From f1fe5185be6db8a923e274a38de77d5a90bb3276 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Tue, 3 Aug 2021 11:52:05 +0200 Subject: -update manual --- taler-exchange-setup-guide.rst | 50 +++++++++++++++++++++++------------------- 1 file changed, 28 insertions(+), 22 deletions(-) (limited to 'taler-exchange-setup-guide.rst') diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst index f867feda..10ac2d7e 100644 --- a/taler-exchange-setup-guide.rst +++ b/taler-exchange-setup-guide.rst 
@@ -125,14 +125,14 @@ Services, users, groups and file system hierarchy The *taler-exchange-httpd* package will create several system users to compartmentalize different parts of the system: - * taler-exchange-httpd: the user that runs the HTTP daemon with the core business logic - * taler-exchange-secmod-rsa: the user that manages the RSA private online signing keys - * taler-exchange-secmod-eddsa: the user that manages the EdDSA private online signing keys - * taler-exchange-closer: a helper process that closes reserves - * taler-exchange-aggregator: a helper process that aggregates deposits into larger wire transfer requests - * taler-exchange-wire: the user that performs wire transfers with the bank - * postgres: the user running the Postgres database (from *postgres* package) - * www-data: the user running the frontend HTTPS service with the TLS keys (from *nginx* package) + * taler-exchange-httpd: runs the HTTP daemon with the core business logic + * taler-exchange-secmod-rsa: manages the RSA private online signing keys + * taler-exchange-secmod-eddsa: manages the EdDSA private online signing keys + * taler-exchange-closer: closes idle reserves by triggering wire transfers that refund the originator + * taler-exchange-aggregator: aggregates deposits into larger wire transfer requests + * taler-exchange-wire: performs wire transfers with the bank (via libeufin/nexus) + * postgres: runs the Postgres database (from *postgres* package) + * www-data: runs the frontend HTTPS service with the TLS keys (from *nginx* package) .. note:: 
@@ -143,28 +143,34 @@ to compartmentalize different parts of the system: The exchange setup uses the following system groups: * taler-exchange-db: group for all Taler users with direct database access, specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer and taler-exchange-aggregator - * taler-exchange-secmod: FIXME: how is this used right now? - * taler-exchange-offline: FIXME: how is this used right now? + * taler-exchange-secmod: group for processes with access to online signing keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and taler-exchange-httpd + * taler-exchange-offline: group for the access to the offline private key (only used on the offline host and not used on the online system) The package will deploy systemd service files in ``/usr/lib/systemd/system/`` for the various components: - * taler-exchange-aggregator.service: FIXME - explain - * taler-exchange-closer.service: FIXME - explain - * taler-exchange-httpd.service: FIXME - explain - * taler-exchange-httpd.socket: FIXME - explain - * taler-exchange-secmod-eddsa.service: FIXME - explain - * taler-exchange-secmod-rsa.service: FIXME - explain - * taler-exchange.target: FIXME - explain - * taler-exchange-transfer.service: FIXME - explain - * taler-exchange-wirewatch.service: FIXME - explain + * taler-exchange-aggregator.service: service that schedules wire transfers which combine multiple deposits to the same merchant + * taler-exchange-closer.service: service that watches for reserves that have been abandoned and schedules wire transfers to send the money back to the originator + * taler-exchange-httpd.service: main Taler exchange logic with the public REST API + * taler-exchange-httpd.socket: systemd socket activation for the Taler exchange HTTP daemon + * taler-exchange-secmod-eddsa.service: software security module for making EdDSA signatures + * taler-exchange-secmod-rsa.service: software security module for making RSA signatures + * 
taler-exchange-transfer.service: service that triggers outgoing wire transfers (pays merchants) + * taler-exchange-wirewatch.service: service that watches for incoming wire transfers (first step of withdraw) + * taler-exchange.target: Main target for the Taler exchange to be operational -(FIXME: Explain the Debian package users, groups and locations. -- anything missing?) +The deployment creates the following key locations in the system: + + * /etc/taler/: configuration files + * /var/run/taler/: contains the UNIX domain sockets for inter-process communication (IPC) + * /var/lib/taler/: serves as the $HOME for all Taler users and contains sub-directories + with the private keys; which keys are stored here depends on the host: + + - online system: exchange-secmod-eddsa and exchange-secmod-rsa keys + - offline system: exchange-offline keys -FIXME: I do not see how secmod keys are kept isolated from -the other users! Basic Setup: Currency and Denominations -- cgit v1.2.3
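Review bot: in the users list, the rewritten taler-exchange-closer bullet says it closes idle reserves "by triggering wire transfers that refund the originator", while the taler-exchange-wire bullet in the same list makes that user the one that "performs wire transfers with the bank (via libeufin/nexus)"; to keep the compartmentalization clear, word the closer entry as scheduling the refund transfers (as the taler-exchange-closer.service description in the next hunk does: "schedules wire transfers to send the money back") rather than triggering them itself. The taler-exchange-wire bullet should also name the systemd units that run as that user, since the service list below only has taler-exchange-transfer.service and taler-exchange-wirewatch.service and no taler-exchange-wire.service, so a reader cannot map the user to a service.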
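Review bot: the removed "FIXME: I do not see how secmod keys are kept isolated from the other users!" is dropped without the new text answering it, and the new taler-exchange-secmod group entry makes the question more pressing by listing taler-exchange-httpd as a member of the "group for processes with access to online signing keys". If httpd only reaches the secmods through the UNIX domain sockets in /var/run/taler/, say that explicitly (for example "group that may connect to the secmod IPC sockets; only the taler-exchange-secmod-* users can read the key files") and state the ownership and mode of the per-user key sub-directories under /var/lib/taler/, otherwise the new paragraph reads as if all Taler users share one $HOME tree containing each other's private keys. Minor: the taler-exchange-offline entry should say which user or host-local account is expected to be in that group, and taler-exchange.target is now out of alphabetical order and capitalized ("Main target") unlike the other service entries.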