sandcastle-ng

Scripts for the deployment of Sandcastle (GNU Taler)

commit 8381a0ab80ba82a4961de560ba9da36e7226691e
parent 244b536f0392510843494c7bd080624ca4f081dc
Author: Florian Dold <florian@dold.me>
Date:   Tue,  4 Feb 2025 20:40:30 +0100

import/export

Diffstat:
Msandcastle-export | 8++++----
Mscripts/demo/setup-sandcastle.sh | 524+++++++++++++++++++++++++++++++++++++++++--------------------------------------
2 files changed, 277 insertions(+), 255 deletions(-)

diff --git a/sandcastle-export b/sandcastle-export @@ -9,10 +9,10 @@ mkdir -p "$target/taler-exchange" mkdir -p "$target/taler-merchant" mkdir -p "$target/libeufin" -podman cp taler-sandcastle:/var/lib/taler-exchange/offline/ $target/taler-exchange/. -podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-rsa/ $target/taler-exchange/. -podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-eddsa/ $target/taler-exchange/. -podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-cs/ $target/taler-exchange/. +podman cp taler-sandcastle:/var/lib/taler-exchange/offline/. $target/taler-exchange/offline +podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-rsa/. $target/taler-exchange/secmod-rsa +podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-eddsa/. $target/taler-exchange/secmod-eddsa +podman cp taler-sandcastle:/var/lib/taler-exchange/secmod-cs/. $target/taler-exchange/secmod-cs podman exec taler-sandcastle sudo -u postgres pg_dump taler-exchange > $target/taler-exchange/taler-exchange.sql diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh 
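Review bot: `$target` is unquoted on the four new `podman cp` lines although the `mkdir -p "$target/…"` context lines quote it, so an export path containing spaces or glob characters is split into several arguments. Write `podman cp taler-sandcastle:/var/lib/taler-exchange/offline/. "$target/taler-exchange/offline"` and quote the three secmod lines the same way. Judging by the paths, these directories hold the exchange's offline key and the secmod key material, and nothing in the visible lines restricts the mode of `$target`. A `umask 077` before the `mkdir -p` calls, which start outside this hunk, would keep the export private to the invoking user.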
@@ -129,32 +129,284 @@ lift_dir talerdata /etc/libeufin etc-libeufin lift_dir talerdata /var/lib/postgresql var-lib-postgresql lift_dir talerdata_persistent /var/lib/taler-exchange/offline exchange-offline -# Now that the /var/lib/postgres is available, we can start postgres + +# Usage: get_credential_pw COMPONENT/ACCOUNT +function get_credential_pw() { + if [[ ${USE_INSECURE_SANDBOX_PASSWORDS:-0} = 1 ]]; then + echo "sandbox" + return + fi + p=/credentials/$1 + if [[ ! -f $p ]]; then + mkdir -p $(dirname "$p") + uuidgen -r >$p + fi + cat "$p" +} + +# If necessary, import the offline key. +# Done before everything else, as we need the key +# to generate the config. + +if [[ -d /exported && -e /exported/import-request ]]; then + echo "Importing exchange offline key" + rm -rf /var/lib/taler-exchange/offline/* + cp -r /exported/taler-exchange/offline/* /var/lib/taler-exchange/offline/ +fi + +# Adjust permissions +chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/* || true + + +MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LDEBUG setup) + + +# +# Create the basic configuration files +# + +mkdir -p /etc/challenger/conf.d +cat <<EOF >/etc/challenger/conf.d/setup-sandcastle.conf +[challenger] +ADDRESS_TYPE = email +AUTH_COMMAND = /data/sandcastle-challenger-auth +ADDRESS_RESTRICTIONS = {"email":{"hint":"not an e-mail address","regex":"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$"}} +EOF + +cat <<EOF >/etc/libeufin/libeufin-bank.conf +[libeufin-bank] +CURRENCY = $CURRENCY +DEFAULT_DEBT_LIMIT = $CURRENCY:500 +REGISTRATION_BONUS = $CURRENCY:100 +SPA_CAPTCHA_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/webui/#/operation/{woid} +SUGGESTED_WITHDRAWAL_EXCHANGE = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/ +ALLOW_REGISTRATION = yes +SERVE = tcp +PORT = 8080 +# Bind address. +# Option soon to be deprecated! 
+ADDRESS = 0.0.0.0 + +# Compat mode for now +PWD_CHECK = no +PWD_AUTH_COMPAT = yes + +[currency-$CURRENCY] +ENABLED = YES +name = "${NAME:=Kudos}" +code = "$CURRENCY" +decimal_separator = "." +fractional_input_digits = ${FRACTIONALS:=2} +fractional_normal_digits = ${FRACTIONALS:=2} +fractional_trailing_zero_digits = ${FRACTIONALS:=2} +is_currency_name_leading = NO +alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"} +EOF + +cat <<EOF >/etc/libeufin/settings.json +{ + "topNavSites": { + "Landing": "$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/", + "Bank": "$PROTO://$BANK_DOMAIN$PORT_SUFFIX", + "Essay Shop": "$PROTO://$BLOG_DOMAIN$PORT_SUFFIX", + "Donations": "$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX" + } +} +EOF + +# Generate /tmp/sandcastle-setup.conf +cat <<EOF >/tmp/sandcastle-setup.conf +[currency-$CURRENCY] +ENABLED = YES +name = "${NAME:=Kudos}" +code = "$CURRENCY" +decimal_separator = "." +fractional_input_digits = ${FRACTIONALS:=2} +fractional_normal_digits = ${FRACTIONALS:=2} +fractional_trailing_zero_digits = ${FRACTIONALS:=2} +is_currency_name_leading = NO +alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"} +EOF + +cp /tmp/sandcastle-setup.conf /etc/taler-exchange/conf.d/sandcastle-setup.conf +cp /tmp/sandcastle-setup.conf /etc/taler-merchant/conf.d/sandcastle-setup.conf + + +cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-exchange.conf +[exchange] +CURRENCY = $CURRENCY +CURRENCY_ROUND_UNIT = $CURRENCY:0.01 +AML_THRESHOLD = $CURRENCY:1000000 +MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY +BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/ + +[taler-exchange-secmod-rsa] +LOOKAHEAD_SIGN = 4 weeks + +[taler-exchange-secmod-eddsa] +LOOKAHEAD_SIGN = 4 weeks + +[taler-exchange-secmod-cs] +LOOKAHEAD_SIGN = 4 weeks + +[exchange-account-default] +PAYTO_URI = $EXCHANGE_FULL_PAYTO +ENABLE_DEBIT = YES +ENABLE_CREDIT = YES +@inline-secret@ exchange-accountcredentials-default ../secrets/exchange-accountcredentials-default.secret.conf +EOF + + +cat <<EOF 
>/etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf +[exchange-accountcredentials-default] +WIRE_GATEWAY_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/accounts/exchange/taler-wire-gateway/ +WIRE_GATEWAY_AUTH_METHOD = basic +USERNAME = exchange +PASSWORD = $(get_credential_pw bank/exchange) +EOF + +if [[ $ENABLE_AUDITOR = 1 ]]; then + # Make sandcastle exchange config available to auditor + cp /etc/taler-exchange/conf.d/sandcastle-exchange.conf /etc/taler-auditor/conf.d/sandcastle-exchange.conf + + # We run the offline tooling as root, maybe in the future there should be + # a separate user created by the Debian package for that. + AUDITOR_PUB=$(taler-auditor-offline setup) + + cat <<EOF >/etc/taler-auditor/conf.d/sandcastle-auditor.conf +[auditor] +PUBLIC_KEY = $AUDITOR_PUB + +[exchangedb] + +$(dup_exchange_opt exchangedb IDLE_RESERVE_EXPIRATION_TIME) +$(dup_exchange_opt exchangedb LEGAL_RESERVE_EXPIRATION_TIME) +$(dup_exchange_opt exchangedb AGGREGATOR_SHIFT) +$(dup_exchange_opt exchangedb DEFAULT_PURSE_LIMIT) + +[exchangedb-postgres] +$(dup_exchange_opt exchangedb-postgres CONFIG) + +[exchange] +$(dup_exchange_opt exchange CURRENCY) +$(dup_exchange_opt exchange CURRENCY_ROUND_UNIT) +$(dup_exchange_opt exchange DB) + + +EOF +fi + +# The config shipped with the package can conflict with the +# trusted sandcastle exchange if the currency is KUDOS. +rm -f /usr/share/taler-exchange/config.d/kudos.conf +rm -f /usr/share/taler-merchant/config.d/kudos.conf + +# We need to define the default currency for the UI. 
+cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant.conf +[merchant] +CURRENCY = $CURRENCY +EOF + +cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant-exchanges.conf +[merchant-exchange-sandcastle] +EXCHANGE_BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/ +MASTER_KEY = $MASTER_PUBLIC_KEY +CURRENCY = $CURRENCY +EOF + +# Allow overrides to modify merchant config +[[ $(type -t hook_merchant_config) == function ]] && hook_merchant_config + +# FIXME: This is a workaround, fix the packaging of taler-merchant-frontends here! +mkdir -p /etc/taler + + +cat <<EOF >/etc/taler/taler-merchant-frontends.conf +# Different entry point, we need to repeat some settings. +# In the future, taler-merchant-demos should become +# robust enough to read from the main config. +[taler] +CURRENCY = $CURRENCY + +[frontend-demo-landing] +SERVE = http +HTTP_PORT = $PORT_INTERNAL_LANDING + +[frontend-demo-blog] +SERVE = http +HTTP_PORT = $PORT_INTERNAL_BLOG +BACKEND_URL = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/blog/ +BACKEND_APIKEY = secret-token:$(get_credential_pw merchant/blog) + +[frontend-demo-donations] +SERVE = http +HTTP_PORT = $PORT_INTERNAL_DONATIONS +BACKEND_URL_TOR = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/tor/ +BACKEND_APIKEY_TOR = secret-token:$(get_credential_pw merchant/tor) +BACKEND_URL_TALER = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/taler/ +BACKEND_APIKEY_TALER = secret-token:$(get_credential_pw merchant/taler) +BACKEND_URL_GNUNET = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/gnunet/ +BACKEND_APIKEY_GNUNET = secret-token:$(get_credential_pw merchant/gnunet) +EOF + +# This really should not exist, the taler-merchant-frontends +# should be easier to configure! 
+cat <<EOF >/etc/taler/taler-merchant-frontends.env +TALER_ENV_URL_INTRO=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/ +TALER_ENV_URL_LANDING=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/ +TALER_ENV_URL_BANK=$PROTO://$BANK_DOMAIN$PORT_SUFFIX/ +TALER_ENV_URL_MERCHANT_BLOG=$PROTO://$BLOG_DOMAIN$PORT_SUFFIX/ +TALER_ENV_URL_MERCHANT_DONATIONS=$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX/ +EOF + +# +# Create databases +# systemctl start postgresql.service +# Set up databases. +# Do that *before* we potentially do a restore-from-backup. -# Now all the basic stuff has been set up, we can try to import if required +challenger-dbconfig +# Sets up the database for both libeufin-bank and libeufin-nexus. We only need +# the libeufin-bank DB though. +libeufin-dbconfig + +if [[ $ENABLE_AUDITOR = 1 ]]; then + # Add auditor user to DB group *before* running taler-exchange-dbconfig, + # so that DB permissions are adjusted accordingly. + usermod taler-auditor-httpd -aG taler-exchange-db + taler-auditor-dbconfig +fi + +taler-exchange-dbconfig + +taler-merchant-dbconfig -if [[ -d /exported && -e /exported/import-request ]]; then - echo "Import requested" - sudo -u postgres psql taler-exchange -f exported/taler-exchange/taler-exchange.sql - sudo -u postgres psql taler-merchant -f exported/taler-merchant/taler-merchant.sql - sudo -u postgres psql libeufin -f exported/libeufin/libeufin.sql +# +# Import backup if necessary. 
+# + +if [[ -d /exported && -e /exported/import-request ]]; then + echo "Importing databases" - cp exported/taler-exchange/offline/* /var/lib/taler-exchange/offline/ + sudo -u postgres psql taler-exchange -f /exported/taler-exchange/taler-exchange.sql + sudo -u postgres psql taler-merchant -f /exported/taler-merchant/taler-merchant.sql + sudo -u postgres psql libeufin -f /exported/libeufin/libeufin.sql rm -rf /var/lib/taler-exchange/secmod-eddsa/* - cp -r exported/taler-exchange/secmod-eddsa/* /var/lib/taler-exchange/secmod-eddsa/ + cp -r /exported/taler-exchange/secmod-eddsa/* /var/lib/taler-exchange/secmod-eddsa/ rm -rf /var/lib/taler-exchange/secmod-rsa/* - cp -r exported/taler-exchange/secmod-rsa/* /var/lib/taler-exchange/secmod-rsa/ + cp -r /exported/taler-exchange/secmod-rsa/* /var/lib/taler-exchange/secmod-rsa/ rm -rf /var/lib/taler-exchange/secmod-cs/* - cp -r exported/taler-exchange/secmod-cs/* /var/lib/taler-exchange/secmod-cs/ + cp -r /exported/taler-exchange/secmod-cs/* /var/lib/taler-exchange/secmod-cs/ + echo "Marking import as done" rm /exported/import-request fi 
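Review bot: `dup_exchange_opt` is called in the auditor heredoc of this hunk (new lines 129–412), but the only definition visible on this page is in the header context of the later hunk at new line 835, so with `ENABLE_AUDITOR=1` each `$(dup_exchange_opt …)` would fail with "command not found" and `sandcastle-auditor.conf` would be written with those options missing. Moving the function definition up next to `get_credential_pw` restores the old define-before-use order. In the import block at the end of the hunk, `psql -f` exits 0 even when statements in the dump fail, so `rm /exported/import-request` marks a broken restore as done. Adding `-v ON_ERROR_STOP=1` to the three calls, e.g. `sudo -u postgres psql -v ON_ERROR_STOP=1 taler-exchange -f /exported/taler-exchange/taler-exchange.sql`, would surface the failure. Whether the script runs under `set -e` is not visible here.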
@@ -163,32 +415,17 @@ fi # IDs than the volume. That can happen when the packages in the container are installed # in a different order. # This is only relevant for non-root ownership. -function adjust_permissions() { - chown taler-exchange-offline:taler-exchange-offline /talerdata_persistent/exchange-offline - chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/* || true - chown --recursive taler-exchange-secmod-cs:taler-exchange-secmod /var/lib/taler-exchange/secmod-cs - chown --recursive taler-exchange-secmod-rsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-rsa - chown --recursive taler-exchange-secmod-eddsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-eddsa - chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf - chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf - # FIXME: More permissions to adjust!? -} - -adjust_permissions +chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/* || true +chown --recursive taler-exchange-secmod-cs:taler-exchange-secmod /var/lib/taler-exchange/secmod-cs +chown --recursive taler-exchange-secmod-rsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-rsa +chown --recursive taler-exchange-secmod-eddsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-eddsa +chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf +chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf +chmod 440 /etc/taler-merchant/secrets/merchant-db.secret.conf +chown taler-merchant-httpd:root /etc/taler-merchant/secrets/merchant-db.secret.conf +chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf +chown taler-exchange-wire:taler-exchange-db /etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf -# Usage: get_credential_pw COMPONENT/ACCOUNT -function get_credential_pw() { - if [[ 
${USE_INSECURE_SANDBOX_PASSWORDS:-0} = 1 ]]; then - echo "sandbox" - return - fi - p=/credentials/$1 - if [[ ! -f $p ]]; then - mkdir -p $(dirname "$p") - uuidgen -r >$p - fi - cat "$p" -} # Caddy configuration. # We use the caddy reverse proxy with automatic 
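Review bot: The permission block changes the owner of `exchange-accountcredentials-default.secret.conf` but never sets its mode, so the bank password written into it by the heredoc in the previous hunk is readable according to whatever umask the script runs with, unless the file already exists with a tighter mode, which is not visible here. Only `merchant-db.secret.conf` gets an explicit `chmod 440`. Adding e.g. `chmod 640 /etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf` after its chown would make the intent explicit; the exact mode should be confirmed against what the taler-exchange-wire user and the taler-exchange-db group need. The same concern applies to `/etc/taler/taler-merchant-frontends.conf`, which carries the merchant API keys, and to `uuidgen -r >$p` in `get_credential_pw`, both now in the previous hunk. The `chown root:taler-exchange-db` line for `exchange-db.secret.conf` also appears twice in the added lines.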
@@ -348,69 +585,14 @@ caddy trust # Set up challenger -challenger-dbconfig - CHALLENGER_CLIENT_SECRET=secret-token:sandbox CHALLENGER_CLIENT_ID=$(sudo -u challenger-httpd challenger-admin -q --add="$CHALLENGER_CLIENT_SECRET" https://$EXCHANGE_DOMAIN/kyc-proof/mychallenger) echo Challenger client ID: $CHALLENGER_CLIENT_ID -mkdir -p /etc/challenger/conf.d -cat <<EOF >/etc/challenger/conf.d/setup-sandcastle.conf -[challenger] -ADDRESS_TYPE = email -AUTH_COMMAND = /data/sandcastle-challenger-auth -ADDRESS_RESTRICTIONS = {"email":{"hint":"not an e-mail address","regex":"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$"}} -EOF - systemctl enable --now challenger-httpd.service # Set up bank -cat <<EOF >/etc/libeufin/libeufin-bank.conf -[libeufin-bank] -CURRENCY = $CURRENCY -DEFAULT_DEBT_LIMIT = $CURRENCY:500 -REGISTRATION_BONUS = $CURRENCY:100 -SPA_CAPTCHA_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/webui/#/operation/{woid} -SUGGESTED_WITHDRAWAL_EXCHANGE = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/ -ALLOW_REGISTRATION = yes -SERVE = tcp -PORT = 8080 -# Bind address. -# Option soon to be deprecated! -ADDRESS = 0.0.0.0 - -# Compat mode for now -PWD_CHECK = no -PWD_AUTH_COMPAT = yes - -[currency-$CURRENCY] -ENABLED = YES -name = "${NAME:=Kudos}" -code = "$CURRENCY" -decimal_separator = "." -fractional_input_digits = ${FRACTIONALS:=2} -fractional_normal_digits = ${FRACTIONALS:=2} -fractional_trailing_zero_digits = ${FRACTIONALS:=2} -is_currency_name_leading = NO -alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"} -EOF - -cat <<EOF >/etc/libeufin/settings.json -{ - "topNavSites": { - "Landing": "$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/", - "Bank": "$PROTO://$BANK_DOMAIN$PORT_SUFFIX", - "Essay Shop": "$PROTO://$BLOG_DOMAIN$PORT_SUFFIX", - "Donations": "$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX" - } -} -EOF - -# Sets up the database for both libeufin-bank and libeufin-nexus. We only need -# the libeufin-bank DB though. 
-libeufin-dbconfig - sudo -i -u libeufin-bank libeufin-bank edit-account admin --debit_threshold=$CURRENCY:1000000 sudo -i -u libeufin-bank libeufin-bank passwd admin $(get_credential_pw bank/admin) @@ -479,50 +661,6 @@ taler-harness deployment provision-bank-account "${BANK_BASEURL}" \ # Set up exchange -MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LDEBUG setup) - -# Generate /tmp/sandcastle-setup.conf -cat <<EOF >/tmp/sandcastle-setup.conf -[currency-$CURRENCY] -ENABLED = YES -name = "${NAME:=Kudos}" -code = "$CURRENCY" -decimal_separator = "." -fractional_input_digits = ${FRACTIONALS:=2} -fractional_normal_digits = ${FRACTIONALS:=2} -fractional_trailing_zero_digits = ${FRACTIONALS:=2} -is_currency_name_leading = NO -alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"} -EOF - -cp /tmp/sandcastle-setup.conf /etc/taler-exchange/conf.d/sandcastle-setup.conf -cp /tmp/sandcastle-setup.conf /etc/taler-merchant/conf.d/sandcastle-setup.conf - - -cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-exchange.conf -[exchange] -CURRENCY = $CURRENCY -CURRENCY_ROUND_UNIT = $CURRENCY:0.01 -AML_THRESHOLD = $CURRENCY:1000000 -MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY -BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/ - -[taler-exchange-secmod-rsa] -LOOKAHEAD_SIGN = 4 weeks - -[taler-exchange-secmod-eddsa] -LOOKAHEAD_SIGN = 4 weeks - -[taler-exchange-secmod-cs] -LOOKAHEAD_SIGN = 4 weeks - -[exchange-account-default] -PAYTO_URI = $EXCHANGE_FULL_PAYTO -ENABLE_DEBIT = YES -ENABLE_CREDIT = YES -@inline-secret@ exchange-accountcredentials-default ../secrets/exchange-accountcredentials-default.secret.conf -EOF - ## ## Configure KYC if enabled ## 
@@ -654,17 +792,6 @@ else rm -f /etc/taler-exchange/conf.d/sandcastle-kyc.conf fi -chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf - -cat <<EOF >/etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf -[exchange-accountcredentials-default] -WIRE_GATEWAY_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/accounts/exchange/taler-wire-gateway/ -WIRE_GATEWAY_AUTH_METHOD = basic -USERNAME = exchange -PASSWORD = $(get_credential_pw bank/exchange) -EOF - -chown taler-exchange-wire:taler-exchange-db /etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf if [[ ! -e /etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf ]]; then # Only create if necessary, as each [COIN-...] section @@ -675,15 +802,6 @@ if [[ ! -e /etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf ]]; then >"/etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf" fi -if [[ $ENABLE_AUDITOR = 1 ]]; then - # Add auditor user to DB group *before* running taler-exchange-dbconfig, - # so that DB permissions are adjusted accordingly. - usermod taler-auditor-httpd -aG taler-exchange-db -fi - -echo "Initializing exchange database" -taler-exchange-dbconfig - taler-terms-generator -K -i /usr/share/taler-exchange/terms/exchange-tos-v0 taler-terms-generator -K -i /usr/share/taler-exchange/terms/exchange-pp-v0 
@@ -717,68 +835,11 @@ function dup_exchange_opt() { # if [[ $ENABLE_AUDITOR = 1 ]]; then - # Make sandcastle exchange config available to auditor - cp /etc/taler-exchange/conf.d/sandcastle-exchange.conf /etc/taler-auditor/conf.d/sandcastle-exchange.conf - - # We run the offline tooling as root, maybe in the future there should be - # a separate user created by the Debian package for that. - AUDITOR_PUB=$(taler-auditor-offline setup) - - cat <<EOF >/etc/taler-auditor/conf.d/sandcastle-auditor.conf -[auditor] -PUBLIC_KEY = $AUDITOR_PUB - -[exchangedb] - -$(dup_exchange_opt exchangedb IDLE_RESERVE_EXPIRATION_TIME) -$(dup_exchange_opt exchangedb LEGAL_RESERVE_EXPIRATION_TIME) -$(dup_exchange_opt exchangedb AGGREGATOR_SHIFT) -$(dup_exchange_opt exchangedb DEFAULT_PURSE_LIMIT) - -[exchangedb-postgres] -$(dup_exchange_opt exchangedb-postgres CONFIG) - -[exchange] -$(dup_exchange_opt exchange CURRENCY) -$(dup_exchange_opt exchange CURRENCY_ROUND_UNIT) -$(dup_exchange_opt exchange DB) - - -EOF - - taler-auditor-dbconfig - systemctl enable --now taler-auditor.target fi # Set up merchant backend -chmod 440 /etc/taler-merchant/secrets/merchant-db.secret.conf -chown taler-merchant-httpd:root /etc/taler-merchant/secrets/merchant-db.secret.conf - -taler-merchant-dbconfig - -# The config shipped with the package can conflict with the -# trusted sandcastle exchange if the currency is KUDOS. -rm -f /usr/share/taler-exchange/config.d/kudos.conf -rm -f /usr/share/taler-merchant/config.d/kudos.conf - -# We need to define the default currency for the UI. 
-cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant.conf -[merchant] -CURRENCY = $CURRENCY -EOF - -cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant-exchanges.conf -[merchant-exchange-sandcastle] -EXCHANGE_BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/ -MASTER_KEY = $MASTER_PUBLIC_KEY -CURRENCY = $CURRENCY -EOF - -# Allow overrides to modify merchant config -[[ $(type -t hook_merchant_config) == function ]] && hook_merchant_config - MERCHANT_BASEURL=$PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/ systemctl enable --now taler-merchant.target 
@@ -853,47 +914,8 @@ taler-harness deployment provision-merchant-instance \ --id sandbox \ --payto "payto://iban/$MERCHANT_IBAN_SANDBOX?receiver-name=Sandbox+Merchant" -mkdir -p /etc/taler - # Now we set up the taler-merchant-demos -cat <<EOF >/etc/taler/taler-merchant-frontends.conf -# Different entry point, we need to repeat some settings. -# In the future, taler-merchant-demos should become -# robust enough to read from the main config. -[taler] -CURRENCY = $CURRENCY - -[frontend-demo-landing] -SERVE = http -HTTP_PORT = $PORT_INTERNAL_LANDING - -[frontend-demo-blog] -SERVE = http -HTTP_PORT = $PORT_INTERNAL_BLOG -BACKEND_URL = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/blog/ -BACKEND_APIKEY = secret-token:$(get_credential_pw merchant/blog) - -[frontend-demo-donations] -SERVE = http -HTTP_PORT = $PORT_INTERNAL_DONATIONS -BACKEND_URL_TOR = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/tor/ -BACKEND_APIKEY_TOR = secret-token:$(get_credential_pw merchant/tor) -BACKEND_URL_TALER = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/taler/ -BACKEND_APIKEY_TALER = secret-token:$(get_credential_pw merchant/taler) -BACKEND_URL_GNUNET = $PROTO://$MERCHANT_DOMAIN$PORT_SUFFIX/instances/gnunet/ -BACKEND_APIKEY_GNUNET = secret-token:$(get_credential_pw merchant/gnunet) -EOF - -# This really should not exist, the taler-merchant-frontends -# should be easier to configure! -cat <<EOF >/etc/taler/taler-merchant-frontends.env -TALER_ENV_URL_INTRO=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/ -TALER_ENV_URL_LANDING=$PROTO://$LANDING_DOMAIN$PORT_SUFFIX/ -TALER_ENV_URL_BANK=$PROTO://$BANK_DOMAIN$PORT_SUFFIX/ -TALER_ENV_URL_MERCHANT_BLOG=$PROTO://$BLOG_DOMAIN$PORT_SUFFIX/ -TALER_ENV_URL_MERCHANT_DONATIONS=$PROTO://$DONATIONS_DOMAIN$PORT_SUFFIX/ -EOF systemctl enable --now taler-demo-landing systemctl enable --now taler-demo-blog