feat(cdk-mintd): move remote signatory config into its own section

crates/cdk-integration-tests/src/bin/start_fake_mint.rs

@@ -53,10 +53,13 @@ async fn start_fake_mint(
 ) -> Result<tokio::task::JoinHandle<()>> {
     let signatory_config = if external_signatory {
         println!("Configuring external signatory");
-        Some((
-            "https://127.0.0.1:15060".to_string(),  // Default signatory URL
-            temp_dir.to_string_lossy().to_string(), // Certs directory as string
-        ))
+        Some(cdk_mintd::config::Signatory {
+            enabled: true,
+            address: "127.0.0.1".to_string(),
+            port: 15060,
+            tls_dir: Some(temp_dir.to_path_buf()),
+            allow_insecure: false,
+        })
     } else {
         None
     };

crates/cdk-integration-tests/src/bin/start_regtest_mints.rs

@@ -445,8 +445,6 @@ fn create_ldk_settings(
                 "eye survey guilt napkin crystal cup whisper salt luggage manage unveil loyal"
                     .to_string(),
             ),
-            signatory_url: None,
-            signatory_certs: None,
             input_fee_ppk: None,
             use_keyset_v2: None,
             http_cache: cdk_axum::cache::Config::default(),
@@ -555,8 +553,6 @@ fn create_onchain_settings(port: u16) -> cdk_mintd::config::Settings {
                 "eye survey guilt napkin crystal cup whisper salt luggage manage unveil loyal"
                     .to_string(),
             ),
-            signatory_url: None,
-            signatory_certs: None,
             input_fee_ppk: None,
             use_keyset_v2: None,
             http_cache: cdk_axum::cache::Config::default(),

crates/cdk-integration-tests/src/shared.rs

@@ -159,7 +159,7 @@ pub fn create_fake_wallet_settings(
     port: u16,
     database: &str,
     mnemonic: Option<String>,
-    signatory_config: Option<(String, String)>, // (url, certs_dir)
+    signatory_config: Option<cdk_mintd::config::Signatory>,
     fake_wallet_config: Option<cdk_mintd::config::FakeWallet>,
     onchain_config: Option<cdk_mintd::config::Onchain>,
 ) -> cdk_mintd::config::Settings {
@@ -187,10 +187,6 @@ pub fn create_fake_wallet_settings(
             listen_port: port,
             seed: None,
             mnemonic: mnemonic.clone(),
-            signatory_url: signatory_config.as_ref().map(|(url, _)| url.clone()),
-            signatory_certs: signatory_config
-                .as_ref()
-                .map(|(_, certs_dir)| certs_dir.clone()),
             input_fee_ppk: None,
             use_keyset_v2: None,
             http_cache: cache::Config::default(),
@@ -201,6 +197,7 @@ pub fn create_fake_wallet_settings(
             },
             enable_info_page: None,
         },
+        signatory: signatory_config,
         mint_info: cdk_mintd::config::MintInfo::default(),
         limits: cdk_mintd::config::Limits::default(),
         ln: vec![
@@ -262,8 +259,6 @@ pub fn create_cln_settings(
             listen_port: port,
             seed: None,
             mnemonic: Some(mnemonic),
-            signatory_url: None,
-            signatory_certs: None,
             input_fee_ppk: None,
             use_keyset_v2: None,
             http_cache: cache::Config::default(),
@@ -318,8 +313,6 @@ pub fn create_lnd_settings(
             listen_port: port,
             seed: None,
             mnemonic: Some(mnemonic),
-            signatory_url: None,
-            signatory_certs: None,
             input_fee_ppk: None,
             use_keyset_v2: None,
             http_cache: cache::Config::default(),

crates/cdk-mintd/example.config.toml

@@ -27,6 +27,13 @@ melt_ttl = 120
 # Log level for file output (default: "debug")
 # file_level = "debug"
 
+[signatory]
+enabled = false
+# address = "127.0.0.1"
+# port = 15060
+# tls_dir = "/path/to/tls"
+# allow_insecure = false
+
 [mint_management_rpc]
 enabled = false
 # address = "127.0.0.1"
@@ -320,7 +327,7 @@ max_delay_time = 3
 
 # [grpc_processor]
 # gRPC Payment Processor configuration
-# addr = "127.0.0.1"
+# address = "127.0.0.1"
 # port = 50051
 # tls_dir = "/path/to/tls"
 # allow_insecure = false

crates/cdk-mintd/src/config.rs

@@ -54,8 +54,6 @@ pub struct Info {
     /// Overrides mnemonic
     pub seed: Option<String>,
     pub mnemonic: Option<String>,
-    pub signatory_url: Option<String>,
-    pub signatory_certs: Option<String>,
     pub input_fee_ppk: Option<u64>,
     /// Use keyset v2
     pub use_keyset_v2: Option<bool>,
@@ -87,8 +85,6 @@ impl Default for Info {
             listen_port: 8091, // Default to port 8091 instead of 0
             seed: None,
             mnemonic: None,
-            signatory_url: None,
-            signatory_certs: None,
             input_fee_ppk: None,
             use_keyset_v2: None,
             http_cache: cache::Config::default(),
@@ -107,7 +103,7 @@ impl std::fmt::Debug for Info {
                 let hash = sha256::Hash::hash(mnemonic.as_bytes());
                 format!("<hashed: {hash}>")
             } else {
-                format!("<url: {}>", self.signatory_url.clone().unwrap_or_default())
+                "<not set>".to_string()
             }
         };
 
