author Christian Grothoff <christian@grothoff.org> 2021-08-03 11:52:05 +0200
committer Christian Grothoff <christian@grothoff.org> 2021-08-03 11:52:05 +0200
commit f1fe5185be6db8a923e274a38de77d5a90bb3276 (patch)
tree fe60bed5533417315021ec0784fa08b633f3b4e4
parent b7e2029efb92fb5e49f56dfcbbfcd79a271386c3 (diff)
update manual

-rw-r--r-- taler-exchange-setup-guide.rst | 50
1 files changed, 28 insertions, 22 deletions
diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst
index f867fed..10ac2d7 100644
--- a/taler-exchange-setup-guide.rst
+++ b/taler-exchange-setup-guide.rst
@@ -125,14 +125,14 @@ Services, users, groups and file system hierarchy
The *taler-exchange-httpd* package will create several system users
to compartmentalize different parts of the system:
- * taler-exchange-httpd: the user that runs the HTTP daemon with the core business logic
- * taler-exchange-secmod-rsa: the user that manages the RSA private online signing keys
- * taler-exchange-secmod-eddsa: the user that manages the EdDSA private online signing keys
- * taler-exchange-closer: a helper process that closes reserves
- * taler-exchange-aggregator: a helper process that aggregates deposits into larger wire transfer requests
- * taler-exchange-wire: the user that performs wire transfers with the bank
- * postgres: the user running the Postgres database (from *postgres* package)
- * www-data: the user running the frontend HTTPS service with the TLS keys (from *nginx* package)
+ * taler-exchange-httpd: runs the HTTP daemon with the core business logic
+ * taler-exchange-secmod-rsa: manages the RSA private online signing keys
+ * taler-exchange-secmod-eddsa: manages the EdDSA private online signing keys
+ * taler-exchange-closer: closes idle reserves by triggering wire transfers that refund the originator
+ * taler-exchange-aggregator: aggregates deposits into larger wire transfer requests
+ * taler-exchange-wire: performs wire transfers with the bank (via libeufin/nexus)
+ * postgres: runs the Postgres database (from *postgres* package)
+ * www-data: runs the frontend HTTPS service with the TLS keys (from *nginx* package)
.. note::
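Review bot: The user list in this hunk is out of step with the service list in the next hunk: taler-exchange-transfer.service and taler-exchange-wirewatch.service are introduced there, but no entry here says which system user they run under, while taler-exchange-wire is described only as the user that performs wire transfers. Either add entries for the transfer and wirewatch processes or state that both run as taler-exchange-wire, whichever is actually the case, so the compartmentalization claim at the top of the section can be checked against the running processes. Also, `(via libeufin/nexus)` is the first mention of that component in this section; a short gloss or a cross-reference would help, since a reader setting up the bank connection needs to know it is a separate package.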
@@ -143,28 +143,34 @@ to compartmentalize different parts of the system:
The exchange setup uses the following system groups:
* taler-exchange-db: group for all Taler users with direct database access, specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer and taler-exchange-aggregator
- * taler-exchange-secmod: FIXME: how is this used right now?
- * taler-exchange-offline: FIXME: how is this used right now?
+ * taler-exchange-secmod: group for processes with access to online signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd
+ * taler-exchange-offline: group for the access to the offline private key (only used on the offline host and not used on the online system)
The package will deploy systemd service files in
``/usr/lib/systemd/system/`` for the various components:
- * taler-exchange-aggregator.service: FIXME - explain
- * taler-exchange-closer.service: FIXME - explain
- * taler-exchange-httpd.service: FIXME - explain
- * taler-exchange-httpd.socket: FIXME - explain
- * taler-exchange-secmod-eddsa.service: FIXME - explain
- * taler-exchange-secmod-rsa.service: FIXME - explain
- * taler-exchange.target: FIXME - explain
- * taler-exchange-transfer.service: FIXME - explain
- * taler-exchange-wirewatch.service: FIXME - explain
+ * taler-exchange-aggregator.service: service that schedules wire transfers which combine multiple deposits to the same merchant
+ * taler-exchange-closer.service: service that watches for reserves that have been abandoned and schedules wire transfers to send the money back to the originator
+ * taler-exchange-httpd.service: main Taler exchange logic with the public REST API
+ * taler-exchange-httpd.socket: systemd socket activation for the Taler exchange HTTP daemon
+ * taler-exchange-secmod-eddsa.service: software security module for making EdDSA signatures
+ * taler-exchange-secmod-rsa.service: software security module for making RSA signatures
+ * taler-exchange-transfer.service: service that triggers outgoing wire transfers (pays merchants)
+ * taler-exchange-wirewatch.service: service that watches for incoming wire transfers (first step of withdraw)
+ * taler-exchange.target: Main target for the Taler exchange to be operational
-(FIXME: Explain the Debian package users, groups and locations. -- anything missing?)
+The deployment creates the following key locations in the system:
+
+ * /etc/taler/: configuration files
+ * /var/run/taler/: contains the UNIX domain sockets for inter-process communication (IPC)
+ * /var/lib/taler/: serves as the $HOME for all Taler users and contains sub-directories
+ with the private keys; which keys are stored here depends on the host:
+
+ - online system: exchange-secmod-eddsa and exchange-secmod-rsa keys
+ - offline system: exchange-offline keys
-FIXME: I do not see how secmod keys are kept isolated from
-the other users!
Basic Setup: Currency and Denominations
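Review bot: The line `taler-exchange-secmod: group for processes with access to online signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd` reads as if the HTTP daemon can read the private signing keys, which would contradict the compartmentalization stated at the start of the section and leaves the removed FIXME (`I do not see how secmod keys are kept isolated from the other users!`) deleted rather than answered. If the group only grants taler-exchange-httpd access to the secmod IPC sockets under /var/run/taler/ while the key sub-directories under /var/lib/taler/ remain readable only by the respective secmod user, say so explicitly here and state the expected ownership and permission bits for those directories, so an operator can verify the isolation after installation. Minor: `Main target` in the taler-exchange.target entry should be lowercase to match the other entries.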