author | Florian Dold <florian@dold.me> | 2021-07-16 17:16:38 +0200 |
---|---|---|
committer | Florian Dold <florian@dold.me> | 2021-07-16 17:16:38 +0200 |
commit | 5597dc6f1e8d8b73f906365618ba3922f9dd7660 (patch) | |
tree | 0f8fa93ba389f87e88115e0c4c64a906c494988a /debian | |
parent | 970c9eab865715b7f37d9e0a6b14e233fddcfa12 (diff) |
debian: new config file structure
Diffstat (limited to 'debian')
-rw-r--r-- | debian/etc/taler-exchange.conf | 38 | ||||
-rw-r--r-- | debian/etc/taler/auditor-service-default.conf | 1 | ||||
-rw-r--r-- | debian/etc/taler/auditor-system.conf (renamed from debian/etc/taler-auditor.conf) | 0 | ||||
-rw-r--r-- | debian/etc/taler/exchange-business.conf (renamed from debian/etc/taler-secmod.conf) | 18 | ||||
-rw-r--r-- | debian/etc/taler/exchange-db.conf (renamed from debian/etc/taler-exchange-db.conf) | 3 | ||||
-rw-r--r-- | debian/etc/taler/exchange-service-default.conf | 3 | ||||
-rw-r--r-- | debian/etc/taler/exchange-service-wire.conf | 4 | ||||
-rw-r--r-- | debian/etc/taler/exchange-system.conf | 21 | ||||
-rw-r--r-- | debian/etc/taler/exchange-wire-gateway.conf (renamed from debian/etc/taler-wire.conf) | 6 | ||||
-rw-r--r-- | debian/taler-auditor.install | 2 | ||||
-rw-r--r-- | debian/taler-exchange.install | 4 | ||||
-rw-r--r-- | debian/taler-exchange.postinst | 255 |
12 files changed, 177 insertions, 178 deletions
diff --git a/debian/etc/taler-exchange.conf b/debian/etc/taler-exchange.conf
deleted file mode 100644
index 34af223d2..000000000
--- a/debian/etc/taler-exchange.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-# First line should be: "INLINE@ taler-exchange-db.conf"
-# 2nd line should be: "INLINE@ taler-secmod.conf"
-@INLINE@ taler-exchange-db.conf
-@INLINE@ taler-secmod.conf
-# Do not edit this file using 'taler-config', otherwise the line
-# above will be lost!
-#
-# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.
-#
-
-[PATHS]
-
-# Move runtime data "tmp" directory to /var/lib/taler-exchange/
-# to possibly provide additional protection from unwarranted access.
-TALER_RUNTIME_DIR = /var/lib/taler-exchange/tmp/
-
-[exchange]
-# Debian package is configured to use a reverse proxy with a UNIX
-# domain socket. See nginx/apache configuration files.
-SERVE = UNIX
-UNIXPATH = /var/lib/taler-exchange/exchange.sock
-
-# Only supported database is Postgres right now.
-DATABASE = postgres
-
-# Here you MUST add the master public key of the offline system
-# which you can get using `taler-exchange-offline setup`.
-# This is just an example, your key will be different!
-# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG
-MASTER_PUBLIC_KEY =
-
-# For your terms of service and privacy policy, you should specify
-# an Etag that must be updated whenever there are significant
-# changes to either document. The format is up to you, what matters
-# is that the value is updated and never re-used. See the HTTP
-# specification on Etags.
-# TERMS_ETAG =
-# PRIVACY_ETAG =
diff --git a/debian/etc/taler/auditor-service-default.conf b/debian/etc/taler/auditor-service-default.conf
new file mode 100644
index 000000000..d57283ea5
--- /dev/null
+++ b/debian/etc/taler/auditor-service-default.conf
@@ -0,0 +1 @@
+@INCLUDE@ /etc/taler/auditor-system.conf
diff --git a/debian/etc/taler-auditor.conf b/debian/etc/taler/auditor-system.conf index 50971b2ef..50971b2ef 100644 --- a/debian/etc/taler-auditor.conf +++ b/debian/etc/taler/auditor-system.conf diff --git a/debian/etc/taler-secmod.conf b/debian/etc/taler/exchange-business.conf index 8b3bb34d9..8b97c6089 100644 --- a/debian/etc/taler-secmod.conf +++ b/debian/etc/taler/exchange-business.conf @@ -1,13 +1,23 @@ -[PATHS] - -# Move runtime data "tmp" directory to /var/lib/taler-exchange/ -# to possibly provide additional protection from unwarranted access. TALER_RUNTIME_DIR = /var/lib/taler-exchange/tmp/ [taler] # Here you need to set the currency of your exchange: # CURRENCY = KUDOS +# Here you MUST add the master public key of the offline system +# which you can get using `taler-exchange-offline setup`. +# This is just an example, your key will be different! +# MASTER_PUBLIC_KEY = YE6Q6TR1EDB7FD0S68TGDZGF1P0GHJD2S0XVV8R2S62MYJ6HJ4ZG +MASTER_PUBLIC_KEY = + +# For your terms of service and privacy policy, you should specify +# an Etag that must be updated whenever there are significant +# changes to either document. The format is up to you, what matters +# is that the value is updated and never re-used. See the HTTP +# specification on Etags. +# TERMS_ETAG = +# PRIVACY_ETAG = + # You must specify the various denominations to be offered by your exchange # in sections called "coin_". diff --git a/debian/etc/taler-exchange-db.conf b/debian/etc/taler/exchange-db.conf index a6217f486..a7a727b62 100644 --- a/debian/etc/taler-exchange-db.conf +++ b/debian/etc/taler/exchange-db.conf @@ -1,5 +1,4 @@ -# This file should contain the access control information to talk to -# the exchange database. +# Database configuration for the Taler exchange. [exchangedb-postgres] diff --git a/debian/etc/taler/exchange-service-default.conf b/debian/etc/taler/exchange-service-default.conf new file mode 100644 index 000000000..0fa198f88 --- /dev/null 
+++ b/debian/etc/taler/exchange-service-default.conf
@@ -0,0 +1,3 @@
+@INCLUDE@ /etc/taler/exchange-system.conf
+@INCLUDE@ /etc/taler/exchange-db.conf
+@INCLUDE@ /etc/taler/exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-wire.conf b/debian/etc/taler/exchange-service-wire.conf
new file mode 100644
index 000000000..d6dc0253c
--- /dev/null
+++ b/debian/etc/taler/exchange-service-wire.conf
@@ -0,0 +1,4 @@
+@INCLUDE@ /etc/taler/exchange-system.conf
+@INCLUDE@ /etc/taler/exchange-db.conf
+@INCLUDE@ /etc/taler/exchange-business.conf
+@INCLUDE@ /etc/taler/exchange-wire-gateway.conf
diff --git a/debian/etc/taler/exchange-system.conf b/debian/etc/taler/exchange-system.conf
new file mode 100644
index 000000000..bdf53fce7
--- /dev/null
+++ b/debian/etc/taler/exchange-system.conf
@@ -0,0 +1,21 @@
+# Configuration settings for system parameters of
+# the exchange. Should be included in all service-specific
+# configuration files for the exchange.
+#
+# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.
+
+[PATHS]
+
+# Move runtime data "tmp" directory to /var/lib/taler-exchange/
+# to possibly provide additional protection from unwarranted access.
+TALER_RUNTIME_DIR = /var/lib/taler-exchange/tmp/
+
+
+[exchange]
+# Debian package is configured to use a reverse proxy with a UNIX
+# domain socket. See nginx/apache configuration files.
+SERVE = UNIX
+UNIXPATH = /var/lib/taler-exchange/exchange.sock
+
+# Only supported database is Postgres right now.
+DATABASE = postgres
diff --git a/debian/etc/taler-wire.conf b/debian/etc/taler/exchange-wire-gateway.conf
index d0484381a..e5c749c88 100644
--- a/debian/etc/taler-wire.conf
+++ b/debian/etc/taler/exchange-wire-gateway.conf
@@ -1,9 +1,3 @@
-# First line should be: "INLINE@ taler-exchange-db.conf"
-@INLINE@ taler-exchange-db.conf
-# Do not edit this file using 'taler-config', otherwise the line
-# above will be lost!
-
-
 # This file should contain the wire account access information which is needed
 # by the Taler exchange to talk to LibEuFin to interact with the bank.
 # The file SHOULD only be readable for the "taler-exchange-wire" user,
diff --git a/debian/taler-auditor.install b/debian/taler-auditor.install
index b2528c8ae..1f32e5bb3 100644
--- a/debian/taler-auditor.install
+++ b/debian/taler-auditor.install
@@ -13,6 +13,6 @@ usr/share/man/man1/taler-helper-auditor*
 usr/share/info/taler-auditor*
 usr/share/taler/config.d/auditor*
 usr/share/taler/sql/auditor/*
-debian/etc/taler-auditor.conf etc/
+debian/etc/taler/auditor* etc/
 debian/auditor-conf/* etc/taler-auditor/
 usr/share/taler-exchange/auditor-report.tex.j2
diff --git a/debian/taler-exchange.install b/debian/taler-exchange.install
index 7d484cbfe..82a39d46a 100644
--- a/debian/taler-exchange.install
+++ b/debian/taler-exchange.install
@@ -6,7 +6,7 @@ usr/share/man/man1/taler-wire*
 usr/share/info/taler-bank*
 usr/share/info/taler-exchange*
 usr/share/taler/config.d/*
-debian/etc/* etc/
-debian/exchange-conf/* etc/taler-exchange/
+debian/etc/exchange* etc/
+debian/exchange-conf/* usr/share/taler/sample-configs/
 usr/share/taler-exchange/pp/*/*
 usr/share/taler-exchange/tos/*/*
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
index 72f8f6c5d..e8ef11d69 100644
--- a/debian/taler-exchange.postinst
+++ b/debian/taler-exchange.postinst
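Review bot: The install globs in the two .install hunks do not line up with where the diffstat puts the new files: `debian/etc/exchange* etc/` in taler-exchange.install matches nothing, because the exchange configs now live under debian/etc/taler/ (the auditor line was updated to `debian/etc/taler/auditor* etc/`, so the prefix was simply missed here). Both destinations also look wrong for the new layout: as far as I recall dh_install copies matched files directly into the destination directory, so `etc/` yields /etc/auditor-system.conf, while auditor-service-default.conf and the new exchange-service-*.conf files @INCLUDE@ paths under /etc/taler/. I would change the two lines to `debian/etc/taler/exchange* etc/taler/` and `debian/etc/taler/auditor* etc/taler/`. A non-matching source glob should make dh_install abort, but a wrong destination only shows up when the services fail to find their configs.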
@@ -2,106 +2,111 @@ set -e - . /usr/share/debconf/confmodule +# usage: fixperm user:group perms file +function fixperm() { + chown "$1" "$3" + chmod "$2" "$3" +} + +# usage: lncfg user target +function lncfg() { + mkdir ~$1/.config + chown $1:$1 ~$1/.config + ln -sf $1/.config/taler.conf $2 +} + case "${1}" in - configure) - db_version 2.0 - - db_get taler-exchange/eusername - _EUSERNAME="${RET:-taler-exchange-httpd}" - - db_get taler-exchange/rsecusername - _RSECUSERNAME="${RET:-taler-exchange-secmod-rsa}" - - db_get taler-exchange/esecusername - _ESECUSERNAME="${RET:-taler-exchange-secmod-eddsa}" - - db_get taler-exchange/wireusername - _WIREUSERNAME="${RET:-taler-exchange-wire}" - - db_get taler-exchange/aggrusername - _AGGRUSERNAME="${RET:-taler-exchange-aggregator}" - - db_get taler-exchange/groupname - _GROUPNAME="${RET:-taler-private}" - - db_get taler-exchange/dbgroupname - _DBGROUPNAME="${RET:-taler-exchange-db}" - - db_stop - - CONFIG_FILE="/etc/default/taler-exchange" - TALER_HOME="/var/lib/taler-exchange" - - # Creating taler groups as needed - if ! getent group ${_GROUPNAME} > /dev/null - then - echo -n "Creating new Taler group ${_GROUPNAME}:" - addgroup --quiet --system ${_GROUPNAME} - echo " done." - fi - if ! getent group ${_DBGROUPNAME} > /dev/null - then - echo -n "Creating new Taler group ${_DBGROUPNAME}:" - addgroup --quiet --system ${_DBGROUPNAME} - echo " done." - fi - - # Creating taler users if needed - if ! getent passwd ${_EUSERNAME} > /dev/null - then - echo -n "Creating new Taler user ${_EUSERNAME}:" - adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/httpd ${_EUSERNAME} - adduser ${_EUSERNAME} ${_DBGROUPNAME} - echo " done." - fi - if ! getent passwd ${_RSECUSERNAME} > /dev/null - then - echo -n "Creating new Taler user ${_RSECUSERNAME}:" - adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/secmod-rsa ${_RSECUSERNAME} - echo " done." - fi - if ! 
getent passwd ${_ESECUSERNAME} > /dev/null - then - echo -n "Creating new Taler user ${_ESECUSERNAME}:" - adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/secmod-eddsa ${_ESECUSERNAME} - echo " done." - fi - if ! getent passwd ${_WIREUSERNAME} > /dev/null - then - echo -n "Creating new Taler user ${_WIREUSERNAME}:" - adduser --quiet --system --home ${TALER_HOME}/wire ${_WIREUSERNAME} - adduser --quiet ${_WIREUSERNAME} ${_DBGROUPNAME} - echo " done." - fi - if ! getent passwd ${_AGGRUSERNAME} > /dev/null - then - echo -n "Creating new Taler user ${_AGGRUSERNAME}:" - adduser --quiet --system --home ${TALER_HOME}/aggregator ${_AGGRUSERNAME} - adduser --quiet ${_AGGRUSERNAME} ${_DBGROUPNAME} - echo " done." - fi - - # Writing new values to configuration file - echo -n "Writing new configuration file:" - CONFIG_NEW=$(tempfile) - -cat > "${CONFIG_NEW}" <<EOF +configure) + db_version 2.0 + + db_get taler-exchange/eusername + _EUSERNAME="${RET:-taler-exchange-httpd}" + + db_get taler-exchange/rsecusername + _RSECUSERNAME="${RET:-taler-exchange-secmod-rsa}" + + db_get taler-exchange/esecusername + _ESECUSERNAME="${RET:-taler-exchange-secmod-eddsa}" + + db_get taler-exchange/wireusername + _WIREUSERNAME="${RET:-taler-exchange-wire}" + + db_get taler-exchange/aggrusername + _AGGRUSERNAME="${RET:-taler-exchange-aggregator}" + + db_get taler-exchange/groupname + _GROUPNAME="${RET:-taler-private}" + + db_get taler-exchange/dbgroupname + _DBGROUPNAME="${RET:-taler-exchange-db}" + + db_stop + + CONFIG_FILE="/etc/default/taler-exchange" + TALER_HOME="/var/lib/taler-exchange" + + # Creating taler groups as needed + if ! getent group ${_GROUPNAME} >/dev/null; then + echo -n "Creating new Taler group ${_GROUPNAME}:" + addgroup --quiet --system ${_GROUPNAME} + echo " done." + fi + if ! getent group ${_DBGROUPNAME} >/dev/null; then + echo -n "Creating new Taler group ${_DBGROUPNAME}:" + addgroup --quiet --system ${_DBGROUPNAME} + echo " done." 
+ fi + + # Creating taler users if needed + if ! getent passwd ${_EUSERNAME} >/dev/null; then + echo -n "Creating new Taler user ${_EUSERNAME}:" + adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/httpd ${_EUSERNAME} + adduser ${_EUSERNAME} ${_DBGROUPNAME} + echo " done." + fi + if ! getent passwd ${_RSECUSERNAME} >/dev/null; then + echo -n "Creating new Taler user ${_RSECUSERNAME}:" + adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/secmod-rsa ${_RSECUSERNAME} + echo " done." + fi + if ! getent passwd ${_ESECUSERNAME} >/dev/null; then + echo -n "Creating new Taler user ${_ESECUSERNAME}:" + adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/secmod-eddsa ${_ESECUSERNAME} + echo " done." + fi + if ! getent passwd ${_WIREUSERNAME} >/dev/null; then + echo -n "Creating new Taler user ${_WIREUSERNAME}:" + adduser --quiet --system --home ${TALER_HOME}/wire ${_WIREUSERNAME} + adduser --quiet ${_WIREUSERNAME} ${_DBGROUPNAME} + echo " done." + fi + if ! getent passwd ${_AGGRUSERNAME} >/dev/null; then + echo -n "Creating new Taler user ${_AGGRUSERNAME}:" + adduser --quiet --system --home ${TALER_HOME}/aggregator ${_AGGRUSERNAME} + adduser --quiet ${_AGGRUSERNAME} ${_DBGROUPNAME} + echo " done." + fi + + # Writing new values to configuration file + echo -n "Writing new configuration file:" + CONFIG_NEW=$(tempfile) + + cat >"${CONFIG_NEW}" <<EOF # This file controls the behaviour of the Taler init script. # It will be parsed as a shell script. # please do not edit by hand, use 'dpkg-reconfigure taler-exchange'. 
TALER_EUSER=${_EUSERNAME} -TALER_RSECUSER=${_RESCUSERNAME} +TALER_RSECUSER=${_RSECUSERNAME} TALER_ESECUSER=${_ESECUSERNAME} TALER_WIREUSER=${_WIREUSERNAME} TALER_AGGRUSER=${_AGGRUSERNAME} TALER_GROUP=${_GROUPNAME} EOF -cat > "/etc/systemd/system/taler-exchange-httpd.socket" <<EOF + cat >"/etc/systemd/system/taler-exchange-httpd.socket" <<EOF [Unit] Description=Taler Exchange Socket PartOf=taler-exchange-httpd.service @@ -118,7 +123,7 @@ SocketMode=0660 WantedBy=sockets.target EOF -cat > "/etc/systemd/system/taler-exchange-httpd.service" <<EOF + cat >"/etc/systemd/system/taler-exchange-httpd.service" <<EOF [Unit] Description=GNU Taler payment system exchange REST API AssertPathExists=/var/lib/taler-exchange/ @@ -131,7 +136,7 @@ EnvironmentFile=/etc/default/taler-exchange User=${_EUSERNAME} Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler-exchange.conf +ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/exchange-service-default.conf PrivateTmp=no PrivateDevices=yes ProtectSystem=full @@ -140,7 +145,7 @@ ProtectSystem=full WantedBy=multi-user.target EOF -cat > "/etc/systemd/system/taler-exchange-secmod-rsa.service" <<EOF + cat >"/etc/systemd/system/taler-exchange-secmod-rsa.service" <<EOF [Unit] Description=GNU Taler payment system exchange RSA security module @@ -149,13 +154,13 @@ EnvironmentFile=/etc/default/taler-exchange User=${_RSECUSERNAME} Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler-secmod.conf +ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/exchange-service-default.conf PrivateTmp=no PrivateDevices=yes ProtectSystem=full EOF -cat > "/etc/systemd/system/taler-exchange-secmod-eddsa.service" <<EOF + cat >"/etc/systemd/system/taler-exchange-secmod-eddsa.service" <<EOF [Unit] Description=GNU Taler payment system exchange EdDSA security module 
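Review bot: `lncfg`, added at the top of this hunk (@@ -2), cannot do what its `# usage: lncfg user target` comment says, and it is called for every service user in the last hunk (@@ -220). `~$1` is not expanded to the user's home directory, since tilde expansion happens before parameter expansion, so `mkdir ~$1/.config` targets a literal `~taler-exchange-httpd/.config` path and, without `-p`, fails under `set -e` because that parent does not exist; `chown $1:$1` assumes a group named after the user, which `adduser --system --ingroup ${_GROUPNAME}` does not create for the httpd and secmod users; and the `ln -sf` operands appear reversed, so it would replace `$2`, the packaged /etc/taler/exchange-service-*.conf, with a dangling symlink to a relative `user/.config/taler.conf`. I would resolve the home directory through getent and link in the other direction, as below; the `function` keyword also requires bash, and the shebang is outside the hunk.
```shell
# usage: lncfg user target -- make ~user/.config/taler.conf point at target
function lncfg() {
  local home
  home=$(getent passwd "$1" | cut -d: -f6)
  mkdir -p "${home}/.config"
  chown "$1:" "${home}/.config"
  ln -sf "$2" "${home}/.config/taler.conf"
}
```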
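Review bot: The secmod-rsa and secmod-eddsa ExecStart lines (this hunk, @@ -149, and the one above it, @@ -140) now point both security modules at /etc/taler/exchange-service-default.conf, which @INCLUDE@s /etc/taler/exchange-db.conf, while the last hunk (@@ -220) restricts that file to `root:${_DBGROUPNAME}` mode 640 and the first hunk creates the secmod users only in ${_GROUPNAME}. Unless the config loader tolerates an unreadable include, both services will fail at startup; and even if it does, the security modules have no need for database credentials, so a least-privilege split costs nothing. I would give them a config without the database include, e.g. a new exchange-service-secmod.conf containing `@INCLUDE@ /etc/taler/exchange-system.conf` and `@INCLUDE@ /etc/taler/exchange-business.conf`, and point both ExecStart lines at it.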
@@ -164,13 +169,13 @@ EnvironmentFile=/etc/default/taler-exchange User=${_ESECUSERNAME} Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler-secmod.conf +ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/exchange-service-default.conf PrivateTmp=no PrivateDevices=yes ProtectSystem=full EOF -cat > "/etc/systemd/system/taler-exchange-wirewatch.service" <<EOF + cat >"/etc/systemd/system/taler-exchange-wirewatch.service" <<EOF [Unit] Description=GNU Taler payment system exchange wirewatch service After=network.target @@ -180,14 +185,14 @@ EnvironmentFile=/etc/default/taler-exchange User=${_WIREUSERNAME} Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf +ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/exchange-service-wire.conf PrivateTmp=yes PrivateDevices=yes ProtectSystem=full EOF -cat > "/etc/systemd/system/taler-exchange-transfer.service" <<EOF + cat >"/etc/systemd/system/taler-exchange-transfer.service" <<EOF [Unit] Description=GNU Taler payment system exchange transfer service After=network.target @@ -197,13 +202,13 @@ EnvironmentFile=/etc/default/taler-exchange User=${_WIREUSERNAME} Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf +ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/exchange-service-wire.conf PrivateTmp=yes PrivateDevices=yes ProtectSystem=full EOF -cat > "/etc/systemd/system/taler-exchange-aggregator.service" <<EOF + cat >"/etc/systemd/system/taler-exchange-aggregator.service" <<EOF [Unit] Description=GNU Taler payment system exchange aggregator service @@ -212,7 +217,7 @@ EnvironmentFile=/etc/default/taler-exchange User=${_AGGRUSERNAME} Type=simple Restart=on-failure -ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler.conf +ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/exchange-service-default.conf PrivateTmp=yes PrivateDevices=yes ProtectSystem=full 
@@ -220,42 +225,42 @@ ProtectSystem=full EOF - cp -f "${CONFIG_NEW}" "${CONFIG_FILE}" - rm -f "${CONFIG_NEW}" - echo " done." + cp -f "${CONFIG_NEW}" "${CONFIG_FILE}" + rm -f "${CONFIG_NEW}" + echo " done." - echo -n "Setting up system services " + echo -n "Setting up system services " - mkdir -p /var/lib/taler-exchange/tmp - chown root:${_GROUPNAME} /var/lib/taler-exchange/tmp - chmod 770 /var/lib/taler-exchange/tmp - chmod +s /var/lib/taler-exchange/tmp + mkdir -p /var/lib/taler-exchange/tmp + chown root:${_GROUPNAME} /var/lib/taler-exchange/tmp + chmod 770 /var/lib/taler-exchange/tmp + chmod +s /var/lib/taler-exchange/tmp - chown root:${_GROUPNAME} /etc/taler-secmod.conf - chmod 640 /etc/taler-secmod.conf - chown ${_WIREUSERNAME}:root /etc/taler-wire.conf - chmod 460 /etc/taler-wire.conf - chown root:${_DBGROUPNAME} /etc/taler-exchange-db.conf - chmod 640 /etc/taler-exchange-db.conf - chown ${_EUSERNAME}:${_GROUPNAME} /etc/taler-exchange.conf - chmod 460 /etc/taler-wire.conf + fixperm ${_WIREUSERNAME}:root 460 /etc/taler/exchange-wire-gateway.conf + fixperm root:${_DBGROUPNAME} 640 /etc/taler/exchange-db.conf - systemctl daemon-reload >/dev/null 2>&1 || true + systemctl daemon-reload >/dev/null 2>&1 || true + echo "done." - echo "done." + echo -n "Linking config files" + lncfg ${_EUSERNAME} /etc/taler/exchange-service-default.conf + lncfg ${_RSECUSERNAME} /etc/taler/exchange-service-default.conf + lncfg ${_ESECUSERNAME} /etc/taler/exchange-service-default.conf + lncfg ${_AGGRUSERNAME} /etc/taler/exchange-service-default.conf + lncfg ${_WIREUSERNAME} /etc/taler/exchange-service-wire.conf + echo " done" - # Cleaning - echo "All done." - ;; + # Cleaning + echo "All done." + ;; - abort-upgrade|abort-remove|abort-deconfigure) - ;; +abort-upgrade | abort-remove | abort-deconfigure) ;; - *) - echo "postinst called with unknown argument \`${1}'" >&2 - exit 1 - ;; +*) + echo "postinst called with unknown argument \`${1}'" >&2 + exit 1 + ;; esac #DEBHELPER# |
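Review bot: The permission block in this hunk no longer covers the secmod configuration: the old `chown root:${_GROUPNAME}` / `chmod 640` on /etc/taler-secmod.conf is removed without a `fixperm` for its renamed successor /etc/taler/exchange-business.conf, and the new /etc/taler/exchange-system.conf gets no explicit mode either, so both keep whatever mode the package ships them with (presumably 0644). If world-readable is intended, a short comment above the two `fixperm` calls saying so would stop the next reader from treating it as an oversight; otherwise add `fixperm root:${_GROUPNAME} 640 /etc/taler/exchange-business.conf`. Separately, the carried-over mode `460` on exchange-wire-gateway.conf gives the owning wire user read-only and the root group read-write access, which reads like a typo for `440`.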