4 Commits

Author SHA1 Message Date
2ro b2e11ff1fe security: encrypt the wallet password at rest + deprecate inline secrets
Close the remaining "secrets touch a plaintext file" gap. The unattended
restart mode now SEALS the operator-chosen wallet password to the host with
`systemd-creds encrypt` (ciphertext at rest, read via LoadCredentialEncrypted,
decrypted into a tmpfs credentials dir at each start), so no plaintext wallet
key is written to disk. When systemd-creds is unavailable it falls back to the
legacy root-owned 0400 plaintext file with a loud warning, and re-running
`setup --reconfigure` once it is available upgrades to encryption.

- wizard: seal via systemd-creds (injectable for tests), write the
  encrypted.conf drop-in, keep the manual.conf tmpfs path unchanged;
  reconfiguring a till that keeps no readable password on disk (encrypted or
  manual) now prompts for the existing password to reopen the wallet.
- startup: loud deprecation warning when a money secret (GP_MNEMONIC,
  GP_WALLET_PASSWORD, GP_NSEC) is supplied INLINE rather than via a *_FILE or
  systemd credential; the value is never logged, only the variable name.
- docs: README, .env.example, install.sh, and the systemd unit updated to the
  encrypted-at-rest default and the honest fallback/trade-off.

Tests: gp-core config + gp-core/gp-server setup cover the inline-secret warning,
the encrypted drop-in, the sealed-vs-plaintext shapes, and encrypted
reconfigure. Full workspace suite green; fmt introduces no new drift; clippy
-D warnings clean on the workspace crates.
2026-07-06 20:17:52 -04:00
2ro e404aca7b4 setup: operator-chosen wallet password + seed acknowledgement + restart-mode choice
ci / fmt / clippy / test (push) Has been cancelled
Make the gp-server setup wizard grin-wallet-faithful about the two secrets
that belong to the operator, and let them decide how the till restarts.

- Wallet password: the wizard now PROMPTS for it (entered twice, confirmed to
  match, hidden echo on a TTY) instead of auto-generating it. Only the service
  secrets (API token, admin token, webhook secret) are still generated.
- Seed: a fresh 24-word seed is shown once and gated behind an explicit
  "wrote it down" acknowledgement before proceeding, like grin-wallet init; the
  paste-existing-recovery-phrase path is kept and gated the same way.
- Restart mode: the wizard offers both and defaults to unattended. Unattended
  seals the chosen password to the host as a 0400 systemd credential so the
  service auto-restarts (honest trade-off disclosed). Manual persists nothing
  and writes a gp-server.service.d/manual.conf drop-in that repoints the
  credential to a tmpfs path the operator populates via systemd-ask-password at
  each start.
- Pure helpers (validate_password, passwords_match, RestartMode/parse, parse_ack,
  render_manual_dropin, mode-aware render_env) unit-tested in gp-core; wizard
  flow tested in gp-server (fresh/paste, unattended/manual, mismatch reprompt).
- Reconfigure keeps an existing wallet's seed, password, and restart mode
  untouched (never re-prompts), so a running till is undisturbed.
- Updated deploy/gp-server.service, deploy/.env.example, README, and the
  WooCommerce/Medusa quickstarts to drop all auto-generated-password wording.
2026-07-05 14:41:00 -04:00
2ro fba3e6ff03 deploy: wizard-first install, drop GP_MNEMONIC from the unit, plugin zip + port fix
- gp-server.service: drop the GP_MNEMONIC credential from the default unit
  (the seed lives only encrypted at rest + the operator's written backup);
  keep GP_WALLET_PASSWORD_FILE via LoadCredential. A commented first-boot-only
  bootstrap remains for the no-wizard path.
- install.sh: end by offering to run `gp-server setup` (no longer pre-writes
  the env file, which would block the wizard's re-run guard).
- package-woocommerce.sh: build goblinpay-woocommerce.zip (single top-level
  folder) as a release artifact.
- WooCommerce plugin: fix the default server URL port (8192 -> 8080) to match
  the server's default bind; same fix in the connector README/INSTALL.
2026-07-05 01:02:30 -04:00
2ro 3fdf4a230c M11: reproducible deploy pipeline
Multi-stage non-root Dockerfile (builds -p gp-server against the nip44/nym siblings; excludes the goblin-tree dev crate), a full docker-compose (server + bundled nostr-rs-relay + auto-HTTPS Caddy), a hardened systemd unit (DynamicUser, ProtectSystem=strict, NoNewPrivileges, seed via LoadCredential), an install.sh bare-metal bootstrap, .env.example, and an fmt+clippy+test CI workflow for Gitea and GitHub.
2026-07-03 03:22:43 -04:00