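---
# Role tasks for libeufin-nexus: stop the running units, install or upgrade
# the package, lay down nginx and libeufin configuration, run the database
# setup, check EBICS key material, then start the units again. The
# non-EBICS branch (`when: not use_ebics`) additionally creates two
# locked-password technical users whose login shell is a fixed script.
#
# Fixes relative to the previous revision:
#   - sudoers drop-ins are installed with mode 0440 and validated with
#     `visudo -cf` before being moved into place;
#   - the second "Adjust EBICS client keys permissions" task (which acts
#     on the bank keys) got its own name so task output is unambiguous;
#   - ~/.ssh and authorized_keys use the conventional 0700/0600;
#   - every task uses the fully qualified module name.

- name: Get the list of services
  ansible.builtin.service_facts:

# Both units are stopped before the package is touched; the `when`
# guards keep the tasks from failing on a fresh host where the units
# are not installed yet (the fact keys only exist for known units).
- name: Ensure libeufin-nexus service is stopped before we upgrade
  ansible.builtin.systemd:
    name: libeufin-nexus.target
    state: stopped
    enabled: false
  when: '"libeufin-nexus.target" in ansible_facts["services"]'

- name: Ensure libeufin-nexus-httpd service is stopped before we upgrade
  ansible.builtin.systemd:
    name: libeufin-nexus-httpd.service
    state: stopped
    enabled: false
  when: '"libeufin-nexus-httpd.service" in ansible_facts["services"]'

# NOTE(review): state=latest pulls a newer package on every run, i.e.
# unattended upgrades happen whenever the play runs; pin a version here
# if that is not intended.
- name: Install libeufin-nexus package
  ansible.builtin.apt:
    name:
      - libeufin-nexus
    state: latest
  when: ansible_facts["os_family"] == 'Debian'

- name: Ensure libeufin config dir exists from installation
  ansible.builtin.file:
    path: "/etc/libeufin"
    state: directory
    mode: "0755"
    owner: root
    group: root

# nginx vhosts are rendered to sites-available and linked into
# sites-enabled further below, after the certificate role has run.
- name: Ensure nexus virtualhost configuration file exists
  ansible.builtin.template:
    src: templates/etc/nginx/sites-available/nexus-nginx.conf.j2
    dest: /etc/nginx/sites-available/nexus-nginx.conf
    owner: root
    group: root
    mode: "0644"

- name: Ensure nexus HTTP virtualhost configuration file exists
  ansible.builtin.template:
    src: templates/etc/nginx/sites-available/nexus-http.conf.j2
    dest: /etc/nginx/sites-available/nexus-http.conf
    owner: root
    group: root
    mode: "0644"

- name: Secure the libeufin with Letsencrypt
  when: nexus_use_letsencrypt
  ansible.builtin.include_role:
    name: cert
  vars:
    cert_name: nexus
    wanted_cert_domains:
      - "{{ nexus_domain }}"
    nginx_sites:
      - nexus-http.conf
      - nexus-nginx.conf

- name: Enable Taler nexus HTTP reverse proxy configuration
  ansible.builtin.file:
    src: /etc/nginx/sites-available/nexus-http.conf
    dest: /etc/nginx/sites-enabled/nexus-http.conf
    state: link
  notify: Restart nginx

- name: Enable Taler nexus reverse proxy configuration
  ansible.builtin.file:
    src: /etc/nginx/sites-available/nexus-nginx.conf
    dest: /etc/nginx/sites-enabled/nexus-nginx.conf
    state: link
  notify: Restart nginx

# Local facts hold the generated access token, so the directory is
# root-only (0700).
- name: Ensure Ansible facts directory exists
  ansible.builtin.file:
    path: "/etc/ansible/facts.d/"
    state: directory
    mode: "0700"
    owner: root
    group: root

# `creates` makes this a one-shot: the token is generated only when the
# fact file is absent, so re-running the play does not rotate it.
- name: Libeufin-nexus access secret setup
  ansible.builtin.command:
    argv:
      - setup-secret-fact
      - /etc/ansible/facts.d/libeufin-nexus-access-token.fact
      - "secret-token:"
    creates: /etc/ansible/facts.d/libeufin-nexus-access-token.fact

# The fact file written above is only visible after facts are gathered
# again; the templates below presumably read it.
- name: Libeufin-nexus force ansible to regather just created fact(s)
  ansible.builtin.setup:

- name: Place libeufin-nexus config
  ansible.builtin.template:
    src: templates/etc/libeufin/libeufin-nexus.conf.j2
    dest: "/etc/libeufin/libeufin-nexus.conf"
    owner: root
    group: root
    mode: "0644"

# The EBICS config is group-readable by the service account only (0640),
# unlike the main config, which suggests it carries credentials.
- name: Place libeufin-nexus EBICS config
  ansible.builtin.template:
    src: templates/etc/libeufin/libeufin-nexus-ebics.conf.j2
    dest: "/etc/libeufin/libeufin-nexus-ebics.conf"
    owner: root
    group: libeufin-nexus
    mode: "0640"
  when: use_ebics or configure_ebics

# NOTE(review): runs on every play and always reports "changed"; add a
# `changed_when` or a `creates` guard if the tool is idempotent.
- name: Setup libeufin database
  ansible.builtin.command:
    cmd: libeufin-dbconfig --only-nexus
    chdir: /tmp

# NOTE(review): second fact regather with no new fact files in between;
# looks like a debugging leftover and is probably removable.
- name: Show vars
  ansible.builtin.setup:

# EBICS key handling: when keys are provided externally
# (ebics_keys_external), they must already exist and are locked down to
# the service account. `stat_result` is reused for the bank keys below.
- name: Check if EBICS client keys exist.
  ansible.builtin.stat:
    path: /var/lib/libeufin-nexus/client-ebics-keys.json
  register: stat_result

- name: Fail if external client keys are missing.
  ansible.builtin.fail:
    msg: External EBICS client keys missing
  when: ebics_keys_external and not stat_result.stat.exists

- name: Adjust EBICS client keys permissions
  ansible.builtin.file:
    path: "/var/lib/libeufin-nexus/client-ebics-keys.json"
    state: file
    mode: "0400"
    owner: libeufin-nexus
    group: libeufin-nexus
  when: ebics_keys_external and stat_result.stat.exists

- name: Check if EBICS bank keys exist.
  ansible.builtin.stat:
    path: /var/lib/libeufin-nexus/bank-ebics-keys.json
  register: stat_result

- name: Fail if external bank keys are missing.
  ansible.builtin.fail:
    msg: External EBICS bank keys missing
  when: ebics_keys_external and not stat_result.stat.exists

- name: Adjust EBICS bank keys permissions
  ansible.builtin.file:
    path: "/var/lib/libeufin-nexus/bank-ebics-keys.json"
    state: file
    mode: "0400"
    owner: libeufin-nexus
    group: libeufin-nexus
  when: ebics_keys_external and stat_result.stat.exists

# FIXME: this step currently fails with pofi, seems command wants
# extra arguments to do PDF letter generation?
# Runs as the service account so generated key files are owned by it.
- name: EBICS setup
  become: true
  become_user: libeufin-nexus
  ansible.builtin.command:
    cmd: libeufin-nexus ebics-setup
  when: use_ebics

# Units were disabled at the top; re-enable them now that config, database
# and keys are in place. The target is EBICS-only, httpd is unconditional.
- name: Ensure libeufin-nexus target is enabled and started
  ansible.builtin.systemd:
    daemon_reload: true
    name: libeufin-nexus.target
    state: started
    enabled: true
  when: use_ebics

- name: Ensure libeufin-nexus-httpd service is enabled and started
  ansible.builtin.systemd:
    daemon_reload: true
    name: libeufin-nexus-httpd.service
    state: started
    enabled: true

# Non-EBICS mode: two technical users whose login shell is a fixed script
# and whose password is locked ("!"), so the only way in is via the SSH
# keys placed at the end of this file.
- name: Place login script for libeufin-nexus-import technical user
  ansible.builtin.copy:
    src: usr/local/bin/libeufin-nexus-import.sh
    dest: "/usr/local/bin/libeufin-nexus-import.sh"
    owner: root
    group: root
    mode: "0755"
  when: not use_ebics

- name: Place login script for libeufin-nexus-export technical user
  ansible.builtin.copy:
    src: usr/local/bin/libeufin-nexus-export.sh
    dest: "/usr/local/bin/libeufin-nexus-export.sh"
    owner: root
    group: root
    mode: "0755"
  when: not use_ebics

- name: Ensure group for libeufin-nexus-import exists
  ansible.builtin.group:
    name: libeufin-nexus-import
  when: not use_ebics

- name: Ensure group for libeufin-nexus-export exists
  ansible.builtin.group:
    name: libeufin-nexus-export
  when: not use_ebics

- name: Ensure technical user for libeufin-nexus import exists
  ansible.builtin.user:
    name: libeufin-nexus-import
    group: libeufin-nexus-import
    shell: /usr/local/bin/libeufin-nexus-import.sh
    password: "!"
  when: not use_ebics

- name: Ensure technical user for libeufin-nexus export exists
  ansible.builtin.user:
    name: libeufin-nexus-export
    group: libeufin-nexus-export
    shell: /usr/local/bin/libeufin-nexus-export.sh
    password: "!"
  when: not use_ebics

# sudo expects drop-ins under sudoers.d to be mode 0440 and refuses more
# permissive files; `visudo -cf` checks the syntax of the staged copy so a
# broken file never replaces the live one.
- name: Grant sudo rights to login script for importer
  ansible.builtin.copy:
    src: etc/sudoers.d/libeufin-nexus-import
    dest: "/etc/sudoers.d/libeufin-nexus-import"
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  when: not use_ebics

- name: Grant sudo rights to login script for exporter
  ansible.builtin.copy:
    src: etc/sudoers.d/libeufin-nexus-export
    dest: "/etc/sudoers.d/libeufin-nexus-export"
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  when: not use_ebics

# Conventional 0700 on ~/.ssh and 0600 on authorized_keys; sshd only
# rejects group/world-writable paths, but this keeps the key list from
# being readable by other local accounts.
- name: Ensure .ssh dir exists for libeufin-nexus-import user
  ansible.builtin.file:
    path: "/home/libeufin-nexus-import/.ssh/"
    state: directory
    owner: libeufin-nexus-import
    group: libeufin-nexus-import
    mode: "0700"
  when: not use_ebics

- name: Ensure .ssh dir exists for libeufin-nexus-export user
  ansible.builtin.file:
    path: "/home/libeufin-nexus-export/.ssh/"
    state: directory
    owner: libeufin-nexus-export
    group: libeufin-nexus-export
    mode: "0700"
  when: not use_ebics

- name: Allow technical users access to import account.
  ansible.builtin.copy:
    src: home/libeufin-nexus-import/.ssh/authorized_keys
    dest: "/home/libeufin-nexus-import/.ssh/authorized_keys"
    owner: libeufin-nexus-import
    group: libeufin-nexus-import
    mode: "0600"
  when: not use_ebics

- name: Allow technical users access to export account.
  ansible.builtin.copy:
    src: home/libeufin-nexus-export/.ssh/authorized_keys
    dest: "/home/libeufin-nexus-export/.ssh/authorized_keys"
    owner: libeufin-nexus-export
    group: libeufin-nexus-export
    mode: "0600"
  when: not use_ebics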