sandcastle-ng

setup-sandcastle.sh (39954B)

---

 #!/usr/bin/env bash
 
 # This scripts provisions all configuration and
 # services for the Taler sandcastle container.
 #
 # Important: This script needs to be completely
 # idempotent, nothing must break if it is executed
 # multiple times.
 
 set -eu
 set -x
 export LC_ALL="C.UTF-8"
 
 if [[ -n ${SANDCASTLE_SKIP_SETUP:-} ]]; then
   echo "skipping sandcastle setup, requested by environment var SANDCASTLE_SKIP_SETUP"
   exit 1
 fi
 
 
 # Helper to replace a comment-delimited block of lines in a config file with
 # the desired content. If the block doesn't exist yet, append it.
 update_config_block() {
   local config_file="$1"
   local marker_tag="$2"
   local new_content="$3"
   local begin_marker="# begin ${marker_tag}"
   local end_marker="# end ${marker_tag}"
   if [[ ! -f "$config_file" ]]; then
     echo "Error: Config file '$config_file' not found." >&2
     return 1
   fi
   if grep -qF "$begin_marker" "$config_file"; then
     # Markers exist. Replace the block.
     # Escape newlines in the content so sed processes it as a single block
     local escaped_content="${new_content//$'\n'/\\n}"
     sed -i "/$begin_marker/,/$end_marker/c\\$begin_marker\n$escaped_content\n$end_marker" "$config_file"
   else
     # Markers do not exist. Append to the end.
     printf "\n%s\n%s\n%s\n" "$begin_marker" "$new_content" "$end_marker" >> "$config_file"
   fi
 }
 
 echo "Provisioning sandcastle"
 
 # General configuration.
 # Might eventually be moved to an external file.
 
 # Source any overrides from external file
 if [[ -e /overrides ]]; then
   source /overrides
 fi
 
 # When serving on an external port (for localhost deployments),
 # we use http.
 if [[ ${EXTERNAL_PORT:-} =~ ^[0-9]+$ ]]; then
   PROTO=http
   PORT_SUFFIX=:$EXTERNAL_PORT
 else
   PROTO=https
   PORT_SUFFIX=
 fi
 
 : ${CURRENCY:="KUDOS"}
 : ${WIRE_METHOD:=x-taler-bank}
 
 
 if [[ $WIRE_METHOD = iban ]]; then
   EXCHANGE_IBAN=DE159593
   EXCHANGE_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc"
 
   # Randomly generated IBANs for the merchants
   MERCHANT_IBAN_ADMIN=DE85500105175178585583
   MERCHANT_IBAN_POS=DE4218710
   MERCHANT_IBAN_BLOG=DE8292195
   MERCHANT_IBAN_GNUNET=DE9709960
   MERCHANT_IBAN_TALER=DE1740597
   MERCHANT_IBAN_TOR=DE2648777
   MERCHANT_IBAN_SANDBOX=DE949115029592
   MERCHANT_IBAN_UMAMI=DE358841382499
 
   MERCHANT_PAYTO_ADMIN="payto://iban/$MERCHANT_IBAN_ADMIN?receiver-name=Default+Merchant"
   MERCHANT_PAYTO_POS="payto://iban/$MERCHANT_IBAN_POS?receiver-name=PoS+Merchant"
   MERCHANT_PAYTO_BLOG="payto://iban/$MERCHANT_IBAN_BLOG?receiver-name=Blog+Merchant"
   MERCHANT_PAYTO_GNUNET="payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant"
   MERCHANT_PAYTO_TALER="payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant"
   MERCHANT_PAYTO_TOR="payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant"
   MERCHANT_PAYTO_UMAMI="payto://iban/$MERCHANT_IBAN_UMAMI?receiver-name=Umami"
   MERCHANT_PAYTO_SANDBOX="payto://iban/$MERCHANT_IBAN_SANDBOX?receiver-name=Sandbox+Merchant"
 elif [[ $WIRE_METHOD = x-taler-bank ]]; then
   XTBHOST=sandcastle
   EXCHANGE_PAYTO="payto://x-taler-bank/$XTBHOST/exchange?receiver-name=Sandcastle+Echange+Inc"
   MERCHANT_PAYTO_ADMIN="payto://x-taler-bank/$XTBHOST/merchant-admin?receiver-name=Default+Merchant"
   MERCHANT_PAYTO_POS="payto://x-taler-bank/$XTBHOST/merchant-pos?receiver-name=PoS+Merchant"
   MERCHANT_PAYTO_BLOG="payto://x-taler-bank/$XTBHOST/merchant-blog?receiver-name=Blog+Merchant"
   MERCHANT_PAYTO_GNUNET="payto://x-taler-bank/$XTBHOST/merchant-gnunet?receiver-name=GNUnet+Merchant"
   MERCHANT_PAYTO_TALER="payto://x-taler-bank/$XTBHOST/merchant-taler?receiver-name=Taler+Merchant"
   MERCHANT_PAYTO_TOR="payto://x-taler-bank/$XTBHOST/merchant-tor?receiver-name=Tor+Merchant"
   MERCHANT_PAYTO_UMAMI="payto://x-taler-bank/$XTBHOST/merchant-umami?receiver-name=Umami"
   MERCHANT_PAYTO_SANDBOX="payto://x-taler-bank/$XTBHOST/merchant-sandbox?receiver-name=Sandbox+Merchant"
 else
   echo "wire method $WIRE_METHOD not supported"
   exit 1
 fi
 
 MYDOMAIN=${MYDOMAIN:="demo.taler.net"}
 LANDING_DOMAIN=$MYDOMAIN
 BANK_DOMAIN=bank.$MYDOMAIN
 EXCHANGE_DOMAIN=exchange.$MYDOMAIN
 MERCHANT_DOMAIN=backend.$MYDOMAIN
 DONAU_DOMAIN=donau.$MYDOMAIN
 BLOG_DOMAIN=shop.$MYDOMAIN
 DONATIONS_DOMAIN=donations.$MYDOMAIN
 DRUPAL_DOMAIN=drupal.$MYDOMAIN
 CHALLENGER_DOMAIN=challenger.$MYDOMAIN
 AUDITOR_DOMAIN=auditor.$MYDOMAIN
 
