commit d93b06a93e5b0e0ba9cf15cf9c06c22c9ce3ef84
parent 229e96029992309b2c007c41e99adaf269544f06
Author: Florian Dold <florian@dold.me>
Date: Tue, 24 Jun 2025 20:48:44 +0200
new GLS server, towards vault
Diffstat:
5 files changed, 112 insertions(+), 0 deletions(-)
diff --git a/.gitignore b/.gitignore
@@ -9,6 +9,9 @@ prod-secrets.yml
# keep ignoring it to prevent accidental commits of it.
tops-secrets.yml
+# Vault password file, gpg-encrypted in this repo.
+vault_pass.txt
+
# Text editor files
*~
.vscode
diff --git a/ansible.cfg b/ansible.cfg
@@ -11,3 +11,5 @@ stdout_callback = yaml
use_persistent_connections = True
pipelining = True
+
+vault_password_file: vault_pass.txt
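Review bot: The new `vault_password_file: vault_pass.txt` line uses `:` as the key/value separator while the surrounding settings in this ansible.cfg use `=` (`use_persistent_connections = True`, `pipelining = True`); Ansible's INI reader is configparser-based and presumably accepts both, but the line should be written `vault_password_file = vault_pass.txt` for consistency. Because vault_pass.txt is the decrypted plaintext of the committed vault_pass.txt.gpg and is only kept out of the repository by the .gitignore entry in this commit, a comment should record how it is produced and that it must stay local, e.g. `# plaintext decrypted locally from vault_pass.txt.gpg; never commit it`. If the workflow allows, an executable vault password script that decrypts the .gpg file on demand would avoid leaving the plaintext password on disk at all.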
diff --git a/inventories/default b/inventories/default
@@ -9,6 +9,9 @@ spec ansible_port=22 ansible_user=root ansible_host=spec.taler-ops.ch
rusty ansible_port=22 ansible_user=root ansible_host=rusty.taler-ops.ch
podman-localhost ansible_port=8022 ansible_host=127.0.0.1
+# GLS test server, behind VPN. Hostname is taler-root-01
+adacor-test-01 ansible_user=customer ansible_host=192.168.89.2
+
[testing]
rusty
podman-localhost
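Review bot: adacor-test-01 is added to the host list but to no group in this hunk, whereas the neighbouring hosts rusty and podman-localhost are also listed under `[testing]`; if group_vars or playbook targeting rely on group membership, the new host needs a group entry as well (cannot tell from this hunk whether the rest of the inventory adds one). The host also differs from the others in using `ansible_user=customer` instead of root, so privilege escalation may need to be configured for it — worth confirming against the playbooks. Since `ansible_host` is a bare VPN-only RFC1918 address and the alias differs from the machine's real hostname, the comment should say which VPN is required, e.g. `# GLS test server (adacor), reachable only via the <VPN name> tunnel; real hostname taler-root-01`.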
diff --git a/inventories/host_vars/adacor-test-01/config.yml b/inventories/host_vars/adacor-test-01/config.yml
@@ -0,0 +1,104 @@
+---
+# Pregenerated dhparam.pem is less secure
+# but significantly faster.
+USE_PREGENERATED_DHPARAM: true
+# No auditor (yet)
+deploy_auditor: false
+deploy_monitoring: false
+# We use EBICS to talk to the bank.
+use_ebics: true
+# Use externally created EBICS keys.
+ebics_keys_external: true
+# Main domain name.
+DOMAIN_NAME: "test.exchange.gls.de"
+# High-level kind of deployment.
+# Other customizations depend on this.
+# Can be "gls" or "tops" (later: "magnet")
+DEPLOYMENT_KIND: "gls"
+# Our internal hostname
+TARGET_HOST_NAME: "test.exchange.gls.de"
+# Disable restore from backup? MUST be set to "false" once in production!
+# This forces a backup to be provided *if* there is no database on the
+# target system already. If such a database exists, we will NOT restore
+# any backup even if this is 'false'. If no database exists on the target
+# system and this option is 'false', then a backup must have been provided
+# at the originating host (you get get it using the 'restore.sh' script).
+DISABLE_RESTORE_BACKUP: true
+# Use nightly Taler distro (true/false).
+USE_NIGHTLY: false
+# Our currency.
+CURRENCY: EUR
+# Smallest unit of the currency for wire transfers.
+CURRENCY_ROUND_UNIT: "EUR:0.01"
+# Base URL of the exchange REST API
+EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/"
+# Exchange offline master public key.
+EXCHANGE_MASTER_PUB: ABSERA9GY2RV0G12RZYTZ11WMG81ZRT8S9DTQJ8JNXXE5RXAKBF0
+# URL with merchants accepting this exchange.
+EXCHANGE_SHOPPING_URL: "https://shops.taler.gls.de/"
+# Name of Terms of service resource file
+EXCHANGE_TERMS_ETAG: "exchange-gls-tos-test-v3"
+# Name of Privacy policy resource file
+EXCHANGE_PP_ETAG: "exchange-pp-v0"
+# Full BIC of exchange account
+EXCHANGE_BANK_ACCOUNT_BIC: "GENODEM1GLS"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_IBAN: "DE88430609678937360305"
+# Full Payto URI of exchange account (for credit and debit)
+EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=GLS+Taler+Verrechnungskonto"
+# Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
+LIBEUFIN_PORT: 8082
+# Name of the exchange account at libeufin-nexus
+LIBEUFIN_EXCHANGE_ACCOUNT: "exchange"
+# Which KYC/AML rules to set up.
+# Name of the bank dialect
+LIBEUFIN_NEXUS_BANK_DIALECT: "gls"
+# SPA dialect (tops, gls, magnet, ...)
+EXCHANGE_SPA_DIALECT: "gls"
+# Business name of the exchange operator
+EXCHANGE_OPERATOR_LEGAL_NAME: "GLS Test"
+# Where to send people after they passed KYC.
+KYC_THANK_YOU_URL: https://taler.gls.de/thank-you-kyc
+# Tool to use for sanction list checking
+EXCHANGE_SANCTION_HELPER: taler-exchange-helper-sanctions-dummy
+
+# Secrets are inlined in this file.
+HAVE_SECRETS: true
+
+# Symmetric encryption secret for KYC attribute encryption.
+EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36663934633134656638303766343335666566656164643031346466653232623163666466653031
+ 3636643034313962613032646636666236333963616131610a336436356132333630626264613638
+ 36323430393931663934366335363334336163333665343332363562376462663961663265306335
+ 3762386231396233620a333430626337376432653739623961366631363836653737393033396230
+ 39313563333135363962656466643166313032303161323236346364306234633265363631343035
+ 3730363664306633323531386335306563373965663830353566
+
+# EBICS access details (public)
+LIBEUFIN_NEXUS_EBICS_BANK_DIALECT: "gls"
+LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL: https://ebics.multivia-suite.de/ebicsweb/ebicsweb
+LIBEUFIN_NEXUS_EBICS_HOST_ID: MULTIVIA
+
+# EBICS access details (secrets)
+LIBEUFIN_NEXUS_EBICS_USER_ID: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65333130663361313831656438363264373733363832376338633565653533303239356465636535
+ 6264616437396337323761373631653062393562636135380a386463383537353334333831613763
+ 32363665323539373162386239313133356634303737393766613663346461386136313334613936
+ 6133643261633133630a386332336463343466643535346536323730616163663436356531326463
+ 6562
+LIBEUFIN_NEXUS_EBICS_PARTNER_ID: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33346334386637393965656534636162633462303838636636616262366531663035323431626637
+ 3533333836353038393361666630376565656433626431320a613930393833343233363362616464
+ 64636633636633336633363466303566623934666634316164336164613731313737353231386337
+ 3438336664313733320a623366643232333666373030306339343766353661336566666531376437
+ 3439
+LIBEUFIN_NEXUS_EBICS_SYSTEM_ID: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62626237303264333130356565386432633261323936353136353335666338636335323763343135
+ 3465356539316430306336346666356535363165643061620a643237653532616262323535366237
+ 30333336326565343463356238333434373265353833626163313866623165376164393734323335
+ 3230623737333230310a333230356439363462623531323339633732353964656439636664653931
+ 6437
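Review bot: Two comments in the new config.yml are wrong or stale: the comment above `EXCHANGE_BANK_ACCOUNT_IBAN` reads "Full Payto URI of exchange account" (copied from the PAYTO entry just below it) and should be `# IBAN of the exchange account`, and `# Which KYC/AML rules to set up.` above `LIBEUFIN_NEXUS_BANK_DIALECT` has no variable under it and should be removed or paired with the rules variable it was meant to describe. `EXCHANGE_SANCTION_HELPER` is set to `taler-exchange-helper-sanctions-dummy`, which presumably performs no real sanctions screening; in the same style as the `DISABLE_RESTORE_BACKUP` note, the comment should state that this is test-only, e.g. `# Test-only dummy; MUST be replaced by the real sanctions helper before production!`. The `DISABLE_RESTORE_BACKUP` comment also has a typo ("you get get it").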
diff --git a/vault_pass.txt.gpg b/vault_pass.txt.gpg
Binary files differ.