simplify configuration

debian/etc/taler/auditor-service-default.conf

@@ -1 +0,0 @@
-@INLINE@ auditor-system.conf

debian/etc/taler/conf.d/auditor-system.conf

@@ -1,8 +1,6 @@
-[PATHS]
-
-# Move runtime data "tmp" directory to /var/lib/taler-auditor/
-# to possibly provide additional protection from unwarranted access.
-TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ auditordb-postgres ../secrets/auditor-db.secret.conf
 
 [auditor]
 # Debian package is configured to use a reverse proxy with a UNIX

debian/etc/taler/conf.d/exchange-business.conf

@@ -1,8 +1,6 @@
 # Configuration for business-level aspects of the exchange.
 
-[taler]
-# Here you need to set the currency of your exchange:
-# CURRENCY = KUDOS
+[exchange]
 
 # Here you MUST add the master public key of the offline system
 # which you can get using `taler-exchange-offline setup`.

debian/etc/taler/conf.d/exchange-system.conf

@@ -1,13 +1,9 @@
-# Configuration settings for system parameters of
-# the exchange.  Should be included in all service-specific
-# configuration files for the exchange.
-#
-# Please read the taler-exchange.README.Debian for how to configure a Taler exchange.
-
-[PATHS]
-
-TALER_RUNTIME_DIR = /run/taler-exchange-private
+# Configuration settings for system parameters of the exchange.
 
+# Read secret sections into configuration, but only
+# if we have permission to do so.
+@inline-secret@ exchange-account-1 ../secrets/exchange-accounts.secret.conf
+@inline-secret@ exchangedb-postgres ../secrets/exchange-db.secret.conf
 
 [exchange]
 # Debian package is configured to use a reverse proxy with a UNIX

debian/etc/taler/exchange-offline.conf

@@ -1,8 +0,0 @@
-# This configuration file is the entry point for the offline key management.
-#
-# It includes other configuration files, which are applied on top of the
-# read-only base configuration (typically in /usr/share/taler/config.d/).
-
-# This file should be identical to the business configuration of the running
-# online exchange
-@INLINE@ exchange-business.conf

debian/etc/taler/exchange-service-default.conf

@@ -1,10 +0,0 @@
-# This configuration file is the entry point for most
-# Taler exchange services.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf

debian/etc/taler/exchange-service-secmod.conf

@@ -1,9 +0,0 @@
-# This configuration file is the entry point for the exchange
-# security modules.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-business.conf

debian/etc/taler/exchange-service-wire.conf

@@ -1,12 +0,0 @@
-# This configuration file is the entry point for
-# Taler exchange services that access the wire gateway,
-# i.e. the protocol bridge to core banking functionality.
-#
-# It includes other configuration files,
-# which are applied on top of the read-only base configuration
-# (typically in /usr/share/taler/config.d/).
-
-@INLINE@ exchange-system.conf
-@INLINE@ exchange-db.conf
-@INLINE@ exchange-business.conf
-@INLINE@ exchange-wire-gateway.conf

debian/etc/taler/secrets/auditor-db.secret.conf

@@ -0,0 +1,10 @@
+# Database configuration for the Taler auditor.
+
+[auditordb-postgres]
+
+# Typically, there should only be a single line here, of the form:
+
+CONFIG=postgres:///DATABASE
+
+# The details of the URI depend on where the database lives and how
+# access control was configured.

debian/etc/taler/secrets/exchange-accounts.secret.conf

@@ -2,3 +2,20 @@
 # by the Taler exchange to talk to LibEuFin to interact with the bank.
 # The file SHOULD only be readable for the "taler-exchange-wire" user,
 # as other users/services have no business talking to the bank.
+
+
+[exchange-account-1]
+enable_credit = yes
+
+enable_debit = yes
+
+wire_gateway_auth_method = basic
+
+password =
+
+username =
+
+wire_gateway_url =
+
+payto_uri =
+