 # Ports of the services running inside the container.
 # Should be synchronized with the sandcastle-run script.
 PORT_INTERNAL_EXCHANGE=8201
 PORT_INTERNAL_MERCHANT=8301
 PORT_INTERNAL_LIBEUFIN_BANK=8080
 PORT_INTERNAL_LANDING=8501
 PORT_INTERNAL_BLOG=8502
 PORT_INTERNAL_DONATIONS=8503
 PORT_INTERNAL_PROVISION=8504
 PORT_INTERNAL_BANK_SPA=8505
 PORT_INTERNAL_CHALLENGER=8506
 PORT_INTERNAL_AUDITOR=8507
 PORT_INTERNAL_DONAU=8508
 PORT_INTERNAL_DRUPAL=8509
 
 
 ENABLE_AUDITOR=0
 
 # Just make sure the services are stopped
 systemctl stop postgresql.service
 systemctl stop taler-auditor.target
 systemctl stop taler-exchange.target
 systemctl stop taler-exchange-offline.timer
 systemctl stop taler-merchant-httpd.service
 systemctl stop taler-merchant.target
 systemctl stop taler-demo-landing.service
 systemctl stop taler-demo-blog.service
 systemctl stop taler-demo-donations.service
 systemctl stop libeufin-bank.service
 systemctl stop donau-httpd.service
 
 # libeufin-nexus is not used
 systemctl stop libeufin-nexus-ebics-fetch.service
 systemctl disable libeufin-nexus-ebics-fetch.service
 systemctl stop libeufin-nexus-ebics-submit.service
 systemctl disable libeufin-nexus-ebics-submit.service
 
 systemctl reset-failed
 
 # We now make sure that some important locations are symlinked to
 # the persistent storage volume.
 # Files that already exist in this location are moved to the storage volume
 # and then symlinked.
 # These locations are:
 # /etc/taler
 # /etc/libeufin
 # /var/lib/taler
 # postgres DB directory
 
 function lift_dir() {
   where=$1
   src=$2
   target=$3
   if [[ -L $src ]]; then
     # be idempotent
     echo "$src is already a symlink"
   elif [[ -d /$where/$target ]]; then
     echo "symlinking existing /$where/$target"
     rm -rf "$src"
     ln -s "/$where/$target" "$src"
   else
     echo "symlinking new /$where/$target"
     mv "$src" "/$where/$target"
     ln -s "/$where/$target" "$src"
   fi
 }
 
 lift_dir talerdata /var/lib/taler-exchange var-lib-taler-exchange
 lift_dir talerdata /etc/taler-merchant etc-taler-merchant
 lift_dir talerdata /etc/taler-exchange etc-taler-exchange
 lift_dir talerdata /etc/taler-exchange etc-taler-auditor
 lift_dir talerdata /etc/donau etc-donau
 lift_dir talerdata /etc/libeufin etc-libeufin
 # lift both config and data
 lift_dir talerdata /etc/postgresql etc-postgresql
 lift_dir talerdata /var/lib/postgresql var-lib-postgresql
 # offline keys are in a separate volume
 lift_dir talerdata_persistent /var/lib/taler-exchange/offline exchange-offline
 
 # Usage: get_credential_pw COMPONENT/ACCOUNT
 function get_credential_pw() {
   if [[ ${USE_INSECURE_SANDBOX_PASSWORDS:-0} = 1 ]]; then
     echo "sandbox"
     return
   fi
   p=/credentials/$1
   if [[ ! -f $p ]]; then
     mkdir -p $(dirname "$p")
     uuidgen -r >$p
   fi
   cat "$p"
 }
 
 import_instr=none
 if [[ -d /exported && -e /exported/import-request ]]; then
   import_instr=$(cat /exported/import-request)
 fi
 
 # If necessary, import the offline key.
 # Done before everything else, as we need the key
 # to generate the config.
 
 if [[ $import_instr = all ]]; then
   echo "Importing exchange offline key"
   rm -rf /var/lib/taler-exchange/offline/*
   cp -r /exported/taler-exchange/offline/* /var/lib/taler-exchange/offline/
 fi
 
 # Adjust ownership.
 # Necessary when the container is rebuilt with different user IDs.
 chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/. || true
 chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf
 chown taler-exchange-wire:root /etc/taler-exchange/secrets/exchange-accountcredentials-*.conf
 chown taler-merchant-httpd:root /etc/taler-merchant/secrets/merchant-db.secret.conf
 chown root:donau-db /etc/donau/secrets/donau-db.secret.conf
 
 
 MASTER_PUBLIC_KEY=$(sudo -u taler-exchange-offline taler-exchange-offline -LDEBUG setup)
 
 
 #
 # Create the basic configuration files
 #
 
 mkdir -p /etc/challenger/conf.d
 cat <<EOF >/etc/challenger/conf.d/setup-sandcastle.conf
 [challenger]
 BASE_URL = $PROTO://$CHALLENGER_DOMAIN$PORT_SUFFIX/
 ADDRESS_TYPE = email
 AUTH_COMMAND = /data/sandcastle-challenger-auth
 ADDRESS_RESTRICTIONS = {"email":{"hint":"not an e-mail address","regex":"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$"}}
 EOF
 
 cat <<EOF >/etc/libeufin/libeufin-bank.conf
 [libeufin-bank]
 BASE_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/
 CURRENCY = $CURRENCY
 DEFAULT_DEBT_LIMIT = $CURRENCY:500
 REGISTRATION_BONUS = $CURRENCY:100
 SPA_CAPTCHA_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/webui/#/operation/{woid}
 SUGGESTED_WITHDRAWAL_EXCHANGE = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
 ALLOW_REGISTRATION = yes
 SERVE = tcp
 PORT = 8080
 # Bind address.
 # Option soon to be deprecated!
 ADDRESS = 0.0.0.0
 WIRE_TYPE = $WIRE_METHOD
 
 # Compat mode for now
 PWD_CHECK = no
 PWD_AUTH_COMPAT = yes
 
 [currency-$CURRENCY]
 ENABLED = YES
 name = "${NAME:=Kudos}"
 code = "$CURRENCY"
 decimal_separator = "."
 fractional_input_digits = ${FRACTIONALS:=2}
 fractional_normal_digits = ${FRACTIONALS:=2}
 fractional_trailing_zero_digits = ${FRACTIONALS:=2}
 is_currency_name_leading = NO
 alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"}
 EOF
 
 cat <<EOF >/etc/libeufin/settings.json
 {
   "topNavSites": {
     "Landing": "$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/",
     "Bank": "$PROTO://$BANK_DOMAIN$PORT_SUFFIX",
     "Essay Shop": "$PROTO://$BLOG_DOMAIN$PORT_SUFFIX",
     "Donations": "$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX",
   }
 }
 EOF
 
