ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

main.yml (6505B)


      1 ---
      2 - name: Get the list of services
      3   service_facts:
      4 
      5 - name: Ensure libeufin-nexus service is stopped before we upgrade
      6   systemd:
      7     name: libeufin-nexus.target
      8     state: stopped
      9     enabled: false
     10   when: "'libeufin-nexus.target' in services"
     11 
     12 - name: Ensure libeufin-nexus-httpd service is stopped before we upgrade
     13   service:
     14     name: libeufin-nexus-httpd.service
     15     state: stopped
     16     enabled: false
     17   when: "'libeufin-nexus-httpd.service' in services"
     18 
     19 - name: Install libeufin-nexus package
     20   apt:
     21     name:
     22       - libeufin-nexus
     23     state: latest
     24   when: ansible_os_family == 'Debian'
     25 
     26 - name: Ensure libeufin config dir exists from installation
     27   file:
     28     path: "/etc/libeufin"
     29     state: directory
     30     mode: "0755"
     31     owner: root
     32     group: root
     33 
     34 # FIXME: is this needed or always there in Ansible?
     35 - name: Ensure Ansible facts directory dir exists
     36   file:
     37     path: "/etc/ansible/facts.d/"
     38     state: directory
     39     mode: "0700"
     40     owner: root
     41     group: root
     42 
     43 - name: Libeufin-nexus access secret setup
     44   ansible.builtin.command:
     45     argv:
     46       - setup-secret-fact
     47       - /etc/ansible/facts.d/libeufin-nexus-access-token.fact
     48       - "secret-token:"
     49     creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact
     50 
     51 - name: Libeufin-nexus force ansible to regather just created fact(s)
     52   ansible.builtin.setup:
     53 
     54 - name: Place libeufin-nexus config
     55   ansible.builtin.template:
     56     src: templates/etc/libeufin/libeufin-nexus.conf.j2
     57     dest: "/etc/libeufin/libeufin-nexus.conf"
     58     owner: root
     59     group: root
     60     mode: "0644"
     61 
     62 - name: Place libeufin-nexus EBICS config
     63   ansible.builtin.template:
     64     src: templates/etc/libeufin/libeufin-nexus-ebics.conf.j2
     65     dest: "/etc/libeufin/libeufin-nexus-ebics.conf"
     66     owner: root
     67     group: libeufin-nexus
     68     mode: "0640"
     69   when: use_ebics or configure_ebics
     70 
     71 - name: Setup libeufin database
     72   ansible.builtin.command:
     73     cmd: libeufin-dbconfig --only-nexus
     74     chdir: /tmp
     75 
     76 - name: Show vars
     77   ansible.builtin.setup:
     78 
     79 - name: Check if EBICS client keys exist.
     80   stat:
     81     path: /var/lib/libeufin-nexus/client-ebics-keys.json
     82   register: stat_result
     83 
     84 - name: Fail if external client keys are missing.
     85   fail:
     86     msg: External EBICS client keys missing
     87   when: ebics_keys_external and not stat_result.stat.exists
     88 
     89 - name: Adjust EBICS client keys permissions
     90   file:
     91     path: "/var/lib/libeufin-nexus/client-ebics-keys.json"
     92     state: file
     93     mode: "0400"
     94     owner: libeufin-nexus
     95     group: libeufin-nexus
     96   when: ebics_keys_external and stat_result.stat.exists
     97 
     98 - name: Check if EBICS bank keys exist.
     99   stat:
    100     path: /var/lib/libeufin-nexus/bank-ebics-keys.json
    101   register: stat_result
    102 
    103 - name: Fail if external bank keys are missing.
    104   fail:
    105     msg: External EBICS bank keys missing
    106   when: ebics_keys_external and not stat_result.stat.exists
    107 
    108 - name: Adjust EBICS client keys permissions
    109   file:
    110     path: "/var/lib/libeufin-nexus/bank-ebics-keys.json"
    111     state: file
    112     mode: "0400"
    113     owner: libeufin-nexus
    114     group: libeufin-nexus
    115   when: ebics_keys_external and stat_result.stat.exists
    116 
    117 # FIXME: this step currently fails with pofi, seems command wants
    118 # extra arguments to do PDF letter generation?
