From 05bc00b5f226e6e6695ef00609a02549284c8f55 Mon Sep 17 00:00:00 2001 
From: Florian Dold
Date: Fri, 30 Jul 2021 13:22:45 +0200
Subject: debian: better config split by package
---
 debian/auditor-conf/apache.conf | 4 --
 debian/auditor-conf/nginx.conf | 7 ---
 debian/etc-libtalerexchange/taler/overrides.conf | 1 +
 debian/etc-libtalerexchange/taler/taler.conf | 47 ++++++++++++++++++++
 .../apache2/sites-available/taler-auditor.conf | 4 ++
 .../nginx/sites-available/taler-auditor | 7 +++
 .../taler/conf.d/auditor-system.conf | 12 ++++++
 .../taler/secrets/auditor-db.secret.conf | 10 +++++
 .../apache2/sites-available/taler-exchange.conf | 4 ++
 .../nginx/sites-available/taler-exchange | 7 +++
 .../taler/conf.d/exchange-business.conf | 50 ++++++++++++++++++++++
 .../taler/conf.d/exchange-system.conf | 11 +++++
 .../taler/secrets/exchange-accounts.secret.conf | 21 +++++++++
 .../taler/secrets/exchange-db.secret.conf | 10 +++++
 debian/etc/taler/conf.d/auditor-system.conf | 12 ------
 debian/etc/taler/conf.d/exchange-business.conf | 50 ----------------------
 debian/etc/taler/conf.d/exchange-system.conf | 11 -----
 debian/etc/taler/secrets/auditor-db.secret.conf | 10 -----
 .../taler/secrets/exchange-accounts.secret.conf | 21 ---------
 debian/etc/taler/secrets/exchange-db.secret.conf | 10 -----
 debian/etc/taler/taler.conf | 47 -------------------
 debian/exchange-conf/apache.conf | 4 --
 debian/exchange-conf/nginx.conf | 7 ---
 debian/taler-auditor.install | 3 +-
 debian/taler-exchange.install | 3 +-
 25 files changed, 186 insertions(+), 187 deletions(-)
 delete mode 100644 debian/auditor-conf/apache.conf
 delete mode 100644 debian/auditor-conf/nginx.conf
 create mode 100644 debian/etc-libtalerexchange/taler/overrides.conf
 create mode 100644 debian/etc-libtalerexchange/taler/taler.conf
 create mode 100644 debian/etc-taler-auditor/apache2/sites-available/taler-auditor.conf
 create mode 100644 debian/etc-taler-auditor/nginx/sites-available/taler-auditor
 create mode 100644 debian/etc-taler-auditor/taler/conf.d/auditor-system.conf
 create mode 100644
debian/etc-taler-auditor/taler/secrets/auditor-db.secret.conf
 create mode 100644 debian/etc-taler-exchange/apache2/sites-available/taler-exchange.conf
 create mode 100644 debian/etc-taler-exchange/nginx/sites-available/taler-exchange
 create mode 100644 debian/etc-taler-exchange/taler/conf.d/exchange-business.conf
 create mode 100644 debian/etc-taler-exchange/taler/conf.d/exchange-system.conf
 create mode 100644 debian/etc-taler-exchange/taler/secrets/exchange-accounts.secret.conf
 create mode 100644 debian/etc-taler-exchange/taler/secrets/exchange-db.secret.conf
 delete mode 100644 debian/etc/taler/conf.d/auditor-system.conf
 delete mode 100644 debian/etc/taler/conf.d/exchange-business.conf
 delete mode 100644 debian/etc/taler/conf.d/exchange-system.conf
 delete mode 100644 debian/etc/taler/secrets/auditor-db.secret.conf
 delete mode 100644 debian/etc/taler/secrets/exchange-accounts.secret.conf
 delete mode 100644 debian/etc/taler/secrets/exchange-db.secret.conf
 delete mode 100644 debian/etc/taler/taler.conf
 delete mode 100644 debian/exchange-conf/apache.conf
 delete mode 100644 debian/exchange-conf/nginx.conf
diff --git a/debian/auditor-conf/apache.conf b/debian/auditor-conf/apache.conf
deleted file mode 100644
index f68c59558..000000000
--- a/debian/auditor-conf/apache.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-ProxyPass "unix:/var/lib/taler-auditor/auditor.sock|http://example.com/"
-RequestHeader add "X-Forwarded-Proto" "https"
-
diff --git a/debian/auditor-conf/nginx.conf b/debian/auditor-conf/nginx.conf
deleted file mode 100644
index 3fdffdad3..000000000
--- a/debian/auditor-conf/nginx.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-location /taler-auditor/ {
- proxy_pass http://unix:/var/lib/taler-auditor/auditor.sock;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Host "example.com";
- proxy_set_header X-Forwarded-Proto "https";
-}
\ No newline at end of file
diff --git a/debian/etc-libtalerexchange/taler/overrides.conf b/debian/etc-libtalerexchange/taler/overrides.conf
new file mode 100644
index 000000000..60296ead4
--- /dev/null
+++ b/debian/etc-libtalerexchange/taler/overrides.conf
@@ -0,0 +1 @@
+# This configuration will be changed by tooling. Do not touch it manually.
diff --git a/debian/etc-libtalerexchange/taler/taler.conf b/debian/etc-libtalerexchange/taler/taler.conf
new file mode 100644
index 000000000..71663be5e
--- /dev/null
+++ b/debian/etc-libtalerexchange/taler/taler.conf
@@ -0,0 +1,47 @@
+# Main entry point for the GNU Taler configuration.
+#
+# Structure:
+# - taler.conf is the main configuration entry point
+# used by all Taler components (the file you are currently
+# looking at.
+# - overrides.conf contains configuration overrides that are
+# set by some tools that help with the configuration,
+# and should not be edited by humans. Comments in this file
+# are not preserved.
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration.
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it. All files in it should end with
+# ".secret.conf".
+
+[taler]
+
+# Currency of the Taler deployment. This setting applies to all Taler
+# components that only support a single currency.
+#currency = KUDOS
+
+# Smallest currency unit handled by the underlying bank system. Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+#currency_round_unit = KUDOS:0.01
+
+
+[paths]
+
+TALER_HOME = /var/lib/taler
+TALER_RUNTIME_DIR = /run/taler
+TALER_CACHE_HOME = /var/cache/taler
+TALER_CONFIG_HOME = /etc/taler
+TALER_DATA_HOME = /var/lib/taler
+
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf
+
+# Overrides from tools that help with configuration.
+@inline@ overrides.conf
diff --git a/debian/etc-taler-auditor/apache2/sites-available/taler-auditor.conf b/debian/etc-taler-auditor/apache2/sites-available/taler-auditor.conf
new file mode 100644
index 000000000..f68c59558
--- /dev/null
+++ b/debian/etc-taler-auditor/apache2/sites-available/taler-auditor.conf
@@ -0,0 +1,4 @@
+
+ProxyPass "unix:/var/lib/taler-auditor/auditor.sock|http://example.com/"
+RequestHeader add "X-Forwarded-Proto" "https"
+
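Review bot: The header comment of the new taler.conf has an unclosed parenthesis at `# looking at.` and a grammar slip in the currency_round_unit paragraph, both carried over verbatim from the deleted debian/etc/taler/taler.conf. Since this is the entry point an administrator reads first, I would fix them while the file is being moved: `# looking at).`, and `# can be smaller than this unit, but interactions with external` / `# systems are always rounded to this unit.`. The secrets/ paragraph says the files "should have restrictive permissions" but not who is expected to set them; nothing in this patch does, so I would state whether that is left to the package's maintainer scripts or to the administrator.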
diff --git a/debian/etc-taler-auditor/nginx/sites-available/taler-auditor b/debian/etc-taler-auditor/nginx/sites-available/taler-auditor
new file mode 100644
index 000000000..3fdffdad3
--- /dev/null
+++ b/debian/etc-taler-auditor/nginx/sites-available/taler-auditor
@@ -0,0 +1,7 @@
+location /taler-auditor/ {
+ proxy_pass http://unix:/var/lib/taler-auditor/auditor.sock;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "example.com";
+ proxy_set_header X-Forwarded-Proto "https";
+}
\ No newline at end of file
diff --git a/debian/etc-taler-auditor/taler/conf.d/auditor-system.conf b/debian/etc-taler-auditor/taler/conf.d/auditor-system.conf
new file mode 100644
index 000000000..3d3aef33a
--- /dev/null
+++ b/debian/etc-taler-auditor/taler/conf.d/auditor-system.conf
@@ -0,0 +1,12 @@
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ auditordb-postgres ../secrets/auditor-db.secret.conf
+
+[auditor]
+# Debian package is configured to use a reverse proxy with a UNIX
+# domain socket. See nginx/apache configuration files.
+SERVE = UNIX
+UNIXPATH = /var/lib/taler-auditor/auditor.sock
+
+# Only supported database is Postgres right now.
+DATABASE = postgres
diff --git a/debian/etc-taler-auditor/taler/secrets/auditor-db.secret.conf b/debian/etc-taler-auditor/taler/secrets/auditor-db.secret.conf
new file mode 100644
index 000000000..b81bb817f
--- /dev/null
+++ b/debian/etc-taler-auditor/taler/secrets/auditor-db.secret.conf
@@ -0,0 +1,10 @@
+# Database configuration for the Taler auditor.
+
+[auditordb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///DATABASE
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
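Review bot: In auditor-system.conf the auditor's socket is pinned to `UNIXPATH = /var/lib/taler-auditor/auditor.sock`, i.e. inside a persistent data directory, while the taler.conf added in this same patch defines `TALER_RUNTIME_DIR = /run/taler` and the exchange's nginx snippet expects its socket under /run/taler/exchange/. Keeping the auditor socket under the runtime directory would make the two packages consistent, for instance `UNIXPATH = ${TALER_RUNTIME_DIR}/auditor/auditor.sock` if [paths] variables expand here as they do in other Taler configuration files; the auditor's nginx and apache snippets would then need the same path. Whichever directory is chosen, the comment "See nginx/apache configuration files" should name the path it has to match, since a mismatch there only shows up at runtime.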
diff --git a/debian/etc-taler-exchange/apache2/sites-available/taler-exchange.conf b/debian/etc-taler-exchange/apache2/sites-available/taler-exchange.conf
new file mode 100644
index 000000000..3cfbf9edb
--- /dev/null
+++ b/debian/etc-taler-exchange/apache2/sites-available/taler-exchange.conf
@@ -0,0 +1,4 @@
+
+ProxyPass "unix:/var/lib/taler-exchange/exchange.sock|http://example.com/"
+RequestHeader add "X-Forwarded-Proto" "https"
+
diff --git a/debian/etc-taler-exchange/nginx/sites-available/taler-exchange b/debian/etc-taler-exchange/nginx/sites-available/taler-exchange
new file mode 100644
index 000000000..6737d9129
--- /dev/null
+++ b/debian/etc-taler-exchange/nginx/sites-available/taler-exchange
@@ -0,0 +1,7 @@
+location /taler-exchange/ {
+ proxy_pass http://unix:/run/taler/exchange/exchange-http.sock;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "example.com";
+ proxy_set_header X-Forwarded-Proto "https";
+}
diff --git a/debian/etc-taler-exchange/taler/conf.d/exchange-business.conf b/debian/etc-taler-exchange/taler/conf.d/exchange-business.conf
new file mode 100644
index 000000000..92d968f4d
--- /dev/null
+++ b/debian/etc-taler-exchange/taler/conf.d/exchange-business.conf
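Review bot: The two exchange reverse-proxy snippets disagree on where taler-exchange-httpd listens: the apache file proxies to `unix:/var/lib/taler-exchange/exchange.sock`, the nginx file in the next hunk on this line to `unix:/run/taler/exchange/exchange-http.sock`. At most one of them can be right, and nothing in this patch pins the socket, since exchange-system.conf only sets DATABASE whereas auditor-system.conf sets SERVE and UNIXPATH, so the effective path presumably comes from defaults shipped outside this diff. I would settle on one path, use it in both snippets, and state it explicitly in exchange-system.conf the way the auditor does: `SERVE = UNIX` / `UNIXPATH = <the socket path the daemon actually uses>`.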
@@ -0,0 +1,50 @@
+# Configuration for business-level aspects of the exchange.
+
+[exchange]
+
+# Here you MUST add the master public key of the offline system
+# which you can get using `taler-exchange-offline setup`.
+# This is just an example, your key will be different!
+# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
+MASTER_PUBLIC_KEY =
+
+# Publicly visible base URL of the exchange.
+# BASE_URL = https://example.com/
+BASE_URL =
+
+# For your terms of service and privacy policy, you should specify
+# an Etag that must be updated whenever there are significant
+# changes to either document. The format is up to you, what matters
+# is that the value is updated and never re-used. See the HTTP
+# specification on Etags.
+# TERMS_ETAG =
+# PRIVACY_ETAG =
+
+
+# You must specify the various denominations to be offered by your exchange
+# in sections called "coin_".
+# What follows is an example.
+
+# [coin_FOO]
+## Actual value of the coin
+#VALUE = KUDOS:1
+
+## How long will one key be used for withdrawals?
+#DURATION_WITHDRAW = 7 days
+
+## How long do users have to spend their coins?
+#DURATION_SPEND = 2 years
+
+## How long does the exchange keep the proofs around for legal disputes?
+#DURATION_LEGAL = 6 years
+
+## Fees charged. Note that for the lowest denomination, the
+## fee must precisely be the lowest denomination, or zero.
+#FEE_WITHDRAW = KUDOS:0
+#FEE_DEPOSIT = KUDOS:0
+#FEE_REFRESH = KUDOS:0
+#FEE_REFUND = KUDOS:0
+
+## How long should the RSA keys be. Do not change unless you really know
+## what you are doing (consult your local cryptographer first!).
+#RSA_KEYSIZE = 2048
diff --git a/debian/etc-taler-exchange/taler/conf.d/exchange-system.conf b/debian/etc-taler-exchange/taler/conf.d/exchange-system.conf
new file mode 100644
index 000000000..7fb65d983
--- /dev/null
+++ b/debian/etc-taler-exchange/taler/conf.d/exchange-system.conf
@@ -0,0 +1,11 @@
+# Configuration settings for system parameters of the exchange.
+
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ exchange-account-1 ../secrets/exchange-accounts.secret.conf
+@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf
+
+[exchange]
+
+# Only supported database is Postgres right now.
+DATABASE = postgres
diff --git a/debian/etc-taler-exchange/taler/secrets/exchange-accounts.secret.conf b/debian/etc-taler-exchange/taler/secrets/exchange-accounts.secret.conf
new file mode 100644
index 000000000..7b6c649fd
--- /dev/null
+++ b/debian/etc-taler-exchange/taler/secrets/exchange-accounts.secret.conf
@@ -0,0 +1,21 @@
+# This file should contain the wire account access information which is needed
+# by the Taler exchange to talk to LibEuFin to interact with the bank.
+# The file SHOULD only be readable for the "taler-exchange-wire" user,
+# as other users/services have no business talking to the bank.
+
+
+[exchange-account-1]
+enable_credit = yes
+
+enable_debit = yes
+
+wire_gateway_auth_method = basic
+
+password =
+
+username =
+
+wire_gateway_url =
+
+payto_uri =
+
diff --git a/debian/etc-taler-exchange/taler/secrets/exchange-db.secret.conf b/debian/etc-taler-exchange/taler/secrets/exchange-db.secret.conf
new file mode 100644
index 000000000..596dcc92b
--- /dev/null
+++ b/debian/etc-taler-exchange/taler/secrets/exchange-db.secret.conf
@@ -0,0 +1,10 @@
+# Database configuration for the Taler exchange.
+
+[exchangedb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///DATABASE
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
diff --git a/debian/etc/taler/conf.d/auditor-system.conf b/debian/etc/taler/conf.d/auditor-system.conf
deleted file mode 100644
index 3d3aef33a..000000000
--- a/debian/etc/taler/conf.d/auditor-system.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# Read secret sections into configuration, but only
-# if we have permission to do so.
-@inline-secret@ auditordb-postgres ../secrets/auditor-db.secret.conf
-
-[auditor]
-# Debian package is configured to use a reverse proxy with a UNIX
-# domain socket. See nginx/apache configuration files.
-SERVE = UNIX
-UNIXPATH = /var/lib/taler-auditor/auditor.sock
-
-# Only supported database is Postgres right now.
-DATABASE = postgres
diff --git a/debian/etc/taler/conf.d/exchange-business.conf b/debian/etc/taler/conf.d/exchange-business.conf
deleted file mode 100644
index 92d968f4d..000000000
--- a/debian/etc/taler/conf.d/exchange-business.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# Configuration for business-level aspects of the exchange.
-
-[exchange]
-
-# Here you MUST add the master public key of the offline system
-# which you can get using `taler-exchange-offline setup`.
-# This is just an example, your key will be different!
-# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
-MASTER_PUBLIC_KEY =
-
-# Publicly visible base URL of the exchange.
-# BASE_URL = https://example.com/
-BASE_URL =
-
-# For your terms of service and privacy policy, you should specify
-# an Etag that must be updated whenever there are significant
-# changes to either document. The format is up to you, what matters
-# is that the value is updated and never re-used. See the HTTP
-# specification on Etags.
-# TERMS_ETAG =
-# PRIVACY_ETAG =
-
-
-# You must specify the various denominations to be offered by your exchange
-# in sections called "coin_".
-# What follows is an example.
-
-# [coin_FOO]
-## Actual value of the coin
-#VALUE = KUDOS:1
-
-## How long will one key be used for withdrawals?
-#DURATION_WITHDRAW = 7 days
-
-## How long do users have to spend their coins?
-#DURATION_SPEND = 2 years
-
-## How long does the exchange keep the proofs around for legal disputes?
-#DURATION_LEGAL = 6 years
-
-## Fees charged. Note that for the lowest denomination, the
-## fee must precisely be the lowest denomination, or zero.
-#FEE_WITHDRAW = KUDOS:0
-#FEE_DEPOSIT = KUDOS:0
-#FEE_REFRESH = KUDOS:0
-#FEE_REFUND = KUDOS:0
-
-## How long should the RSA keys be. Do not change unless you really know
-## what you are doing (consult your local cryptographer first!).
-#RSA_KEYSIZE = 2048
diff --git a/debian/etc/taler/conf.d/exchange-system.conf b/debian/etc/taler/conf.d/exchange-system.conf
deleted file mode 100644
index 7fb65d983..000000000
--- a/debian/etc/taler/conf.d/exchange-system.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# Configuration settings for system parameters of the exchange.
-
-# Read secret sections into configuration, but only
-# if we have permission to do so.
-@inline-secret@ exchange-account-1 ../secrets/exchange-accounts.secret.conf
-@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf
-
-[exchange]
-
-# Only supported database is Postgres right now.
-DATABASE = postgres
diff --git a/debian/etc/taler/secrets/auditor-db.secret.conf b/debian/etc/taler/secrets/auditor-db.secret.conf
deleted file mode 100644
index b81bb817f..000000000
--- a/debian/etc/taler/secrets/auditor-db.secret.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Database configuration for the Taler auditor.
-
-[auditordb-postgres]
-
-# Typically, there should only be a single line here, of the form:
-
-CONFIG=postgres:///DATABASE
-
-# The details of the URI depend on where the database lives and how
-# access control was configured.
diff --git a/debian/etc/taler/secrets/exchange-accounts.secret.conf b/debian/etc/taler/secrets/exchange-accounts.secret.conf
deleted file mode 100644
index 7b6c649fd..000000000
--- a/debian/etc/taler/secrets/exchange-accounts.secret.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file should contain the wire account access information which is needed
-# by the Taler exchange to talk to LibEuFin to interact with the bank.
-# The file SHOULD only be readable for the "taler-exchange-wire" user,
-# as other users/services have no business talking to the bank.
-
-
-[exchange-account-1]
-enable_credit = yes
-
-enable_debit = yes
-
-wire_gateway_auth_method = basic
-
-password =
-
-username =
-
-wire_gateway_url =
-
-payto_uri =
-
diff --git a/debian/etc/taler/secrets/exchange-db.secret.conf b/debian/etc/taler/secrets/exchange-db.secret.conf
deleted file mode 100644
index 596dcc92b..000000000
--- a/debian/etc/taler/secrets/exchange-db.secret.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Database configuration for the Taler exchange.
-
-[exchangedb-postgres]
-
-# Typically, there should only be a single line here, of the form:
-
-CONFIG=postgres:///DATABASE
-
-# The details of the URI depend on where the database lives and how
-# access control was configured.
diff --git a/debian/etc/taler/taler.conf b/debian/etc/taler/taler.conf
deleted file mode 100644
index 71663be5e..000000000
--- a/debian/etc/taler/taler.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# Main entry point for the GNU Taler configuration.
-#
-# Structure:
-# - taler.conf is the main configuration entry point
-# used by all Taler components (the file you are currently
-# looking at.
-# - overrides.conf contains configuration overrides that are
-# set by some tools that help with the configuration,
-# and should not be edited by humans. Comments in this file
-# are not preserved.
-# - conf.d/ contains configuration files for
-# Taler components, which can be read by all
-# users of the system and are included by the main
-# configuration.
-# - secrets/ contains configuration snippets
-# with secrets for particular services.
-# These files should have restrictive permissions
-# so that only users of the relevant services
-# can read it. All files in it should end with
-# ".secret.conf".
-
-[taler]
-
-# Currency of the Taler deployment. This setting applies to all Taler
-# components that only support a single currency.
-#currency = KUDOS
-
-# Smallest currency unit handled by the underlying bank system. Taler payments
-# can make payments smaller than this units, but interactions with external
-# systems is always rounded to this unit.
-#currency_round_unit = KUDOS:0.01
-
-
-[paths]
-
-TALER_HOME = /var/lib/taler
-TALER_RUNTIME_DIR = /run/taler
-TALER_CACHE_HOME = /var/cache/taler
-TALER_CONFIG_HOME = /etc/taler
-TALER_DATA_HOME = /var/lib/taler
-
-
-# Inline configurations from all Taler components.
-@inline-matching@ conf.d/*.conf
-
-# Overrides from tools that help with configuration.
-@inline@ overrides.conf
diff --git a/debian/exchange-conf/apache.conf b/debian/exchange-conf/apache.conf
deleted file mode 100644
index 3cfbf9edb..000000000
--- a/debian/exchange-conf/apache.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-ProxyPass "unix:/var/lib/taler-exchange/exchange.sock|http://example.com/"
-RequestHeader add "X-Forwarded-Proto" "https"
-
diff --git a/debian/exchange-conf/nginx.conf b/debian/exchange-conf/nginx.conf
deleted file mode 100644
index 6737d9129..000000000
--- a/debian/exchange-conf/nginx.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-location /taler-exchange/ {
- proxy_pass http://unix:/run/taler/exchange/exchange-http.sock;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Host "example.com";
- proxy_set_header X-Forwarded-Proto "https";
-}
diff --git a/debian/taler-auditor.install b/debian/taler-auditor.install
index 86bfbf8d9..0d7d941a0 100644
--- a/debian/taler-auditor.install
+++ b/debian/taler-auditor.install
@@ -15,7 +15,6 @@ usr/share/taler/config.d/auditor* usr/share/taler/sql/auditor/* # Configuration -debian/etc/taler/conf.d/auditor* etc/taler/conf.d/ -debian/etc/taler/secrets/auditor* etc/taler/secrets/ +debian/etc-taler-auditor/* etc/ usr/share/taler/exchange/auditor-report.tex.j2
diff --git a/debian/taler-exchange.install b/debian/taler-exchange.install
index f43ba2118..9e404ff29 100644
--- a/debian/taler-exchange.install
+++ b/debian/taler-exchange.install
@@ -22,8 +22,7 @@ usr/share/info/taler-exchange* usr/share/taler/config.d/* # configuration files in /etc/taler -debian/etc/taler/conf.d/exchange* etc/taler/conf.d/ -debian/etc/taler/secrets/exchange* etc/taler/secrets/ +debian/etc-taler-exchange etc/ usr/share/taler/exchange/pp/*/* usr/share/taler/exchange/tos/*/*
-- cgit v1.2.3
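Review bot: `debian/etc-taler-auditor/* etc/` now ships etc/taler/secrets/auditor-db.secret.conf through dh_install, and the taler-exchange.install hunk on this line does the same for exchange-accounts.secret.conf, which carries a `password =` field; dh_install followed by dh_fixperms leaves such conffiles world-readable (0644) unless something else changes the mode. The secret files' own headers say they must only be readable by the service user, yet no maintainer script in this patch tightens etc/taler/secrets/, so once an administrator fills in the database URI or wire-gateway credentials, any local account can read them unless a postinst outside this diff already handles it. I would have postinst set owner, group and mode on the secrets directory and its files (or register them via dpkg-statoverride) and note that contract in the files' header comments, e.g. `# Permissions on this file are managed by the package's postinst; do not relax them.`.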
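Review bot: `+debian/etc-taler-exchange etc/` lacks the `/*` that the parallel auditor line uses (`+debian/etc-taler-auditor/* etc/`); dh_install copies a directory source into the destination under its own name, so the exchange configuration would land in /etc/etc-taler-exchange/taler/... instead of /etc/taler/, and the apache2 and nginx snippets would likewise miss their sites-available directories. The line should read `debian/etc-taler-exchange/* etc/`. A quick `dh_install` dry run or a `debc` listing of the built package would confirm the installed paths.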