 # Generate /tmp/sandcastle-setup.conf
 cat <<EOF >/tmp/sandcastle-setup.conf
 [currency-$CURRENCY]
 ENABLED = YES
 name = "${NAME:=Kudos}"
 code = "$CURRENCY"
 decimal_separator = "."
 fractional_input_digits = ${FRACTIONALS:=2}
 fractional_normal_digits = ${FRACTIONALS:=2}
 fractional_trailing_zero_digits = ${FRACTIONALS:=2}
 is_currency_name_leading = NO
 alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"}
 EOF
 
 cp /tmp/sandcastle-setup.conf /etc/taler-exchange/conf.d/sandcastle-setup.conf
 cp /tmp/sandcastle-setup.conf /etc/taler-merchant/conf.d/sandcastle-setup.conf
 
 
 cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-exchange.conf
 [exchange]
 CURRENCY = $CURRENCY
 CURRENCY_ROUND_UNIT = $CURRENCY:0.01
 TINY_AMOUNT = $CURRENCY:0.01
 AML_THRESHOLD = $CURRENCY:1000000
 MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY
 BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
 
 [taler-exchange-secmod-rsa]
 LOOKAHEAD_SIGN = 4 weeks
 
 [taler-exchange-secmod-eddsa]
 LOOKAHEAD_SIGN = 4 weeks
 
 [taler-exchange-secmod-cs]
 LOOKAHEAD_SIGN = 4 weeks
 
 [exchange-account-default]
 PAYTO_URI = $EXCHANGE_PAYTO
 ENABLE_DEBIT = YES
 ENABLE_CREDIT = YES
 @inline-secret@ exchange-accountcredentials-default ../secrets/exchange-accountcredentials-default.secret.conf
 EOF
 
 
 cat <<EOF >/etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf
 [exchange-accountcredentials-default]
 WIRE_GATEWAY_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/accounts/exchange/taler-wire-gateway/
 WIRE_GATEWAY_AUTH_METHOD = basic
 USERNAME = exchange
 PASSWORD = $(get_credential_pw bank/exchange)
 EOF
 
 if [[ $ENABLE_AUDITOR = 1 ]]; then
   # Make sandcastle exchange config available to auditor
   cp /etc/taler-exchange/conf.d/sandcastle-exchange.conf /etc/taler-auditor/conf.d/sandcastle-exchange.conf
 
   # We run the offline tooling as root, maybe in the future there should be
   # a separate user created by the Debian package for that.
   AUDITOR_PUB=$(taler-auditor-offline setup)
 
   cat <<EOF >/etc/taler-auditor/conf.d/sandcastle-auditor.conf
 [auditor]
 PUBLIC_KEY = $AUDITOR_PUB
 
 [exchangedb]
 
 $(dup_exchange_opt exchangedb IDLE_RESERVE_EXPIRATION_TIME)
 $(dup_exchange_opt exchangedb LEGAL_RESERVE_EXPIRATION_TIME)
 $(dup_exchange_opt exchangedb AGGREGATOR_SHIFT)
 $(dup_exchange_opt exchangedb DEFAULT_PURSE_LIMIT)
 
 [exchangedb-postgres]
 $(dup_exchange_opt exchangedb-postgres CONFIG)
 
 [exchange]
 $(dup_exchange_opt exchange CURRENCY)
 $(dup_exchange_opt exchange CURRENCY_ROUND_UNIT)
 $(dup_exchange_opt exchange DB)
 
 
 EOF
 fi
 
 # The config shipped with the package can conflict with the
 # trusted sandcastle exchange if the currency is KUDOS.
 rm -f /usr/share/taler-exchange/config.d/kudos.conf
 rm -f /usr/share/taler-merchant/config.d/kudos.conf
 
 
 MY_HELPER_EMAIL=${OVERRIDE_MERCHANT_HELPER_EMAIL:-/data/sandcastle-merchant-email-helper}
 
 # By default, use standalone SPA
 MERCHANT_SPA_SETTING=
 if [[ ${STANDALONE_MERCHANT_SPA:-1} == 1 ]]; then
   MERCHANT_SPA_SETTING="BACKOFFICE_SPA_DIR = /usr/local/share/taler-merchant-backoffice/"
 fi
 
 # We need to define the default currency for the UI.
 cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant.conf
 [merchant]
 CURRENCY = $CURRENCY
 
 ENABLE_SELF_PROVISIONING = YES
 
 MANDATORY_TAN_CHANNELS = email
 
 HELPER_EMAIL = $MY_HELPER_EMAIL
 
 $MERCHANT_SPA_SETTING
 
 EOF
 
 cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant-exchanges.conf
 [merchant-exchange-sandcastle]
 EXCHANGE_BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
 MASTER_KEY = $MASTER_PUBLIC_KEY
 CURRENCY = $CURRENCY
 EOF
 
 # Allow overrides to modify merchant config
 [[ $(type -t hook_merchant_config) == function ]] && hook_merchant_config
 
 # FIXME: This is a workaround, fix the packaging of taler-merchant-frontends here!
 mkdir -p /etc/taler
 
 
 cat <<EOF >/etc/taler/taler-merchant-frontends.conf
 # Different entry point, we need to repeat some settings.
 # In the future, taler-merchant-demos should become
 # robust enough to read from the main config.
 [taler]
 CURRENCY = $CURRENCY
 
 [frontend-demo-landing]
 SERVE = http
 HTTP_PORT = $PORT_INTERNAL_LANDING
 
 [frontend-demo-blog]
 SERVE = http
 HTTP_PORT = $PORT_INTERNAL_BLOG
 BACKEND_URL = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/blog/
 BACKEND_APIKEY = secret-token:$(get_credential_pw merchant/blog)
 
