ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit a521f3edc7f12bcc90b6eed2d530f6e55eda7302
parent 6c911524e00db32fc403a0f3d6f19becf05ea0f6
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sat, 23 Nov 2024 20:38:38 +0100

more work on configs

Diffstat:
Mplaybooks/setup.yml | 2++
Mroles/libeufin-nexus/tasks/main.yml | 7++++++-
Mroles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2 | 2+-
Droles/libeufin-nexus/vars/main.yml | 7-------
Mroles/sms-challenger/tasks/main.yml | 24+++++++++++++++++++++---
Rroles/sms-challenger/files/etc/challenger/sms-challenger.conf -> roles/sms-challenger/templates/etc/challenger/sms-challenger.conf.j2 | 0
Aroles/sms-challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2 | 20++++++++++++++++++++
Aroles/webserver/templates/auditor-nginx.conf | 16++++++++++++++++
8 files changed, 66 insertions(+), 12 deletions(-)

diff --git a/playbooks/setup.yml b/playbooks/setup.yml
@@ -39,3 +39,5 @@
 LIBEUFIN_NEXUS_BANK_DIALECT="postfinance"
 # Business name of the exchange operator
 EXCHANGE_OPERATOR_LEGAL_NAME="Taler Exchange Operator Legal Name"
+# Where to send people after they passed KYC.
+ KYC_THANK_YOU_URL = https://taler-ops.ch/thank-you-kyc
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -11,6 +11,11 @@
 path: "/etc/libeufin"
 state: directory
 
+- name: Ensure Ansible facts directory dir exists
+ file:
+ path: "/etc/ansible/facts.d/"
+ state: directory
+
 - name: libeufin-nexus access secret setup
 command: echo -e "[libeufin-nexus]\nAUTH_BEARER_TOKEN=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/libeufin-nexus-access-token.fact
 args:
@@ -18,7 +23,7 @@
 creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact
 
 - name: libeufin-nexus: force ansible to regather just created fact(s)
- setup: filter='libeufin-nexus'
+ setup: filter='libeufin-nexus-access-token'
 
 - name: Place libeufin-nexus config
 ansible.builtin.template:
diff --git a/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2 b/roles/libeufin-nexus/templates/etc/libeufin/libeufin-nexus.conf.j2
@@ -56,4 +56,4 @@ CONFIG=postgres:///libeufin
 [nexus-httpd-wire-gateway-api]
 ENABLED = YES
 AUTH_METHOD = bearer-token
-AUTH_BEARER_TOKEN = {{ ansible_local['libeufin-nexus-access-token']['AUTH_BEARER_TOKEN'] }}
+AUTH_BEARER_TOKEN = {{ ansible_local['libeufin-nexus-access-token']['libeufin-nexus']['AUTH_BEARER_TOKEN'] }}
diff --git a/roles/libeufin-nexus/vars/main.yml b/roles/libeufin-nexus/vars/main.yml
@@ -1,7 +0,0 @@
-BANK_EXCHANGE_PASSWORD: xxxx
-BANK_ADMIN_PASSWORD: xxxx
-BANK_PORT: xxxx
-CURRENCY_NAME: xxxx
-IBAN: xxx
-HOSTNAME: XXXX
-TOS: yes/no
diff --git a/roles/sms-challenger/tasks/main.yml b/roles/sms-challenger/tasks/main.yml
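Review bot: The added `KYC_THANK_YOU_URL = https://taler-ops.ch/thank-you-kyc` line is written differently from the three settings above it, which all use the `NAME="value"` form with no spaces around `=` and a quoted value, and it also carries a leading space its neighbours do not have. If these lines are consumed as shell-style assignments, the spaces around `=` make the line an invalid assignment; `KYC_THANK_YOU_URL="https://taler-ops.ch/thank-you-kyc"` would follow the existing convention. The value is referenced as `{{ KYC_THANK_YOU_URL }}` in the new sms-challenger.conf.j2 template, so it must reach Ansible's variable scope the same way EXCHANGE_OPERATOR_LEGAL_NAME does; I cannot see from this hunk how that happens, and the enclosing block starts outside the hunk.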
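Review bot: `setup: filter='libeufin-nexus-access-token'` in the second hunk will, as far as I know, match nothing: the setup module's `filter` is matched against top-level fact names such as `ansible_local`, and custom facts from /etc/ansible/facts.d only appear nested under `ansible_local`, so the regather returns an empty fact set and the new `ansible_local['libeufin-nexus-access-token']['libeufin-nexus']['AUTH_BEARER_TOKEN']` lookup in the template still sees the facts gathered before the file existed. `setup: filter=ansible_local` is the form that refreshes local facts; the same correction applies to `setup: filter='sms-challenger-client-secret'` in roles/sms-challenger/tasks/main.yml. The new "Ensure Ansible facts directory dir exists" task is correctly ordered before the token is written, but the token file itself is created with the invoking user's umask; adding `mode: "0750"` to that task and prefixing the write with `umask 077;` would keep the bearer token from being world-readable.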
@@ -7,8 +7,8 @@
 update_cache: true
 
 - name: Place SMS challenger config
- copy:
- src: etc/challenger/challenger-sms.conf
+ ansible.builtin.template:
+ src: templates/etc/challenger/challenger-sms.conf.j2
 dest: "/etc/challenger/challenger-sms.conf"
 owner: root
 group: challenger-sms
@@ -24,11 +24,29 @@
 path: "/etc/ansible/facts.d/"
 state: directory
 
+- name: sms-challenger access secret setup
+ command: echo -e "[sms-challenger]\nCLIENT_SECRET=$(dd if=/dev/random count=1 bs=32 status=none | gnunet-base32)" > /etc/ansible/facts.d/sms-challenger-client-secret.fact
+ args:
+# Ensures we only run when the file does not yet exist
+ creates: /etc/ansible/facts.d/sms-challenger-client-secret.fact
+
+- name: sms-challenger: force ansible to regather just created fact(s)
+ setup: filter='sms-challenger-client-secret'
+
 - name: Setup SMS Challenger exchange account
 shell:
- cmd: challenger-admin -c /etc/challenger/sms-challenger.conf --quiet --add={{ EXCHANGE_SMS_CHALLENGER_TOKEN }} {{ EXCHANGE_HOSTNAME }}/FIXME | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger.fact
+ cmd: challenger-admin -c /etc/challenger/sms-challenger.conf --quiet --add={{ ansible_local['sms-challenger-client-secret']['sms-challenger']['CLIENT_SECRET'] }} {{ EXCHANGE_BASE_URL }}kyc-proof | awk '{print "[sms-challenger]\nCLIENT_ID="$1"\n\n"}' > /etc/ansible/facts.d/sms-challenger-client-id.fact
 chdir: /tmp
+- name: Place SMS challenger exchange config
+ ansible.builtin.template:
+ src: templates/etc/taler-exchange/config.d/sms-challenger.conf.j2
+ dest: "/etc/taler-exchange/config.d/sms-challenger.conf"
+ owner: root
+ group: challenger-sms
+ mode: 0640
+
+
 
 - name: Ensure SMS challenger service is enabled and started
 service:
 name: sms-challenger
diff --git a/roles/sms-challenger/files/etc/challenger/sms-challenger.conf b/roles/sms-challenger/templates/etc/challenger/sms-challenger.conf.j2
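Review bot: The new `src: templates/etc/challenger/challenger-sms.conf.j2` does not name a file this commit contains: the diffstat renames the template to `roles/sms-challenger/templates/etc/challenger/sms-challenger.conf.j2` (`sms-challenger`, not `challenger-sms`), so unless a `challenger-sms.conf.j2` exists outside this diff the template task fails with a file-not-found error. The unchanged `dest: "/etc/challenger/challenger-sms.conf"` has the same swap, while the shell task later in this file reads `-c /etc/challenger/sms-challenger.conf`, so even a successful render would land in a file that challenger-admin never opens. Settling on `src: etc/challenger/sms-challenger.conf.j2` and `dest: "/etc/challenger/sms-challenger.conf"` fixes both; the `templates/` prefix is unnecessary because the template module already searches the role's templates directory first. The task continues past the end of the hunk.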
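Review bot: The new `command: echo -e "[sms-challenger]\nCLIENT_SECRET=$(dd ...)" > /etc/ansible/facts.d/sms-challenger-client-secret.fact` task does not run through a shell, so `$(…)`, `|` and `>` reach echo as literal arguments: no fact file is written, `creates:` never matches, and the `ansible_local['sms-challenger-client-secret']` lookups in the following shell task and in the new config.d template fail on an undefined key; it needs `shell:` (the module the "Setup SMS Challenger exchange account" task already uses), preferably as `shell: umask 077; echo -e "..." > /etc/ansible/facts.d/sms-challenger-client-secret.fact` so the secret is not created world-readable (the pre-existing libeufin-nexus task has the same shape). Separately, the shell task now writes sms-challenger-client-id.fact, but the new "Place SMS challenger exchange config" task reads `ansible_local['sms-challenger-client-id']` with no `setup` regather in between, so on a fresh host that template renders against facts gathered before the file existed. That shell task also still has no `creates:`, so it re-runs `challenger-admin --add` and rewrites the client-id fact on every play, and it puts the client secret on the command line and into Ansible's output; `no_log: true` on both secret-handling tasks would keep it out of logs. Whether challenger-admin tolerates re-adding the same client I cannot tell from here.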
diff --git a/roles/sms-challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2 b/roles/sms-challenger/templates/etc/taler-exchange/config.d/sms-challenger.conf.j2
@@ -0,0 +1,20 @@
+[kyc-provider-sms-challenger]
+LOGIC = oauth2
+
+KYC_OAUTH2_VALIDITY = 2 years
+
+KYC_OAUTH2_AUTHORIZE_URL = https://sms.challenger.{{ DOMAIN_NAME }}/authorize#setup
+
+KYC_OAUTH2_TOKEN_URL = https://sms.challenger.{{ DOMAIN_NAME }}/token
+
+KYC_OAUTH2_INFO_URL = https://sms.challenger.{{ DOMAIN_NAME }}/info
+
+KYC_OAUTH2_CLIENT_ID = {{ ansible_local['sms-challenger-client-id']['sms-challenger']['CLIENT_ID'] }}
+
+KYC_OAUTH2_CLIENT_SECRET = {{ ansible_local['sms-challenger-client-secret']['sms-challenger']['CLIENT_SECRET'] }}
+
+KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }}
+
+KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat
+
+KYC_OAUTH2_DEBUG_MODE = YES
diff --git a/roles/webserver/templates/auditor-nginx.conf b/roles/webserver/templates/auditor-nginx.conf
@@ -0,0 +1,16 @@
+server {
+
+ listen 80;
+ listen [::]:80;
+
+ server_name auditor.{{ DOMAIN_NAME }};
+
+ # Bigger than default timeout to support long polling
+ proxy_read_timeout 6500s;
+ keepalive_requests 1000000;
+ keepalive_timeout 6500s;
+
+ location / {
+ proxy_pass http://unix:/var/run/taler/auditor-httpd/auditor-http.sock;
+ }
+}
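Review bot: `KYC_OAUTH2_DEBUG_MODE = YES` ships a debug switch turned on in a template for what the repository describes as a production exchange; if it is meant for bring-up only, drive it from a variable with a production default, e.g. `KYC_OAUTH2_DEBUG_MODE = {{ KYC_OAUTH2_DEBUG_MODE | default('NO') }}`, so it cannot be left enabled by accident. `KYC_OAUTH2_CONVERTER_HELPER = /usr/bin/cat` presumably passes the provider's /info response through unchanged and reads like a placeholder rather than a final converter; a comment naming the helper that is expected here would help the next maintainer. The two `ansible_local[...]` lookups assume both fact files have been regathered before this template is rendered, which the task order in roles/sms-challenger/tasks/main.yml does not yet guarantee for the client-id fact.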
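Review bot: The `location /` block proxies to the auditor socket without forwarding any request metadata — no `proxy_set_header Host $host;`, `X-Forwarded-Proto` or `X-Forwarded-Host` — so the backend cannot tell which scheme and host the client used; if taler-auditor-httpd derives its externally visible base URL from those headers (I cannot tell from this hunk), they need to be added here. The server listens only on port 80 with no TLS listener or redirect; if TLS is terminated by a later step that rewrites this file, a comment saying so would stop a reader from taking plain HTTP as the intended production endpoint. The comment above `proxy_read_timeout 6500s;` explains that directive but not the `keepalive_requests 1000000;` and `keepalive_timeout 6500s;` values below it; extending it to `# Bigger than default timeouts/limits to support long polling` would cover all three.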