ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

main.yml (3112B)


      1 ---
      2 # Role: Install dependencies (also applies baseline sshd hardening and provisions TLS DH parameters)
      3 
      4 - name: Disable password authentication and X11 forwarding in SSH
      5   ansible.builtin.lineinfile:
      6     path: /etc/ssh/sshd_config
      7     regexp: "{{ item.regexp }}"
      8     line: "{{ item.line }}"
      9     state: present
     10   loop:
     11     - { regexp: '^#?PasswordAuthentication.*', line: 'PasswordAuthentication no' }
     12     - { regexp: '^#?X11Forwarding.*', line: 'X11Forwarding no' }
     13 
     14 - name: Restart SSH service
     15   ansible.builtin.service:
     16     name: ssh
     17     state: restarted
     18 
     19 - name: Deploy TSYS signing key
     20   copy:
     21     src: etc/apt/keyrings/taler-systems.gpg
     22     dest: /etc/apt/keyrings/taler-systems.gpg
     23     owner: root
     24     group: root
     25     mode: "0644"
     26 
     27 - name: Add GNU Taler repo (Debian)
     28   deb822_repository:
     29     name: Taler
     30     types: deb
     31     uris: https://deb.taler.net/apt/debian
     32     suites: "{{ taler_repo_suites }}"
     33     components:
     34       - main
     35     architectures: amd64
     36     signed_by: /etc/apt/keyrings/taler-systems.gpg
     37   when: ansible_distribution == 'Debian'
     38 
     39 - name: Add GNU Taler repo (Ubuntu)
     40   deb822_repository:
     41     name: Taler
     42     types: deb
     43     uris: https://deb.taler.net/apt/ubuntu
     44     suites: "{{ taler_repo_suites }}"
     45     components:
     46       - main
     47     architectures: amd64
     48     signed_by: /etc/apt/keyrings/taler-systems.gpg
     49   when: ansible_distribution == 'Ubuntu'
     50 
     51 - name: Pin taler repo to lowest priority so they don't auto upgrade
     52   copy:
     53     src: etc/apt/preferences.d/limit-taler-repo
     54     dest: /etc/apt/preferences.d/limit-taler-repo
     55     owner: root
     56     group: root
     57     mode: "0644"
     58 
     59 - name: Deploy current base distro
     60   apt:
     61     state: latest
     62     update_cache: true
     63     autoclean: true
     64     autoremove: true
     65     upgrade: safe
     66   when: ansible_os_family == 'Debian'
     67 
     68 - name: Install packages required by Ansible
     69   apt:
     70     name:
     71       - python3-debian
     72       - python3-psycopg2
     73     state: latest
     74   when: ansible_os_family == 'Debian'
     75 
     76 - name: Install Taler dependencies on Debian/Ubuntu
     77   apt:
     78     name:
     79       - curl
     80       - jq
     81       - sudo
     82       - uuid-runtime
     83       - wget
     84       - openssl
     85       - libgnunet
     86     state: latest
     87   when: ansible_os_family == 'Debian'
     88 
     89 - name: Install robocop if sanction lists are in use
     90   apt:
     91     name:
     92       - robocop
     93     state: latest
     94   when:
     95     - SANCTION_LIST is defined
     96     - ansible_os_family == 'Debian'
     97 
     98 - name: Install setup-secret-fact helper
     99   ansible.builtin.copy:
    100     src: setup-secret-fact
    101     dest: /bin/setup-secret-fact
    102     owner: root
    103     group: root
    104     mode: "0744"
    105 
    106 - name: Install setup-challenger-client-id-fact helper
    107   ansible.builtin.copy:
    108     src: setup-challenger-client-id-fact
    109     dest: /bin/setup-challenger-client-id-fact
    110     owner: root
    111     group: root
    112     mode: "0744"
    113 
    114 - name: Generate dhparam.pem
    115   command: openssl dhparam -out dhparam.pem 4096
    116   args:
    117     chdir: /etc/ssl/private/
    118     creates: /etc/ssl/private/dhparam.pem
    119   when: not (USE_PREGENERATED_DHPARAM | default(False))
    120 
    121 - name: Deploy pregenerated dhparam.pem
    122   copy:
    123     src: dhparam_pregenerated.pem
    124     dest: /etc/ssl/private/dhparam.pem
    125     owner: root
    126     group: root
    127     mode: "0644"
    128   when: (USE_PREGENERATED_DHPARAM | default(False))