 [frontend-demo-donations]
 DONAU_URL = $PROTO://$DONAU_DOMAIN$PORT_SUFFIX/
 SERVE = http
 HTTP_PORT = $PORT_INTERNAL_DONATIONS
 BACKEND_URL_TOR = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/tor/
 BACKEND_APIKEY_TOR = secret-token:$(get_credential_pw merchant/tor)
 BACKEND_URL_TALER = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/taler/
 BACKEND_APIKEY_TALER = secret-token:$(get_credential_pw merchant/taler)
 BACKEND_URL_GNUNET = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/gnunet/
 BACKEND_APIKEY_GNUNET = secret-token:$(get_credential_pw merchant/gnunet)
 EOF
 
 # This really should not exist, the taler-merchant-frontends
 # should be easier to configure!
 cat <<EOF >/etc/taler/taler-merchant-frontends.env
 TALER_ENV_URL_INTRO=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/
 TALER_ENV_URL_LANDING=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/
 TALER_ENV_URL_BANK=$PROTO://$BANK_DOMAIN$PORT_SUFFIX/
 TALER_ENV_URL_MERCHANT_BLOG=$PROTO://$BLOG_DOMAIN$PORT_SUFFIX/
 TALER_ENV_URL_MERCHANT_DONATIONS=$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX/
 EOF
 
 #
 # Create databases
 #
 
 function wait_pg_ready() {
   while true; do
     ret=0
     pg_isready || ret=$?
     case "$ret" in
       0)
         echo "Postgres is ready" >&2
         break
         ;;
       1|2)
         echo "pg_isready returned status $ret, waiting" >&2
         sleep 1
         ;;
       3)
         echo "pg_isready returned status $ret, giving up" >&2
         exit 3
         ;;
     esac
   done
 }
 
 # Since the sandcastle is a test system, we turn fsync off for performance
 # reasons (especially with the drupal setup).
 # CAUTION: You do not want to set this in production,
 # especially not for the taler-exchange.
 pg_conftool 17 main set fsync off
 
 backup_file=/exported/postgres-backup.sql
 if [[ $import_instr = singledump ]]; then
   echo "Importing database dump"
   if [[ ! -e "$backup_file" ]]; then
     echo "Requested import, but backup file does not exist" >&2
     exit 1
   fi
   pg_dropcluster --stop 17 main || true
   pg_createcluster 17 main
   systemctl start postgresql.service
   wait_pg_ready
   sudo -u postgres psql postgres -f "$backup_file"
 else
   systemctl start postgresql.service
   wait_pg_ready
 fi
 
 # Set up databases.
 # Do that *before* we potentially do a per-service restore-from-backup.
 
 challenger-dbconfig
 
 # Sets up the database for both libeufin-bank and libeufin-nexus.  We only need
 # the libeufin-bank DB though.
 libeufin-dbconfig
 
 if [[ $ENABLE_AUDITOR = 1 ]]; then
   # Add auditor user to DB group *before* running taler-exchange-dbconfig,
   # so that DB permissions are adjusted accordingly.
   usermod taler-auditor-httpd -aG taler-exchange-db
   taler-auditor-dbconfig
 fi
 
 taler-exchange-dbconfig
 
 taler-merchant-dbconfig
 
 
 #
 # Import backup if necessary.
 #
 
 if [[ $import_instr = all ]]; then
   echo "Importing databases"
 
   # FIXME: Consider backing up old DB before importing new one
   # FIXME: This is rather hacky, it would be better to use "pg_dump -Fc" and "pg_restore"
   sudo -u postgres dropdb taler-exchange
   sudo -u postgres dropdb taler-merchant
   sudo -u postgres dropdb libeufin
 
   sudo -u postgres createdb taler-exchange
   sudo -u postgres createdb taler-merchant
   sudo -u postgres createdb libeufin
 
   sudo -u postgres psql taler-exchange -f /exported/taler-exchange/taler-exchange.sql
   sudo -u postgres psql taler-merchant -f /exported/taler-merchant/taler-merchant.sql
   sudo -u postgres psql libeufin -f /exported/libeufin/libeufin.sql
 
   libeufin-dbconfig
   taler-exchange-dbconfig
   taler-merchant-dbconfig
 
   rm -rf /var/lib/taler-exchange/secmod-eddsa/*
   cp -r /exported/taler-exchange/secmod-eddsa/* /var/lib/taler-exchange/secmod-eddsa/
 
   rm -rf /var/lib/taler-exchange/secmod-rsa/*
   cp -r /exported/taler-exchange/secmod-rsa/* /var/lib/taler-exchange/secmod-rsa/
 
   rm -rf /var/lib/taler-exchange/secmod-cs/*
   cp -r /exported/taler-exchange/secmod-cs/* /var/lib/taler-exchange/secmod-cs/
 fi
 
 if [[ $import_instr != none ]]; then
   echo "Marking import as done"
   rm /exported/import-request
 fi
 
 # We need to adjust file ownership, as the container might have different user and group
 # IDs than the volume. That can happen when the packages in the container are installed
 # in a different order.
 # This is only relevant for non-root ownership.
 chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/* || true
 chown --recursive taler-exchange-secmod-cs:taler-exchange-secmod /var/lib/taler-exchange/secmod-cs
 chown --recursive taler-exchange-secmod-rsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-rsa
 chown --recursive taler-exchange-secmod-eddsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-eddsa
 chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf
 chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf
 chmod 440 /etc/taler-merchant/secrets/merchant-db.secret.conf
 chown taler-merchant-httpd:root /etc/taler-merchant/secrets/merchant-db.secret.conf
 chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf
 chown taler-exchange-wire:taler-exchange-db /etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf
 
 
 # Caddy configuration.
 # We use the caddy reverse proxy with automatic
 # internal TLS setup to ensure that the services are
 # reachable inside the container without any external
 # DNS setup under the same domain name and with TLS
 # from inside the container.
 
 systemctl stop caddy.service
 
 cat <<EOF >/etc/caddy/Caddyfile
 {
   servers {
       trusted_proxies static private_ranges
   }
 }
 
 # Services that only listen on unix domain sockets
 # are reverse-proxied to serve on a TCP port.
 
 :$PORT_INTERNAL_EXCHANGE {
   reverse_proxy unix//run/taler-exchange/httpd/exchange-http.sock
 }
 
 :$PORT_INTERNAL_MERCHANT {
   reverse_proxy unix//run/taler-merchant/httpd/merchant-http.sock {
     # Set this, or otherwise wrong taler://pay URIs will be generated.
     header_up X-Forwarded-Proto "https"
   }
 }
 
