From bfbbb5f8182fa668a992fadd504e43daa31962a4 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Fri, 1 Jan 2021 20:43:30 +0100
Subject: improving Debian package (untested)
---
 debian/conf/apache.conf | 8 ++
 debian/conf/nginx.conf | 19 +++++
 debian/control | 3 +
 debian/db/install/pgsql | 2 +
 debian/db/upgrade/pgsql | 2 +
 debian/etc/taler-merchant.conf | 8 ++
 debian/taler-merchant.README.Debian | 15 +++-
 debian/taler-merchant.config | 7 +-
 debian/taler-merchant.install | 4 +
 debian/taler-merchant.postinst | 152 +++++++++++++++++++++++++++++++++++-
 debian/taler-merchant.postrm | 62 ++++++++++++++-
 debian/taler-merchant.prerm | 18 +++++
 debian/taler-merchant.templates | 28 ++++++-
 13 files changed, 316 insertions(+), 12 deletions(-)
 create mode 100644 debian/conf/apache.conf
 create mode 100644 debian/conf/nginx.conf
 create mode 100644 debian/db/install/pgsql
 create mode 100644 debian/db/upgrade/pgsql
 create mode 100644 debian/etc/taler-merchant.conf
 create mode 100644 debian/taler-merchant.prerm
(limited to 'debian')
diff --git a/debian/conf/apache.conf b/debian/conf/apache.conf
new file mode 100644
index 00000000..e25d54c7
--- /dev/null
+++ b/debian/conf/apache.conf
@@ -0,0 +1,8 @@
+
+RewriteEngine On
+RewriteCond "%{HTTP:AUTHORIZATION}" "!= %SECURITYTOKEN%"
+RewriteRule "(.+)/private/" "-" [F]
+
+ProxyPass "unix:/var/lib/taler-merchant/merchant.sock|http://example.com/"
+RequestHeader add "X-Forwarded-Proto" "https"
+
diff --git a/debian/conf/nginx.conf b/debian/conf/nginx.conf
new file mode 100644
index 00000000..a57a2e19
--- /dev/null
+++ b/debian/conf/nginx.conf
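Review bot: The `RewriteCond` compares the whole `Authorization` header against `= %SECURITYTOKEN%`, and Apache's `=` comparison is lexical against everything that follows the operator, so the space after `!=` becomes part of the expected value and the header can practically never match, which makes the `[F]` rule fire for every `/private/` request; the Nginx file in this same commit expects `ApiKey %SECURITYTOKEN%` instead, so the two front ends also disagree on the header format the README documents. The `ProxyPass` line has no path argument, so once this snippet is enabled from `conf-available` every request on every virtual host is forwarded to the merchant socket, not only `/taler-merchant/` as the README and the Nginx snippet state. I would align both with the Nginx variant: `RewriteCond "%{HTTP:AUTHORIZATION}" "!=ApiKey %SECURITYTOKEN%"` and `ProxyPass "/taler-merchant/" "unix:/var/lib/taler-merchant/merchant.sock|http://example.com/"`. Since the postinst substitutes the placeholder with `sed -e "s/%SECURITYTOKEN%/$1/"`, a comment here should state that the token must contain neither `/` nor `&`, which the postinst's `tr -dc 'a-zA-Z0-9'` currently guarantees.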
@@ -0,0 +1,19 @@
+location ~ /taler-merchant/private/ {
+ if ($http_authorization !~ "(?i)ApiKey %SECURITYTOKEN%") {
+ return 401;
+ }
+ proxy_pass http://unix:/var/lib/taler-merchant/merchant.sock;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "example.com";
+ proxy_set_header X-Forwarded-Proto "https";
+}
+
+location /taler-merchant/ {
+ proxy_pass http://unix:/var/lib/taler-merchant/merchant.sock;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "example.com";
+ proxy_set_header X-Forwarded-Proto "https";
+
+}
\ No newline at end of file
diff --git a/debian/control b/debian/control
index 4e5c0335..2086184c 100644
--- a/debian/control
+++ b/debian/control
@@ -42,6 +42,9 @@ Depends: adduser,
 lsb-base,
 netbase,
+ apache2 | nginx | httpd,
+ postgresql,
+ dbconfig-pgsql | dbconfig-no-thanks,
 ${misc:Depends},
 ${shlibs:Depends}
 Description: GNU's payment system merchant backend.
diff --git a/debian/db/install/pgsql b/debian/db/install/pgsql
new file mode 100644
index 00000000..f15429b0
--- /dev/null
+++ b/debian/db/install/pgsql
@@ -0,0 +1,2 @@
+#!/bin/sh
+taler-merchant-dbinit -c /etc/taler-merchant.conf
diff --git a/debian/db/upgrade/pgsql b/debian/db/upgrade/pgsql
new file mode 100644
index 00000000..f15429b0
--- /dev/null
+++ b/debian/db/upgrade/pgsql
@@ -0,0 +1,2 @@
+#!/bin/sh
+taler-merchant-dbinit -c /etc/taler-merchant.conf
diff --git a/debian/etc/taler-merchant.conf b/debian/etc/taler-merchant.conf
new file mode 100644
index 00000000..ef4c1f52
--- /dev/null
+++ b/debian/etc/taler-merchant.conf
@@ -0,0 +1,8 @@
+[taler]
+# Note: change this to the currency you will use!
+CURRENCY = KUDOS
+
+[merchant]
+SERVE = UNIX
+UNIXPATH = /var/lib/taler-merchant/merchant.sock
+DATABASE = postgres
diff --git a/debian/taler-merchant.README.Debian b/debian/taler-merchant.README.Debian
index 3098670c..4020d42b 100644
--- a/debian/taler-merchant.README.Debian
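Review bot: `location ~ /taler-merchant/private/` is an unanchored regex that only guards that one prefix, whereas the Apache rule in this commit blocks any path containing `/private/`; if the backend exposes further privileged paths below `/taler-merchant/` (per-instance ones, for example), they fall through to the unauthenticated `location /taler-merchant/` block. The header check is likewise unanchored, and `(?i)` makes the token itself case-insensitive, which shrinks the effective key space of the mixed-case token the postinst generates. I would write `location ~ ^/taler-merchant/(.*/)?private/ {` and `if ($http_authorization !~ "^(?i:ApiKey) %SECURITYTOKEN%$") {`. `X-Forwarded-Host "example.com"` is a placeholder that the visible `sed` in the postinst never replaces (it only substitutes `%SECURITYTOKEN%`), so either substitute it at install time or use `$host` as the `Host` line already does.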
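Review bot: `DATABASE = postgres` selects the backend, but nothing in this file carries the connection parameters that the dbconfig-common hooks added in the sibling hunks collect, and both `db/install/pgsql` and `db/upgrade/pgsql` run `taler-merchant-dbinit -c /etc/taler-merchant.conf` against exactly this file — as far as the diff shows, dbinit will therefore use the merchant's built-in defaults rather than the database dbconfig-common created, so the generated credentials need to be written into the section the backend reads (presumably a `[merchantdb-postgres]` `CONFIG` entry; confirm against the backend's option names). `CURRENCY = KUDOS` is the test currency and a value that ships by default is easy to deploy unchanged; consider leaving it unset so a misconfigured deployment fails at start-up instead of accepting test money. The socket path sits in `/var/lib/taler-merchant/`, the parent of the service user's home as created by the postinst, which the service user must be able to write and the web server's group must be able to traverse; that is why the group default is `www-data`, and a comment here stating both requirements would save the first deployer a debugging session.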
+++ b/debian/taler-merchant.README.Debian
@@ -1,6 +1,19 @@
 taler-merchant
 --------------
-TBD.
+This package is a backend to be used by merchants that
+want to accept GNU Taler payments.
+
+This package is integrated with Apache or Nginx, automatically
+deploying a configuration for the backend to the respective
+Web server at the "/taler-merchant/" endpoint.
+
+To access the priviledged parts of the Taler backend, you need to provide the
+API KEY in an HTTP "Authorization" header. This Debian package creates a
+random API KEY and stores it in plaintext in
+"/var/lib/taler-merchant/master-api-key.txt." You can change the key by
+editing the respective Web server's configuration. The "master-api-key.txt"
+file is not actually required and provided for convenience.
+
 -- Christian Grothoff Fri 01 Jan 2021 11:37:14 AM CET
diff --git a/debian/taler-merchant.config b/debian/taler-merchant.config
index 16ea1fee..3115a407 100644
--- a/debian/taler-merchant.config
+++ b/debian/taler-merchant.config
@@ -4,7 +4,10 @@ set -e
 . /usr/share/debconf/confmodule
-db_input medium taler-exchange/autostart || true
-db_go
+if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
+ . /usr/share/dbconfig-common/dpkg/config.pgsql
+ dbc_go taler-merchant "$@"
+fi
+
 db_stop
diff --git a/debian/taler-merchant.install b/debian/taler-merchant.install
index 4a24865a..162c7304 100644
--- a/debian/taler-merchant.install
+++ b/debian/taler-merchant.install
@@ -1,2 +1,6 @@
 usr/bin/
 usr/lib/*/taler/*.so
+debian/conf/* etc/taler-merchant/
+debian/etc/taler-merchant.conf /etc/taler-merchant.conf
+debian/db/install/* usr/share/dbconfig-common/scripts/taler-merchant/install/
+debian/db/upgrade/* usr/share/dbconfig-common/scripts/taler-merchant/upgrade/
diff --git a/debian/taler-merchant.postinst b/debian/taler-merchant.postinst
index 5cc1a6ad..baa291f6 100644
--- a/debian/taler-merchant.postinst
+++ b/debian/taler-merchant.postinst
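Review bot: The new debconf questions (`taler-merchant/reconfigure-webserver`, `taler-merchant/username`, `taler-merchant/groupname`) are never asked: this hunk drops the old `db_input`/`db_go` pair and adds only the dbconfig-common hook, so the postinst's `db_get taler-merchant/reconfigure-webserver` sees an empty multiselect unless the value is preseeded and no web server gets configured at all, while `username`/`groupname` silently take their defaults. The questions belong before `db_stop`; the dbconfig block can stay as written. Keep `|| true` on the `db_input` calls so a preseeded or non-interactive install does not abort under `set -e`.
```sh
db_input medium taler-merchant/reconfigure-webserver || true
db_input low taler-merchant/username || true
db_input low taler-merchant/groupname || true
db_go

# … unchanged: dbconfig-common config.pgsql hook …
db_stop
```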
@@ -2,15 +2,163 @@ set -e
+# Set permissions for sqlite3 file
+# (for when we support sqlite3 in the future)
+dbc_dbfile_owner="${_USERNAME}:${_GROUPNAME}"
+dbc_dbfile_perms="0600"
+
+
+# 1st argument will be the SECURITYTOKEN to use.
+apache_install() {
+ mkdir -p /etc/apache2/conf-available
+ if [ ! -f /etc/apache2/conf-available/taler-merchant.conf ];
+ then
+ cat /etc/taler-merchant/apache.conf | sed -e "s/%SECURITYTOKEN%/$1/" > /etc/apache2/conf-available/taler-merchant.conf
+ fi
+ # TODO: might want to remember if *we* enabled those, and disable in postrm
+ a2enmod proxy
+ a2enmod proxy_http
+ a2enmod headers
+ a2enmod rewrite
+}
+
+# 1st argument will be the SECURITYTOKEN to use.
+nginx_install() {
+ mkdir -p /etc/nginx/conf-available
+ if [ ! -f /etc/apache2/conf-available/taler-merchant.conf ];
+ then
+ cat /etc/taler-merchant/nginx.conf | sed -e "s/%SECURITYTOKEN%/$1/" > /etc/nginx/conf-available/taler-merchant.conf
+ fi
+}
+
 . /usr/share/debconf/confmodule
+
 case "${1}" in
 configure)
 db_version 2.0
- db_get taler-merchant/autostart
- _AUTOSTART="${RET}" # boolean
+ db_get taler-merchant/username
+ _USERNAME="${RET:-taler-merchant-httpd}"
+
+ db_get taler-merchant/groupname
+ _GROUPNAME="${RET:-www-data}"
+
+ # Read default values
+ TALER_HOME="/var/lib/taler-merchant"
+
+ # Creating taler group if needed
+ if ! getent group ${_GROUPNAME} > /dev/null
+ then
+ echo -n "Creating new Taler group ${_GROUPNAME}:"
+ addgroup --quiet --system ${_GROUPNAME}
+ echo " done."
+ fi
+ # Creating taler users if needed
+ if ! getent passwd ${_USERNAME} > /dev/null
+ then
+ echo -n "Creating new Taler user ${_USERNAME}:"
+ adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/httpd ${_USERNAME}
+ echo " done."
+ fi + + # Create access secret + SECRET=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1` + echo SECRET > ${TALER_HOME}/master-api-key.txt + chown ${_USERNAME}:${_GROUPNAME} ${TALER_HOME}/master-api-key.txt + chmod 440 ${TALER_HOME}/master-api-key.txt + + # Writing new values to configuration file + echo -n "Writing new configuration file:" + CONFIG_NEW=$(tempfile) + +cat > "${CONFIG_NEW}" < "/etc/systemd/system/taler-merchant-httpd.service" < /dev/null ; then + if invoke-rc.d $webserver status > /dev/null 2>&1 ; then + invoke-rc.d $webserver reload 3>/dev/null || true + fi + else + if /etc/init.d/$webserver status > /dev/null 2>&1 ; then + /etc/init.d/$webserver reload 3>/dev/null || true + fi + fi + fi + done db_stop # Cleaning diff --git a/debian/taler-merchant.postrm b/debian/taler-merchant.postrm index 2564dff2..2cf6a941 100644 --- a/debian/taler-merchant.postrm +++ b/debian/taler-merchant.postrm 
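Review bot: `echo SECRET > ${TALER_HOME}/master-api-key.txt` writes the literal word SECRET, not `$SECRET`, so the key file the README points administrators at never contains the token that `apache_install`/`nginx_install` substitute into the web server configuration. The secret is also regenerated on every `configure` run while the web server snippet is only written when absent, so after the first upgrade the key file and the enforced token diverge; generate it once, read it back otherwise, and create the file under a restrictive umask so it is never world-readable between the `echo` and the `chmod 440`. Further, `nginx_install` tests for the Apache path (`/etc/apache2/conf-available/taler-merchant.conf`) before writing the Nginx file, so a host with the Apache snippet never gets the Nginx one, and `dbc_dbfile_owner` is assigned from `_USERNAME`/`_GROUPNAME` at the top of the script before those variables are set, so it expands to `:`. The rest of the `configure)` branch, including the heredocs and the calls that pass the token to the install functions, is truncated in this rendering and could not be checked.
```sh
    # Create the access secret only once; on upgrades reuse it so the key
    # file keeps matching the token already written into the web server
    # snippet.  The umask keeps the file from ever being world-readable.
    if [ ! -f ${TALER_HOME}/master-api-key.txt ]
    then
        SECRET=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)
        (umask 077; echo "$SECRET" > ${TALER_HOME}/master-api-key.txt)
    else
        SECRET=$(cat ${TALER_HOME}/master-api-key.txt)
    fi
    chown ${_USERNAME}:${_GROUPNAME} ${TALER_HOME}/master-api-key.txt
    chmod 440 ${TALER_HOME}/master-api-key.txt

# … unchanged: configuration and unit file generation …

nginx_install() {
    mkdir -p /etc/nginx/conf-available
    if [ ! -f /etc/nginx/conf-available/taler-merchant.conf ]
    then
    # … unchanged: sed substitution into the nginx snippet …
```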
@@ -15,18 +15,74 @@ pathfind() {
 return 1
 }
+apache_remove() {
+ if [ diff /etc/taler-merchant/apache.conf /etc/apache2/conf-available/taler-merchant.conf >/dev/null 2>&1 ];
+ then
+ rm -f /etc/apache2/conf-available/taler-merchant.conf
+ fi
+}
+
+nginx_remove() {
+ if [ diff /etc/taler-exchange/nginx.conf /etc/apache2/conf-available/taler-exchange.conf >/dev/null 2>&1 ];
+ then
+ rm -f /etc/nginx/conf-available/taler-merchant.conf
+ fi
+}
+
+if [ -f /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+fi
+
+if [ -f /usr/share/dbconfig-common/dpkg/postrm.pgsql ]; then
+ . /usr/share/dbconfig-common/dpkg/postrm.pgsql
+ dbc_go taler-merchant "$@"
+fi
+
+
+if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then
+ if [ -f /usr/share/debconf/confmodule ]; then
+ db_version 2.0
+ db_get taler-merchant/reconfigure-webserver
+ webservers="$RET"
+ for webserver in $webservers; do
+ webserver=${webserver%,}
+ if [ "$webserver" = "nginx" ] ; then
+ nginx_remove
+ else
+ apache_remove
+ fi
+ done
+ fi
+fi
+
+
 case "${1}" in
 purge)
- if [ -e /usr/share/debconf/confmodule ]
+ if [ -e /usr/share/debconf/confmodule ]
 then
 . /usr/share/debconf/confmodule
 db_version 2.0
+
+ db_get taler-merchant/username
+ _USERNAME="${RET:-taler-merchant-httpd}"
+
+ db_get taler-merchant/groupname
+ _GROUPNAME="${RET:-taler-merchant-httpd}"
 else
+ _USERNAME="taler-merchant-httpd"
+ _GROUPNAME="taler-merchant-httpd"
 fi
- ;;
- remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ if pathfind deluser
+ then
+ deluser --quiet --system ${_USERNAME} || true
+ fi
+ if pathfind delgroup
+ then
+ delgroup --quiet --system --only-if-empty ${_GROUPNAME} || true
+ fi
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
 ;;
 *)
diff --git a/debian/taler-merchant.prerm b/debian/taler-merchant.prerm
new file mode 100644
index 00000000..84d4c486
--- /dev/null
+++ b/debian/taler-merchant.prerm
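Review bot: `if [ diff a b >/dev/null 2>&1 ]` in `apache_remove` and `nginx_remove` runs `test`, not `diff`, so the condition is a three-argument `[` with no operator, always fails, and the web server snippet is never removed; `nginx_remove` additionally compares `taler-exchange` files under `/etc/apache2`, a copy-paste leftover. Even with the brackets dropped the comparison cannot succeed, because the shipped template still contains `%SECURITYTOKEN%` while the installed snippet has the token substituted, so the line that received the token has to be ignored in the comparison. Separately, the `_GROUPNAME` fallback here is `taler-merchant-httpd` while the template default and the postinst fallback are `www-data`; with `www-data` configured, purge would attempt `delgroup --only-if-empty www-data`, which adduser's own safeguards should refuse, but a package should not try to delete a group it did not create. Nothing here reloads the web server after the snippet is removed, so the old configuration stays active until the next restart.
```sh
apache_remove() {
  # The shipped template still carries %SECURITYTOKEN%, so ignore the line
  # that received the token when checking that the installed file is ours.
  if diff -I 'RewriteCond' /etc/taler-merchant/apache.conf \
          /etc/apache2/conf-available/taler-merchant.conf >/dev/null 2>&1
  then
    rm -f /etc/apache2/conf-available/taler-merchant.conf
  fi
}

nginx_remove() {
  if diff -I 'http_authorization' /etc/taler-merchant/nginx.conf \
          /etc/nginx/conf-available/taler-merchant.conf >/dev/null 2>&1
  then
    rm -f /etc/nginx/conf-available/taler-merchant.conf
  fi
}
```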
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+
+if [ -f /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+fi
+. /usr/share/dbconfig-common/dpkg/prerm
+
+if [ -f /usr/share/dbconfig-common/dpkg/prerm.pgsql ]; then
+ . /usr/share/dbconfig-common/dpkg/prerm.pgsql
+ dbc_go taler-merchant "$@"
+fi
+
+
+db_stop
+exit 0
diff --git a/debian/taler-merchant.templates b/debian/taler-merchant.templates
index 36b9e5f0..9f000393 100644
--- a/debian/taler-merchant.templates
+++ b/debian/taler-merchant.templates
@@ -1,4 +1,24 @@
-Template: taler-merchant/autostart
-Type: boolean
-Default: true
-_Description: Should the Taler merchant be launched on boot?
+Template: taler-merchant/reconfigure-webserver
+Type: multiselect
+Choices: apache2, lighttpd, nginx
+_Description: Web server to reconfigure automatically:
+ Please choose the web server that should be automatically configured
+ as a frontend for taler-merchant-httpd.
+
+
+Template: taler-merchant/username
+Type: string
+Default: taler-merchant-httpd
+_Description: Taler user:
+ Please choose the user that the taler-merchant-httpd process will run as.
+ .
+ This should be a dedicated account. If the specified account does not
+ already exist, it will automatically be created, with no login shell.
+
+Template: taler-merchant/groupname
+Type: string
+Default: www-data
+_Description: Taler group:
+ Please choose the group that the taler-merchant-httpd will run as.
+ .
+ This should be the same group that the Web server is in.
-- cgit v1.2.3
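Review bot: `db_stop` at the end runs unconditionally while `/usr/share/debconf/confmodule` is only sourced when present, so under `set -e` the script aborts with a "not found" error in exactly the situation the guard was written for; the same asymmetry applies to `. /usr/share/dbconfig-common/dpkg/prerm`, which is sourced unguarded although the `prerm.pgsql` hook right below it is guarded. Either guard all three consistently, e.g. `if [ -f /usr/share/dbconfig-common/dpkg/prerm ]; then . /usr/share/dbconfig-common/dpkg/prerm; fi` and `if [ -f /usr/share/debconf/confmodule ]; then db_stop; fi`, or rely on the package's `Depends` and drop the guards altogether. With `set -e` in effect the trailing `exit 0` adds nothing and can go.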
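Review bot: `Choices: apache2, lighttpd, nginx` offers lighttpd, but the postrm in this commit (and, as far as visible, the postinst) only distinguishes `nginx` from everything else (`if [ "$webserver" = "nginx" ] ; then nginx_remove else apache_remove`), so selecting lighttpd writes and later removes the Apache snippet; either drop lighttpd from the choices or give it its own branch. The multiselect has no `Default`, so unless the config script asks the question (it does not in this commit) the answer is empty and no web server is configured. The `groupname` default `www-data` disagrees with the postrm's fallback `taler-merchant-httpd`; pick one value everywhere and add a sentence to the description that a shared group such as `www-data` is not removed on purge.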