ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 999a0d73c08417f3cc5fbc56d76f5219046914f1
parent dd29e3ad83e0a491cff86b3e051e273e2cff0a24
Author: Christian Grothoff <christian@grothoff.org>
Date:   Tue, 24 Dec 2024 22:24:45 +0100

fix auditor permissions

Diffstat:
MREADME | 3+++
MTODO | 2--
Mroles/auditor/tasks/main.yml | 47+++++++++++++++++++++++++++++++++++++++++++----
Mroles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2 | 21+++++++++++++++++++++
Aroles/auditor/templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2 | 2++
Mroles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2 | 2--
6 files changed, 69 insertions(+), 8 deletions(-)

diff --git a/README b/README
@@ -6,6 +6,9 @@ First, install the prometheus collection using:
$ ansible-galaxy collection install prometheus.prometheus
+Depending on your local installation, you may also need:
+
+$ ansible-galaxy collection install community.postgresql
## Running the Playbook
diff --git a/TODO b/TODO
@@ -10,8 +10,6 @@ => right now uses Bearer token. Is that OK?
@CG:
-- auditor lacks rights to access exchange-DB
-- FIXMEs in auditor about configuration details (libeufin access!)
- add playbooks to TOPS to import/export libeufin transactions ----
diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml
@@ -94,15 +94,54 @@
group: root
mode: 0644
-# FIXME: copy over configs for exchange-database,
-# exchange-bank account and denominations to auditor/config.d/!
- - name: Setup Taler Auditor database
shell:
cmd: taler-auditor-dbconfig -c /etc/taler-auditor/taler-auditor.conf
chdir: /tmp
-# FIXME: grant auditor access to the *exchange* database!
+- name: Configure auditor access to exchange bank account
+ ansible.builtin.template:
+ src: templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2
+ dest: /etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf
+ owner: taler-auditor-httpd
+ group: root
+ mode: 0400
+
+- name: Grant access to exchange database
+ community.postgresql.postgresql_privs:
+ database: taler-exchange
+ state: present
+ privs: SELECT
+ schema: exchange
+ objs: ALL_IN_SCHEMA
+ role: taler-auditor-httpd
+ grant_option: false
+ become: yes
+ become_user: postgres
+
+- name: Grant access to exchange database versioning
+ community.postgresql.postgresql_privs:
+ database: taler-exchange
+ state: present
+ privs: SELECT
+ schema: _v
+ objs: ALL_IN_SCHEMA
+ role: taler-auditor-httpd
+ grant_option: false
+ become: yes
+ become_user: postgres
+
+- name: Grant usage to exchange database versioning
+ community.postgresql.postgresql_privs:
+ database: taler-exchange
+ state: present
+ privs: USAGE
+ type: schema
+ objs: _v
+ role: taler-auditor-httpd
+ grant_option: false
+ become: yes
+ become_user: postgres
- name: Ensure taler-auditor service is enabled and started
service:
diff --git a/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2 b/roles/auditor/templates/etc/taler-auditor/conf.d/taler-auditor-master.conf.j2
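Review bot: The three new grant tasks give taler-auditor-httpd SELECT on the tables in schema `exchange` and USAGE on schema `_v`, but no USAGE on the `exchange` schema itself; unless a grant outside this hunk already covers it, PostgreSQL will still reject the auditor's reads with a "permission denied for schema" error, so a fourth postgresql_privs task mirroring the `_v` USAGE task with `objs: exchange` is needed. Separately, `objs: ALL_IN_SCHEMA` only covers the tables that exist when the play runs, so tables created later by an exchange schema migration stay unreadable until the playbook is re-run; a `type: default_privs` grant with `objs: TABLES` and `target_roles` set to the role that owns the exchange schema would make the SELECT grant persistent. Keeping SELECT-only with `grant_option: false` is the right scope for an auditor role. The surrounding task list continues outside the hunk.
```yaml
# … unchanged: Configure auditor access to exchange bank account, Grant access tasks …
- name: Grant usage on exchange schema
  community.postgresql.postgresql_privs:
    database: taler-exchange
    state: present
    privs: USAGE
    type: schema
    objs: exchange
    role: taler-auditor-httpd
    grant_option: false
  become: yes
  become_user: postgres
# … unchanged: Ensure taler-auditor service is enabled and started …
```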
@@ -7,3 +7,24 @@ SERVE = unix
CURRENCY = {{ CURRENCY }}
CURRENCY_ROUND_UNIT = {{ CURRENCY_ROUND_UNIT }}
DB = postgres
+
+# Here you MUST add the master public key of the offline system
+# which you can get using `taler-exchange-offline setup`.
+MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}
+
+
+# Bank accounts used by the exchange should be specified here:
+[exchange-account-primary]
+
+ENABLE_CREDIT = YES
+ENABLE_DEBIT = YES
+
+# Account identifier in the form of an RFC-8905 payto:// URI.
+# For SEPA, looks like payto://sepa/$IBAN?receiver-name=$NAME
+# Make sure to URL-encode spaces in $NAME!
+PAYTO_URI = {{ EXCHANGE_BANK_ACCOUNT_PAYTO }}
+
+
+# Credentials to access the account are in a separate
+# config file with restricted permissions.
+@inline-secret@ exchange-accountcredentials-primary ../secrets/auditor-accountcredentials-primary.secret.conf
diff --git a/roles/auditor/templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2 b/roles/auditor/templates/etc/taler-auditor/secrets/auditor-accountcredentials-primary.secret.conf.j2
@@ -0,0 +1 @@
+../../../../../exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2
+\ No newline at end of file
diff --git a/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2 b/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
@@ -9,8 +9,6 @@ TINY_AMOUNT = {{ CURRENCY_ROUND_UNIT }}
# Here you MUST add the master public key of the offline system
# which you can get using `taler-exchange-offline setup`.
-# This is just an example, your key will be different!
-# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}
# Publicly visible base URL of the exchange.
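Review bot: The `@inline-secret@` line at the end of the hunk hands the auditor a copy of the exchange's own bank credentials — the new secrets template added in this commit is a symlink to `exchange-accountcredentials-primary.secret.conf.j2` — so the auditor process holds exactly the same bank access as the exchange, and the same hunk also sets `ENABLE_DEBIT = YES` for it. As far as I can tell the auditor only needs to read the account history, so if the bank (or libeufin) can issue a separate read-only credential for this account, the auditor should get its own secret file rather than a copy of the exchange's; if that is not possible, say so next to the inline line so a later maintainer does not "fix" the symlink into a second copy. A comment such as `# NOTE: currently shares the exchange's bank credentials; switch to a read-only credential for the auditor if the bank supports one.` above the `@inline-secret@` line would capture that.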