 :$PORT_INTERNAL_DONAU {
   reverse_proxy unix//run/donau/httpd/http.sock {
     header_up X-Forwarded-Proto "https"
   }
 }
 
 :$PORT_INTERNAL_BANK_SPA {
   root * /usr/share/libeufin/spa
   root /settings.json /etc/libeufin/
   file_server
 }
 
 :$PORT_INTERNAL_DRUPAL {
   root * /talerdata/sandcastle-drupal/web/
   php_fastcgi unix/var/run/php/php8.4-fpm.sock
   file_server
 }
 
 :$PORT_INTERNAL_AUDITOR {
   reverse_proxy unix//run/taler-auditor/httpd/auditor-http.sock
 }
 
 :$PORT_INTERNAL_CHALLENGER {
   handle {
     reverse_proxy unix//run/challenger/httpd/challenger.http {
       # Set this, or otherwise wrong taler://pay URIs will be generated.
       header_up X-Forwarded-Proto "https"
     }
   }
 
   # Serve challenges via HTTP.
   # This is obviously completely insecure, but fine
   # for the demo sandcastle.
   handle_path /challenges/* {
     root * /tmp/challenges/
     file_server {
       browse
     }
   }
 }
 EOF
 
 if [[ $PROTO = https ]]; then
   cat <<EOF >>/etc/caddy/Caddyfile
 
 # Internally reverse-proxy https://,
 # so that service can talk to each other via
 # https:// inside the container.
 
 https://$BANK_DOMAIN {
   tls internal
   reverse_proxy :8080 {
     # libeufin-bank should eventually not require this anymore,
     # but currently doesn't work without this header.
     header_up X-Forwarded-Prefix ""
   }
 }
 
 https://$EXCHANGE_DOMAIN {
   tls internal
   reverse_proxy unix//run/taler-exchange/httpd/exchange-http.sock
 }
 
 https://$MERCHANT_DOMAIN {
   tls internal
   reverse_proxy unix//run/taler-merchant/httpd/merchant-http.sock {
     # Set this, or otherwise wrong taler://pay URIs will be generated.
     header_up X-Forwarded-Proto "https"
   }
 }
 
 https://$DONAU_DOMAIN {
   tls internal
   reverse_proxy unix//run/donau/httpd/http.sock {
     header_up X-Forwarded-Proto "https"
   }
 }
 
 https://$AUDITOR_DOMAIN {
   tls internal
   reverse_proxy unix//run/taler-auditor/httpd/auditor-http.sock
 }
 
 https://$CHALLENGER_DOMAIN {
   tls internal
   reverse_proxy unix//run/challenger/httpd/challenger.http
 }
 
 EOF
 
 else
   # Config for HTTP without TLS.
 
   cat <<EOF >>/etc/caddy/Caddyfile
 
 http://$BANK_DOMAIN$PORT_SUFFIX {
   reverse_proxy :8080 {
     # libeufin-bank should eventually not require this anymore,
     # but currently doesn't work without this header.
     header_up X-Forwarded-Prefix ""
   }
 }
 
 http://$EXCHANGE_DOMAIN$PORT_SUFFIX {
   reverse_proxy unix//run/taler-exchange/httpd/exchange-http.sock
 }
 
 http://$MERCHANT_DOMAIN$PORT_SUFFIX {
   reverse_proxy unix//run/taler-merchant/httpd/merchant-http.sock
 }
 
 http://$DONAU_DOMAIN$PORT_SUFFIX {
   reverse_proxy unix//run/donau/httpd/http.sock
 }
 
 http://$AUDITOR_DOMAIN$PORT_SUFFIX {
   reverse_proxy unix//run/taler-auditor/httpd/auditor-http.sock
 }
 
 http://$CHALLENGER_DOMAIN$PORT_SUFFIX {
   reverse_proxy unix//run/challenger/httpd/challenger.http
 }
 
 http://$LANDING_DOMAIN$PORT_SUFFIX {
   reverse_proxy :$PORT_INTERNAL_LANDING
 }
 
 http://$BLOG_DOMAIN$PORT_SUFFIX {
   reverse_proxy :$PORT_INTERNAL_BLOG
 }
 
 http://$DONATIONS_DOMAIN$PORT_SUFFIX {
   reverse_proxy :$PORT_INTERNAL_DONATIONS
 }
 
 http://$DRUPAL_DOMAIN$PORT_SUFFIX {
   reverse_proxy :$PORT_INTERNAL_DRUPAL
 }
 
 EOF
 
 fi
 
 cat <<EOF >>/etc/hosts
 # Start of Taler Sandcastle Domains
 127.0.0.1 $LANDING_DOMAIN
 127.0.0.1 $BANK_DOMAIN
 127.0.0.1 $EXCHANGE_DOMAIN
 127.0.0.1 $MERCHANT_DOMAIN
 127.0.0.1 $BLOG_DOMAIN
 127.0.0.1 $DONATIONS_DOMAIN
 127.0.0.1 $CHALLENGER_DOMAIN
 127.0.0.1 $DRUPAL_DOMAIN
 # End of Taler Sandcastle Domains
 EOF
 
 systemctl start caddy.service
 
 # Install local, internal CA certs for caddy
 caddy trust
 
 # Set up challenger
 
 CHALLENGER_CLIENT_SECRET=secret-token:sandbox
 CHALLENGER_CLIENT_ID=$(sudo -u challenger-httpd challenger-admin -q --add="$CHALLENGER_CLIENT_SECRET" https://$EXCHANGE_DOMAIN/kyc-proof/mychallenger)
 echo Challenger client ID: $CHALLENGER_CLIENT_ID
 
 systemctl enable --now challenger-httpd.service
 
 # Set up bank
 
 sudo -u libeufin-bank libeufin-bank edit-account admin --debit_threshold=$CURRENCY:1000000
 sudo -u libeufin-bank libeufin-bank passwd admin $(get_credential_pw bank/admin)
 
