
[taler-deployment] branch master updated: import sandcastle-ng


From: gnunet
Subject: [taler-deployment] branch master updated: import sandcastle-ng
Date: Wed, 18 Oct 2023 23:31:53 +0200

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository deployment.

The following commit(s) were added to refs/heads/master by this push:
     new e5a83f4  import sandcastle-ng
e5a83f4 is described below

commit e5a83f4b2fe047de00f366b09fd84c630545087f
Author: Florian Dold <florian@dold.me>
AuthorDate: Wed Oct 18 23:31:50 2023 +0200

    import sandcastle-ng
---
 sandcastle-ng/Dockerfile                           | 236 ++++++++++
 sandcastle-ng/README.md                            | 137 ++++++
 sandcastle-ng/apt/caddy-stable-archive-keyring.gpg |  64 +++
 .../apt/caddy-stable-archive-keyring.gpg.gpg       | Bin 0 -> 2808 bytes
 sandcastle-ng/apt/caddy-stable.list                |   9 +
 sandcastle-ng/buildconfig/README                   |   5 +
 sandcastle-ng/buildconfig/exchange.tag             |   1 +
 sandcastle-ng/buildconfig/gnunet.tag               |   1 +
 sandcastle-ng/buildconfig/libeufin.tag             |   1 +
 sandcastle-ng/buildconfig/libmhd.tag               |   1 +
 sandcastle-ng/buildconfig/merchant-demos.tag       |   1 +
 sandcastle-ng/buildconfig/merchant.tag             |   1 +
 sandcastle-ng/buildconfig/sync.tag                 |   1 +
 sandcastle-ng/buildconfig/wallet.tag               |   1 +
 sandcastle-ng/sandcastle-build                     |   9 +
 sandcastle-ng/sandcastle-enter                     |   3 +
 sandcastle-ng/sandcastle-run                       |  56 +++
 sandcastle-ng/scripts/demo/setup-sandcastle.sh     | 511 +++++++++++++++++++++
 sandcastle-ng/scripts/none/setup-sandcastle.sh     |   3 +
 sandcastle-ng/systemd/setup-sandcastle.service     |  11 +
 20 files changed, 1052 insertions(+)

diff --git a/sandcastle-ng/Dockerfile b/sandcastle-ng/Dockerfile
new file mode 100644
index 0000000..f5bec33
--- /dev/null
+++ b/sandcastle-ng/Dockerfile
@@ -0,0 +1,236 @@
+FROM debian:bookworm AS base-system
+
+# FIXMEs:
+# - debian packages should be built with a nightly tag
+# - the final image contains all build dependencies, this isn't really 
necessary
+# - the final image contains -dev packages, not really necessary
+# - GNUnet build dependencies are excessive, maybe we can just build the 
required libs?
+
+RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends 
install -y \
+  autoconf \
+  autopoint \
+  build-essential \
+  po-debconf \
+  debhelper-compat \
+  apt-utils \
+  libtool \
+  texinfo \
+  libgcrypt-dev \
+  libidn11-dev \
+  zlib1g-dev \
+  libunistring-dev \
+  libjansson-dev \
+  git \
+  recutils \
+  libsqlite3-dev \
+  libpq-dev \
+  libmicrohttpd-dev \
+  libsodium-dev \
+  libqrencode-dev \
+  zip \
+  unzip \
+  jq \
+  npm \
+  openjdk-17-jre-headless \
+  openjdk-17-jdk-headless \
+  default-jre-headless \
+  nano \
+  procps \
+  python3-jinja2 \
+  python3-pip \
+  python3-sphinx \
+  python3-sphinx-rtd-theme \
+  python3-venv \
+  python3-dev \
+  nodejs \
+  iptables \
+  miniupnpc \
+  libextractor-dev \
+  libbluetooth-dev \
+  libcurl4-gnutls-dev \
+  libogg-dev \
+  libopus-dev \
+  libpulse-dev \
+  fakeroot \
+  libzbar-dev \
+  libltdl-dev \
+  net-tools \
+  python3-flask \
+  python3-flask-babel \
+  uwsgi \
+  python3-bs4 \
+  pybuild-plugin-pyproject
+
+# old: libzbar-dev
+
+# FIXME: Try to use debian packages where possible and otherwise really use
+# a venv or per-user installation of the package.
+RUN pip3 install --break-system-packages requests click poetry uwsgi htmlark 
sphinx-book-theme
+
+# GNUnet
+FROM base-system AS gnunet
+
+COPY buildconfig/gnunet.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/gnunet.tag) && \
+  git clone git://git.gnunet.org/gnunet \
+  --branch $TAG
+WORKDIR /build/gnunet
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/gnunet
+RUN mv /build/*.deb /packages/gnunet
+RUN rm -rf /build
+RUN dpkg -i /packages/gnunet/*.deb
+WORKDIR /
+
+# Exchange
+FROM gnunet as exchange
+
+COPY buildconfig/exchange.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/exchange.tag) && \
+  git clone git://git.taler.net/exchange \
+  --branch $TAG
+WORKDIR /build/exchange
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/exchange
+RUN mv /build/*.deb /packages/exchange
+RUN rm -rf /build
+RUN dpkg -i /packages/exchange/*.deb
+WORKDIR /
+
+# Merchant
+FROM exchange as merchant
+
+COPY buildconfig/merchant.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/merchant.tag) && \
+  git clone git://git.taler.net/merchant \
+  --branch $TAG
+WORKDIR /build/merchant
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/merchant
+RUN mv /build/*.deb /packages/merchant
+RUN rm -rf /build
+RUN dpkg -i /packages/merchant/*.deb
+WORKDIR /
+
+# Libeufin
+FROM base-system as libeufin
+
+WORKDIR /build
+COPY buildconfig/libeufin.tag /buildconfig/
+RUN TAG=$(cat /buildconfig/libeufin.tag) && \
+  git clone git://git.taler.net/libeufin \
+  --branch $TAG
+WORKDIR /build/libeufin
+RUN ./bootstrap
+RUN ./configure --prefix=/usr
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/libeufin
+RUN mv /build/*.deb /packages/libeufin
+RUN rm -rf /build
+RUN dpkg -i /packages/libeufin/*.deb
+
+# Merchant demos
+FROM base-system as merchant-demos
+
+WORKDIR /build
+COPY buildconfig/merchant-demos.tag /buildconfig/
+RUN TAG=$(cat /buildconfig/merchant-demos.tag) && \
+  git clone git://git.taler.net/taler-merchant-demos \
+  --branch $TAG
+WORKDIR /build/taler-merchant-demos
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/merchant-demos
+RUN mv /build/*.deb /packages/merchant-demos
+RUN rm -rf /build
+RUN dpkg -i /packages/merchant-demos/*.deb
+
+# wallet-core tools (taler-wallet-cli and taler-harness)
+FROM base-system as wallet
+WORKDIR /build
+COPY buildconfig/wallet.tag /buildconfig/
+RUN TAG=$(cat /buildconfig/wallet.tag) && \
+  git clone git://git.taler.net/wallet-core \
+  --branch $TAG
+RUN npm install -g pnpm@^8.7.0
+WORKDIR /build/wallet-core
+RUN ./bootstrap
+# taler-wallet-cli
+WORKDIR /build/wallet-core/packages/taler-wallet-cli
+RUN ./configure --prefix=/usr/local
+RUN make deps
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+# taler-harness
+WORKDIR /build/wallet-core/packages/taler-harness
+RUN ./configure --prefix=/usr/local
+RUN pnpm install --frozen-lockfile --filter @gnu-taler/taler-harness...
+RUN pnpm run --filter @gnu-taler/taler-harness... compile
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+# copy debs
+WORKDIR /
+RUN mkdir -p /packages/wallet
+RUN mv /build/wallet-core/packages/*.deb /packages/wallet
+RUN rm -rf /build
+RUN dpkg -i /packages/wallet/*.deb
+
+# Sync
+FROM merchant as sync
+COPY buildconfig/sync.tag /buildconfig/
+WORKDIR /build
+RUN TAG=$(cat /buildconfig/sync.tag) && \
+  git clone git://git.taler.net/sync \
+  --branch $TAG
+WORKDIR /build/sync
+RUN ./bootstrap
+RUN dpkg-buildpackage -rfakeroot -b -uc -us
+WORKDIR /
+RUN mkdir -p /packages/sync
+RUN mv /build/*.deb /packages/sync
+RUN rm -rf /build
+RUN dpkg -i /packages/sync/*.deb
+WORKDIR /
+
+
+# Final image
+FROM base-system as taler-final
+RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends 
install -y \
+  gpg
+COPY apt/caddy-stable.list /etc/apt/sources.list.d/caddy-stable.list
+COPY apt/caddy-stable-archive-keyring.gpg /tmp/caddy-stable-archive-keyring.gpg
+RUN gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg 
/tmp/caddy-stable-archive-keyring.gpg
+RUN apt-get update && apt-get -y upgrade && apt-get --no-install-recommends 
install -y \
+  emacs \
+  vim \
+  curl \
+  postgresql \
+  bash-completion \
+  sudo \
+  less \
+  caddy \
+  systemd-coredump \
+  libnss3-tools \
+  latexmk \
+  texlive-latex-extra \
+  tex-gyre
+RUN mkdir -p /packages
+COPY --from=gnunet /packages/gnunet/* /packages/
+COPY --from=exchange /packages/exchange/* /packages/
+COPY --from=merchant /packages/merchant/* /packages/
+COPY --from=wallet /packages/wallet/* /packages/
+COPY --from=libeufin /packages/libeufin/* /packages/
+COPY --from=merchant-demos /packages/merchant-demos/* /packages/
+RUN dpkg -i /packages/*.deb
+COPY systemd/setup-sandcastle.service /etc/systemd/system/
+RUN systemctl enable setup-sandcastle.service
+RUN systemctl disable postgresql
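Review bot: Every component is fetched with `git clone git://…` (the gnunet, exchange, merchant, libeufin, taler-merchant-demos, wallet-core and sync stages), and the git:// transport carries no authentication or integrity protection, so the build trusts whatever answers on the network for the tag named in buildconfig. If the same repositories are served over https, switching the URL, e.g. `git clone https://git.taler.net/exchange --branch $TAG`, closes that gap; running `git verify-tag "$TAG"` after the clone would be stronger still, provided the release tags are signed, which I cannot tell from here. The unpinned `pip3 install --break-system-packages …` line has the same supply-chain character, as the FIXME above it already notes. Separately, the committed binary `apt/caddy-stable-archive-keyring.gpg.gpg` is never referenced, since this Dockerfile dearmors the ASCII keyring at build time, so it looks like an accidental leftover.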
diff --git a/sandcastle-ng/README.md b/sandcastle-ng/README.md
new file mode 100644
index 0000000..01339d0
--- /dev/null
+++ b/sandcastle-ng/README.md
@@ -0,0 +1,137 @@
+# Introduction
+
+The sandcastle is a containerized deployment of GNU Taler
+
+It uses podman to build an image and run a single container that
+has systemd running inside.
+
+
+# Prerequisites
+
+You need (on your host system):
+* podman
+* bash
+
+
+# Building the Container Image
+
+1. Set buildconfig/$component.tag to the right git tag you want to build
+2. Run ./sandcastle-build to build the Taler container.  The resulting 
container
+   is tagged as taler-base-all
+
+
+# Configuring the Deployment
+
+It is recommended that for each deployment, you clone the deployment.git
+repository and create a branch with deployment-specific changes.
+
+Currently there is not much configuration.
+
+The main adjustments to be made are:
+
+* scripts/demo/setup-sandcastle.sh has the currency on top of the file
+* sandcastle-run has variables for the port that'll be exposed ("published") on
+  the host.  They can be overwritten with environment variables
+  (``TALER_SANDCASTLE_PORT_$COMPONENT``).
+
+
+# Running the Deployment
+
+Run ``./sandcastle-run`` to run the single container.  The container will be
+named taler-sandcastle.
+
+You can run the container in the background by passing ``-d``.  Note that 
``./sandcastle-run`` is just
+a wrapper around ``podman run``.
+
+The running container publishes ports to the host as defined in 
``./sandcastle-run``.
+You can manually verify these port mappings via ``podman port 
taler-sandcastle``.
+
+# Stopping the deployment
+
+```
+podman stop taler-sandcastle
+```
+
+
+# Poking Around
+
+You can poke around in a running sandcastle instance by running
+
+```
+podman exec -it taler-sandcastle /bin/bash
+```
+
+Or, as a shortcut:
+
+```
+./sandcastle-enter
+```
+
+This will drop you into a shell inside the running container,
+where you have access to systemd, journalctl, etc.
+
+
+# Data Storage
+
+All persistent data is stored in a podman volume called
+talerdata.  You can see where it is in your filesystem
+by running ``podman volume inspect talerdata``.
+
+That volume also contains the postgres database files.
+
+
+# Provisioning Details
+
+The whole deployment is configured by the script 
``/provision/setup-sandcastle.sh``.
+This script will be run as a oneshot systemd service and will disable itself 
after
+the first success.
+
+To troubleshoot, run ``journalctl -u setup-sandcastle.service``.
+
+There are different setup scripts in the ``scripts/$SANDCASTLE_SETUP_NAME``
+folders. Specifically:
+
+* ``none`` does no setup at all
+* ``demo`` is the usual Taler demo
+* TBD: ``regio`` is a currency conversion setup
+
+By default, ``demo`` is used.  To mount a different provision script, set 
``$SANDCASTLE_SETUP_NAME``
+when running ``./sandcastle-run``.
+
+You can always manually run the provisioning script inside the container as
+``/scripts/$SANDCASTLE_SETUP_NAME/setup-sandcastle.sh``.
+
+
+# Neat Things That Already Work
+
+* Rebulding the base image is incremental, since we use layers.  If the tag
+  of the exchange is changed, only the exchange and components that depend
+  on it are rebuilt.
+* Inside the container, the service names resolve to localhost,
+  and on localhost a reverse proxy with locally signed certificates
+  ensures that services can talk to each other *within* the container
+  by using their *public* base URL.
+
+
+# Future Extensions
+
+* Fix rewards by deploying Javier's reward topup script inside the container 
via a systemd timer!
+* Variant where credentials use proper secret management instead of 
hard-coding all
+  passwords to "sandbox".
+* Better way to access logs, better way to expose errors during provisioning
+* The Dockerfile should introduce nightly tags for debian packages it builds.
+  Currently it just uses the latest defined version, which is confusing.
+* Deploy the Taler woocommerce plugin, wordpress plugin, Joomla plugin
+* Do self-tests of the deployment using the wallet CLI
+* Running the auditor
+* Running a currency conversion setup with multiple libeufin-bank instances
+* Allow a localhost-only, non-tls setup for being able to access a non-tls
+  Taler deployment on the podman host.
+* Instead of exposing HTTP ports, we could expose everything via unix domain 
sockets,
+  avoiding port collision problems.
+* Instead of requiring the reverse proxy to handle TLS,
+  the sandcastle container itself could do TLS termination with caddy.
+* To improve performance, allow connecting to an external database
+* Make it easy to import and export the persistent data
+* Extra tooling to checkpoint images/containers to revert to a previous
+  state quickly.
diff --git a/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg 
b/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg
new file mode 100644
index 0000000..444c642
--- /dev/null
+++ b/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg
@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+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+=e4lF
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg.gpg 
b/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg.gpg
new file mode 100644
index 0000000..286fb00
Binary files /dev/null and 
b/sandcastle-ng/apt/caddy-stable-archive-keyring.gpg.gpg differ
diff --git a/sandcastle-ng/apt/caddy-stable.list 
b/sandcastle-ng/apt/caddy-stable.list
new file mode 100644
index 0000000..d9503cb
--- /dev/null
+++ b/sandcastle-ng/apt/caddy-stable.list
@@ -0,0 +1,9 @@
+# Source: Caddy
+# Site: https://github.com/caddyserver/caddy
+# Repository: Caddy / stable
+# Description: Fast, multi-platform web server with automatic HTTPS
+
+
+deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] 
https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+
+deb-src [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] 
https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
diff --git a/sandcastle-ng/buildconfig/README b/sandcastle-ng/buildconfig/README
new file mode 100644
index 0000000..005630f
--- /dev/null
+++ b/sandcastle-ng/buildconfig/README
@@ -0,0 +1,5 @@
+These files determine the git tag from which the respective components are
+built in the base Docker image.
+
+They are in separate files to make modification checking with
+staged Docker builds work nicely.
diff --git a/sandcastle-ng/buildconfig/exchange.tag 
b/sandcastle-ng/buildconfig/exchange.tag
new file mode 100644
index 0000000..37cffb3
--- /dev/null
+++ b/sandcastle-ng/buildconfig/exchange.tag
@@ -0,0 +1 @@
+v0.9.4-dev.3
diff --git a/sandcastle-ng/buildconfig/gnunet.tag 
b/sandcastle-ng/buildconfig/gnunet.tag
new file mode 100644
index 0000000..46def34
--- /dev/null
+++ b/sandcastle-ng/buildconfig/gnunet.tag
@@ -0,0 +1 @@
+v0.20.1-talerdev.1
diff --git a/sandcastle-ng/buildconfig/libeufin.tag 
b/sandcastle-ng/buildconfig/libeufin.tag
new file mode 100644
index 0000000..95c601b
--- /dev/null
+++ b/sandcastle-ng/buildconfig/libeufin.tag
@@ -0,0 +1 @@
+v0.9.3-dev.27
diff --git a/sandcastle-ng/buildconfig/libmhd.tag 
b/sandcastle-ng/buildconfig/libmhd.tag
new file mode 100644
index 0000000..17ab5bf
--- /dev/null
+++ b/sandcastle-ng/buildconfig/libmhd.tag
@@ -0,0 +1 @@
+v0.9.75
diff --git a/sandcastle-ng/buildconfig/merchant-demos.tag 
b/sandcastle-ng/buildconfig/merchant-demos.tag
new file mode 100644
index 0000000..8864e2c
--- /dev/null
+++ b/sandcastle-ng/buildconfig/merchant-demos.tag
@@ -0,0 +1 @@
+v0.9.3-dev.6
diff --git a/sandcastle-ng/buildconfig/merchant.tag 
b/sandcastle-ng/buildconfig/merchant.tag
new file mode 100644
index 0000000..5373159
--- /dev/null
+++ b/sandcastle-ng/buildconfig/merchant.tag
@@ -0,0 +1 @@
+v0.9.4-dev.2
diff --git a/sandcastle-ng/buildconfig/sync.tag 
b/sandcastle-ng/buildconfig/sync.tag
new file mode 100644
index 0000000..188bef5
--- /dev/null
+++ b/sandcastle-ng/buildconfig/sync.tag
@@ -0,0 +1 @@
+v0.9.3
diff --git a/sandcastle-ng/buildconfig/wallet.tag 
b/sandcastle-ng/buildconfig/wallet.tag
new file mode 100644
index 0000000..be571b2
--- /dev/null
+++ b/sandcastle-ng/buildconfig/wallet.tag
@@ -0,0 +1 @@
+v0.9.3-dev.33
diff --git a/sandcastle-ng/sandcastle-build b/sandcastle-ng/sandcastle-build
new file mode 100755
index 0000000..7a655dd
--- /dev/null
+++ b/sandcastle-ng/sandcastle-build
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -eu
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$SCRIPT_DIR"
+
+exec podman build -f Dockerfile --target taler-final -t taler-base-all .
diff --git a/sandcastle-ng/sandcastle-enter b/sandcastle-ng/sandcastle-enter
new file mode 100755
index 0000000..25bf48e
--- /dev/null
+++ b/sandcastle-ng/sandcastle-enter
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+exec podman exec -it taler-sandcastle /bin/bash
diff --git a/sandcastle-ng/sandcastle-run b/sandcastle-ng/sandcastle-run
new file mode 100755
index 0000000..c79551f
--- /dev/null
+++ b/sandcastle-ng/sandcastle-run
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Run the Taler container with all the right mounts and preset parameters
+
+set -eu
+
+SANDCASTLE_PORT_MERCHANT=16000
+SANDCASTLE_PORT_EXCHANGE=16001
+SANDCASTLE_PORT_BLOG=16002
+SANDCASTLE_PORT_DONATIONS=16003
+SANDCASTLE_PORT_SURVEY=16004
+SANDCASTLE_PORT_LANDING=16005
+SANDCASTLE_PORT_LIBEUFIN_BANK=16007
+SANDCASTLE_PORT_BANK_SPA=16006
+
+# Container-internal ports, should by synced with scripts/setup-sandcastle.sh
+PORT_INTERNAL_EXCHANGE=8201
+PORT_INTERNAL_MERCHANT=8301
+PORT_INTERNAL_LIBEUFIN_BANK=8080
+PORT_INTERNAL_LANDING=8501
+PORT_INTERNAL_BLOG=8502
+PORT_INTERNAL_DONATIONS=8503
+PORT_INTERNAL_SURVEY=8504
+PORT_INTERNAL_BANK_SPA=8505
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+
+existing_id=$(podman ps -q -a -f=name=taler-sandcastle)
+
+if [[ ! -z "$existing_id" ]]; then
+  echo "removing existing taler-sandcastle container $existing_id"
+  podman rm "$existing_id"
+fi
+
+# We need to be careful with SELinux when using volume mounts, relabel!
+
+SETUP_NAME=${SANDCASTLE_SETUP_NAME:-demo}
+
+exec podman run \
+  -p=$SANDCASTLE_PORT_MERCHANT:$PORT_INTERNAL_MERCHANT \
+  -p=$SANDCASTLE_PORT_EXCHANGE:$PORT_INTERNAL_EXCHANGE \
+  -p=$SANDCASTLE_PORT_LIBEUFIN_BANK:$PORT_INTERNAL_LIBEUFIN_BANK \
+  -p=$SANDCASTLE_PORT_LANDING:$PORT_INTERNAL_LANDING \
+  -p=$SANDCASTLE_PORT_BLOG:$PORT_INTERNAL_BLOG \
+  -p=$SANDCASTLE_PORT_DONATIONS:$PORT_INTERNAL_DONATIONS \
+  -p=$SANDCASTLE_PORT_SURVEY:$PORT_INTERNAL_SURVEY \
+  -p=$SANDCASTLE_PORT_BANK_SPA:$PORT_INTERNAL_BANK_SPA \
+  --name taler-sandcastle \
+  --systemd=always \
+  -v talerdata:/talerdata:Z \
+  -v $PWD/scripts:/scripts:Z \
+  -v $PWD/scripts/$SETUP_NAME:/provision:Z \
+  --entrypoint /sbin/init \
+  "$@" \
+  taler-base-all
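Review bot: The `SANDCASTLE_PORT_*` lines at the top of the script are plain assignments, so the `TALER_SANDCASTLE_PORT_$COMPONENT` environment overrides that the README promises have no effect; each should read its override with a default as in the fence below. `cd $SCRIPT_DIR` and the two `-v $PWD/scripts…:Z` mounts are unquoted and break on a checkout path containing spaces; `cd "$SCRIPT_DIR"` and `-v "$PWD/scripts:/scripts:Z"` fix that. Note also that `-p=HOST:CONTAINER` without a bind address publishes on all host interfaces, and the demo provisioning uses a fixed "sandbox" password for every bank account, so the deployment is reachable from the network by default; binding to 127.0.0.1 unless explicitly overridden would be a safer default for a sandbox.
```shell
SANDCASTLE_PORT_MERCHANT=${TALER_SANDCASTLE_PORT_MERCHANT:-16000}
SANDCASTLE_PORT_EXCHANGE=${TALER_SANDCASTLE_PORT_EXCHANGE:-16001}
SANDCASTLE_PORT_BLOG=${TALER_SANDCASTLE_PORT_BLOG:-16002}
SANDCASTLE_PORT_DONATIONS=${TALER_SANDCASTLE_PORT_DONATIONS:-16003}
SANDCASTLE_PORT_SURVEY=${TALER_SANDCASTLE_PORT_SURVEY:-16004}
SANDCASTLE_PORT_LANDING=${TALER_SANDCASTLE_PORT_LANDING:-16005}
SANDCASTLE_PORT_LIBEUFIN_BANK=${TALER_SANDCASTLE_PORT_LIBEUFIN_BANK:-16007}
SANDCASTLE_PORT_BANK_SPA=${TALER_SANDCASTLE_PORT_BANK_SPA:-16006}
# … unchanged: internal ports, SCRIPT_DIR detection …
cd "$SCRIPT_DIR"
# … unchanged: existing-container cleanup, SETUP_NAME, podman run port flags …
  -v "$PWD/scripts:/scripts:Z" \
  -v "$PWD/scripts/$SETUP_NAME:/provision:Z" \
```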
diff --git a/sandcastle-ng/scripts/demo/setup-sandcastle.sh 
b/sandcastle-ng/scripts/demo/setup-sandcastle.sh
new file mode 100755
index 0000000..9302d72
--- /dev/null
+++ b/sandcastle-ng/scripts/demo/setup-sandcastle.sh
@@ -0,0 +1,511 @@
+#!/usr/bin/env bash
+
+# This scripts provisions all configuration and
+# services for the Taler sandcastle container.
+#
+# Important: This script needs to be completely
+# idempotent, nothing must break if it is executed
+# multiple times.
+
+set -eu
+set -x
+
+if [[ ! -z "${SANDCASTLE_SKIP_SETUP:-}" ]]; then
+  echo "skipping sandcastle setup, requested by environment var 
SANDCASTLE_SKIP_SETUP"
+  exit 1
+fi
+
+echo "Provisioning sandcastle"
+
+# General configuration.
+# Might eventually be moved to an external file.
+
+CURRENCY=KUDOS
+EXCHANGE_IBAN=DE159593
+EXCHANGE_PLAIN_PAYTO=payto://iban/$EXCHANGE_IBAN
+EXCHANGE_FULL_PAYTO="payto://iban/$EXCHANGE_IBAN?receiver-name=Sandcastle+Echange+Inc"
+EXCHANGE_BANK_PASSWORD=sandbox
+
+# Randomly generated IBANs for the merchants
+MERCHANT_IBAN_DEFAULT=DE5135717
+MERCHANT_IBAN_POS=DE4218710
+MERCHANT_IBAN_BLOG=DE8292195
+MERCHANT_IBAN_GNUNET=DE9709960
+MERCHANT_IBAN_TALER=DE1740597
+MERCHANT_IBAN_TOR=DE2648777
+MERCHANT_IBAN_SURVEY=DE0793060
+
+MYDOMAIN=demo.taler.net
+LANDING_DOMAIN=$MYDOMAIN
+BANK_DOMAIN=bank.$MYDOMAIN
+EXCHANGE_DOMAIN=exchange.$MYDOMAIN
+MERCHANT_DOMAIN=backend.$MYDOMAIN
+BLOG_DOMAIN=shop.$MYDOMAIN
+DONATIONS_DOMAIN=donations.$MYDOMAIN
+SURVEY_DOMAIN=survey.$MYDOMAIN
+
+# Ports of the services running inside the container.
+# Should be synchronized with the sandcastle-run script.
+PORT_INTERNAL_EXCHANGE=8201
+PORT_INTERNAL_MERCHANT=8301
+PORT_INTERNAL_LIBEUFIN_BANK=8080
+PORT_INTERNAL_LANDING=8501
+PORT_INTERNAL_BLOG=8502
+PORT_INTERNAL_DONATIONS=8503
+PORT_INTERNAL_SURVEY=8504
+PORT_INTERNAL_BANK_SPA=8505
+
+# Just make sure the services are stopped
+systemctl stop taler-exchange.target
+systemctl stop taler-merchant-httpd.service
+systemctl stop postgresql.service
+systemctl stop taler-demo-landing.service
+systemctl stop taler-demo-blog.service
+systemctl stop taler-demo-donations.service
+systemctl stop taler-demo-survey.service
+systemctl stop libeufin-bank.service
+
+# We now make sure that some important locations are symlinked to
+# the persistent storage volume.
+# Files that already exist in this location are moved to the storage volume
+# and then symlinked.
+# These locations are:
+# /etc/taler
+# /etc/libeufin-bank
+# /var/lib/taler
+# postgres DB directory
+
+function lift_dir() {
+  src=$1
+  target=$2
+  if [[ -L "$src" ]]; then
+    # be idempotent
+    echo "$src is already a symlink"
+  elif [[ -d /talerdata/$target ]]; then
+    echo "symlinking existing /talerdata/$target"
+    rm -rf "$src"
+    ln -s "/talerdata/$target" "$src"
+  else
+    echo "symlinking new /talerdata/$target"
+    mv "$src" "/talerdata/$target"
+    ln -s "/talerdata/$target" "$src"
+  fi
+}
+
+lift_dir /var/lib/taler var-lib-taler
+lift_dir /etc/taler etc-taler
+lift_dir /etc/libeufin-bank etc-libeufin-bank
+lift_dir /var/lib/postgresql var-lib-postgresql
+lift_dir /usr/share/taler/terms usr-share-taler-terms
+
+# Caddy configuration.
+# We use the caddy reverse proxy with automatic
+# internal TLS setup to ensure that the services are
+# reachable inside the container without any external
+# DNS setup under the same domain name and with TLS
+# from inside the container.
+
+systemctl stop caddy.service
+
+cat <<EOF > /etc/caddy/Caddyfile
+https://$BANK_DOMAIN {
+  tls internal
+  reverse_proxy :8080 {
+    # libeufin-bank should eventually not require this anymore,
+    # but currently doesn't work without this header.
+    header_up X-Forwarded-Prefix ""
+  }
+}
+
+https://$EXCHANGE_DOMAIN {
+  tls internal
+  reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
+}
+
+https://$MERCHANT_DOMAIN {
+  tls internal
+  reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock
+}
+
+# Services that only listen on unix domain sockets
+# are reverse-proxied to serve on a TCP port.
+
+:$PORT_INTERNAL_EXCHANGE {
+  reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
+}
+
+:$PORT_INTERNAL_MERCHANT {
+  reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock {
+    # Set this, or otherwise wrong taler://pay URIs will be generated.
+    header_up X-Forwarded-Proto "https"
+  }
+}
+
+:$PORT_INTERNAL_BANK_SPA {
+  root * /usr/share/libeufin-bank/spa
+  root /demobank-ui-settings.js /etc/libeufin-bank/
+  file_server
+}
+EOF
+
+cat <<EOF >> /etc/hosts
+# Start of Taler Sandcastle Domains
+127.0.0.1 $LANDING_DOMAIN
+127.0.0.1 $BANK_DOMAIN
+127.0.0.1 $EXCHANGE_DOMAIN
+127.0.0.1 $MERCHANT_DOMAIN
+127.0.0.1 $BLOG_DOMAIN
+127.0.0.1 $DONATIONS_DOMAIN
+127.0.0.1 $SURVEY_DOMAIN
+# End of Taler Sandcastle Domains
+EOF
+
+systemctl start caddy.service
+
+# Install local, internal CA certs for caddy
+caddy trust
+
+systemctl start postgresql.service
+
+# Set up bank
+
+BANK_DB=libeufinbank
+# Use "|| true" to continue if these already exist.
+sudo -i -u postgres createuser -d libeufin-bank || true
+sudo -i -u postgres createdb -O libeufin-bank $BANK_DB || true
+
+sudo -i -u libeufin-bank libeufin-bank dbinit
+
+cat <<EOF >/etc/libeufin-bank/libeufin-bank.conf
+[libeufin-bank]
+CURRENCY = $CURRENCY
+DEFAULT_CUSTOMER_DEBT_LIMIT = $CURRENCY:200
+DEFAULT_ADMIN_DEBT_LIMIT = $CURRENCY:2000
+REGISTRATION_BONUS = $CURRENCY:100
+REGISTRATION_BONUS_ENABLED = yes
+SPA_CAPTCHA_URL = https://$BANK_DOMAIN/webui/#/operation/{woid}
+SUGGESTED_WITHDRAWAL_EXCHANGE = https://$EXCHANGE_DOMAIN/
+
+[currency-$CURRENCY]
+ENABLED = YES
+name = "$CURRENCY (Taler Demonstrator)"
+code = "$CURRENCY"
+decimal_separator = "."
+fractional_input_digits = 2
+fractional_normal_digits = 2
+fractional_trailing_zero_digits = 2
+is_currency_name_leading = NO
+alt_unit_names = {"0":"$CURRENCY"}
+EOF
+
+cat <<EOF >/etc/libeufin-bank/demobank-ui-settings.js
+globalThis.talerDemobankSettings = {
+  // Only Admin adds users
+  allowRegistrations: false,
+  bankName: "Taler Bank",
+  allowRegistrations: true,
+  simplePasswordForRandomAccounts: true,
+  allowRandomAccountCreation: true,
+  // Show explainer text and navbar to other demo sites
+  showDemoNav: false,
+  demoSites: [
+    ["Landing", "https://$LANDING_DOMAIN/";],
+    ["Bank", "https://$BANK_DOMAIN/";],
+    ["Essay Shop", "https://$BLOG_DOMAIN/";],
+    ["Donations", "https://$DONATIONS_DOMAIN/";],
+    ["Survey", "https://$SURVEY_DOMAIN/";],
+  ],
+  backendBaseURL: "https://$BANK_DOMAIN/";,
+};
+EOF
+
+systemctl enable --now libeufin-bank.service
+
+# TODO: Create accounts for exchange and merchants
+
+taler-harness deployment wait-taler-service libeufin-bank 
https://$BANK_DOMAIN/config
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login exchange --exchange --public \
+  --payto $EXCHANGE_PLAIN_PAYTO \
+  --name Exchange \
+  --password sandbox
+
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login merchant-default --public \
+  --payto "payto://iban/$MERCHANT_IBAN_DEFAULT" \
+  --name "Default Demo Merchant" \
+  --password sandbox
+
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login merchant-pos --public \
+  --payto "payto://iban/$MERCHANT_IBAN_POS" \
+  --name "PoS Merchant" \
+  --password sandbox
+
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login merchant-blog --public \
+  --payto "payto://iban/$MERCHANT_IBAN_BLOG" \
+  --name "Blog Merchant" \
+  --password sandbox
+
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login merchant-gnunet --public \
+  --payto "payto://iban/$MERCHANT_IBAN_GNUNET" \
+  --name "GNUnet Donations Merchant" \
+  --password sandbox
+
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login merchant-taler --public \
+  --payto "payto://iban/$MERCHANT_IBAN_TALER" \
+  --name "Taler Donations Merchant" \
+  --password sandbox
+
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login merchant-tor --public \
+  --payto "payto://iban/$MERCHANT_IBAN_TOR" \
+  --name "Tor Donations Merchant" \
+  --password sandbox
+
+taler-harness deployment provision-bank-account https://$BANK_DOMAIN/ \
+  --login merchant-survey --public \
+  --payto "payto://iban/$MERCHANT_IBAN_SURVEY" \
+  --name "Tor Survey Merchant" \
+  --password sandbox
+
+# Set up exchange
+
+MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline 
-LDEBUG setup)
+
+EXCHANGE_DB=talerexchange
+# Use "|| true" to continue if these already exist.
+sudo -i -u postgres createuser -d taler-exchange-httpd || true
+sudo -i -u postgres createuser taler-exchange-wire || true
+sudo -i -u postgres createuser taler-exchange-closer || true
+sudo -i -u postgres createuser taler-exchange-aggregator || true
+sudo -i -u postgres createdb -O taler-exchange-httpd $EXCHANGE_DB || true
+
+# Generate /etc/taler/conf.d/setup.conf
+cat <<EOF > /etc/taler/conf.d/setup.conf
+[taler]
+CURRENCY = $CURRENCY
+CURRENCY_ROUND_UNIT = $CURRENCY:0.01
+
+[currency-$CURRENCY]
+ENABLED = YES
+name = "$CURRENCY (Taler Demonstrator)"
+code = "$CURRENCY"
+decimal_separator = "."
+fractional_input_digits = 2
+fractional_normal_digits = 2
+fractional_trailing_zero_digits = 2
+is_currency_name_leading = NO
+alt_unit_names = {"0":"$CURRENCY"}
+
+[exchange]
+AML_THRESHOLD = $CURRENCY:1000000
+MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY
+BASE_URL = https://$EXCHANGE_DOMAIN/
+
+[exchange-account-default]
+PAYTO_URI = $EXCHANGE_FULL_PAYTO
+ENABLE_DEBIT = YES
+ENABLE_CREDIT = YES
+@inline-secret@ exchange-accountcredentials-default 
../secrets/exchange-accountcredentials-default.secret.conf
+EOF
+
+cat <<EOF >/etc/taler/secrets/exchange-db.secret.conf
+[exchangedb-postgres]
+CONFIG=postgres:///${EXCHANGE_DB}
+EOF
+chmod 440 /etc/taler/secrets/exchange-db.secret.conf
+chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf
+
+cat <<EOF > /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+[exchange-accountcredentials-default]
+WIRE_GATEWAY_URL = https://$BANK_DOMAIN/accounts/exchange/taler-wire-gateway/
+WIRE_GATEWAY_AUTH_METHOD = basic
+USERNAME = exchange
+PASSWORD = ${EXCHANGE_BANK_PASSWORD}
+EOF
+chmod 400 /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+chown taler-exchange-wire:taler-exchange-db 
/etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+
+if [[ ! -e /etc/taler/conf.d/$CURRENCY-coins.conf ]]; then
+  # Only create if necessary, as each [COIN-...] section
+  # has a unique name with a timestamp.
+  taler-harness deployment gen-coin-config \
+    --min-amount "${CURRENCY}:0.01" \
+    --max-amount "${CURRENCY}:100" \
+      >"/etc/taler/conf.d/$CURRENCY-coins.conf"
+fi
+
+echo "Initializing exchange database"
+sudo -u taler-exchange-httpd taler-exchange-dbinit -LDEBUG -c 
/etc/taler/taler.conf
+
+echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-wire";' | sudo -i -u 
postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO 
"taler-exchange-wire";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-wire";' | sudo -i -u 
postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-wire";' | 
sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+
+echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-closer";' | sudo -i -u 
postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO 
"taler-exchange-closer";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-closer";' | sudo -i -u 
postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-closer";' | 
sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+
+echo 'GRANT USAGE ON SCHEMA exchange TO "taler-exchange-aggregator";' | sudo 
-i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA exchange TO 
"taler-exchange-aggregator";' | sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT USAGE ON SCHEMA _v TO "taler-exchange-aggregator";' | sudo -i -u 
postgres psql -f - ${EXCHANGE_DB}
+echo 'GRANT SELECT ON ALL TABLES IN SCHEMA _v TO "taler-exchange-aggregator";' 
| sudo -i -u postgres psql -f - ${EXCHANGE_DB}
+
+
+# # The ToS generator is currently borked, we don't generated ToS until that's 
fixed.
+TOS_PATH=/usr/share/taler/terms
+if [[ ! -e "$TOS_PATH/stamp-generated" ]]; then
+  # ToS generator is picky about the path that it is being run from
+  cd $TOS_PATH
+  taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler 
Systems SA" -p a4 -o $TOS_PATH -l en
+  taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler 
Systems SA" -p a4 -o $TOS_PATH -l en
+  taler-terms-generator -i exchange-tos-v0 -a "Taler Systems SA" -C "Taler 
Systems SA" -p a4 -o $TOS_PATH
+  taler-terms-generator -i exchange-pp-v0 -a "Taler Systems SA" -C "Taler 
Systems SA" -p a4 -o $TOS_PATH
+  touch "$TOS_PATH/stamp-generated"
+  cd -
+fi
+
+systemctl enable --now taler-exchange.target
+
+taler-harness deployment wait-taler-service taler-exchange 
https://$EXCHANGE_DOMAIN/config
+taler-harness deployment wait-endpoint https://$EXCHANGE_DOMAIN/management/keys
+
+sudo -i -u taler-exchange-offline \
+  taler-exchange-offline \
+  -c /etc/taler/taler.conf \
+  download \
+  sign \
+  upload
+
+sudo -i -u taler-exchange-offline \
+  taler-exchange-offline \
+  enable-account "${EXCHANGE_FULL_PAYTO}" \
+  wire-fee now iban "${CURRENCY}":0 "${CURRENCY}":0 \
+  global-fee now "${CURRENCY}":0 "${CURRENCY}":0 "${CURRENCY}":0 1h 6a 0 \
+  upload
+
+# Set up merchant backend
+
+MERCHANT_DB=talermerchant
+# Use "|| true" to continue if these already exist.
+sudo -i -u postgres createuser -d taler-merchant-httpd || true
+sudo -i -u postgres createdb -O taler-merchant-httpd $MERCHANT_DB || true
+
+cat <<EOF >/etc/taler/secrets/merchant-db.secret.conf
+[merchantdb-postgres]
+CONFIG=postgres:///${MERCHANT_DB}
+EOF
+chmod 440 /etc/taler/secrets/merchant-db.secret.conf
+chown taler-merchant-httpd:root /etc/taler/secrets/merchant-db.secret.conf
+
+sudo -u taler-merchant-httpd taler-merchant-dbinit -c /etc/taler/taler.conf
+
+cat <<EOF >/etc/taler/conf.d/merchant-exchanges.conf
+[merchant-exchange-sandcastle]
+EXCHANGE_BASE_URL = https://$EXCHANGE_DOMAIN/
+MASTER_KEY = $MASTER_PUBLIC_KEY
+CURRENCY = $CURRENCY
+EOF
+
+systemctl enable --now taler-merchant-httpd
+taler-harness deployment wait-taler-service taler-merchant 
https://$MERCHANT_DOMAIN/config
+
+taler-harness deployment provision-merchant-instance \
+  https://$MERCHANT_DOMAIN/ \
+  --management-token secret-token:sandbox \
+  --instance-token secret-token:sandbox \
+  --name Merchant \
+  --id default \
+  --payto "payto://iban/$MERCHANT_IBAN_DEFAULT?receiver-name=Merchant"
+
+taler-harness deployment provision-merchant-instance \
+  https://$MERCHANT_DOMAIN/ \
+  --management-token secret-token:sandbox \
+  --instance-token secret-token:sandbox \
+  --name "POS Merchant" \
+  --id pos \
+  --payto "payto://iban/$MERCHANT_IBAN_POS?receiver-name=POS+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+  https://$MERCHANT_DOMAIN/ \
+  --management-token secret-token:sandbox \
+  --instance-token secret-token:sandbox \
+  --name "Blog Merchant" \
+  --id blog \
+  --payto "payto://iban/$MERCHANT_IBAN_BLOG?receiver-name=Blog+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+  https://$MERCHANT_DOMAIN/ \
+  --management-token secret-token:sandbox \
+  --instance-token secret-token:sandbox \
+  --name "GNUnet Merchant" \
+  --id gnunet \
+  --payto "payto://iban/$MERCHANT_IBAN_GNUNET?receiver-name=GNUnet+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+  https://$MERCHANT_DOMAIN/ \
+  --management-token secret-token:sandbox \
+  --instance-token secret-token:sandbox \
+  --name "Taler Merchant" \
+  --id taler \
+  --payto "payto://iban/$MERCHANT_IBAN_TALER?receiver-name=Taler+Merchant"
+
+taler-harness deployment provision-merchant-instance \
+  https://$MERCHANT_DOMAIN/ \
+  --management-token secret-token:sandbox \
+  --instance-token secret-token:sandbox \
+  --name "Tor Merchant" \
+  --id tor \
+  --payto "payto://iban/$MERCHANT_IBAN_TOR?receiver-name=Tor+Merchant"
+
+
+# Now we set up the taler-merchant-demos
+
+cat <<EOF >/etc/taler/taler-merchant-frontends.conf
+# Different entry point, we need to repeat some settings.
+# In the future, taler-merchant-demos should become
+# robust enough to read from the main config.
+[taler]
+CURRENCY = $CURRENCY
+[frontends]
+BACKEND = https://$MERCHANT_DOMAIN/
+BACKEND_APIKEY = secret-token:sandbox
+[landing]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_LANDING
+[blog]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_BLOG
+[donations]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_DONATIONS
+[survey]
+SERVE = http
+HTTP_PORT = $PORT_INTERNAL_SURVEY
+EOF
+
+# This really should not exist, the taler-merchant-frontends
+# should be easier to configure!
+cat <<EOF >/etc/taler/taler-merchant-frontends.env
+TALER_ENV_URL_INTRO=https://$LANDING_DOMAIN/
+TALER_ENV_URL_LANDING=https://$LANDING_DOMAIN/
+TALER_ENV_URL_BANK=https://$BANK_DOMAIN/
+TALER_ENV_URL_MERCHANT_BLOG=https://$BLOG_DOMAIN/
+TALER_ENV_URL_MERCHANT_DONATIONS=https://$DONATIONS_DOMAIN/
+TALER_ENV_URL_MERCHANT_SURVEY=https://$SURVEY_DOMAIN/
+EOF
+
+systemctl enable --now taler-demo-landing
+systemctl enable --now taler-demo-blog
+systemctl enable --now taler-demo-donations
+systemctl enable --now taler-demo-survey
+
+
+# FIXME: Maybe do some taler-wallet-cli test?
+# FIXME: How do we report errors occurring during the setup script?
diff --git a/sandcastle-ng/scripts/none/setup-sandcastle.sh 
b/sandcastle-ng/scripts/none/setup-sandcastle.sh
new file mode 100755
index 0000000..1427b11
--- /dev/null
+++ b/sandcastle-ng/scripts/none/setup-sandcastle.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+echo "skipping provisioning"
diff --git a/sandcastle-ng/systemd/setup-sandcastle.service 
b/sandcastle-ng/systemd/setup-sandcastle.service
new file mode 100644
index 0000000..31ff233
--- /dev/null
+++ b/sandcastle-ng/systemd/setup-sandcastle.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Provision the sandcastle
+ConditionPathExists=/provision/setup-sandcastle.sh
+
+[Service]
+Type=oneshot
+ExecStart=/provision/setup-sandcastle.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
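Review bot: The `[Unit]` section declares no ordering dependencies, so `ExecStart=/provision/setup-sandcastle.sh` may run as soon as multi-user.target is reached, while the demo provisioning script imported in this same commit talks to PostgreSQL through `sudo -i -u postgres psql` and waits on `https://$EXCHANGE_DOMAIN/...` endpoints; if the database or the network is not up yet, the oneshot fails and with `RemainAfterExit=yes` that failure is only visible in the journal. Adding `After=network-online.target postgresql.service` and `Wants=network-online.target` under `[Unit]` would order the script behind those services (the PostgreSQL unit name depends on the image's packaging, so confirm it). The script also runs as root because no `User=` is set; that looks intended since it writes under /etc/taler and switches users with sudo, but a short comment stating it, e.g. `# Runs as root: the script provisions system files and drops privileges via sudo itself`, would make the choice explicit.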
