authorFlorian Dold <florian@dold.me>2021-07-29 13:41:49 +0200
committerFlorian Dold <florian@dold.me>2021-07-29 13:41:49 +0200
commita367347a54338641180083573698b1fb48aced55 (patch)
tree4e0310ab335b58e68b9711eb3b33fa1c620b8785
parent036d4cb71ac1abe1990c936ee1f3b2cbf15d14c1 (diff)
simplify configuration
-rw-r--r--debian/etc/taler/auditor-service-default.conf1
-rw-r--r--debian/etc/taler/conf.d/auditor-system.conf (renamed from debian/etc/taler/auditor-system.conf)8
-rw-r--r--debian/etc/taler/conf.d/exchange-business.conf (renamed from debian/etc/taler/exchange-business.conf)4
-rw-r--r--debian/etc/taler/conf.d/exchange-system.conf (renamed from debian/etc/taler/exchange-system.conf)14
-rw-r--r--debian/etc/taler/exchange-offline.conf8
-rw-r--r--debian/etc/taler/exchange-service-default.conf10
-rw-r--r--debian/etc/taler/exchange-service-secmod.conf9
-rw-r--r--debian/etc/taler/exchange-service-wire.conf12
-rw-r--r--debian/etc/taler/secrets/auditor-db.secret.conf10
-rw-r--r--debian/etc/taler/secrets/exchange-accounts.secret.conf (renamed from debian/etc/taler/exchange-wire-gateway.conf)17
-rw-r--r--debian/etc/taler/secrets/exchange-db.secret.conf (renamed from debian/etc/taler/exchange-db.conf)2
-rw-r--r--debian/etc/taler/taler.conf29
-rw-r--r--debian/taler-auditor.taler-auditor-httpd.service2
-rw-r--r--debian/taler-exchange-offline.postinst16
-rw-r--r--debian/taler-exchange.postinst10
-rw-r--r--debian/taler-exchange.taler-exchange-aggregator.service2
-rw-r--r--debian/taler-exchange.taler-exchange-closer.service2
-rw-r--r--debian/taler-exchange.taler-exchange-httpd.service2
-rw-r--r--debian/taler-exchange.taler-exchange-secmod-eddsa.service2
-rw-r--r--debian/taler-exchange.taler-exchange-secmod-rsa.service2
-rw-r--r--debian/taler-exchange.taler-exchange-transfer.service2
-rw-r--r--debian/taler-exchange.taler-exchange-wirewatch.service2
-rw-r--r--debian/taler-exchange.tmpfiles4
23 files changed, 82 insertions, 88 deletions
diff --git a/debian/etc/taler/auditor-service-default.conf b/debian/etc/taler/auditor-service-default.conf
deleted file mode 100644
index 259c4359d..000000000
--- a/debian/etc/taler/auditor-service-default.conf
+++ /dev/null
@@ -1 +0,0 @@
-@INLINE@ auditor-system.conf
diff --git a/debian/etc/taler/auditor-system.conf b/debian/etc/taler/conf.d/auditor-system.conf
index 50971b2ef..3d3aef33a 100644
--- a/debian/etc/taler/auditor-system.conf
+++ b/debian/etc/taler/conf.d/auditor-system.conf
@@ -1,8 +1,6 @@
-[PATHS]
-
-# Move runtime data "tmp" directory to /var/lib/taler-auditor/
-# to possibly provide additional protection from unwarranted access.
-TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ auditordb-postgres ../secrets/auditor-db.secret.conf
[auditor]
# Debian package is configured to use a reverse proxy with a UNIX
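Review bot: The `[PATHS]` override `TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/` is removed without a replacement in this hunk, and its own comment said it existed to keep runtime data away from unwarranted access, so the new side falls back to whatever default runtime directory the auditor picks. The same removal happens for `/run/taler-exchange-private` in the exchange-system.conf hunk, and the tmpfiles entry that created `/var/taler-exchange` (mode 2660) for the secmod sockets is deleted, so it is no longer visible from the packaging where those sockets and temporary files live or who can read them. If the defaults are intended, a one-line comment such as `# Runtime directory is left at the package default; set TALER_RUNTIME_DIR here if it must be private.` would record the decision. The `@inline-secret@` path `../secrets/auditor-db.secret.conf` presumably resolves relative to the new conf.d/ location; worth confirming that is what the directive does.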
diff --git a/debian/etc/taler/exchange-business.conf b/debian/etc/taler/conf.d/exchange-business.conf
index 669ed4546..ecd010da1 100644
--- a/debian/etc/taler/exchange-business.conf
+++ b/debian/etc/taler/conf.d/exchange-business.conf
@@ -1,8 +1,6 @@
# Configuration for business-level aspects of the exchange.
-[taler]
-# Here you need to set the currency of your exchange:
-# CURRENCY = KUDOS
+[exchange]
# Here you MUST add the master public key of the offline system
# which you can get using `taler-exchange-offline setup`.
diff --git a/debian/etc/taler/exchange-system.conf b/debian/etc/taler/conf.d/exchange-system.conf
index 2b7f34304..6df381eef 100644
--- a/debian/etc/taler/exchange-system.conf
+++ b/debian/etc/taler/conf.d/exchange-system.conf
@@ -1,13 +1,9 @@
-# Configuration settings for system parameters of
-# the exchange. Should be included in all service-specific
-# configuration files for the exchange.
-#
-# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.
-
-[PATHS]
-
-TALER_RUNTIME_DIR = /run/taler-exchange-private
+# Configuration settings for system parameters of the exchange.
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ exchange-account-1 ../secrets/exchange-accounts.secret.conf
+@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf
[exchange]
# Debian package is configured to use a reverse proxy with a UNIX
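Review bot: The pointer `# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.` is dropped from the file header and does not reappear in taler.conf within this commit; a system-parameter file an administrator will open is where that pointer helps most, so keep it under the new first comment line. The `@inline-secret@` line hard-codes the single section name `exchange-account-1`; a comment stating that each additional account needs its own `@inline-secret@` line would keep a two-account deployment from silently losing one, assuming the directive only inlines the named section (not visible here).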
diff --git a/debian/etc/taler/exchange-offline.conf b/debian/etc/taler/exchange-offline.conf
deleted file mode 100644
index c1c039f91..000000000
--- a/debian/etc/taler/exchange-offline.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# This configuration file is the entry point for the offline key management.
-#
-# It includes other configuration files, which are applied on top of the
-# read-only base configuration (typically in /usr/share/taler/config.d/).
-
-# This file should be identical to the business configuration of the running
-# online exchange
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-default.conf b/debian/etc/taler/exchange-service-default.conf
deleted file mode 100644
index 4e3981004..000000000
--- a/debian/etc/taler/exchange-service-default.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# This configuration file is the entry point for most
-# Taler exchange services.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-secmod.conf b/debian/etc/taler/exchange-service-secmod.conf
deleted file mode 100644
index 5f5c012c6..000000000
--- a/debian/etc/taler/exchange-service-secmod.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# This configuration file is the entry point for the exchange
-# security modules.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-wire.conf b/debian/etc/taler/exchange-service-wire.conf
deleted file mode 100644
index ed25e381c..000000000
--- a/debian/etc/taler/exchange-service-wire.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# This configuration file is the entry point for
-# Taler exchange services that access the wire gateway,
-# i.e. the protocol bridge to core banking functionality.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf
-@INLINE@ exchange-wire-gateway.conf
diff --git a/debian/etc/taler/secrets/auditor-db.secret.conf b/debian/etc/taler/secrets/auditor-db.secret.conf
new file mode 100644
index 000000000..b81bb817f
--- /dev/null
+++ b/debian/etc/taler/secrets/auditor-db.secret.conf
@@ -0,0 +1,10 @@
+# Database configuration for the Taler auditor.
+
+[auditordb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///DATABASE
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
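Review bot: `CONFIG=postgres:///DATABASE` is now an active assignment while the surrounding text still reads as an example ("of the form:"), so a fresh install points the auditor at a database literally named DATABASE until the administrator edits the file; the exchange-db.secret.conf hunk makes the same change. Either keep the line commented and say so, or reword the comment to `# Replace DATABASE with the name of the auditor database:`. Nothing in this commit sets restrictive permissions on this new file: taler-exchange.postinst gains `fixperm` calls for the two exchange secret files, but no auditor counterpart is visible, so unless debian/taler-auditor.postinst (outside this diff) handles it, a file the tree labels as a secret ships with default package permissions. The `secrets/` directory itself gets no mode in either postinst hunk; this may be handled elsewhere in the packaging, which the diff does not show.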
diff --git a/debian/etc/taler/exchange-wire-gateway.conf b/debian/etc/taler/secrets/exchange-accounts.secret.conf
index e5c749c88..7b6c649fd 100644
--- a/debian/etc/taler/exchange-wire-gateway.conf
+++ b/debian/etc/taler/secrets/exchange-accounts.secret.conf
@@ -2,3 +2,20 @@
# by the Taler exchange to talk to LibEuFin to interact with the bank.
# The file SHOULD only be readable for the "taler-exchange-wire" user,
# as other users/services have no business talking to the bank.
+
+
+[exchange-account-1]
+enable_credit = yes
+
+enable_debit = yes
+
+wire_gateway_auth_method = basic
+
+password =
+
+username =
+
+wire_gateway_url =
+
+payto_uri =
+
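Review bot: The new `[exchange-account-1]` section enables both credit and debit with `wire_gateway_auth_method = basic` while `username`, `password`, `wire_gateway_url` and `payto_uri` are all empty, and nothing in the hunk says these are placeholders the administrator must fill in; the file header (partly outside the hunk) only covers who may read the file. A comment above the section such as `# Fill in the wire gateway URL and credentials below before starting the wire services.` would make that explicit. Stylistically, the blank line after every key and the two trailing blank lines at the end of the file are unusual for the other snippets in this commit; grouping the placeholder keys without separating blank lines reads cleaner.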
diff --git a/debian/etc/taler/exchange-db.conf b/debian/etc/taler/secrets/exchange-db.secret.conf
index a7a727b62..596dcc92b 100644
--- a/debian/etc/taler/exchange-db.conf
+++ b/debian/etc/taler/secrets/exchange-db.secret.conf
@@ -4,7 +4,7 @@
# Typically, there should only be a single line here, of the form:
-# CONFIG=postgres:///DATABASE
+CONFIG=postgres:///DATABASE
# The details of the URI depend on where the database lives and how
# access control was configured.
diff --git a/debian/etc/taler/taler.conf b/debian/etc/taler/taler.conf
new file mode 100644
index 000000000..27ccf47d2
--- /dev/null
+++ b/debian/etc/taler/taler.conf
@@ -0,0 +1,29 @@
+# Main entry point for the GNU Taler configuration.
+#
+# Structure:
+# - taler.conf is the main configuration entry point
+# used by all Taler components
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it.
+
+[taler]
+
+# Currency of the Taler deployment. This setting applies to all Taler
+# components that only support a single currency.
+#currency = KUDOS
+
+# Smallest currency unit handled by the underlying bank system. Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+#currency_round_unit = KUDOS:0.01
+
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf
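Review bot: `@inline-matching@ conf.d/*.conf` pulls every matching file in conf.d/ into the configuration of every Taler component, and the header describes those files as readable by all users; the commit does not show who owns or may write to conf.d/, which is what decides whether a non-root service user could add settings seen by every other service. Worth stating the expectation in the header, e.g. `# conf.d/ and the files in it must only be writable by root.` Whether the glob's inclusion order is deterministic is not visible here; if later files override earlier ones, a note that name sort order is the precedence rule would help. Minor wording in the header: `can read it` should be `can read them`.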
diff --git a/debian/taler-auditor.taler-auditor-httpd.service b/debian/taler-auditor.taler-auditor-httpd.service
index c5e1970c8..9aefab641 100644
--- a/debian/taler-auditor.taler-auditor-httpd.service
+++ b/debian/taler-auditor.taler-auditor-httpd.service
@@ -6,7 +6,7 @@ After=postgres.service network.target
User=taler-auditor-httpd
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler-auditor.conf
+ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler/taler.conf
[Install]
WantedBy=multi-user.target
diff --git a/debian/taler-exchange-offline.postinst b/debian/taler-exchange-offline.postinst
index a0659232a..b93761de1 100644
--- a/debian/taler-exchange-offline.postinst
+++ b/debian/taler-exchange-offline.postinst
@@ -1,4 +1,3 @@
-#!/bin/bash
set -e
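Review bot: The `#!/bin/bash` interpreter line is removed and, as far as the hunk shows, nothing replaces it, so `set -e` becomes the first line of the maintainer script; dpkg executes maintainer scripts directly, so the file needs an interpreter line unless debhelper is relied on to prepend one when it installs the script. If that reliance is intended, it is worth a comment at the top of the file; otherwise restore `#!/bin/bash` (or `#!/bin/sh` if the remaining script is POSIX-clean). The `case` statement that follows starts outside this hunk.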
@@ -6,16 +5,6 @@ set -e
TALER_HOME="/var/lib/taler-exchange"
-# usage: lncfg user home target
-function lncfg() {
- local cf=$TALER_HOME/$2/.config
- if [ ! -e $cf ]; then
- mkdir $cf
- chown $(stat -L -c %u $TALER_HOME/$2):$(stat -L -c %g $TALER_HOME/$2) $cf
- fi
- ln -sf $3 $cf/taler.conf
-}
-
case "${1}" in
configure)
@@ -29,11 +18,6 @@ configure)
--home ${TALER_HOME}/offline taler-exchange-offline
fi
- lncfg taler-exchange-offline offline /etc/taler/exchange-offline.conf
-
- echo "All done."
- ;;
-
abort-upgrade | abort-remove | abort-deconfigure) ;;
*)
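Review bot: The removed block includes the `;;` that terminated the `configure)` branch, and the remaining context shows `fi` followed directly by `abort-upgrade | abort-remove | abort-deconfigure) ;;`, so unless a `;;` sits on a context line not shown here the new side is a shell syntax error (the `)` is unexpected). Keep a terminator after the branch, i.e. `fi` followed by `;;` before the next pattern. With `lncfg` gone (previous hunk) the offline user no longer gets a `~/.config/taler.conf` symlink, so `taler-exchange-offline` must find `/etc/taler/taler.conf` on its own; that cannot be verified from this diff.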
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
index 18f140f5c..a5a2b97a3 100644
--- a/debian/taler-exchange.postinst
+++ b/debian/taler-exchange.postinst
@@ -15,6 +15,12 @@ _ESECUSERNAME=taler-exchange-secmod-eddsa
_AGGRUSERNAME=taler-exchange-aggregator
_WIREUSERNAME=taler-exchange-wire
+# usage: fixperm user:group perms file
+function fixperm() {
+ chown "$1" "$3"
+ chmod "$2" "$3"
+}
+
case "${1}" in
configure)
@@ -50,8 +56,8 @@ configure)
adduser --quiet ${_AGGRUSERNAME} ${_DBGROUPNAME}
fi
- fixperm ${_WIREUSERNAME}:root 460 /etc/taler/exchange-wire-gateway.conf
- fixperm root:${_DBGROUPNAME} 640 /etc/taler/exchange-db.conf
+ fixperm ${_WIREUSERNAME}:root 460 /etc/taler/secrets/exchange-accounts.secret.conf
+ fixperm root:${_DBGROUPNAME} 640 /etc/taler/secrets/exchange-db.secret.conf
;;
diff --git a/debian/taler-exchange.taler-exchange-aggregator.service b/debian/taler-exchange.taler-exchange-aggregator.service
index b7010973a..daee1d0ba 100644
--- a/debian/taler-exchange.taler-exchange-aggregator.service
+++ b/debian/taler-exchange.taler-exchange-aggregator.service
@@ -6,7 +6,7 @@ PartOf=taler-exchange.service
User=taler-exchange-aggregator
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/taler.conf
StandardOutput=journal
StandardError=journal
PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-closer.service b/debian/taler-exchange.taler-exchange-closer.service
index c4a8f2c42..3698a73ae 100644
--- a/debian/taler-exchange.taler-exchange-closer.service
+++ b/debian/taler-exchange.taler-exchange-closer.service
@@ -6,7 +6,7 @@ PartOf=taler-exchange.service
User=taler-exchange-closer
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/taler.conf
StandardOutput=journal
StandardError=journal
PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-httpd.service b/debian/taler-exchange.taler-exchange-httpd.service
index c0f03cff3..ae7947853 100644
--- a/debian/taler-exchange.taler-exchange-httpd.service
+++ b/debian/taler-exchange.taler-exchange-httpd.service
@@ -10,7 +10,7 @@ PartOf=taler-exchange.service
User=taler-exchange-httpd
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/taler.conf
StandardOutput=journal
StandardError=journal
PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-secmod-eddsa.service b/debian/taler-exchange.taler-exchange-secmod-eddsa.service
index b91a742d2..3ca329aa9 100644
--- a/debian/taler-exchange.taler-exchange-secmod-eddsa.service
+++ b/debian/taler-exchange.taler-exchange-secmod-eddsa.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
User=taler-exchange-secmod-eddsa
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/exchange-service-secmod.conf
+ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/taler.conf
StandardOutput=journal
StandardError=journal
PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-secmod-rsa.service b/debian/taler-exchange.taler-exchange-secmod-rsa.service
index 2b45df460..bd72d4de7 100644
--- a/debian/taler-exchange.taler-exchange-secmod-rsa.service
+++ b/debian/taler-exchange.taler-exchange-secmod-rsa.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
User=taler-exchange-secmod-rsa
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/exchange-service-secmod.conf
+ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.con
StandardOutput=journal
StandardError=journal
PrivateTmp=no
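Review bot: The new `ExecStart` line points at `/etc/taler/taler.con`, missing the final `f`; every other service file in this commit uses `/etc/taler/taler.conf`, so the RSA security module would be started with a nonexistent configuration path. Change the line to `ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.conf`.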
diff --git a/debian/taler-exchange.taler-exchange-transfer.service b/debian/taler-exchange.taler-exchange-transfer.service
index 782762335..bd60a8a42 100644
--- a/debian/taler-exchange.taler-exchange-transfer.service
+++ b/debian/taler-exchange.taler-exchange-transfer.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
User=taler-exchange-wire
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/exchange-service-wire.conf
+ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/taler.conf
StandardOutput=journal
StandardError=journal
PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-wirewatch.service b/debian/taler-exchange.taler-exchange-wirewatch.service
index ba54770f8..2e2fb1b75 100644
--- a/debian/taler-exchange.taler-exchange-wirewatch.service
+++ b/debian/taler-exchange.taler-exchange-wirewatch.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
User=taler-exchange-wire
Type=simple
Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/exchange-service-wire.conf
+ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/taler.conf
StandardOutput=journal
StandardError=journal
PrivateTmp=yes
diff --git a/debian/taler-exchange.tmpfiles b/debian/taler-exchange.tmpfiles
deleted file mode 100644
index 382295932..000000000
--- a/debian/taler-exchange.tmpfiles
+++ /dev/null
@@ -1,4 +0,0 @@
-# Type Path Mode User Group Age Argument
-
-# Directory for secmod server and client sockets
-d /var/taler-exchange 2660 root taler-exchange-secmod - -