diff --git a/debian/etc/taler/auditor-service-default.conf b/debian/etc/taler/auditor-service-default.conf
deleted file mode 100644
index 259c4359d..000000000
--- a/debian/etc/taler/auditor-service-default.conf
+++ /dev/null
@@ -1 +0,0 @@
-@INLINE@ auditor-system.conf
diff --git a/debian/etc/taler/auditor-system.conf b/debian/etc/taler/conf.d/auditor-system.conf
similarity index 58%
rename from debian/etc/taler/auditor-system.conf
rename to debian/etc/taler/conf.d/auditor-system.conf
index 50971b2ef..3d3aef33a 100644
--- a/debian/etc/taler/auditor-system.conf
+++ b/debian/etc/taler/conf.d/auditor-system.conf
@@ -1,8 +1,6 @@
-[PATHS]
-
-# Move runtime data "tmp" directory to /var/lib/taler-auditor/
-# to possibly provide additional protection from unwarranted access.
-TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ auditordb-postgres ../secrets/auditor-db.secret.conf
 [auditor]
 # Debian package is configured to use a reverse proxy with a UNIX
diff --git a/debian/etc/taler/exchange-business.conf b/debian/etc/taler/conf.d/exchange-business.conf
similarity index 94%
rename from debian/etc/taler/exchange-business.conf
rename to debian/etc/taler/conf.d/exchange-business.conf
index 669ed4546..ecd010da1 100644
--- a/debian/etc/taler/exchange-business.conf
+++ b/debian/etc/taler/conf.d/exchange-business.conf
@@ -1,8 +1,6 @@
 # Configuration for business-level aspects of the exchange.
-[taler]
-# Here you need to set the currency of your exchange:
-# CURRENCY = KUDOS
+[exchange]
 # Here you MUST add the master public key of the offline system
 # which you can get using `taler-exchange-offline setup`.
diff --git a/debian/etc/taler/exchange-system.conf b/debian/etc/taler/conf.d/exchange-system.conf
similarity index 55%
rename from debian/etc/taler/exchange-system.conf
rename to debian/etc/taler/conf.d/exchange-system.conf
index 2b7f34304..6df381eef 100644
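Review bot: Dropping the `[PATHS]` override `TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/` removes the one setting whose own comment described it as protection against unwarranted access, and nothing in the hunk says where the auditor's runtime data now goes. If the read-only base configuration under /usr/share now supplies a suitably protected directory, a one-line comment stating that would keep the hardening intent visible; otherwise the override should stay in conf.d/auditor-system.conf. The `@inline-secret@` line also deserves a remark that a reader without permission on the secret file appears to get no `[auditordb-postgres]` section at all rather than an error, e.g. `# A service that cannot read the secret file runs without this section; check its log if database settings are missing.`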
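Review bot: `[exchange]` now opens the file at the position where `[taler]` used to be, so if the part of the file below this hunk still carries its own `[exchange]` header the result is two `[exchange]` sections in one file, which parsers merge or reject inconsistently; worth checking against the full file. The removed pointer `# Here you need to set the currency of your exchange:` has no replacement here, while the new taler.conf ships `currency` commented out, so an operator reading only this file gets no hint that the currency is now set elsewhere. A one-line comment such as `# The currency is set in /etc/taler/taler.conf, section [taler].` would cover it.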
--- a/debian/etc/taler/exchange-system.conf
+++ b/debian/etc/taler/conf.d/exchange-system.conf
@@ -1,13 +1,9 @@
-# Configuration settings for system parameters of
-# the exchange. Should be included in all service-specific
-# configuration files for the exchange.
-#
-# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.
-
-[PATHS]
-
-TALER_RUNTIME_DIR = /run/taler-exchange-private
+# Configuration settings for system parameters of the exchange.
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ exchange-account-1 ../secrets/exchange-accounts.secret.conf
+@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf
 [exchange]
 # Debian package is configured to use a reverse proxy with a UNIX
diff --git a/debian/etc/taler/exchange-offline.conf b/debian/etc/taler/exchange-offline.conf
deleted file mode 100644
index c1c039f91..000000000
--- a/debian/etc/taler/exchange-offline.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# This configuration file is the entry point for the offline key management.
-#
-# It includes other configuration files, which are applied on top of the
-# read-only base configuration (typically in /usr/share/taler/config.d/).
-
-# This file should be identical to the business configuration of the running
-# online exchange
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-default.conf b/debian/etc/taler/exchange-service-default.conf
deleted file mode 100644
index 4e3981004..000000000
--- a/debian/etc/taler/exchange-service-default.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# This configuration file is the entry point for most
-# Taler exchange services.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf
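Review bot: Removing `TALER_RUNTIME_DIR = /run/taler-exchange-private` together with the tmpfiles entry that created `/var/taler-exchange` with mode 2660 for `taler-exchange-secmod` (deleted later in this commit) leaves the location and ownership of the secmod socket directory unstated in the packaging; if the /usr/share base configuration now provides both, a comment saying so here would help, otherwise the runtime-directory setting should be kept. The two `@inline-secret@` lines bind the secret files to fixed section names, so an operator adding a second wire account to exchange-accounts.secret.conf would also need a second `@inline-secret@ exchange-account-2 ...` line in this file; the new header comment could state that. The removed reference to taler-exchange.README.Debian is not carried anywhere visible in the diff.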
diff --git a/debian/etc/taler/exchange-service-secmod.conf b/debian/etc/taler/exchange-service-secmod.conf
deleted file mode 100644
index 5f5c012c6..000000000
--- a/debian/etc/taler/exchange-service-secmod.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# This configuration file is the entry point for the exchange
-# security modules.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-business.conf
diff --git a/debian/etc/taler/exchange-service-wire.conf b/debian/etc/taler/exchange-service-wire.conf
deleted file mode 100644
index ed25e381c..000000000
--- a/debian/etc/taler/exchange-service-wire.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# This configuration file is the entry point for
-# Taler exchange services that access the wire gateway,
-# i.e. the protocol bridge to core banking functionality.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf
-@INLINE@ exchange-wire-gateway.conf
diff --git a/debian/etc/taler/secrets/auditor-db.secret.conf b/debian/etc/taler/secrets/auditor-db.secret.conf
new file mode 100644
index 000000000..b81bb817f
--- /dev/null
+++ b/debian/etc/taler/secrets/auditor-db.secret.conf
@@ -0,0 +1,10 @@
+# Database configuration for the Taler auditor.
+
+[auditordb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///DATABASE
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.
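Review bot: `CONFIG=postgres:///DATABASE` is shipped as a live value rather than a commented example, so until an operator edits it the auditor will try to connect to a database literally named `DATABASE`, while the comment above it still reads `# Typically, there should only be a single line here, of the form:`, which described an example rather than a default. The same live placeholder is introduced for the exchange in secrets/exchange-db.secret.conf later in this commit. Nothing visible in this diff sets ownership or mode on secrets/auditor-db.secret.conf the way taler-exchange.postinst does for the exchange secrets; presumably the auditor package's maintainer script handles it, but that is outside what this diff shows. A comment such as `# Replace DATABASE with the name of the auditor database; keep this file readable only by the auditor services.` would make both points explicit.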
diff --git a/debian/etc/taler/exchange-wire-gateway.conf b/debian/etc/taler/secrets/exchange-accounts.secret.conf
similarity index 64%
rename from debian/etc/taler/exchange-wire-gateway.conf
rename to debian/etc/taler/secrets/exchange-accounts.secret.conf
index e5c749c88..7b6c649fd 100644
--- a/debian/etc/taler/exchange-wire-gateway.conf
+++ b/debian/etc/taler/secrets/exchange-accounts.secret.conf
@@ -2,3 +2,20 @@
 # by the Taler exchange to talk to LibEuFin to interact with the bank.
 # The file SHOULD only be readable for the "taler-exchange-wire" user,
 # as other users/services have no business talking to the bank.
+
+
+[exchange-account-1]
+enable_credit = yes
+
+enable_debit = yes
+
+wire_gateway_auth_method = basic
+
+password =
+
+username =
+
+wire_gateway_url =
+
+payto_uri =
+
diff --git a/debian/etc/taler/exchange-db.conf b/debian/etc/taler/secrets/exchange-db.secret.conf
similarity index 89%
rename from debian/etc/taler/exchange-db.conf
rename to debian/etc/taler/secrets/exchange-db.secret.conf
index a7a727b62..596dcc92b 100644
--- a/debian/etc/taler/exchange-db.conf
+++ b/debian/etc/taler/secrets/exchange-db.secret.conf
@@ -4,7 +4,7 @@
 # Typically, there should only be a single line here, of the form:
-# CONFIG=postgres:///DATABASE
+CONFIG=postgres:///DATABASE
 # The details of the URI depend on where the database lives and how
 # access control was configured.
diff --git a/debian/etc/taler/taler.conf b/debian/etc/taler/taler.conf
new file mode 100644
index 000000000..27ccf47d2
--- /dev/null
+++ b/debian/etc/taler/taler.conf
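Review bot: The new `[exchange-account-1]` block ships `wire_gateway_auth_method = basic` with empty `username =` and `password =`, and none of the five placeholder keys carries a comment saying what must go in it, although the file header says the file holds what the exchange uses to talk to LibEuFin. A short comment per key would close that gap, e.g. `# Base URL of the wire gateway (LibEuFin) and the HTTP basic-auth credentials for it` above `wire_gateway_url =`, and `# Account of the exchange at the bank, in payto:// form` above `payto_uri =`. The blank line between every key is also out of step with the other conf.d and secrets files in this commit, which group keys tightly under their section header.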
@@ -0,0 +1,29 @@
+# Main entry point for the GNU Taler configuration.
+#
+# Structure:
+# - taler.conf is the main configuration entry point
+# used by all Taler components
+# - conf.d/ contains configuration files for
+# Taler components, which can be read by all
+# users of the system and are included by the main
+# configuration
+# - secrets/ contains configuration snippets
+# with secrets for particular services.
+# These files should have restrictive permissions
+# so that only users of the relevant services
+# can read it.
+
+[taler]
+
+# Currency of the Taler deployment. This setting applies to all Taler
+# components that only support a single currency.
+#currency = KUDOS
+
+# Smallest currency unit handled by the underlying bank system. Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+#currency_round_unit = KUDOS:0.01
+
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf
diff --git a/debian/taler-auditor.taler-auditor-httpd.service b/debian/taler-auditor.taler-auditor-httpd.service
index c5e1970c8..9aefab641 100644
--- a/debian/taler-auditor.taler-auditor-httpd.service
+++ b/debian/taler-auditor.taler-auditor-httpd.service
@@ -6,7 +6,7 @@ After=postgres.service network.target
 User=taler-auditor-httpd
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler-auditor.conf
+ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler/taler.conf
 [Install]
 WantedBy=multi-user.target
diff --git a/debian/taler-exchange-offline.postinst b/debian/taler-exchange-offline.postinst
index a0659232a..b93761de1 100644
--- a/debian/taler-exchange-offline.postinst
+++ b/debian/taler-exchange-offline.postinst
@@ -1,4 +1,3 @@
-#!/bin/bash
 set -e
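Review bot: `@inline-matching@ conf.d/*.conf` makes the effective configuration depend on the order in which the glob is expanded, and the header does not say what happens when two conf.d files define the same section or key; a sentence in the Structure comment giving the expected order (and that later files override earlier ones, if that is the rule) would spare operators an experiment. Two wording fixes in the same header: `# can read it.` should be `# can read them.`, and `# systems is always rounded to this unit.` should be `# systems are always rounded to this unit.` (the line before it should also say `this unit`, not `this units`). Since `currency` ships commented out, the header could state that it must be set before any Taler service is started.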
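Review bot: The `#!/bin/bash` line is removed and nothing replaces it, so the maintainer script no longer names its interpreter; Debian maintainer scripts are expected to start with a `#!` line, and without one the shell this runs under depends on how dpkg's exec fallback treats the file rather than on the script. With the bash-only `function lncfg()` gone in the next hunk, the rest of the visible script is plain POSIX sh, so `#!/bin/sh` would be the natural replacement. The script's body continues outside this hunk.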
@@ -6,16 +5,6 @@ set -e
 TALER_HOME="/var/lib/taler-exchange"
-# usage: lncfg user home target
-function lncfg() {
- local cf=$TALER_HOME/$2/.config
- if [ ! -e $cf ]; then
- mkdir $cf
- chown $(stat -L -c %u $TALER_HOME/$2):$(stat -L -c %g $TALER_HOME/$2) $cf
- fi
- ln -sf $3 $cf/taler.conf
-}
-
 case "${1}" in
 configure)
@@ -29,11 +18,6 @@ configure)
 --home ${TALER_HOME}/offline taler-exchange-offline
 fi
- lncfg taler-exchange-offline offline /etc/taler/exchange-offline.conf
-
- echo "All done."
- ;;
- abort-upgrade | abort-remove | abort-deconfigure) ;; *)
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
index 18f140f5c..a5a2b97a3 100644
--- a/debian/taler-exchange.postinst
+++ b/debian/taler-exchange.postinst
@@ -15,6 +15,12 @@ _ESECUSERNAME=taler-exchange-secmod-eddsa
 _AGGRUSERNAME=taler-exchange-aggregator
 _WIREUSERNAME=taler-exchange-wire
+# usage: fixperm user:group perms file
+function fixperm() {
+ chown "$1" "$3"
+ chmod "$2" "$3"
+}
+
 case "${1}" in
 configure)
@@ -50,8 +56,8 @@ configure)
 adduser --quiet ${_AGGRUSERNAME} ${_DBGROUPNAME}
 fi
- fixperm ${_WIREUSERNAME}:root 460 /etc/taler/exchange-wire-gateway.conf
- fixperm root:${_DBGROUPNAME} 640 /etc/taler/exchange-db.conf
+ fixperm ${_WIREUSERNAME}:root 460 /etc/taler/secrets/exchange-accounts.secret.conf
+ fixperm root:${_DBGROUPNAME} 640 /etc/taler/secrets/exchange-db.secret.conf
 ;;
diff --git a/debian/taler-exchange.taler-exchange-aggregator.service b/debian/taler-exchange.taler-exchange-aggregator.service
index b7010973a..daee1d0ba 100644
--- a/debian/taler-exchange.taler-exchange-aggregator.service
+++ b/debian/taler-exchange.taler-exchange-aggregator.service
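Review bot: The removed `lncfg taler-exchange-offline offline /etc/taler/exchange-offline.conf` call was what created `$TALER_HOME/offline/.config/taler.conf` as a symlink to /etc/taler/exchange-offline.conf, and this commit deletes that target file, so an upgraded installation is left with a dangling symlink that nothing in the visible hunks removes; `if [ -L "$TALER_HOME/offline/.config/taler.conf" ]; then rm -f "$TALER_HOME/offline/.config/taler.conf"; fi` in the configure branch would clean it up without touching a real file placed there by hand. Separately, the collapsed hunk makes it ambiguous whether the `;;` removed after `echo "All done."` was the one closing the `configure)` branch; if it was, `abort-upgrade | abort-remove | abort-deconfigure)` now follows `fi` directly and the case statement no longer parses, which `sh -n` on the patched file would settle either way. The removal of the `lncfg` helper itself is in the preceding hunk of this file.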
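Review bot: `function fixperm() {` uses the bash-only `function` keyword; the script's `#!` line is outside this hunk, so if it is `/bin/sh` this fails to parse, and even under bash the portable form `fixperm() {` is the conventional spelling in Debian maintainer scripts. The helper is applied to secret files and runs on every configure, so a one-line comment that it deliberately re-asserts ownership and mode on each install or upgrade would tell a future maintainer this is intended. fixperm is first called in the next hunk of this file.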
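Review bot: The two `fixperm` calls now point at /etc/taler/secrets/*.secret.conf, but the diff renames these files without any visible `dpkg-maintscript-helper mv_conffile` handling, so on upgrade an operator's edited /etc/taler/exchange-db.conf (which held the database URI) is likely left behind as an obsolete conffile while the new secrets/exchange-db.secret.conf arrives with the `postgres:///DATABASE` placeholder; if that migration lives in a preinst or postrm not shown here, disregard this. Mode `460` on the accounts file is carried over unchanged, and is worth a comment since it gives the owning service user read-only access while the `root` group gets read and write, which is the reverse of what readers usually expect from the digits.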
@@ -6,7 +6,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-aggregator
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-closer.service b/debian/taler-exchange.taler-exchange-closer.service
index c4a8f2c42..3698a73ae 100644
--- a/debian/taler-exchange.taler-exchange-closer.service
+++ b/debian/taler-exchange.taler-exchange-closer.service
@@ -6,7 +6,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-closer
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-httpd.service b/debian/taler-exchange.taler-exchange-httpd.service
index c0f03cff3..ae7947853 100644
--- a/debian/taler-exchange.taler-exchange-httpd.service
+++ b/debian/taler-exchange.taler-exchange-httpd.service
@@ -10,7 +10,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-httpd
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-secmod-eddsa.service b/debian/taler-exchange.taler-exchange-secmod-eddsa.service
index b91a742d2..3ca329aa9 100644
--- a/debian/taler-exchange.taler-exchange-secmod-eddsa.service
+++ b/debian/taler-exchange.taler-exchange-secmod-eddsa.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-secmod-eddsa
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/exchange-service-secmod.conf
+ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-secmod-rsa.service b/debian/taler-exchange.taler-exchange-secmod-rsa.service
index 2b45df460..bd72d4de7 100644
--- a/debian/taler-exchange.taler-exchange-secmod-rsa.service
+++ b/debian/taler-exchange.taler-exchange-secmod-rsa.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-secmod-rsa
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/exchange-service-secmod.conf
+ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.con
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=no
diff --git a/debian/taler-exchange.taler-exchange-transfer.service b/debian/taler-exchange.taler-exchange-transfer.service
index 782762335..bd60a8a42 100644
--- a/debian/taler-exchange.taler-exchange-transfer.service
+++ b/debian/taler-exchange.taler-exchange-transfer.service
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-wire
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/exchange-service-wire.conf
+ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes
diff --git a/debian/taler-exchange.taler-exchange-wirewatch.service b/debian/taler-exchange.taler-exchange-wirewatch.service
index ba54770f8..2e2fb1b75 100644
--- a/debian/taler-exchange.taler-exchange-wirewatch.service
+++ b/debian/taler-exchange.taler-exchange-wirewatch.service
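Review bot: `ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.con` drops the last letter of the configuration path, so the RSA security module is started against a file that does not exist while every other unit in this commit points at `/etc/taler/taler.conf`; the line should read `ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.conf`. With `Restart=on-failure` on the unit, a missing configuration would presumably surface as a restart loop in the journal rather than as a clear packaging error, so this is worth catching before release.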
@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-wire
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/exchange-service-wire.conf
+ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes
diff --git a/debian/taler-exchange.tmpfiles b/debian/taler-exchange.tmpfiles
deleted file mode 100644
index 382295932..000000000
--- a/debian/taler-exchange.tmpfiles
+++ /dev/null
@@ -1,4 +0,0 @@
-# Type Path Mode User Group Age Argument
-
-# Directory for secmod server and client sockets
-d /var/taler-exchange 2660 root taler-exchange-secmod - -