    119 - name: EBICS setup
    120   become: true
    121   become_user: libeufin-nexus
    122   ansible.builtin.command:
    123     cmd: libeufin-nexus ebics-setup
    124   when: use_ebics
    125 
    126 - name: Ensure libeufin-nexus target is enabled and started
    127   service:
    128     daemon_reload: true
    129     name: libeufin-nexus.target
    130     state: started
    131     enabled: true
    132   when: use_ebics
    133 
    134 - name: Ensure libeufin-nexus-httpd service is enabled and started
    135   service:
    136     daemon_reload: true
    137     name: libeufin-nexus-httpd.service
    138     state: started
    139     enabled: true
    140 
    141 - name: Place login script for libeufin-nexus-import technical user
    142   ansible.builtin.copy:
    143     src: usr/local/bin/libeufin-nexus-import.sh
    144     dest: "/usr/local/bin/libeufin-nexus-import.sh"
    145     owner: root
    146     group: root
    147     mode: "0755"
    148   when: not use_ebics
    149 
    150 - name: Place login script for libeufin-nexus-export technical user
    151   ansible.builtin.copy:
    152     src: usr/local/bin/libeufin-nexus-export.sh
    153     dest: "/usr/local/bin/libeufin-nexus-export.sh"
    154     owner: root
    155     group: root
    156     mode: "0755"
    157   when: not use_ebics
    158 
    159 - name: Ensure group for libeufin-nexus-import exists
    160   group:
    161     name: libeufin-nexus-import
    162   when: not use_ebics
    163 
    164 - name: Ensure group for libeufin-nexus-export exists
    165   group:
    166     name: libeufin-nexus-export
    167   when: not use_ebics
    168 
    169 - name: Ensure technical user for libeufin-nexus import exists
    170   user:
    171     name: libeufin-nexus-import
    172     group: libeufin-nexus-import
    173     shell: /usr/local/bin/libeufin-nexus-import.sh
    174     password: "!"
    175   when: not use_ebics
    176 
    177 - name: Ensure technical user for libeufin-nexus export exists
    178   user:
    179     name: libeufin-nexus-export
    180     group: libeufin-nexus-export
    181     shell: /usr/local/bin/libeufin-nexus-export.sh
    182     password: "!"
    183   when: not use_ebics
    184 
    185 - name: Grant sudo rights to login script for importer
    186   ansible.builtin.copy:
    187     src: etc/sudoers.d/libeufin-nexus-import
    188     dest: "/etc/sudoers.d/libeufin-nexus-import"
    189     owner: root
    190     group: root
    191     mode: "0644"
    192   when: not use_ebics
    193 
    194 - name: Grant sudo rights to login script for exporter
    195   ansible.builtin.copy:
    196     src: etc/sudoers.d/libeufin-nexus-export
    197     dest: "/etc/sudoers.d/libeufin-nexus-export"
    198     owner: root
    199     group: root
    200     mode: "0644"
    201   when: not use_ebics
    202 
    203 - name: Ensure .ssh dir exists for libeufin-nexus-import user
    204   file:
    205     path: "/home/libeufin-nexus-import/.ssh/"
    206     state: directory
    207     owner: libeufin-nexus-import
    208     group: libeufin-nexus-import
    209     mode: "0755"
    210   when: not use_ebics
    211 
    212 - name: Ensure .ssh dir exists for libeufin-nexus-export user
    213   file:
    214     path: "/home/libeufin-nexus-export/.ssh/"
    215     state: directory
    216     owner: libeufin-nexus-export
    217     group: libeufin-nexus-export
    218     mode: "0755"
    219   when: not use_ebics
    220 
    221 - name: Allow technical users access to import acocunt.
    222   ansible.builtin.copy:
    223     src: home/libeufin-nexus-import/.ssh/authorized_keys
    224     dest: "/home/libeufin-nexus-import/.ssh/authorized_keys"
    225     owner: libeufin-nexus-import
    226     group: libeufin-nexus-import
    227     mode: "0644"
    228   when: not use_ebics
    229 
    230 - name: Allow technical users access to export acocunt.
    231   ansible.builtin.copy:
    232     src: home/libeufin-nexus-export/.ssh/authorized_keys
    233     dest: "/home/libeufin-nexus-export/.ssh/authorized_keys"
    234     owner: libeufin-nexus-export
    235     group: libeufin-nexus-export
    236     mode: "0644"
    237   when: not use_ebics