merchant: start/health + certbot_renew (container nginx TLS :8081, ACME :8082)
This commit is contained in:
parent
ad85a60c62
commit
4823c8f602
13 changed files with 795 additions and 0 deletions
63
configs/taler-merchant/README.md
Normal file
63
configs/taler-merchant/README.md
Normal file
|
|
@ -0,0 +1,63 @@
|
|||
# taler-merchant (container `taler-hacktivism`)
|
||||
|
||||
Image: `localhost/taler-hacktivism-live:9010`
|
||||
Publish: **9010/tcp only**
|
||||
Labels: `org.hacktivism.service=taler-merchant`, `host_port=9010`, `site=taler.hacktivism.ch`
|
||||
|
||||
## Config layout (same pattern as exchange)
|
||||
|
||||
| Path in container | Mirror in this dir |
|
||||
|-------------------|--------------------|
|
||||
| `taler-merchant.conf` | includes documented in `taler-merchant.conf.includes.txt` |
|
||||
| `overrides.conf` | tooling — do not edit (not mirrored) |
|
||||
| **`merchant-overrides.conf`** | **`merchant-overrides.conf`** |
|
||||
| `conf.d/merchant.conf` | `conf.d-merchant.conf` |
|
||||
| nginx `sites-available/taler-merchant` | `nginx-taler-merchant.conf` |
|
||||
|
||||
Secrets (`secrets/*.secret.conf`, SMTP password) are **not** mirrored.
|
||||
|
||||
## Manual start (merchant model)
|
||||
|
||||
| Path | User | Role |
|
||||
|------|------|------|
|
||||
| `/root/start_base_services_for_taler.sh` | **root** | logs, SMS env, postgres → shell as `taler-merchant-httpd` |
|
||||
| `/usr/local/bin/start_merchant.sh` | **taler-merchant-httpd** | start / `--restart` httpd + helpers |
|
||||
| `/usr/local/bin/check_merchant-health.sh` | any | health (socket + nginx) |
|
||||
|
||||
Also under `/usr/local/bin/`: email/SMS helpers, `stats--merchant-payments.sh`.
|
||||
Certbot loop: `/root/scripts/certbot_renew.sh` (started from base script).
|
||||
|
||||
Git scripts: `scripts/taler-merchant/`.
|
||||
|
||||
## Site settings (overrides)
|
||||
|
||||
- **Default currency:** CHF (`[taler]` / `[merchant]`)
|
||||
- **Exchanges (multi-currency):**
|
||||
- CHF → `exchange.taler-ops.ch` (package default `[merchant-exchange-chf]` in `tops.conf` — do not redeclare as `merchant-exchange-tops`)
|
||||
- GOA → `exchange.hacktivism.ch` (`[merchant-exchange-goa]` in `merchant-overrides.conf`)
|
||||
- **SERVE:** unix socket → nginx :9010 SSL → Caddy :9001
|
||||
- **Self-provisioning:** YES; **no mandatory TAN** (SMS off)
|
||||
- **Terms:** `TERMS_ETAG = merchant-tos-dual-v0` — short dual-currency notice (GOA explorational + CHF real). Sources in `terms-src/`; install with `scripts/taler-merchant/install_dual_terms.sh` inside the container, then restart `taler-merchant-httpd`. Public: `https://taler.hacktivism.ch/terms`
|
||||
|
||||
Wire status is **per account × exchange**: an `x-taler-bank` GOA payto shows `ready` for hacktivism and `unsupported` for taler-ops (expected). CHF/IBAN accounts use taler-ops.
|
||||
|
||||
### Container → public exchange (pasta)
|
||||
|
||||
Inside pasta, `exchange.hacktivism.ch` must not resolve to **127.0.0.1** (merchant nginx self-signed). Pin public A in container `/etc/hosts`:
|
||||
|
||||
```
|
||||
212.51.151.254 exchange.hacktivism.ch bank.hacktivism.ch taler.hacktivism.ch
|
||||
```
|
||||
|
||||
After conf/hosts changes: `taler-merchant-exchangekeyupdate -t` and `taler-merchant-kyccheck -t`.## Ports
|
||||
|
||||
| Port | Role |
|
||||
|------|------|
|
||||
| 9010 | nginx TLS in container (podman) |
|
||||
| unix sock | `taler-merchant-httpd` |
|
||||
|
||||
## Demo instance (2026-07-09)
|
||||
|
||||
Self-provisioned shop **`goa-demo-cp4zqk`**, bank account same username, payto linked, seed **GOA:5000**.