debian/etc/taler/secrets/exchange-db.secret.conf

@@ -4,7 +4,7 @@
 
 # Typically, there should only be a single line here, of the form:
 
-# CONFIG=postgres:///DATABASE
+CONFIG=postgres:///DATABASE
 
 # The details of the URI depend on where the database lives and how
 # access control was configured.

debian/etc/taler/taler.conf

@@ -0,0 +1,29 @@
+# Main entry point for the GNU Taler configuration.
+#
+# Structure:
+# - taler.conf is the main configuration entry point
+#   used by all Taler components
+# - conf.d/ contains configuration files for
+#   Taler components, which can be read by all
+#   users of the system and are included by the main
+#   configuration
+# - secrets/ contains configuration snippets
+#   with secrets for particular services.
+#   These files should have restrictive permissions
+#   so that only users of the relevant services
+#   can read it.
+
+[taler]
+
+# Currency of the Taler deployment.  This setting applies to all Taler
+# components that only support a single currency.
+#currency = KUDOS
+
+# Smallest currency unit handled by the underlying bank system.  Taler payments
+# can make payments smaller than this units, but interactions with external
+# systems is always rounded to this unit.
+#currency_round_unit = KUDOS:0.01
+
+
+# Inline configurations from all Taler components.
+@inline-matching@ conf.d/*.conf

debian/taler-auditor.taler-auditor-httpd.service

@@ -6,7 +6,7 @@ After=postgres.service network.target
 User=taler-auditor-httpd
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler-auditor.conf
+ExecStart=/usr/bin/taler-auditor-httpd -c /etc/taler/taler.conf
 
 [Install]
 WantedBy=multi-user.target

debian/taler-exchange-offline.postinst

@@ -1,4 +1,3 @@
-#!/bin/bash
 
 set -e
 
@@ -6,16 +5,6 @@ set -e
 
 TALER_HOME="/var/lib/taler-exchange"
 
-# usage: lncfg user home target
-function lncfg() {
-  local cf=$TALER_HOME/$2/.config
-  if [ ! -e $cf ]; then
-    mkdir $cf
-    chown $(stat -L -c %u $TALER_HOME/$2):$(stat -L -c %g $TALER_HOME/$2) $cf
-  fi
-  ln -sf $3 $cf/taler.conf
-}
-
 case "${1}" in
 configure)
 
@@ -29,11 +18,6 @@ configure)
       --home ${TALER_HOME}/offline taler-exchange-offline
   fi
 
-  lncfg taler-exchange-offline offline /etc/taler/exchange-offline.conf
-
-  echo "All done."
-  ;;
-
 abort-upgrade | abort-remove | abort-deconfigure) ;;
 
 *)

debian/taler-exchange.postinst

@@ -15,6 +15,12 @@ _ESECUSERNAME=taler-exchange-secmod-eddsa
 _AGGRUSERNAME=taler-exchange-aggregator
 _WIREUSERNAME=taler-exchange-wire
 
+# usage: fixperm user:group perms file
+function fixperm() {
+  chown "$1" "$3"
+  chmod "$2" "$3"
+}
+
 case "${1}" in
 configure)
 
@@ -50,8 +56,8 @@ configure)
     adduser --quiet ${_AGGRUSERNAME} ${_DBGROUPNAME}
   fi
 
-  fixperm ${_WIREUSERNAME}:root 460 /etc/taler/exchange-wire-gateway.conf
-  fixperm root:${_DBGROUPNAME} 640 /etc/taler/exchange-db.conf
+  fixperm ${_WIREUSERNAME}:root 460 /etc/taler/secrets/exchange-accounts.secret.conf
+  fixperm root:${_DBGROUPNAME} 640 /etc/taler/secrets/exchange-db.secret.conf
 
   ;;
 

debian/taler-exchange.taler-exchange-aggregator.service

@@ -6,7 +6,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-aggregator
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes

debian/taler-exchange.taler-exchange-closer.service

@@ -6,7 +6,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-closer
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-closer -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes

debian/taler-exchange.taler-exchange-httpd.service

@@ -10,7 +10,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-httpd
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/exchange-service-default.conf
+ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=no

debian/taler-exchange.taler-exchange-secmod-eddsa.service

@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-secmod-eddsa
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/exchange-service-secmod.conf
+ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=no

debian/taler-exchange.taler-exchange-secmod-rsa.service

@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-secmod-rsa
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/exchange-service-secmod.conf
+ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler/taler.con
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=no

debian/taler-exchange.taler-exchange-transfer.service

@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-wire
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/exchange-service-wire.conf
+ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes

debian/taler-exchange.taler-exchange-wirewatch.service

@@ -7,7 +7,7 @@ PartOf=taler-exchange.service
 User=taler-exchange-wire
 Type=simple
 Restart=on-failure
-ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/exchange-service-wire.conf
+ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler/taler.conf
 StandardOutput=journal
 StandardError=journal
 PrivateTmp=yes

debian/taler-exchange.tmpfiles

@@ -1,4 +0,0 @@
-# Type  Path Mode User Group Age Argument
-
-# Directory for secmod server and client sockets
-d /var/taler-exchange 2660 root taler-exchange-secmod - -