merchant: start/health + certbot_renew (container nginx TLS :8081, ACME :8082)

This commit is contained in:
Hernâni Marques 2026-06-29 16:11:55 +02:00
parent ad85a60c62
commit 4823c8f602
No known key found for this signature in database
13 changed files with 795 additions and 0 deletions

View file

@ -0,0 +1,63 @@
# taler-merchant (container `taler-hacktivism`)
Image: `localhost/taler-hacktivism-live:9010`
Publish: **9010/tcp only**
Labels: `org.hacktivism.service=taler-merchant`, `host_port=9010`, `site=taler.hacktivism.ch`
## Config layout (same pattern as exchange)
| Path in container | Mirror in this dir |
|-------------------|--------------------|
| `taler-merchant.conf` | includes documented in `taler-merchant.conf.includes.txt` |
| `overrides.conf` | tooling — do not edit (not mirrored) |
| **`merchant-overrides.conf`** | **`merchant-overrides.conf`** |
| `conf.d/merchant.conf` | `conf.d-merchant.conf` |
| nginx `sites-available/taler-merchant` | `nginx-taler-merchant.conf` |
Secrets (`secrets/*.secret.conf`, SMTP password) are **not** mirrored.
## Manual start (merchant model)
| Path | User | Role |
|------|------|------|
| `/root/start_base_services_for_taler.sh` | **root** | logs, SMS env, postgres → shell as `taler-merchant-httpd` |
| `/usr/local/bin/start_merchant.sh` | **taler-merchant-httpd** | start / `--restart` httpd + helpers |
| `/usr/local/bin/check_merchant-health.sh` | any | health (socket + nginx) |
Also under `/usr/local/bin/`: email/SMS helpers, `stats--merchant-payments.sh`.
Certbot loop: `/root/scripts/certbot_renew.sh` (started from base script).
Git scripts: `scripts/taler-merchant/`.
## Site settings (overrides)
- **Default currency:** CHF (`[taler]` / `[merchant]`)
- **Exchanges (multi-currency):**
- CHF → `exchange.taler-ops.ch` (package default `[merchant-exchange-chf]` in `tops.conf` — do not redeclare as `merchant-exchange-tops`)
- GOA → `exchange.hacktivism.ch` (`[merchant-exchange-goa]` in `merchant-overrides.conf`)
- **SERVE:** unix socket → nginx :9010 SSL → Caddy :9001
- **Self-provisioning:** YES; **no mandatory TAN** (SMS off)
- **Terms:** `TERMS_ETAG = merchant-tos-dual-v0` — short dual-currency notice (GOA explorational + CHF real). Sources in `terms-src/`; install with `scripts/taler-merchant/install_dual_terms.sh` inside the container, then restart `taler-merchant-httpd`. Public: `https://taler.hacktivism.ch/terms`
Wire status is **per account × exchange**: an `x-taler-bank` GOA payto shows `ready` for hacktivism and `unsupported` for taler-ops (expected). CHF/IBAN accounts use taler-ops.
### Container → public exchange (pasta)
Inside pasta, `exchange.hacktivism.ch` must not resolve to **127.0.0.1** (merchant nginx self-signed). Pin public A in container `/etc/hosts`:
```
212.51.151.254 exchange.hacktivism.ch bank.hacktivism.ch taler.hacktivism.ch
```
After conf/hosts changes: `taler-merchant-exchangekeyupdate -t` and `taler-merchant-kyccheck -t`.## Ports
| Port | Role |
|------|------|
| 9010 | nginx TLS in container (podman) |
| unix sock | `taler-merchant-httpd` |
## Demo instance (2026-07-09)
Self-provisioned shop **`goa-demo-cp4zqk`**, bank account same username, payto linked, seed **GOA:5000**.
Details + credential paths: **`demo-instance-goa-demo-cp4zqk.md`**.

View file

@ -0,0 +1,7 @@
# Package drop-in: /etc/taler-merchant/conf.d/merchant.conf
# Read secret sections into configuration, but only
# if we have permission to do so.
@inline-secret@ merchantdb-postgres ../secrets/merchant-db.secret.conf
[merchant]
SERVE = systemd