 systemctl enable --now libeufin-bank.service
 
 BANK_BASEURL=$PROTO://$BANK_DOMAIN$PORT_SUFFIX/
 
 taler-harness deployment wait-taler-service taler-corebank ${BANK_BASEURL}config
 
 sudo -u libeufin-bank libeufin-bank passwd exchange $(get_credential_pw bank/exchange) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login exchange --exchange --public \
   --payto $EXCHANGE_PAYTO \
   --name Exchange \
   --password $(get_credential_pw bank/exchange)
 
 sudo -u libeufin-bank libeufin-bank passwd merchant-admin $(get_credential_pw bank/merchant-admin) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-admin --public \
   --payto $MERCHANT_PAYTO_ADMIN \
   --name "Default Demo Merchant" \
   --password $(get_credential_pw bank/merchant-admin)
 
 sudo -u libeufin-bank libeufin-bank passwd merchant-pos $(get_credential_pw bank/merchant-pos) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-pos --public \
   --payto $MERCHANT_PAYTO_POS \
   --name "PoS Merchant" \
   --password $(get_credential_pw bank/merchant-pos)
 
 sudo -u libeufin-bank libeufin-bank passwd merchant-blog $(get_credential_pw bank/merchant-blog) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-blog --public \
   --payto $MERCHANT_PAYTO_BLOG \
   --name "Blog Merchant" \
   --password $(get_credential_pw bank/merchant-blog)
 
 sudo -u libeufin-bank libeufin-bank passwd merchant-gnunet $(get_credential_pw bank/merchant-gnunet) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-gnunet --public \
   --payto "$MERCHANT_PAYTO_GNUNET" \
   --name "GNUnet Donations Merchant" \
   --password $(get_credential_pw bank/merchant-gnunet)
 
 sudo -u libeufin-bank libeufin-bank passwd merchant-taler $(get_credential_pw bank/merchant-taler) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-taler --public \
   --payto "$MERCHANT_PAYTO_TALER" \
   --name "Taler Donations Merchant" \
   --password $(get_credential_pw bank/merchant-taler)
 
 sudo -u libeufin-bank libeufin-bank passwd merchant-tor $(get_credential_pw bank/merchant-tor) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-tor --public \
   --payto "$MERCHANT_PAYTO_TOR" \
   --name "Tor Donations Merchant" \
   --password $(get_credential_pw bank/merchant-tor)
 
 sudo -u libeufin-bank libeufin-bank passwd merchant-umami $(get_credential_pw bank/merchant-umami) || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-umami --public \
   --payto "$MERCHANT_PAYTO_UMAMI" \
   --name "Umami Merchant" \
   --password $(get_credential_pw bank/merchant-umami)
 
 # Special bank account without a secure password
 sudo -u libeufin-bank libeufin-bank passwd merchant-sandbox sandbox || true
 taler-harness deployment provision-bank-account "${BANK_BASEURL}" \
   --login merchant-sandbox --public \
   --payto "$MERCHANT_PAYTO_SANDBOX" \
   --name "Sandbox Merchant" \
   --password sandbox
 
 # Set up exchange
 
 ##
 ## Configure KYC if enabled
 ##
 
 if [[ ${ENABLE_KYC:-0} = 1 ]]; then
   # KYC config
   if [[ ${KYC_DIALECT:-simple} = simple ]]; then
     source /data/setup-kyc-simple.sh
   elif [[ ${KYC_DIALECT:-simple} = tops ]]; then
     source /data/setup-kyc-tops.sh
   fi
 else
   rm -f /etc/taler-exchange/conf.d/sandcastle-kyc.conf
 fi
 
 
 if [[ ! -e /etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf ]]; then
   # Only create if necessary, as each [COIN-...] section
   # has a unique name with a timestamp.
   taler-harness deployment gen-coin-config \
     --min-amount "${CURRENCY}:0.01" \
     --max-amount "${CURRENCY}:100" \
     --no-fees \
     >"/etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf"
 else
   # Exchange broke backwards compatibility, fix up existing config file.
   sed -i 's/COIN-/COIN_/gI' "/etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf"
 fi
 
 taler-terms-generator -i /usr/share/taler-exchange/terms/exchange-tos-v0
 taler-terms-generator -i /usr/share/taler-exchange/terms/exchange-pp-v0
 
 systemctl enable --now taler-exchange.target
 
 taler-harness deployment wait-taler-service taler-exchange $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/config
 taler-harness deployment wait-endpoint $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/management/keys
 
 sudo -u taler-exchange-offline \
   taler-exchange-offline \
   -c /etc/taler-exchange/taler-exchange.conf \
   download \
   sign \
   upload
 
 sudo -u taler-exchange-offline \
   taler-exchange-offline \
   enable-account "${EXCHANGE_PAYTO}" \
   wire-fee now "$WIRE_METHOD" "${CURRENCY}":0 "${CURRENCY}":0 \
   global-fee now "${CURRENCY}":0 "${CURRENCY}":0 "${CURRENCY}":0 1h 6a 0 \
   upload
 
 systemctl enable --now taler-exchange-offline.timer
 
 function dup_exchange_opt() {
   echo "$2 = $(taler-exchange-config -c /etc/taler-exchange/taler-exchange.conf -s $1 -o $2)"
 }
 
 #
 # Set up exchange auditor
 #
 
 if [[ $ENABLE_AUDITOR = 1 ]]; then
   systemctl enable --now taler-auditor.target
 fi
 
 # Set up merchant backend
 
 MERCHANT_BASEURL=$PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/
 
 cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant-terms.conf
 [merchant]
 TERMS_ETAG = merchant-tos-demo-v0
 TERMS_DIR = \${TALER_DATA_HOME}terms/
 EOF
 
 taler-terms-generator -i /usr/share/taler-merchant/terms/merchant-tos-demo-v0.en.rst -o "$(taler-merchant-config -f -s merchant -o terms_dir)"
 
 systemctl enable --now taler-merchant.target
 taler-harness deployment wait-taler-service taler-merchant ${MERCHANT_BASEURL}config
 
 function reset_merchant_pw() {
   pw=$(get_credential_pw merchant/$1)
   sudo -u taler-merchant-httpd taler-merchant-passwd --instance "$1" "$pw"
   if [[ $? -eq 2 ]]; then
     echo "Instance $1 does not exist" >&2
     return 2
   fi
   if [[ $? -ne 0 ]]; then
     echo "Failed to reset password for merchant instance $1" >&2
     exit 1
   fi
 }
 
