ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit ef9b1ee81183dcaa4c0cebe94c935aa986b06850
parent 108f568b194ed8aebc090731df105a9e05ae9dbd
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun, 24 Nov 2024 13:34:21 +0100

fix syntax issues

Diffstat:
MREADME | 2+-
Mansible.cfg | 2+-
Rinventories/staging/hosts.example -> inventories/example | 0
Dinventories/production/hosts.example | 4----
Ainventories/tops | 2++
Mplaybooks/setup.yml | 44++++++++++++++++++++++----------------------
Mplaybooks/test-secrets.yml | 25++++++++++++-------------
Mroles/challenger/tasks/main.yml | 31+++++++++++++++++--------------
Mroles/common_packages/tasks/main.yml | 13+++++++++----
Mroles/exchange/tasks/main.yml | 4++--
Mroles/libeufin-nexus/tasks/main.yml | 4++--
Mroles/webserver/tasks/main.yml | 38+++++++++++++++++++-------------------
12 files changed, 87 insertions(+), 82 deletions(-)

diff --git a/README b/README @@ -5,7 +5,7 @@ To run the main playbook (playbooks/setup.yml): ``` -$ ansible-playbook --verbose -i <host>, --user root playbooks/setup.yml --extra-vars "@playbook/test-secrets.yml" +$ ansible-playbook --verbose --inventory <host>, --user root playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml" ``` Instead of specifying the host(s) as arguments (note the trailing comma!) diff --git a/ansible.cfg b/ansible.cfg @@ -1,4 +1,4 @@ [defaults] -inventory = inventories +inventory = inventories/tops roles_path = roles remote_user = root diff --git a/inventories/staging/hosts.example b/inventories/example diff --git a/inventories/production/hosts.example b/inventories/production/hosts.example @@ -1,4 +0,0 @@ -[production] -#taler-ops production server -pixel.taler-ops.ch - diff --git a/inventories/tops b/inventories/tops @@ -0,0 +1,2 @@ +[production] +spec.taler-ops.ch ansible_port=22 ansible_user=root diff --git a/playbooks/setup.yml b/playbooks/setup.yml 
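Review bot: `inventory = inventories/tops` in the ansible.cfg hunk makes the production host the default target of every `ansible-playbook` run that omits `--inventory`, which is the opposite of what the README's explicit `--inventory <host>,` invocation suggests. Pointing the default at `inventories/example` (the renamed staging file) and selecting production explicitly keeps an accidental run from reaching `spec.taler-ops.ch`. In the new `inventories/tops` file, `ansible_user=root` duplicates `remote_user = root` from ansible.cfg and `ansible_port=22` is already the default, so either the inventory variables or the cfg line can go, whichever is meant to own that setting.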
@@ -14,46 +14,46 @@
 # secrets. For secrets, test-secrets.yml contains a template.
 vars:
 # Our currency.
- CURRENCY = CHF
+ CURRENCY: CHF
 # Smallest unit of the currency for wire transfers.
- CURRENCY_ROUND_UNIT = CHF:0.01
+ CURRENCY_ROUND_UNIT: "CHF:0.01"
 # Main domain name.
- DOMAIN_NAME = taler-ops.ch
+ DOMAIN_NAME: "taler-ops.ch"
 # Base URL of the exchange REST API
- EXCHANGE_BASE_URL="https://exchange.{{ $DOMAIN_NAME }}/"
+ EXCHANGE_BASE_URL: "https://exchange.{{ $DOMAIN_NAME }}/"
 # Base URL of the auditor REST API
- AUDITOR_BASE_URL="https://auditor.{{ $DOMAIN_NAME }}/"
+ AUDITOR_BASE_URL: "https://auditor.{{ $DOMAIN_NAME }}/"
 # Exchange offline master public key.
- EXCHANGE_MASTER_PUB=
+ EXCHANGE_MASTER_PUB:
 # Auditor offline public key.
- AUDITOR_PUB=
+ AUDITOR_PUB:
 # Name of Terms of service resource file
- EXCHANGE_TERMS_ETAG="exchange-tos-v0"
+ EXCHANGE_TERMS_ETAG: "exchange-tos-v0"
 # Name of Privacy policy resource file
- EXCHANGE_PP_ETAG="exchange-pp-v0"
+ EXCHANGE_PP_ETAG: "exchange-pp-v0"
 # Full Payto URI of exchange account (for credit and debit)
- EXCHANGE_BANK_ACCOUNT_BIC="POFICHBEXXX"
+ EXCHANGE_BANK_ACCOUNT_BIC: "POFICHBEXXX"
 # Full Payto URI of exchange account (for credit and debit)
- EXCHANGE_BANK_ACCOUNT_IBAN="CH9889144237951612671"
+ EXCHANGE_BANK_ACCOUNT_IBAN: "CH9889144237951612671"
 # Full Payto URI of exchange account (for credit and debit)
- EXCHANGE_BANK_ACCOUNT_PAYTO="payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=operator"
+ EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name: operator"
 # Port to be used by libeufin-nexus for the taler-exchange-wire-gateway
- LIBEUFIN_PORT=8082
+ LIBEUFIN_PORT: 8082
 # Name of the exchange account at libeufin-nexus
- LIBEUFIN_EXCHANGE_ACCOUNT="exchange"
+ LIBEUFIN_EXCHANGE_ACCOUNT: "exchange"
 # Name of the bank dialect
- LIBEUFIN_NEXUS_BANK_DIALECT="postfinance"
+ LIBEUFIN_NEXUS_BANK_DIALECT: "postfinance"
 # Business name of the exchange operator
- EXCHANGE_OPERATOR_LEGAL_NAME="Taler Exchange Operator Legal Name"
+ EXCHANGE_OPERATOR_LEGAL_NAME: "Taler Exchange Operator Legal Name"
 # Where to send people after they passed KYC.
- KYC_THANK_YOU_URL = https://taler-ops.ch/thank-you-kyc
+ KYC_THANK_YOU_URL: https://taler-ops.ch/thank-you-kyc
 # Template to use for identification of individuals with KYCAID
- KYCAID_TEMPLATE_INDIVIDUAL = tmpl_xxx
+ KYCAID_TEMPLATE_INDIVIDUAL: tmpl_xxx
 # Template to use for identification of businesses with KYCAID
- KYCAID_TEMPLATE_BUSINESS = tmpl_xxx
+ KYCAID_TEMPLATE_BUSINESS: tmpl_xxx
 # Regex specifying allowed phone numbers for the SMS check
- EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX = \+41[0-9]+
+ EXCHANGE_AML_PROGRAM_TOPS_SMS_REGEX: \+41[0-9]+
 # Limit to lift for withdraw upon SMS registration
- EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD = CHF:200
+ EXCHANGE_AML_PROGRAM_TOPS_SMS_WITHDRAW_THRESHOLD: CHF:200
 # Limit to lift for merge upon SMS registration
- EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD = CHF:0
+ EXCHANGE_AML_PROGRAM_TOPS_SMS_MERGE_THRESHOLD: CHF:0
diff --git a/playbooks/test-secrets.yml b/playbooks/test-secrets.yml
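Review bot: Two of the converted values in this hunk are still wrong after the `=` to `: ` rewrite. `EXCHANGE_BANK_ACCOUNT_PAYTO` now ends in `?receiver-name: operator` because the query-string `=` was rewritten along with the YAML separator, so the payto URI handed to the wire gateway is malformed; it should read `EXCHANGE_BANK_ACCOUNT_PAYTO: "payto://iban/{{ EXCHANGE_BANK_ACCOUNT_IBAN }}?receiver-name=operator"`. `EXCHANGE_BASE_URL` and `AUDITOR_BASE_URL` reference `{{ $DOMAIN_NAME }}`, and `$` is not a valid character in a Jinja2 expression, so Ansible will fail to template both values; use `{{ DOMAIN_NAME }}`. `EXCHANGE_MASTER_PUB:` and `AUDITOR_PUB:` are now bare keys, which YAML loads as null; if these are placeholders to be filled in, `""` makes that explicit and avoids `None` appearing in rendered configuration. The enclosing `vars:` mapping and its play start before this hunk.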
@@ -1,21 +1,20 @@ -# Secret token to use to authenticate to SMS challenger service. -EXCHANGE_SMS_CHALLENGER_TOKEN=SECRET1 => fact? +--- # Symmetric encryption secret for KYC attribute encryption. -EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY=SECRET2 +EXCHANGE_ATTRIBUTE_ENCRYPTION_KEY: SECRET2 # EBICS access details -LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL = https://isotest.postfinance.ch/ebicsweb/ebicsweb -LIBEUFIN_NEXUS_EBICS_HOST_ID = PFEBICS -LIBEUFIN_NEXUS_EBICS_USER_ID = PFC00664 -LIBEUFIN_NEXUS_EBICS_PARTNER_ID = PFC00664 -LIBEUFIN_NEXUS_EBICS_SYSTEM_ID = PFC00664 +LIBEUFIN_NEXUS_EBICS_HOST_BASE_URL: https://isotest.postfinance.ch/ebicsweb/ebicsweb +LIBEUFIN_NEXUS_EBICS_HOST_ID: PFEBICS +LIBEUFIN_NEXUS_EBICS_USER_ID: PFC00664 +LIBEUFIN_NEXUS_EBICS_PARTNER_ID: PFC00664 +LIBEUFIN_NEXUS_EBICS_SYSTEM_ID: PFC00664 # Authorization token for the telesign SMS service -SMS_CHALLENGER_TELESIGN_AUTH_TOKEN = my-auth-token +SMS_CHALLENGER_TELESIGN_AUTH_TOKEN: my-auth-token # Authorization data for the pingen postal service -POSTAL_CHALLENGER_PINGEN_CLIENT_ID = myid -POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET = mysecret -POSTAL_CHALLENGER_PINGEN_ORG_ID = orgid +POSTAL_CHALLENGER_PINGEN_CLIENT_ID: myid +POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET: mysecret +POSTAL_CHALLENGER_PINGEN_ORG_ID: orgid # KYCaid access token -EXCHANGE_KYCAID_ACCESS_TOKEN = FIXME +EXCHANGE_KYCAID_ACCESS_TOKEN: FIXME diff --git a/roles/challenger/tasks/main.yml b/roles/challenger/tasks/main.yml 
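Review bot: The secret values in this hunk are plain scalars, so a real token that looks like a number or boolean, or that contains `: ` or ` #`, will be retyped or truncated by the YAML loader before it reaches any template; quote them, e.g. `EXCHANGE_KYCAID_ACCESS_TOKEN: "FIXME"` and `POSTAL_CHALLENGER_PINGEN_CLIENT_SECRET: "mysecret"`. The EBICS identifiers (`PFEBICS`, `PFC00664`) and the host URL are strings as well and quoting them keeps the file uniform. Since README passes this file via `--extra-vars` and it now carries EBICS credentials and API tokens, the copy used for a real deployment is best kept encrypted with `ansible-vault`, which `--extra-vars @file` accepts, rather than as plaintext next to the playbooks.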
@@ -90,13 +90,13 @@ creates: /etc/ansible/facts.d/sms-challenger-client-secret.fact # FIXME: these 3 can probably be combined, figure out how... -- name: sms-challenger: force ansible to regather just created fact(s) +- name: sms-challenger force ansible to regather just created fact(s) setup: filter='sms-challenger-client-secret' -- name: email-challenger: force ansible to regather just created fact(s) +- name: email-challenger force ansible to regather just created fact(s) setup: filter='email-challenger-client-secret' -- name: postal-challenger: force ansible to regather just created fact(s) +- name: postal-challenger force ansible to regather just created fact(s) setup: filter='postal-challenger-client-secret' - name: Setup SMS Challenger exchange account @@ -117,7 +117,7 @@ - name: Place SMS challenger exchange config ansible.builtin.template: src: templates/etc/taler-exchange/config.d/sms-challenger.conf.j2 - dest: "/etc/taler-exchange/config.d/sms-challenger.conf" + dest: /etc/taler-exchange/config.d/sms-challenger.conf owner: root group: challenger-sms mode: 0640 @@ -125,7 +125,7 @@ - name: Place email challenger exchange config ansible.builtin.template: src: templates/etc/taler-exchange/config.d/email-challenger.conf.j2 - dest: "/etc/taler-exchange/config.d/email-challenger.conf" + dest: /etc/taler-exchange/config.d/email-challenger.conf owner: root group: challenger-email mode: 0640 @@ -133,7 +133,7 @@ - name: Place postal challenger exchange config ansible.builtin.template: src: templates/etc/taler-exchange/config.d/postal-challenger.conf.j2 - dest: "/etc/taler-exchange/config.d/postal-challenger.conf" + dest: /etc/taler-exchange/config.d/postal-challenger.conf owner: root group: challenger-postal mode: 0640 
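Review bot: The `setup: filter='sms-challenger-client-secret'` lines under the three renamed regather tasks probably do not refresh the facts they are meant to reload: `setup`'s `filter` matches top-level fact names, and a facts.d file surfaces under `ansible_local`, so a filter naming the `.fact` basename selects nothing. If that is the case the regather should be `setup: filter=ansible_local` (or `ansible.builtin.setup:` with `filter: ansible_local` in block form), and the same applies to the regather task in the `roles/libeufin-nexus/tasks/main.yml` hunk. That also resolves the FIXME above them, since one `ansible_local` regather covers all three facts. The names were changed only to drop the colon; quoting instead, e.g. `- name: "sms-challenger: force ansible to regather just created fact(s)"`, would keep the original wording.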
@@ -141,7 +141,7 @@
 - name: Place SMS challenger environment data
 ansible.builtin.template:
 src: templates/etc/challenger/sms-challenger.env.j2
- dest: "/etc/challenger/sms-challenger.env
+ dest: /etc/challenger/sms-challenger.env
 owner: root
 group: challenger-sms
 mode: 0640
@@ -149,7 +149,7 @@
 - name: Place postal challenger environment data
 ansible.builtin.template:
 src: templates/etc/challenger/postal-challenger.env.j2
- dest: "/etc/challenger/postal-challenger.env
+ dest: /etc/challenger/postal-challenger.env
 owner: root
 group: challenger-postal
 mode: 0640
@@ -157,17 +157,17 @@
 - name: Place sms-challenger systemd service file
 copy:
 src: etc/systemd/system/sms-challenger-httpd.service
- dest: "/etc/systemd/system/sms-challenger-httpd.service
+ dest: /etc/systemd/system/sms-challenger-httpd.service
 
 - name: Place postal-challenger systemd service file
 copy:
 src: etc/systemd/system/poastal-challenger-httpd.service
- dest: "/etc/systemd/system/postal-challenger-httpd.service
+ dest: /etc/systemd/system/postal-challenger-httpd.service
 
 - name: Place email-challenger systemd service file
 copy:
 src: etc/systemd/system/email-challenger-httpd.service
- dest: "/etc/systemd/system/email-challenger-httpd.service
+ dest: /etc/systemd/system/email-challenger-httpd.service
 
 - name: Ensure SMS challenger service is enabled and started
 ansible.builtin.systemd_service:
@@ -191,7 +191,7 @@
 - name: Place SMS challenger Nginx configuration
 ansible.builtin.template:
 src: templates/etc/nginx/sites-available/sms-challenger-nginx.conf.j2
- dest: "/etc/nginx/sites-available/sms-challenger-nginx.conf
+ dest: /etc/nginx/sites-available/sms-challenger-nginx.conf
 owner: root
 group: root
 mode: 0644
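Review bot: The context line `src: etc/systemd/system/poastal-challenger-httpd.service` in the postal-challenger systemd task looks like a typo for `postal-challenger-httpd.service`, the spelling used in the `dest:` line this commit rewrites; unless the file under the role's `files/` directory really is named `poastal-…`, the copy task fails at run time. If the file on disk is spelled correctly, the line should read `src: etc/systemd/system/postal-challenger-httpd.service`. The dequoted `dest:` values in these hunks are fine as plain scalars, as none contains a YAML-special character.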
@@ -206,7 +206,7 @@ - name: Place email challenger Nginx configuration ansible.builtin.template: src: templates/etc/nginx/sites-available/email-challenger-nginx.conf.j2 - dest: "/etc/nginx/sites-available/email-challenger-nginx.conf + dest: /etc/nginx/sites-available/email-challenger-nginx.conf owner: root group: root mode: 0644 @@ -221,7 +221,7 @@ - name: Place postal challenger Nginx configuration ansible.builtin.template: src: templates/etc/nginx/sites-available/postal-challenger-nginx.conf.j2 - dest: "/etc/nginx/sites-available/postal-challenger-nginx.conf + dest: /etc/nginx/sites-available/postal-challenger-nginx.conf owner: root group: root mode: 0644 @@ -231,4 +231,7 @@ src: /etc/nginx/sites-available/postal-challenger-nginx.conf dest: /etc/nginx/sites-enabled/postal-challenger-nginx.conf state: link + owner: root + group: root + mode: 0644 notify: restart nginx diff --git a/roles/common_packages/tasks/main.yml b/roles/common_packages/tasks/main.yml @@ -1,11 +1,8 @@ --- # Role: Install dependencies -- name: Install packages required by Ansible and deploy current base distro +- name: Deploy current base distro apt: - name: - - python3-debian - - python3-psycopg2 state: latest update_cache: true autoclean: true @@ -13,6 +10,14 @@ upgrade: safe when: ansible_os_family == 'Debian' +- name: Install packages required by Ansible + apt: + name: + - python3-debian + - python3-psycopg2 + state: latest + when: ansible_os_family == 'Debian' + - name: Install Taler dependencies on Debian/Ubuntu apt: name: diff --git a/roles/exchange/tasks/main.yml b/roles/exchange/tasks/main.yml 
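Review bot: The `owner`, `group` and `mode: 0644` added to the postal-challenger `sites-enabled` task belong to a task whose `state` is `link`; with the file module's default `follow: true` these attributes are applied to the link target in `sites-available`, which the template task above already sets to root:root 0644, so the addition appears redundant, and if the intent was to set attributes on the symlink itself it does not do that. `mode: 0644` is also an unquoted octal literal that YAML 1.1 loaders read as the integer 420; Ansible's guidance is to quote modes (`mode: "0644"`) so the module does the conversion, and the same applies to the `mode: 0640` and `mode: 0644` lines elsewhere in this file. If the sms- and email-challenger link tasks outside this hunk do not carry these attributes, the three should be made consistent.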
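Review bot: After the split in the common_packages hunk, the first `apt:` task keeps `state: latest` but no longer has a `name:`, so the key is left over from the package install it used to be; with `upgrade: safe` doing the work, `state: latest` is at best ignored and reads as if a specific package were being upgraded, so drop it from the upgrade task. For the new "Install packages required by Ansible" task, `state: present` is the more predictable choice than `latest` for interpreter dependencies that only need to exist for later modules, unless tracking the newest version on every run is intended. The dependencies are now installed after the distribution upgrade, so any role relying on `python3-psycopg2` must still be ordered after `common_packages` in `setup.yml`.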
@@ -69,13 +69,13 @@ - name: Check if we have kyc-rules (depends on branch) local_action: stat path=files/etc/taler-exchange/config.d/kyc-rules.conf - register: kyc-rules.conf + register: have_kycrules - name: Place taler-exchange KYC configuration (if exists) copy: src: files/etc/taler-exchange/config.d/kyc-rules.conf dest: /etc/taler-exchange/config.d/kyc-rules.conf - when: kyc-rules.conf.stat.exists + when: have_kycrules.stat.exists - name: Setup Taler Exchange database shell: diff --git a/roles/libeufin-nexus/tasks/main.yml b/roles/libeufin-nexus/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Ensure libeufin-nexus service is stopped before we upgrade service: - deamon_reload: true + daemon_reload: true name: libeufin-nexus.target state: stopped enabled: false @@ -30,7 +30,7 @@ # Ensures we only run when the file does not yet exist creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact -- name: libeufin-nexus: force ansible to regather just created fact(s) +- name: libeufin-nexus force ansible to regather just created fact(s) setup: filter='libeufin-nexus-access-token' - name: Place libeufin-nexus config diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml 
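Review bot: The `stat` check that feeds the renamed `have_kycrules` register uses `local_action: stat path=files/etc/taler-exchange/config.d/kyc-rules.conf`, which is resolved against the controller's current working directory, whereas the `copy` task's `src: files/etc/…` goes through the role's file search path; if the playbook is run from the repository root as the README shows, the two may not refer to the same file and `when: have_kycrules.stat.exists` would be false even though the role ships the file. Anchoring the check on the role, `path: "{{ role_path }}/files/etc/taler-exchange/config.d/kyc-rules.conf"` with `delegate_to: localhost`, makes both tasks look in the same place. Writing that task in block form (`ansible.builtin.stat:` with a `path:` key) rather than the `local_action:` key=value shorthand would also match the style of the surrounding tasks.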
@@ -8,28 +8,28 @@
 update_cache: yes
 when: ansible_os_family == 'Debian'
 
- #- name: Install Certbot and Certbot Nginx plugin
- # package:
- # name: "{{ item }}"
- # state: present
- # with_items:
- # - certbot
- # - python3-certbot-nginx # Certbot plugin for Nginx
- #
- #- name: Obtain or renew SSL certificate using Certbot with Nginx
- # command: certbot --nginx --domain "{{ SUBDOMAIN }}.{{ DOMAIN_NAME }}" --redirect --non-interactive --agree-tos --email "{{ ACME_EMAIL }}"
- # register: certbot_result
- # changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
- #
- #- name: Reload Nginx configuration if certificates were obtained or renewed
- # service:
- # name: nginx
- # state: restarted
- # when: certbot_result.changed
+#- name: Install Certbot and Certbot Nginx plugin
+# package:
+# name: "{{ item }}"
+# state: present
+# with_items:
+# - certbot
+# - python3-certbot-nginx # Certbot plugin for Nginx
+#
+#- name: Obtain or renew SSL certificate using Certbot with Nginx
+# command: certbot --nginx --domain "{{ SUBDOMAIN }}.{{ DOMAIN_NAME }}" --redirect --non-interactive --agree-tos --email "{{ ACME_EMAIL }}"
+# register: certbot_result
+# changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
+#
+#- name: Reload Nginx configuration if certificates were obtained or renewed
+# service:
+# name: nginx
+# state: restarted
+# when: certbot_result.changed
 
 - name: Remove default nginx configuration
 file:
- path: /etc/nginx/sites-enabled/default
+ path: /etc/nginx/sites-enabled/default
 state: absent
 
 - name: Ensure Nginx service is enabled and started
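Review bot: The certbot block in this hunk is re-indented but stays commented out, so the role still never obtains or renews a TLS certificate for `{{ SUBDOMAIN }}.{{ DOMAIN_NAME }}`, and the vhosts it places presumably stay HTTP-only unless certificates are provisioned elsewhere. Either delete the block (history keeps it) or restore it as live tasks gated by a variable, e.g. `when: ACME_EMAIL is defined`, so a deployment without an ACME contact skips the step explicitly instead of silently. The unchanged `update_cache: yes` above it is the YAML 1.1 boolean spelling; `update_cache: true` is what ansible-lint expects.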