View file

@ -0,0 +1,71 @@
# Site overrides for taler.hacktivism.ch (container taler-hacktivism).
# Multi-currency: CHF (taler-ops) + GOA (local exchange).
# Do not edit overrides.conf (tooling).
[taler]
CURRENCY = CHF
### Disable package demonstrator KUDOS only
[merchant-exchange-kudos]
DISABLED = YES
[currency-KUDOS]
ENABLED = NO
[merchant]
CURRENCY = CHF
DATABASE = postgres
# Dual-currency short notice (GOA explorational + CHF real).
# Install: scripts/taler-merchant/install_dual_terms.sh (inside container).
# Bump etag when text changes so wallets/browsers drop long-lived /terms cache.
TERMS_ETAG = merchant-tos-dual-v2
TERMS_DIR = ${TALER_DATA_HOME}terms/
# Swiss FADP privacy (install: scripts/taler-merchant/install_swiss_privacy.sh)
PRIVACY_ETAG = merchant-pp-swiss-v0
PRIVACY_DIR = ${TALER_DATA_HOME}terms/
UNIXPATH = /var/run/taler-merchant/httpd/merchant-http.sock
UNIXPATH_MODE = 660
SERVE = unix
DEFAULT_PERSONA = point-of-sale
# Demo short deadlines (package: pay 1d, refund 15d, wire 1w).
# Wire happens after refund deadline; refund/pay windows also kept short.
DEFAULT_PAY_DELAY = 1 minute
DEFAULT_REFUND_DELAY = 30 s
DEFAULT_WIRE_TRANSFER_DELAY = 30 s
ENABLE_SELF_PROVISIONING = YES
# No mandatory TAN (SMS auth off)
MANDATORY_TAN_CHANNELS =
HELPER_EMAIL = /usr/local/bin/taler-hacktivism-email-helper.sh
# HELPER_SMS = /usr/local/bin/taler-hacktivism-sms-helper-wrapper.sh
[merchantdb-postgres]
CONFIG = postgres:///taler-merchant
### CHF — package default in /usr/share/taler-merchant/config.d/tops.conf
### section [merchant-exchange-chf] → https://exchange.taler-ops.ch/
### Do NOT redeclare the same EXCHANGE_BASE_URL under another section name
### (exchangekeyupdate: "configured in multiple sections").
### Ensure package CHF stays enabled (only disable KUDOS above).
### GOA — local exchange.hacktivism.ch (x-taler-bank / bank.hacktivism.ch)
[merchant-exchange-goa]
EXCHANGE_BASE_URL = https://exchange.hacktivism.ch/
MASTER_KEY = TW6K5FXF81VYCAH0YWYX0SX98KBBSJ42VX27WAX01FTFH400QG10
CURRENCY = GOA
[currency-goa]
ENABLED = YES
name = "GOA exploration currency"
code = GOA
fractional_input_digits = 8
fractional_normal_digits = 0
fractional_trailing_zero_digits = 0
# Keep in sync with exchange-overrides [currency-goa] (wallet compares unit maps).
# Scale keys only in [-8, 24] (exchange rejects outside that range).
alt_unit_names_are_symbols = NO
alt_unit_names = {"24":"Yotta-GOA","21":"Zetta-GOA","18":"Exa-GOA","15":"Peta-GOA","12":"Tera-GOA","9":"Giga-GOA","6":"Mega-GOA","3":"Kilo-GOA","0":"GOA","-1":"Deci-GOA","-2":"Centi-GOA","-3":"Milli-GOA","-6":"Micro-GOA","-7":"Deci-Micro-GOA","-8":"Atomic-GOA"}
common_amounts = "GOA:10 GOA:20 GOA:50 GOA:100 GOA:200 GOA:1000"

View file

@ -0,0 +1,50 @@
# Container: /etc/nginx/sites-available/taler-merchant
# Enabled: sites-enabled/taler-merchant → this file
# Host publish: 9010/tcp (podman pasta). Caddy terminates public HTTPS and
# reverse_proxies to https://127.0.0.1:9010 (see configs/caddy/Caddyfile).
server {
listen 9010 ssl;
listen [::]:9010 ssl;
server_name taler.hacktivism.ch;
ssl_certificate /etc/letsencrypt/live/taler.hacktivism.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/taler.hacktivism.ch/privkey.pem;
access_log /var/log/nginx/merchant.log;
error_log /var/log/nginx/merchant.err;
# Public landing first (Caddy should also redir / → /intro/; this covers :9010)
location = / {
return 302 /intro/;
}
# Merchant-httpd only serves /terms and /privacy without trailing slash
location = /terms/ {
return 302 /terms;
}
location = /privacy/ {
return 302 /privacy;
}
location / {
proxy_pass http://unix:/var/run/taler-merchant/httpd/merchant-http.sock;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host "taler.hacktivism.ch";
proxy_set_header X-Forwarded-Proto "https";
}
}
server {
# ACME HTTP-01 is handled by Caddy :9000; this block kept for reference.
# listen 9010;
# listen [::]:9010;
server_name taler.hacktivism.ch;
location /.well-known/acme-challenge/ {
alias /var/www/letsencrypt/.well-known/acme-challenge/;
}
}

View file

@ -0,0 +1,5 @@
# From /etc/taler-merchant/taler-merchant.conf (include order)
@inline-matching@ conf.d/*.conf
@inline@ overrides.conf
# Site overrides last (glob; file is merchant-overrides.conf)
@inline-matching@ merchant-overrides.conf