|
||||
|
||||
Details + credential paths: **`demo-instance-goa-demo-cp4zqk.md`**.
|
||||
7
configs/taler-merchant/conf.d-merchant.conf
Normal file
7
configs/taler-merchant/conf.d-merchant.conf
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
# Package drop-in: /etc/taler-merchant/conf.d/merchant.conf
|
||||
# Read secret sections into configuration, but only
|
||||
# if we have permission to do so.
|
||||
@inline-secret@ merchantdb-postgres ../secrets/merchant-db.secret.conf
|
||||
|
||||
[merchant]
|
||||
SERVE = systemd
|
||||
71
configs/taler-merchant/merchant-overrides.conf
Normal file
71
configs/taler-merchant/merchant-overrides.conf
Normal file
|
|
@ -0,0 +1,71 @@
|
|||
# Site overrides for taler.hacktivism.ch (container taler-hacktivism).
|
||||
# Multi-currency: CHF (taler-ops) + GOA (local exchange).
|
||||
# Do not edit overrides.conf (tooling).
|
||||
|
||||
[taler]
|
||||
CURRENCY = CHF
|
||||
|
||||
### Disable package demonstrator KUDOS only
|
||||
[merchant-exchange-kudos]
|
||||
DISABLED = YES
|
||||
|
||||
[currency-KUDOS]
|
||||
ENABLED = NO
|
||||
|
||||
[merchant]
|
||||
CURRENCY = CHF
|
||||
DATABASE = postgres
|
||||
# Dual-currency short notice (GOA explorational + CHF real).
|
||||
# Install: scripts/taler-merchant/install_dual_terms.sh (inside container).
|
||||
# Bump etag when text changes so wallets/browsers drop long-lived /terms cache.
|
||||
TERMS_ETAG = merchant-tos-dual-v2
|
||||
TERMS_DIR = ${TALER_DATA_HOME}terms/
|
||||
# Swiss FADP privacy (install: scripts/taler-merchant/install_swiss_privacy.sh)
|
||||
PRIVACY_ETAG = merchant-pp-swiss-v0
|
||||
PRIVACY_DIR = ${TALER_DATA_HOME}terms/
|
||||
|
||||
UNIXPATH = /var/run/taler-merchant/httpd/merchant-http.sock
|
||||
UNIXPATH_MODE = 660
|
||||
SERVE = unix
|
||||
|
||||
DEFAULT_PERSONA = point-of-sale
|
||||
|
||||
# Demo short deadlines (package: pay 1d, refund 15d, wire 1w).
|
||||
# Wire happens after refund deadline; refund/pay windows also kept short.
|
||||
DEFAULT_PAY_DELAY = 1 minute
|
||||
DEFAULT_REFUND_DELAY = 30 s
|
||||
DEFAULT_WIRE_TRANSFER_DELAY = 30 s
|
||||
|
||||
ENABLE_SELF_PROVISIONING = YES
|
||||
# No mandatory TAN (SMS auth off)
|
||||
MANDATORY_TAN_CHANNELS =
|
||||
HELPER_EMAIL = /usr/local/bin/taler-hacktivism-email-helper.sh
|
||||
# HELPER_SMS = /usr/local/bin/taler-hacktivism-sms-helper-wrapper.sh
|
||||
|
||||
[merchantdb-postgres]
