From 90d4bc9519507c64ad5c0a604140fcf00a9702ee Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Fri, 1 Jan 2021 20:43:59 +0100
Subject: work on Debian package: extend pre-configuration, add reverse proxy setup logic, add database setup logic (untested)
---
 debian/conf/apache.conf | 4 ++
 debian/conf/nginx.conf | 7 ++++
 debian/control | 1 +
 debian/db/install/pgsql | 2 +
 debian/db/upgrade/pgsql | 2 +
 debian/etc/taler-exchange-db.conf | 3 ++
 debian/etc/taler-exchange.conf | 12 ++++++
 debian/etc/taler-wire.conf | 1 +
 debian/etc/taler.conf | 5 ---
 debian/taler-exchange.config | 7 +++-
 debian/taler-exchange.install | 5 ++-
 debian/taler-exchange.postinst | 86 +++++++++++++++++++++++++++++++--------
 debian/taler-exchange.postrm | 41 +++++++++++++++++--
 debian/taler-exchange.prerm | 17 ++++++++
 debian/taler-exchange.templates | 19 +++++----
 15 files changed, 177 insertions(+), 35 deletions(-)
 create mode 100644 debian/conf/apache.conf
 create mode 100644 debian/conf/nginx.conf
 create mode 100644 debian/db/install/pgsql
 create mode 100644 debian/db/upgrade/pgsql
 create mode 100644 debian/etc/taler-exchange-db.conf
 create mode 100644 debian/etc/taler-exchange.conf
 create mode 100644 debian/etc/taler-wire.conf
 delete mode 100644 debian/etc/taler.conf
 create mode 100644 debian/taler-exchange.prerm
(limited to 'debian')
diff --git a/debian/conf/apache.conf b/debian/conf/apache.conf
new file mode 100644
index 000000000..3cfbf9edb
--- /dev/null
+++ b/debian/conf/apache.conf
@@ -0,0 +1,4 @@
+
+ProxyPass "unix:/var/lib/taler-exchange/exchange.sock|http://example.com/"
+RequestHeader add "X-Forwarded-Proto" "https"
+
diff --git a/debian/conf/nginx.conf b/debian/conf/nginx.conf
new file mode 100644
index 000000000..2921c9998
--- /dev/null
+++ b/debian/conf/nginx.conf
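Review bot: The `ProxyPass` directive on the second added line carries no path argument, which is required outside a `<Location>` block, so this file as dropped into conf-available does not map any URL onto the socket; the nginx counterpart uses `/taler-exchange/`, so `ProxyPass "/taler-exchange/" "unix:/var/lib/taler-exchange/exchange.sock|http://example.com/"` would keep the two in step. Both `example.com` and the unconditional `X-Forwarded-Proto: https` are site-specific placeholders the admin has to edit, and nothing in the file says so; a leading comment such as `# Template: replace example.com with the exchange's public hostname, then enable with a2enconf taler-exchange` would make the intent clear.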
@@ -0,0 +1,7 @@
+location /taler-exchange/ {
+ proxy_pass http://unix:/var/lib/taler-exchange/exchange.sock;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "example.com";
+ proxy_set_header X-Forwarded-Proto "https";
+}
\ No newline at end of file
diff --git a/debian/control b/debian/control
index d50478556..873bed6a9 100644
--- a/debian/control
+++ b/debian/control
@@ -54,6 +54,7 @@ Depends:
 adduser,
 lsb-base,
 netbase,
+ dbconfig-pgsql | dbconfig-no-thanks,
 python3-jinja2,
 ${misc:Depends},
 ${shlibs:Depends}
diff --git a/debian/db/install/pgsql b/debian/db/install/pgsql
new file mode 100644
index 000000000..0740e0d1d
--- /dev/null
+++ b/debian/db/install/pgsql
@@ -0,0 +1,2 @@
+#!/bin/sh
+taler-exchange-dbinit -c /etc/taler.conf
diff --git a/debian/db/upgrade/pgsql b/debian/db/upgrade/pgsql
new file mode 100644
index 000000000..0740e0d1d
--- /dev/null
+++ b/debian/db/upgrade/pgsql
@@ -0,0 +1,2 @@
+#!/bin/sh
+taler-exchange-dbinit -c /etc/taler.conf
diff --git a/debian/etc/taler-exchange-db.conf b/debian/etc/taler-exchange-db.conf
new file mode 100644
index 000000000..b894671d5
--- /dev/null
+++ b/debian/etc/taler-exchange-db.conf
@@ -0,0 +1,3 @@
+[taler-exchangdb-postgres]
+
+CONFIG = postgres:///taler-exchange
diff --git a/debian/etc/taler-exchange.conf b/debian/etc/taler-exchange.conf
new file mode 100644
index 000000000..4a8069598
--- /dev/null
+++ b/debian/etc/taler-exchange.conf
@@ -0,0 +1,12 @@
+@INLINE@ /etc/taler-exchange-db.conf
+
+[PATHS]
+
+# Move runtime data "tmp" directory to /var/lib/taler-exchange/
+# to possibly provide additional protection from unwarranted access.
+TALER_RUNTIME_DIR = /var/lib/taler-exchange/tmp/
+
+[exchange]
+SERVE = UNIX
+UNIXPATH = /var/lib/taler-exchange/exchange.sock
+DATABASE = postgres
diff --git a/debian/etc/taler-wire.conf b/debian/etc/taler-wire.conf
new file mode 100644
index 000000000..f30fe0778
--- /dev/null
+++ b/debian/etc/taler-wire.conf
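Review bot: A bare `location` block is only valid inside a `server {}` context, yet the postinst copies this file verbatim into `/etc/nginx/conf-available/`, a directory the stock Debian nginx.conf does not include, so as shipped it is never picked up and would fail if included at http level; the file should open with a `#` comment stating that it must be included from the intended `server` block. `X-Forwarded-Host "example.com"` is a placeholder that has to be replaced with the real public hostname, which the same comment should spell out. The missing trailing newline is worth fixing while here.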
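Review bot: `taler-exchange-dbinit -c /etc/taler.conf` points at a file this same commit deletes (`debian/etc/taler.conf`) and replaces with `/etc/taler-exchange.conf`, so the dbconfig-common install script, and the identical upgrade script in the next hunk, would run dbinit against a configuration that the package no longer ships. If `/etc/taler.conf` is expected to come from another package, a comment should say so; otherwise the line should read `taler-exchange-dbinit -c /etc/taler-exchange.conf`. dbconfig-common also hands these scripts the database name and user it was configured with as `dbc_*` variables, which the script ignores in favor of the fixed `postgres:///taler-exchange` from taler-exchange-db.conf — if I read the flow correctly, a non-default answer at the debconf prompt is silently lost.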
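Review bot: The section header `[taler-exchangdb-postgres]` looks misspelled (`exchangdb`); as far as I recall the exchange's postgres backend reads its `CONFIG` option from the `[exchangedb-postgres]` section, in which case the value shipped here is never read and the plugin falls back to its default connection string. Please verify the section name against the exchange's own sample configuration before relying on this file.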
@@ -0,0 +1 @@
+@INLINE@ /etc/taler-exchange-db.conf
diff --git a/debian/etc/taler.conf b/debian/etc/taler.conf
deleted file mode 100644
index 4d721e02c..000000000
--- a/debian/etc/taler.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[PATHS]
-
-# Move runtime data "tmp" directory to /var/lib/taler-exchange/
-# to possibly provide additional protection from unwarranted access.
-TALER_RUNTIME_DIR = /var/lib/taler-exchange/tmp/
diff --git a/debian/taler-exchange.config b/debian/taler-exchange.config
index 9cb12cd78..1afcf3587 100644
--- a/debian/taler-exchange.config
+++ b/debian/taler-exchange.config
@@ -22,7 +22,10 @@ db_go
 db_input low taler-exchange/groupname || true
 db_go
-db_input medium taler-exchange/autostart || true
-db_go
+if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
+ . /usr/share/dbconfig-common/dpkg/config.pgsql
+ dbc_go taler-exchange "$@"
+fi
+
 db_stop
diff --git a/debian/taler-exchange.install b/debian/taler-exchange.install
index d3ceccc14..a6486f384 100644
--- a/debian/taler-exchange.install
+++ b/debian/taler-exchange.install
@@ -1,3 +1,6 @@
-etc/taler.conf
 usr/bin/
 usr/lib/*/taler/*.so
+debian/etc/* etc/
+debian/db/install/* usr/share/dbconfig-common/scripts/taler-exchange/install/
+debian/db/upgrade/* usr/share/dbconfig-common/scripts/taler-exchange/upgrade/
+debian/conf/* etc/taler-exchange/
\ No newline at end of file
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
index cfaf04a45..8256e886a 100644
--- a/debian/taler-exchange.postinst
+++ b/debian/taler-exchange.postinst
@@ -2,6 +2,27 @@
 set -e
+
+apache_install() {
+ mkdir -p /etc/apache2/conf-available
+ if [ ! -f /etc/apache2/conf-available/taler-exchange.conf ];
+ then
+ cp /etc/taler-exchange/apache.conf /etc/apache2/conf-available/taler-exchange.conf
+ fi
+ a2enmod proxy
+ a2enmod proxy_http
+ a2enmod headers
+}
+
+
+nginx_install() {
+ mkdir -p /etc/nginx/conf-available
+ if [ ! -f /etc/apache2/conf-available/taler-exchange.conf ];
+ then
+ cp /etc/taler-exchange/nginx.conf /etc/nginx/conf-available/taler-exchange.conf
+ fi
+}
+
 . /usr/share/debconf/confmodule
 case "${1}" in
@@ -26,16 +47,13 @@ case "${1}" in
 db_get taler-exchange/groupname
 _GROUPNAME="${RET:-taler-private}"
- db_get taler-exchange/autostart
- _AUTOSTART="${RET}" # boolean
+ db_get taler-exchange/dbgroupname
+ _DBGROUPNAME="${RET:-taler-exchange-db}"
 db_stop
- CONFIG_FILE="/etc/default/taler"
-
- # Read default values
+ CONFIG_FILE="/etc/default/taler-exchange"
 TALER_HOME="/var/lib/taler-exchange"
- eval $(grep TALER_HOME /etc/taler.conf | tr -d '[:blank:]')
 # Creating taler group if needed
 if ! getent group ${_GROUPNAME} > /dev/null
@@ -50,6 +68,7 @@ case "${1}" in
 then
 echo -n "Creating new Taler user ${_EUSERNAME}:"
 adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/httpd ${_EUSERNAME}
+ adduser ${_EUSERNAME} ${_DBGROUPNAME}
 echo " done."
 fi
 if ! getent passwd ${_RSECUSERNAME} > /dev/null
@@ -68,12 +87,14 @@ case "${1}" in
 then
 echo -n "Creating new Taler user ${_WIREUSERNAME}:"
 adduser --quiet --system --home ${TALER_HOME}/wire ${_WIREUSERNAME}
+ adduser ${_WIREUSERNAME} ${_DBGROUPNAME}
 echo " done."
 fi
 if ! getent passwd ${_AGGRUSERNAME} > /dev/null
 then
 echo -n "Creating new Taler user ${_AGGRUSERNAME}:"
 adduser --quiet --system --home ${TALER_HOME}/aggregator ${_AGGRUSERNAME}
+ adduser ${_AGGRUSERNAME} ${_DBGROUPNAME}
 echo " done."
 fi
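Review bot: `nginx_install` tests `/etc/apache2/conf-available/taler-exchange.conf` before copying the nginx template, a copy-paste slip: when the apache file exists the nginx copy is skipped, and when it does not the nginx file is re-copied on every postinst run, so the guard protects nothing; the check should be `if [ ! -f /etc/nginx/conf-available/taler-exchange.conf ];`. In `apache_install` the three modules are enabled but the freshly copied configuration is never activated — either add `a2enconf taler-exchange` after the `a2enmod` lines or state in a comment that the admin must enable it. Neither function is called anywhere in the visible hunks; if that is deliberate for this untested stage, a `# TODO: wire up from the configure arm once reconfigure-webserver is asked` comment at the top of the functions would make it clear.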
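Review bot: `adduser ${_EUSERNAME} ${_DBGROUPNAME}` assumes the group chosen via `taler-exchange/dbgroupname` already exists, but nothing in the visible hunks creates it — only `${_GROUPNAME}` gets a `getent group` check in the previous hunk — and under `set -e` a failing adduser aborts the whole postinst; the two calls in the next hunk for `${_WIREUSERNAME}` and `${_AGGRUSERNAME}` have the same problem. Unless the group is created outside the hunk, add a matching guard before the first use, e.g. `getent group "${_DBGROUPNAME}" >/dev/null || addgroup --quiet --system "${_DBGROUPNAME}"`. The enclosing `case` arm begins and ends outside this hunk.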
@@ -92,7 +113,6 @@ TALER_ESECUSER=${_ESECUSERNAME} TALER_WIREUSER=${_WIREUSERNAME} TALER_AGGRUSER=${_AGGRUSERNAME} TALER_GROUP=${_GROUPNAME} -TALER_AUTOSTART="${_AUTOSTART}" EOF cat > "/etc/systemd/system/taler-exchange-httpd.service" < "/etc/systemd/system/taler-exchange-helper-rsa.service" < "/etc/systemd/system/taler-exchange-helper-eddsa.service" < "/etc/systemd/system/taler-exchange-wirewatch.service" < "/etc/systemd/system/taler-exchange-aggregator.service" </dev/null 2>&1 ]; + then + rm -f /etc/apache2/conf-available/taler-exchange.conf + fi +} + +nginx_remove() { + if [ diff /etc/taler-exchange/nginx.conf /etc/nginx/conf-available/taler-exchange.conf >/dev/null 2>&1 ]; + then + rm -f /etc/nginx/conf-available/taler-exchange.conf + fi +} + +if [ -f /usr/share/dbconfig-common/dpkg/postrm.pgsql ]; then + . /usr/share/dbconfig-common/dpkg/postrm.pgsql + dbc_go taler-exchange "$@" +fi + + +if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then + if [ -f /usr/share/debconf/confmodule ]; then + db_version 2.0 + db_get taler-exchange/reconfigure-webserver + webservers="$RET" + for webserver in $webservers; do + webserver=${webserver%,} + if [ "$webserver" = "nginx" ] ; then + nginx_remove + else + apache_remove + fi + done + fi +fi + + case "${1}" in purge) if [ -e /usr/share/debconf/confmodule ] @@ -48,8 +85,6 @@ case "${1}" in _GROUPNAME="taler-private" fi - TALERDNS_GROUP="talerdns" - if pathfind deluser then deluser --quiet --system ${_EUSERNAME} || true @@ -64,7 +99,7 @@ case "${1}" in delgroup --quiet --system --only-if-empty ${_GROUPNAME} || true fi - rm -rf /var/log/taler/ /var/lib/taler /etc/default/taler + rm -rf /var/log/taler-exchange/ /var/lib/taler-exchange /etc/default/taler-exchange ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) diff --git a/debian/taler-exchange.prerm b/debian/taler-exchange.prerm new file mode 100644 index 000000000..88a747cb7 --- /dev/null +++ b/debian/taler-exchange.prerm 
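Review bot: `if [ diff /etc/taler-exchange/nginx.conf /etc/nginx/conf-available/taler-exchange.conf >/dev/null 2>&1 ]` in `nginx_remove` never runs `diff`: inside `[ ... ]` the word `diff` and the two paths are plain test operands, so the test is malformed, evaluates false, and the copied configuration is never removed; `apache_remove` appears to have the same shape, though its text is partly garbled in this rendering. It should read `if diff /etc/taler-exchange/nginx.conf /etc/nginx/conf-available/taler-exchange.conf >/dev/null 2>&1; then`. The new `remove|purge` block calls `db_version` and `db_get` after only testing that confmodule exists, without sourcing it, so unless it is sourced above the hunk those commands are undefined under `set -e`. The key `taler-exchange/reconfigure-webserver` read here is also not added in the templates hunk nor asked in the config script, so `db_get` has nothing to return.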
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+
+if [ -f /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+fi
+. /usr/share/dbconfig-common/dpkg/prerm
+
+if [ -f /usr/share/dbconfig-common/dpkg/prerm.pgsql ]; then
+ . /usr/share/dbconfig-common/dpkg/prerm.pgsql
+ dbc_go taler-exchange "$@"
+fi
+
+db_stop
+exit 0
\ No newline at end of file
diff --git a/debian/taler-exchange.templates b/debian/taler-exchange.templates
index 8cc9d1d4a..43c3524e4 100644
--- a/debian/taler-exchange.templates
+++ b/debian/taler-exchange.templates
@@ -46,7 +46,7 @@ _Description: Taler user:
 Template: taler-exchange/groupname
 Type: string
-Default: taler
+Default: taler-private
 _Description: Taler group:
 Please choose the group that the Taler exchange and security modules will run as.
@@ -55,10 +55,13 @@ _Description: Taler group:
 Only the members of this group will have access to Taler private online signing keys.
-Template: taler-exchange/autostart
-Type: boolean
-Default: true
-_Description: Should the Taler exchange be launched on boot?
- If you choose this option, a Taler exchange will be launched each time
- the system is started. Otherwise, you will need to launch
- Taler each time you want to use it.
+
+Template: taler-exchange/dbgroupname
+Type: string
+Default: taler-exchange-db
+_Description: Taler group:
+ Please choose the group that the Taler users with database access
+ should be in.
+ .
+ This should be a dedicated group, not one that already owns data.
+ Only the members of this group will have access to Taler database.
-- cgit v1.2.3
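Review bot: `. /usr/share/dbconfig-common/dpkg/prerm` is sourced unconditionally while the `.pgsql` variant two lines below is guarded by `[ -f ... ]`, and the trailing `db_stop` runs even when `/usr/share/debconf/confmodule` was absent and therefore never sourced; under `set -e` either case aborts the prerm and blocks removal of the package. Guard the first with the same `[ -f /usr/share/dbconfig-common/dpkg/prerm ]` test and wrap the last as `if [ -f /usr/share/debconf/confmodule ]; then db_stop; fi`, or drop `db_stop` if dbconfig's prerm already closes the dialog (I believe it does, but have not verified). The file also lacks a trailing newline.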
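Review bot: The new `taler-exchange/dbgroupname` template reuses the short description `_Description: Taler group:` already used by `taler-exchange/groupname` in the previous hunk, so the two prompts are indistinguishable in the debconf UI; `_Description: Taler database group:` would disambiguate them. In the long description, `Only the members of this group will have access to Taler database.` reads better as `Only the members of this group will have access to the Taler database.`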