@@ -125,6 +121,40 @@ impl std::fmt::Debug for Info {
     }
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct Signatory {
+    #[serde(default)]
+    pub enabled: bool,
+    #[serde(default = "default_signatory_address")]
+    pub address: String,
+    #[serde(default = "default_signatory_port")]
+    pub port: u16,
+    #[serde(default)]
+    pub tls_dir: Option<PathBuf>,
+    #[serde(default)]
+    pub allow_insecure: bool,
+}
+
+impl Default for Signatory {
+    fn default() -> Self {
+        Self {
+            enabled: false,
+            address: default_signatory_address(),
+            port: default_signatory_port(),
+            tls_dir: None,
+            allow_insecure: false,
+        }
+    }
+}
+
+fn default_signatory_address() -> String {
+    "127.0.0.1".to_string()
+}
+
+fn default_signatory_port() -> u16 {
+    15060
+}
+
 #[derive(Debug, Serialize, Deserialize, Clone, PartialEq, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum LnBackend {
@@ -845,8 +875,8 @@ fn default_fake_wallet_supported_units() -> Vec<CurrencyUnit> {
 pub struct GrpcProcessor {
     #[serde(default)]
     pub supported_units: Vec<CurrencyUnit>,
-    #[serde(default = "default_grpc_addr")]
-    pub addr: String,
+    #[serde(default = "default_grpc_address", alias = "addr")]
+    pub address: String,
     #[serde(default = "default_grpc_port")]
     pub port: u16,
     #[serde(default)]
@@ -859,15 +889,15 @@ impl Default for GrpcProcessor {
     fn default() -> Self {
         Self {
             supported_units: Vec::new(),
-            addr: default_grpc_addr(),
+            address: default_grpc_address(),
             port: default_grpc_port(),
             tls_dir: None,
             allow_insecure: false,
         }
     }
 }
 
-fn default_grpc_addr() -> String {
+fn default_grpc_address() -> String {
     "127.0.0.1".to_string()
 }
 
@@ -1004,6 +1034,7 @@ fn default_blind() -> AuthType {
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct Settings {
     pub info: Info,
+    pub signatory: Option<Signatory>,
     pub mint_info: MintInfo,
     #[serde(default, deserialize_with = "deserialize_ln")]
     pub ln: Vec<Ln>,
@@ -1209,9 +1240,13 @@ impl Settings {
             // override with file contents
             .add_source(File::with_name(&config))
             .build()?;
-        let settings: Settings = config.try_deserialize()?;
+        config.try_deserialize()
+    }
 
-        Ok(settings)
+    pub(crate) fn enabled_signatory(&self) -> Option<&Signatory> {
+        self.signatory
+            .as_ref()
+            .filter(|signatory| signatory.enabled)
     }
 }
 
@@ -2225,7 +2260,7 @@ max_melt = 500000
         // Verify that settings were populated from env vars
         assert!(settings.grpc_processor.is_some());
         let grpc_config = settings.grpc_processor.as_ref().unwrap();
-        assert_eq!(grpc_config.addr, "localhost");
+        assert_eq!(grpc_config.address, "localhost");
         assert_eq!(grpc_config.port, 50051);
 
         // Cleanup env vars

crates/cdk-mintd/src/env_vars/common.rs

@@ -8,8 +8,11 @@ pub const ENV_LISTEN_HOST: &str = "CDK_MINTD_LISTEN_HOST";
 pub const ENV_LISTEN_PORT: &str = "CDK_MINTD_LISTEN_PORT";
 pub const ENV_SEED: &str = "CDK_MINTD_SEED";
 pub const ENV_MNEMONIC: &str = "CDK_MINTD_MNEMONIC";
-pub const ENV_SIGNATORY_URL: &str = "CDK_MINTD_SIGNATORY_URL";
-pub const ENV_SIGNATORY_CERTS: &str = "CDK_MINTD_SIGNATORY_CERTS";
+pub const ENV_SIGNATORY_ENABLED: &str = "CDK_MINTD_SIGNATORY_ENABLED";
+pub const ENV_SIGNATORY_ADDRESS: &str = "CDK_MINTD_SIGNATORY_ADDRESS";
+pub const ENV_SIGNATORY_PORT: &str = "CDK_MINTD_SIGNATORY_PORT";
+pub const ENV_SIGNATORY_TLS_DIR: &str = "CDK_MINTD_SIGNATORY_TLS_DIR";
+pub const ENV_SIGNATORY_ALLOW_INSECURE: &str = "CDK_MINTD_SIGNATORY_ALLOW_INSECURE";
 pub const ENV_SECONDS_QUOTE_VALID: &str = "CDK_MINTD_SECONDS_QUOTE_VALID";
 pub const ENV_CACHE_SECONDS: &str = "CDK_MINTD_CACHE_SECONDS";
 pub const ENV_EXTEND_CACHE_SECONDS: &str = "CDK_MINTD_EXTEND_CACHE_SECONDS";