 # FIXME: Move this into a harness tool (that just reads a config file)?
 
 instance_missing=no
 reset_merchant_pw admin || instance_missing=yes
 if [[ $instance_missing = yes ]]; then
   taler-harness deployment provision-merchant-instance \
     ${MERCHANT_BASEURL} \
     --management-token "secret-token:none" \
     --instance-password $(get_credential_pw merchant/admin) \
     --name Merchant \
     --id admin \
     --payto "$MERCHANT_PAYTO_ADMIN"
 fi
 
 ADMIN_TOK=$(taler-harness merchant token ${MERCHANT_BASEURL} admin --password $(get_credential_pw merchant/admin))
 
 instance_missing=no
 reset_merchant_pw pos || instance_missing=yes
 if [[ $instance_missing = yes ]]; then
   taler-harness deployment provision-merchant-instance \
     ${MERCHANT_BASEURL} \
     --management-token $ADMIN_TOK \
     --instance-password $(get_credential_pw merchant/pos) \
     --name "POS Merchant" \
     --id pos \
     --payto "$MERCHANT_PAYTO_POS"
 fi
 
 instance_missing=no
 reset_merchant_pw blog || instance_missing=yes
 if [[ $instance_missing = yes ]]; then
   taler-harness deployment provision-merchant-instance \
     ${MERCHANT_BASEURL} \
     --management-token $ADMIN_TOK \
     --instance-password $(get_credential_pw merchant/blog) \
     --name "Blog Merchant" \
     --id blog \
     --payto "$MERCHANT_PAYTO_BLOG"
 fi
 
 instance_missing=no
 reset_merchant_pw gnunet || instance_missing=yes
 if [[ $instance_missing = yes ]]; then
   taler-harness deployment provision-merchant-instance \
     ${MERCHANT_BASEURL} \
     --management-token $ADMIN_TOK \
     --instance-password $(get_credential_pw merchant/gnunet) \
     --name "GNUnet Merchant" \
     --id gnunet \
     --payto "$MERCHANT_PAYTO_GNUNET"
 fi
 
 instance_missing=no
 reset_merchant_pw taler || instance_missing=yes
 if [[ $instance_missing = yes ]]; then
   taler-harness deployment provision-merchant-instance \
     ${MERCHANT_BASEURL} \
     --management-token $ADMIN_TOK \
     --instance-password $(get_credential_pw merchant/taler) \
     --name "Taler Merchant" \
     --id taler \
     --payto "$MERCHANT_PAYTO_TALER"
 fi
 
 instance_missing=no
 reset_merchant_pw tor || instance_missing=yes
 if [[ $instance_missing = yes ]]; then
   taler-harness deployment provision-merchant-instance \
     ${MERCHANT_BASEURL} \
     --management-token $ADMIN_TOK \
     --instance-password $(get_credential_pw merchant/tor) \
     --name "Tor Merchant" \
     --id tor \
     --payto "$MERCHANT_PAYTO_TOR"
 fi
 
 instance_missing=no
 reset_merchant_pw umami || instance_missing=yes
 if [[ $instance_missing = yes ]]; then
   taler-harness deployment provision-merchant-instance \
     ${MERCHANT_BASEURL} \
     --management-token $ADMIN_TOK \
     --instance-password $(get_credential_pw merchant/umami) \
     --name "Umami Merchant" \
     --id umami \
     --payto "$MERCHANT_PAYTO_UMAMI"
 fi
 
 # Special instance with fixed "sandbox" password
 sudo -u taler-merchant-httpd taler-merchant-passwd --instance sandbox sandbox || true
 taler-harness deployment provision-merchant-instance \
   ${MERCHANT_BASEURL} \
   --management-token $ADMIN_TOK \
   --instance-password sandbox \
   --name "sandbox merchant" \
   --id sandbox \
   --payto "$MERCHANT_PAYTO_SANDBOX"
 
 # token families needed by demo blog
 
 langs=(de en ar zh fr hi it ja ko pt pt_BR ru es sv tr uk)
 valid_before_ts=$(date -u +%s -d '+1 year') # one year later
 duration_us=$((30 * 24 * 60 * 60 * 1000000)) # 30 days
 validity_granularity_us=$((24 * 60 * 60 * 1000000)) # 1 day
 
 # FIXME: Move this into a harness tool?
 for lang in "${langs[@]}"; do
     curl -X POST "${MERCHANT_BASEURL}instances/blog/private/tokenfamilies" \
          -H "Authorization: Bearer secret-token:$(get_credential_pw merchant/blog)" \
          -H "Content-Type: application/json" \
          --data-raw "{
   \"kind\": \"subscription\",
   \"slug\": \"blog_abo_${lang}\",
   \"name\": \"One month of access (${lang})\",
   \"description\": \"One month of access (${lang})\",
   \"description_i18n\": {
     \"de\": \"Ein monat lang Zugang zu den Artikeln\",
     \"en\": \"One month of access to articles\",
     \"fr\": \"Un mois d'accès aux articles\",
     \"es\": \"Un mes de acceso a los artículos\"
   },
   \"valid_before\": { \"t_s\": ${valid_before_ts} },
   \"duration\": { \"d_us\": ${duration_us} },
   \"validity_granularity\": { \"d_us\": ${validity_granularity_us} }
 }"
 done
 
 
 
 # Set up Donau
 
 cat <<EOF >/etc/donau/conf.d/sandcastle.conf
 [donau]
 CURRENCY = $CURRENCY
 LEGAL_DOMAIN = Gnuland
 EXPIRE_LEGAL_YEARS = 3
 # We don't do the token yet, as the merchant doesn't support
 # authenticating with donau.
 # ADMIN_BEARER_TOKEN = secret-token:secret
 EOF
 
 donau-dbconfig
 
 if [[ ! -e /etc/donau/conf.d/sandcastle-$CURRENCY-units.conf ]]; then
   # Only create if necessary
   taler-harness deployment gen-doco-config \
     --min-amount "${CURRENCY}:0.01" \
     --max-amount "${CURRENCY}:100" \
     >"/etc/donau/conf.d/sandcastle-$CURRENCY-units.conf"
 fi
 
 systemctl enable --now donau.target
 
 DONAU_BASE_URL=$PROTO://$DONAU_DOMAIN$PORT_SUFFIX/
 
 taler-harness deployment wait-taler-service donau ${DONAU_BASE_URL}config
 
 # Mailbox and Directory
 mkdir -p /etc/taler-directory
 cp /usr/share/taler-directory/taldir.conf.example /etc/taler-directory/taler-directory.conf
 taler-directory-dbconfig
 systemctl enable --now taler-directory.service
 
 mkdir -p /etc/taler-mailbox
 cp /usr/share/taler-mailbox/mailbox.conf.example /etc/taler-mailbox/taler-mailbox.conf
 sed -i 's/localhost:11000/localhost:12000/' /etc/taler-mailbox/taler-mailbox.conf
 taler-mailbox-dbconfig
 systemctl enable --now taler-mailbox.service
 
