Magnet Bank Adapter Setup Manual

11. Magnet Bank Adapter Setup Manual#

taler-magnet-bank is a Magnet Bank Taler adapter.

This manual targets system administrators who want to install and operate a Magnet Bank GNU Taler adapter

11.1. Installation#

11.1.1. Installing on Debian#

To install the GNU Taler Debian packages, first ensure that you have the right Debian distribution. At this time, the packages are built for Debian trixie.

You need to add a file to import the GNU Taler packages. Typically, this is done by adding a file /etc/apt/sources.list.d/taler.list that looks like this:

deb [signed-by=/etc/apt/keyrings/taler-systems.gpg] https://deb.taler.net/apt/debian trixie main

Next, you must import the Taler Systems SA public package signing key into your keyring and update the package lists:

# wget -O /etc/apt/keyrings/taler-systems.gpg \
    https://taler.net/taler-systems.gpg
# apt update

Note

You may want to verify the correctness of the Taler Systems SA key out-of-band.

Now your system is ready to install the official GNU Taler binary packages using apt.

To install the adapter, you can now simply run:

# apt install taler-magnet-bank

11.1.2. Installing on Ubuntu#

To install the GNU Taler Ubuntu packages, first ensure that you have the right Ubuntu distribution. At this time, the packages are built for Ubuntu Lunar and Ubuntu Jammy. Make sure to have universe in your /etc/apt/sources.list.d/ubuntu.sources (after main) as we depend on some packages from Ubuntu universe.

A typical /etc/apt/sources.list.d/taler.list file for this setup would look like this for Ubuntu Noble:

deb [signed-by=/etc/apt/keyrings/taler-systems.gpg] https://deb.taler.net/apt/ubuntu/ noble main

Next, you must import the Taler Systems SA public package signing key into your keyring and update the package lists:

# wget -O /etc/apt/keyrings/taler-systems.gpg \
    https://taler.net/taler-systems.gpg
# apt update

Note

You may want to verify the correctness of the Taler Systems key out-of-band.

Now your system is ready to install the official GNU Taler binary packages using apt.

To install the adapter, you can now simply run:

# apt install taler-magnet-bank

11.1.3. Building from source#

Magnet Bank Adapter belongs to the Taler Rust project, and can be downloaded via Git:

$ git clone git://git.taler.net/taler-rust
$ cd taler-rust

You will need the latest version of the rust stable toolchain and a C toolchain:

$ sudo apt install rustup build-essential
$ rustup toolchain install stable

Then from top-level run:

$ ./bootstrap

11.1.3.1. Install deb package#

To install the adapter as a Debian/Ubuntu package with an automated secure setup and systemd services:

$ sudo apt install debhelper
$ make deb
$ sudo dpkg -i ../taler-magnet-bank*.deb

If the previous steps succeeded, the taler-magnet-bank command should be found in the $PATH.

11.1.3.2. Install binaries#

To install the adapter binaries and default configuration localy run:

$ ./configure --prefix=$PREFIX
$ make install

If the previous steps succeeded, the taler-magnet-bank command should be found in the $PATH.

11.1.4. Services, users, groups and file system hierarchy#

The taler-magnet-bank package will create several system users to compartmentalize different parts of the system:

  • taler-magnet-bank-httpd: runs the HTTP daemon with the API logic.

  • taler-magnet-bank-worker: runs the worker daemon interacting with the Magnet Bank API.

  • postgres: runs the PostgreSQL database (from postgresql package).

The adapter setup uses the following system groups:

  • taler-magnet-bank-db: group for all adapter users with direct database access, specifically taler-magnet-bank-httpd and taler-magnet-bank-worker.

The package will deploy systemd service files in /usr/lib/systemd/system/ for the various components:

  • taler-magnet-bank-httpd.service: adapter REST API.

  • taler-magnet-bank-httpd.socket: systemd socket activation for the HTTP daemon.

