commit d9688b33e1dce90b5071563afb799d94d8963dd6 parent 84e4701e69db6f1d8404ac7dabcb078fc23c743b Author: Florian Dold <florian@dold.me> Date: Tue, 24 Jun 2025 22:25:42 +0200 gls config Diffstat:
32 files changed, 101 insertions(+), 82 deletions(-)
diff --git a/inventories/group_vars/testing/test-public.yml b/inventories/group_vars/testing/test-public.yml @@ -3,7 +3,8 @@ # Deploy challenger? deploy_challenger: true # Main domain name. -DOMAIN_NAME: "topstest.fdold.eu" +domain_name: "topstest.fdold.eu" +exchange_domain: "exchange.{{ domain_name }}" # Use nightly Taler distro (true/false). USE_NIGHTLY: true # Deploy EBICS configuration (true/false). @@ -13,9 +14,9 @@ CURRENCY: CHF # Smallest unit of the currency for wire transfers. CURRENCY_ROUND_UNIT: "CHF:0.01" # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://{{ exchange_domain }}/" # Base URL of the auditor REST API -AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/" +AUDITOR_BASE_URL: "https://auditor.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: GT1ZRF6DT4RAETDEGW3KTWRH15RAKH9T0TK6ZJEYFGRX18B54AK0 # Auditor offline public key. diff --git a/inventories/host_vars/adacor-test-01/config.yml b/inventories/host_vars/adacor-test-01/config.yml @@ -10,7 +10,10 @@ use_ebics: true # Use externally created EBICS keys. ebics_keys_external: true # Main domain name. -DOMAIN_NAME: "test.exchange.gls.de" +domain_name: "test.exchange.gls.de" +exchange_domain: "test.exchange.gls.de" +# We bring our own certificates +exchange_use_letsencrypt: false # High-level kind of deployment. # Other customizations depend on this. # Can be "gls" or "tops" (later: "magnet") @@ -31,7 +34,7 @@ CURRENCY: EUR # Smallest unit of the currency for wire transfers. CURRENCY_ROUND_UNIT: "EUR:0.01" # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: ABSERA9GY2RV0G12RZYTZ11WMG81ZRT8S9DTQJ8JNXXE5RXAKBF0 # URL with merchants accepting this exchange. 
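Review bot: In the second adacor-test-01 hunk `EXCHANGE_BASE_URL` is still derived as `https://exchange.{{ domain_name }}/`, but the first hunk of the same file sets `domain_name` and `exchange_domain` both to `test.exchange.gls.de`, so the advertised base URL renders as `https://exchange.test.exchange.gls.de/` while the exchange nginx templates in this commit answer for `server_name {{ exchange_domain }}`, i.e. `test.exchange.gls.de`. The group_vars/testing hunk above already switched to `EXCHANGE_BASE_URL: "https://{{ exchange_domain }}/"`; this file needs the same line, `EXCHANGE_BASE_URL: "https://{{ exchange_domain }}/"`. Every other host_vars file in this commit that defines `exchange_domain` sets it to `exchange.{{ domain_name }}`, so the same form is equivalent there and keeps the published base URL and the served hostname from drifting apart again.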
diff --git a/inventories/host_vars/fdold-acai-gls/test-public.yml b/inventories/host_vars/fdold-acai-gls/test-public.yml @@ -10,7 +10,7 @@ use_ebics: true # Use externally created EBICS keys. ebics_keys_external: true # Main domain name. -DOMAIN_NAME: "glstest.taler.net" +domain_name: "glstest.taler.net" # High-level kind of deployment. # Other customizations depend on this. # Can be "gls" or "tops" (later: "magnet") @@ -31,7 +31,7 @@ CURRENCY: EUR # Smallest unit of the currency for wire transfers. CURRENCY_ROUND_UNIT: "EUR:0.01" # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: ABSERA9GY2RV0G12RZYTZ11WMG81ZRT8S9DTQJ8JNXXE5RXAKBF0 # URL with merchants accepting this exchange. diff --git a/inventories/host_vars/fdold-acai-tops/test-public.yml b/inventories/host_vars/fdold-acai-tops/test-public.yml @@ -4,7 +4,8 @@ USE_PREGENERATED_DHPARAM: true # Deploy challenger? deploy_challenger: true # Main domain name. -DOMAIN_NAME: "topstest.fdold.eu" +domain_name: "topstest.fdold.eu" +exchange_domain: "exchange.{{ domain_name }}" # Our internal hostname TARGET_HOST_NAME: "acai.box.fdold.eu" # Disable restore from backup? MUST be set to "false" once in production! @@ -23,9 +24,9 @@ CURRENCY: CHF # Smallest unit of the currency for wire transfers. CURRENCY_ROUND_UNIT: "CHF:0.01" # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/" # Base URL of the auditor REST API -AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/" +AUDITOR_BASE_URL: "https://auditor.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: GT1ZRF6DT4RAETDEGW3KTWRH15RAKH9T0TK6ZJEYFGRX18B54AK0 # Auditor offline public key. 
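Review bot: The fdold-acai-gls hunk renames `DOMAIN_NAME` to `domain_name` but, unlike the other host_vars files in this commit, does not define `exchange_domain`, and the new `roles/exchange/defaults/main.yml` only provides `exchange_use_letsencrypt`; unless this host picks `exchange_domain` up from a group_vars file (the testing group does define it), the exchange role's `wanted_cert_domains: - "{{ exchange_domain }}"` and the `server_name {{ exchange_domain }}` templates will fail on an undefined variable. Either add `exchange_domain: "exchange.{{ domain_name }}"` to this file, or give the exchange role a fallback by adding that same line to `roles/exchange/defaults/main.yml`, so hosts only need to override it when the exchange is not served from the `exchange.` subdomain.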
diff --git a/inventories/host_vars/fdold-guava-glsint/test-public.yml b/inventories/host_vars/fdold-guava-glsint/test-public.yml @@ -10,7 +10,8 @@ use_ebics: false # Use externally created EBICS keys. ebics_keys_external: false # Main domain name. -DOMAIN_NAME: "glsint.fdold.eu" +domain_name: "glsint.fdold.eu" +exchange_domain: "exchange.{{ domain_name }}" # High-level kind of deployment. # Other customizations depend on this. # Can be "gls" or "tops" (later: "magnet") @@ -31,7 +32,7 @@ CURRENCY: EUR # Smallest unit of the currency for wire transfers. CURRENCY_ROUND_UNIT: "EUR:0.01" # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: GW875YV09RZ743X045DNSQC7SFNF0G66707H7PT3TP0RWPAPR340 # URL with merchants accepting this exchange. diff --git a/inventories/host_vars/podman-localhost/test-public.yml b/inventories/host_vars/podman-localhost/test-public.yml @@ -1,7 +1,8 @@ --- # Public variables for a "test" deployment # Main domain name. -DOMAIN_NAME: "topstest.fdold.eu" +domain_name: "topstest.fdold.eu" +exchange_domain: "exchange.{{ domain_name }}" # Use nightly Taler distro (true/false). USE_NIGHTLY: true # Deploy EBICS configuration (true/false). @@ -11,9 +12,9 @@ CURRENCY: CHF # Smallest unit of the currency for wire transfers. CURRENCY_ROUND_UNIT: "CHF:0.01" # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/" # Base URL of the auditor REST API -AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/" +AUDITOR_BASE_URL: "https://auditor.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: GT1ZRF6DT4RAETDEGW3KTWRH15RAKH9T0TK6ZJEYFGRX18B54AK0 # Auditor offline public key. diff --git a/inventories/host_vars/rusty/test-public.yml b/inventories/host_vars/rusty/test-public.yml 
@@ -11,7 +11,8 @@ deploy_challenger: true # at the originating host (you get get it using the 'restore.sh' script). DISABLE_RESTORE_BACKUP: true # Main domain name. -DOMAIN_NAME: "stage.taler-ops.ch" +domain_name: "stage.taler-ops.ch" +exchange_domain: "exchange.{{ domain_name }}" # Our internal hostname TARGET_HOST_NAME: "rusty.taler-ops.ch" # Use nightly Taler distro (true/false). @@ -25,9 +26,9 @@ CURRENCY_ROUND_UNIT: "CHF:0.01" # Sanction list to use, comment out to disable SANCTION_LIST: sanctions-swiss.json # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/" # Base URL of the auditor REST API -AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/" +AUDITOR_BASE_URL: "https://auditor.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: GT1ZRF6DT4RAETDEGW3KTWRH15RAKH9T0TK6ZJEYFGRX18B54AK0 # Auditor offline public key. diff --git a/inventories/host_vars/spec/tops-public.yml b/inventories/host_vars/spec/tops-public.yml @@ -15,7 +15,8 @@ USE_EBICS: false # Write EBICS configuration (with values in secret config) configure_ebics: true # Main domain name. -DOMAIN_NAME: "taler-ops.ch" +domain_name: "taler-ops.ch" +exchange_domain: "exchange.{{ domain_name }}" # Our internal hostname TARGET_HOST_NAME: "spec.taler-ops.ch" # Use nightly Taler distro (true/false). @@ -29,9 +30,9 @@ CURRENCY_ROUND_UNIT: "CHF:0.01" # Sanction list to use, comment out to disable # SANCTION_LIST: sanctions-swiss.json # Base URL of the exchange REST API -EXCHANGE_BASE_URL: "https://exchange.{{ DOMAIN_NAME }}/" +EXCHANGE_BASE_URL: "https://exchange.{{ domain_name }}/" # Base URL of the auditor REST API -AUDITOR_BASE_URL: "https://auditor.{{ DOMAIN_NAME }}/" +AUDITOR_BASE_URL: "https://auditor.{{ domain_name }}/" # Exchange offline master public key. EXCHANGE_MASTER_PUB: 9V0G82S7JQW2ZRYF7BMGKKQ1TNR1VNVXZJSNQ2VSDGWC80D9W0YG # Auditor offline public key. 
diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml @@ -51,7 +51,7 @@ vars: cert_name: auditor wanted_cert_domains: - - "auditor.{{ DOMAIN_NAME }}" + - "auditor.{{ domain_name }}" nginx_sites: - auditor-http.conf - auditor-nginx.conf diff --git a/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2 b/roles/auditor/templates/etc/nginx/sites-available/auditor-http.conf.j2 @@ -3,10 +3,10 @@ server { listen 80; listen [::]:80; - server_name auditor.{{ DOMAIN_NAME }}; + server_name auditor.{{ domain_name }}; - error_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}-http.err; - access_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}-http.log; + error_log /var/log/nginx/auditor.{{ domain_name }}-http.err; + access_log /var/log/nginx/auditor.{{ domain_name }}-http.log; location / { return 301 https://$host$request_uri; diff --git a/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 b/roles/auditor/templates/etc/nginx/sites-available/auditor-nginx.conf.j2 @@ -5,7 +5,7 @@ server { # Do not identify as nginx server_tokens off; - server_name auditor.{{ DOMAIN_NAME }}; + server_name auditor.{{ domain_name }}; ssl_certificate /etc/letsencrypt/live/auditor/fullchain.pem; @@ -26,10 +26,10 @@ server { if ($http_user_agent ~* "Bytedance|bytespider|Amazonbot|Claude|Anthropic|AI|GPT|acebook") { return 451 ; } - error_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}.err; - access_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}.log; + error_log /var/log/nginx/auditor.{{ domain_name }}.err; + access_log /var/log/nginx/auditor.{{ domain_name }}.log; - access_log /var/log/nginx/auditor.{{ DOMAIN_NAME }}.tal taler if=$log_perf; + access_log /var/log/nginx/auditor.{{ domain_name }}.tal taler if=$log_perf; location / { # Most of the API we will put behind simple access control for now. if ($http_authorization != "Bearer {{ AUDITOR_ACCESS_TOKEN }}") { diff --git a/roles/cert/tasks/main.yml b/roles/cert/tasks/main.yml 
@@ -1,7 +1,7 @@ --- # Create certs with certbot and the nginx plugin. # Required vars: -# - DOMAIN_NAME: send e-mails to admin@{{ DOMAIN_NAME }} +# - domain_name: send e-mails to admin@{{ domain_name }} # - cert_name: name of the certbot certificate # - wanted_cert_domains: list of domains to issue a cert for # - nginx_sites: nginx sites that use this domain, enabled when @@ -59,7 +59,7 @@ - --noninteractive - --agree-tos - --email - - admin@{{ DOMAIN_NAME }} + - admin@{{ domain_name }} domain_args: "{{ wanted_cert_domains | product(['-d']) | map('reverse') | flatten | list }}" - name: Enable nginx sites diff --git a/roles/challenger/tasks/pre-exchange.yml b/roles/challenger/tasks/pre-exchange.yml @@ -332,9 +332,9 @@ vars: cert_name: challenger wanted_cert_domains: - - "sms.challenger.{{ DOMAIN_NAME }}" - - "email.challenger.{{ DOMAIN_NAME }}" - - "postal.challenger.{{ DOMAIN_NAME }}" + - "sms.challenger.{{ domain_name }}" + - "email.challenger.{{ domain_name }}" + - "postal.challenger.{{ domain_name }}" nginx_sites: - sms-challenger-nginx.conf - postal-challenger-nginx.conf diff --git a/roles/challenger/templates/etc/challenger/challenger-email.conf.j2 b/roles/challenger/templates/etc/challenger/challenger-email.conf.j2 @@ -25,7 +25,7 @@ MESSAGE_TEMPLATE_FILE = /etc/challenger/email-message-template.txt # Publicly visible base URL of the challenger. # BASE_URL = https://example.com/ -BASE_URL = https://email.challenger.{{ DOMAIN_NAME }}/ +BASE_URL = https://email.challenger.{{ domain_name }}/ # What address type are we validating? (phone, email, address, etc.) # A template of the form 'enter-$ADDRESS_TYPE-form' must diff --git a/roles/challenger/templates/etc/challenger/challenger-postal.conf.j2 b/roles/challenger/templates/etc/challenger/challenger-postal.conf.j2 
@@ -16,7 +16,7 @@ AUTH_COMMAND = /usr/bin/challenger-send-post.sh # Publicly visible base URL of the challenger. # BASE_URL = https://example.com/ -BASE_URL = https://postal.challenger.{{ DOMAIN_NAME }}/ +BASE_URL = https://postal.challenger.{{ domain_name }}/ # How long is an individual validation request valid? VALIDATION_DURATION = 45d diff --git a/roles/challenger/templates/etc/challenger/challenger-sms.conf.j2 b/roles/challenger/templates/etc/challenger/challenger-sms.conf.j2 @@ -19,7 +19,7 @@ MESSAGE_TEMPLATE_FILE = /etc/challenger/sms-message-template.txt # Publicly visible base URL of the challenger. # BASE_URL = https://example.com/ -BASE_URL = https://sms.challenger.{{ DOMAIN_NAME }}/ +BASE_URL = https://sms.challenger.{{ domain_name }}/ # What address type are we validating? (phone, email, address, etc.) # A template of the form 'enter-$ADDRESS_TYPE-form' must diff --git a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-http.conf.j2 @@ -3,10 +3,10 @@ server { listen 80; listen [::]:80; - server_name email.challenger.{{ DOMAIN_NAME }}; + server_name email.challenger.{{ domain_name }}; - error_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}-http.err; - access_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}-http.log; + error_log /var/log/nginx/email.challenger.{{ domain_name }}-http.err; + access_log /var/log/nginx/email.challenger.{{ domain_name }}-http.log; location / { return 301 https://$host$request_uri; diff --git a/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2 @@ -5,7 +5,7 @@ server { # Do not identify as nginx server_tokens off; - server_name email.challenger.{{ DOMAIN_NAME }}; + server_name email.challenger.{{ domain_name }}; include conf.d/challenger-tls.conf.inc; 
@@ -16,10 +16,10 @@ server { if ($http_user_agent ~* "Bytedance|bytespider|Amazonbot|Claude|Anthropic|AI|GPT|acebook") { return 451 ; } - error_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}.err; - access_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}.log apm; + error_log /var/log/nginx/email.challenger.{{ domain_name }}.err; + access_log /var/log/nginx/email.challenger.{{ domain_name }}.log apm; - access_log /var/log/nginx/email.challenger.{{ DOMAIN_NAME }}.tal taler if=$log_perf; + access_log /var/log/nginx/email.challenger.{{ domain_name }}.tal taler if=$log_perf; location / { proxy_pass http://unix:/var/run/challenger-email/challenger-http.sock; diff --git a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-http.conf.j2 @@ -3,10 +3,10 @@ server { listen 80; listen [::]:80; - server_name postal.challenger.{{ DOMAIN_NAME }}; + server_name postal.challenger.{{ domain_name }}; - error_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}-http.err; - access_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}-http.log; + error_log /var/log/nginx/postal.challenger.{{ domain_name }}-http.err; + access_log /var/log/nginx/postal.challenger.{{ domain_name }}-http.log; location / { return 301 https://$host$request_uri; diff --git a/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2 @@ -5,7 +5,7 @@ server { # Do not identify as nginx server_tokens off; - server_name postal.challenger.{{ DOMAIN_NAME }}; + server_name postal.challenger.{{ domain_name }}; include conf.d/challenger-tls.conf.inc; 
@@ -16,10 +16,10 @@ server { keepalive_requests 10000; keepalive_timeout 650s; - error_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}.err; - access_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}.log apm; + error_log /var/log/nginx/postal.challenger.{{ domain_name }}.err; + access_log /var/log/nginx/postal.challenger.{{ domain_name }}.log apm; - access_log /var/log/nginx/postal.challenger.{{ DOMAIN_NAME }}.tal taler if=$log_perf; + access_log /var/log/nginx/postal.challenger.{{ domain_name }}.tal taler if=$log_perf; location / { proxy_pass http://unix:/var/run/challenger-postal/challenger-http.sock; diff --git a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-http.conf.j2 @@ -3,10 +3,10 @@ server { listen 80; listen [::]:80; - server_name sms.challenger.{{ DOMAIN_NAME }}; + server_name sms.challenger.{{ domain_name }}; - error_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}-http.err; - access_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}-http.log; + error_log /var/log/nginx/sms.challenger.{{ domain_name }}-http.err; + access_log /var/log/nginx/sms.challenger.{{ domain_name }}-http.log; location / { return 301 https://$host$request_uri; diff --git a/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2 b/roles/challenger/templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2 @@ -5,7 +5,7 @@ server { # Do not identify as nginx server_tokens off; - server_name sms.challenger.{{ DOMAIN_NAME }}; + server_name sms.challenger.{{ domain_name }}; include conf.d/challenger-tls.conf.inc; 
@@ -16,10 +16,10 @@ server { keepalive_requests 10000; keepalive_timeout 650s; - error_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}.err; - access_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}.log apm; + error_log /var/log/nginx/sms.challenger.{{ domain_name }}.err; + access_log /var/log/nginx/sms.challenger.{{ domain_name }}.log apm; - access_log /var/log/nginx/sms.challenger.{{ DOMAIN_NAME }}.tal taler if=$log_perf; + access_log /var/log/nginx/sms.challenger.{{ domain_name }}.tal taler if=$log_perf; location / { proxy_pass http://unix:/var/run/challenger-sms/challenger-http.sock; diff --git a/roles/challenger/templates/etc/taler-exchange/secrets/challenger-email.secret.conf.j2 b/roles/challenger/templates/etc/taler-exchange/secrets/challenger-email.secret.conf.j2 @@ -1,9 +1,9 @@ [kyc-provider-email-challenger] LOGIC = oauth2 KYC_OAUTH2_VALIDITY = 2 years -KYC_OAUTH2_AUTHORIZE_URL = https://email.challenger.{{ DOMAIN_NAME }}/authorize#setup -KYC_OAUTH2_TOKEN_URL = https://email.challenger.{{ DOMAIN_NAME }}/token -KYC_OAUTH2_INFO_URL = https://email.challenger.{{ DOMAIN_NAME }}/info +KYC_OAUTH2_AUTHORIZE_URL = https://email.challenger.{{ domain_name }}/authorize#setup +KYC_OAUTH2_TOKEN_URL = https://email.challenger.{{ domain_name }}/token +KYC_OAUTH2_INFO_URL = https://email.challenger.{{ domain_name }}/info KYC_OAUTH2_CLIENT_ID = {{ ansible_local['email-challenger-client-id'] }} KYC_OAUTH2_CLIENT_SECRET = {{ ansible_local['email-challenger-client-secret'] }} KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }} diff --git a/roles/challenger/templates/etc/taler-exchange/secrets/challenger-postal.secret.conf.j2 b/roles/challenger/templates/etc/taler-exchange/secrets/challenger-postal.secret.conf.j2 
@@ -1,9 +1,9 @@ [kyc-provider-postal-challenger] LOGIC = oauth2 KYC_OAUTH2_VALIDITY = 2 years -KYC_OAUTH2_AUTHORIZE_URL = https://postal.challenger.{{ DOMAIN_NAME }}/authorize#setup -KYC_OAUTH2_TOKEN_URL = https://postal.challenger.{{ DOMAIN_NAME }}/token -KYC_OAUTH2_INFO_URL = https://postal.challenger.{{ DOMAIN_NAME }}/info +KYC_OAUTH2_AUTHORIZE_URL = https://postal.challenger.{{ domain_name }}/authorize#setup +KYC_OAUTH2_TOKEN_URL = https://postal.challenger.{{ domain_name }}/token +KYC_OAUTH2_INFO_URL = https://postal.challenger.{{ domain_name }}/info KYC_OAUTH2_CLIENT_ID = {{ ansible_local['postal-challenger-client-id'] }} KYC_OAUTH2_CLIENT_SECRET = {{ ansible_local['postal-challenger-client-secret'] }} KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }} diff --git a/roles/challenger/templates/etc/taler-exchange/secrets/challenger-sms.secret.conf.j2 b/roles/challenger/templates/etc/taler-exchange/secrets/challenger-sms.secret.conf.j2 @@ -1,9 +1,9 @@ [kyc-provider-sms-challenger] LOGIC = oauth2 KYC_OAUTH2_VALIDITY = 2 years -KYC_OAUTH2_AUTHORIZE_URL = https://sms.challenger.{{ DOMAIN_NAME }}/authorize#setup -KYC_OAUTH2_TOKEN_URL = https://sms.challenger.{{ DOMAIN_NAME }}/token -KYC_OAUTH2_INFO_URL = https://sms.challenger.{{ DOMAIN_NAME }}/info +KYC_OAUTH2_AUTHORIZE_URL = https://sms.challenger.{{ domain_name }}/authorize#setup +KYC_OAUTH2_TOKEN_URL = https://sms.challenger.{{ domain_name }}/token +KYC_OAUTH2_INFO_URL = https://sms.challenger.{{ domain_name }}/info KYC_OAUTH2_CLIENT_ID = {{ ansible_local['sms-challenger-client-id'] }} KYC_OAUTH2_CLIENT_SECRET = {{ ansible_local['sms-challenger-client-secret'] }} KYC_OAUTH2_POST_URL = {{ KYC_THANK_YOU_URL }} diff --git a/roles/exchange/defaults/main.yml b/roles/exchange/defaults/main.yml @@ -0,0 +1 @@ +exchange_use_letsencrypt: true +\ No newline at end of file diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml 
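Review bot: The new `roles/exchange/defaults/main.yml` is written without a trailing newline (the `\ No newline at end of file` marker) and without the `---` document start that the other YAML files in this commit use (podman-localhost/test-public.yml and roles/cert/tasks/main.yml both start with it); write it as `---`, then `exchange_use_letsencrypt: true`, then a final newline so yamllint and later appends do not trip over it. A one-line comment above the key, `# Set to false when the host ships its own certificate and key under /etc/nginx/ssl/`, would also record what the flag switches, since that is only discoverable from the exchange nginx template today.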
@@ -41,12 +41,13 @@ mode: "0644" - name: Secure the exchange site with Letsencrypt + when: exchange_use_letsencrypt ansible.builtin.include_role: name: cert vars: cert_name: exchange wanted_cert_domains: - - "exchange.{{ DOMAIN_NAME }}" + - "{{ exchange_domain }}" nginx_sites: - exchange-http.conf - exchange-nginx.conf diff --git a/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2 b/roles/exchange/templates/etc/nginx/sites-available/exchange-http.conf.j2 @@ -3,10 +3,10 @@ server { listen 80; listen [::]:80; - server_name exchange.{{ DOMAIN_NAME }}; + server_name {{ exchange_domain }}; - error_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}-http.err; - access_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}-http.log; + error_log /var/log/nginx/{{ exchange_domain }}-http.err; + access_log /var/log/nginx/{{ exchange_domain }}-http.log; location / { return 301 https://$host$request_uri; diff --git a/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2 b/roles/exchange/templates/etc/nginx/sites-available/exchange-nginx.conf.j2 @@ -5,11 +5,18 @@ server { # Do not identify as nginx server_tokens off; - server_name exchange.{{ DOMAIN_NAME }}; + server_name {{ exchange_domain }}; +{%if exchange_use_letsencrypt %} ssl_certificate /etc/letsencrypt/live/exchange/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/exchange/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/exchange/chain.pem; +{% else %} + ssl_certificate /etc/nginx/ssl/taler-exchange.crt; + ssl_certificate_key /etc/nginx/ssl/taler-exchange.key; +{% endif %} + + ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/private/dhparam.pem; 
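Review bot: The new `when: exchange_use_letsencrypt` skips the entire `cert` include, and the cert role's header comment (`nginx_sites: nginx sites that use this domain, enabled when …`) together with its `Enable nginx sites` task suggests that include is also what enables `exchange-http.conf` and `exchange-nginx.conf`; if so, a host with `exchange_use_letsencrypt: false` (adacor-test-01 in this commit) renders the sites but never enables them. Nothing in the commit deploys or checks the `/etc/nginx/ssl/taler-exchange.crt` and `.key` that the non-Letsencrypt template branch references either, so a missing file would only surface as a failed `nginx -t` at reload time. Keep the guarded include, enable the two sites in a separate unguarded step that mirrors what the cert role does, and fail early when the operator-supplied files are absent, as sketched below. The task list continues outside the hunk.
```yaml
- name: Secure the exchange site with Letsencrypt
  when: exchange_use_letsencrypt
  # … unchanged: include_role cert with cert_name / wanted_cert_domains / nginx_sites …

- name: Check for operator-provided exchange TLS files
  when: not exchange_use_letsencrypt
  ansible.builtin.stat:
    path: "{{ item }}"
  loop:
    - /etc/nginx/ssl/taler-exchange.crt
    - /etc/nginx/ssl/taler-exchange.key
  register: exchange_tls_files

- name: Fail early when an operator-provided exchange TLS file is missing
  when: not exchange_use_letsencrypt
  ansible.builtin.assert:
    that: item.stat.exists
    fail_msg: "exchange_use_letsencrypt is false but {{ item.item }} is missing"
  loop: "{{ exchange_tls_files.results }}"

# … enable exchange-http.conf / exchange-nginx.conf here, unguarded, the same way the
# cert role's "Enable nginx sites" task does …
```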
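Review bot: In exchange-nginx.conf.j2 the new `{% else %}` branch sets only `ssl_certificate` and `ssl_certificate_key`, while the Letsencrypt branch also keeps `ssl_trusted_certificate`; nginx uses that file to verify OCSP responses when `ssl_stapling_verify` is on, so if stapling is enabled further down this server block (not visible in the hunk) the self-provided path will staple nothing and warn at reload. Either add `ssl_trusted_certificate /etc/nginx/ssl/taler-exchange-chain.pem;` (placeholder name — whatever chain file the operator ships) to the else branch, or state in the host_vars comment that `taler-exchange.crt` must contain the full chain. As a point of style, `{%if exchange_use_letsencrypt %}` lacks the space after `{%` that the `{% else %}` and `{% endif %}` tags use; write `{% if exchange_use_letsencrypt %}`. The server block continues outside the hunk.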
@@ -23,10 +30,10 @@ server { keepalive_requests 1000000; keepalive_timeout 6500s; - error_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}.err; - access_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}.log; + error_log /var/log/nginx/{{ exchange_domain }}.err; + access_log /var/log/nginx/{{ exchange_domain }}.log; - access_log /var/log/nginx/exchange.{{ DOMAIN_NAME }}.tal taler if=$log_perf; + access_log /var/log/nginx/{{ exchange_domain }}.tal taler if=$log_perf; location / { proxy_pass http://unix:/var/run/taler-exchange/httpd/exchange-http.sock; diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml @@ -85,7 +85,7 @@ vars: cert_name: monitoring wanted_cert_domains: - - "monitoring.{{ DOMAIN_NAME }}" + - "monitoring.{{ domain_name }}" nginx_sites: - monitoring-nginx.conf - monitoring-http.conf diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-http.conf.j2 @@ -3,10 +3,10 @@ server { listen 80; listen [::]:80; - server_name monitoring.{{ DOMAIN_NAME }}; + server_name monitoring.{{ domain_name }}; - error_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}-http.err; - access_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}-http.log; + error_log /var/log/nginx/monitoring.{{ domain_name }}-http.err; + access_log /var/log/nginx/monitoring.{{ domain_name }}-http.log; location / { return 301 https://$host$request_uri; diff --git a/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 b/roles/monitoring/templates/etc/nginx/sites-available/monitoring-nginx.conf.j2 @@ -5,7 +5,7 @@ server { # Do not identify as nginx server_tokens off; - server_name monitoring.{{ DOMAIN_NAME }}; + server_name monitoring.{{ domain_name }}; ssl_certificate /etc/letsencrypt/live/monitoring/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/monitoring/privkey.pem; 
@@ -18,8 +18,8 @@ server { add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - error_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.err; - access_log /var/log/nginx/monitoring.{{ DOMAIN_NAME }}.log; + error_log /var/log/nginx/monitoring.{{ domain_name }}.err; + access_log /var/log/nginx/monitoring.{{ domain_name }}.log; location /prometheus/ { if ($http_authorization != "Bearer {{ PROMETHEUS_ACCESS_TOKEN }}") {