authorFlorian Dold <florian@dold.me>2024-11-26 22:09:05 +0100
committerFlorian Dold <florian@dold.me>2024-11-26 22:09:05 +0100
commit4a6a7f66b791931f405be2c616ca9d316b9773ee (patch)
tree36a9fc1b7ca06fd8071fc14a42f84917d60931c6 /debian
parentff469f5a429f474e85584f31ac97867d08387f06 (diff)
debian: auditor config
Diffstat (limited to 'debian')
-rw-r--r--debian/.gitignore44
-rw-r--r--debian/etc-taler-auditor/taler-auditor/conf.d/exchange-business.conf47
-rw-r--r--debian/etc-taler-auditor/taler-auditor/conf.d/exchange-coins.conf33
-rw-r--r--debian/etc-taler-auditor/taler-auditor/conf.d/exchange-system.conf14
-rw-r--r--debian/etc-taler-auditor/taler-auditor/overrides.conf1
-rw-r--r--debian/etc-taler-auditor/taler-auditor/secrets/auditor-db.secret.conf13
-rw-r--r--debian/etc-taler-auditor/taler-auditor/secrets/exchange-accountcredentials-1.secret.conf17
-rw-r--r--debian/etc-taler-auditor/taler-auditor/taler-auditor.conf35
-rw-r--r--debian/taler-auditor.postinst14
-rw-r--r--debian/taler-auditor.postrm2
-rw-r--r--debian/taler-exchange.postinst8
11 files changed, 195 insertions, 33 deletions
diff --git a/debian/.gitignore b/debian/.gitignore
index f3ddfd1d2..26596372b 100644
--- a/debian/.gitignore
+++ b/debian/.gitignore
@@ -1,23 +1,23 @@
-.debhelper/
-autoreconf.after
-autoreconf.before
-debhelper-build-stamp
-files
+/.debhelper/
+/autoreconf.after
+/autoreconf.before
+/debhelper-build-stamp
+/files
*.log
-libtalerexchange.substvars
-libtalerexchange/
-taler-exchange-dev.substvars
-taler-exchange-dev/
-taler-exchange.substvars
-taler-exchange/
-taler-exchange-database/
-tmp/
-libtalerexchange-dev.substvars
-libtalerexchange-dev/
-taler-auditor.postrm.debhelper
-taler-auditor.substvars
-taler-auditor/
-taler-exchange.postrm.debhelper
-*.debhelper
-*.substvars
-taler-exchange-offline
+/libtalerexchange.substvars
+/libtalerexchange/
+/taler-exchange-dev.substvars
+/taler-exchange-dev/
+/taler-exchange.substvars
+/taler-exchange/
+/taler-exchange-database/
+/tmp/
+/libtalerexchange-dev.substvars
+/libtalerexchange-dev/
+/taler-auditor.postrm.debhelper
+/taler-auditor.substvars
+/taler-auditor/
+/taler-exchange.postrm.debhelper
+/*.debhelper
+/*.substvars
+/taler-exchange-offline
diff --git a/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-business.conf b/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-business.conf
new file mode 100644
index 000000000..c48cb5c96
--- /dev/null
+++ b/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-business.conf
@@ -0,0 +1,47 @@
+# Configuration for business-level aspects of the exchange.
+
+[exchange]
+
+# Here you MUST add the master public key of the offline system
+# which you can get using `taler-exchange-offline setup`.
+# This is just an example, your key will be different!
+# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
+# MASTER_PUBLIC_KEY =
+
+# Publicly visible base URL of the exchange.
+# BASE_URL = https://example.com/
+# BASE_URL =
+
+# Here you MUST configure the amount above which transactions are
+# always subject to manual AML review.
+# AML_THRESHOLD =
+
+# Attribute encryption key for storing attributes encrypted
+# in the database. Should be a high-entropy nonce.
+ATTRIBUTE_ENCRYPTION_KEY = SET_ME_PLEASE
+
+# For your terms of service and privacy policy, you should specify
+# an Etag that must be updated whenever there are significant
+# changes to either document. The format is up to you, what matters
+# is that the value is updated and never re-used. See the HTTP
+# specification on Etags.
+# TERMS_ETAG =
+# PRIVACY_ETAG =
+
+# Bank accounts used by the exchange should be specified here:
+[exchange-account-1]
+
+ENABLE_CREDIT = NO
+ENABLE_DEBIT = NO
+
+# Account identifier in the form of an RFC-8905 payto:// URI.
+# For SEPA, looks like payto://sepa/$IBAN?receiver-name=$NAME
+# Make sure to URL-encode spaces in $NAME!
+PAYTO_URI =
+
+# Credentials to access the account are in a separate
+# config file with restricted permissions.
+@inline-secret@ exchange-accountcredentials-1 ../secrets/exchange-accountcredentials-1.secret.conf
+
+
+
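Review bot: `ATTRIBUTE_ENCRYPTION_KEY = SET_ME_PLEASE` ships a live, known value for a key the comment above it describes as encrypting attributes stored in the database, and it sits in conf.d/, which taler-auditor.conf in this same commit describes as readable by all users of the system. An installation that is not hand-edited therefore runs with a predictable key that any local account can read. Consider keeping only a commented `# ATTRIBUTE_ENCRYPTION_KEY =` here, as is done for MASTER_PUBLIC_KEY and BASE_URL, and placing the real value in a secrets/ snippet pulled in with `@inline-secret@` like the account credentials at the end of this file. Whether an unset key is rejected at startup is not visible in this diff, so that should be confirmed before relying on it.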
diff --git a/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-coins.conf b/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-coins.conf
new file mode 100644
index 000000000..8294525cb
--- /dev/null
+++ b/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-coins.conf
@@ -0,0 +1,33 @@
+#
+# This configuration file specifies the various denominations offered by your
+# exchange.
+#
+# Each denomination must be specified in a sections starting with
+# "coin_".
+#
+# What follows is an example.
+#
+
+# [coin_FOO]
+## Actual value of the coin
+#VALUE = KUDOS:1
+
+## How long will one key be used for withdrawals?
+#DURATION_WITHDRAW = 7 days
+
+## How long do users have to spend their coins?
+#DURATION_SPEND = 2 years
+
+## How long does the exchange keep the proofs around for legal disputes?
+#DURATION_LEGAL = 6 years
+
+## Fees charged. Note that for the lowest denomination, the
+## fee must precisely be the lowest denomination, or zero.
+#FEE_WITHDRAW = KUDOS:0
+#FEE_DEPOSIT = KUDOS:0
+#FEE_REFRESH = KUDOS:0
+#FEE_REFUND = KUDOS:0
+
+## How long should the RSA keys be. Do not change unless you really know
+## what you are doing (consult your local cryptographer first!).
+#RSA_KEYSIZE = 2048
diff --git a/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-system.conf b/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-system.conf
new file mode 100644
index 000000000..af37f1913
--- /dev/null
+++ b/debian/etc-taler-auditor/taler-auditor/conf.d/exchange-system.conf
@@ -0,0 +1,14 @@
+# Configuration settings for system parameters of the exchange.
+
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf
+
+[exchange]
+
+# Only supported database is Postgres right now.
+DATABASE = postgres
+
+SERVE = unix
+UNIXPATH_MODE = 666
+
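Review bot: `@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf` points at a file this commit does not add — the secrets/ directory only receives auditor-db.secret.conf and exchange-accountcredentials-1.secret.conf — so on a plain taler-auditor install the include is dangling unless the directive tolerates a missing file, which the comment above it only hints at. Either ship that file or point the directive at the auditor's own snippet and say so in the comment. Separately, `UNIXPATH_MODE = 666` makes the exchange's unix socket connectable by every local user; if the auditor package never runs an exchange listener, the `SERVE`/`UNIXPATH_MODE` lines are dead template text and could be dropped, and if it does, a group-restricted mode with the clients in that group is the safer default.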
diff --git a/debian/etc-taler-auditor/taler-auditor/overrides.conf b/debian/etc-taler-auditor/taler-auditor/overrides.conf
new file mode 100644
index 000000000..60296ead4
--- /dev/null
+++ b/debian/etc-taler-auditor/taler-auditor/overrides.conf
@@ -0,0 +1 @@
+# This configuration will be changed by tooling. Do not touch it manually.
diff --git a/debian/etc-taler-auditor/taler-auditor/secrets/auditor-db.secret.conf b/debian/etc-taler-auditor/taler-auditor/secrets/auditor-db.secret.conf
new file mode 100644
index 000000000..75b91fdb3
--- /dev/null
+++ b/debian/etc-taler-auditor/taler-auditor/secrets/auditor-db.secret.conf
@@ -0,0 +1,13 @@
+# Database configuration for the Taler auditor.
+
+# In a simple setup, it points to the same database
+# that the exchange uses.
+
+[auditordb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///taler-exchange
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
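Review bot: `CONFIG=postgres:///taler-exchange` is the only key in these new config files written without spaces around `=`; the other snippets use `KEY = value`, so `CONFIG = postgres:///taler-exchange` would keep the style uniform. The comment above it also announces "a single line here, of the form:" and is then separated from that line by a blank, which reads as if the example were missing; placing the key directly under the comment fixes that.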
diff --git a/debian/etc-taler-auditor/taler-auditor/secrets/exchange-accountcredentials-1.secret.conf b/debian/etc-taler-auditor/taler-auditor/secrets/exchange-accountcredentials-1.secret.conf
new file mode 100644
index 000000000..8c8d14320
--- /dev/null
+++ b/debian/etc-taler-auditor/taler-auditor/secrets/exchange-accountcredentials-1.secret.conf
@@ -0,0 +1,17 @@
+# This file contains the secret credentials
+# to access the Taler Wire Gateway API (usually
+# provided by LibEuFin) for the exchange accounts.
+#
+# Each exchange-account-* section should have a matching
+# exchange-accountcredentials-* section here.
+#
+# Each of those sections must be imported via @inline-secret@,
+# usually in conf.d/exchange-business.conf.
+
+[exchange-accountcredentials-1]
+
+wire_gateway_auth_method = basic
+password =
+username =
+wire_gateway_url =
+
diff --git a/debian/etc-taler-auditor/taler-auditor/taler-auditor.conf b/debian/etc-taler-auditor/taler-auditor/taler-auditor.conf
new file mode 100644
index 000000000..ea6a2934b
--- /dev/null
+++ b/debian/etc-taler-auditor/taler-auditor/taler-auditor.conf
@@ -0,0 +1,35 @@
+# Main entry point for the GNU Taler auditor configuration.
+#
+# Structure:
+# - taler-auditor.conf is the main configuration entry point
+# used by the taler-auditor component (the file you are currently
+# looking at.
+# - overrides.conf contains configuration overrides that are
+# set by some tools that help with the configuration,
+# and should not be edited by humans. Comments in this file
+# are not preserved.
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration.
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it. All files in it should end with
+# ".secret.conf".
+
+[exchange]
+
+#currency = KUDOS
+
+# Smallest currency unit handled by the underlying bank system. Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+#currency_round_unit = KUDOS:0.01
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf
+
+# Overrides from tools that help with configuration.
+@inline@ overrides.conf
diff --git a/debian/taler-auditor.postinst b/debian/taler-auditor.postinst
index 847e4aac1..e624c6df3 100644
--- a/debian/taler-auditor.postinst
+++ b/debian/taler-auditor.postinst
@@ -9,6 +9,12 @@ TALER_HOME="/var/lib/taler-auditor"
_USERNAME=taler-auditor-httpd
_GROUPNAME=taler-auditor-httpd
+function mark_secret() {
+ if ! dpkg-statoverride --list "$1" >/dev/null 2>&1; then
+ dpkg-statoverride --add --update ${_USERNAME} ${_GROUPNAME} 640 "$1"
+ fi
+}
+
case "${1}" in
configure)
# Creating taler groups as needed
@@ -20,12 +26,8 @@ configure)
adduser --quiet --system --ingroup ${_GROUPNAME} --no-create-home --home ${TALER_HOME} ${_USERNAME}
fi
- if ! dpkg-statoverride --list /etc/taler/secrets/auditor-db.secret.conf >/dev/null 2>&1
- then
- dpkg-statoverride --add --update \
- ${_USERNAME} ${_GROUPNAME} 640 \
- /etc/taler/secrets/auditor-db.secret.conf
- fi
+ mark_secret /etc/taler-auditor/secrets/auditor-db.secret.conf
+ mark_secret /etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf
;;
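Review bot: `mark_secret /etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf` targets a path owned by the taler-exchange package (its postinst in this same commit registers an override there with `${_WIREUSERNAME} root`), while the credentials snippet this package ships under debian/etc-taler-auditor/ — presumably installed to /etc/taler-auditor/secrets/ — gets no override at all. Because both scripts guard with `dpkg-statoverride --list`, whichever package configures first wins, so installing taler-auditor first would leave the exchange's wire user unable to read its own credentials. The line should read `mark_secret /etc/taler-auditor/secrets/exchange-accountcredentials-1.secret.conf`. The `function mark_secret()` form is a bash extension; the shebang is outside this hunk, but if it is `/bin/sh` the portable `mark_secret() {` spelling avoids a parse error under dash.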
diff --git a/debian/taler-auditor.postrm b/debian/taler-auditor.postrm
index 639e3241e..4537eae8d 100644
--- a/debian/taler-auditor.postrm
+++ b/debian/taler-auditor.postrm
@@ -12,7 +12,7 @@ _GROUPNAME=taler-auditor-httpd
case "${1}" in
purge)
dpkg-statoverride --remove \
- /etc/taler/secrets/auditor-db.secret.conf || true
+ /etc/taler/taler-auditor/secrets/auditor-db.secret.conf || true
deluser --system --quiet ${_USERNAME} || true
delgroup --only-if-empty --quiet ${_GROUPNAME} || true
;;
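Review bot: `/etc/taler/taler-auditor/secrets/auditor-db.secret.conf` does not match the path registered by taler-auditor.postinst in this commit (`/etc/taler-auditor/secrets/auditor-db.secret.conf`), and the `|| true` hides the resulting failure, so a purge leaves the override registered. The second override added in postinst has no `--remove` counterpart here either. Each `mark_secret` path in postinst needs a matching `dpkg-statoverride --remove <same path> || true` in this purge branch, starting with `/etc/taler-auditor/secrets/auditor-db.secret.conf`.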
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
index 7509a7749..74d4754a2 100644
--- a/debian/taler-exchange.postinst
+++ b/debian/taler-exchange.postinst
@@ -59,16 +59,16 @@ configure)
adduser --quiet ${_EXPIUSERNAME} ${_DBGROUPNAME}
fi
- if ! dpkg-statoverride --list /etc/taler/secrets/exchange-accountcredentials-1.secret.conf >/dev/null 2>&1; then
+ if ! dpkg-statoverride --list /etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf >/dev/null 2>&1; then
dpkg-statoverride --add --update \
${_WIREUSERNAME} root 640 \
- /etc/taler/secrets/exchange-accountcredentials-1.secret.conf
+ /etc/taler-exchange/secrets/exchange-accountcredentials-1.secret.conf
fi
- if ! dpkg-statoverride --list /etc/taler/secrets/exchange-db.secret.conf >/dev/null 2>&1; then
+ if ! dpkg-statoverride --list /etc/taler-exchange/secrets/exchange-db.secret.conf >/dev/null 2>&1; then
dpkg-statoverride --add --update \
root ${_DBGROUPNAME} 640 \
- /etc/taler/secrets/exchange-db.secret.conf
+ /etc/taler-exchange/secrets/exchange-db.secret.conf
fi
;;
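Review bot: Switching the two override paths from /etc/taler/secrets/ to /etc/taler-exchange/secrets/ leaves any override registered under the old path by a previous version in place on upgrade; nothing in this hunk removes it, and this package's postrm is not in the diff, so I cannot tell whether purge covers it. A `dpkg-statoverride --remove /etc/taler/secrets/exchange-db.secret.conf || true` (and the same for exchange-accountcredentials-1.secret.conf) in the `configure` branch, guarded on an old version being present in `$2`, would clean up the stale entries. The enclosing case statement starts and ends outside this hunk.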