  • taler-magnet-bank-worker.service: worker deamon interacting with the Magnet Bank API.

  • taler-magnet-bank.target: main target for the adapter to be operational.

The deployment creates the following key locations in the system:

  • /etc/taler-magnet-bank/: configuration files.

  • /run/taler-magnet-bank/: contains the UNIX domain sockets for inter-process communication (IPC).

  • /var/lib/taler-magnet-bank/: serves as the $HOME for taler-magnet-bank-worker and contains the Magnet Bank authentification tokens.

11.2. Configuration Fundamentals#

This chapter provides fundamental details about the adapter configuration.

The configuration for all adapter components uses a single configuration file as entry point: /etc/taler-magnet-bank/taler-magnet-bank.conf.

System defaults are automatically loaded from files in /usr/share/taler-magnet-bank/config.d. These default files should never be modified.

The default configuration taler-magnet-bank.conf configuration file also includes all configuration files in /etc/taler-magnet-bank/conf.d. The settings from files in conf.d are only relevant to particular components of an adapter, while taler-magnet-bank.conf contains settings that affect all adapter components.

The directory /etc/taler-magnet-bank/secrets contains configuration file snippets with values that should only be readable to certain users. They are included with the @inline-secret@ directive and should end with .secret.conf.

To view the entire configuration annotated with the source of each configuration option, you can use the taler-magnet-bank config helper:

# taler-magnet-bank config dump --diagnostics

11.2.1. Configuration format#

All GNU Taler components are designed to possibly share the same configuration files. When installing a GNU Taler component, the installation deploys default values in configuration files located at ${prefix}/share/taler/config.d/ where ${prefix} is the installation prefix. Different components must be installed to the same prefix.

In order to override these defaults, the user can write a custom configuration file and either pass it to the component at execution time using the -c option, or name it taler.conf and place it under $HOME/.config/ which is where components will look by default. Note that the systemd service files pass -c /etc/taler/taler.conf, thus making /etc/taler/taler.conf the primary location for the configuration.

A config file is a text file containing sections, and each section contains maps options to their values. Configuration files follow basically the INI syntax:

[section1]
value1 = string
value2 = 23

[section2]
value21 = string
value22 = /path22

Comments start with a hash (#). Throughout the configuration, it is possible to use $-substitution for options relating to names of files or directories. It is also possible to provide defaults values for those variables that are unset, by using the following syntax: ${VAR:-default}. There are two ways a user can set the value of $-prefixable variables:

  1. by defining them under a [paths] section:

    [paths]
TALER_DEPLOYMENT_SHARED = ${HOME}/shared-data
..
[section-x]
path-x = ${TALER_DEPLOYMENT_SHARED}/x

  2. or by setting them in the environment:

    $ export VAR=/x

The configuration loader will give precedence to variables set under [path] over environment variables.

The utility taler-config, which gets installed along with the exchange, can be used get and set configuration values without directly editing the configuration file. The option -f is particularly useful to resolve pathnames, when they use several levels of $-expanded variables. See taler-config --help.

The repository git://git.taler.net/deployment contains example code for generating configuration files under deployment/netzbon/.

11.3. Basic Setup#

11.3.1. Using package script#

11.3.1.1. Database setup#

The configuration file must include a connection string that tells the adapter how it should connect to the database. The default is:

/etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf#
[magnet-bankdb-postgres]
config = postgres:///taler-magnet-bank

If the database is run on a different host, please follow the instructions from the PostgreSQL manual for configuring remote access.

