1 files changed, 68 insertions, 47 deletions
diff --git a/libeufin/nexus-tutorial.rst b/libeufin/nexus-tutorial.rst
index 6ef78829..c00b9d4e 100644
--- a/libeufin/nexus-tutorial.rst
+++ b/libeufin/nexus-tutorial.rst
@@ -19,6 +19,28 @@ steps in "Setting up the Sandbox".
 Installing LibEuFin
 ===================
 
+.. warning::
+
+   LibEuFin does not yet ship with any systemd unit files.
+
+   There is an `open bug report <https://bugs.gnunet.org/view.php?id=6719>`__
+   for this issue.
+
+
+Installation on Debian
+----------------------
+
+.. include:: ../frags/installing-debian.rst
+
+To install LibEuFin, you can now simply run:
+
+.. code-block:: console
+
+   # apt install libeufin
+
+Run-time dependencies
+---------------------
+
 LibEuFin has the following run-time dependencies:
 
 * OpenJDK 11
@@ -26,6 +48,9 @@ LibEuFin has the following run-time dependencies:
 * python3-click (can be installed via ``pip3 install click``)
 * python3-requests (can be installed via ``pip3 install requests``)
 
+These dependencies only need to be installed manually when building from source
+or using the prebuilt binaries.
+
 Downloading prebuilt binaries
 -----------------------------
 
@@ -165,10 +190,21 @@ Use the following command to run the nexus service:
   $ libeufin-nexus serve --port 5001
 
 By default, the SQLite3 database ``/tmp/libeufin-nexus.sqlite3`` will be used.
+The database can be specified as a JDBC connection URI with the
+``--db-conn-string=$DBCONN`` option.  Only *SQLite* and *PostgreSQL (only via
+TCP)* are supported right now.
+
+.. warning::
+
+   For production-grade deployments of LibEuFin, we do not recommend specifying the
+   secret database credentials via command line arguments, as can will expose
+   those credentials to other users.
+
+   Instead, the DB connection string should be specified in an environment variable
+   (which can be set in the systemd unit via an ``EnvironmentFile`` option)
+   once LibEuFin supports this (see the corresponding
+   `bug tracker entry <https://bugs.gnunet.org/view.php?id=6720>`__).
 
-We recommend using the ``--db-conn-string=$DBCONN`` option.  It instructs Nexus
-to reach the database addressed by the JDBC connection URI.  Only *SQLite* and
-*PostgreSQL (only via TCP)* are supported right now.
 
 For example:
 
@@ -187,7 +223,8 @@ to create less privileged users is offered.
 
 .. note::
 
-  Privilege separation is not fully implemented yet.
+  User and permissions management in LibEuFin is still under development.
+  In particular, permissions for non-superusers are very limited at the moment.
 
 The command line interface needs the following three values
 to be defined in the environment: ``LIBEUFIN_NEXUS_URL``, ``LIBEUFIN_NEXUS_USERNAME``,
@@ -280,10 +317,10 @@ step is needed to let the user pick a custom name for such accounts.
       connections \
         import-bank-account \
           --offered-account-id testacct01 \
-          --nexus-bank-account-id $CUSTOM_RENAMING_FOR_ACCOUNT \
+          --nexus-bank-account-id $LOCAL_ACCOUNT_NAME \
           $CONNECTION_NAME
 
-Once a Nexus user imported a bank account (``$CUSTOM_RENAMING_FOR_ACCOUNT``)
+Once a Nexus user imported a bank account (``$LOCAL_ACCOUNT_NAME``)
 under a certain connection (``$CONNECTION_NAME``), it is possible
 to accomplish the usual operations for any bank account: asking for the
 list of transactions, and making a payment.
@@ -291,22 +328,16 @@ list of transactions, and making a payment.
 Request history of transactions
 ===============================
 
-..
-
-  FIXME: explain why requesting the history
-  goes through these two-phases.
+The LibEuFin nexus keeps a local copy of the bank account's transaction
+history.  Before querying transactions locally, it is necessary
+to request transactions for the bank account via the bank connection.
 
