[taler-docs] branch master updated: document new configuration layout
From: gnunet
Subject: [taler-docs] branch master updated: document new configuration layout
Date: Wed, 04 Aug 2021 19:38:29 +0200
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository docs.
The following commit(s) were added to refs/heads/master by this push:
new 58cf85f document new configuration layout
58cf85f is described below
commit 58cf85f57a11641ae254cbf54b1246b187f9eb69
Author: Florian Dold <florian@dold.me>
AuthorDate: Wed Aug 4 19:38:24 2021 +0200
document new configuration layout
---
taler-exchange-setup-guide.rst | 94 +++++++++++++++++++++++++-----------------
1 file changed, 57 insertions(+), 37 deletions(-)
diff --git a/taler-exchange-setup-guide.rst b/taler-exchange-setup-guide.rst
index f950484..0853d7d 100644
--- a/taler-exchange-setup-guide.rst
+++ b/taler-exchange-setup-guide.rst
@@ -33,8 +33,8 @@ We recommend the setup of offline signing keys to be done on
a second machine th
does not have internet access.
In the guide, we mark commands that are supposed to be executed on the online
-exchange machine as `[root@exchange-online]#` / `[$user@exchange-online]$` and
commands for the offline
-machine as `[root@exchange-offline]#` /`[$user@exchange-offline]$`. It is
possible to do the entire setup
+exchange machine as ``[root@exchange-online]#`` / ``[$user@exchange-online]$``
and commands for the offline
+machine as ``[root@exchange-offline]#`` / ``[$user@exchange-offline]$``. It
is possible to do the entire setup
on one machine, but we do not recommend this for security reasons.
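Review bot: Switching the prompt markers to double backticks is the right fix for the hunk at line 33 of the RST source: in Sphinx a single-backtick span is interpreted text under the default role rather than an inline literal, so ``[$user@exchange-online]$`` would not have rendered as a literal prompt. No further change needed for this hunk.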
@@ -145,14 +145,14 @@ Services, users, groups and file system hierarchy
The *taler-exchange-httpd* package will create several system users
to compartmentalize different parts of the system:
- * taler-exchange-httpd: runs the HTTP daemon with the core business logic
- * taler-exchange-secmod-rsa: manages the RSA private online signing keys
- * taler-exchange-secmod-eddsa: manages the EdDSA private online signing keys
- * taler-exchange-closer: closes idle reserves by triggering wire transfers
that refund the originator
- * taler-exchange-aggregator: aggregates deposits into larger wire transfer
requests
- * taler-exchange-wire: performs wire transfers with the bank (via
libeufin/nexus)
- * postgres: runs the Postgres database (from *postgres* package)
- * www-data: runs the frontend HTTPS service with the TLS keys (from *nginx*
package)
+* taler-exchange-httpd: runs the HTTP daemon with the core business logic
+* taler-exchange-secmod-rsa: manages the RSA private online signing keys
+* taler-exchange-secmod-eddsa: manages the EdDSA private online signing keys
+* taler-exchange-closer: closes idle reserves by triggering wire transfers
that refund the originator
+* taler-exchange-aggregator: aggregates deposits into larger wire transfer
requests
+* taler-exchange-wire: performs wire transfers with the bank (via
libeufin/nexus)
+* postgres: runs the Postgres database (from *postgres* package)
+* www-data: runs the frontend HTTPS service with the TLS keys (from *nginx*
package)
.. note::
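Review bot: The user list in this hunk is missing a mapping to the services added later in this same patch. It names a taler-exchange-wire user that "performs wire transfers with the bank", but the service list in the following hunk has taler-exchange-transfer.service and taler-exchange-wirewatch.service and no taler-exchange-wire.service, so a reader cannot tell which system user those two services run as; please state it in the bullet (e.g. "runs taler-exchange-transfer and taler-exchange-wirewatch"). The dedent itself is correct: a bullet list indented under a paragraph is rendered by docutils as a block quote, not as a list.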
@@ -162,34 +162,34 @@ to compartmentalize different parts of the system:
The exchange setup uses the following system groups:
- * taler-exchange-db: group for all Taler users with direct database access,
specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer
and taler-exchange-aggregator
- * taler-exchange-secmod: group for processes with access to online signing
keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and
taler-exchange-httpd
- * taler-exchange-offline: group for the access to the offline private key
(only used on the offline host and not used on the online system)
+* taler-exchange-db: group for all Taler users with direct database access,
specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer
and taler-exchange-aggregator
+* taler-exchange-secmod: group for processes with access to online signing
keys, so taler-exchange-secmod-rsa, taler-exchange-secmod-eddsa and
taler-exchange-httpd
+* taler-exchange-offline: group for the access to the offline private key
(only used on the offline host and not used on the online system)
The package will deploy systemd service files in
``/usr/lib/systemd/system/`` for the various components:
- * taler-exchange-aggregator.service: service that schedules wire transfers
which combine multiple deposits to the same merchant
- * taler-exchange-closer.service: service that watches for reserves that have
been abandoned and schedules wire transfers to send the money back to the
originator
- * taler-exchange-httpd.service: main Taler exchange logic with the public
REST API
- * taler-exchange-httpd.socket: systemd socket activation for the Taler
exchange HTTP daemon
- * taler-exchange-secmod-eddsa.service: software security module for making
EdDSA signatures
- * taler-exchange-secmod-rsa.service: software security module for making RSA
signatures
- * taler-exchange-transfer.service: service that triggers outgoing wire
transfers (pays merchants)
- * taler-exchange-wirewatch.service: service that watches for incoming wire
transfers (first step of withdraw)
- * taler-exchange.target: Main target for the Taler exchange to be operational
+* taler-exchange-aggregator.service: service that schedules wire transfers
which combine multiple deposits to the same merchant
+* taler-exchange-closer.service: service that watches for reserves that have
been abandoned and schedules wire transfers to send the money back to the
originator
+* taler-exchange-httpd.service: main Taler exchange logic with the public REST
API
+* taler-exchange-httpd.socket: systemd socket activation for the Taler
exchange HTTP daemon
+* taler-exchange-secmod-eddsa.service: software security module for making
EdDSA signatures
+* taler-exchange-secmod-rsa.service: software security module for making RSA
signatures
+* taler-exchange-transfer.service: service that triggers outgoing wire
transfers (pays merchants)
+* taler-exchange-wirewatch.service: service that watches for incoming wire
transfers (first step of withdraw)
+* taler-exchange.target: Main target for the Taler exchange to be operational
The deployment creates the following key locations in the system:
- * /etc/taler/: configuration files
- * /var/run/taler/: contains the UNIX domain sockets for inter-process
communication (IPC)
- * /var/lib/taler/: serves as the $HOME for all Taler users and contains
sub-directories
- with the private keys; which keys are stored here depends on the host:
+* /etc/taler/: configuration files
+* /var/run/taler/: contains the UNIX domain sockets for inter-process
communication (IPC)
+* /var/lib/taler/: serves as the $HOME for all Taler users and contains
sub-directories
+ with the private keys; which keys are stored here depends on the host:
- - online system: exchange-secmod-eddsa and exchange-secmod-rsa keys
- - offline system: exchange-offline keys
+ * online system: exchange-secmod-eddsa and exchange-secmod-rsa keys
+ * offline system: exchange-offline keys
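Review bot: The nested list at the end of this hunk still needs a blank line before it. In RST a bullet list that directly follows paragraph text is not recognized as a list, so after "which keys are stored here depends on the host:" the lines "* online system: ..." and "* offline system: ..." will be absorbed into the paragraph as literal text; insert a blank line between "+ with the private keys; which keys are stored here depends on the host:" and "+ * online system: ...". Changing the nested marker from "-" to "*" is fine, but it does not address this.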
@@ -250,20 +250,34 @@ Typically only one Wire Gateway is used.
A Taler Wire Gateway is configured in a configuration section that follows the
pattern ``exchange-account-$id``, where ``$id`` is an internal identifier for
-the bank account accessed with the Wire Gateway. The configuration file
-``/etc/taler/conf.d/exchange-system.conf`` by default loads the section
-``exchange-account-1`` from the secret file
-``/etc/taler/secrets/exchange-accounts.secret.conf``. The latter file
-should already be only readable for the taler-exchange-wire user. Other
+the bank account accessed by the exchange. The basic information for an
account should
+be put in ``/etc/taler/conf.d/exchange-business.conf``.
+The secret credentials to access the Taler Wire Gateway API should
+be put into a corresponding ``exchange-accountcredentials-$id`` section
+in ``/etc/taler/secrets/exchange-accountcredentials.conf``.
+The latter file
+should already be only readable for the ``taler-exchange-wire`` user. Other
exchange processes should not have access to this information.
.. code-block:: ini
- :caption: /etc/taler/secrets/exchange-accounts.secret.conf
+ :caption: /etc/taler/secrets/exchange-business.conf
[exchange-account-1]
enable_credit = yes
enable_debit = yes
+ # Account identifier in the form of an RFC-8905 payto:// URI
+ # For SEPA, looks like payto://sepa/$IBAN
+ payto_uri =
+
+ @inline-secret@ exchange-accountcredentials-1
../secrets/exchange-accountcredendials.secret.conf
+
+
+.. code-block:: ini
+ :caption: /etc/taler/secrets/exchange-accountcredentials.secret.conf
+
+ [exchange-accountcredentials-1]
+
# LibEuFin expects basic auth
wire_gateway_auth_method = basic
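Review bot: The file names in this hunk do not agree with each other, which matters because the whole point of the new layout is that the credentials file is readable only by the taler-exchange-wire user. The prose says the account section goes into ``/etc/taler/conf.d/exchange-business.conf``, but the first caption reads ``/etc/taler/secrets/exchange-business.conf``; the prose says credentials go into ``/etc/taler/secrets/exchange-accountcredentials.conf``, the second caption says ``exchange-accountcredentials.secret.conf``, and the ``@inline-secret@`` line points at ``../secrets/exchange-accountcredendials.secret.conf`` (note the "credendials" typo). Please settle on one name per file and fix all three spots; the relative ``../secrets/`` path only resolves to ``/etc/taler/secrets/`` if the business file actually lives in ``conf.d/``, which supports the prose over the first caption. An operator who copies the caption path would put business config into the secrets directory, and a wrong inline-secret path would silently leave the exchange without wire gateway credentials.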
@@ -274,9 +288,6 @@ exchange processes should not have access to this
information.
# base URL of the wire gateway set up with LibEuFin
wire_gateway_url = ...
- # Account identifier in the form of an RFC-8905 payto:// URI
- # For SEPA, looks like payto://sepa/$IBAN
- payto_uri =
The Wire Gateway configuration can be tested with the following command:
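Review bot: Removing ``payto_uri`` from the credentials file is consistent with its addition to the ``[exchange-account-1]`` block in the previous hunk, and it is the right split: the payto URI is public account information, so it does not belong in a file restricted to the taler-exchange-wire user, while ``wire_gateway_auth_method`` and ``wire_gateway_url`` stay with the credentials. One documentation gap remains: the sentence "The Wire Gateway configuration can be tested with the following command:" now sits after a block that no longer shows the full set of keys in one place, so consider a one-line reminder that both sections (``exchange-account-1`` and ``exchange-accountcredentials-1``) must exist before the test command is meaningful.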
@@ -531,6 +542,15 @@ a merchant backend is not required, as the wallet acts as
a merchant.
# After enough time has passed, the money should arrive at the specified IBAN
+Summary of Variables
+====================
+
+This section summarizes all placeholder variables used in this document.
+
+
+TBD.
+
+
FIXMEs
======
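Review bot: This hunk ships a "Summary of Variables" section whose only body is "TBD.", which is a documentation gap rather than a placeholder a reader can act on. The placeholders visible in this patch alone are ``$user`` (prompt markers), ``$id`` (the ``exchange-account-$id`` and ``exchange-accountcredentials-$id`` section names) and ``$IBAN`` (the SEPA payto example), so the section could already be populated with those; otherwise it would be better to move it under the existing "FIXMEs" heading rather than present an empty section to operators.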