commit c25162ee525504182801f1e6850a44234033bcbc
parent cf910f795d92926c0e495e5242c5e6251052ee40
Author: Christian Grothoff <christian@grothoff.org>
Date: Sat, 15 Feb 2025 14:53:36 +0100
add playbook for sanction list checking
Diffstat:
10 files changed, 102 insertions(+), 7 deletions(-)
diff --git a/README b/README
@@ -41,6 +41,18 @@ $ cat playbooks/tops-secrets.yml | gpg --encrypt \
--recipient me@fdold.eu > playbooks/tops-secrets.yml.gpg
+## Checking sanction lists
+
+Run
+
+$ ./sanction-check.sh $DEPLOYMENT $LIST
+
+where "$DEPLOYMENT" specifies the name of the deployment to
+use ("test" or "tops") and $LIST is the name of the sanction
+list file on the local disk. This script currently always
+uses the "tops" inventory.
+
+
## Setting up backups (TOPS-only for now)
First run:
diff --git a/deploy.sh b/deploy.sh
@@ -3,7 +3,7 @@ set -eu
if [ -z ${1:-} ]
then
- echo "Call with 'test' or 'prod' to select which secrets to use"
+ echo "Call with 'test' or 'tops' to select which secrets to use"
exit 1
fi
diff --git a/export.sh b/export.sh
@@ -3,4 +3,8 @@
set -eu
mkdir -p exports
-ansible-playbook --verbose --inventory inventories/tops --user root playbooks/libeufin-export.yml
+ansible-playbook \
+ --verbose \
+ --inventory inventories/tops \
+ --user root \
+ playbooks/libeufin-export.yml
diff --git a/import.sh b/import.sh
@@ -1,5 +1,17 @@
#!/bin/bash
set -eu
+if [ -z ${1:-} ]
+then
+ echo "Call with CAMT file of transactions to import as second argument"
+ exit 1
+fi
+
+
mkdir -p exports
-ansible-playbook --extra-vars "SOURCE=$1" --verbose --inventory inventories/tops --user root playbooks/libeufin-import.yml
+ansible-playbook \
+ --extra-vars "SOURCE=$1" \
+ --verbose \
+ --inventory inventories/tops \
+ --user root \
+ playbooks/libeufin-import.yml
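Review bot: The new usage check tests `$1` and the task consumes it as `SOURCE=$1`, yet the message tells the operator to pass the CAMT file "as second argument"; the text and the check disagree. The check also only tests for an empty string, not for a readable file, so a typo in the path is first reported by the remote copy step, and the unquoted `${1:-}` passes several words to `[` if the path contains spaces. I would fold both into one guard: `if [ ! -f "${1:-}" ]; then` / `echo "Call with CAMT file of transactions to import as first argument" >&2` / `exit 1; fi`. A path containing whitespace will presumably still be split by ansible's `key=value` parsing of `--extra-vars`; if that matters, pass it as JSON (`--extra-vars "{\"SOURCE\": \"$1\"}"`) or document the limitation.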
diff --git a/playbooks/sanctionlist-check.yml b/playbooks/sanctionlist-check.yml
@@ -0,0 +1,5 @@
+---
+- name: Import a sanction list an run all records against it
+ hosts: all
+ roles:
+ - exchange-sanctionlist-import
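Review bot: `hosts: all` runs the import role on every host of the `tops` inventory, although the role's tasks chown files to `taler-exchange-httpd` and invoke `taler-exchange-sanctionscheck`, which presumably exist only on the exchange host; if the inventory holds other machines the play will fail or drop sanction-list copies where they are not needed, so a narrower target such as the exchange group is safer. The play name also has a typo: `- name: Import a sanction list and run all records against it`.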
diff --git a/playbooks/test-public.yml b/playbooks/test-public.yml
@@ -55,3 +55,5 @@ EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD: CHF:200
EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD: CHF:0
# Regex specifying allowed country names for the postal address check
EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"
+# Tool to use for sanction list checking
+EXCHANGE_SANCTION_HELPER: taler-exchange-helper-sanctions-dummy
diff --git a/playbooks/tops-public.yml b/playbooks/tops-public.yml
@@ -57,3 +57,5 @@ EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD: CHF:200
EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD: CHF:0
# Regex specifying allowed country names for the postal address check
EXCHANGE_AML_PROGRAM_TOPS_POSTAL_COUNTRY_REGEX: "CH|Ch|ch"
+# Tool to use for sanction list checking
+EXCHANGE_SANCTION_HELPER: taler-exchange-helper-sanctions-dummy
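Review bot: The production (`tops`) variables point the sanction check at `taler-exchange-helper-sanctions-dummy`, the same value as the test deployment; the name suggests a placeholder helper rather than one that matches records against a real list, in which case `sanction-check.sh tops …` would report a clean result on production without actually screening anyone. If that is the current state, the variable should say so rather than look like a finished configuration, e.g. `# FIXME: placeholder helper, does not perform real matching; replace before relying on this check in production` above the line, and the README section on sanction checking should carry the same caveat.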
diff --git a/roles/exchange-sanctionlist-import/tasks/main.yml b/roles/exchange-sanctionlist-import/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- name: Get current date
+ ansible.builtin.shell:
+ cmd: "date +%F"
+ register: today
+
+- name: Create temporary file as destination for the import
+ ansible.builtin.tempfile:
+ path: /tmp
+ prefix: "exchange-sanctionlist-import-{{ today.stdout }}-"
+ suffix: .xml
+ register: importfile
+
+- name: Push file to local system
+ copy:
+ src: "{{ SANCTION_LIST }}"
+ dest: "{{ importfile.path }}"
+ owner: taler-exchange-httpd
+ mode: 400
+
+- name: Check sanction list
+ ansible.builtin.shell:
+ cmd: "taler-exchange-sanctionscheck -- {{ EXCHANGE_SANCTION_HELPER }} {{ importfile.path }}"
+ become: yes
+ become_user: taler-exchange-httpd
+
+#- name: Remove the temporary file on the server
+# ansible.builtin.file:
+# path: "{{ importfile.path }}"
+# state: absent
+# when: importfile.path is defined
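Review bot: `mode: 400` in the copy task is an unquoted YAML integer, which Ansible reads as decimal 400 (octal 0620: owner read/write, group write) rather than the intended 0400; quote it as `mode: "0400"` so the sanction list is readable only by `taler-exchange-httpd`. The removal task at the end is commented out, so every run leaves a dated copy of the list in `/tmp` on the server; if that is deliberate for debugging, say so in a comment, otherwise re-enable it and run it unconditionally (e.g. in an `always:` section of a `block:`) so the file is also removed when the check task fails. The check itself needs nothing from a shell, so `ansible.builtin.command` with an `argv` list would avoid templating `{{ EXCHANGE_SANCTION_HELPER }}` and the temp path through `/bin/sh`.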
diff --git a/sanction-check.sh b/sanction-check.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -eu
+if [ -z ${1:-} ]
+then
+ echo "Call with 'test' or 'tops' as 1st argument to select which configuration to use"
+ exit 1
+fi
+if [ -z ${2:-} ]
+then
+ echo "Pass sanction list as 2nd argument"
+ exit 1
+fi
+if [ -f ${2:-} ]
+then
+ echo "Sanction list '$2' not found"
+ exit 1
+fi
+
+ansible-playbook \
+ --extra-vars "SANCTION_LIST=$2" \
+ --extra-vars "@playbooks/$1-public.yml" \
+ --verbose \
+ --inventory inventories/tops \
+ --user root \
+ playbooks/sanctionlist-check.yml
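Review bot: The file-existence guard is inverted: `if [ -f ${2:-} ]` succeeds when the list exists and then prints "not found" and exits, while a missing file slips through to ansible; it should read `if [ ! -f "$2" ]; then` (quoted, so a path with spaces does not become several arguments to `[`). The path is also handed to the role's `copy` task unchanged, and a relative `src` in `copy` is presumably resolved against the role's `files/` directory rather than the caller's working directory, so passing an absolute path is safer: `--extra-vars "SANCTION_LIST=$(realpath -- "$2")"`. The first argument is interpolated into `@playbooks/$1-public.yml` without being restricted to `test` or `tops`, which the usage message promises; a `case "$1" in test|tops) ;; *) exit 1 ;; esac` would make the failure explicit.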
diff --git a/setup-pixel-borg.sh b/setup-pixel-borg.sh
@@ -7,10 +7,11 @@ then
echo "You need to set the PIXEL_BORG_KEY in your environment before running this script (see admin-log/pixel/03-borg.txt)"
exit 1
fi
-ansible-playbook --extra-vars PIXEL_BORG_KEY="$PIXEL_BORG_KEY" \
- --inventory inventories/tops \
- --user root \
- playbooks/pixel-borg.yml
+ansible-playbook \
+ --extra-vars PIXEL_BORG_KEY="$PIXEL_BORG_KEY" \
+ --inventory inventories/tops \
+ --user root \
+ playbooks/pixel-borg.yml
mv borg-repokey/*/home/borg/borg-repo.key .
rm -rf borg-repokey/
echo "Make sure to back up the borg-repo.key to admin-log/pixel/borg-repo.key"