commit c2e829c88685853877d4a7b1bce3e284c0dda525
parent 92d1ce05375f2cbe8b63fd3547c917bc20df54fe
Author: Christian Grothoff <christian@grothoff.org>
Date: Sun, 23 Feb 2025 21:46:48 +0100
fix libeufin-manual import/export setup
Diffstat:
8 files changed, 43 insertions(+), 27 deletions(-)
diff --git a/playbooks/tops-public.yml b/playbooks/tops-public.yml
@@ -20,7 +20,7 @@ EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/"
# Base URL of the auditor REST API
AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/"
# Exchange offline master public key.
-EXCHANGE_MASTER_PUB: W91R2NPHGP9TD36EXCAWNTW63QHEED4P12SNTKPE1WD5YM6MVA40
+EXCHANGE_MASTER_PUB: 9V0G82S7JQW2ZRYF7BMGKKQ1TNR1VNVXZJSNQ2VSDGWC80D9W0YG
# Auditor offline public key.
AUDITOR_PUB: P6B7ZS7Y1Y12S0VP0PAJ1GQGSHW8RE4NSBTP8PR254J18SK24MH0
# URL with merchants accepting this exchange.
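Review bot: The replacement of EXCHANGE_MASTER_PUB on the `+` line is a rotation of the exchange's offline trust root, which is unrelated to the import/export fix the commit title describes and is easy to overlook inside this diff. Because every party that verifies exchange signatures has to be told about a master-key change, the new value deserves a comment next to it recording when and why it changed, e.g. `# Master key rotated on <DATE-PLACEHOLDER>; previous key W91R2NPHGP9TD36EXCAWNTW63QHEED4P12SNTKPE1WD5YM6MVA40 retired`. Splitting it into its own commit would also keep the history reviewable.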
diff --git a/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-export b/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-export
@@ -1 +0,0 @@
-libeufin-bank-export ALL=(libeufin-bank:libeufin-bank) NOPASSWD: /usr/bin/libeufin-nexus ^export -$
diff --git a/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-import b/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-bank-import
@@ -1 +0,0 @@
-libeufin-bank-import ALL=(libeufin-bank:libeufin-bank) NOPASSWD: /usr/bin/libeufin-nexus ^import -$
diff --git a/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-nexus-export b/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-nexus-export
@@ -0,0 +1 @@
+libeufin-nexus-export ALL=(libeufin-nexus:libeufin-nexus) NOPASSWD: /usr/bin/libeufin-nexus ^manual export -$
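Review bot: The command this entry authorizes, `/usr/bin/libeufin-nexus ^manual export -$`, is not the command the corresponding login script runs — libeufin-bank-export.sh in this same commit executes `sudo -u libeufin-nexus /usr/bin/libeufin-bank manual export -` — so sudo will reject the call and the technical user's session will fail rather than export anything; one of the two binaries is wrong and the sudoers entry and the script must name the same one. The import entry in the next file has the identical mismatch against libeufin-bank-import.sh. The Runas specification `(libeufin-nexus:libeufin-nexus)` does now agree with the `-u libeufin-nexus` in the scripts, which the deleted entries did not. Argument matching by anchored regular expression (`^…$`) is a relatively recent sudoers feature — I believe it needs sudo 1.9.10 or later — so a leading comment such as `# requires a sudo that supports regex command arguments (>= 1.9.10)` would save the next person a confusing "not allowed" on an older host.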
diff --git a/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-nexus-import b/roles/libeufin-nexus/files/etc/sudoers.d/libeufin-nexus-import
@@ -0,0 +1 @@
+libeufin-nexus-import ALL=(libeufin-nexus:libeufin-nexus) NOPASSWD: /usr/bin/libeufin-nexus ^manual import -$
diff --git a/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-export.sh b/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-export.sh
@@ -1,2 +1,2 @@
#!/bin/sh
-exec sudo -u /usr/bin/libeufin-nexus libeufin-bank export -
+exec sudo -u libeufin-nexus /usr/bin/libeufin-bank manual export -
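Review bot: This script is edited in place as files/usr/local/bin/libeufin-bank-export.sh, but the main.yml hunk in this commit now copies `src: files/usr/local/bin/libeufin-nexus-export.sh` (and likewise libeufin-nexus-import.sh), so unless the files were renamed outside this diff the copy tasks will fail on a missing source; the same applies to libeufin-bank-import.sh in the next hunk. The binary invoked here, `/usr/bin/libeufin-bank`, also differs from the `/usr/bin/libeufin-nexus` that the new sudoers entries allow, so sudo will refuse the command. Since this is a login shell for a locked account, making sudo fail fast instead of prompting is safer: `exec sudo -n -u libeufin-nexus /usr/bin/libeufin-bank manual export -` — with `-n` a policy mismatch produces an immediate error instead of a password prompt the user can never satisfy.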
diff --git a/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-import.sh b/roles/libeufin-nexus/files/usr/local/bin/libeufin-bank-import.sh
@@ -1,2 +1,2 @@
#!/bin/sh
-exec sudo -u /usr/bin/libeufin-nexus libeufin-bank import -
+exec sudo -u libeufin-nexus /usr/bin/libeufin-bank manual import -
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -93,64 +93,80 @@
enabled: true
when: ! use_ebics
-- name: Place login script for libeufin-bank-import technical user
+- name: Place login script for libeufin-nexus-import technical user
ansible.builtin.copy:
- src: files/usr/local/bin/libeufin-bank-import.sh
- dest: "/usr/local/bin/libeufin-bank-import.sh"
+ src: files/usr/local/bin/libeufin-nexus-import.sh
+ dest: "/usr/local/bin/libeufin-nexus-import.sh"
owner: root
group: root
mode: 0755
-- name: Place login script for libeufin-bank-export technical user
+- name: Place login script for libeufin-nexus-export technical user
ansible.builtin.copy:
- src: files/usr/local/bin/libeufin-bank-export.sh
- dest: "/usr/local/bin/libeufin-bank-export.sh"
+ src: files/usr/local/bin/libeufin-nexus-export.sh
+ dest: "/usr/local/bin/libeufin-nexus-export.sh"
owner: root
group: root
mode: 0755
-- name: Ensure group for libeufin-bank-import exists
+- name: Ensure group for libeufin-nexus-import exists
group:
- name: libeufin-bank-import
+ name: libeufin-nexus-import
when: ! use_ebics
-- name: Ensure group for libeufin-bank-export exists
+- name: Ensure group for libeufin-nexus-export exists
group:
- name: libeufin-bank-export
+ name: libeufin-nexus-export
when: ! use_ebics
-- name: Ensure technical user for libeufin-bank import exists
+- name: Ensure technical user for libeufin-nexus import exists
user:
- name: libeufin-bank-import
- group: libeufin-bank-import
- shell: /usr/local/bin/libeufin-bank-import.sh
+ name: libeufin-nexus-import
+ group: libeufin-nexus-import
+ shell: /usr/local/bin/libeufin-nexus-import.sh
password: '!'
when: ! use_ebics
-- name: Ensure technical user for libeufin-bank export exists
+- name: Ensure technical user for libeufin-nexus export exists
user:
- name: libeufin-bank-export
- group: libeufin-bank-export
- shell: /usr/local/bin/libeufin-bank-export.sh
+ name: libeufin-nexus-export
+ group: libeufin-nexus-export
+ shell: /usr/local/bin/libeufin-nexus-export.sh
password: '!'
when: ! use_ebics
- name: Grant sudo rights to login script for importer
ansible.builtin.copy:
- src: files/etc/sudoers.d/libeufin-bank-import
- dest: "/etc/sudoers.d/libeufin-bank-import"
+ src: files/etc/sudoers.d/libeufin-nexus-import
+ dest: "/etc/sudoers.d/libeufin-nexus-import"
owner: root
group: root
mode: 0644
- name: Grant sudo rights to login script for exporter
ansible.builtin.copy:
- src: files/etc/sudoers.d/libeufin-bank-export
- dest: "/etc/sudoers.d/libeufin-bank-export"
+ src: files/etc/sudoers.d/libeufin-nexus-export
+ dest: "/etc/sudoers.d/libeufin-nexus-export"
owner: root
group: root
mode: 0644
+- name: Ensure .ssh dir exists for libeufin-nexus-import user
+ file:
+ path: "/home/libeufin-nexus-import/.ssh/"
+ state: directory
+ owner: libeufin-nexus-import
+ group: libeufin-nexus-import
+ mode: 755
+
+- name: Ensure .ssh dir exists for libeufin-nexus-export user
+ file:
+ path: "/home/libeufin-nexus-export/.ssh/"
+ state: directory
+ owner: libeufin-nexus-export
+ group: libeufin-nexus-export
+ mode: 755
+
- name: Allow technical users access to import acocunt.
ansible.builtin.copy:
src: files/home/libeufin-nexus-import/.ssh/authorized_keys