Close the remaining "secrets touch a plaintext file" gap. The unattended
restart mode now SEALS the operator-chosen wallet password to the host with
`systemd-creds encrypt` (ciphertext at rest, read via LoadCredentialEncrypted,
decrypted into a tmpfs credentials dir at each start), so no plaintext wallet
key is written to disk. When systemd-creds is unavailable it falls back to the
legacy root-owned 0400 plaintext file with a loud warning, and re-running
`setup --reconfigure` once it is available upgrades to encryption.
- wizard: seal via systemd-creds (injectable for tests), write the
encrypted.conf drop-in, keep the manual.conf tmpfs path unchanged;
reconfiguring a till that keeps no readable password on disk (encrypted or
manual) now prompts for the existing password to reopen the wallet.
- startup: loud deprecation warning when a money secret (GP_MNEMONIC,
GP_WALLET_PASSWORD, GP_NSEC) is supplied INLINE rather than via a *_FILE or
systemd credential; the value is never logged, only the variable name.
- docs: README, .env.example, install.sh, and the systemd unit updated to the
encrypted-at-rest default and the honest fallback/trade-off.
Tests: gp-core config + gp-core/gp-server setup cover the inline-secret warning,
the encrypted drop-in, the sealed-vs-plaintext shapes, and encrypted
reconfigure. Full workspace suite green; fmt introduces no new drift; clippy
-D warnings clean on the workspace crates.
Make the gp-server setup wizard grin-wallet-faithful about the two secrets
that belong to the operator, and let them decide how the till restarts.
- Wallet password: the wizard now PROMPTS for it (entered twice, confirmed to
match, hidden echo on a TTY) instead of auto-generating it. Only the service
secrets (API token, admin token, webhook secret) are still generated.
- Seed: a fresh 24-word seed is shown once and gated behind an explicit
"wrote it down" acknowledgement before proceeding, like grin-wallet init; the
paste-existing-recovery-phrase path is kept and gated the same way.
- Restart mode: the wizard offers both and defaults to unattended. Unattended
seals the chosen password to the host as a 0400 systemd credential so the
service auto-restarts (honest trade-off disclosed). Manual persists nothing
and writes a gp-server.service.d/manual.conf drop-in that repoints the
credential to a tmpfs path the operator populates via systemd-ask-password at
each start.
- Pure helpers (validate_password, passwords_match, RestartMode/parse, parse_ack,
render_manual_dropin, mode-aware render_env) unit-tested in gp-core; wizard
flow tested in gp-server (fresh/paste, unattended/manual, mismatch reprompt).
- Reconfigure keeps an existing wallet's seed, password, and restart mode
untouched (never re-prompts), so a running till is undisturbed.
- Updated deploy/gp-server.service, deploy/.env.example, README, and the
WooCommerce/Medusa quickstarts to drop all auto-generated-password wording.
- gp-server.service: drop the GP_MNEMONIC credential from the default unit
(the seed lives only encrypted at rest + the operator's written backup);
keep GP_WALLET_PASSWORD_FILE via LoadCredential. A commented first-boot-only
bootstrap remains for the no-wizard path.
- install.sh: end by offering to run `gp-server setup` (no longer pre-writes
the env file, which would block the wizard's re-run guard).
- package-woocommerce.sh: build goblinpay-woocommerce.zip (single top-level
folder) as a release artifact.
- WooCommerce plugin: fix the default server URL port (8192 -> 8080) to match
the server's default bind; same fix in the connector README/INSTALL.
Multi-stage non-root Dockerfile (builds -p gp-server against the nip44/nym siblings; excludes the goblin-tree dev crate), a full docker-compose (server + bundled nostr-rs-relay + auto-HTTPS Caddy), a hardened systemd unit (DynamicUser, ProtectSystem=strict, NoNewPrivileges, seed via LoadCredential), an install.sh bare-metal bootstrap, .env.example, and an fmt+clippy+test CI workflow for Gitea and GitHub.