commit aa06c0b1b7d4e56558cb982ef958c29ef4706a82
parent b759d5b5bccd6fa0ec5bc16fbd7905ed720b2691
Author: Christian Grothoff <christian@grothoff.org>
Date: Fri, 22 Nov 2024 20:50:54 +0100
work more on exchange setup
Diffstat:
7 files changed, 84 insertions(+), 8 deletions(-)
diff --git a/README b/README
@@ -5,12 +5,15 @@
To run the main playbook (playbooks/setup.yml):
```
-$ ansible-playbook --verbose -i <host>, --user root playbooks/setup.yml
+$ ansible-playbook --verbose -i <host>, --user root playbooks/setup.yml --extra-vars "@playbook/test-secrets.yml"
```
Instead of specifying the host(s) as arguments (note the trailing comma!)
you can pass an inventory file. See `inventories/`, and update accordingly.
+For production, replace the "test-secrets.yml" file with the actual secrets
+for your deployment.
+
## Testing Locally
With podman and ansible installed locally one can run `./test.sh`.
diff --git a/playbooks/setup.yml b/playbooks/setup.yml
@@ -13,4 +13,16 @@
# Note that we ONLY define those variables here that are NOT
# secrets. For secrets, test-secrets.yml contains a template.
vars:
- EXCHANGE_HOSTNAME= https://exchange.taler-ops.ch
+ EXCHANGE_BASE_URL="https://exchange.taler-ops.ch/"
+# Exchange offline master public key.
+ EXCHANGE_MASTER_PUB=
+# Name of Terms of service resource file
+ EXCHANGE_TERMS_ETAG="exchange-tos-v0"
+# Name of Privacy policy resource file
+ EXCHANGE_PP_ETAG="exchange-pp-v0"
+# Full Payto URI of exchange account (for credit and debit)
+ EXCHANGE_BANK_ACCOUNT_PAYTO="payto://iban/DE12345678?receiver-name=operator"
+# Port to be used by libeufin-nexus
+ LIBEUFIN_PORT=8082
+# Name of the exchange account at libeufin-nexus
+ LIBEUFIN_EXCHANGE_ACCOUNT="exchange"
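Review bot: The entries under `vars:` use `NAME=value` rather than YAML mapping syntax, so a YAML loader reads the indented run from `EXCHANGE_BASE_URL=...` down to `LIBEUFIN_EXCHANGE_ACCOUNT=...` as one folded plain scalar and Ansible will reject `vars` for not being a dictionary; each line needs a colon, e.g. `EXCHANGE_BASE_URL: "https://exchange.taler-ops.ch/"`, `LIBEUFIN_PORT: 8082`, and for the master key either `EXCHANGE_MASTER_PUB: ""` or, better, no default at all so that templating fails on the undefined variable instead of rendering an empty `MASTER_PUBLIC_KEY`. The same applies to the playbooks/test-secrets.yml hunk, which `--extra-vars "@file"` loads as YAML, so `EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1` must become `EXCHANGE_SMS_CHALLENGER_TOKEN: "SECRET1"` (likewise for `EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY`). The README's example path `@playbook/test-secrets.yml` also does not match the `playbooks/` directory the file lives in. The enclosing play begins before this hunk.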
diff --git a/playbooks/test-secrets.yml b/playbooks/test-secrets.yml
@@ -1 +1,4 @@
-EXCHAGNE_SMS_CHALLENGER_TOKEN=SECRET1
+# Secret token to use to authenticate to SMS challenger service.
+EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1
+# Symmetric encryption secret for KYC attribute encryption.
+EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY=SECRET2
diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml
@@ -6,11 +6,6 @@
state: latest
update_cache: true
-- name: Ensure Taler exchange config dir exists from installation
- file:
- path: "/etc/taler-exchange"
- state: directory
-
- name: Ensure Taler exchange virtualhost configuration file exists
template:
src: exchange-nginx.conf
@@ -21,15 +16,30 @@
copy:
src: etc/taler-exchange/taler-exchange.conf
dest: "/etc/taler-exchange/taler-exchange.conf"
+
+- name: Place taler-exchange business config
+ ansible.builtin.template:
+ src: templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
+ dest: "/etc/taler-exchange/conf.d/exchange-business.conf"
owner: root
group: root
mode: 0644
+- name: Place taler-exchange account credentials
+ ansible.builtin.template:
+ src: templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2
+ dest: "/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf"
+ owner: taler-exchange-wire
+ group: root
+ mode: 0400
+
- name: Setup Taler Exchange database
shell:
cmd: taler-exchange-dbconfig -c /etc/taler-exchange/taler-exchange.conf
chdir: /tmp
+# FIXME: change to templating, set proper virtual host from
+# EXCHANGE_BASE_URL or similar variables!
- name: Enable Taler exchange virtual host by creating symlink
file:
src: "/etc/nginx/sites-available/exchange-nginx.conf"
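Review bot: Inserting the new `Place taler-exchange business config` task between the `dest:` line of the taler-exchange.conf `copy` task and its `owner`/`group`/`mode` lines moves those three settings onto the new template task and leaves the copy task without them, which does not look intended; give the template task its own `owner: root`, `group: root`, `mode: "0644"` after its `dest:` and keep the original three lines with the copy task. `ansible.builtin.template` does not create parent directories, so `/etc/taler-exchange/conf.d` and `/etc/taler-exchange/secrets` must already exist with suitable permissions (the secrets directory should not be world-traversable); the task that ensured the config directory existed is removed in the earlier hunk of this file, so this presumably relies on the package install — worth confirming. Quoting the modes as strings (`mode: "0400"`) avoids the YAML 1.1 octal-literal reading and matches ansible-lint's recommendation.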
diff --git a/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2 b/roles/exchange/templates/etc/taler-exchange/conf.d/exchange-business.conf.j2
@@ -0,0 +1,40 @@
+# Configuration for business-level aspects of the exchange.
+
+[exchange]
+
+# Here you MUST add the master public key of the offline system
+# which you can get using `taler-exchange-offline setup`.
+# This is just an example, your key will be different!
+# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
+MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}
+
+# Publicly visible base URL of the exchange.
+# BASE_URL = https://example.com/
+BASE_URL = {{ EXCHANGE_BASE_URL }}
+
+# Attribute encryption key for storing attributes encrypted
+# in the database. Should be a high-entropy nonce.
+ATTRIBUTE_ENCRYPTION_KEY = {{ EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY }}
+
+# For your terms of service and privacy policy, you should specify
+# an Etag that must be updated whenever there are significant
+# changes to either document. The format is up to you, what matters
+# is that the value is updated and never re-used. See the HTTP
+# specification on Etags.
+TERMS_ETAG = {{ EXCHANGE_TERMS_ETAG }}
+PRIVACY_ETAG = {{ EXCHANGE_PP_ETAG }}
+
+# Bank accounts used by the exchange should be specified here:
+[exchange-account-primary]
+
+ENABLE_CREDIT = YES
+ENABLE_DEBIT = YES
+
+# Account identifier in the form of an RFC-8905 payto:// URI.
+# For SEPA, looks like payto://sepa/$IBAN?receiver-name=$NAME
+# Make sure to URL-encode spaces in $NAME!
+PAYTO_URI = {{ EXCHANGE_BANK_ACCOUNT_PAYTO }}
+
+# Credentials to access the account are in a separate
+# config file with restricted permissions.
+@inline-secret@ exchange-accountcredentials-primary ../secrets/exchange-accountcredentials-primary.secret.conf
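Review bot: `ATTRIBUTE_ENCRYPTION_KEY = {{ EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY }}` writes the KYC attribute encryption secret into a file that the task in roles/exchange/tasks/main.yml installs root-owned with mode 0644, i.e. readable by every local user, while the wire-gateway credentials in the same template are deliberately split out via `@inline-secret@` into a 0400 file. Move this key into its own file under secrets/ with the same restricted ownership (owned by whichever exchange service user actually reads the business config — confirm against the service units) and pull it into the `[exchange]` section the same way, e.g. `@inline-secret@ exchange ../secrets/<attribute-key-file>.secret.conf` (file name is a placeholder). Separately, `MASTER_PUBLIC_KEY = {{ EXCHANGE_MASTER_PUB }}` renders as an empty value with the default given in setup.yml; an `ansible.builtin.assert` with `that: EXCHANGE_MASTER_PUB | length > 0` before the template task would fail the play early instead of deploying a non-functional exchange.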
diff --git a/roles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2 b/roles/exchange/templates/etc/taler-exchange/secrets/exchange-accountcredentials-primary.secret.conf.j2
@@ -0,0 +1,4 @@
+[exchange-accountcredentials-primary]
+WIRE_GATEWAY_AUTH_METHOD = token
+WIRE_GATEWAY_URL = "http://localhost:{{ LIBEUFIN_PORT }}/accounts/{{ LIBEUFIN_EXCHANGE_ACCOUNT }}/taler-wire-gateway/"
+TOKEN = {{ EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN }}
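Review bot: `TOKEN = {{ EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN }}` references a variable that neither playbooks/setup.yml nor playbooks/test-secrets.yml defines in this commit, so the `Place taler-exchange account credentials` task will abort on an undefined variable (Ansible's default) until the libeufin-nexus role sets it, and that role's new FIXME only plans to do so. Document the dependency at the top of the template, e.g. `{# Requires EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN, expected to be set as a fact by the libeufin-nexus role, which must run before the exchange role. #}`, and make sure the role order in setup.yml guarantees it — the play itself is outside this diff.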
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -29,3 +29,7 @@
become_user: libeufin-nexus
shell:
cmd: libeufin-nexus ebics-setup
+
+# FIXME: make sure we launch et {{ http://localhost:LIBEUFIN_PORT/ }}!
+# FIXME: create '{{ LIBEUFIN_EXCHANGE_ACCOUNT }}' account and
+# set fact for EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN
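Review bot: The first added FIXME wraps a literal URL in Jinja braces (`{{ http://localhost:LIBEUFIN_PORT/ }}`) and has a typo (`et`), which reads as if it were a template expression; since these are plain YAML comments, write them as prose: `# FIXME: ensure libeufin-nexus is started and listening at http://localhost:<LIBEUFIN_PORT>/`. The second FIXME describes the step that the exchange role's account-credentials template already depends on through EXCHANGE_WIRE_GATEWAY_ACCESS_TOKEN, so it is worth stating there that the exchange role cannot run until this is implemented. The enclosing task list starts before this hunk.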