ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit ee3f9300ce2bb8a83c0b247bc4455d0a813b5025
parent 948dc202506016b0534e65c5ec229d3efe28fb37
Author: Christian Grothoff <christian@grothoff.org>
Date:   Wed, 20 Nov 2024 09:53:31 +0100

restructure roles

Diffstat:
Mplaybooks/setup.yml | 4+++-
Aroles/auditor/files/etc/taler-auditor/taler-auditor.conf | 45+++++++++++++++++++++++++++++++++++++++++++++
Aroles/auditor/tasks/main.yml | 18++++++++++++++++++
Aroles/auditor/templates/taler-auditor.conf | 2++
Aroles/auditor/vars/main.yml | 3+++
Aroles/email-challenger/files/etc/challenger/email-challenger.conf | 22++++++++++++++++++++++
Aroles/email-challenger/tasks/main.yml | 42++++++++++++++++++++++++++++++++++++++++++
Aroles/exchange/files/etc/taler-exchange/taler-exchange.conf | 45+++++++++++++++++++++++++++++++++++++++++++++
Aroles/exchange/tasks/main.yml | 31+++++++++++++++++++++++++++++++
Aroles/exchange/vars/main.yml | 4++++
Aroles/libeufin-nexus/files/etc/libeufin/libeufin-nexus.conf | 49+++++++++++++++++++++++++++++++++++++++++++++++++
Aroles/libeufin-nexus/tasks/main.yml | 31+++++++++++++++++++++++++++++++
Aroles/postal-challenger/files/etc/challenger/postal-challenger.conf | 22++++++++++++++++++++++
Aroles/postal-challenger/tasks/main.yml | 24++++++++++++++++++++++++
Aroles/sms-challenger/files/etc/challenger/sms-challenger.conf | 22++++++++++++++++++++++
Aroles/sms-challenger/tasks/main.yml | 42++++++++++++++++++++++++++++++++++++++++++
Mroles/taler-packages/tasks/main.yml | 1-
Mroles/webserver/tasks/main.yml | 13-------------
18 files changed, 405 insertions(+), 15 deletions(-)

diff --git a/playbooks/setup.yml b/playbooks/setup.yml
@@ -7,4 +7,6 @@
 - webserver
 - database
 - taler-packages
- - configuration
+ - libeufin-nexus
+ - exchange
+ - auditor
diff --git a/roles/auditor/files/etc/taler-auditor/taler-auditor.conf b/roles/auditor/files/etc/taler-auditor/taler-auditor.conf
@@ -0,0 +1,45 @@
+# Main entry point for the GNU Taler configuration.
+#
+# Structure:
+# - taler.conf is the main configuration entry point
+# used by all Taler components (the file you are currently
+# looking at.
+# - overrides.conf contains configuration overrides that are
+# set by some tools that help with the configuration,
+# and should not be edited by humans. Comments in this file
+# are not preserved.
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration.
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it. All files in it should end with
+# ".secret.conf".
+
+[paths]
+
+TALER_HOME = /var/lib/taler-exchange/
+TALER_RUNTIME_DIR = /run/taler-exchange/
+TALER_CACHE_HOME = /var/cache/taler-exchange/
+TALER_CONFIG_HOME = /etc/taler-exchange/
+TALER_DATA_HOME = /var/lib/taler-exchange/
+
+[exchange]
+
+# Currency of the Taler deployment. This setting applies to all Taler
+# components that only support a single currency.
+currency = CHF
+
+# Smallest currency unit handled by the underlying bank system. Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+currency_round_unit = CHF:0.01
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf
+
+# Overrides from tools that help with configuration.
+@inline@ overrides.conf
diff --git a/roles/auditor/tasks/main.yml b/roles/auditor/tasks/main.yml
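Review bot: The `[paths]` block of this auditor configuration points every directory at the exchange's locations (`TALER_CONFIG_HOME = /etc/taler-exchange/`, `TALER_DATA_HOME = /var/lib/taler-exchange/`) although roles/auditor/tasks installs the file under /etc/taler-auditor/; the file is otherwise identical to roles/exchange/files/etc/taler-exchange/taler-exchange.conf, so this reads as copy-paste rather than intent. If the auditor is meant to share the exchange's configuration tree, state that in a comment above `[paths]`; otherwise give it auditor-specific paths so its data and runtime directories are not the exchange's. The header also describes a `secrets/` directory with restrictive permissions, but nothing in this file includes anything from it, so a reader cannot tell where credentials are expected to live.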
@@ -0,0 +1,18 @@
+---
+- name: Ensure Taler auditor config dir exists from installation
+ file:
+ path: "/etc/taler-auditor"
+ state: directory
+
+- name: Place taler-auditor config
+ copy:
+ src: etc/taler-auditor/taler-auditor.conf
+ dest: "/etc/taler-auditor/taler-auditor.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Setup Taler Auditor database
+ shell:
+ cmd: taler-auditor-dbconfig -c /etc/taler-auditor/taler-auditor.conf
+ chdir: /tmp
diff --git a/roles/auditor/templates/taler-auditor.conf b/roles/auditor/templates/taler-auditor.conf
@@ -0,0 +1,2 @@
+[auditor]
+PUBLIC_KEY = $AUDITOR_PUB
diff --git a/roles/auditor/vars/main.yml b/roles/auditor/vars/main.yml
@@ -0,0 +1,3 @@
+BANK_EXCHANGE_PASSWORD: xxxx
+BANK_PORT: xxxx
+
diff --git a/roles/email-challenger/files/etc/challenger/email-challenger.conf b/roles/email-challenger/files/etc/challenger/email-challenger.conf
@@ -0,0 +1,22 @@
+# General settings for the backend.
+[challenger]
+
+# Use TCP or UNIX domain sockets?
+SERVE = UNIX
+
+# Which unix domain path should we bind to? Only used if "SERVE" is 'unix'.
+UNIXPATH = /var/run/challenger-email/challenger-http.sock
+
+# What should be the file access permissions (see chmod) for "UNIXPATH"?
+UNIXPATH_MODE = 660
+
+# Which external command should be used to transmit challenges?
+# Example commands are challenger-send-{sms,email,post}.sh
+AUTH_COMMAND = challenger-send-email.sh
+
+# What address type are we validating? (phone, email, address, etc.)
+# A template of the form 'enter-$ADDRESS_TYPE-form' must
+# exist and the field names must be supported by the
+# AUTH_COMMAND.
+#
+ADDRESS_TYPE = email
diff --git a/roles/email-challenger/tasks/main.yml b/roles/email-challenger/tasks/main.yml
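Review bot: `taler-auditor-dbconfig` in the last task runs through `shell` on every play with no `creates:` or `changed_when:`, so the role is never idempotent and always reports a change; the command needs no shell features, so `command:` with the same `cmd:`/`chdir:` plus a guard is the safer form. The same pattern is used for `taler-exchange-dbconfig` in roles/exchange/tasks/main.yml and `libeufin-dbconfig` in roles/libeufin-nexus/tasks/main.yml. Separately, the `templates/taler-auditor.conf` added by this commit (`PUBLIC_KEY = $AUDITOR_PUB`) is rendered by no task here, and `$AUDITOR_PUB` is not Jinja2 syntax, so even a `template:` task would write the literal string; a task rendering a variable (e.g. `{{ auditor_pub }}`, name to be chosen) into the auditor config is missing.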
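Review bot: `BANK_EXCHANGE_PASSWORD: xxxx` and `BANK_PORT: xxxx` are placeholders committed in the role's `vars/main.yml`, which in Ansible's precedence overrides inventory and group_vars, so a real password set per host would be silently replaced by `xxxx` whenever this role runs. Either move them to `defaults/main.yml` so they can be overridden, or drop them and require the values from a vault-encrypted host/group vars file; in neither case should a credential be a plaintext value in a role's vars. roles/exchange/vars/main.yml (which adds `HOSTNAME: XXXX` as well) has the same problem. Nothing in this diff reads these variables, which is worth confirming before keeping them.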
@@ -0,0 +1,42 @@
+---
+- name: Ensure taler exchange config dir exists from installation
+ file:
+ path: "/etc/taler-exchange"
+ state: directory
+
+- name: Ensure libeufin config dir exists from installation
+ file:
+ path: "/etc/libeufin"
+ state: directory
+
+- name: Place libeufin-nexus config
+ copy:
+ src: etc/libeufin/libeufin-nexus.conf
+ dest: "/etc/libeufin/libeufin-nexus.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Place taler-exchange config
+ copy:
+ src: etc/taler-exchange/taler-exchange.conf
+ dest: "/etc/taler-exchange/taler-exchange.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Setup libeufin database
+ shell:
+ cmd: libeufin-dbconfig --only-nexus
+ chdir: /tmp
+
+- name: Setup Taler Exchange database
+ shell:
+ cmd: taler-exchange-dbconfig
+ chdir: /tmp
+
+- name: EBICS setup
+ become: yes
+ become_user: libeufin-nexus
+ shell:
+ cmd: libeufin-nexus ebics-setup
diff --git a/roles/exchange/files/etc/taler-exchange/taler-exchange.conf b/roles/exchange/files/etc/taler-exchange/taler-exchange.conf
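Review bot: This tasks file does not deploy the email challenger: it copies `etc/libeufin/libeufin-nexus.conf` and `etc/taler-exchange/taler-exchange.conf`, which this role's `files/` does not contain (the commit adds only `etc/challenger/email-challenger.conf` there), so `copy` will fail on a missing source unless those files are found elsewhere in the lookup path, and it then re-runs the exchange/nexus database setup and `libeufin-nexus ebics-setup` that roles/exchange and roles/libeufin-nexus already own. The `email-challenger.conf` added in the same commit is never installed. roles/sms-challenger/tasks/main.yml and roles/postal-challenger/tasks/main.yml carry the same copy of the exchange tasks. The role should place its own configuration and leave exchange/nexus setup to those roles; the challenger's own database setup (presumably `challenger-dbconfig`) still has to be added once its tooling is confirmed.
```yaml
---
- name: Ensure challenger config dir exists
  file:
    path: "/etc/challenger"
    state: directory

- name: Place email-challenger config
  copy:
    src: etc/challenger/email-challenger.conf
    dest: "/etc/challenger/email-challenger.conf"
    owner: root
    group: root
    mode: 0644

# … challenger package install and database setup (to be confirmed against the challenger's own tooling) …
```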
@@ -0,0 +1,45 @@
+# Main entry point for the GNU Taler configuration.
+#
+# Structure:
+# - taler.conf is the main configuration entry point
+# used by all Taler components (the file you are currently
+# looking at.
+# - overrides.conf contains configuration overrides that are
+# set by some tools that help with the configuration,
+# and should not be edited by humans. Comments in this file
+# are not preserved.
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration.
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it. All files in it should end with
+# ".secret.conf".
+
+[paths]
+
+TALER_HOME = /var/lib/taler-exchange/
+TALER_RUNTIME_DIR = /run/taler-exchange/
+TALER_CACHE_HOME = /var/cache/taler-exchange/
+TALER_CONFIG_HOME = /etc/taler-exchange/
+TALER_DATA_HOME = /var/lib/taler-exchange/
+
+[exchange]
+
+# Currency of the Taler deployment. This setting applies to all Taler
+# components that only support a single currency.
+currency = CHF
+
+# Smallest currency unit handled by the underlying bank system. Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+currency_round_unit = CHF:0.01
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf
+
+# Overrides from tools that help with configuration.
+@inline@ overrides.conf
diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml
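Review bot: The header comment in this new file is unclosed at `(the file you are currently` / `looking at.` (missing `)`), and the `currency_round_unit` comment reads `smaller than this units` and `interactions with external systems is always rounded`; a file this commit introduces should not ship with those. More substantively, the header promises a `secrets/` directory whose files are readable only by the owning service, yet the role copies this file with `mode: 0644` and nothing here includes such a secrets file, so a reader is left to guess whether bank credentials are expected under `conf.d/` (world-readable) or elsewhere; a comment naming the intended secret file would settle it.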
@@ -0,0 +1,31 @@
+---
+- name: Ensure Taler exchange config dir exists from installation
+ file:
+ path: "/etc/taler-exchange"
+ state: directory
+
+- name: Ensure Taler exchange virtualhost configuration file exists
+ template:
+ src: exchange-nginx.conf
+ dest: "/etc/nginx/sites-available/exchange-nginx.conf"
+ notify: restart nginx
+
+- name: Place taler-exchange config
+ copy:
+ src: etc/taler-exchange/taler-exchange.conf
+ dest: "/etc/taler-exchange/taler-exchange.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Setup Taler Exchange database
+ shell:
+ cmd: taler-exchange-dbconfig -c /etc/taler-exchange/taler-exchange.conf
+ chdir: /tmp
+
+- name: Enable Taler exchange virtual host by creating symlink
+ file:
+ src: "/etc/nginx/sites-available/exchange-nginx.conf"
+ dest: "/etc/nginx/sites-enabled/exchange-nginx.conf"
+ state: link
+ notify: restart nginx
diff --git a/roles/exchange/vars/main.yml b/roles/exchange/vars/main.yml
@@ -0,0 +1,4 @@
+BANK_EXCHANGE_PASSWORD: xxxx
+BANK_PORT: xxxx
+HOSTNAME: XXXX
+
diff --git a/roles/libeufin-nexus/files/etc/libeufin/libeufin-nexus.conf b/roles/libeufin-nexus/files/etc/libeufin/libeufin-nexus.conf
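Review bot: The `template: src: exchange-nginx.conf` task will not find its template: this commit removes the equivalent tasks from roles/webserver but adds no `roles/exchange/templates/exchange-nginx.conf` (none of the 18 files in the diffstat is it), and Ansible resolves `template` sources against the running role's own `templates/` directory, not another role's. Either move the template into roles/exchange/templates in the same commit or keep the nginx virtual-host tasks in roles/webserver. Until then the play fails at this task before the exchange configuration is placed.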
@@ -0,0 +1,49 @@
+# This is the main configuration entrypoint for the libeufin-nexus.
+
+[nexus-postgres]
+CONFIG = postgres:///libeufin
+
+[nexus-ebics]
+
+# Currency used by the bank where Nexus is client.
+CURRENCY = CHF
+
+# Base URL of the bank server.
+HOST_BASE_URL = https://isotest.postfinance.ch/ebicsweb/ebicsweb
+
+# EBICS host ID.
+HOST_ID = PFEBICS
+
+# EBICS user ID, as assigned by the bank.
+USER_ID = PFC00664
+
+# EBICS partner ID, as assigned by the bank.
+PARTNER_ID = PFC00664
+
+# EBICS partner ID, as assigned by the bank. # ???
+SYSTEM_ID = PFC00664
+
+# IBAN of the bank account that is associated with the EBICS subscriber.
+IBAN = CH9889144237951612671
+
+# BIC of the bank account that is associated with the EBICS subscriber
+BIC = POFICHBEXXX
+
+# Legal entity that is associated with the EBICS subscriber.
+NAME = "Taler Exchange Operator Legal Name"
+
+# EBICS version and ISO20022 recommendations that
+# Nexus would honor in the communication with the bank.
+BANK_DIALECT = "postfinance"
+
+# Exchange accounts bounce invalid incoming transactions.
+ACCOUNT_TYPE = exchange
+
+[nexus-fetch]
+FREQUENCY = 30s
+
+[nexus-submit]
+FREQUENCY = 30s
+
+[nexus-postgres]
+CONFIG=postgres:///libeufin
diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- name: Install libeufin-nexus package
+ apt:
+ name:
+ - libeufin-nexus
+ state: latest
+ update_cache: true
+
+- name: Ensure libeufin config dir exists from installation
+ file:
+ path: "/etc/libeufin"
+ state: directory
+
+- name: Place libeufin-nexus config
+ copy:
+ src: etc/libeufin/libeufin-nexus.conf
+ dest: "/etc/libeufin/libeufin-nexus.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Setup libeufin database
+ shell:
+ cmd: libeufin-dbconfig --only-nexus
+ chdir: /tmp
+
+- name: EBICS setup
+ become: yes
+ become_user: libeufin-nexus
+ shell:
+ cmd: libeufin-nexus ebics-setup
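Review bot: `[nexus-postgres]` is declared twice in this file, `CONFIG = postgres:///libeufin` near the top and `CONFIG=postgres:///libeufin` at the end; keep one so a later edit cannot leave the two disagreeing. The file also hard-codes one specific EBICS subscriber (`USER_ID`, `PARTNER_ID`, `SYSTEM_ID`, `IBAN`, `BIC`) and the PostFinance `isotest` host into a static role file that the tasks then install world-readable (`mode: 0644`); these identify a concrete bank relationship and belong in per-host variables rendered through a template, not in the repository. The `# ???` left on `SYSTEM_ID` (whose comment repeats the partner-ID text) marks a value the author has not confirmed, and whether a test host is intended for the production deployment the README describes should be checked before this is merged.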
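Review bot: `libeufin-nexus ebics-setup` in the last task runs via `shell` on every play with no guard; EBICS initialisation is presumably a one-time key setup, so an unconditional re-run is at best redundant and at worst disruptive. Add `creates:` pointing at the artefact it produces (to be confirmed) or a `when:`/`changed_when:` guard, and prefer `command:` since no shell features are used. `apt: state: latest` in the first task also upgrades the package on every run; `state: present` is the usual choice for a reproducible deployment.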
diff --git a/roles/postal-challenger/files/etc/challenger/postal-challenger.conf b/roles/postal-challenger/files/etc/challenger/postal-challenger.conf
@@ -0,0 +1,22 @@
+# General settings for the backend.
+[challenger]
+
+# Use TCP or UNIX domain sockets?
+SERVE = UNIX
+
+# Which unix domain path should we bind to? Only used if "SERVE" is 'unix'.
+UNIXPATH = /var/run/challenger-postal/challenger-http.sock
+
+# What should be the file access permissions (see chmod) for "UNIXPATH"?
+UNIXPATH_MODE = 660
+
+# Which external command should be used to transmit challenges?
+# Example commands are challenger-send-{sms,email,post}.sh
+AUTH_COMMAND = challenger-send-post.sh
+
+# What address type are we validating? (phone, email, address, etc.)
+# A template of the form 'enter-$ADDRESS_TYPE-form' must
+# exist and the field names must be supported by the
+# AUTH_COMMAND.
+#
+ADDRESS_TYPE = address
diff --git a/roles/postal-challenger/tasks/main.yml b/roles/postal-challenger/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: Place taler-exchange config
+ copy:
+ src: etc/taler-exchange/taler-exchange.conf
+ dest: "/etc/taler-exchange/taler-exchange.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Setup libeufin database
+ shell:
+ cmd: libeufin-dbconfig --only-nexus
+ chdir: /tmp
+
+- name: Setup Taler Exchange database
+ shell:
+ cmd: taler-exchange-dbconfig
+ chdir: /tmp
+
+- name: EBICS setup
+ become: yes
+ become_user: libeufin-nexus
+ shell:
+ cmd: libeufin-nexus ebics-setup
diff --git a/roles/sms-challenger/files/etc/challenger/sms-challenger.conf b/roles/sms-challenger/files/etc/challenger/sms-challenger.conf
@@ -0,0 +1,22 @@
+# General settings for the backend.
+[challenger]
+
+# Use TCP or UNIX domain sockets?
+SERVE = UNIX
+
+# Which unix domain path should we bind to? Only used if "SERVE" is 'unix'.
+UNIXPATH = /var/run/challenger-sms/challenger-http.sock
+
+# What should be the file access permissions (see chmod) for "UNIXPATH"?
+UNIXPATH_MODE = 660
+
+# Which external command should be used to transmit challenges?
+# Example commands are challenger-send-{sms,email,post}.sh
+AUTH_COMMAND = challenger-send-sms.sh
+
+# What address type are we validating? (phone, email, address, etc.)
+# A template of the form 'enter-$ADDRESS_TYPE-form' must
+# exist and the field names must be supported by the
+# AUTH_COMMAND.
+#
+ADDRESS_TYPE = phone
diff --git a/roles/sms-challenger/tasks/main.yml b/roles/sms-challenger/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+- name: Ensure taler exchange config dir exists from installation
+ file:
+ path: "/etc/taler-exchange"
+ state: directory
+
+- name: Ensure libeufin config dir exists from installation
+ file:
+ path: "/etc/libeufin"
+ state: directory
+
+- name: Place libeufin-nexus config
+ copy:
+ src: etc/libeufin/libeufin-nexus.conf
+ dest: "/etc/libeufin/libeufin-nexus.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Place taler-exchange config
+ copy:
+ src: etc/taler-exchange/taler-exchange.conf
+ dest: "/etc/taler-exchange/taler-exchange.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Setup libeufin database
+ shell:
+ cmd: libeufin-dbconfig --only-nexus
+ chdir: /tmp
+
+- name: Setup Taler Exchange database
+ shell:
+ cmd: taler-exchange-dbconfig
+ chdir: /tmp
+
+- name: EBICS setup
+ become: yes
+ become_user: libeufin-nexus
+ shell:
+ cmd: libeufin-nexus ebics-setup
diff --git a/roles/taler-packages/tasks/main.yml b/roles/taler-packages/tasks/main.yml
@@ -29,6 +29,5 @@
 name:
 - taler-exchange
 - taler-auditor
- - libeufin-nexus
 state: latest
 update_cache: true
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml @@ -14,19 +14,6 @@ state: started enabled: yes -- name: Ensure virtualhost configuration file exists - template: - src: exchange-nginx.conf - dest: "/etc/nginx/sites-available/exchange-nginx.conf" - notify: restart nginx - -- name: Enable virtual host by creating symlink - file: - src: "/etc/nginx/sites-available/exchange-nginx.conf" - dest: "/etc/nginx/sites-enabled/exchange-nginx.conf" - state: link - notify: restart nginx - #- name: Install Certbot and Certbot Nginx plugin # package: # name: "{{ item }}"