|
||||
CONFIG = postgres:///taler-merchant
|
||||
|
||||
### CHF — package default in /usr/share/taler-merchant/config.d/tops.conf
|
||||
### section [merchant-exchange-chf] → https://exchange.taler-ops.ch/
|
||||
### Do NOT redeclare the same EXCHANGE_BASE_URL under another section name
|
||||
### (exchangekeyupdate: "configured in multiple sections").
|
||||
### Ensure package CHF stays enabled (only disable KUDOS above).
|
||||
|
||||
### GOA — local exchange.hacktivism.ch (x-taler-bank / bank.hacktivism.ch)
|
||||
[merchant-exchange-goa]
|
||||
EXCHANGE_BASE_URL = https://exchange.hacktivism.ch/
|
||||
MASTER_KEY = TW6K5FXF81VYCAH0YWYX0SX98KBBSJ42VX27WAX01FTFH400QG10
|
||||
CURRENCY = GOA
|
||||
|
||||
[currency-goa]
|
||||
ENABLED = YES
|
||||
name = "GOA exploration currency"
|
||||
code = GOA
|
||||
fractional_input_digits = 8
|
||||
fractional_normal_digits = 0
|
||||
fractional_trailing_zero_digits = 0
|
||||
# Keep in sync with exchange-overrides [currency-goa] (wallet compares unit maps).
|
||||
# Scale keys only in [-8, 24] (exchange rejects outside that range).
|
||||
alt_unit_names_are_symbols = NO
|
||||
alt_unit_names = {"24":"Yotta-GOA","21":"Zetta-GOA","18":"Exa-GOA","15":"Peta-GOA","12":"Tera-GOA","9":"Giga-GOA","6":"Mega-GOA","3":"Kilo-GOA","0":"GOA","-1":"Deci-GOA","-2":"Centi-GOA","-3":"Milli-GOA","-6":"Micro-GOA","-7":"Deci-Micro-GOA","-8":"Atomic-GOA"}
|
||||
common_amounts = "GOA:10 GOA:20 GOA:50 GOA:100 GOA:200 GOA:1000"
|
||||
50
configs/taler-merchant/nginx-taler-merchant.conf
Normal file
50
configs/taler-merchant/nginx-taler-merchant.conf
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
# Container: /etc/nginx/sites-available/taler-merchant
|
||||
# Enabled: sites-enabled/taler-merchant → this file
|
||||
# Host publish: 9010/tcp (podman pasta). Caddy terminates public HTTPS and
|
||||
# reverse_proxies to https://127.0.0.1:9010 (see configs/caddy/Caddyfile).
|
||||
|
||||
server {
|
||||
listen 9010 ssl;
|
||||
listen [::]:9010 ssl;
|
||||
|
||||
server_name taler.hacktivism.ch;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/taler.hacktivism.ch/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/taler.hacktivism.ch/privkey.pem;
|
||||
|
||||
access_log /var/log/nginx/merchant.log;
|
||||
error_log /var/log/nginx/merchant.err;
|
||||
|
||||
# Public landing first (Caddy should also redir / → /intro/; this covers :9010)
|
||||
location = / {
|
||||
return 302 /intro/;
|
||||
}
|
||||
|
||||
# Merchant-httpd only serves /terms and /privacy without trailing slash
|
||||
location = /terms/ {
|
||||
return 302 /terms;
|
||||
}
|
||||
location = /privacy/ {
|
||||
return 302 /privacy;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/taler-merchant/httpd/merchant-http.sock;
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Host "taler.hacktivism.ch";
|
||||
proxy_set_header X-Forwarded-Proto "https";
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# ACME HTTP-01 is handled by Caddy :9000; this block kept for reference.
|
||||
# listen 9010;
|
||||
# listen [::]:9010;
|
||||
|
||||
server_name taler.hacktivism.ch;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/letsencrypt/.well-known/acme-challenge/;
|
||||
}
|
||||
}
|
||||
5
configs/taler-merchant/taler-merchant.conf.includes.txt
Normal file
5
configs/taler-merchant/taler-merchant.conf.includes.txt
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
# From /etc/taler-merchant/taler-merchant.conf (include order)
|
||||
@inline-matching@ conf.d/*.conf
|
||||
@inline@ overrides.conf
|
||||
# Site overrides last (glob; file is merchant-overrides.conf)
|
||||
@inline-matching@ merchant-overrides.conf
|
||||
Loading…
Add table
Add a link
Reference in a new issue