commit e5a83f4b2fe047de00f366b09fd84c630545087f parent b2c96855f7e2f6c72d2da0bdbc24c351db1a1c2a Author: Florian Dold <florian@dold.me> Date: Wed, 18 Oct 2023 23:31:50 +0200 import sandcastle-ng Diffstat:
20 files changed, 1052 insertions(+), 0 deletions(-)
diff --git a/sandcastle-ng/Dockerfile b/sandcastle-ng/Dockerfile 
@@ -0,0 +1,236 @@
+FROM debian:bookworm AS base-system
+
+# FIXMEs:
+# - debian packages should be built with a nightly tag
+# - the final image contains all build dependencies, this isn't really necessary
+# - the final image contains -dev packages, not really necessary
+# - GNUnet build dependencies are excessive, maybe we can just build the required libs?
+
+RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends install -y \
+ autoconf \
+ autopoint \
+ build-essential \
+ po-debconf \
+ debhelper-compat \
+ apt-utils \
+ libtool \
+ texinfo \
+ libgcrypt-dev \
+ libidn11-dev \
+ zlib1g-dev \
+ libunistring-dev \
+ libjansson-dev \
+ git \
+ recutils \
+ libsqlite3-dev \
+ libpq-dev \
+ libmicrohttpd-dev \
+ libsodium-dev \
+ libqrencode-dev \
+ zip \
+ unzip \
+ jq \
+ npm \
+ openjdk-17-jre-headless \
+ openjdk-17-jdk-headless \
+ default-jre-headless \
+ nano \
+ procps \
+ python3-jinja2 \
+ python3-pip \
+ python3-sphinx \
+ python3-sphinx-rtd-theme \
+ python3-venv \
+ python3-dev \
+ nodejs \
+ iptables \
+ miniupnpc \
+ libextractor-dev \
+ libbluetooth-dev \
+ libcurl4-gnutls-dev \
+ libogg-dev \
+ libopus-dev \
+ libpulse-dev \
+ fakeroot \
+ libzbar-dev \
+ libltdl-dev \
+ net-tools \
+ python3-flask \
+ python3-flask-babel \
+ uwsgi \
+ python3-bs4 \
+ pybuild-plugin-pyproject
+
+# old: libzbar-dev
+
+# FIXME: Try to use debian packages where possible and otherwise really use
+# a venv or per-user installation of the package.
+RUN pip3 install --break-system-packages requests click poetry uwsgi htmlark sphinx-book-theme
+
+# GNUnet
+FROM base-system AS gnunet
+
+COPY buildconfig/gnunet.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/gnunet.tag) && \
+ git clone git://git.gnunet.org/gnunet \
+ --branch $TAG
+WORKDIR /build/gnunet
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/gnunet
+RUN mv /build/*.deb /packages/gnunet
+RUN rm -rf /build
+RUN dpkg -i /packages/gnunet/*.deb
+WORKDIR /
+
+# Exchange
+FROM gnunet as exchange
+
+COPY buildconfig/exchange.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/exchange.tag) && \
+ git clone git://git.taler.net/exchange \
+ --branch $TAG
+WORKDIR /build/exchange
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/exchange
+RUN mv /build/*.deb /packages/exchange
+RUN rm -rf /build
+RUN dpkg -i /packages/exchange/*.deb
+WORKDIR /
+
+# Merchant
+FROM exchange as merchant
+
+COPY buildconfig/merchant.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/merchant.tag) && \
+ git clone git://git.taler.net/merchant \
+ --branch $TAG
+WORKDIR /build/merchant
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/merchant
+RUN mv /build/*.deb /packages/merchant
+RUN rm -rf /build
+RUN dpkg -i /packages/merchant/*.deb
+WORKDIR /
+
+# Libeufin
+FROM base-system as libeufin
+
+WORKDIR /build
+COPY buildconfig/libeufin.tag /buildconfig/
+RUN TAG=$(cat /buildconfig/libeufin.tag) && \
+ git clone git://git.taler.net/libeufin \
+ --branch $TAG
+WORKDIR /build/libeufin
+RUN ./bootstrap
+RUN ./configure --prefix=/usr
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/libeufin
+RUN mv /build/*.deb /packages/libeufin
+RUN rm -rf /build
+RUN dpkg -i /packages/libeufin/*.deb
+
+# Merchant demos
+FROM base-system as merchant-demos
+
+WORKDIR /build
+COPY buildconfig/merchant-demos.tag /buildconfig/
+RUN TAG=$(cat /buildconfig/merchant-demos.tag) && \
+ git clone git://git.taler.net/taler-merchant-demos \
+ --branch $TAG
+WORKDIR /build/taler-merchant-demos
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/merchant-demos
+RUN mv /build/*.deb /packages/merchant-demos
+RUN rm -rf /build
+RUN dpkg -i /packages/merchant-demos/*.deb
+
+# wallet-core tools (taler-wallet-cli and taler-harness)
+FROM base-system as wallet
+WORKDIR /build
+COPY buildconfig/wallet.tag /buildconfig/
+RUN TAG=$(cat /buildconfig/wallet.tag) && \
+ git clone git://git.taler.net/wallet-core \
+ --branch $TAG
+RUN npm install -g pnpm@^8.7.0
+WORKDIR /build/wallet-core
+RUN ./bootstrap
+# taler-wallet-cli
+WORKDIR /build/wallet-core/packages/taler-wallet-cli
+RUN ./configure --prefix=/usr/local
+RUN make deps
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+# taler-harness
+WORKDIR /build/wallet-core/packages/taler-harness
+RUN ./configure --prefix=/usr/local
+RUN pnpm install --frozen-lockfile --filter @gnu-taler/taler-harness...
+RUN pnpm run --filter @gnu-taler/taler-harness... compile
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+# copy debs
+WORKDIR /
+RUN mkdir -p /packages/wallet
+RUN mv /build/wallet-core/packages/*.deb /packages/wallet
+RUN rm -rf /build
+RUN dpkg -i /packages/wallet/*.deb
+
+# Sync
+FROM merchant as sync
+COPY buildconfig/sync.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/sync.tag) && \
+ git clone git://git.taler.net/sync \
+ --branch $TAG
+WORKDIR /build/sync
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/sync
+RUN mv /build/*.deb /packages/sync
+RUN rm -rf /build
+RUN dpkg -i /packages/sync/*.deb
+WORKDIR /
+
+
+# Final image
+FROM base-system as taler-final
+RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends install -y \
+ gpg
+COPY apt/caddy-stable.list /etc/apt/sources.list.d/caddy-stable.list
+COPY apt/caddy-stable-archive-keyring.gpg /tmp/caddy-stable-archive-keyring.gpg
+RUN gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg /tmp/caddy-stable-archive-keyring.gpg
+RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends install -y \
+ emacs \
+ vim \
+ curl \
+ postgresql \
+ bash-completion \
+ sudo \
+ less \
+ caddy \
+ systemd-coredump \
+ libnss3-tools \
+ latexmk \
+ texlive-latex-extra \
+ tex-gyre
+RUN mkdir -p /packages
+COPY --from=gnunet /packages/gnunet/* /packages/
+COPY --from=exchange /packages/exchange/* /packages/
+COPY --from=merchant /packages/merchant/* /packages/
+COPY --from=wallet /packages/wallet/* /packages/
+COPY --from=libeufin /packages/libeufin/* /packages/
+COPY --from=merchant-demos /packages/merchant-demos/* /packages/
+RUN dpkg -i /packages/*.deb
+COPY systemd/setup-sandcastle.service /etc/systemd/system/
+RUN systemctl enable setup-sandcastle.service
+RUN systemctl disable postgresql
diff --git a/sandcastle-ng/README.md b/sandcastle-ng/README.md
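Review bot: Every component source is fetched with `git clone git://…` (the gnunet, exchange, merchant, libeufin, merchant-demos, wallet and sync stages) and then compiled into .deb packages that `dpkg -i` installs into the final image, but the git:// transport is unauthenticated and unencrypted and a tag is a mutable ref, so nothing in the build establishes which source actually went into the image. Cloning over https, e.g. `git clone https://git.taler.net/exchange --branch $TAG` (assuming the hosts serve the same paths over https), removes the on-path tampering exposure; recording the resolved commit with `git rev-parse HEAD` in the build log or pinning commit ids in buildconfig/ would make the build reproducible, and `git verify-tag $TAG` could be added if upstream signs its release tags. The same concern applies to `RUN pip3 install --break-system-packages requests click poetry uwsgi htmlark sphinx-book-theme`, which pins no versions (and uwsgi is already installed from apt in the first RUN). The sync stage builds packages into /packages/sync, but taler-final never copies them, so with `--target taler-final` that stage appears to be dead code; either add `COPY --from=sync /packages/sync/* /packages/` before the `dpkg -i /packages/*.deb` line or drop the stage. Minor: the stages mix `AS` (base-system, gnunet) and `as` (all others); one spelling would be cleaner.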
@@ -0,0 +1,137 @@ +# Introduction + +The sandcastle is a containerized deployment of GNU Taler + +It uses podman to build an image and run a single container that +has systemd running inside. + + +# Prerequisites + +You need (on your host system): +* podman +* bash + + +# Building the Container Image + +1. Set buildconfig/$component.tag to the right git tag you want to build +2. Run ./sandcastle-build to build the Taler container. The resulting container + is tagged as taler-base-all + + +# Configuring the Deployment + +It is recommended that for each deployment, you clone the deployment.git +repository and create a branch with deployment-specific changes. + +Currently there is not much configuration. + +The main adjustments to be made are: + +* scripts/demo/setup-sandcastle.sh has the currency on top of the file +* sandcastle-run has variables for the port that'll be exposed ("published") on + the host. They can be overwritten with environment variables + (``TALER_SANDCASTLE_PORT_$COMPONENT``). + + +# Running the Deployment + +Run ``./sandcastle-run`` to run the single container. The container will be +named taler-sandcastle. + +You can run the container in the background by passing ``-d``. Note that ``./sandcastle-run`` is just +a wrapper around ``podman run``. + +The running container publishes ports to the host as defined in ``./sandcastle-run``. +You can manually verify these port mappings via ``podman port taler-sandcastle``. + +# Stopping the deployment + +``` +podman stop taler-sandcastle +``` + + +# Poking Around + +You can poke around in a running sandcastle instance by running + +``` +podman exec -it taler-sandcastle /bin/bash +``` + +Or, as a shortcut: + +``` +./sandcastle-enter +``` + +This will drop you into a shell inside the running container, +where you have access to systemd, journalctl, etc. + + +# Data Storage + +All persistent data is stored in a podman volume called +talerdata. 
You can see where it is in your filesystem +by running ``podman volume inspect talerdata``. + +That volume also contains the postgres database files. + + +# Provisioning Details + +The whole deployment is configured by the script ``/provision/setup-sandcastle.sh``. +This script will be run as a oneshot systemd service and will disable itself after +the first success. + +To troubleshoot, run ``journalctl -u setup-sandcastle.service``. + +There are different setup scripts in the ``scripts/$SANDCASTLE_SETUP_NAME`` +folders. Specifically: + +* ``none`` does no setup at all +* ``demo`` is the usual Taler demo +* TBD: ``regio`` is a currency conversion setup + +By default, ``demo`` is used. To mount a different provision script, set ``$SANDCASTLE_SETUP_NAME`` +when running ``./sandcastle-run``. + +You can always manually run the provisioning script inside the container as +``/scripts/$SANDCASTLE_SETUP_NAME/setup-sandcastle.sh``. + + +# Neat Things That Already Work + +* Rebulding the base image is incremental, since we use layers. If the tag + of the exchange is changed, only the exchange and components that depend + on it are rebuilt. +* Inside the container, the service names resolve to localhost, + and on localhost a reverse proxy with locally signed certificates + ensures that services can talk to each other *within* the container + by using their *public* base URL. + + +# Future Extensions + +* Fix rewards by deploying Javier's reward topup script inside the container via a systemd timer! +* Variant where credentials use proper secret management instead of hard-coding all + passwords to "sandbox". +* Better way to access logs, better way to expose errors during provisioning +* The Dockerfile should introduce nightly tags for debian packages it builds. + Currently it just uses the latest defined version, which is confusing. 
+* Deploy the Taler woocommerce plugin, wordpress plugin, Joomla plugin +* Do self-tests of the deployment using the wallet CLI +* Running the auditor +* Running a currency conversion setup with multiple libeufin-bank instances +* Allow a localhost-only, non-tls setup for being able to access a non-tls + Taler deployment on the podman host. +* Instead of exposing HTTP ports, we could expose everything via unix domain sockets, + avoiding port collision problems. +* Instead of requiring the reverse proxy to handle TLS, + the sandcastle container itself could do TLS termination with caddy. +* To improve performance, allow connecting to an external database +* Make it easy to import and export the persistent data +* Extra tooling to checkpoint images/containers to revert to a previous + state quickly. diff --git a/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg b/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg 
@@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFb+quEBEACl3/YkFekflvauEASL+neZjCctYWyt57Dv5AdRmUPO4zkxylLG +d/9JawlUfHuYYU4emz7940S2wR8kbBimiLgxMqyGP5+RQnggNZhjYIXoqkkh0G8v +purq+58d+VNYf0LWnWlwuJC0dtpi4bPqZTc5ST4QOItFK0s7F2xZJyOkuAPDI782 +pGMR8UzpburHt9JwIUv1oOHFfFA/4HFQ++A6RF9bjYQFNMreaXsvMKIA5VQKcnDd +SbKEfKnr0bwGr59MsnsQBgr1Ats2W722jIs89YevBanS6n0FWeiSxUqUrNypTLkL +QHVPlK7Agq1XGWUhu55clFC6loQXboph9BhnSxSn9Kou4toXDQj6AMDuLGcV+VQ+ +fVfSZFXsp/evzqkjbc0jsUTVOZgZhhRP8DD+vjkzJFfCq/tAWu4qgqnOwE9kEEQL +MXsnsZNSYS3MvWnQFPBmg0B483iKxaA/Oe89WckTnjt+jlpAKhOoS5ZURdOtwv1i +yrKlYiXYMQCMhOd3BCw5RELb7Qtpz+gBaOoxQMMyRRYwKiturpQdV53FVvu/re/x +xXVuxRyRI2Yo94ba3a5bEGjR3CNjvx7LuGuWplYyzDWn+OXa/HiTqWM153ho+oUl +s3ntiHQ16jtgyhcNSuMffCcMLYanfmB+2m4HZmkl97vs7XvclClEXNV6VwARAQAB +tCpDYWRkeSBXZWIgU2VydmVyIDxjb250YWN0QGNhZGR5c2VydmVyLmNvbT6JAjQE +EwEKAB4FAlb+quECGwMDCwkHAxUKCAIeAQIXgAMWAgECGQEACgkQFVttecpW6jRx +cQ/9GHdVoYf15rcU0ip3Vw1MF06ndRxLmilgBvdweZ5NcRttbu8ESh+MP59Z0gOp +0uX/CqBnqZb9E2vbYyly1plq5GwP4tcCHwwkyOT1doGcyP1XylPkJkieP9YUWsIA +3oG/wCsqxxwVYzwvm0opBdrNf6pAYg2tGNCqxh8bmYPDaReu3t2LZ6qeJ4obhYTx +IwAh36oF5dVG5OW2dnMNFVpjoEgCavvTNTcJCgonLct6Zl+Q7xptJyBv3LS8L674 +V2nxcoLvtTjXG86D3yPJvD1I5WYPEZMpHznj1PEztgOrvLo+Fyu+T5vCHqfTY6mG +89BXz8L4o5aBr2uY+ZV5oQa6GuV8GIiiWIZNyDwXTnUiW/GsUFNwg0AP05rva8fF +2a3ybwsq/Sv2nraKQMpYRltBQZkg+l5nZD7znHpYBfJiH6eW3/7ft3w8OptiIcu6 +87UzhI28yoFSNE+85V3sz7JphZ/XFaU2ApESO1ahjDzP96w4u0HeSds6tbkR3OlC +ECcFOmX79MhWfjDaVNnknBqGzjy1JdQ0ZKNWMZRVyxZ9fKiZxFw+q40Sta7ynxfH +p4v0bM8vDLM3cxxOj38U5jsP/ChctyZO3P0nCEzIAR9kvumc5PSqpjiqWlbaHsxa +fXohi3LAIi/clgIOV7bIVRmTz6b61Ngf+C8VYzlUph0ygS25Ag0EX+uckAEQAKyq +E0nbZa8/6Js5TGvlRGi/pb59c6cC+yqB3d7qzOuIJ/61W9yCXliQRZSB32dGXsqD +a375PtGlE5p7id4PNwegx2C4fFN6PWdxO1bwhOnrcUov6YHggkcjaFJqaWoa/EvF +DUgEKd0d1WGzNHlmkM0P6puJ8lbPW3SeWtv+V83BvS9Hkb//43HKNk2J3cV/+RNb +MsfER5CRAFYYHs/lyT2mpYU5dislzk4VDZbR7iyzXIrUEAQdpXe8itFYjFf8xzAe +qDsUefarr485USnTTxQtcBKX06ruHiQUSCOs7HR6cDJi332cTXT7kSbq3ouq9nB8 
+oaxhl2I20kVBWqdRyzVAwtGvjkWIYuUteIpguzAqpfsBv6IJ/W5G5jw+HEUJSCRr +6rlC1z9agGCKl53NTV4gHqRY2GpYPr2KNN3uTVojignCC9BEP0eRqj876X90Y7id +QuDda/+QaHH6htUe/W51j5RLVWssCLTZwHPZmeHtxz6U6IOEtlSuso7IN4HQsdaj +lmOP+kfNy1gKVOW9fvF2HpUvY2cNwjSAO96C3K4w4z/ykHco/6HhZcAb/MydMKPy +cI8jUDKa++Dk88xvq/AsRH++ri5WIY3n/HIkDyxGX5KCyxAfU1xuGkosnu7iBxoz +2YVIV5GUwjf7ysOmgkb7FAcb73hUnCdGxcbWiQofABEBAAGJBHIEGAEKACYWIQRl +dgxR7eogF86iyhUVW215ylbqNAUCX+uckAIbAgUJCWYBgAJACRAVW215ylbqNMF0 +IAQZAQoAHRYhBC9cO+mIas0pEyme+6uh+biHWmZhBQJf65yQAAoJEKuh+biHWmZh +ZIIP/2FxCz40ev/sR60ozPRg/eMqAx8M8tmwACjPk84tCZryTRQ9dQ2nKzIWIQvt +rLljl0OU3CCLgHRHl5lEjTgeDSfvrCLgss48fKAenBlHLGTzaMqdI6bs1fg7Ieh5 +dZQd9Crf6xLC7tBSjEzaqaPseux9tEdLEbHn8oJlQAgymW4wBko+ymriZpjs43Hx +ir8iHn/H+oSJe4tOwaGmLzbMY5LMffvUWVKnoacjIx92XiVlUVypkh22iSa0upsz +vseu+hiytwBMyxU99dsRwOQy2BZd3P/tCwpnDI8hSZCzBTyuo6XNgwLHZzvUuNKc +qXZK4kxPRTVGyur9S1rYbZqnmPf4Wy7wFtwRUvbVve6BVdc7v9zWsTkEtTEJ4Buh +GHSwBTdGKy8CJJgRN8K2umGCPxnUNvoCOsqW6xIJTp2baM1nRWZf1UvNjgVhwyJt +AlrMk1xdmDDqVUO80Y5p7Jn2G1XPlQOVHcjyjFtM4sIWPqnrRzTzB4xTAZ1push3 +EOys2+4IGLgS7P6z0q+4Cxwtnm32ZueQDWyQA5gOOZAodb8HCku6sIIiF+zGtrNO +F45xsKAoJVPt5VvH4zOKK+TbYyHAN/Ujpf09zXrTtmrnHwjB8PD+Uq2Ober/Zf5Q +4MGnzQAy/Qkw8suciIxgLC9kCNwJIFRULHMTUsAFaAq+L9+IBmwP/R2Yt/Gop4Nl +IfJDSMIBXGVn/2I2rTW0NDU3UC1njVRSVwQ4fjyRcuxi7dM/f8YBPnNGXO2Ur709 +f7LF7GkY/VgjQ9RWaZ6CB3GPhUjj1Q5nmW+lQkyehPYgx1/MuD3wq3w/BfYyrYHb +xRn5r4N5QmUasFrPH8Ey/zI2cEFwckek0Z1G2SwnkEsY0e9vy12RvCGGicHJ+Xxs +7E/L6rEjRpcQg1xzzCh1Sdx4ZKIxss9N5vJ5xCTd9kFl68ZCQJEz9zJUztEiEYcG +l6WQ+BK3W4UepkbzgZ1HVB2LWf84cHC4a983k0avI1KtKSNd6Nn4qUJUa1Hj+mw7 +tlCwt97V+vbEnhFsoVjObJqsVXQOs9CdOiV2vsRqVD5tQPEq3AfowGHtNgxXbfO/ +wPiLmPSzZOaAlFaRXX6Off9B6RYuh5pVd/njewpsPAJfefiYeBOS0nThrQMbweyf +S7FG/ibAE8NspI2Dn3nT+D6cUeYzCVkhNKKgBzYotODMl0N3H6pfOQwWp0aO8teo +0v07lrePvMGNQcu2GuTM1v9YOt5kMrfbNgdAfrN8BLPUV/ZseCdKlfJLNlh6/pxr +STw95n1JvFHpSZCMR5NWbiEdtXZmlJTFlMNMww8vO3DwTkA9hdqnKl04yPHQQpMD +A5zVwuXbvH6GHaZJVHUrII6w8rjimo5r +=e4lF +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg.gpg b/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg.gpg
Binary files differ.
diff --git a/sandcastle-ng/apt/caddy-stable.list b/sandcastle-ng/apt/caddy-stable.list
@@ -0,0 +1,9 @@
+# Source: Caddy
+# Site: https://github.com/caddyserver/caddy
+# Repository: Caddy / stable
+# Description: Fast, multi-platform web server with automatic HTTPS
+
+
+deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+
+deb-src [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
diff --git a/sandcastle-ng/buildconfig/README b/sandcastle-ng/buildconfig/README
@@ -0,0 +1,5 @@
+These files determine the git tag from which the respective components are
+built in the base Docker image.
+
+They are in separate files to make modification checking with
+staged Docker builds work nicely.
diff --git a/sandcastle-ng/buildconfig/exchange.tag b/sandcastle-ng/buildconfig/exchange.tag
@@ -0,0 +1 @@
+v0.9.4-dev.3
diff --git a/sandcastle-ng/buildconfig/gnunet.tag b/sandcastle-ng/buildconfig/gnunet.tag
@@ -0,0 +1 @@
+v0.20.1-talerdev.1
diff --git a/sandcastle-ng/buildconfig/libeufin.tag b/sandcastle-ng/buildconfig/libeufin.tag
@@ -0,0 +1 @@
+v0.9.3-dev.27
diff --git a/sandcastle-ng/buildconfig/libmhd.tag b/sandcastle-ng/buildconfig/libmhd.tag
@@ -0,0 +1 @@
+v0.9.75
diff --git a/sandcastle-ng/buildconfig/merchant-demos.tag b/sandcastle-ng/buildconfig/merchant-demos.tag
@@ -0,0 +1 @@
+v0.9.3-dev.6
diff --git a/sandcastle-ng/buildconfig/merchant.tag b/sandcastle-ng/buildconfig/merchant.tag
@@ -0,0 +1 @@
+v0.9.4-dev.2
diff --git a/sandcastle-ng/buildconfig/sync.tag b/sandcastle-ng/buildconfig/sync.tag
@@ -0,0 +1 @@
+v0.9.3
diff --git a/sandcastle-ng/buildconfig/wallet.tag b/sandcastle-ng/buildconfig/wallet.tag
@@ -0,0 +1 @@
+v0.9.3-dev.33
diff --git a/sandcastle-ng/sandcastle-build b/sandcastle-ng/sandcastle-build
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -eu
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$SCRIPT_DIR"
+
+exec podman build -f Dockerfile --target taler-final -t taler-base-all .
diff --git a/sandcastle-ng/sandcastle-enter b/sandcastle-ng/sandcastle-enter
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+exec podman exec -it taler-sandcastle /bin/bash
diff --git a/sandcastle-ng/sandcastle-run b/sandcastle-ng/sandcastle-run
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Run the Taler container with all the right mounts and preset parameters
+
+set -eu
+
+SANDCASTLE_PORT_MERCHANT=16000
+SANDCASTLE_PORT_EXCHANGE=16001
+SANDCASTLE_PORT_BLOG=16002
+SANDCASTLE_PORT_DONATIONS=16003
+SANDCASTLE_PORT_SURVEY=16004
+SANDCASTLE_PORT_LANDING=16005
+SANDCASTLE_PORT_LIBEUFIN_BANK=16007
+SANDCASTLE_PORT_BANK_SPA=16006
+
+# Container-internal ports, should by synced with scripts/setup-sandcastle.sh
+PORT_INTERNAL_EXCHANGE=8201
+PORT_INTERNAL_MERCHANT=8301
+PORT_INTERNAL_LIBEUFIN_BANK=8080
+PORT_INTERNAL_LANDING=8501
+PORT_INTERNAL_BLOG=8502
+PORT_INTERNAL_DONATIONS=8503
+PORT_INTERNAL_SURVEY=8504
+PORT_INTERNAL_BANK_SPA=8505
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+
+existing_id=$(podman ps -q -a -f=name=taler-sandcastle)
+
+if [[ ! -z "$existing_id" ]]; then
+ echo "removing existing taler-sandcastle container $existing_id"
+ podman rm "$existing_id"
+fi
+
+# We need to be careful with SELinux when using volume mounts, relabel!
+
+SETUP_NAME=${SANDCASTLE_SETUP_NAME:-demo}
+
+exec podman run \
+ -p=$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT \
+ -p=$SANDCASTLE_PORT_EXCHANGE:$PORT_INTERNAL_EXCHANGE \
+ -p=$SANDCASTLE_PORT_LIBEUFIN_BANK:$PORT_INTERNAL_LIBEUFIN_BANK \
+ -p=$SANDCASTLE_PORT_LANDING:$PORT_INTERNAL_LANDING \
+ -p=$SANDCASTLE_PORT_BLOG:$PORT_INTERNAL_BLOG \
+ -p=$SANDCASTLE_PORT_DONATIONS:$PORT_INTERNAL_DONATIONS \
+ -p=$SANDCASTLE_PORT_SURVEY:$PORT_INTERNAL_SURVEY \
+ -p=$SANDCASTLE_PORT_BANK_SPA:$PORT_INTERNAL_BANK_SPA \
+ --name taler-sandcastle \
+ --systemd=always \
+ -v talerdata:/talerdata:Z \
+ -v $PWD/scripts:/scripts:Z \
+ -v $PWD/scripts/$SETUP_NAME:/provision:Z \
+ --entrypoint /sbin/init \
+ "$@" \
+ taler-base-all
diff --git a/sandcastle-ng/scripts/demo/setup-sandcastle.sh b/sandcastle-ng/scripts/demo/setup-sandcastle.sh
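Review bot: The README added in this commit says the published ports can be overridden with `TALER_SANDCASTLE_PORT_$COMPONENT` environment variables, but the eight `SANDCASTLE_PORT_*=…` assignments at the top of the script are unconditional, so any such variable is silently ignored; giving each a default of the form `SANDCASTLE_PORT_MERCHANT=${TALER_SANDCASTLE_PORT_MERCHANT:-16000}` would match the documentation (rewrite below). Separately, `podman ps -q -a -f=name=taler-sandcastle` is, as far as I know, a pattern match rather than an exact-name match, so a container such as taler-sandcastle-old on the same host would also be handed to `podman rm`; anchoring the filter with `-f=name=^taler-sandcastle$` avoids that. The `-p=$HOSTPORT:$CONTAINERPORT` mappings bind on every host interface by default, which, given the fixed demo credentials the README mentions, makes a loopback default such as `-p=127.0.0.1:$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT` a safer starting point unless the host-side reverse proxy setup needs otherwise. Finally, `cd $SCRIPT_DIR` and the two `-v $PWD/…` arguments are unquoted while SCRIPT_DIR itself is computed with careful quoting; `cd "$SCRIPT_DIR"` and `-v "$PWD/scripts:/scripts:Z"` keep the script working from paths containing spaces.
```shell
# … unchanged: shebang, comment, set -eu …
SANDCASTLE_PORT_MERCHANT=${TALER_SANDCASTLE_PORT_MERCHANT:-16000}
SANDCASTLE_PORT_EXCHANGE=${TALER_SANDCASTLE_PORT_EXCHANGE:-16001}
SANDCASTLE_PORT_BLOG=${TALER_SANDCASTLE_PORT_BLOG:-16002}
SANDCASTLE_PORT_DONATIONS=${TALER_SANDCASTLE_PORT_DONATIONS:-16003}
SANDCASTLE_PORT_SURVEY=${TALER_SANDCASTLE_PORT_SURVEY:-16004}
SANDCASTLE_PORT_LANDING=${TALER_SANDCASTLE_PORT_LANDING:-16005}
SANDCASTLE_PORT_LIBEUFIN_BANK=${TALER_SANDCASTLE_PORT_LIBEUFIN_BANK:-16007}
SANDCASTLE_PORT_BANK_SPA=${TALER_SANDCASTLE_PORT_BANK_SPA:-16006}
# … unchanged: internal ports, SCRIPT_DIR, container cleanup, podman run …
```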
@@ -0,0 +1,511 @@ +#!/usr/bin/env bash + +# This scripts provisions all configuration and +# services for the Taler sandcastle container. +# +# Important: This script needs to be completely +# idempotent, nothing must break if it is executed +# multiple times. + +set -eu +set -x + +if [[ ! -z "${SANDCASTLE_SKIP_SETUP:-}" ]]; then + echo "skipping sandcastle setup, requested by environment var SANDCASTLE_SKIP_SETUP" + exit 1 +fi + +echo "Provisioning sandcastle" + +# General configuration. +# Might eventually be moved to an external file. + +CURRENCY=KUDOS +EXCHANGE_IBAN=DE159593 +EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN +EXCHANGE_FULL_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc" +EXCHANGE_BANK_PASSWORD=sandbox + +# Randomly generated IBANs for the merchants +MERCHANT_IBAN_DEFAULT=DE5135717 +MERCHANT_IBAN_POS=DE4218710 +MERCHANT_IBAN_BLOG=DE8292195 +MERCHANT_IBAN_GNUNET=DE9709960 +MERCHANT_IBAN_TALER=DE1740597 +MERCHANT_IBAN_TOR=DE2648777 +MERCHANT_IBAN_SURVEY=DE0793060 + +MYDOMAIN=demo.taler.net +LANDING_DOMAIN=$MYDOMAIN +BANK_DOMAIN=bank.$MYDOMAIN +EXCHANGE_DOMAIN=exchange.$MYDOMAIN +MERCHANT_DOMAIN=backend.$MYDOMAIN +BLOG_DOMAIN=shop.$MYDOMAIN +DONATIONS_DOMAIN=donations.$MYDOMAIN +SURVEY_DOMAIN=survey.$MYDOMAIN + +# Ports of the services running inside the container. +# Should be synchronized with the sandcastle-run script. 
+PORT_INTERNAL_EXCHANGE=8201 +PORT_INTERNAL_MERCHANT=8301 +PORT_INTERNAL_LIBEUFIN_BANK=8080 +PORT_INTERNAL_LANDING=8501 +PORT_INTERNAL_BLOG=8502 +PORT_INTERNAL_DONATIONS=8503 +PORT_INTERNAL_SURVEY=8504 +PORT_INTERNAL_BANK_SPA=8505 + +# Just make sure the services are stopped +systemctl stop taler-exchange.target +systemctl stop taler-merchant-httpd.service +systemctl stop postgresql.service +systemctl stop taler-demo-landing.service +systemctl stop taler-demo-blog.service +systemctl stop taler-demo-donations.service +systemctl stop taler-demo-survey.service +systemctl stop libeufin-bank.service + +# We now make sure that some important locations are symlinked to +# the persistent storage volume. +# Files that already exist in this location are moved to the storage volume +# and then symlinked. +# These locations are: +# /etc/taler +# /etc/libeufin-bank +# /var/lib/taler +# postgres DB directory + +function lift_dir() { + src=$1 + target=$2 + if [[ -L "$src" ]]; then + # be idempotent + echo "$src is already a symlink" + elif [[ -d /talerdata/$target ]]; then + echo "symlinking existing /talerdata/$target" + rm -rf "$src" + ln -s "/talerdata/$target" "$src" + else + echo "symlinking new /talerdata/$target" + mv "$src" "/talerdata/$target" + ln -s "/talerdata/$target" "$src" + fi +} + +lift_dir /var/lib/taler var-lib-taler +lift_dir /etc/taler etc-taler +lift_dir /etc/libeufin-bank etc-libeufin-bank +lift_dir /var/lib/postgresql var-lib-postgresql +lift_dir /usr/share/taler/terms usr-share-taler-terms + +# Caddy configuration. +# We use the caddy reverse proxy with automatic +# internal TLS setup to ensure that the services are +# reachable inside the container without any external +# DNS setup under the same domain name and with TLS +# from inside the container. 
+ +systemctl stop caddy.service + +cat <<EOF > /etc/caddy/Caddyfile +https://$BANK_DOMAIN { + tls internal + reverse_proxy :8080 { + # libeufin-bank should eventually not require this anymore, + # but currently doesn't work without this header. + header_up X-Forwarded-Prefix "" + } +} + +https://$EXCHANGE_DOMAIN { + tls internal + reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock +} + +https://$MERCHANT_DOMAIN { + tls internal + reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock +} + +# Services that only listen on unix domain sockets +# are reverse-proxied to serve on a TCP port. + +:$PORT_INTERNAL_EXCHANGE { + reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock +} + +:$PORT_INTERNAL_MERCHANT { + reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock { + # Set this, or otherwise wrong taler://pay URIs will be generated. + header_up X-Forwarded-Proto "https" + } +} + +:$PORT_INTERNAL_BANK_SPA { + root * /usr/share/libeufin-bank/spa + root /demobank-ui-settings.js /etc/libeufin-bank/ + file_server +} +EOF + +cat <<EOF >> /etc/hosts +# Start of Taler Sandcastle Domains +127.0.0.1 $LANDING_DOMAIN +127.0.0.1 $BANK_DOMAIN +127.0.0.1 $EXCHANGE_DOMAIN +127.0.0.1 $MERCHANT_DOMAIN +127.0.0.1 $BLOG_DOMAIN +127.0.0.1 $DONATIONS_DOMAIN +127.0.0.1 $SURVEY_DOMAIN +# End of Taler Sandcastle Domains +EOF + +systemctl start caddy.service + +# Install local, internal CA certs for caddy +caddy trust + +systemctl start postgresql.service + +# Set up bank + +BANK_DB=libeufinbank +# Use "|| true" to continue if these already exist. 
+sudo -i -u postgres createuser -d libeufin-bank || true +sudo -i -u postgres createdb -O libeufin-bank $BANK_DB || true + +sudo -i -u libeufin-bank libeufin-bank dbinit + +cat <<EOF >/etc/libeufin-bank/libeufin-bank.conf +[libeufin-bank] +CURRENCY = $CURRENCY +DEFAULT_CUSTOMER_DEBT_LIMIT = $CURRENCY:200 +DEFAULT_ADMIN_DEBT_LIMIT = $CURRENCY:2000 +REGISTRATION_BONUS = $CURRENCY:100 +REGISTRATION_BONUS_ENABLED = yes +SPA_CAPTCHA_URL = https://$BANK_DOMAIN/webui/#/operation/{woid} +SUGGESTED_WITHDRAWAL_EXCHANGE = https://$EXCHANGE_DOMAIN/ + +[currency-$CURRENCY] +ENABLED = YES +name = "$CURRENCY (Taler Demonstrator)" +code = "$CURRENCY" +decimal_separator = "." +fractional_input_digits = 2 +fractional_normal_digits = 2 +fractional_trailing_zero_digits = 2 +is_currency_name_leading = NO +alt_unit_names = {"0":"$CURRENCY"} +EOF + +cat <<EOF >/etc/libeufin-bank/demobank-ui-settings.js +globalThis.talerDemobankSettings = { + // Only Admin adds users + allowRegistrations: false, + bankName: "Taler Bank", + allowRegistrations: true, + simplePasswordForRandomAccounts: true, + allowRandomAccountCreation: true, + // Show explainer text and navbar to other demo sites + showDemoNav: false, + demoSites: [ + ["Landing", "https://$LANDING_DOMAIN/"], + ["Bank", "https://$BANK_DOMAIN/"], + ["Essay Shop", "https://$BLOG_DOMAIN/"], + ["Donations", "https://$DONATIONS_DOMAIN/"], + ["Survey", "https://$SURVEY_DOMAIN/"], + ], + backendBaseURL: "https://$BANK_DOMAIN/", +}; +EOF + +systemctl enable --now libeufin-bank.service + +# TODO: Create accounts for exchange and merchants + +taler-harness deployment wait-taler-service libeufin-bank https://$BANK_DOMAIN/config +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login exchange --exchange --public \ + --payto $EXCHANGE_PLAIN_PAYTO \ + --name Exchange \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-default --public \ + --payto 
"payto://iban/$MERCHANT_IBAN_DEFAULT" \ + --name "Default Demo Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-pos --public \ + --payto "payto://iban/$MERCHANT_IBAN_POS" \ + --name "PoS Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-blog --public \ + --payto "payto://iban/$MERCHANT_IBAN_BLOG" \ + --name "Blog Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-gnunet --public \ + --payto "payto://iban/$MERCHANT_IBAN_GNUNET" \ + --name "GNUnet Donations Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-taler --public \ + --payto "payto://iban/$MERCHANT_IBAN_TALER" \ + --name "Taler Donations Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-tor --public \ + --payto "payto://iban/$MERCHANT_IBAN_TOR" \ + --name "Tor Donations Merchant" \ + --password sandbox + +taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \ + --login merchant-survey --public \ + --payto "payto://iban/$MERCHANT_IBAN_SURVEY" \ + --name "Tor Survey Merchant" \ + --password sandbox + +# Set up exchange + +MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LDEBUG setup) + +EXCHANGE_DB=talerexchange +# Use "|| true" to continue if these already exist. 
+sudo -i -u postgres createuser -d taler-exchange-httpd || true
+sudo -i -u postgres createuser taler-exchange-wire || true
+sudo -i -u postgres createuser taler-exchange-closer || true
+sudo -i -u postgres createuser taler-exchange-aggregator || true
+sudo -i -u postgres createdb -O taler-exchange-httpd $EXCHANGE_DB || true
+
+# Generate /etc/taler/conf.d/setup.conf
+cat <<EOF > /etc/taler/conf.d/setup.conf
+[taler]
+CURRENCY = $CURRENCY
+CURRENCY_ROUND_UNIT = $CURRENCY:0.01
+
+[currency-$CURRENCY]
+ENABLED = YES
+name = "$CURRENCY (Taler Demonstrator)"
+code = "$CURRENCY"
+decimal_separator = "."
+fractional_input_digits = 2
+fractional_normal_digits = 2
+fractional_trailing_zero_digits = 2
+is_currency_name_leading = NO
+alt_unit_names = {"0":"$CURRENCY"}
+
+[exchange]
+AML_THRESHOLD = $CURRENCY:1000000
+MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY
+BASE_URL = https://$EXCHANGE_DOMAIN/
+
+[exchange-account-default]
+PAYTO_URI = $EXCHANGE_FULL_PAYTO
+ENABLE_DEBIT = YES
+ENABLE_CREDIT = YES
+@inline-secret@ exchange-accountcredentials-default ../secrets/exchange-accountcredentials-default.secret.conf
+EOF
+
+cat <<EOF >/etc/taler/secrets/exchange-db.secret.conf
+[exchangedb-postgres]
+CONFIG=postgres:///${EXCHANGE_DB}
+EOF
+chmod 440 /etc/taler/secrets/exchange-db.secret.conf
+chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf
+
+cat <<EOF > /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+[exchange-accountcredentials-default]
+WIRE_GATEWAY_URL = https://$BANK_DOMAIN/accounts/exchange/taler-wire-gateway/
+WIRE_GATEWAY_AUTH_METHOD = basic
+USERNAME = exchange
+PASSWORD = ${EXCHANGE_BANK_PASSWORD}
+EOF
+chmod 400 /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+chown taler-exchange-wire:taler-exchange-db /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+
+if [[ ! -e /etc/taler/conf.d/$CURRENCY-coins.conf ]]; then
+ # Only create if necessary, as each [COIN-...] section
+ # has a unique name with a timestamp.
+ taler-harness deployment gen-coin-config \
+ --min-amount "${CURRENCY}:0.01" \
+ --max-amount "${CURRENCY}:100" \
+ >"/etc/taler/conf.d/$CURRENCY-coins.conf"
+fi
+
+echo "Initializing exchange database"
+sudo -u taler-exchange-httpd taler-exchange-dbinit -LDEBUG -c /etc/taler/taler.conf
+
+echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+
+echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+
+echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+
+
+# # The ToS generator is currently borked, we don't generated ToS until that's fixed.
+TOS_PATH=/usr/share/taler/terms
+if [[ ! -e "$TOS_PATH/stamp-generated" ]]; then
+ # ToS generator is picky about the path that it is being run from
+ cd $TOS_PATH
+ taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en
+ taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH -l en
+ taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH
+ taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler Systems SA" -p a4 -o $TOS_PATH
+ touch "$TOS_PATH/stamp-generated"
+ cd -
+fi
+
+systemctl enable --now taler-exchange.target
+
+taler-harness deployment wait-taler-service taler-exchange https://$EXCHANGE_DOMAIN/config
+taler-harness deployment wait-endpoint https://$EXCHANGE_DOMAIN/management/keys
+
+sudo -i -u taler-exchange-offline \
+ taler-exchange-offline \
+ -c /etc/taler/taler.conf \
+ download \
+ sign \
+ upload
+
+sudo -i -u taler-exchange-offline \
+ taler-exchange-offline \
+ enable-account "${EXCHANGE_FULL_PAYTO}" \
+ wire-fee now iban "${CURRENCY}":0 "${CURRENCY}":0 \
+ global-fee now "${CURRENCY}":0 "${CURRENCY}":0 "${CURRENCY}":0 1h 6a 0 \
+ upload
+
+# Set up merchant backend
+
+MERCHANT_DB=talermerchant
+# Use "|| true" to continue if these already exist.
+sudo -i -u postgres createuser -d taler-merchant-httpd || true
+sudo -i -u postgres createdb -O taler-merchant-httpd $MERCHANT_DB || true
+
+cat <<EOF >/etc/taler/secrets/merchant-db.secret.conf
+[merchantdb-postgres]
+CONFIG=postgres:///${MERCHANT_DB}
+EOF
+chmod 440 /etc/taler/secrets/merchant-db.secret.conf
+chown taler-merchant-httpd:root /etc/taler/secrets/merchant-db.secret.conf
+
+sudo -u taler-merchant-httpd taler-merchant-dbinit -c /etc/taler/taler.conf
+
+cat <<EOF >/etc/taler/conf.d/merchant-exchanges.conf
+[merchant-exchange-sandcastle]
+EXCHANGE_BASE_URL = https://$EXCHANGE_DOMAIN/
+MASTER_KEY = $MASTER_PUBLIC_KEY
+CURRENCY = $CURRENCY
+EOF
+
+systemctl enable --now taler-merchant-httpd
+taler-harness deployment wait-taler-service taler-merchant https://$MERCHANT_DOMAIN/config
+
+taler-harness deployment provision-merchant-instance \
+ https://$MERCHANT_DOMAIN/ \
+ --management-token secret-token:sandbox \
+ --instance-token secret-token:sandbox \
+ --name Merchant \
+ --id default \
+ --payto "payto://iban/$MERCHANT_IBAN_DEFAULT?receiver-name=Merchant"
+
+taler-harness deployment provision-merchant-instance \
+ https://$MERCHANT_DOMAIN/ \
+ --management-token secret-token:sandbox \
+ --instance-token secret-token:sandbox \
+ --name "POS Merchant" \
+ --id pos \
+ --payto "payto://iban/$MERCHANT_IBAN_POS?receiver-name=POS+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+ https://$MERCHANT_DOMAIN/ \
+ --management-token secret-token:sandbox \
+ --instance-token secret-token:sandbox \
+ --name "Blog Merchant" \
+ --id blog \
+ --payto "payto://iban/$MERCHANT_IBAN_BLOG?receiver-name=Blog+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+ https://$MERCHANT_DOMAIN/ \
+ --management-token secret-token:sandbox \
+ --instance-token secret-token:sandbox \
+ --name "GNUnet Merchant" \
+ --id gnunet \
+ --payto "payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+ https://$MERCHANT_DOMAIN/ \
+ --management-token secret-token:sandbox \
+ --instance-token secret-token:sandbox \
+ --name "Taler Merchant" \
+ --id taler \
+ --payto "payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+ https://$MERCHANT_DOMAIN/ \
+ --management-token secret-token:sandbox \
+ --instance-token secret-token:sandbox \
+ --name "Tor Merchant" \
+ --id tor \
+ --payto "payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant"
+
+
+# Now we set up the taler-merchant-demos
+
+cat <<EOF >/etc/taler/taler-merchant-frontends.conf
+# Different entry point, we need to repeat some settings.
+# In the future, taler-merchant-demos should become
+# robust enough to read from the main config.
+[taler]
+CURRENCY = $CURRENCY
+[frontends]
+BACKEND = https://$MERCHANT_DOMAIN/
+BACKEND_APIKEY = secret-token:sandbox
+[landing]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_LANDING
+[blog]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_BLOG
+[donations]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_DONATIONS
+[survey]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_SURVEY
+EOF
+
+# This really should not exist, the taler-merchant-frontends
+# should be easier to configure!
+cat <<EOF >/etc/taler/taler-merchant-frontends.env
+TALER_ENV_URL_INTRO=https://$LANDING_DOMAIN/
+TALER_ENV_URL_LANDING=https://$LANDING_DOMAIN/
+TALER_ENV_URL_BANK=https://$BANK_DOMAIN/
+TALER_ENV_URL_MERCHANT_BLOG=https://$BLOG_DOMAIN/
+TALER_ENV_URL_MERCHANT_DONATIONS=https://$DONATIONS_DOMAIN/
+TALER_ENV_URL_MERCHANT_SURVEY=https://$SURVEY_DOMAIN/
+EOF
+
+systemctl enable --now taler-demo-landing
+systemctl enable --now taler-demo-blog
+systemctl enable --now taler-demo-donations
+systemctl enable --now taler-demo-survey
+
+
+# FIXME: Maybe do some taler-wallet-cli test?
+# FIXME: How do we report errors occurring during the setup script?
diff --git a/sandcastle-ng/scripts/none/setup-sandcastle.sh b/sandcastle-ng/scripts/none/setup-sandcastle.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+echo "skipping provisioning"
diff --git a/sandcastle-ng/systemd/setup-sandcastle.service b/sandcastle-ng/systemd/setup-sandcastle.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Provision the sandcastle
+ConditionPathExists=/provision/setup-sandcastle.sh
+
+[Service]
+Type=oneshot
+ExecStart=/provision/setup-sandcastle.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
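Review bot: The `[Unit]` section of systemd/setup-sandcastle.service declares no ordering, so at boot this oneshot can start before the services its script depends on. The provisioning script added in the same commit runs `sudo -i -u postgres createuser …` and `psql`, calls `systemctl enable --now taler-exchange.target`, and then waits on `https://$EXCHANGE_DOMAIN/config`, all of which presumably need PostgreSQL and the network up first; if PostgreSQL runs as a systemd unit in this image, add `After=network-online.target postgresql.service` and `Wants=network-online.target` under `[Unit]`. The service also runs as root with no `User=`, which the script needs for its chown, createuser and systemctl calls, but a comment such as `# Runs as root: the script creates users, writes /etc/taler and starts units` would record that this is deliberate. Since the script's closing FIXME asks how setup errors get reported, note that a non-zero exit from a `Type=oneshot` unit at least leaves it in a failed state visible in `systemctl status`, though the `|| true` suffixes in the script will mask most of those failures.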