sandcastle-ng

Scripts for the deployment of Sandcastle (GNU Taler)

commit 96f78414e91d2b5bbd68a7d35963e1bd744ccdf8
parent 09b5039ffa38546549fd17bfa7751882e1a0a08e
Author: Florian Dold <florian@dold.me>
Date:   Mon,  2 Dec 2024 22:39:08 +0100

config split, tweaks

Diffstat:
Mbuildconfig/exchange.tag | 2+-
Mscripts/demo/setup-sandcastle.sh | 146++++++++++++++++++++++++++++++++++++++-----------------------------------------
2 files changed, 72 insertions(+), 76 deletions(-)

diff --git a/buildconfig/exchange.tag b/buildconfig/exchange.tag
@@ -1 +1 @@
-v0.14.1-dev.12
+v0.14.1-dev.13
diff --git a/scripts/demo/setup-sandcastle.sh b/scripts/demo/setup-sandcastle.sh
@@ -99,48 +99,30 @@ systemctl reset-failed
 # postgres DB directory
 function lift_dir() {
- src=$1
- target=$2
+ where=$1
+ src=$2
+ target=$3
 if [[ -L $src ]]; then
 # be idempotent
 echo "$src is already a symlink"
- elif [[ -d /talerdata/$target ]]; then
- echo "symlinking existing /talerdata/$target"
+ elif [[ -d /$where/$target ]]; then
+ echo "symlinking existing /$where/$target"
 rm -rf "$src"
- ln -s "/talerdata/$target" "$src"
+ ln -s "/$where/$target" "$src"
 else
- echo "symlinking new /talerdata/$target"
- mv "$src" "/talerdata/$target"
- ln -s "/talerdata/$target" "$src"
+ echo "symlinking new /$where/$target"
+ mv "$src" "/$where/$target"
+ ln -s "/$where/$target" "$src"
 fi
 }
-function persist_exchange_key() {
- src=$1
- target=$2
- if [[ -L $src ]]; then
- # be idempotent
- echo "$src is already a symlink"
- elif [[ -d /talerdata_persistent/$target ]]; then
- echo "symlinking existing /talerdata_persistent/$target"
- rm -rf "$src"
- ln -s "/talerdata_persistent/$target" "$src"
- # if the directory is empty then we want to attempt to
- # move the keys over from the main data dir.
- # we check for an empty dir using "ls -A"
- elif [[ -z "$(ls -A /talerdata_persistent/$target)" ]]; then
- echo "symlinking new /talerdata_persistent/$target"
- mv "/talerdata/var-lib-taler/$target" "/talerdata_persistent/"
- ln -s "/talerdata_persistent/$target" "$src"
- fi
-}
-
-lift_dir /var/lib/taler var-lib-taler
-lift_dir /etc/taler etc-taler
-lift_dir /etc/libeufin etc-libeufin
-lift_dir /etc/taler etc-challenger
-lift_dir /var/lib/postgresql var-lib-postgresql
-persist_exchange_key /var/lib/taler/exchange-offline exchange-offline
+lift_dir talerdata /var/lib/taler-exchange var-lib-taler-exchange
+lift_dir talerdata /etc/taler-merchant etc-taler-merchant
+lift_dir talerdata /etc/taler-exchange etc-taler-exchange
+lift_dir talerdata /etc/taler-exchange etc-taler-auditor
+lift_dir talerdata /etc/libeufin etc-libeufin
+lift_dir talerdata /var/lib/postgresql var-lib-postgresql
+lift_dir talerdata_persistent /var/lib/taler-exchange/offline exchange-offline
 # We need to adjust file ownership, as the container might have different user and group
 # IDs than the volume. That can happen when the packages in the container are installed
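Review bot: The fourth `lift_dir` call passes `/etc/taler-exchange` as the source for the `etc-taler-auditor` target; the call just before it has already turned `/etc/taler-exchange` into a symlink, so this one takes the "already a symlink" branch and does nothing, and `/etc/taler-auditor` (which this commit later populates with conf.d and secrets files) is never moved onto the /talerdata volume. The line should read `lift_dir talerdata /etc/taler-auditor etc-taler-auditor`. Note also that replacing `persist_exchange_key` with `lift_dir` drops the empty-directory case the old comment describes: a pre-existing but empty `/talerdata_persistent/exchange-offline` now takes the `rm -rf "$src"` path and whatever is in the local offline directory is discarded rather than moved into the persistent volume, which is only safe if nothing has been generated there at this point in the script; a one-line comment stating that assumption would help the next reader.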
@@ -148,14 +130,15 @@ persist_exchange_key /var/lib/taler/exchange-offline exchange-offline
 # This is only relevant for non-root ownership.
 chown taler-exchange-offline:taler-exchange-offline /talerdata_persistent/exchange-offline
-chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler/exchange-offline/* || true
+chown --recursive taler-exchange-offline:taler-exchange-offline /var/lib/taler-exchange/offline/* || true
+
+chown --recursive taler-exchange-secmod-cs:taler-exchange-secmod /var/lib/taler-exchange/secmod-cs
+chown --recursive taler-exchange-secmod-rsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-rsa
+chown --recursive taler-exchange-secmod-eddsa:taler-exchange-secmod /var/lib/taler-exchange/secmod-eddsa
-chown --recursive taler-exchange-secmod-cs:taler-exchange-secmod /var/lib/taler/exchange-secmod-cs
-chown --recursive taler-exchange-secmod-rsa:taler-exchange-secmod /var/lib/taler/exchange-secmod-rsa
-chown --recursive taler-exchange-secmod-eddsa:taler-exchange-secmod /var/lib/taler/exchange-secmod-eddsa
+chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf
-chown root:taler-exchange-db /etc/taler/secrets/auditor-db.secret.conf
-chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf
+chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf
 # FIXME: More permissions to adjust!
@@ -188,11 +171,11 @@ cat <<EOF >/etc/caddy/Caddyfile
 # are reverse-proxied to serve on a TCP port.
 :$PORT_INTERNAL_EXCHANGE {
- reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
+ reverse_proxy unix//run/taler-exchange/httpd/exchange-http.sock
 }
 :$PORT_INTERNAL_MERCHANT {
- reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock {
+ reverse_proxy unix//run/taler-merchant/httpd/merchant-http.sock {
 # Set this, or otherwise wrong taler://pay URIs will be generated.
 header_up X-Forwarded-Proto "https"
 }
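Review bot: `chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf` runs here, near the top of the script, but the file at that path is only written by a heredoc this commit adds much later in the auditor setup section, so on a fresh container the chown fails with "no such file" unless the taler-auditor package happens to ship that file; whether the failure aborts the run depends on the script's `set -e` state, which is outside this hunk. The old code had the same ordering for the /etc/taler path, but since the path is being moved anyway this is the moment to put the ownership fix next to the file creation: drop this line and add `chmod 440 /etc/taler-auditor/secrets/auditor-db.secret.conf` and `chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf` directly after that heredoc, mirroring what the script does for exchange-db.secret.conf. The same observation applies to the `exchange-db.secret.conf` chown just above it, which is repeated after the file is created anyway.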
@@ -205,7 +188,7 @@ cat <<EOF >/etc/caddy/Caddyfile
 }
 :$PORT_INTERNAL_AUDITOR {
- reverse_proxy unix//run/taler/auditor-httpd/auditor-http.sock
+ reverse_proxy unix//run/taler-auditor/httpd/auditor-http.sock
 }
 :$PORT_INTERNAL_CHALLENGER {
@@ -246,12 +229,12 @@ https://$BANK_DOMAIN {
 https://$EXCHANGE_DOMAIN {
 tls internal
- reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
+ reverse_proxy unix//run/taler-exchange/httpd/exchange-http.sock
 }
 https://$MERCHANT_DOMAIN {
 tls internal
- reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock {
+ reverse_proxy unix//run/taler-merchant/httpd/merchant-http.sock {
 # Set this, or otherwise wrong taler://pay URIs will be generated.
 header_up X-Forwarded-Proto "https"
 }
@@ -259,7 +242,7 @@ https://$MERCHANT_DOMAIN {
 https://$AUDITOR_DOMAIN {
 tls internal
- reverse_proxy unix//run/taler/auditor-httpd/auditor-http.sock
+ reverse_proxy unix//run/taler-auditor/httpd/auditor-http.sock
 }
 https://$CHALLENGER_DOMAIN {
@@ -281,18 +264,18 @@ http://$BANK_DOMAIN$PORT_SUFFIX {
 }
 http://$EXCHANGE_DOMAIN$PORT_SUFFIX {
- reverse_proxy unix//run/taler/exchange-httpd/exchange-http.sock
+ reverse_proxy unix//run/taler-exchange/httpd/exchange-http.sock
 }
 http://$MERCHANT_DOMAIN$PORT_SUFFIX {
- reverse_proxy unix//run/taler/merchant-httpd/merchant-http.sock {
+ reverse_proxy unix//run/taler-exchange/httpd/merchant-http.sock {
 # Set this, or otherwise wrong taler://pay URIs will be generated.
 header_up X-Forwarded-Proto "https"
 }
 }
 http://$AUDITOR_DOMAIN$PORT_SUFFIX {
- reverse_proxy unix//run/taler/auditor-httpd/auditor-http.sock
+ reverse_proxy unix//run/taler-auditor/httpd/auditor-http.sock
 }
 http://$CHALLENGER_DOMAIN$PORT_SUFFIX {
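Review bot: In the `http://$MERCHANT_DOMAIN$PORT_SUFFIX` block the new socket path is `unix//run/taler-exchange/httpd/merchant-http.sock`, the merchant socket under the exchange's runtime directory; every other merchant block in this Caddyfile, including the `https://$MERCHANT_DOMAIN` one a few hunks up and the internal-port one, uses `unix//run/taler-merchant/httpd/merchant-http.sock`, so the plain-HTTP merchant vhost will proxy to a socket that is never created and return 502s. The line should be `reverse_proxy unix//run/taler-merchant/httpd/merchant-http.sock {`. The `cat <<EOF >/etc/caddy/Caddyfile` heredoc these blocks belong to starts before this hunk.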
@@ -470,12 +453,8 @@ MASTER_PUBLIC_KEY=$(sudo -i -u taler-exchange-offline taler-exchange-offline -LD
 EXCHANGE_DB=talerexchange
-# Generate /etc/taler/conf.d/setup.conf
-cat <<EOF >/etc/taler/conf.d/setup.conf
-[taler]
-CURRENCY = $CURRENCY
-CURRENCY_ROUND_UNIT = $CURRENCY:0.01
-
+# Generate /tmp/sandcastle-setup.conf
+cat <<EOF >/tmp/sandcastle-setup.conf
 [currency-$CURRENCY]
 ENABLED = YES
 name = "${NAME:=Kudos}"
@@ -486,8 +465,16 @@ fractional_normal_digits = ${FRACTIONALS:=2}
 fractional_trailing_zero_digits = ${FRACTIONALS:=2}
 is_currency_name_leading = NO
 alt_unit_names = {"0":"${ALT_UNIT_NAME:=ク}"}
+EOF
+
+cp /tmp/sandcastle-setup.conf /etc/taler-exchange/conf.d/sandcastle-setup.conf
+cp /tmp/sandcastle-setup.conf /etc/taler-merchant/conf.d/sandcastle-setup.conf
+
+cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-exchange.conf
 [exchange]
+CURRENCY = $CURRENCY
+CURRENCY_ROUND_UNIT = $CURRENCY:0.01
 AML_THRESHOLD = $CURRENCY:1000000
 MASTER_PUBLIC_KEY = $MASTER_PUBLIC_KEY
 BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
@@ -505,7 +492,7 @@ EOF
 if [[ ${ENABLE_KYC:-0} == 1 ]]; then
 # KYC config
- cat <<EOF >/etc/taler/conf.d/sandcastle-kyc.conf
+ cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-kyc.conf
 [exchange]
 enable_kyc = yes
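Review bot: The shared currency section is staged through the fixed path `/tmp/sandcastle-setup.conf` with a plain `>` redirect, so anything already sitting at that name in the world-writable /tmp (a symlink planted by another user, if the container ever runs non-root processes) is followed or overwritten by what is presumably a root-run script, and the file is left behind once the two `cp` calls in the next hunk have consumed it. Writing to the exchange location directly and copying from there removes the temporary file altogether: `cat <<EOF >/etc/taler-exchange/conf.d/sandcastle-setup.conf` here, with the later two cp lines replaced by `cp /etc/taler-exchange/conf.d/sandcastle-setup.conf /etc/taler-merchant/conf.d/sandcastle-setup.conf`. If a staging file is preferred, create it with `mktemp` and remove it after the copies.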
@@ -578,17 +565,17 @@ KYC_OAUTH2_CONVERTER_HELPER = taler-exchange-kyc-oauth2-challenger.sh
 EOF
 else
- rm -f /etc/taler/conf.d/sandcastle-kyc.conf
+ rm -f /etc/taler-exchange/conf.d/sandcastle-kyc.conf
 fi
-cat <<EOF >/etc/taler/secrets/exchange-db.secret.conf
+cat <<EOF >/etc/taler-exchange/secrets/exchange-db.secret.conf
 [exchangedb-postgres]
 CONFIG=postgres:///${EXCHANGE_DB}
 EOF
-chmod 440 /etc/taler/secrets/exchange-db.secret.conf
-chown root:taler-exchange-db /etc/taler/secrets/exchange-db.secret.conf
+chmod 440 /etc/taler-exchange/secrets/exchange-db.secret.conf
+chown root:taler-exchange-db /etc/taler-exchange/secrets/exchange-db.secret.conf
-cat <<EOF >/etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+cat <<EOF >/etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf
 [exchange-accountcredentials-default]
 WIRE_GATEWAY_URL = $PROTO://$BANK_DOMAIN$PORT_SUFFIX/accounts/exchange/taler-wire-gateway/
 WIRE_GATEWAY_AUTH_METHOD = basic
@@ -596,17 +583,15 @@ USERNAME = exchange
 PASSWORD = $(get_credential_pw bank/exchange)
 EOF
-# Allow group read for the auditor
-chmod 440 /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
-chown taler-exchange-wire:taler-exchange-db /etc/taler/secrets/exchange-accountcredentials-default.secret.conf
+chown taler-exchange-wire:taler-exchange-db /etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf
-if [[ ! -e /etc/taler/conf.d/$CURRENCY-coins.conf ]]; then
+if [[ ! -e /etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf ]]; then
 # Only create if necessary, as each [COIN-...] section
 # has a unique name with a timestamp.
 taler-harness deployment gen-coin-config \
 --min-amount "${CURRENCY}:0.01" \
 --max-amount "${CURRENCY}:100" \
- >"/etc/taler/conf.d/$CURRENCY-coins.conf"
+ >"/etc/taler-exchange/conf.d/sandcastle-$CURRENCY-coins.conf"
 fi
 # Add auditor user to DB group *before* running taler-exchange-dbconfig,
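Review bot: The `chmod 440` on `exchange-accountcredentials-default.secret.conf` is removed together with its comment while the `chown taler-exchange-wire:taler-exchange-db` is kept, so the file, which carries the wire-gateway `PASSWORD` from the heredoc just above, is now left with whatever mode the `cat <<EOF >` redirect created it with, typically 0644 under the default umask, i.e. readable by every account in the container unless the secrets directory itself denies traversal. The db secret a few lines earlier in this same hunk keeps its `chmod 440`, and this file holds the more sensitive credential; restore `chmod 440 /etc/taler-exchange/secrets/exchange-accountcredentials-default.secret.conf` immediately before the chown. If the mode was dropped on purpose because the package now sets it, a one-line comment saying so would stop the next reader from putting it back.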
@@ -616,8 +601,8 @@ usermod taler-auditor-httpd -aG taler-exchange-db
 echo "Initializing exchange database"
 taler-exchange-dbconfig
-taler-terms-generator -K -i /usr/share/taler/terms/exchange-tos-v0
-taler-terms-generator -K -i /usr/share/taler/terms/exchange-pp-v0
+taler-terms-generator -K -i /usr/share/taler-exchange/terms/exchange-tos-v0
+taler-terms-generator -K -i /usr/share/taler-exchange/terms/exchange-pp-v0
 systemctl enable --now taler-exchange.target
@@ -626,7 +611,7 @@ taler-harness deployment wait-endpoint $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/man
 sudo -i -u taler-exchange-offline \
 taler-exchange-offline \
- -c /etc/taler/taler.conf \
+ -c /etc/taler-exchange/taler-exchange.conf \
 download \
 sign \
 upload
@@ -644,15 +629,23 @@ systemctl enable --now taler-exchange-offline.timer
 # Set up exchange auditor
 #
+# Make sandcastle exchange config available to auditor
+cp /etc/taler-exchange/conf.d/sandcastle-exchange.conf /etc/taler-auditor/conf.d/sandcastle-exchange.conf
+
 # We run the offline tooling as root, maybe in the future there should be
 # a separate user created by the Debian package for that.
 AUDITOR_PUB=$(taler-auditor-offline setup)
-cat <<EOF >/etc/taler/conf.d/auditor.conf
+cat <<EOF >/etc/taler-auditor/conf.d/sandcastle-auditor.conf
 [auditor]
 PUBLIC_KEY = $AUDITOR_PUB
 EOF
+cat <<EOF >/etc/taler-auditor/secrets/auditor-db.secret.conf
+[auditordb-postgres]
+CONFIG=postgres:///${EXCHANGE_DB}
+EOF
+
 taler-auditor-dbconfig
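Review bot: The new `auditor-db.secret.conf` heredoc creates the file under /etc/taler-auditor/secrets with the default umask mode and never adjusts ownership afterwards; the only chown for that path sits near the top of the script, where the file does not yet exist on a fresh run, and there is no `chmod 440` for it anywhere in the diff. Mirror the exchange-db secret: right after this `EOF`, add `chmod 440 /etc/taler-auditor/secrets/auditor-db.secret.conf` and `chown root:taler-auditor-httpd /etc/taler-auditor/secrets/auditor-db.secret.conf`. Separately, `CONFIG=postgres:///${EXCHANGE_DB}` points the auditor at the exchange database rather than one of its own; if sharing the database is intentional for the sandcastle demo, a short comment above the heredoc would make clear it is not a copy-paste slip from the exchange secret.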
@@ -663,21 +656,22 @@ systemctl enable --now taler-auditor.target
 MERCHANT_DB=talermerchant
-cat <<EOF >/etc/taler/secrets/merchant-db.secret.conf
+cat <<EOF >/etc/taler-merchant/secrets/merchant-db.secret.conf
 [merchantdb-postgres]
 CONFIG=postgres:///${MERCHANT_DB}
 EOF
-chmod 440 /etc/taler/secrets/merchant-db.secret.conf
-chown taler-merchant-httpd:root /etc/taler/secrets/merchant-db.secret.conf
+chmod 440 /etc/taler-merchant/secrets/merchant-db.secret.conf
+chown taler-merchant-httpd:root /etc/taler-merchant/secrets/merchant-db.secret.conf
 taler-merchant-dbconfig
 # The config shipped with the package can conflict with the
 # trusted sandcastle exchange if the currency is KUDOS.
-rm -f /usr/share/taler/config.d/kudos.conf
+rm -f /usr/share/taler-exchange/config.d/kudos.conf
+rm -f /usr/share/taler-merchant/config.d/kudos.conf
-cat <<EOF >/etc/taler/conf.d/merchant-exchanges.conf
+cat <<EOF >/etc/taler-merchant/conf.d/sandcastle-merchant-exchanges.conf
 [merchant-exchange-sandcastle]
 EXCHANGE_BASE_URL = $PROTO://$EXCHANGE_DOMAIN$PORT_SUFFIX/
 MASTER_KEY = $MASTER_PUBLIC_KEY
@@ -758,6 +752,8 @@ taler-harness deployment provision-merchant-instance \
 --id sandbox \
 --payto "payto://iban/$MERCHANT_IBAN_SANDBOX?receiver-name=Sandbox+Merchant"
+mkdir /etc/taler
+
 # Now we set up the taler-merchant-demos
 cat <<EOF >/etc/taler/taler-merchant-frontends.conf