commit be70a2095935cffb7ee291cc6358ae0fa3d7f708
parent 6d2fd19fc753801c131a3b6c712269efce7fb8f9
Author: Florian Dold <florian@dold.me>
Date: Mon, 8 Dec 2025 17:52:14 +0100
add php / drupal / turnstile
Diffstat:
5 files changed, 94 insertions(+), 2 deletions(-)
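--- a/Dockerfile
+++ b/Dockerfile
@@ -301,6 +301,14 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install --no-instal
 #WORKDIR /
+FROM base-system as turnstile
+COPY buildconfig/turnstile.* /buildconfig/
+RUN TAG=$(cat /buildconfig/turnstile.tag) && \
+ cd /opt/ && \
+ git clone git://git.taler.net/turnstile \
+ --branch $TAG && \
+ cd /opt/turnstile && git checkout $(cat /buildconfig/turnstile.checkout)
+
 # Final image
 FROM base-system as taler-final
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get -y upgrade && apt-get --no-install-recommends install -y \
@@ -320,7 +328,15 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get -y upgrade && apt-g
 s-nail \
 systemd-coredump \
 libnss3-tools \
- uuid-runtime
+ uuid-runtime \
+ php \
+ composer \
+ php-pgsql \
+ php-fpm \
+ php-dom \
+ php-gd \
+ php-curl \
+ ;
 RUN mkdir -p /packages
 COPY --from=gnunet /packages/gnunet/* /packages/
@@ -334,6 +350,7 @@ COPY --from=libeufin /packages/libeufin/* /packages/
 COPY --from=merchant-demos /packages/merchant-demos/* /packages/
 COPY --from=challenger /packages/challenger/* /packages/
 COPY --from=donau /packages/donau/* /packages/
+COPY --from=turnstile /opt/turnstile /opt/turnstile
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get -y upgrade && \
 apt-get install --no-install-recommends -y /packages/*.deb
 COPY systemd/setup-sandcastle.service /etc/systemd/system/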
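Review bot: The turnstile stage clones over `git://`, a transport with neither encryption nor server authentication, so the integrity of the module that later becomes a Drupal extension in the final image rests entirely on what `buildconfig/turnstile.checkout` contains — sufficient only if that file pins a full commit hash, which the diff does not show. Prefer an `https://` clone URL if git.taler.net offers one, and quote the expansions in the same RUN (`--branch "$TAG"` and `git checkout "$(cat /buildconfig/turnstile.checkout)"`) so whitespace in either buildconfig file cannot silently alter the command. In the final-image hunk the unversioned `php-fpm` metapackage is installed, while the setup script enables `php8.4-fpm` and the Caddyfile points at `php8.4-fpm.sock`; if the base image's default PHP ever differs from 8.4 that unit name will not exist, so installing `php8.4-fpm` explicitly (or deriving the version in the script) keeps the two in step. The `COPY --from=turnstile /opt/turnstile /opt/turnstile` line presumably also carries the clone's `.git` directory into the final image, which is harmless but worth trimming.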
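--- a/host/container-taler-sandcastle-demo.service
+++ b/host/container-taler-sandcastle-demo.service
@@ -20,6 +20,7 @@ Environment=SANDCASTLE_PORT_BANK_SPA=127.0.0.1:15002
 Environment=SANDCASTLE_PORT_CHALLENGER=127.0.0.1:15003
 Environment=SANDCASTLE_PORT_AUDITOR=127.0.0.1:15004
 Environment=SANDCASTLE_PORT_DONAU=127.0.0.1:15005
+Environment=SANDCASTLE_PORT_DRUPAL=127.0.0.1:15006
 Restart=on-failure
 TimeoutStopSec=70
 ExecStart=%h/sandcastle-ng/sandcastle-run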
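--- a/host/container-taler-sandcastle-test.service
+++ b/host/container-taler-sandcastle-test.service
@@ -20,6 +20,7 @@ Environment=SANDCASTLE_PORT_BANK_SPA=127.0.0.1:16009
 Environment=SANDCASTLE_PORT_CHALLENGER=127.0.0.1:16010
 Environment=SANDCASTLE_PORT_AUDITOR=127.0.0.1:16011
 Environment=SANDCASTLE_PORT_DONAU=127.0.0.1:16012
+Environment=SANDCASTLE_PORT_DRUPAL=127.0.0.1:16013
 Restart=on-failure
 TimeoutStopSec=70
 ExecStart=%h/sandcastle-ng/sandcastle-run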
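--- a/sandcastle-run
+++ b/sandcastle-run
@@ -16,6 +16,7 @@ SANDCASTLE_PORT_BANK_SPA=${SANDCASTLE_PORT_BANK_SPA:-127.0.0.1:16009}
 SANDCASTLE_PORT_CHALLENGER=${SANDCASTLE_PORT_CHALLENGER:-127.0.0.1:16010}
 SANDCASTLE_PORT_AUDITOR=${SANDCASTLE_PORT_AUDITOR:-127.0.0.1:16011}
 SANDCASTLE_PORT_DONAU=${SANDCASTLE_PORT_DONAU:-127.0.0.1:16012}
+SANDCASTLE_PORT_DRUPAL=${SANDCASTLE_PORT_DRUPAL:-127.0.0.1:16013}
 # Container-internal ports, should by synced with scripts/setup-sandcastle.sh
 PORT_INTERNAL_EXCHANGE=8201
@@ -29,6 +30,7 @@ PORT_INTERNAL_BANK_SPA=8505
 PORT_INTERNAL_CHALLENGER=8506
 PORT_INTERNAL_AUDITOR=8507
 PORT_INTERNAL_DONAU=8508
+PORT_INTERNAL_DRUPAL=8509
 SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
 cd $SCRIPT_DIR
@@ -93,6 +95,7 @@ exec podman run \
 -p=$SANDCASTLE_PORT_CHALLENGER:$PORT_INTERNAL_CHALLENGER \
 -p=$SANDCASTLE_PORT_AUDITOR:$PORT_INTERNAL_AUDITOR \
 -p=$SANDCASTLE_PORT_DONAU:$PORT_INTERNAL_DONAU \
+ -p=$SANDCASTLE_PORT_DRUPAL:$PORT_INTERNAL_DRUPAL \
 --privileged \
 --name taler-sandcastle \
 --systemd=always \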
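--- a/scripts/demo/setup-sandcastle.sh
+++ b/scripts/demo/setup-sandcastle.sh
@@ -53,6 +53,7 @@ if [[ $WIRE_METHOD = iban ]]; then
 MERCHANT_IBAN_TALER=DE1740597
 MERCHANT_IBAN_TOR=DE2648777
 MERCHANT_IBAN_SANDBOX=DE949115029592
+ MERCHANT_IBAN_UMAMI=DE358841382499
 MERCHANT_PAYTO_ADMIN="payto://iban/$MERCHANT_IBAN_ADMIN?receiver-name=Default+Merchant"
 MERCHANT_PAYTO_POS="payto://iban/$MERCHANT_IBAN_POS?receiver-name=PoS+Merchant"
@@ -60,6 +61,7 @@ if [[ $WIRE_METHOD = iban ]]; then
 MERCHANT_PAYTO_GNUNET="payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant"
 MERCHANT_PAYTO_TALER="payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant"
 MERCHANT_PAYTO_TOR="payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant"
+ MERCHANT_PAYTO_UMAMI="payto://iban/$MERCHANT_IBAN_UMAMI?receiver-name=Umami"
 MERCHANT_PAYTO_SANDBOX="payto://iban/$MERCHANT_IBAN_SANDBOX?receiver-name=Sandbox+Merchant"
 elif [[ $WIRE_METHOD = x-taler-bank ]]; then
 XTBHOST=sandcastle
@@ -70,6 +72,7 @@ elif [[ $WIRE_METHOD = x-taler-bank ]]; then
 MERCHANT_PAYTO_GNUNET="payto://x-taler-bank/$XTBHOST/merchant-gnunet?receiver-name=GNUnet+Merchant"
 MERCHANT_PAYTO_TALER="payto://x-taler-bank/$XTBHOST/merchant-taler?receiver-name=Taler+Merchant"
 MERCHANT_PAYTO_TOR="payto://x-taler-bank/$XTBHOST/merchant-tor?receiver-name=Tor+Merchant"
+ MERCHANT_PAYTO_UMAMI="payto://x-taler-bank/$XTBHOST/merchant-umami?receiver-name=Umami"
 MERCHANT_PAYTO_SANDBOX="payto://x-taler-bank/$XTBHOST/merchant-sandbox?receiver-name=Sandbox+Merchant"
 else
 echo "wire method $WIRE_METHOD not supported"
@@ -84,6 +87,7 @@ MERCHANT_DOMAIN=backend.$MYDOMAIN
 DONAU_DOMAIN=donau.$MYDOMAIN
 BLOG_DOMAIN=shop.$MYDOMAIN
 DONATIONS_DOMAIN=donations.$MYDOMAIN
+DRUPAL_DOMAIN=drupal.$MYDOMAIN
 CHALLENGER_DOMAIN=challenger.$MYDOMAIN
 AUDITOR_DOMAIN=auditor.$MYDOMAIN
@@ -100,6 +104,7 @@ PORT_INTERNAL_BANK_SPA=8505
 PORT_INTERNAL_CHALLENGER=8506
 PORT_INTERNAL_AUDITOR=8507
 PORT_INTERNAL_DONAU=8508
+PORT_INTERNAL_DRUPAL=8509
 ENABLE_AUDITOR=0
@@ -165,7 +170,6 @@ lift_dir talerdata /var/lib/postgresql var-lib-postgresql
 # offline keys are in a separate volume
 lift_dir talerdata_persistent /var/lib/taler-exchange/offline exchange-offline
-
 # Usage: get_credential_pw COMPONENT/ACCOUNT
 function get_credential_pw() {
 if [[ ${USE_INSECURE_SANDBOX_PASSWORDS:-0} = 1 ]]; then
@@ -582,6 +586,12 @@ cat <<EOF >/etc/caddy/Caddyfile
 file_server
 }
+:$PORT_INTERNAL_DRUPAL {
+ root * /talerdata/sandcastle-drupal/web/
+ php_fastcgi unix/var/run/php/php8.4-fpm.sock
+ file_server
+}
+
 :$PORT_INTERNAL_AUDITOR {
 reverse_proxy unix//run/taler-auditor/httpd/auditor-http.sock
 }
@@ -699,6 +709,10 @@ http://$DONATIONS_DOMAIN$PORT_SUFFIX {
 reverse_proxy :$PORT_INTERNAL_DONATIONS
 }
+http://$DRUPAL_DOMAIN$PORT_SUFFIX {
+ reverse_proxy :$PORT_INTERNAL_DRUPAL
+}
+
 EOF
 fi
@@ -712,6 +726,7 @@ cat <<EOF >>/etc/hosts
 127.0.0.1 $BLOG_DOMAIN
 127.0.0.1 $DONATIONS_DOMAIN
 127.0.0.1 $CHALLENGER_DOMAIN
+127.0.0.1 $DRUPAL_DOMAIN
 # End of Taler Sandcastle Domains
 EOF
@@ -788,6 +803,13 @@ taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
 --name "Tor Donations Merchant" \
 --password $(get_credential_pw bank/merchant-tor)
+sudo -i -u libeufin-bank libeufin-bank passwd merchant-umami $(get_credential_pw bank/merchant-umami) || true
+taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
+ --login merchant-umami --public \
+ --payto "$MERCHANT_PAYTO_UMAMI" \
+ --name "Umami Merchant" \
+ --password $(get_credential_pw bank/merchant-umami)
+
 # Special bank account without a secure password
 sudo -i -u libeufin-bank libeufin-bank passwd merchant-sandbox sandbox || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
@@ -959,6 +981,18 @@ if [[ $instance_missing = yes ]]; then
 --payto "$MERCHANT_PAYTO_TOR"
 fi
+instance_missing=no
+reset_merchant_pw umami || instance_missing=yes
+if [[ $instance_missing = yes ]]; then
+ taler-harness deployment provision-merchant-instance \
+ ${MERCHANT_BASEURL} \
+ --management-token $ADMIN_TOK \
+ --instance-password $(get_credential_pw merchant/umami) \
+ --name "Umami Merchant" \
+ --id umami \
+ --payto "$MERCHANT_PAYTO_UMAMI"
+fi
+
 # Special instance with fixed "sandbox" password
 sudo -u taler-merchant-httpd taler-merchant-passwd --instance sandbox sandbox || true
 taler-harness deployment provision-merchant-instance \
@@ -1053,6 +1087,7 @@ taler-harness deployment provision-merchant-donau \
 --donau-auth-token secret-token:secret \
 --currency $CURRENCY
+UMAMI_TOK=$(taler-harness merchant token ${MERCHANT_BASEURL}instances/umami/ umami --password $(get_credential_pw merchant/umami))
 # Now we set up the taler-merchant-demos
@@ -1060,5 +1095,40 @@ systemctl enable --now taler-demo-landing
 systemctl enable --now taler-demo-blog
 systemctl enable --now taler-demo-donations
+# Turnstile (drupal/php)
+
+systemctl enable --now php8.4-fpm
+
+DRUPAL_DB_PW=$(get_credential_pw db/drupal)
+
+sudo -i -u postgres psql postgres -c "CREATE ROLE drupal WITH login;" || true
+sudo -i -u postgres psql postgres -c "ALTER ROLE drupal password '$DRUPAL_DB_PW';"
+sudo -u postgres createdb drupal --owner=drupal || true
+
+# Needed by PHP's composer
+export HOME=/root
+
+# FIXME: Would probably be better to checkout output of
+# drush status --fields=bootstrap --format=string
+
+cd /talerdata/
+if [[ ! -e /talerdata/sandcastle-drupal ]]; then
+ composer create-project drupal/recommended-project:^10 sandcastle-drupal
+ cd sandcastle-drupal
+ composer require drush/drush
+ composer exec -- drush site-install demo_umami --account-name=admin --account-pass=admin --account-mail=admin@localhost --db-url=pgsql://drupal:$DRUPAL_DB_PW@localhost/drupal --site-name=SandcastleUmami --yes
+fi
+
+chown -R www-data:www-data /talerdata/sandcastle-drupal/
+
+ln -s /opt/turnstile /talerdata/sandcastle-drupal/web/modules/taler_turnstile
+
+cd sandcastle-drupal
+composer exec -- drush en taler_turnstile
+composer exec -- drush config:set taler_turnstile.settings access_token "$UMAMI_TOK" --yes
+composer exec -- drush config:set taler_turnstile.settings payment_backend_url '$PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/umami/' --yes
+
+cd /
+
 # FIXME: Maybe do some taler-wallet-cli test?
 # FIXME: How do we report errors occurring during the setup script?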
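Review bot: In the Turnstile block the `cd sandcastle-drupal` after `fi` is relative, so on a first run — when the `if` branch has already changed into /talerdata/sandcastle-drupal — it fails and the three `drush` calls run in the wrong directory; use the absolute `cd /talerdata/sandcastle-drupal` in both places. The `payment_backend_url` value is single-quoted, so the module is configured with the literal string `$PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/umami/` rather than the expanded URL; double-quote it. `$DRUPAL_DB_PW` is spliced unquoted into the `ALTER ROLE ... password '...'` SQL literal and into the `pgsql://drupal:...@localhost/drupal` db-url, so a quote, `@`, `:` or `/` in the credential breaks the statement or the URL (the value is also visible in the argv of `psql` and `drush`); passing it as a psql variable and quoting it with `:'pw'` fixes the SQL side, and the db-url needs the same care. `drush site-install` fixes the Drupal administrator password to `admin` on a site the Caddyfile hunk publishes at `$DRUPAL_DOMAIN`, while every other credential in this script comes from `get_credential_pw`, so either derive it the same way (a constructed name such as `get_credential_pw drupal/admin`) or mark it as a deliberate sandbox default like the `sandbox` merchant; the bare `ln -s` will likewise fail with "File exists" on any re-run, where `ln -sfn` is idempotent. In the Caddyfile hunk `php_fastcgi unix/var/run/php/php8.4-fpm.sock` has a single slash after `unix` whereas the neighbouring auditor entry uses `unix//run/...`, so Caddy appears to get the relative path `var/run/php/php8.4-fpm.sock`; write `unix//run/php/php8.4-fpm.sock`.

```shell
sudo -i -u postgres psql postgres -c "CREATE ROLE drupal WITH login;" || true
# psql quotes the variable as an SQL literal, so the credential cannot break out of it
sudo -i -u postgres psql postgres -v pw="$DRUPAL_DB_PW" -c "ALTER ROLE drupal PASSWORD :'pw';"
# … unchanged: createdb, HOME export, FIXME comment …
cd /talerdata/
if [[ ! -e /talerdata/sandcastle-drupal ]]; then
  composer create-project drupal/recommended-project:^10 sandcastle-drupal
  cd /talerdata/sandcastle-drupal
  composer require drush/drush
  # NOTE(review): assumes the credential is URL-safe inside the db-url — verify what get_credential_pw emits
  composer exec -- drush site-install demo_umami --account-name=admin --account-pass="$(get_credential_pw drupal/admin)" --account-mail=admin@localhost --db-url="pgsql://drupal:${DRUPAL_DB_PW}@localhost/drupal" --site-name=SandcastleUmami --yes
fi
# … unchanged: chown …
ln -sfn /opt/turnstile /talerdata/sandcastle-drupal/web/modules/taler_turnstile
cd /talerdata/sandcastle-drupal
composer exec -- drush en taler_turnstile
composer exec -- drush config:set taler_turnstile.settings access_token "$UMAMI_TOK" --yes
composer exec -- drush config:set taler_turnstile.settings payment_backend_url "$PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/umami/" --yes
```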