Assuming the configuration is correct, the following command initializes (or upgrades) the database schema using: You can then use a script to automate a secure database setup:

$ sudo taler-magnet-bank-dbconfig

11.3.1.2. Worker setup#

You will need a Magnet Bank account to sync. Update the configuration files:

/etc/taler-magnet-bank/taler-magnet-bank.conf#
[magnet-bank]
IBAN = HU59131000073585363679133532
NAME = John Smith S.A.
/etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf#
[magnet-bank-worker]
CONSUMER_KEY = $CONSUMER_KEY
CONSUMER_SECRET = $CONSUMER_SECRET

And finaly run the setup process:

$ sudo -u taler-magnet-bank-worker taler-magnet-bank -c /etc/taler-magnet-bank/taler-magnet-bank.conf setup

11.3.1.3. Wire Gateway setup#

Update the configuration files:

/etc/taler-magnet-bank/conf.d/magnet-bank-httpd.conf#
[magnet-bank-httpd-wire-gateway-api]
ENABLED = YES
/etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf#
[magnet-bank-httpd-wire-gateway-api
AUTH_METHOD = bearer
TOKEN = $SECRET_TOKEN

Check the server is correctly configured:

$ sudo -u taler-magnet-bank-httpd taler-magnet-bank -c /etc/taler-magnet-bank/taler-magnet-bank.conf serve --check

11.3.2. Manual setup#

11.3.2.1. Database setup#

The configuration file must include a connection string that tells the adapter how it should connect to the database. The default is:

$CONFIG_FILE#
[magnet-bankdb-postgres]
config = postgres:///taler-magnet-bank

You must make sure that this database exists and is accessible to the user running the adapter before continuing. If the database is run on a different host, please follow the instructions from the PostgreSQL manual for configuring remote access.

Assuming that the configuration file exists at $CONFIG_FILE, the following command initializes (or upgrades) the database schema:

$ taler-magnet-bank -c "$CONFIG_FILE" dbinit

Update the configuration files:

$CONFIG_FILE#
[magnet-bank]
IBAN = HU59131000073585363679133532
NAME = John Smith S.A.

[magnet-bank-worker]
CONSUMER_KEY = $CONSUMER_KEY
CONSUMER_SECRET = $CONSUMER_SECRET

And finaly run the setup process:

$ taler-magnet-bank -c "$CONFIG_FILE" setup

11.3.2.2. Wire Gateway setup#

Update the configuration files:

$CONF_FILE#
[magnet-bank-httpd-wire-gateway-api]
ENABLED = YES
AUTH_METHOD = bearer
TOKEN = $SECRET_TOKEN

Check the server is correctly configured:

$ taler-magnet-bank -c "$CONF_FILE" serve --check

11.4. Deployment#

This chapter describes how to deploy the adapter once the basic installation and configuration are completed.

11.4.1. Serving#

The adapter can serve HTTP over both TCP and UNIX domain socket.

The following options are to be configured in the section [magnet-bank-httpd]:

  • SERVE: Must be set to tcp to serve HTTP over TCP, or unix to serve HTTP over a UNIX domain socket.

  • PORT: Set to the TCP port to listen on if SERVE is tcp.

  • UNIXPATH: Set to the UNIX domain socket path to listen on if SERVE is unix.

  • UNIXPATH_MODE: Number giving the mode with the access permission mask

    for the UNIXPATH (i.e. 660 = rw-rw---). Make sure to set it in such a way that your adapter has permissions to access the UNIX domain socket. The default (660) assumes that the reverse proxy is a member of the group under which the adapter HTTP server is running.

11.4.2. Reverse Proxy Setup#

By default, the taler-magnet-bank-httpd service listens for HTTP connections on a UNIX domain socket. To make the service publicly available, a reverse proxy such as nginx should be used. We strongly recommend to configure nginx to use TLS.

The taler-magnet-bank package ships with a sample configuration that can be enabled in nginx:

# vim /etc/nginx/sites-available/taler-magnet-bank
< ... customize configuration ... >
# ln -s /etc/nginx/sites-available/taler-magnet-bank /etc/nginx/sites-enabled/taler-magnet-bank
# systemctl reload nginx

With this last step, we are finally ready to launch the main adapter process.

11.4.3. Launching the adapter#

$ sudo systemctl start taler-magnet-bank.target