-It is first needed to tell Nexus to download the latest news
-from the bank, and then ask it again to return the results.
-
-This command asks Nexus to *download the latest bank statements*:
+This command asks Nexus to download the latest transaction reports/statements
+through the bank connection:
 
 .. code-block:: console
 
-  $ libeufin-cli \
-      accounts \
-        fetch-transactions \
-          $CUSTOM_RENAMING_FOR_ACCOUNT
+  $ libeufin-cli accounts fetch-transactions $LOCAL_ACCOUNT_NAME
 
 .. note::
 
@@ -316,36 +347,32 @@ This command asks Nexus to *download the latest bank statements*:
    reports).
 
 Once Nexus stored all the information in the database, the
-client can ask to actually **see** the transactions:
+client can ask to actually see the transactions:
 
 .. code-block:: console
 
-  $ libeufin-cli accounts \
-      transactions \
-        $CUSTOM_RENAMING_FOR_ACCOUNT
+  $ libeufin-cli accounts transactions $LOCAL_ACCOUNT_NAME
 
 Make a payment
 ==============
 
-..
-
-  FIXME: explain why payments go through these two-phases.
+Payments pass through two phases: preparation and submission.  The preparation
+phase assigns the payment initiation a unique ID, which prevents accidental
+double submissions of payments in case of network failures or other
+disruptions.
 
-Payments pass through two phases: preparation and submission.
 
 The following command prepares a payment:
 
 .. code-block:: console
 
-  $ libeufin-cli \
-      accounts \
-        prepare-payment \
+  $ libeufin-cli accounts prepare-payment \
           --creditor-iban $IBAN_TO_SEND_MONEY_TO \
           --creditor-bic $BIC_TO_SEND_MONEY_TO \
           --creditor-name $CREDITOR_NAME \
           --payment-amount $AMOUNT \
           --payment-subject $SUBJECT \
-          $CUSTOM_RENAMING_FOR_ACCOUNT
+          $LOCAL_ACCOUNT_NAME
 
 Note: the ``$AMOUNT`` value needs the format ``X.Y:CURRENCY``; for example
 ``10:EUR``, or ``1.01:EUR``.
@@ -356,11 +383,9 @@ in the next step, to **send the payment instructions to the bank**:
 
 .. code-block:: console
 
-  $ libeufin-cli \
-      accounts \
-        submit-payment \
-          --payment-uuid $UUID \
-          $CUSTOM_RENAMING_FOR_ACCOUNT
+  $ libeufin-cli accounts submit-payment \
+        --payment-uuid $UUID \
+        $LOCAL_ACCOUNT_NAME
 
 Automatic scheduling
 ====================
@@ -415,12 +440,10 @@ INI and HIA secret keys will be restored for the requesting user.
 
 .. code-block:: console
 
-  $ libeufin-cli \
-      connection \
-        restore-backup \
-          --passphrase $SECRET \
-          --backup-file $BACKUP_FILE \
-          $CONNECTION_NAME
+  $ libeufin-cli connection \ restore-backup
+      --passphrase $SECRET \
+      --backup-file $BACKUP_FILE \
+      $CONNECTION_NAME
 
 Creating a Taler facade
 =======================
@@ -436,12 +459,10 @@ existing bank account / connection pair.
 
 .. code-block:: console
 
-  $ libeufin-cli \
-      facades \
-        new-facade \
-          --facade-name $FACADE_NAME \
-          $CONNECTION_NAME \
-          $CUSTOM_RENAMING_FOR_ACCOUNT
+  $ libeufin-cli facades new-facade \
+      --facade-name $FACADE_NAME \
+      $CONNECTION_NAME \
+      $LOCAL_ACCOUNT_NAME
 
 At this point, the additional *taler-wire-gateway* (FIXME: link
 here to API here) API becomes offered by the Nexus.  The purpose