbooks/libeufin-import.yml
diff --git a/playbooks/libeufin-export.yml b/playbooks/libeufin-export.yml
@@ -1,17 +0,0 @@
----
-- name: Export pending outgoing transactions from libeufin-nexus
- hosts: all
- roles:
- - libeufin-transaction-export
-
-- name: Unpack locally
- hosts: 127.0.0.1
- connection: local
- tasks:
- - name: unpack
- ansible.builtin.shell:
- cmd: "unzip spec.taler-ops.ch{{ hostvars['spec.taler-ops.ch']['exportfile']['path'] }}"
- chdir: "../exports/{{ hostvars['spec.taler-ops.ch']['today']['stdout'] }}"
-
-# FIXME: should replace spec.taler-ops.ch above with {{ TARGET_HOST_NAME }}
-# somehow.
diff --git a/playbooks/libeufin-import.yml b/playbooks/libeufin-import.yml
@@ -1,5 +0,0 @@
----
-- name: Import pending outgoing transactions from libeufin-nexus
- hosts: all
- roles:
- - libeufin-transaction-import
diff --git a/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-export b/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-export
@@ -0,0 +1 @@
+libeufin-bank-export ALL=(libeufin-bank:libeufin-bank) NOPASSWD: /usr/bin/libeufin-nexus ^export -$
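Review bot: The argument pattern `^export -$` depends on sudo's regular-expression matching of command arguments, which older sudo releases do not have; there the `^` and `$` are taken literally, the rule never matches, and the technical user can run nothing (fails closed, but silently breaks the workflow), so the sudo version on the targets should be checked or pinned. The same applies to the import rule in roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-import. The rule runs the binary as `libeufin-bank`, whereas the playbook removed by this commit ran `libeufin-nexus manual export` as the `libeufin-nexus` user; it is worth confirming that `libeufin-bank` can read the nexus configuration and database and that `export -` (stdin/stdout) is the intended subcommand form. A comment above the rule such as `# Only command the SSH technical user may run; argument match is a regex (needs a sudo release with regex support)` would record the intent.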
diff --git a/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-import b/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-import
@@ -0,0 +1 @@
+libeufin-bank-import ALL=(libeufin-bank:libeufin-bank) NOPASSWD: /usr/bin/libeufin-nexus ^import -$
diff --git a/roles/libeufin-nexus/files/home/libeufin-nexus-export/.ssh/authorized_keys b/roles/libeufin-nexus/files/home/libeufin-nexus-export/.ssh/authorized_keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoIegg0tBeGy7nm7yDtRhTkTeMsvmrFi7bkMwVd/Q5l grothoff@phoenix
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzUCTqBXvVePqQ83D+TLvolgTnM0rTYZCeH7/GCQ6xF dold+mb@taler.net
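Review bot: Both keys are installed without any authorized_keys options, so a key holder can still request port forwarding, agent forwarding, X11 forwarding or a pty even though the account's login shell is a fixed wrapper; prefixing each line with `restrict ` (OpenSSH 7.2 and later) switches all of those off and keeps the account limited to the wrapper. The same applies to roles/libeufin-nexus/files/home/libeufin-nexus-import/.ssh/authorized_keys. Note also that this file is deployed under /home/libeufin-nexus-export while the account created in roles/libeufin-nexus/tasks/main.yml is `libeufin-bank-export`; unless that user's home is set to this path, sshd will not consult the file.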
diff --git a/roles/libeufin-nexus/files/home/libeufin-nexus-import/.ssh/authorized_keys b/roles/libeufin-nexus/files/home/libeufin-nexus-import/.ssh/authorized_keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoIegg0tBeGy7nm7yDtRhTkTeMsvmrFi7bkMwVd/Q5l grothoff@phoenix
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzUCTqBXvVePqQ83D+TLvolgTnM0rTYZCeH7/GCQ6xF dold+mb@taler.net
diff --git a/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-export.sh b/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-export.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec sudo -u /usr/bin/libeufin-nexus libeufin-bank export -
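Review bot: `sudo -u /usr/bin/libeufin-nexus libeufin-bank export -` hands the binary path to `-u` as the target user and `libeufin-bank` as the command, so sudo rejects it as an unknown user and nothing matching the sudoers rule `(libeufin-bank:libeufin-bank) /usr/bin/libeufin-nexus ^export -$` ever runs; the line should read `exec sudo -u libeufin-bank /usr/bin/libeufin-nexus export -`. The import wrapper in roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-import.sh has the same swap. Because this script is the account's login shell, sshd invokes it as `script -c <command>` when the client supplies a command; the arguments are deliberately ignored, which is worth stating with a comment such as `# Login shell of the libeufin-bank-export technical user: ignores any client-supplied command and only runs the export`.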
diff --git a/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-import.sh b/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-import.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec sudo -u /usr/bin/libeufin-nexus libeufin-bank import -
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -92,3 +92,77 @@
state: started
enabled: true
when: ! use_ebics
+
+- name: Place login script for libeufin-bank-import technical user
+ ansible.builtin.copy:
+ src: files/usr/local/bin/libeufin-bank-import.sh
+ dest: "/usr/local/bin/libeufin-bank-import.sh"
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Place login script for libeufin-bank-export technical user
+ ansible.builtin.copy:
+ src: files/usr/local/bin/libeufin-bank-export.sh
+ dest: "/usr/local/bin/libeufin-bank-export.sh"
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Ensure group for libeufin-bank-import exists
+ group:
+ name: libeufin-bank-import
+ when: ! use_ebics
+
+- name: Ensure group for libeufin-bank-export exists
+ group:
+ name: libeufin-bank-export
+ when: ! use_ebics
+
+- name: Ensure technical user for libeufin-bank import exists
+ user:
+ name: libeufin-bank-import
+ group: libeufin-bank-import
+ shell: /usr/local/bin/libeufin-bank-import.sh
+ password: '!'
+ when: ! use_ebics
+
+- name: Ensure technical user for libeufin-bank export exists
+ user:
+ name: libeufin-bank-export
+ group: libeufin-bank-export
+ shell: /usr/local/bin/libeufin-bank-export.sh
+ password: '!'
+ when: ! use_ebics
+
+- name: Grant sudo rights to login script for importer
+ ansible.builtin.copy:
+ src: files/etc/sudoers.d/libeufin-bank-import
+ dest: "/etc/sudoers.d/libeufin-bank-import"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Grant sudo rights to login script for exporter
+ ansible.builtin.copy:
+ src: files/etc/sudoers.d/libeufin-bank-export
+ dest: "/etc/sudoers.d/libeufin-bank-export"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Allow technical users access to import acocunt.
+ ansible.builtin.copy:
+ src: files/home/libeufin-nexus-import/.ssh/authorized_keys
+ dest: "/home/libeufin-nexus-import/.ssh/authorized_keys"
+ owner: libeufin-nexus-import
+ group: libeufin-nexus-import
+ mode: 0644
+
+- name: Allow technical users access to export acocunt.
+ ansible.builtin.copy:
+ src: files/home/libeufin-nexus-export/.ssh/authorized_keys
+ dest: "/home/libeufin-nexus-export/.ssh/authorized_keys"
+ owner: libeufin-nexus-export
+ group: libeufin-nexus-export
+ mode: 0644
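Review bot: The two authorized_keys tasks write under /home/libeufin-nexus-import and /home/libeufin-nexus-export with owner `libeufin-nexus-import`/`libeufin-nexus-export`, but the accounts this hunk creates are `libeufin-bank-import` and `libeufin-bank-export`, and `ansible.builtin.copy` does not create a missing `.ssh` parent directory, so the task either fails on the absent owner/directory or leaves the keys where sshd will not look for them. Create `.ssh` (mode 0700) under the technical user's real home and point dest/owner/group at that user, as sketched below for the import side (the `acocunt` typo in the task name is fixed in passing); the export side mirrors it. Separately, `when: ! use_ebics` on the group and user tasks (and on the pre-existing context line above) is, as far as I can tell, read by YAML as the non-specific tag `!` applied to the scalar `use_ebics`, so Ansible evaluates `use_ebics` rather than its negation; `when: not use_ebics` states the intent unambiguously. The script and sudoers copy tasks carry no `when` at all, which may be deliberate but is inconsistent with the gated user tasks.
```yaml
# … unchanged: login scripts, groups, users, sudoers copies …

- name: Ensure .ssh directory for the libeufin-bank-import technical user
  ansible.builtin.file:
    path: /home/libeufin-bank-import/.ssh
    state: directory
    owner: libeufin-bank-import
    group: libeufin-bank-import
    mode: "0700"
  when: not use_ebics

- name: Allow technical users access to import account.
  ansible.builtin.copy:
    src: files/home/libeufin-nexus-import/.ssh/authorized_keys
    dest: "/home/libeufin-bank-import/.ssh/authorized_keys"
    owner: libeufin-bank-import
    group: libeufin-bank-import
    mode: "0644"
  when: not use_ebics

# … same pair of tasks for libeufin-bank-export …
```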
diff --git a/roles/libeufin-transaction-export/tasks/main.yml b/roles/libeufin-transaction-export/tasks/main.yml
@@ -1,31 +0,0 @@
----
-- name: Get current date
- ansible.builtin.shell:
- cmd: "date +%F"
- register: today
-
-- name: Create temporary file as destination for the export
- ansible.builtin.tempfile:
- path: /tmp
- prefix: "libeufin-transaction-export-{{ today.stdout }}-"
- suffix: .zip
- become: yes
- become_user: libeufin-nexus
- register: exportfile
-
-- name: Export from libeufin-nexus
- ansible.builtin.shell:
- cmd: "libeufin-nexus manual export {{ exportfile.path }}"
- become: yes
- become_user: libeufin-nexus
-
-- name: Fetch file to local system
- fetch:
- src: "{{ exportfile.path }}"
- dest: "../exports/{{ today.stdout }}"
-
-#- name: Remove the temporary file on the server
-# ansible.builtin.file:
-# path: "{{ exportfile.path }}"
-# state: absent
-# when: exportfile.path is defined
diff --git a/roles/libeufin-transaction-import/tasks/main.yml b/roles/libeufin-transaction-import/tasks/main.yml
@@ -1,31 +0,0 @@
----
-- name: Get current date
- ansible.builtin.shell:
- cmd: "date +%F"
- register: today
-
-- name: Create temporary file as destination for the import
- ansible.builtin.tempfile:
- path: /tmp
- prefix: "libeufin-transaction-import-{{ today.stdout }}-"
- suffix: .xml
- register: importfile
-
-- name: Push file to local system
- copy:
- src: "{{ SOURCE }}"
- dest: "{{ importfile.path }}"
- owner: libeufin-nexus
- mode: 400
-
-- name: Import into libeufin-nexus
- ansible.builtin.shell:
- cmd: "libeufin-nexus manual import {{ importfile.path }}"
- become: yes
- become_user: libeufin-nexus
-
-#- name: Remove the temporary file on the server
-# ansible.builtin.file:
-# path: "{{ importfile.path }}"
-# state: absent
-# when: importfile.path is defined