crates/cdk-mintd/src/env_vars/grpc_processor.rs

@@ -28,7 +28,7 @@ impl GrpcProcessor {
         }
 
         if let Ok(addr) = env::var(ENV_GRPC_PROCESSOR_ADDRESS) {
-            self.addr = addr;
+            self.address = addr;
         }
 
         if let Ok(port) = env::var(ENV_GRPC_PROCESSOR_PORT) {

crates/cdk-mintd/src/env_vars/info.rs

@@ -25,14 +25,6 @@ impl Info {
             }
         }
 
-        if let Ok(signatory_url) = env::var(ENV_SIGNATORY_URL) {
-            self.signatory_url = Some(signatory_url);
-        }
-
-        if let Ok(signatory_certs) = env::var(ENV_SIGNATORY_CERTS) {
-            self.signatory_certs = Some(signatory_certs);
-        }
-
         if let Ok(seed) = env::var(ENV_SEED) {
             self.seed = Some(seed);
         }

crates/cdk-mintd/src/env_vars/mod.rs

@@ -11,6 +11,7 @@ mod limits;
 mod ln;
 mod mint_info;
 mod onchain;
+mod signatory;
 
 mod auth;
 #[cfg(feature = "bdk")]
@@ -95,6 +96,8 @@ impl Settings {
         });
 
         self.info = self.info.clone().from_env();
+        self.signatory = Some(self.signatory.clone().unwrap_or_default().from_env());
+
         self.mint_info = self.mint_info.clone().from_env();
         // CDK_MINTD_LN_* env vars only apply when there is exactly one
         // configured Lightning entry. Multi-backend setups must choose units

crates/cdk-mintd/src/env_vars/signatory.rs

@@ -0,0 +1,86 @@
+//! Remote signatory environment variables
+
+use std::env;
+
+use super::common::*;
+use crate::config::Signatory;
+
+impl Signatory {
+    pub fn from_env(mut self) -> Self {
+        if let Ok(enabled) = env::var(ENV_SIGNATORY_ENABLED) {
+            if let Ok(enabled) = enabled.parse() {
+                self.enabled = enabled;
+            }
+        }
+
+        if let Ok(addr) = env::var(ENV_SIGNATORY_ADDRESS) {
+            self.address = addr;
+        }
+
+        if let Ok(port) = env::var(ENV_SIGNATORY_PORT) {
+            if let Ok(port) = port.parse() {
+                self.port = port;
+            }
+        }
+
+        if let Ok(tls_dir) = env::var(ENV_SIGNATORY_TLS_DIR) {
+            self.tls_dir = Some(tls_dir.into());
+        }
+
+        if let Ok(allow_insecure) = env::var(ENV_SIGNATORY_ALLOW_INSECURE) {
+            if let Ok(allow_insecure) = allow_insecure.parse() {
+                self.allow_insecure = allow_insecure;
+            }
+        }
+
+        self
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::path::PathBuf;
+
+    use super::*;
+
+    fn env_lock() -> std::sync::MutexGuard<'static, ()> {
+        static ENV_LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());
+
+        ENV_LOCK
+            .lock()
+            .expect("signatory env test lock should not be poisoned")
+    }
+
+    fn clear_env_vars() {
+        env::remove_var(ENV_SIGNATORY_ENABLED);
+        env::remove_var(ENV_SIGNATORY_ADDRESS);
+        env::remove_var(ENV_SIGNATORY_PORT);
+        env::remove_var(ENV_SIGNATORY_TLS_DIR);
+        env::remove_var(ENV_SIGNATORY_ALLOW_INSECURE);
+    }
+
+    #[test]
+    fn signatory_from_env_reads_enabled_and_connection_fields() {
+        let _guard = env_lock();
+        clear_env_vars();
+
+        env::set_var(ENV_SIGNATORY_ENABLED, "true");
+        env::set_var(ENV_SIGNATORY_ADDRESS, "0.0.0.0");
+        env::set_var(ENV_SIGNATORY_PORT, "15061");
+        env::set_var(ENV_SIGNATORY_TLS_DIR, "/var/lib/cdk/signatory-tls");
+        env::set_var(ENV_SIGNATORY_ALLOW_INSECURE, "true");
+
+        let signatory = Signatory::default().from_env();
+
+        assert!(signatory.enabled);
+        assert_eq!(signatory.address, "0.0.0.0");
+        assert_eq!(signatory.port, 15061);
+        assert_eq!(
+            signatory.tls_dir,
+            Some(PathBuf::from("/var/lib/cdk/signatory-tls"))
+        );
+        assert!(signatory.allow_insecure);
+
+        clear_env_vars();
+    }
+}