exchange

Base system with REST service to issue digital coins, run by the payment service provider

commit a367347a54338641180083573698b1fb48aced55
parent 036d4cb71ac1abe1990c936ee1f3b2cbf15d14c1
Author: Florian Dold <florian@dold.me>
Date:   Thu, 29 Jul 2021 13:41:49 +0200

simplify configuration

Diffstat:
Ddebian/etc/taler/auditor-service-default.conf | 1-
Ddebian/etc/taler/auditor-system.conf | 14--------------
Adebian/etc/taler/conf.d/auditor-system.conf | 12++++++++++++
Adebian/etc/taler/conf.d/exchange-business.conf | 46++++++++++++++++++++++++++++++++++++++++++++++
Adebian/etc/taler/conf.d/exchange-system.conf | 18++++++++++++++++++
Ddebian/etc/taler/exchange-business.conf | 48------------------------------------------------
Ddebian/etc/taler/exchange-db.conf | 10----------
Ddebian/etc/taler/exchange-offline.conf | 8--------
Ddebian/etc/taler/exchange-service-default.conf | 10----------
Ddebian/etc/taler/exchange-service-secmod.conf | 9---------
Ddebian/etc/taler/exchange-service-wire.conf | 12------------
Ddebian/etc/taler/exchange-system.conf | 22----------------------
Ddebian/etc/taler/exchange-wire-gateway.conf | 4----
Adebian/etc/taler/secrets/auditor-db.secret.conf | 10++++++++++
Adebian/etc/taler/secrets/exchange-accounts.secret.conf | 21+++++++++++++++++++++
Adebian/etc/taler/secrets/exchange-db.secret.conf | 10++++++++++
Adebian/etc/taler/taler.conf | 29+++++++++++++++++++++++++++++
Mdebian/taler-auditor.taler-auditor-httpd.service | 2+-
Mdebian/taler-exchange-offline.postinst | 16----------------
Mdebian/taler-exchange.postinst | 10++++++++--
Mdebian/taler-exchange.taler-exchange-aggregator.service | 2+-
Mdebian/taler-exchange.taler-exchange-closer.service | 2+-
Mdebian/taler-exchange.taler-exchange-httpd.service | 2+-
Mdebian/taler-exchange.taler-exchange-secmod-eddsa.service | 2+-
Mdebian/taler-exchange.taler-exchange-secmod-rsa.service | 2+-
Mdebian/taler-exchange.taler-exchange-transfer.service | 2+-
Mdebian/taler-exchange.taler-exchange-wirewatch.service | 2+-
Ddebian/taler-exchange.tmpfiles | 4----
28 files changed, 162 insertions(+), 168 deletions(-)

diff --git a/debian/etc/taler/auditor-service-default.conf b/debian/etc/taler/auditor-service-default.conf
@@ -1 +0,0 @@
-@INLINE@ auditor-system.conf
diff --git a/debian/etc/taler/auditor-system.conf b/debian/etc/taler/auditor-system.conf
@@ -1,14 +0,0 @@
-[PATHS]
-
-# Move runtime data "tmp" directory to /var/lib/taler-auditor/
-# to possibly provide additional protection from unwarranted access.
-TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/
-
-[auditor]
-# Debian package is configured to use a reverse proxy with a UNIX
-# domain socket. See nginx/apache configuration files.
-SERVE = UNIX
-UNIXPATH = /var/lib/taler-auditor/auditor.sock
-
-# Only supported database is Postgres right now.
-DATABASE = postgres
diff --git a/debian/etc/taler/conf.d/auditor-system.conf b/debian/etc/taler/conf.d/auditor-system.conf
@@ -0,0 +1,12 @@
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ auditordb-postgres ../secrets/auditor-db.secret.conf
+
+[auditor]
+# Debian package is configured to use a reverse proxy with a UNIX
+# domain socket. See nginx/apache configuration files.
+SERVE = UNIX
+UNIXPATH = /var/lib/taler-auditor/auditor.sock
+
+# Only supported database is Postgres right now.
+DATABASE = postgres
diff --git a/debian/etc/taler/conf.d/exchange-business.conf b/debian/etc/taler/conf.d/exchange-business.conf
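Review bot: conf.d/auditor-system.conf drops the `[PATHS]` section with `TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/` that the deleted auditor-system.conf set explicitly "to possibly provide additional protection from unwarranted access", and the conf.d/exchange-system.conf hunk further down likewise drops `TALER_RUNTIME_DIR = /run/taler-exchange-private`; nothing added in this commit supplies either value, and the removal of debian/taler-exchange.tmpfiles points the same way. Unless the compiled-in defaults (not visible here) already resolve to per-service private directories, runtime data of both daemons now lands wherever the default points, undoing the hardening the removed comment describes. If the drop is deliberate, a line such as `# TALER_RUNTIME_DIR is intentionally left at the package default; see the read-only base config.` in both conf.d files would stop the next reader from re-adding it without knowing why.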
@@ -0,0 +1,46 @@
+# Configuration for business-level aspects of the exchange.
+
+[exchange]
+
+# Here you MUST add the master public key of the offline system
+# which you can get using `taler-exchange-offline setup`.
+# This is just an example, your key will be different!
+# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
+MASTER_PUBLIC_KEY =
+
+# For your terms of service and privacy policy, you should specify
+# an Etag that must be updated whenever there are significant
+# changes to either document. The format is up to you, what matters
+# is that the value is updated and never re-used. See the HTTP
+# specification on Etags.
+# TERMS_ETAG =
+# PRIVACY_ETAG =
+
+
+# You must specify the various denominations to be offered by your exchange
+# in sections called "coin_".
+# What follows is an example.
+
+# [coin_FOO]
+## Actual value of the coin
+#VALUE = KUDOS:1
+
+## How long will one key be used for withdrawals?
+#DURATION_WITHDRAW = 7 days
+
+## How long do users have to spend their coins?
+#DURATION_SPEND = 2 years
+
+## How long does the exchange keep the proofs around for legal disputes?
+#DURATION_LEGAL = 6 years
+
+## Fees charged. Note that for the lowest denomination, the
+## fee must precisely be the lowest denomination, or zero.
+#FEE_WITHDRAW = KUDOS:0
+#FEE_DEPOSIT = KUDOS:0
+#FEE_REFRESH = KUDOS:0
+#FEE_REFUND = KUDOS:0
+
+## How long should the RSA keys be. Do not change unless you really know
+## what you are doing (consult your local cryptographer first!).
+#RSA_KEYSIZE = 2048
diff --git a/debian/etc/taler/conf.d/exchange-system.conf b/debian/etc/taler/conf.d/exchange-system.conf
@@ -0,0 +1,18 @@
+# Configuration settings for system parameters of the exchange.
+
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ exchange-account-1 ../secrets/exchange-accounts.secret.conf
+@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf
+
+[exchange]
+# Debian package is configured to use a reverse proxy with a UNIX
+# domain socket. See nginx/apache configuration files.
+#
+# FIXME: This should be set to something like "NONE"
+# since systemd creates the socket for us.
+SERVE = UNIX
+UNIXPATH = /var/lib/taler-exchange/exchange.sock
+
+# Only supported database is Postgres right now.
+DATABASE = postgres
diff --git a/debian/etc/taler/exchange-business.conf b/debian/etc/taler/exchange-business.conf
@@ -1,48 +0,0 @@
-# Configuration for business-level aspects of the exchange.
-
-[taler]
-# Here you need to set the currency of your exchange:
-# CURRENCY = KUDOS
-
-# Here you MUST add the master public key of the offline system
-# which you can get using `taler-exchange-offline setup`.
-# This is just an example, your key will be different!
-# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
-MASTER_PUBLIC_KEY =
-
-# For your terms of service and privacy policy, you should specify
-# an Etag that must be updated whenever there are significant
-# changes to either document. The format is up to you, what matters
-# is that the value is updated and never re-used. See the HTTP
-# specification on Etags.
-# TERMS_ETAG =
-# PRIVACY_ETAG =
-
-
-# You must specify the various denominations to be offered by your exchange
-# in sections called "coin_".
-# What follows is an example.
-
-# [coin_FOO]
-## Actual value of the coin
-#VALUE = KUDOS:1
-
-## How long will one key be used for withdrawals?
-#DURATION_WITHDRAW = 7 days
-
-## How long do users have to spend their coins?
-#DURATION_SPEND = 2 years
-
-## How long does the exchange keep the proofs around for legal disputes?
-#DURATION_LEGAL = 6 years
-
-## Fees charged. Note that for the lowest denomination, the
-## fee must precisely be the lowest denomination, or zero.
-#FEE_WITHDRAW = KUDOS:0
-#FEE_DEPOSIT = KUDOS:0
-#FEE_REFRESH = KUDOS:0
-#FEE_REFUND = KUDOS:0
-
-## How long should the RSA keys be. Do not change unless you really know
-## what you are doing (consult your local cryptographer first!).
-#RSA_KEYSIZE = 2048
diff --git a/debian/etc/taler/exchange-db.conf b/debian/etc/taler/exchange-db.conf
@@ -1,10 +0,0 @@
-# Database configuration for the Taler exchange.
-
-[exchangedb-postgres]
-
-# Typically, there should only be a single line here, of the form:
-
-# CONFIG=postgres:///DATABASE
-
-# The details of the URI depend on where the database lives and how
-# access control was configured.
diff --git a/debian/etc/taler/exchange-offline.conf b/debian/etc/taler/exchange-offline.conf
@@ -1,8 +0,0 @@
-# This configuration file is the entry point for the offline key management.
-#
-# It includes other configuration files, which are applied on top of the
-# read-only base configuration (typically in /usr/share/taler/config.d/).
-
-# This file should be identical to the business configuration of the running
-# online exchange
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-default.conf b/debian/etc/taler/exchange-service-default.conf
@@ -1,10 +0,0 @@
-# This configuration file is the entry point for most
-# Taler exchange services.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-secmod.conf b/debian/etc/taler/exchange-service-secmod.conf
@@ -1,9 +0,0 @@
-# This configuration file is the entry point for the exchange
-# security modules.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-wire.conf b/debian/etc/taler/exchange-service-wire.conf
@@ -1,12 +0,0 @@
-# This configuration file is the entry point for
-# Taler exchange services that access the wire gateway,
-# i.e. the protocol bridge to core banking functionality.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf
-@INLINE@ exchange-wire-gateway.conf
diff --git a/debian/etc/taler/exchange-system.conf b/debian/etc/taler/exchange-system.conf
@@ -1,22 +0,0 @@
-# Configuration settings for system parameters of
-# the exchange. Should be included in all service-specific
-# configuration files for the exchange.
-#
-# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.
-
-[PATHS]
-
-TALER_RUNTIME_DIR = /run/taler-exchange-private
-
-
-[exchange]
-# Debian package is configured to use a reverse proxy with a UNIX
-# domain socket. See nginx/apache configuration files.
-#
-# FIXME: This should be set to something like "NONE"
-# since systemd creates the socket for us.
-SERVE = UNIX
-UNIXPATH = /var/lib/taler-exchange/exchange.sock
-
-# Only supported database is Postgres right now.
-DATABASE = postgres
diff --git a/debian/etc/taler/exchange-wire-gateway.conf b/debian/etc/taler/exchange-wire-gateway.conf
@@ -1,4 +0,0 @@
-# This file should contain the wire account access information which is needed
-# by the Taler exchange to talk to LibEuFin to interact with the bank.
-# The file SHOULD only be readable for the "taler-exchange-wire" user,
-# as other users/services have no business talking to the bank.
diff --git a/debian/etc/taler/secrets/auditor-db.secret.conf b/debian/etc/taler/secrets/auditor-db.secret.conf
@@ -0,0 +1,10 @@
+# Database configuration for the Taler auditor.
+
+[auditordb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///DATABASE
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
diff --git a/debian/etc/taler/secrets/exchange-accounts.secret.conf b/debian/etc/taler/secrets/exchange-accounts.secret.conf
@@ -0,0 +1,21 @@
+# This file should contain the wire account access information which is needed
+# by the Taler exchange to talk to LibEuFin to interact with the bank.
+# The file SHOULD only be readable for the "taler-exchange-wire" user,
+# as other users/services have no business talking to the bank.
+
+
+[exchange-account-1]
+enable_credit = yes
+
+enable_debit = yes
+
+wire_gateway_auth_method = basic
+
+password =
+
+username =
+
+wire_gateway_url =
+
+payto_uri =
+
diff --git a/debian/etc/taler/secrets/exchange-db.secret.conf b/debian/etc/taler/secrets/exchange-db.secret.conf
@@ -0,0 +1,10 @@
+# Database configuration for the Taler exchange.
+
+[exchangedb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///DATABASE
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
diff --git a/debian/etc/taler/taler.conf b/debian/etc/taler/taler.conf
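Review bot: secrets/auditor-db.secret.conf ships `CONFIG=postgres:///DATABASE` as a live value, whereas the deleted exchange-db.conf kept that same line commented out as an example, and the retained comment above it still presents it as a form to follow; the exchange-db.secret.conf hunk below does the same. Unless the admin edits the file, the daemon will try to open a database literally named DATABASE, so either keep the line commented or reword the comment to `# Replace DATABASE with the real database name (and credentials, if any) before starting the service.` Separately, the file lives under secrets/ and the taler.conf header says such files need restrictive permissions, but the diffstat lists no taler-auditor postinst change and no fixperm call covers this path, so as far as this commit shows it is installed with the default conffile mode; should the URI ever carry a password, every local user could read it.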
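Review bot: The section name `[exchange-account-1]` has to match the name given in `@inline-secret@ exchange-account-1 ../secrets/exchange-accounts.secret.conf` in conf.d/exchange-system.conf, and that coupling is stated nowhere in the file; a line such as `# Section name must match the @inline-secret@ reference in conf.d/exchange-system.conf` above the header would keep a rename on one side from silently dropping the account, which is hard to notice because the inline comment says the include is skipped without error when it cannot be read. The same applies to `[exchangedb-postgres]` and `[auditordb-postgres]` in the two db secret files.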
@@ -0,0 +1,29 @@
+# Main entry point for the GNU Taler configuration.
+#
+# Structure:
+# - taler.conf is the main configuration entry point
+# used by all Taler components
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it.
+
+[taler]
+
+# Currency of the Taler deployment. This setting applies to all Taler
+# components that only support a single currency.
+#currency = KUDOS
+
+# Smallest currency unit handled by the underlying bank system. Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+#currency_round_unit = KUDOS:0.01
+
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf
diff --git a/debian/taler-auditor.taler-auditor-httpd.service b/debian/taler-auditor.taler-auditor-httpd.service
@@ -6,7 +6,7 @@ After=postgres.service network.target User=taler-auditor-httpd Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler-auditor.conf +ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler/taler.conf [Install] WantedBy=multi-user.target
diff --git a/debian/taler-exchange-offline.postinst b/debian/taler-exchange-offline.postinst
@@ -1,4 +1,3 @@ -#!/bin/bash set -e
@@ -6,16 +5,6 @@ set -e TALER_HOME="/var/lib/taler-exchange" -# usage: lncfg user home target -function lncfg() { - local cf=$TALER_HOME/$2/.config - if [ ! -e $cf ]; then - mkdir $cf - chown $(stat -L -c %u $TALER_HOME/$2):$(stat -L -c %g $TALER_HOME/$2) $cf - fi - ln -sf $3 $cf/taler.conf -} - case "${1}" in configure)
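Review bot: `@inline-matching@ conf.d/*.conf` pulls in every file the glob matches, but nothing states the order in which matches are applied or whether a key set in a later file overrides the same key from an earlier one, which matters once several components drop snippets into conf.d. If the loader applies them in glob order with last-writer-wins (I cannot confirm that from this diff), a comment such as `# Files are inlined in glob order; a key set in a later file overrides the same key from an earlier one.` would save admins from guessing. The comment on currency_round_unit also reads awkwardly: `this units` should be `this unit` and `systems is always rounded` should be `systems are always rounded`.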
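Review bot: The first postinst hunk (`@@ -1,4 +1,3 @@`) removes `#!/bin/bash`, which as the collapsed hunk reads was the only interpreter line, so taler-exchange-offline.postinst now starts with a blank line; unless the build re-adds a shebang, dpkg has no interpreter to run the maintainer script with and package configuration may fail, or fall back to a shell other than the one the script was written for. Restore `#!/bin/bash` (or `#!/bin/sh` if the remaining body is POSIX) as line 1. Dropping lncfg itself looks consistent, since its only caller is removed in the next hunk.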
@@ -29,11 +18,6 @@ configure) --home ${TALER_HOME}/offline taler-exchange-offline fi - lncfg taler-exchange-offline offline /etc/taler/exchange-offline.conf - - echo "All done." - ;; - abort-upgrade | abort-remove | abort-deconfigure) ;; *)
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
@@ -15,6 +15,12 @@ _ESECUSERNAME=taler-exchange-secmod-eddsa _AGGRUSERNAME=taler-exchange-aggregator _WIREUSERNAME=taler-exchange-wire +# usage: fixperm user:group perms file +function fixperm() { + chown "$1" "$3" + chmod "$2" "$3" +} + case "${1}" in configure)
@@ -50,8 +56,8 @@ configure) adduser --quiet ${_AGGRUSERNAME} ${_DBGROUPNAME} fi - fixperm ${_WIREUSERNAME}:root 460 /etc/taler/exchange-wire-gateway.conf - fixperm root:${_DBGROUPNAME} 640 /etc/taler/exchange-db.conf + fixperm ${_WIREUSERNAME}:root 460 /etc/taler/secrets/exchange-accounts.secret.conf + fixperm root:${_DBGROUPNAME} 640 /etc/taler/secrets/exchange-db.secret.conf ;;
diff --git a/debian/taler-exchange.taler-exchange-aggregator.service b/debian/taler-exchange.taler-exchange-aggregator.service
@@ -6,7 +6,7 @@ PartOf=taler-exchange.service User=taler-exchange-aggregator Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/exchange-service-default.conf +ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/taler.conf StandardOutput=journal StandardError=journal PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-closer.service b/debian/taler-exchange.taler-exchange-closer.service
@@ -6,7 +6,7 @@ PartOf=taler-exchange.service User=taler-exchange-closer Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/exchange-service-default.conf +ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/taler.conf StandardOutput=journal StandardError=journal PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-httpd.service b/debian/taler-exchange.taler-exchange-httpd.service
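Review bot: The `@@ -29,11 +18,6 @@` hunk in taler-exchange-offline.postinst removes five lines, and by the hunk counts (three context lines on each side) the removed `;;` is the terminator of the `configure)` arm, while `abort-upgrade | abort-remove | abort-deconfigure)` stays as context. That leaves `fi` followed directly by the next case pattern, which bash rejects at parse time (unexpected `)`), so the whole postinst would fail and block installation of the package. If I am reading the collapsed hunk correctly, the fix is to drop only the lncfg call, the blank line and the `echo "All done."`, keeping `;;` before the abort arm. The enclosing `case` starts in the previous hunk and ends outside this one.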
@@ -10,7 +10,7 @@ PartOf=taler-exchange.service User=taler-exchange-httpd Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/exchange-service-default.conf +ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/taler.conf StandardOutput=journal StandardError=journal PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-secmod-eddsa.service b/debian/taler-exchange.taler-exchange-secmod-eddsa.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service User=taler-exchange-secmod-eddsa Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/exchange-service-secmod.conf +ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/taler.conf StandardOutput=journal StandardError=journal PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-secmod-rsa.service b/debian/taler-exchange.taler-exchange-secmod-rsa.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service User=taler-exchange-secmod-rsa Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/exchange-service-secmod.conf +ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.con StandardOutput=journal StandardError=journal PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-transfer.service b/debian/taler-exchange.taler-exchange-transfer.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service User=taler-exchange-wire Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/exchange-service-wire.conf +ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/taler.conf StandardOutput=journal StandardError=journal PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-wirewatch.service b/debian/taler-exchange.taler-exchange-wirewatch.service
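Review bot: The new ExecStart in taler-exchange-secmod-rsa.service points at `/etc/taler/taler.con`, one character short of the `/etc/taler/taler.conf` every other unit in this commit switches to, so the RSA security module is started with a config path that does not exist and will either fail to start or run on built-in defaults, depending on how the binary treats a missing `-c` file. Change the line to `ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.conf`. The companion secmod-eddsa unit in the hunk above has the correct path.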
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service User=taler-exchange-wire Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/exchange-service-wire.conf +ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/taler.conf StandardOutput=journal StandardError=journal PrivateTmp=yes
diff --git a/debian/taler-exchange.tmpfiles b/debian/taler-exchange.tmpfiles
@@ -1,4 +0,0 @@ -# Type Path Mode User Group Age Argument - -# Directory for secmod server and client sockets -d /var/taler-exchange 2660 root taler-exchange-secmod - -