From b7e2029efb92fb5e49f56dfcbbfcd79a271386c3 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Tue, 3 Aug 2021 11:16:52 +0200 Subject: -minor improvements --- taler-exchange-setup-guide.rst | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst index 1d6e0b20..f867feda 100644 --- a/taler-exchange-setup-guide.rst +++ b/taler-exchange-setup-guide.rst @@ -163,6 +163,8 @@ The package will deploy systemd service files in (FIXME: Explain the Debian package users, groups and locations. -- anything missing?) +FIXME: I do not see how secmod keys are kept isolated from +the other users! Basic Setup: Currency and Denominations @@ -225,8 +227,9 @@ pattern ``exchange-account-$id``, where ``$id`` is an internal identifier for the bank account accessed with the Wire Gateway. The configuration file ``/etc/taler/conf.d/exchange-system.conf`` by default loads the section ``exchange-account-1`` from the secret file -``/etc/taler/secrets/exchange-accounts.secret.conf``. - +``/etc/taler/secrets/exchange-accounts.secret.conf``. The latter file +should already be only readable for the taler-exchange-wire user. Other +exchange processes should not have access to this information. .. code-block:: ini :caption: /etc/taler/secrets/exchange-accounts.secret.conf @@ -340,7 +343,7 @@ The responsibilities of this offline signing machine are: .. code-block:: shell-session - [root@exchange-online]# sudo -u taler-exchange-offline taler-exchange-offline setup + [root@exchange-offline]# sudo -u taler-exchange-offline taler-exchange-offline setup < ... prints the exchange master public key > The public key printed as the output of this command should must be put into the configuration 
@@ -379,9 +382,10 @@ enabled in nginx: .. code-block:: shell-session - [root@exchange-online]# cp /etc/nginx/sites-available/taler-exchange /etc/nginx/sites-enabled/ - [root@exchange-online]# vim /etc/nginx/sites-enabled/taler-exchange + [root@exchange-online]# vim /etc/nginx/sites-available/taler-exchange < ... customize configuration ... > + [root@exchange-online]# ln -s /etc/nginx/sites-available/taler-exchange \ + /etc/nginx/sites-enabled/taler-exchange [root@exchange-online]# systemctl reload nginx -- cgit v1.2.3
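Review bot: In the hunk at @@ -163,6 +163,8, the new FIXME is added as bare body text, unlike the parenthesised FIXME just above it, so it will render in the published guide as an unanswered question about secmod key isolation directly in front of the "Basic Setup: Currency and Denominations" heading. Either resolve it in this section by documenting which user owns the secmod key material and what access the other exchange users have, or move it into an RST comment or the issue tracker so the guide does not ship with an open security question in the reader's path.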
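Review bot: In the hunk at @@ -225,8 +227,9, the blank line that used to follow the secret file path is deleted and the new sentences now run straight up to ".. code-block:: ini"; reStructuredText needs a blank line between a paragraph and a directive, so check that one still remains or the directive will be swallowed into the paragraph. Separately, "should already be only readable for the taler-exchange-wire user" states an expectation without a way to confirm it; consider naming the expected owner and mode of /etc/taler/secrets/exchange-accounts.secret.conf and a command the administrator can run to check them.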
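Review bot: In the hunk at @@ -340,7 +343,7, the context line right after the session block still reads "should must be put into the configuration"; since this hunk already touches the example that sentence describes, drop one of the two verbs in the same commit. The prompt change to exchange-offline matches the surrounding text about the offline signing machine, and it would be worth checking the rest of the section for other taler-exchange-offline commands still shown under the exchange-online prompt.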
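Review bot: In the hunk at @@ -379,9 +382,10, the session goes from customising the site file to "systemctl reload nginx" with no syntax check in between; add an "nginx -t" step before the reload so a typo in the customised file is caught before nginx is asked to load it. Also note that "ln -s" fails if the target name already exists in sites-enabled, so a reader who followed the earlier cp-based instructions will have a regular file there that has to be removed first.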