 GNUNET_TOK=$(taler-harness merchant token ${MERCHANT_BASEURL}instances/gnunet/ gnunet --password $(get_credential_pw merchant/gnunet))
 taler-harness deployment provision-merchant-donau \
   --merchant-auth-token $GNUNET_TOK \
   --merchant-base-url $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/gnunet/ \
   --donau-base-url $DONAU_BASE_URL \
   --donau-auth-token secret-token:secret \
   --currency $CURRENCY
 
 TALER_TOK=$(taler-harness merchant token ${MERCHANT_BASEURL}instances/taler/ taler --password $(get_credential_pw merchant/taler))
 taler-harness deployment provision-merchant-donau \
   --merchant-auth-token $TALER_TOK \
   --merchant-base-url $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/taler/ \
   --donau-base-url $DONAU_BASE_URL \
   --donau-auth-token secret-token:secret \
   --currency $CURRENCY
 
 TOR_TOK=$(taler-harness merchant token ${MERCHANT_BASEURL}instances/tor/ tor --password $(get_credential_pw merchant/tor))
 taler-harness deployment provision-merchant-donau \
   --merchant-auth-token $TOR_TOK \
   --merchant-base-url $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/tor/ \
   --donau-base-url $DONAU_BASE_URL \
   --donau-auth-token secret-token:secret \
   --currency $CURRENCY
 
 UMAMI_TOK=$(taler-harness merchant token ${MERCHANT_BASEURL}instances/umami/ umami --password $(get_credential_pw merchant/umami))
 
 # Now we set up the taler-merchant-demos
 
 systemctl enable --now taler-demo-landing
 systemctl enable --now taler-demo-blog
 systemctl enable --now taler-demo-donations
 
 # Turnstile (drupal/php)
 
 
 systemctl enable --now php8.4-fpm
 
 DRUPAL_DB_PW=$(get_credential_pw db/drupal)
 DRUPAL_ADMIN_PW=$(get_credential_pw drupal/admin)
 
 sudo -i -u postgres psql postgres -c "CREATE ROLE drupal WITH login;" || true
 sudo -i -u postgres psql postgres -c "ALTER ROLE drupal password '$DRUPAL_DB_PW';"
 sudo -u postgres createdb drupal --owner=drupal || true
 
 # Needed by PHP's composer
 export HOME=/root
 
 # FIXME: Would probably be better to checkout output of
 # drush status --fields=bootstrap --format=string
 
 cd /talerdata/
 if [[ ! -e /talerdata/sandcastle-drupal ]]; then
   composer create-project drupal/recommended-project:^10 sandcastle-drupal
   cd /talerdata/sandcastle-drupal
   composer require drush/drush
   # This can take a ridiculous amount of time!
   COMPOSER_PROCESS_TIMEOUT=0 composer exec -- drush site-install demo_umami --account-name=admin --account-pass=$DRUPAL_ADMIN_PW --account-mail=admin@localhost --db-url=pgsql://drupal:$DRUPAL_DB_PW@localhost/drupal --site-name=SandcastleUmami --yes
 fi
 
 chown -R www-data:www-data /talerdata/sandcastle-drupal/
 
 ln -sf /opt/turnstile /talerdata/sandcastle-drupal/web/modules/taler_turnstile
 
 snip=$(cat <<'EOF'
 $settings['reverse_proxy'] = TRUE;
 $settings['reverse_proxy_addresses'] = ['127.0.0.1', '10.0.0.0/8'];
 $settings['trusted_host_patterns'] = ['.*'];
 EOF
 )
 
 update_config_block /talerdata/sandcastle-drupal/web/sites/default/settings.php SANDCASTLE "$snip"
 
 cd /talerdata/sandcastle-drupal
 composer exec -- drush upwd admin $DRUPAL_ADMIN_PW
 composer exec -- drush en taler_turnstile
 composer exec -- drush config:set taler_turnstile.settings access_token "$UMAMI_TOK" --yes
 composer exec -- drush config:set taler_turnstile.settings payment_backend_url "$PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/umami/" --yes
 composer exec -- drush config:set --input-format=yaml taler_turnstile.settings enabled_content_types '["article", "recipe"]' --yes
 
 snip=$(cat <<'EOF' | sed "s/@CURRENCY@/$CURRENCY/"
 $storage = \Drupal::entityTypeManager()->getStorage('taler_turnstile_price_category');
 $e = $storage->create(['id'=>"normal", 'label'=>'Normal', 'description' => "Normal Article Price", 'prices' => ['%none%' => ['@CURRENCY@' => '0.3']]]);
 try {
   $e->save();
 } catch (Exception $ex) {
   echo $ex->getMessage();
   echo "\n";
 }
 EOF
 )
 composer exec -- drush php:eval "$snip"
 
 snip=$(cat <<'EOF'
 $prcat_storage = \Drupal::entityTypeManager()->getStorage('taler_turnstile_price_category');
 $node_storage = \Drupal::entityTypeManager()->getStorage('node');
 $prcat = $prcat_storage->load('normal');
 $nodes = $node_storage->loadByProperties(['type'=> ['article', 'recipe']]);
 foreach ($nodes as $k => $node) {
   echo 'updating node ' . $k . "\n";
   if (!$node->hasField('field_taler_turnstile_prcat')) {
     echo 'prcat missing' . "\n";
     continue;
   }
   $node->set('field_taler_turnstile_prcat', $prcat);
   $node->save();
 }
 EOF
 )
 composer exec -- drush php:eval "$snip"
 
 composer exec -- drush cr
 
 cd /
 
 # FIXME: Maybe do some taler-wallet-cli test?
 # FIXME: How do we report errors occurring during the setup script?