authorChristian Grothoff <christian@grothoff.org>2020-02-17 21:20:12 +0100
committerChristian Grothoff <christian@grothoff.org>2020-02-17 21:20:12 +0100
commit21c6b40156db5a505215d4ce57fcab0ff6691300 (patch)
tree9dd8b61796c86e1b6694406ad3660cf64d00ce09 /historic
parentbe061b4da9a8850412c216bdf49589e6951527c5 (diff)
downloaddeployment-21c6b40156db5a505215d4ce57fcab0ff6691300.tar.gz
deployment-21c6b40156db5a505215d4ce57fcab0ff6691300.tar.bz2
deployment-21c6b40156db5a505215d4ce57fcab0ff6691300.zip
move unmaintained files to historic/
Diffstat (limited to 'historic')
-rw-r--r--historic/docker/README90
-rw-r--r--historic/docker/TODO28
-rw-r--r--historic/docker/base/Dockerfile54
-rw-r--r--historic/docker/base/README7
-rw-r--r--historic/docker/debug/client/Dockerfile7
-rwxr-xr-xhistoric/docker/debug/client/dbstart.sh4
-rw-r--r--historic/docker/debug/docker-compose.yml9
-rw-r--r--historic/docker/debug/shell/Dockerfile4
-rw-r--r--historic/docker/exchange/Dockerfile17
-rw-r--r--historic/docker/exchange/README12
-rw-r--r--historic/docker/exchange/docker-compose.yml19
-rwxr-xr-xhistoric/docker/exchange/entry_point.sh23
-rw-r--r--historic/docker/merchant/Dockerfile19
-rw-r--r--historic/docker/merchant/docker-compose.yml21
-rwxr-xr-xhistoric/docker/merchant/entry_point.sh13
-rw-r--r--historic/docker/merchant/exchange_pub.txt1
-rw-r--r--historic/docker/merchant/exchange_url.txt1
-rw-r--r--historic/docker/nginx/Dockerfile3
-rw-r--r--historic/docker/nginx/nginx.conf33
-rw-r--r--historic/docker/nginx/proxy.conf14
-rw-r--r--historic/docker/postgres/Dockerfile1
-rw-r--r--historic/docker/postgres/README3
-rw-r--r--historic/docker/taler-full/Dockerfile59
-rw-r--r--historic/docker/taler-full/README2
-rwxr-xr-xhistoric/guix/build.sh2
-rw-r--r--historic/guix/config.scm302
-rw-r--r--historic/guix/custom-packages/postfix.scm133
-rw-r--r--historic/guix/etc/aliases110
-rw-r--r--historic/guix/etc/cgitrc73
-rw-r--r--historic/guix/etc/nginx/apps/drupal/admin_basic_auth.conf12
-rw-r--r--historic/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf10
-rw-r--r--historic/guix/etc/nginx/apps/drupal/drupal.conf347
-rw-r--r--historic/guix/etc/nginx/apps/drupal/drupal_boost.conf377
-rw-r--r--historic/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf382
-rw-r--r--historic/guix/etc/nginx/apps/drupal/drupal_cron_update.conf40
-rw-r--r--historic/guix/etc/nginx/apps/drupal/drupal_escaped.conf347
-rw-r--r--historic/guix/etc/nginx/apps/drupal/drupal_install.conf16
-rw-r--r--historic/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf23
-rw-r--r--historic/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf43
-rw-r--r--historic/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf43
-rw-r--r--historic/guix/etc/nginx/apps/drupal/hotlinking_protection.conf10
-rw-r--r--historic/guix/etc/nginx/apps/drupal/map_cache.conf39
-rw-r--r--historic/guix/etc/nginx/apps/drupal/microcache_fcgi.conf39
-rw-r--r--historic/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf51
-rw-r--r--historic/guix/etc/nginx/apps/drupal/microcache_proxy.conf53
-rw-r--r--historic/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf54
-rw-r--r--historic/guix/etc/nginx/conf.d/favicon_robots11
-rw-r--r--historic/guix/etc/nginx/conf.d/talerssl14
-rw-r--r--historic/guix/etc/nginx/fastcgi.conf26
-rw-r--r--historic/guix/etc/nginx/fastcgi_params25
-rw-r--r--historic/guix/etc/nginx/koi-utf109
-rw-r--r--historic/guix/etc/nginx/koi-win103
-rw-r--r--historic/guix/etc/nginx/mime.types89
-rw-r--r--historic/guix/etc/nginx/nginx.conf82
-rw-r--r--historic/guix/etc/nginx/proxy_params4
-rw-r--r--historic/guix/etc/nginx/scgi_params17
-rw-r--r--historic/guix/etc/nginx/sites-available/blog-demo.site43
-rw-r--r--historic/guix/etc/nginx/sites-available/default.site86
-rw-r--r--historic/guix/etc/nginx/sites-available/drupal-demo-ssl.site49
-rw-r--r--historic/guix/etc/nginx/sites-available/drupal-demo.site40
-rw-r--r--historic/guix/etc/nginx/sites-available/ghm_videos.site25
-rw-r--r--historic/guix/etc/nginx/sites-available/www.git-ssl.site25
-rw-r--r--historic/guix/etc/nginx/sites-available/www.git.site24
-rw-r--r--historic/guix/etc/nginx/sites-enabled/api-ssl.site9
-rw-r--r--historic/guix/etc/nginx/sites-enabled/api.site8
-rw-r--r--historic/guix/etc/nginx/sites-enabled/buildbot-ssl.site23
-rw-r--r--historic/guix/etc/nginx/sites-enabled/buildbot.site14
-rw-r--r--historic/guix/etc/nginx/sites-enabled/decentralise-ssl.site14
-rw-r--r--historic/guix/etc/nginx/sites-enabled/decentralise.site13
-rw-r--r--historic/guix/etc/nginx/sites-enabled/default.site18
-rw-r--r--historic/guix/etc/nginx/sites-enabled/demo.site159
-rw-r--r--historic/guix/etc/nginx/sites-enabled/docs-ssl.site69
-rw-r--r--historic/guix/etc/nginx/sites-enabled/docs.site7
-rw-r--r--historic/guix/etc/nginx/sites-enabled/env.site85
-rw-r--r--historic/guix/etc/nginx/sites-enabled/gauger-ssl.site18
-rw-r--r--historic/guix/etc/nginx/sites-enabled/gauger.site17
-rw-r--r--historic/guix/etc/nginx/sites-enabled/git-ssl.site30
-rw-r--r--historic/guix/etc/nginx/sites-enabled/git.site10
-rw-r--r--historic/guix/etc/nginx/sites-enabled/intranet-ssl.site15
-rw-r--r--historic/guix/etc/nginx/sites-enabled/intranet.site10
-rw-r--r--historic/guix/etc/nginx/sites-enabled/lcov-ssl.site20
-rw-r--r--historic/guix/etc/nginx/sites-enabled/lcov.site19
-rw-r--r--historic/guix/etc/nginx/sites-enabled/sandbox.site20
-rw-r--r--historic/guix/etc/nginx/sites-enabled/test.site379
-rw-r--r--historic/guix/etc/nginx/sites-enabled/trollslayer.site16
-rw-r--r--historic/guix/etc/nginx/sites-enabled/www-ssl.site59
-rw-r--r--historic/guix/etc/nginx/sites-enabled/www-stage.site78
-rw-r--r--historic/guix/etc/nginx/sites-enabled/www.git-ssl.site11
-rw-r--r--historic/guix/etc/nginx/sites-enabled/www.git.site10
-rw-r--r--historic/guix/etc/nginx/sites-enabled/www.site13
-rw-r--r--historic/guix/etc/nginx/uwsgi_params17
-rw-r--r--historic/guix/etc/nginx/win-utf125
-rw-r--r--historic/guix/fixed-fcgiwrap.scm161
-rw-r--r--historic/guix/keys/ssh/dold.pub1
-rw-r--r--historic/guix/keys/ssh/grothoff.pub1
-rw-r--r--historic/guix/keys/ssh/ng0.pub1
-rw-r--r--historic/guix/keys/ssh/stanisci.pub1
-rw-r--r--historic/guix/modules/sysadmin/people.scm73
-rw-r--r--historic/guix/modules/sysadmin/services.scm143
-rw-r--r--historic/guix/shepherd-with-sock.scm237
-rw-r--r--historic/guix/taler-helpers.scm39
101 files changed, 5665 insertions, 0 deletions
diff --git a/historic/docker/README b/historic/docker/README
new file mode 100644
index 0000000..6998ee3
--- /dev/null
+++ b/historic/docker/README
@@ -0,0 +1,90 @@
+=== Dockerizing the Exchange/Merchant ===
+
+This section shows how to run a "dockerized" exchange/merchant.
+The exchange uses postgresql (container) and is served
+by nginx (container). The merchant instead depends on exchange
+(container) and postgresql (container).
+
+The docker's tools needed are: docker, docker-compose, docker-machine.
+Please refer to Docker's official documentation for their installation
+instructions.
+
+Before starting to build the exchange/merchant's image, make sure a
+docker-machine instance is up and running.
+
+1. Build the images.
+
+<COMPONENT> is either 'exchange' or 'merchant', depending on what is
+to be built.
+
+From <THIS_REPO/docker/<COMPONENT>, give:
+
+# NOTE for 'merchant' build: as default, the merchant is configured
+# to work with the 'demo' exchange running at exchange.demo.taler.net.
+# Nonetheless, edit (before building) the files
+# <THIS_REPO>/docker/merchant/exchange_{pub,url}.txt, in case the merchant
+# needs to work with any other exchange.
+
+$ docker-compose build
+
+2. Launch the service.
+
+The following command launches the <COMPONENT> and all other services
+it depends on. From the same directory as the previous step, issue:
+
+$ docker-compose up
+
+If everything worked as expected, you should see some live logging
+from all the containers.
+(Errors about existing roles/databases can be ignored.)
+
+3. Test
+
+Issue the following command to see if the <COMPONENT> has been
+correctly installed and launched.
+
+# Some 'greeting' message should be returned. Note, the
+# service runs on port 80.
+
+$ curl http://`docker-machine ip`/
+
+
+=== How to use these images ===
+
+This section explains how to (1) build and (2) run individual
+images -- that is often not useful to run services, as they need
+to be "composed" in order to work properly.
+
+(1) is done by:
+
+$ docker build -t taler/base <THIS_REPO>/docker/base/
+$ docker build -t taler/exchange <THIS_REPO>/docker/exchange/
+
+Note that the value passed to option -t is completely arbitrary.
+
+(2) is done by:
+
+$ docker run -it taler/exchange
+
+=== How to destroy them ===
+
+Consider also the --no-cache option to force a rebuild.
+
+ $ docker build --no-cache <THIS_REPO>/docker/base
+
+1. Stop all containers:
+
+ $ docker stop $(docker ps -a -q)
+
+
+2. If necessary, remove all containers:
+
+ $ docker rm $(docker ps -a -q)
+
+3. Remove images:
+
+ $ docker rmi -f $(docker images -q)
+
+
+NOTE: for tripwire users, those commands are all defined
+ as aliases.
diff --git a/historic/docker/TODO b/historic/docker/TODO
new file mode 100644
index 0000000..387f758
--- /dev/null
+++ b/historic/docker/TODO
@@ -0,0 +1,28 @@
+Missing containers:
+
+- "standalone" ones: they actually *run* the
+ service and may also link to configuration on
+ the host machine when they are launched.
+
+- frontends
+
+- bank (more importantly needed to test the TGZ
+ which comes from 'make dist')
+
+- postgres (as a running service)
+
+- Feed configuration to exchange and merchant containers,
+ from outside (?) the container
+
+Missing compositions:
+
+Ideally, the Docker setting should instantiate two
+Taler flavours:
+
+- Self-contained testing: all components ready to be
+ tested by the automated clicker, AKA they are a replacement
+ for what runs at *.{test,demo}.taler.net
+
+- Ready-to-ship: a composition that instantiates a fully
+ operational exchange or merchant, according to the customer
+ needs.
diff --git a/historic/docker/base/Dockerfile b/historic/docker/base/Dockerfile
new file mode 100644
index 0000000..39e2c32
--- /dev/null
+++ b/historic/docker/base/Dockerfile
@@ -0,0 +1,54 @@
+FROM debian:unstable
+
+RUN apt-get update && apt-get install -qqy \
+ git \
+ build-essential \
+ autoconf \
+ autopoint \
+ libtool \
+ libgcrypt20 \
+ libgcrypt20-dev \
+ libidn11-dev \
+ zlib1g-dev \
+ libunistring-dev \
+ libjansson-dev \
+ libpq-dev \
+ libmicrohttpd-dev \
+ libcurl4-gnutls-dev \
+ python3 \
+ python3-pip \
+ postgresql
+
+# Needed to run the config generator
+RUN pip3 install click
+
+ENV HOME /root
+
+RUN git clone https://gnunet.org/git/gnunet/ ~/gnunet \
+ && git clone https://gnunet.org/git/libmicrohttpd/ ~/libmicrohttpd \
+ && git clone git://taler.net/deployment ~/deployment
+
+WORKDIR $HOME/gnunet
+
+RUN ./bootstrap \
+ && ./configure --with-libgnurl=/usr/local/ \
+ && make \
+ && make install
+
+WORKDIR $HOME/libmicrohttpd
+
+RUN ./bootstrap \
+ && ./configure --disable-doc \
+ && make \
+ && make install
+
+# To run the config generator, need:
+WORKDIR $HOME/deployment
+
+ENV LD_LIBRARY_PATH "/usr/local/lib"
+
+RUN export TALER_CONFIG_ENV="test" \
+ && export TALER_CONFIG_CURRENCY="EUR" \
+ && export LC_ALL="C.UTF-8" \
+ && export LANG="C.UTF-8" \
+ && ./bin/taler-deployment-config-generate
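Review bot: The three `git clone` lines fetch over the unauthenticated `git://` transport (and plain `https://gnunet.org/...` with no commit pin), so each image build trusts whatever the remote serves at that moment and two builds of the same Dockerfile can produce different binaries; the same pattern is in exchange/Dockerfile, merchant/Dockerfile and taler-full/Dockerfile. Checking out a known revision after each clone, e.g. `git clone https://git.taler.net/deployment.git ~/deployment && git -C ~/deployment checkout <PINNED_COMMIT>` (placeholder), would make the build reproducible and tamper-evident. `FROM debian:unstable` and the unpinned `pip3 install click` compound the non-reproducibility and deserve at least a comment stating that this image is for development only.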
diff --git a/historic/docker/base/README b/historic/docker/base/README
new file mode 100644
index 0000000..573f4ef
--- /dev/null
+++ b/historic/docker/base/README
@@ -0,0 +1,7 @@
+This image serves as a basis to build exchange and merchant
+backend. It is responsible for installing the following packages:
+
+- GNUnet
+- Libjansson
+- Postgres
+- ...
diff --git a/historic/docker/debug/client/Dockerfile b/historic/docker/debug/client/Dockerfile
new file mode 100644
index 0000000..5c3f0ee
--- /dev/null
+++ b/historic/docker/debug/client/Dockerfile
@@ -0,0 +1,7 @@
+FROM debian:unstable
+
+RUN apt-get update && apt-get install -qqy postgresql
+
+COPY ./dbstart.sh /
+
+ENTRYPOINT ["./dbstart.sh"]
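Review bot: `ENTRYPOINT ["./dbstart.sh"]` uses a relative path that only resolves because no WORKDIR is set and the base image's working directory is presumably `/`; the COPY on the line above places the script at `/dbstart.sh`, so `ENTRYPOINT ["/dbstart.sh"]` is the robust form and matches how exchange/Dockerfile and merchant/Dockerfile in this commit reference their entry points.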
diff --git a/historic/docker/debug/client/dbstart.sh b/historic/docker/debug/client/dbstart.sh
new file mode 100755
index 0000000..a3d3726
--- /dev/null
+++ b/historic/docker/debug/client/dbstart.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+su -c "createuser --host=dbcontainer root" postgres
+su -c "createdb --host=dbcontainer talertest" postgres
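Review bot: The script has no `set -e`, so when `createuser` fails the `createdb` line still runs and the container's exit status is that of the last command, which hides the failure from docker-compose; `set -e` after the shebang would surface it. The `root` role is created with no password and no explicit privilege flags, which only works if the server at `dbcontainer` accepts this connection unauthenticated (inferred from the absence of any credential handling here), so a comment stating that this is a trust-mode test database would help the next reader.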
diff --git a/historic/docker/debug/docker-compose.yml b/historic/docker/debug/docker-compose.yml
new file mode 100644
index 0000000..390f461
--- /dev/null
+++ b/historic/docker/debug/docker-compose.yml
@@ -0,0 +1,9 @@
+version: '2'
+services:
+ client:
+ build: ./client
+ image: taler/debug/db
+ depends_on:
+ - dbcontainer
+ dbcontainer:
+ image: postgres
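Review bot: `dbcontainer` runs the unpinned `postgres` image with no environment configuration, so the database's authentication mode and version are whatever the image defaults to at pull time, and the client script in this commit creates roles on it as the `postgres` user apparently without any password; the same unconfigured service appears in exchange/docker-compose.yml and merchant/docker-compose.yml. Pinning the image tag and setting the authentication explicitly, e.g. `image: postgres:<PINNED_TAG>` (placeholder) plus `environment: POSTGRES_PASSWORD: <SECRET_FROM_ENV_FILE>` (placeholder), would make the setup reproducible and stop it depending on trust-mode defaults that the image may change.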
diff --git a/historic/docker/debug/shell/Dockerfile b/historic/docker/debug/shell/Dockerfile
new file mode 100644
index 0000000..24e8371
--- /dev/null
+++ b/historic/docker/debug/shell/Dockerfile
@@ -0,0 +1,4 @@
+FROM debian:unstable
+
+RUN apt-get update && apt-get install -qqy \
+ postgresql
diff --git a/historic/docker/exchange/Dockerfile b/historic/docker/exchange/Dockerfile
new file mode 100644
index 0000000..d56754c
--- /dev/null
+++ b/historic/docker/exchange/Dockerfile
@@ -0,0 +1,17 @@
+FROM taler/base
+
+RUN git clone git://taler.net/exchange ~/exchange
+
+WORKDIR $HOME/exchange
+
+RUN ./bootstrap \
+ && ./configure CFLAGS='-ggdb -O0' \
+ --with-libgnurl=/usr/local \
+ --with-microhttpd=/usr/local \
+ --with-gnunet=/usr/local \
+ && make \
+ && make install
+
+COPY ./entry_point.sh /
+
+ENTRYPOINT ["/entry_point.sh"]
diff --git a/historic/docker/exchange/README b/historic/docker/exchange/README
new file mode 100644
index 0000000..45ce7cb
--- /dev/null
+++ b/historic/docker/exchange/README
@@ -0,0 +1,12 @@
+Launch the exchange, from the upper directory:
+
+1. Build the container:
+
+ $ docker-compose build exchange
+
+2. Launch it
+
+ $ docker-compose run -p 5555:8081 -p 5556:18080 exchange
+
+ # Replace 5555, 5556 with the port which is to serve the normal
+ # and /admin services.
diff --git a/historic/docker/exchange/docker-compose.yml b/historic/docker/exchange/docker-compose.yml
new file mode 100644
index 0000000..284af86
--- /dev/null
+++ b/historic/docker/exchange/docker-compose.yml
@@ -0,0 +1,19 @@
+version: '2'
+services:
+ exchange:
+ build: .
+ depends_on:
+ - dbcontainer
+ - base
+ image: taler/exchange
+ base:
+ build: ../base
+ image: taler/base
+ dbcontainer:
+ image: postgres
+ nginx:
+ build: ../nginx
+ depends_on:
+ - exchange
+ ports:
+ - "80:80"
diff --git a/historic/docker/exchange/entry_point.sh b/historic/docker/exchange/entry_point.sh
new file mode 100755
index 0000000..de21a39
--- /dev/null
+++ b/historic/docker/exchange/entry_point.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+
+if ! test -a $HOME/shared-data/exchange/offline-keys/master.priv; then
+ echo "Regenerating all keys and db entries"
+ (su -c "createuser --host=dbcontainer root" - postgres | exit 0)
+ (su -c "createdb --host=dbcontainer talertest" - postgres | exit 0)
+ mkdir -p $HOME/shared-data/exchange/offline-keys/
+ gnunet-ecc -g1 $HOME/shared-data/exchange/offline-keys/master.priv
+ taler-config -s exchangedb-postgres -o db_conn_str \
+ -V "dbname=talertest host=dbcontainer"
+ taler-config -s exchange -o serve -V tcp
+ taler-config -s exchange -o port -V 8081
+ taler-config -s exchange-admin -o serve -V tcp
+ taler-config -s exchange-admin -o port -V 18080
+ taler-config -s exchange -o master_public_key \
+ -V $(gnunet-ecc -p $HOME/shared-data/exchange/offline-keys/master.priv)
+ $HOME/deployment/bin/taler-deployment-config-sign
+ $HOME/deployment/bin/taler-deployment-keyup
+ taler-exchange-dbinit -r
+fi
+
+taler-exchange-httpd
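Review bot: The exchange master private key is generated with `gnunet-ecc -g1` into `offline-keys/master.priv` inside the same container that then runs `taler-exchange-httpd`, so the key whose directory name says "offline" lives on the online host for the whole life of the container; a header comment stating that this is a throwaway test deployment, or generating the master key outside and mounting only the signed keys, would make that explicit. The `(su -c "..." - postgres | exit 0)` construct on the createuser/createdb lines suppresses failures only as a side effect of the pipeline's status being that of `exit 0`; the conventional and readable form is `su -c "..." - postgres || true`, and merchant/entry_point.sh uses the same construct. The script also has no `set -e`, so a failed `taler-exchange-dbinit -r` still falls through to starting the httpd.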
diff --git a/historic/docker/merchant/Dockerfile b/historic/docker/merchant/Dockerfile
new file mode 100644
index 0000000..b8d682b
--- /dev/null
+++ b/historic/docker/merchant/Dockerfile
@@ -0,0 +1,19 @@
+FROM taler/exchange
+
+RUN git clone git://taler.net/merchant ~/merchant
+
+WORKDIR $HOME/merchant
+
+RUN ./bootstrap \
+ && ./configure CFLAGS='-ggdb -O0' \
+ --with-gnunet=/usr/local \
+ --with-exchange=/usr/local \
+ --with-microhttpd=/usr/local \
+ && make \
+ && make install
+
+COPY ./entry_point.sh /
+COPY ./exchange_pub.txt /
+COPY ./exchange_url.txt /
+
+ENTRYPOINT ["/entry_point.sh"]
diff --git a/historic/docker/merchant/docker-compose.yml b/historic/docker/merchant/docker-compose.yml
new file mode 100644
index 0000000..ccbfb70
--- /dev/null
+++ b/historic/docker/merchant/docker-compose.yml
@@ -0,0 +1,21 @@
+version: '2'
+services:
+ merchant:
+ build: .
+ depends_on:
+ - dbcontainer
+ - exchange
+ ports:
+ - "80:9966"
+ base:
+ build: ../base
+ image: taler/base
+ dbcontainer:
+ image: postgres
+ exchange:
+ build: ../exchange
+ depends_on:
+ - dbcontainer
+ - base
+ image: taler/exchange
+ entrypoint: "true"
diff --git a/historic/docker/merchant/entry_point.sh b/historic/docker/merchant/entry_point.sh
new file mode 100755
index 0000000..515c318
--- /dev/null
+++ b/historic/docker/merchant/entry_point.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+(su -c "createuser --host=dbcontainer root" - postgres | exit 0)
+(su -c "createdb --host=dbcontainer talertest" - postgres | exit 0)
+taler-config -s merchantdb-postgres -o config \
+ -V "dbname=talertest host=dbcontainer"
+taler-config -s merchant -o serve -V tcp
+taler-config -s merchant -o port -V 9966
+taler-config -s merchant-exchange-test -o master_key -V $(cat /exchange_pub.txt|tr -d '\n')
+taler-config -s merchant-exchange-test -o url -V $(cat /exchange_url.txt | tr -d '\n')
+taler-merchant-dbinit -r
+taler-merchant-httpd
diff --git a/historic/docker/merchant/exchange_pub.txt b/historic/docker/merchant/exchange_pub.txt
new file mode 100644
index 0000000..69f831b
--- /dev/null
+++ b/historic/docker/merchant/exchange_pub.txt
@@ -0,0 +1 @@
+CQQZ9DY3MZ1ARMN5K1VKDETS04Y2QCKMMCFHZSWJWWVN82BTTH00
diff --git a/historic/docker/merchant/exchange_url.txt b/historic/docker/merchant/exchange_url.txt
new file mode 100644
index 0000000..a2f087f
--- /dev/null
+++ b/historic/docker/merchant/exchange_url.txt
@@ -0,0 +1 @@
+https://exchange.demo.taler.net/
diff --git a/historic/docker/nginx/Dockerfile b/historic/docker/nginx/Dockerfile
new file mode 100644
index 0000000..5636699
--- /dev/null
+++ b/historic/docker/nginx/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx
+
+COPY ./proxy.conf /etc/nginx/conf.d/default.conf
diff --git a/historic/docker/nginx/nginx.conf b/historic/docker/nginx/nginx.conf
new file mode 100644
index 0000000..d9a2177
--- /dev/null
+++ b/historic/docker/nginx/nginx.conf
@@ -0,0 +1,33 @@
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
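Review bot: nginx/Dockerfile in this commit copies only proxy.conf into the image, so this nginx.conf does not appear to be used by the container at all; if it is meant to replace the image's default, a `COPY ./nginx.conf /etc/nginx/nginx.conf` is missing, otherwise a one-line header comment saying it is kept for reference would avoid confusion. Adding `server_tokens off;` to the `http` block would also keep the nginx version out of response headers should the file ever be deployed.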
diff --git a/historic/docker/nginx/proxy.conf b/historic/docker/nginx/proxy.conf
new file mode 100644
index 0000000..b4bf54a
--- /dev/null
+++ b/historic/docker/nginx/proxy.conf
@@ -0,0 +1,14 @@
+server {
+ listen *:80;
+ root /dev/null;
+
+ location / {
+ autoindex off;
+ proxy_pass http://exchange:8081;
+ }
+
+ location /admin {
+ autoindex off;
+ proxy_pass http://exchange:18080;
+ }
+}
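Review bot: `location /admin` forwards to the exchange's admin listener on port 18080 with no access restriction, and the server block listens on `*:80`, which exchange/docker-compose.yml publishes as `80:80`, so the admin interface is reachable by anyone who can reach the host. Restricting that location, e.g. `allow 127.0.0.1;` followed by `deny all;` (or `auth_basic`), or not proxying it at all, would keep it internal. Neither `proxy_pass` sets `proxy_set_header Host $host;` or an `X-Forwarded-For` header, so the backend sees the upstream name rather than the client's request; acceptable for a demo, but worth a comment.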
diff --git a/historic/docker/postgres/Dockerfile b/historic/docker/postgres/Dockerfile
new file mode 100644
index 0000000..d3f2fcb
--- /dev/null
+++ b/historic/docker/postgres/Dockerfile
@@ -0,0 +1 @@
+FROM postgres
diff --git a/historic/docker/postgres/README b/historic/docker/postgres/README
new file mode 100644
index 0000000..4584f0e
--- /dev/null
+++ b/historic/docker/postgres/README
@@ -0,0 +1,3 @@
+This container is to run Postgres service.
+
+It has to create the "root" user and the "talertest" database.
diff --git a/historic/docker/taler-full/Dockerfile b/historic/docker/taler-full/Dockerfile
new file mode 100644
index 0000000..ac01271
--- /dev/null
+++ b/historic/docker/taler-full/Dockerfile
@@ -0,0 +1,59 @@
+FROM debian:jessie
+
+ENV PREFIX=/usr
+
+RUN apt-get update && apt-get install -y \
+ git subversion \
+ make \
+ autoconf autopoint libtool texinfo \
+ libgcrypt-dev libidn11-dev zlib1g-dev libunistring-dev \
+ libjansson-dev \
+ libsqlite3-dev \
+ libpq-dev postgresql \
+ python3-pip \
+ \
+ && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install -U pip
+
+RUN git clone git://taler.net/deployment \
+ && \
+ deployment/bootstrap-hybrid
+
+RUN $HOME/deployment/taler-build/invalidate.sh \
+ && \
+ cd $HOME/deployment/taler-build && make;
+
+# cannot get $HOME to work
+ENV PATH=/root/local/bin:$PATH
+
+RUN taler-config-generate -e -m -C PUDOS -m -e -w test \
+ --bank-url https://bank.test.taler.net \
+ --exchange-bank-account 2 \
+ --merchant-bank-account 3 \
+ --trusted
+
+RUN service postgresql start \
+ && \
+ su -c 'psql -c "CREATE ROLE root WITH SUPERUSER LOGIN"' postgres \
+ && \
+ su -c 'psql -c "CREATE DATABASE taler WITH OWNER root"' postgres \
+ && \
+ su -c 'psql -c "CREATE DATABASE talermerchant WITH OWNER root"' postgres
+
+RUN printf '#!/bin/bash \n \
+ taler-exchange-keyup \
+ && taler-exchange-keycheck \
+ && service postgresql start \
+ && taler-exchange-dbinit \
+ && taler-exchange-httpd' > $HOME/local/bin/launch_exchange \
+ && \
+ chmod +x $HOME/local/bin/launch_exchange.sh
+
+RUN printf '#!/bin/bash \n \
+ service postgresql start \
+ && \
+ taler-merchant-httpd' > $HOME/local/bin/launch_merchant \
+ && \
+ chmod +x $HOME/local/bin/launch_merchant.sh
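Review bot: The launcher scripts are written to `$HOME/local/bin/launch_exchange` and `$HOME/local/bin/launch_merchant`, but the `chmod +x` lines that follow target `launch_exchange.sh` and `launch_merchant.sh`, which were never created, so the RUN steps fail (or, if chmod's error were ignored, the scripts would stay non-executable); the names need to agree, e.g. `chmod +x $HOME/local/bin/launch_exchange`. The README added alongside this file marks it obsolete, so a matching `# OBSOLETE: kept only as a command reference, see README` at the top would stop readers from trying to repair it. `CREATE ROLE root WITH SUPERUSER LOGIN` also grants the application role database superuser; a role with `LOGIN` that owns the two databases is likely sufficient for the dbinit steps that follow.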
diff --git a/historic/docker/taler-full/README b/historic/docker/taler-full/README
new file mode 100644
index 0000000..d5316aa
--- /dev/null
+++ b/historic/docker/taler-full/README
@@ -0,0 +1,2 @@
+OBSOLETE. Kept around for the sole purpose of grasping
+commands from it.
diff --git a/historic/guix/build.sh b/historic/guix/build.sh
new file mode 100755
index 0000000..d3ed1d2
--- /dev/null
+++ b/historic/guix/build.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+guix system vm --no-build-hook --no-grafts config.scm
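Review bot: `--no-grafts` builds the VM without Guix grafts, which is the mechanism Guix uses to apply security fixes to packages without a full rebuild, so the resulting system image can carry unpatched versions of the packages listed in config.scm. If the flag is only there to speed up development builds, a comment saying so, `# --no-grafts: faster dev builds only; drop for images that are deployed`, would make the trade-off visible; for an image that is actually run, the flag should be removed.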
diff --git a/historic/guix/config.scm b/historic/guix/config.scm
new file mode 100644
index 0000000..2b4771d
--- /dev/null
+++ b/historic/guix/config.scm
@@ -0,0 +1,302 @@
+;;; This file is part of GNU Taler.
+;;; Copyright © 2018 GNUnet e.V.
+;;;
+;;; GNU Taler is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU Affero General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Taler is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU Affero General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU Affero General Public License
+;;; along with GNU Taler. If not, see <http://www.gnu.org/licenses/>.
+
+;; Load modules relative to the script name.
+(eval-when (load compile eval)
+ (set! %load-path
+ (cons ((@ (guix utils) current-source-directory)) %load-path)))
+
+(use-modules
+ (srfi srfi-1)
+ (ice-9 match)
+ (gnu)
+ (guix)
+ (guix utils)
+ (guix gexp)
+ (guix records)
+ (guix modules)
+ ((gnu packages admin) #:select (shadow shepherd))
+ (taler-helpers)
+ ((fixed-fcgiwrap) #:prefix fixed:))
+
+(use-system-modules nss)
+(use-service-modules networking
+ ssh
+ version-control
+ cgit
+ databases
+ admin
+ web
+ shepherd)
+(use-package-modules base
+ bash
+ shells
+ web
+ tls)
+
+;;; Commentary:
+;;;
+;;; The GNU/Linux system that runs on gv.taler.net is defined here.
+
+
+
+
+
+;;; --- cron jobs start
+(define %certbot-job
+ ;; LE cert renewal 7d / 2
+ #~(job (lambda (now)
+ (next-day-from (next-hour-from now '(3))
+ '(2 5)))
+ (string-append #$certbot "/bin/certbot renew")))
+;;; --- cron jobs end
+
+(define %my-deploy-hook
+ (programm-file "my-deploy-hook"
+ #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
+ (cert-dir (getenv "RENEWED_LINEAGE"))
+ (privkey (string-append cert-dir "/privkey.pem")))
+ (chmod privkey #o600)
+ (kill pid SIGHUP))))
+
+;;; --- nginx start
+;; TODO: Translate nginx code to guix nginx-service without a file
+;; if possible wiht our config.
+;; DOCUMENTATION: There are 2 ways to run nginx on GuixSD, we use
+;; the way which allows us to work directly on nginx files instead
+;; of generating them through Guix, for now. Every update of the
+;; nginx config requires a reconfigure!
+(define %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
+(define %nginx-config
+ (computed-file "nginx-config"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$(local-file "etc/nginx/nginx.conf")
+ "nginx.conf")
+ (mkdir "conf.d")
+ (copy-file #$(local-file "etc/nginx/conf.d/favicon_robots")
+ "conf.d/favicon_robots")
+ (copy-file #$(local-file "etc/nginx/conf.d/talerssl")
+ "conf.d/talerssl")
+ (mkdir "sites-enabled")
+ ;; (copy-file #$(local-file "etc/nginx/sites-enabled/git.site")
+ ;; "sites-enabled/git.site")
+ (copy-file #$(local-file "etc/nginx/sites-enabled/git-ssl.site")
+ "sites-enabled/git-ssl.site")
+ (copy-file #$(local-file "etc/nginx/sites-enabled/default.site")
+ "sites-enabled/default.site")))))
+
+;; this includes defaults, so 'fastcgi' related files:
+(define %nginx-mime-types
+ (simple-service 'nginx-mime.types
+ etc-service-type
+ `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+
+(define %nginx-cache-activation
+ (simple-service 'nginx-/var/cache/nginx
+ activation-service-type
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/cache/nginx")))))
+;;; --- nginx end
+
+(operating-system
+ (host-name "gv")
+ (timezone "Europe/Paris")
+ (locale "en_US.utf8")
+ (initrd-modules (cons* "megaraid_sas" %base-initrd-modules))
+ (kernel-arguments (list "console=ttyS0" "console=tty0"))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/sda")))
+
+ (users
+ (cons* (user-account
+ (name "grothoff")
+ (comment "Christian Grothoff")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/grothoff"))
+ (user-account
+ (name "dold")
+ (comment "Florian Dold")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/dold"))
+ (user-account
+ (name "ng0")
+ (comment "Nils Gillmann")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/ng0"))
+ (user-account
+ (name "stanisci")
+ (comment "Marcello Stanisci")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/stanisci"))
+ (user-account
+ (name "git")
+ (comment "gitolite")
+ (group "git")
+ (home-directory "/home/git"))
+ %base-user-accounts))
+
+ (groups (cons (user-group (name "git"))
+ %base-groups))
+
+ (file-systems
+ (cons* (file-system
+ (device (uuid "304189db-f9df-4222-810d-94c993598c3b"))
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+
+ (packages
+ (append (map specification->package
+ '("mg" "cryptsetup"
+ "screen" "tmux" "wget"
+ "vim" "openssh" "openssl"
+ "nvi"
+ "postgresql"
+ "nss-certs"
+ "curl" "gnutls-dane"
+ "gitolite"
+ "acme-client"
+ #| "buildbot" |#
+ "fcgiwrap"
+ "python-future"
+ "python" "python-jinja2"
+ "python-sphinx"))
+ %base-packages))
+
+ ;; TODO: cgit service?
+ ;; TODO: gitolite service?
+
+ (services
+ (cons*
+ (service static-networking-service-type
+ (list
+ (static-networking
+ (interface "enp4s0f1")
+ (ip "147.87.255.221")
+ (netmask "255.255.255.240")
+ (gateway "147.87.255.209")
+ (name-servers '("8.8.8.8")))))
+
+ (service special-files-service-type
+ ;; Using 'canonical-package' as bash and coreutils
+ ;; canonical packages are already a part of
+ ;; '%base-packages'.
+ `(("/bin/sh" ,(file-append (canonical-package bash)
+ "/bin/sh"))
+ ("/usr/bin/env" ,(file-append (canonical-package coreutils)
+ "/bin/env"))
+ ("/bin/ksh" ,(file-append (canonical-package loksh)
+ "/bin/ksh"))))
+ ;; TODO: Add git.taler.net
+ ;; TODO: acme-client cronjob for:
+ ;; taler.net www.taler.net api.taler.net lcov.taler.net
+ ;; git.taler.net gauger.taler.net buildbot.taler.net
+ ;; test.taler.net playground.test.taler.net
+ ;; auditor.test.taler.net auditor.demo.taler.net
+ ;; demo.taler.net shop.test.taler.net
+ ;; shop.demo.taler.net survey.test.taler.net
+ ;; survey.demo.taler.net donations.demo.taler.net
+ ;; backend.test.taler.net backend.demo.taler.net
+ ;; bank.test.taler.net bank.demo.taler.net
+ ;; www.git.taler.net exchange.demo.taler.net
+ ;; exchange.test.taler.net env.taler.net
+ ;; envs.taler.net blog.demo.taler.net
+ ;; blog.test.taler.net donations.test.taler.net
+ ;; docs.taler.net intranet.taler.net stage.taler.net
+ ;;(service certbot-service-type
+ ;; (certbot-configuration
+ ;; (email "cert-admin-taler@n0.is")
+ ;; (certificates
+ ;; (list
+ ;; (certificate-configuration
+ ;; (domains '("gv.taler.net"))
+ ;; (deploy-hook %my-deploy-hook)))))))
+
+ (service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #t)
+ (port-number 22)
+ (password-authentication? #f)
+ (permit-root-login 'without-password)
+ (authorized-keys
+ `(("root" ,(concat-local-files
+ "root.pub"
+ '("keys/ssh/grothoff.pub"
+ "keys/ssh/ng0.pub"
+ "keys/ssh/dold.pub"
+ "keys/ssh/stanisci.pub")))
+ ("stanisci" ,(local-file "keys/ssh/stanisci.pub"))
+ ("dold" ,(local-file "keys/ssh/dold.pub"))
+ ("ng0" ,(local-file "keys/ssh/ng0.pub"))
+ ("grothoff" ,(local-file "keys/ssh/grothoff.pub"))))))
+
+ ;; (service rottlog-service-type (rottlog-configuration))
+ ;; (service mcron-service-type
+ ;; (mcron-configuration
+ ;; (jobs (list %gc-job %thing1))))
+ (service postgresql-service-type)
+ (git-daemon-service
+ #:config (git-daemon-configuration
+ (user-path "git")))
+ (service openntpd-service-type
+ (openntpd-configuration
+ (listen-on '("127.0.0.1" "::1"))
+ (sensor '("udcf0 correction 70000"))
+ (constraint-from '("www.gnu.org"))
+ (constraints-from '("https://www.google.com/"))
+ (allow-large-adjustment? #t)))
+ (service fixed:fcgiwrap-service-type
+ (fixed:fcgiwrap-configuration
+ (socket "unix:/var/run/fcgiwrap/fcgiwrap.socket")
+ (adjusted-socket-permissions #t)
+ (ensure-socket-dir? #t)))
+ ;;(service cgit-service-type
+ ;; (opaque-cgit-configuration
+ ;; (cgitrc "/etc/deployment/guix/etc/cgitrc")))
+ (service nginx-service-type
+ (nginx-configuration
+ (file (file-append %nginx-config
+ "/nginx.conf"))))
+ %nginx-mime-types
+ %nginx-cache-activation
+ (modify-services %base-services
+ (guix-service-type
+ config =>
+ (guix-configuration
+ (inherit config)
+ (substitute-urls
+ (cons* "https://berlin.guixsd.org"
+ %default-substitute-urls)))))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss))
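Review bot: `%my-deploy-hook` calls `programm-file` (double m), which is not a name bound by the modules imported here, while `%nginx-deploy-hook` a few lines below spells it `program-file`; because the `define` is evaluated when the config is loaded, this is a load-time unbound-variable error even though the certbot service that would use the hook is commented out. The fix is `(program-file "my-deploy-hook"`. Separately, the openssh configuration sets `(permit-root-login 'without-password)` and installs all four developers' keys as root's authorized keys, so each listed key gives direct root SSH access; since every one of those users already has a `wheel` account, `(permit-root-login #f)` plus sudo would reduce exposure, and `(x11-forwarding? #t)` is unusual for a headless server and deserves a comment if intended.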
diff --git a/historic/guix/custom-packages/postfix.scm b/historic/guix/custom-packages/postfix.scm
new file mode 100644
index 0000000..9927145
--- /dev/null
+++ b/historic/guix/custom-packages/postfix.scm
@@ -0,0 +1,133 @@
+(define-module (custom-packages postfix)
+ #:use-module (gnu packages databases)
+ #:use-module (gnu packages m4)
+ #:use-module (gnu packages pcre)
+ #:use-module (gnu packages tls)
+ #:use-module (gnu packages cyrus-sasl)
+ #:use-module (gnu packages openldap)
+ #:use-module (guix)
+ #:use-module (guix utils)
+ #:use-module (guix build-system gnu)
+ #:use-module ((guix licenses) #:prefix license:))
+
+
+(define-public postfix
+ (package
+ (name "postfix")
+ (version "3.3.2")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-"
+ version ".tar.gz"))
+ (sha256 (base32
+ "0nxkszdgs6fs86j6w1lf3vhxvjh1hw2jmrii5icqx9a9xqgg74rw"))))
+ (native-inputs
+ `(("m4" ,m4)))
+ (inputs
+ `(("bdb" ,bdb)
+ ("openssl" ,openssl)
+ ("sqlite" ,sqlite)
+ ("pcre" ,pcre)
+ ("postgresql" ,postgresql)
+ ("openldap" ,openldap)
+ ("cyrus-sasl" ,cyrus-sasl)
+ ("lmdb" ,lmdb)))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:tests? #f ; Postfix does not come with any tests.
+ #:phases
+ (modify-phases %standard-phases
+ (replace 'configure
+ ;; Postfix does not have a standard "./configure".
+ (lambda* (#:key outputs inputs configure-flags #:allow-other-keys)
+ (define (dir-setting name dir)
+ (string-append name "=" (assoc-ref outputs "out") dir))
+ (invoke
+ "make"
+ "makefiles"
+ (string-append "SHELL=" (which "sh"))
+ (dir-setting "daemon_directory" "/libexec/postfix")
+ (dir-setting "shlib_directory" "/lib/postfix")
+ (dir-setting "command_directory" "/sbin")
+ (dir-setting "manpage_directory" "/share/man")
+ (dir-setting "newaliases_path" "/bin/newaliases")
+ (dir-setting "mailq_path" "/bin/mailq")
+ (dir-setting "sendmail_path" "/sbin/sendmail")
+ (string-append
+ "CCARGS="
+ (string-join
+ (list
+ "-DHAS_DB"
+ "-DHAS_LMDB"
+ "-DHAS_PGSQL"
+ "-DHAS_PCRE"
+ "-DHAS_LDAP"
+ "-DHAS_SQLITE"
+ "-DUSE_TLS"
+ "-DUSE_SASL_AUTH"
+ "-DUSE_CYRUS_SASL"
+ ;; only the default, can be changed at run time
+ "-DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\""
+ "-DNO_NIS"
+ (string-append
+ "-I"
+ (assoc-ref inputs "cyrus-sasl")
+ "/include/sasl"))
+ " "))
+ "shared=yes"
+ (string-append
+ "SHLIB_RPATH=-Wl,-rpath,"
+ (assoc-ref outputs "out")
+ "/lib/postfix")
+ "dynamicmaps=yes"
+ "AUXLIBS=-ldb -lresolv -lssl -lcrypto -lsasl2"
+ "AUXLIBS_LMDB=-llmdb"
+ "AUXLIBS_LDAP=-lldap -llber"
+ "AUXLIBS_PCRE=-lpcre"
+ "AUXLIBS_PGSQL=-lpq"
+ "AUXLIBS_SQLITE=-lsqlite3 -lpthread")))
+ (replace 'install
+ ;; Postfix's "make install" is interactive, we work around this
+ ;; by directly calling postfix-install with the right arguments.
+ (lambda* (#:key outputs inputs configure-flags #:allow-other-keys)
+ (substitute* "postfix-install"
+ (("^SHELL=/bin/sh$") "SHELL=sh")
+ (("^PATH=.*$") ""))
+ (setenv "LD_LIBRARY_PATH"
+ (string-append (getcwd) "/lib"))
+ (invoke
+ "sh"
+ "postfix-install"
+ (string-append "install_root=" (assoc-ref outputs "out"))
+ "daemon_directory=/libexec/postfix"
+ "command_directory=/sbin"
+ "manpage_directory=/share/man"
+ "newaliases_path=/bin/newaliases"
+ "mailq_path=/bin/mailq"
+ "sendmail_path=/sbin/sendmail"
+ "shlib_directory=/lib/postfix"
+ "-non-interactive"
+ "-package")))
+ (add-after 'install 'patch-master-cf
+ ;; Make sure that the default main.cf does not contain wrong/confusing
+ ;; paths.
+ (lambda* (#:key outputs inputs configure-flags #:allow-other-keys)
+ (define comment
+ "# Note for Guix: This parameter should usually not be
+# changed, as the compiled-in default in the postfix
+# binaries already points to the Guix store.")
+ (substitute* (string-append
+ (assoc-ref outputs "out")
+ "/etc/postfix/main.cf")
+ (("^daemon_directory ?=" m) (string-append comment "\n#" m))))))))
+ (synopsis "High-performance mail transport agent")
+ (description
+ "Postfix is Wietse Venema's mail transport agent that started
+ life as an alternative to the widely-used Sendmail program.
+ Postfix attempts to be fast, easy to administer, and secure,
+ while at the same time being sendmail compatible enough to
+ not upset existing users. Thus, the outside has a sendmail-ish
+ flavor, but the inside is completely different.")
+ (license license:ibmpl1.0)
+ (home-page "http://www.postfix.org/")))
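Review bot: The `uri` in the `origin` fetches the release tarball from a third-party mirror (`cdn.postfix.johnriley.me`) over plain `http`; the `sha256` beneath it pins the content, so integrity is covered, but availability and provenance of the package now depend on an unofficial host. Pointing the uri at one of the official Postfix mirrors over https, keeping the hash as the check, would remove that dependency. Separately, the phase named `patch-master-cf` rewrites `etc/postfix/main.cf`, not master.cf; renaming it `'patch-main-cf` and making the comment say main.cf would avoid misleading the next maintainer. The `lambda*` for that phase also binds `inputs` and `configure-flags` it never uses, which `#:allow-other-keys` already makes unnecessary.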
diff --git a/historic/guix/etc/aliases b/historic/guix/etc/aliases
new file mode 100644
index 0000000..6b76027
--- /dev/null
+++ b/historic/guix/etc/aliases
@@ -0,0 +1,110 @@
+# See man 5 aliases for format
+postmaster: root
+root: admin
+
+# Executive team
+ceo: leon
+cto: grothoff
+cfo: clevel
+clevel: ceo,cto
+
+# Generic contact address
+contact: mail
+mail: ceo,cto,sva
+
+# All system admins
+admin: grothoff,dold,stanisci
+
+# Contact for translators
+translation-volunteer: admin
+
+# Feedback
+demo-feedback: admin
+wallet: florian,tg
+taler-bb: mstan
+buildfailures: mstan,florian,grothoff
+
+# Special
+protonmail: grothoff
+
+# ???
+msw: tg
+
+# For investors
+invest: grothoff
+
+# Twitter registration (ask grothoff for PW if desired)
+twitter: grothoff
+
+# Web server
+www-data: grothoff,marcello
+
+# Language teams
+it: marcello,fabrizio.biondi@inria.fr
+fr: marcello, cecile.gayet95@gmail.com
+de: grothoff,florian,sva,skuegel@web.de
+es: martin.olivera@gmail.com,chicadelaire@gmail.com,fumiko@futeisha.org,severo@rednegra.net
+cz: skuegel@web.de
+tn: os@vink-io.com
+ru: axel.denielt@gmail.com
+tr: ozcan@oyd.org.tr
+
+# All language teams (to notify about new text)
+translation-updates: it,de,fr,es,cz,tn,ru
+
+##################################################
+
+# Personal aliases
+nana: nana_void@riseup.net
+nk: nana
+karlstetter: nana
+nana.karlstetter: nana
+
+grothoff: grothoff@gnunet.org
+christian: grothoff
+christian.grothoff: grothoff
+cg: grothoff
+
+leon: leon.schumacher@digitalekho.com
+schumacher: leon
+leon.schumacher: leon
+ls: leon
+
+michael: michael.widmer@brinogroup.ch
+widmer: michael
+mw: michael
+michael.widmer: michael
+
+tg: *@tg-x.net
+
+sva: g@besva.de
+laengle: sva
+bernadette: sva
+bernadette.laengle: sva
+
+totakura: totakura@gnunet.org
+sreeharsha.totakura: totakura
+
+dold: dold@in.tum.de
+florian: dold
+florian.dold: dold
+
+carlo: lynX@the.internet.is.psyced.org
+
+ben: benedikt.mueller@sys24.org
+mueller: ben
+ben.mueller: ben
+
+onete: cristina.onete@gmail.com
+cristina: onete
+cristina.onete: onete
+
+burdges: burdges@gnunet.org
+jeff: burdges
+jeff.burdges: burdges
+
+mstan: marcello.stanisci@inria.fr
+marcello: mstan
+stanisci: mstan
+
+
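Review bot: `tg: *@tg-x.net` is presumably meant as a wildcard, but aliases(5) takes the right-hand side literally, so `*` becomes the local part and mail to `tg` (and through it `wallet` and `msw`) is addressed to a literal `*@tg-x.net`. If a specific mailbox is intended, spell it out; if the remote domain accepts any local part, pick one concrete address. The `fr:` line mixes `,` and `, ` as separators, which newaliases tolerates but differs from every other line in the file.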
diff --git a/historic/guix/etc/cgitrc b/historic/guix/etc/cgitrc
new file mode 100644
index 0000000..4ddaf0c
--- /dev/null
+++ b/historic/guix/etc/cgitrc
@@ -0,0 +1,73 @@
+#
+# cgit config
+# see cgitrc(5) for details
+#readme=:README
+virtual-root=/
+#cache-size=1000
+
+# Highlight source code with python pygments-based highlighter
+source-filter=/home/git/bin/cgit-syntax-highlighting.sh
+
+# Format org-mode, markdown, restructuredtext, manpages, text files, and html files
+about-filter=/home/git/bin/cgit-about-formatting.sh
+#about-filter=/usr/lib/cgit/filters/about-formatting.sh
+
+enable-filter-overrides=1
+
+css=/cgit/cgit.css
+logo=/cgit/cgit.png
+
+strict-export=git-daemon-export-ok
+scan-path=/home/git/repositories
+
+clone-prefix=https://git.taler.net git://git.taler.net ssh://git@taler.net
+
+snapshots=tar.gz zip
+
+root-title=TALER Git Repositories
+root-desc=Source code of various TALER-related projects
+root-readme=/home/git/repositories/README.html
+footer=/home/git/repositories/FOOTER.html
+
+readme=:README.org
+readme=:readme.org
+readme=:README.md
+readme=:readme.md
+readme=:README.mkd
+readme=:readme.mkd
+readme=:README.rst
+readme=:readme.rst
+readme=:README.html
+readme=:readme.html
+readme=:README.htm
+readme=:readme.htm
+readme=:README.txt
+readme=:readme.txt
+readme=:README
+readme=:readme
+readme=:INSTALL.org
+readme=:install.org
+readme=:INSTALL.md
+readme=:install.md
+readme=:INSTALL.mkd
+readme=:install.mkd
+readme=:INSTALL.rst
+readme=:install.rst
+readme=:INSTALL.html
+readme=:install.html
+readme=:INSTALL.htm
+readme=:install.htm
+readme=:INSTALL.txt
+readme=:install.txt
+readme=:INSTALL
+readme=:install
+
+
+# MIME types for serving raw content
+mimetype.html=text/html
+mimetype.gif=image/gif
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+mimetype.pdf=application/pdf
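Review bot: `enable-filter-overrides=1` combined with `scan-path=/home/git/repositories` allows a repository-local cgitrc to override `source-filter` and `about-filter`, so which executables cgit runs becomes configurable by anyone who can write into a repository directory under the scan path, not only by whoever maintains this file. If that delegation is not intended, set `enable-filter-overrides=0`; if it is, a comment naming who is trusted to use it would help. The two filter scripts live under `/home/git/bin`, so their ownership and permissions deserve the same care as this config.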
diff --git a/historic/guix/etc/nginx/apps/drupal/admin_basic_auth.conf b/historic/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
new file mode 100644
index 0000000..cc796ce
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
@@ -0,0 +1,12 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## Protect the /admin URIs with a basic auth.
+location ^~ /admin {
+ auth_basic "Restricted access"; #realm
+ auth_basic_user_file .htpasswd-users;
+
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+}
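Review bot: `auth_basic_user_file .htpasswd-users;` is a relative path, which nginx resolves against its configuration prefix rather than this snippet's directory, so the credential file may not be where the author expects and authentication fails at request time. An absolute path outside any served root, e.g. `auth_basic_user_file /etc/nginx/.htpasswd-users;` (example path), removes the ambiguity. Note that this `location ^~ /admin` only takes effect where the snippet is included, and the `include apps/drupal/admin_basic_auth.conf;` lines in drupal.conf and drupal_boost.conf in this commit are commented out.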
diff --git a/historic/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf b/historic/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
new file mode 100644
index 0000000..bdb3dd9
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+ default 1;
+ ## Add your set of hosts.
+ 127.0.0.1 0; # allow the localhost
+ 192.168.1.0/24 0; # allow on an internal network
+}
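Review bot: The `192.168.1.0/24 0;` entry looks like the template's example network rather than a value chosen for this deployment; if `$not_allowed_cron` is consulted by a location block, every host on that range may trigger Drupal cron. Replace it with the actual cron-invoking host or drop the line and keep only `127.0.0.1 0;` when cron runs locally. The header comment already says the file only matters when drush is not used for cron, so it may be dead configuration here.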
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal.conf b/historic/guix/etc/nginx/apps/drupal/drupal.conf
new file mode 100644
index 0000000..e65024f
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal.conf
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+# aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+# flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+# mp4;
+# mp4_buffer_size 1M;
+# mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$uri&$args if not found.
+ try_files $uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+# track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+# include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
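Review bot: The `add_header` lines in the advagg locations (`add_header ETag ''` and its siblings under `/sites/default/files/advagg_css/` and `/sites/default/files/advagg_js/`) silently drop every header added at server level, because nginx only inherits `add_header` from the enclosing level when the current level defines none; the comment before the flv location refers to an `add_header X-Frame-Options SAMEORIGIN` in nginx.conf, so responses from these locations would go out without it (inferred — nginx.conf is not in this hunk). Repeat the server-level security headers in those blocks, or move them into a snippet that every `add_header`-using location includes. The same pattern appears in drupal_boost.conf and drupal_boost_escaped.conf in this commit. Separately, the commented-out module directives at column 0 (`# aio on;`, `# flv;`, `# mp4;`) read as stray text beside the indented `##` comments; indenting them with their block or removing them would make the disabled state obvious.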
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_boost.conf b/historic/guix/etc/nginx/apps/drupal/drupal_boost.conf
new file mode 100644
index 0000000..1cb10e1
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_boost.conf
@@ -0,0 +1,377 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
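Review bot: `location = /boost_stats.php` hands the request to `phpcgi` without including `apps/drupal/fastcgi_drupal.conf`, so unlike `@drupal` no FastCGI parameters are set and the backend has no `SCRIPT_FILENAME` to execute — add `include apps/drupal/fastcgi_drupal.conf;` before `fastcgi_pass phpcgi;`, assuming that snippet carries the standard parameters (it is not part of this commit). This exact-match location deliberately bypasses the `^.+\.php$ { return 404; }` rule just above it; a one-line comment saying so would stop a reader from "fixing" it. The `try_files` in `@cache` builds filesystem paths from `$args`, which is raw, un-normalised query text; the result is only used to test for a cached file, but it is worth confirming that the lookup cannot resolve outside the `/cache/` tree when `$args` contains path separators.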
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf b/historic/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
new file mode 100644
index 0000000..36f5d98
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
@@ -0,0 +1,382 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for using Boost with Drupal. This
+### configuration makes use of drush (http:///drupal.org/project/drush)
+### for site maintenance and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ add_header Pragma '';
+ add_header Cache-Control 'public, max-age=946080000';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the @cache if not found.
+ try_files $escaped_uri @cache;
+}
+
+## We define a named location for the cache.
+location @cache {
+ ## Boost compresses can the pages so we check it. Comment it out
+ ## if you don't have it enabled in Boost.
+ gzip_static on;
+
+ ## Error page handler for the case where $no_cache is 1. POST
+ ## request or authenticated.
+ error_page 418 = @drupal;
+
+ ## If $no_cache is 1 then it means that either we have a session
+ ## cookie or that the request method is POST. So serve the dynamic
+ ## page.
+ if ($no_cache) {
+ return 418; # I'm a teapot/I can't get no cachifaction
+ }
+
+ ## No caching for POST requests.
+ if ($request_method = POST) {
+ return 418;
+ }
+
+ # Now for some header tweaking. We use a date that differs
+ # from stock Drupal. Everyone seems to be using their
+ # birthdate. Why go against the grain?
+ add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT";
+ # We bypass all delays in the post-check and pre-check
+ # parameters of Cache-Control. Both set to 0.
+ add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
+ # Funny...perhaps. Egocentric? Damn right!;
+ add_header X-Header "Boost Helás Avril 1.0";
+ ## Boost doesn't set a charset.
+ charset utf-8;
+
+ # We try each boost URI in succession, if every one of them
+ # fails then relay to Drupal.
+ try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FCGI microcache for authenticated users also.
+ include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+ #proxy_set_header Connection '';
+}
+
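Review bot: The `location ^~ /.bzr` through `location ^~ /.cvs` blocks only cover those directories directly under the document root; a `.git` or other dot-directory nested deeper, e.g. under `/sites/default/`, matches none of them and reaches `try_files $escaped_uri @cache` in `location /`, which will serve the file if it exists on disk. A regex such as `location ~ /\. { return 404; }` placed as the first nested location of `location /` (nested regex locations are tried in order, so it must precede the static-file block) covers dotfiles at any depth that reach that stage; it also covers `/.well-known/`, which then needs its own `^~` exception if ACME or similar is used. The same five prefix blocks appear in drupal_escaped.conf and should be handled the same way.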
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_cron_update.conf b/historic/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
new file mode 100644
index 0000000..55500e9
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
@@ -0,0 +1,40 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for Drupal if you're not using drush to update your site or run cron.
+
+## XMLRPC. Comment out if not enabled.
+location = /xmlrpc.php {
+ fastcgi_pass phpcgi;
+ # To use Apache for serving PHP uncomment the line bellow and
+ # comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Restrict cron access to a specific host.
+location = /cron.php {
+ ## If not allowed to run cron then issue a 404 and redirect to the
+ ## site root.
+ if ($not_allowed_cron) {
+ return 404 /;
+ }
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Run the update from the web interface with Drupal 7.
+location = /authorize.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+location = /update.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
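Review bot: Each of the four `fastcgi_pass phpcgi` locations here (`/xmlrpc.php`, `/cron.php`, `/authorize.php`, `/update.php`) hands the request to PHP without any `fastcgi_param`, and the shared apps/drupal/fastcgi_drupal.conf cannot be reused because it hard-codes `SCRIPT_FILENAME $document_root/index.php`; unless the enclosing server block (not in this diff) includes the stock FastCGI parameters, the backend receives no SCRIPT_FILENAME and these scripts will not run. A local `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` plus the remaining parameters in each block, or a shared include without the index.php hard-coding, would make the file self-contained; the same applies to `/install.php` and `/core/install.php` in drupal_install.conf and to `/boost_stats.php` in drupal_boost_escaped.conf. Separately, the comment above `return 404 /;` promises a redirect to the site root, but for a non-3xx status nginx treats the second argument as the response body, so this sends a 404 whose body is the literal `/`; `return 404;` matches the stated intent.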
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_escaped.conf b/historic/guix/etc/nginx/apps/drupal/drupal_escaped.conf
new file mode 100644
index 0000000..db08cc0
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_escaped.conf
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## To avoid the ugly rewrite we use Lua to escape the URI.
+set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)';
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$no_slash_uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $escaped_uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ {
+ access_log off;
+ try_files $escaped_uri @drupal;
+ }
+ }
+
+ ## All static files will be served directly.
+ location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ {
+ access_log off;
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ ## Set the OS file cache.
+ open_file_cache max=3000 inactive=120s;
+ open_file_cache_valid 45s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors off;
+ }
+
+ ## PDFs and powerpoint files handling.
+ location ~* ^.+\.(?:pdf|pptx?)$ {
+ expires 30d;
+ ## No need to bleed constant updates. Send the all shebang in one
+ ## fell swoop.
+ tcp_nodelay off;
+ }
+
+ ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.
+ location ^~ /sites/default/files/audio/mp3 {
+ location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/ogg {
+ location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ {
+ directio 4k; # for XFS
+ ## If you're using ext3 or similar uncomment the line below and comment the above.
+ #directio 512; # for ext3 or similar (block alignments)
+ tcp_nopush off;
+ aio on;
+ output_buffers 1 2M;
+ }
+ }
+
+ ## Pseudo streaming of FLV files:
+ ## http://wiki.nginx.org/HttpFlvStreamModule.
+ ## If pseudo streaming isn't working, try to comment
+ ## out in nginx.conf line with:
+ ## add_header X-Frame-Options SAMEORIGIN;
+ location ^~ /sites/default/files/video/flv {
+ location ~* ^/sites/default/files/video/flv/.*\.flv$ {
+ flv;
+ }
+ }
+
+ ## Pseudo streaming of H264/AAC files. This requires an Nginx
+ ## version greater or equal to 1.0.7 for the stable branch and
+ ## greater or equal to 1.1.3 for the development branch.
+ ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.
+ location ^~ /sites/default/files/video/mp4 { # videos
+ location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ location ^~ /sites/default/files/audio/m4a { # audios
+ location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ {
+ mp4;
+ mp4_buffer_size 1M;
+ mp4_max_buffer_size 5M;
+ }
+ }
+
+ ## Advanced Help module makes each module provided README available.
+ location ^~ /help/ {
+ location ~* ^/help/[^/]*/README\.txt$ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ }
+ }
+
+ ## Replicate the Apache <FilesMatch> directive of Drupal standard
+ ## .htaccess. Disable access to any code files. Return a 404 to curtail
+ ## information disclosure. Hide also the text files.
+ location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
+ return 404;
+ }
+
+ ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found.
+ try_files $escaped_uri @drupal;
+}
+
+########### Security measures ##########
+
+## Uncomment the line below if you want to enable basic auth for
+## access to all /admin URIs. Note that this provides much better
+## protection if use HTTPS. Since it can easily be eavesdropped if you
+## use HTTP.
+#include apps/drupal/admin_basic_auth.conf;
+
+## Restrict access to the strictly necessary PHP files. Reducing the
+## scope for exploits. Handling of PHP code and the Drupal event loop.
+location @drupal {
+ ## Include the FastCGI config.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args;
+ #proxy_set_header Connection '';
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+
+ ## Filefield Upload progress
+ ## http://drupal.org/project/filefield_nginx_progress support
+ ## through the NginxUploadProgress modules.
+ track_uploads uploads 60s;
+}
+
+location @drupal-no-args {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_no_args_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## FastCGI microcache.
+ include apps/drupal/microcache_fcgi.conf;
+ ## FCGI microcache for authenticated users also.
+ #include apps/drupal/microcache_fcgi_auth.conf;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the line below.
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri;
+ #proxy_set_header Connection '';
+
+ ## Proxy microcache.
+ #include apps/drupal/microcache_proxy.conf;
+ ## Proxy microcache for authenticated users also.
+ #include apps/drupal/microcache_proxy_auth.conf;
+}
+
+## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return
+## 404 as not to disclose information.
+location ^~ /.bzr {
+ return 404;
+}
+
+location ^~ /.git {
+ return 404;
+}
+
+location ^~ /.hg {
+ return 404;
+}
+
+location ^~ /.svn {
+ return 404;
+}
+
+location ^~ /.cvs {
+ return 404;
+}
+
+## Disallow access to patches directory.
+location ^~ /patches {
+ return 404;
+}
+
+## Disallow access to drush backup directory.
+location ^~ /backup {
+ return 404;
+}
+
+## Disable access logs for robots.txt.
+location = /robots.txt {
+ access_log off;
+ ## Add support for the robotstxt module
+ ## http://drupal.org/project/robotstxt.
+ try_files $uri @drupal-no-args;
+}
+
+## RSS feed support.
+location = /rss.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## XML Sitemap support.
+location = /sitemap.xml {
+ try_files $escaped_uri @drupal-no-args;
+}
+
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't
+## exist.
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
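Review bot: The comment `## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found.` no longer describes what `@drupal` does: the include it uses, apps/drupal/fastcgi_drupal.conf, sets `fastcgi_param QUERY_STRING q=$uri&$args;`, i.e. the unescaped `$uri`, and `$escaped_uri` is only used by `try_files` in this file. Either reword it to `## First we try the URI on disk and fall back to @drupal (index.php with q=$uri&$args) if not found.` or, if the escaped form is what PHP is meant to receive, give this configuration an include that actually uses `$escaped_uri`.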
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_install.conf b/historic/guix/etc/nginx/apps/drupal/drupal_install.conf
new file mode 100644
index 0000000..1f4f11b
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_install.conf
@@ -0,0 +1,16 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Directives for installing drupal. This is for drupal 6 and 7.
+
+location = /install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
+
+## This is for drupal 8. There's a new location for the install file.
+location = /core/install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf b/historic/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
new file mode 100644
index 0000000..843fb06
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
@@ -0,0 +1,23 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Drupal 7 configuration for the Nginx Upload Progress module:
+### https://github.com/masterzen/nginx-upload-progress-module
+### This requires the Filefield Nginx Progress module:
+### http://drupal.org/project/filefield_nginx_progress.
+
+## The Nginx module wants ?X-Progress-ID query parameter so
+## that it report the progress of the upload through a GET
+## request. But the drupal form element makes use of clean
+## URLs in the POST.
+
+location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
+ rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
+}
+
+## Now the above rewrite must be matched by a location that
+## activates it and references the above defined upload
+## tracking zone.
+location ^~ /progress {
+ upload_progress_json_output;
+ report_uploads uploads;
+}
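Review bot: The capture `(?<upload_id>\d*)` in the `location ~ ... /x-progress-id:` regex accepts an empty id, so a URI ending in `/x-progress-id:` is rewritten to `$upload_form_uri?X-Progress-ID=` and forwarded with an empty progress identifier. `\d+` keeps such requests out of the rewrite and lets them fall through to the normal handling. `location ^~ /progress` is also a prefix match rather than `location = /progress`, which is presumably intentional but deserves a comment saying so.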
diff --git a/historic/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf b/historic/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
new file mode 100644
index 0000000..be59f85
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri&$args;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
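Review bot: `fastcgi_param QUERY_STRING q=$uri&$args;` builds the query string from `$uri`, which nginx has already percent-decoded and normalised, so a path whose decoded form contains `&`, `#` or `+` is passed to PHP as extra query parameters rather than as part of `q`; drupal_escaped.conf and drupal_boost_escaped.conf compute `$escaped_uri` precisely to avoid this, but this include does not use it, so those configurations get no benefit from the escaping when the request reaches PHP. Since the non-escaped configurations also include this file and do not define `$escaped_uri`, the fix is an include variant (or a per-caller QUERY_STRING line) that uses `q=$escaped_uri&$args` for the escaped callers; fastcgi_no_args_drupal.conf is otherwise a byte-for-byte copy of this file and could be folded into it by moving only the QUERY_STRING line to the callers. `$fastcgi_https` in `fastcgi_param HTTPS $fastcgi_https if_not_empty;` is not a built-in variable and must come from a `map` elsewhere in the deployment that this diff does not show; a comment naming where it is defined would help, e.g. `## $fastcgi_https is set by a map in the main config (see the http-level conf).`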
diff --git a/historic/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf b/historic/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
new file mode 100644
index 0000000..683e4ce
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
diff --git a/historic/guix/etc/nginx/apps/drupal/hotlinking_protection.conf b/historic/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
new file mode 100644
index 0000000..f2926e1
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Hotlinking protection for images. Include it in any context you
+### want. Adjust the list of allowed referers to your liking.
+
+valid_referers none blocked *.example.com *.google.com my.site.com;
+
+if ($invalid_referer) {
+ return 200 "No image hotlinking allowed!\n";
+}
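Review bot: `return 200 "No image hotlinking allowed!\n";` answers a refused image request with a success status and a text body; the locations this file is written to be included from (the `/imagecache/` and `/files/styles/` blocks in the drupal*.conf files) set `expires 30d`, so the text reply can be cached by browsers and intermediaries under the image URL for a month. `return 403;` (or `return 403 "No image hotlinking allowed!\n";` if a body is wanted) signals the refusal correctly, and `expires` does not apply to a 403 by default. The referer list `*.example.com *.google.com my.site.com` consists of placeholders, which the header comment already tells the reader to adjust.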
diff --git a/historic/guix/etc/nginx/apps/drupal/map_cache.conf b/historic/guix/etc/nginx/apps/drupal/map_cache.conf
new file mode 100644
index 0000000..8166fcd
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/map_cache.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Testing if we should be serving content from cache or not. This is
+### needed for any Drupal setup that uses an external cache.
+
+## Let Ajax calls go through.
+map $uri $no_cache_ajax {
+ default 0;
+ /system/ajax 1;
+}
+
+## Testing for the session cookie being present. If there is then no
+## caching is to be done. Note that this is for someone using either
+## Drupal 7 pressflow or stock Drupal 6 core with no_anon
+## (http://drupal.org/project/no_anon).
+map $http_cookie $no_cache_cookie {
+ default 0;
+ ~SESS 1; # PHP session cookie
+}
+
+## Combine both results to get the cache bypassing mapping.
+map $no_cache_ajax$no_cache_cookie $no_cache {
+ default 1;
+ 00 0;
+}
+
+## If you're using stock Drupal 6 without no_anon, i.e., there's a
+## session cookie being served even to anonymous users, then uncomment
+## the three lines below and comment the above map directive
+# map $http_cookie $no_cache {
+# default 0;
+# ~DRUPAL_UID 1; # DRUPAL_UID cookie set by Boost
+# }
+
+## Set a cache_uid variable for authenticated users.
+map $http_cookie $cache_uid {
+ default nil; # hommage to Lisp :)
+ ~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id;
+}
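Review bot: In the `$cache_uid` map the capture `(?<session_id>[[:graph:]]+)` is greedy over every printable non-space character, and `;` is one of them, so whenever the SESS cookie is not the last cookie in the header the captured value ends with a trailing `;`. The same user then gets different cache keys depending on cookie order, which fragments the per-user cache that `$cache_uid@...` keys are built on; `(?<session_id>[^;[:space:]]+)` stops at the separator. The `~SESS` test in the `$no_cache_cookie` map likewise matches any cookie whose name or value merely contains `SESS`; anchoring it as `~(^|;\s*)S?SESS[[:alnum:]]+=` limits it to the Drupal session cookie (and its secure `SSESS` variant).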
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_fcgi.conf b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
new file mode 100644
index 0000000..e7e8184
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 1s seconds.
+fastcgi_cache_valid 200 301 1s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+fastcgi_cache_bypass $no_cache;
+fastcgi_no_cache $no_cache;
+
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
new file mode 100644
index 0000000..7b2b7c3
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
@@ -0,0 +1,51 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15s.
+fastcgi_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors use whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+## Bypass the cache.
+# fastcgi_cache_bypass $no_auth_cache;
+# fastcgi_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
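Review bot: `add_header X-Content-Options nosniff;` names a header that browsers do not recognise; the sniffing protection described in the comment above is `X-Content-Type-Options`, as conf.d/talerssl in this same commit spells it, so the line should read `add_header X-Content-Type-Options nosniff;`. The identical misspelling is in microcache_proxy.conf and microcache_proxy_auth.conf. Separately, nginx inherits `add_header` only into levels that set none of their own, so any location that includes this snippet loses every server-level `add_header` (HSTS, frame options) unless they are repeated here; a comment stating that would save the next operator a surprise. `fastcgi_pass_header Cookie;` is a no-op, since `Cookie` is a request header and `fastcgi_pass_header` governs response headers.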
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_proxy.conf b/historic/guix/etc/nginx/apps/drupal/microcache_proxy.conf
new file mode 100644
index 0000000..6708684
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_proxy.conf
@@ -0,0 +1,53 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+proxy_cache_bypass $no_cache;
+proxy_no_cache $no_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
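Review bot: `proxy_cache_key $host$request_uri;` omits the `$scheme` that the FastCGI counterpart (microcache_fcgi.conf) keys on, so responses generated for `http://` and `https://` requests share one entry in the `microcache` zone; if both schemes are proxied through this snippet, a page rendered with plain-http absolute URLs or redirects can be served to TLS clients. `proxy_cache_key $scheme$host$request_uri;` aligns it with the other file. The same omission is in microcache_proxy_auth.conf, whose key is `$cache_uid@$host$request_uri`.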
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf b/historic/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
new file mode 100644
index 0000000..e351b1b
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
@@ -0,0 +1,54 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $cache_uid@$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+proxy_pass_header Set-Cookie;
+proxy_pass_header Cookie;
+## Bypass the cache.
+proxy_cache_bypass $no_auth_cache;
+proxy_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
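Review bot: `proxy_cache_bypass $no_auth_cache;` and `proxy_no_cache $no_auth_cache;` reference a variable that none of the maps added in this commit define (map_cache.conf defines `$no_cache_ajax`, `$no_cache_cookie`, `$no_cache` and `$cache_uid`), and nginx rejects an unknown variable at configuration load, so unless `$no_auth_cache` is mapped in a file outside this chunk the include fails `nginx -t`. microcache_fcgi_auth.conf keeps the equivalent two lines commented out, which suggests the variable never existed; either add the map or use `$no_cache` as the non-auth snippets do.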
diff --git a/historic/guix/etc/nginx/conf.d/favicon_robots b/historic/guix/etc/nginx/conf.d/favicon_robots
new file mode 100644
index 0000000..3c6e417
--- /dev/null
+++ b/historic/guix/etc/nginx/conf.d/favicon_robots
@@ -0,0 +1,11 @@
+location = /robots.txt {
+ root /var/www/robots-favicon;
+}
+
+location = /favicon.ico {
+ root /var/www/robots-favicon;
+}
+
+location = /static/web-common/favicon-taler.ico {
+ alias /var/www/robots-favicon/favicon.ico;
+}
diff --git a/historic/guix/etc/nginx/conf.d/talerssl b/historic/guix/etc/nginx/conf.d/talerssl
new file mode 100644
index 0000000..3c33de6
--- /dev/null
+++ b/historic/guix/etc/nginx/conf.d/talerssl
@@ -0,0 +1,14 @@
+ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options "nosniff";
+add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://buildbot.taler.net";
+add_header Referrer-Policy "same-origin";
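Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` keeps TLS 1.0 and 1.1 enabled, both deprecated by RFC 8996 and failing current compliance baselines; `ssl_protocols TLSv1.2;` (plus `TLSv1.3` where the nginx/OpenSSL build supports it) is the expected setting, and the `EDH`/`AES256+EDH` groups in `ssl_ciphers` then depend entirely on the strength of the `dhparam.pem` the file points to. The CSP's `script-src 'self' 'unsafe-inline' 'unsafe-eval'` allows inline and eval'd script, which removes most of the XSS mitigation a CSP provides; if a hosted application needs these, a comment naming which one requires each exception makes later tightening possible. `Strict-Transport-Security` with `includeSubDomains; preload` and a two-year max-age is a long-lived commitment for every subdomain and merits a comment that it was intentional. Because `add_header` is not inherited into any location that sets its own, these headers disappear in locations that include the microcache snippets from this commit.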
diff --git a/historic/guix/etc/nginx/fastcgi.conf b/historic/guix/etc/nginx/fastcgi.conf
new file mode 100644
index 0000000..091738c
--- /dev/null
+++ b/historic/guix/etc/nginx/fastcgi.conf
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/historic/guix/etc/nginx/fastcgi_params b/historic/guix/etc/nginx/fastcgi_params
new file mode 100644
index 0000000..28decb9
--- /dev/null
+++ b/historic/guix/etc/nginx/fastcgi_params
@@ -0,0 +1,25 @@
+
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/historic/guix/etc/nginx/koi-utf b/historic/guix/etc/nginx/koi-utf
new file mode 100644
index 0000000..e7974ff
--- /dev/null
+++ b/historic/guix/etc/nginx/koi-utf
@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters. Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map koi8-r utf-8 {
+
+ 80 E282AC ; # euro
+
+ 95 E280A2 ; # bullet
+
+ 9A C2A0 ; # &nbsp;
+
+ 9E C2B7 ; # &middot;
+
+ A3 D191 ; # small yo
+ A4 D194 ; # small Ukrainian ye
+
+ A6 D196 ; # small Ukrainian i
+ A7 D197 ; # small Ukrainian yi
+
+ AD D291 ; # small Ukrainian soft g
+ AE D19E ; # small Byelorussian short u
+
+ B0 C2B0 ; # &deg;
+
+ B3 D081 ; # capital YO
+ B4 D084 ; # capital Ukrainian YE
+
+ B6 D086 ; # capital Ukrainian I
+ B7 D087 ; # capital Ukrainian YI
+
+ B9 E28496 ; # numero sign
+
+ BD D290 ; # capital Ukrainian soft G
+ BE D18E ; # capital Byelorussian short U
+
+ BF C2A9 ; # (C)
+
+ C0 D18E ; # small yu
+ C1 D0B0 ; # small a
+ C2 D0B1 ; # small b
+ C3 D186 ; # small ts
+ C4 D0B4 ; # small d
+ C5 D0B5 ; # small ye
+ C6 D184 ; # small f
+ C7 D0B3 ; # small g
+ C8 D185 ; # small kh
+ C9 D0B8 ; # small i
+ CA D0B9 ; # small j
+ CB D0BA ; # small k
+ CC D0BB ; # small l
+ CD D0BC ; # small m
+ CE D0BD ; # small n
+ CF D0BE ; # small o
+
+ D0 D0BF ; # small p
+ D1 D18F ; # small ya
+ D2 D180 ; # small r
+ D3 D181 ; # small s
+ D4 D182 ; # small t
+ D5 D183 ; # small u
+ D6 D0B6 ; # small zh
+ D7 D0B2 ; # small v
+ D8 D18C ; # small soft sign
+ D9 D18B ; # small y
+ DA D0B7 ; # small z
+ DB D188 ; # small sh
+ DC D18D ; # small e
+ DD D189 ; # small shch
+ DE D187 ; # small ch
+ DF D18A ; # small hard sign
+
+ E0 D0AE ; # capital YU
+ E1 D090 ; # capital A
+ E2 D091 ; # capital B
+ E3 D0A6 ; # capital TS
+ E4 D094 ; # capital D
+ E5 D095 ; # capital YE
+ E6 D0A4 ; # capital F
+ E7 D093 ; # capital G
+ E8 D0A5 ; # capital KH
+ E9 D098 ; # capital I
+ EA D099 ; # capital J
+ EB D09A ; # capital K
+ EC D09B ; # capital L
+ ED D09C ; # capital M
+ EE D09D ; # capital N
+ EF D09E ; # capital O
+
+ F0 D09F ; # capital P
+ F1 D0AF ; # capital YA
+ F2 D0A0 ; # capital R
+ F3 D0A1 ; # capital S
+ F4 D0A2 ; # capital T
+ F5 D0A3 ; # capital U
+ F6 D096 ; # capital ZH
+ F7 D092 ; # capital V
+ F8 D0AC ; # capital soft sign
+ F9 D0AB ; # capital Y
+ FA D097 ; # capital Z
+ FB D0A8 ; # capital SH
+ FC D0AD ; # capital E
+ FD D0A9 ; # capital SHCH
+ FE D0A7 ; # capital CH
+ FF D0AA ; # capital hard sign
+}
diff --git a/historic/guix/etc/nginx/koi-win b/historic/guix/etc/nginx/koi-win
new file mode 100644
index 0000000..72afabe
--- /dev/null
+++ b/historic/guix/etc/nginx/koi-win
@@ -0,0 +1,103 @@
+
+charset_map koi8-r windows-1251 {
+
+ 80 88 ; # euro
+
+ 95 95 ; # bullet
+
+ 9A A0 ; # &nbsp;
+
+ 9E B7 ; # &middot;
+
+ A3 B8 ; # small yo
+ A4 BA ; # small Ukrainian ye
+
+ A6 B3 ; # small Ukrainian i
+ A7 BF ; # small Ukrainian yi
+
+ AD B4 ; # small Ukrainian soft g
+ AE A2 ; # small Byelorussian short u
+
+ B0 B0 ; # &deg;
+
+ B3 A8 ; # capital YO
+ B4 AA ; # capital Ukrainian YE
+
+ B6 B2 ; # capital Ukrainian I
+ B7 AF ; # capital Ukrainian YI
+
+ B9 B9 ; # numero sign
+
+ BD A5 ; # capital Ukrainian soft G
+ BE A1 ; # capital Byelorussian short U
+
+ BF A9 ; # (C)
+
+ C0 FE ; # small yu
+ C1 E0 ; # small a
+ C2 E1 ; # small b
+ C3 F6 ; # small ts
+ C4 E4 ; # small d
+ C5 E5 ; # small ye
+ C6 F4 ; # small f
+ C7 E3 ; # small g
+ C8 F5 ; # small kh
+ C9 E8 ; # small i
+ CA E9 ; # small j
+ CB EA ; # small k
+ CC EB ; # small l
+ CD EC ; # small m
+ CE ED ; # small n
+ CF EE ; # small o
+
+ D0 EF ; # small p
+ D1 FF ; # small ya
+ D2 F0 ; # small r
+ D3 F1 ; # small s
+ D4 F2 ; # small t
+ D5 F3 ; # small u
+ D6 E6 ; # small zh
+ D7 E2 ; # small v
+ D8 FC ; # small soft sign
+ D9 FB ; # small y
+ DA E7 ; # small z
+ DB F8 ; # small sh
+ DC FD ; # small e
+ DD F9 ; # small shch
+ DE F7 ; # small ch
+ DF FA ; # small hard sign
+
+ E0 DE ; # capital YU
+ E1 C0 ; # capital A
+ E2 C1 ; # capital B
+ E3 D6 ; # capital TS
+ E4 C4 ; # capital D
+ E5 C5 ; # capital YE
+ E6 D4 ; # capital F
+ E7 C3 ; # capital G
+ E8 D5 ; # capital KH
+ E9 C8 ; # capital I
+ EA C9 ; # capital J
+ EB CA ; # capital K
+ EC CB ; # capital L
+ ED CC ; # capital M
+ EE CD ; # capital N
+ EF CE ; # capital O
+
+ F0 CF ; # capital P
+ F1 DF ; # capital YA
+ F2 D0 ; # capital R
+ F3 D1 ; # capital S
+ F4 D2 ; # capital T
+ F5 D3 ; # capital U
+ F6 C6 ; # capital ZH
+ F7 C2 ; # capital V
+ F8 DC ; # capital soft sign
+ F9 DB ; # capital Y
+ FA C7 ; # capital Z
+ FB D8 ; # capital SH
+ FC DD ; # capital E
+ FD D9 ; # capital SHCH
+ FE D7 ; # capital CH
+ FF DA ; # capital hard sign
+}
diff --git a/historic/guix/etc/nginx/mime.types b/historic/guix/etc/nginx/mime.types
new file mode 100644
index 0000000..89be9a4
--- /dev/null
+++ b/historic/guix/etc/nginx/mime.types
@@ -0,0 +1,89 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/historic/guix/etc/nginx/nginx.conf b/historic/guix/etc/nginx/nginx.conf
new file mode 100644
index 0000000..4b5de00
--- /dev/null
+++ b/historic/guix/etc/nginx/nginx.conf
@@ -0,0 +1,82 @@
+user nginx;
+worker_processes 4;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ log_format main '$remote_addr - $remote_user [$time_local] $host '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ client_body_temp_path /var/run/nginx/body_temp;
+ proxy_temp_path /var/run/nginx/proxy_temp;
+ fastcgi_temp_path /var/run/nginx/fastcgi_temp;
+ uwsgi_temp_path /var/run/nginx/uwsgi_temp;
+ scgi_temp_path /var/run/nginx/scgi_temp;
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log notice;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ # This isn't entirely correct since it does
+ # not consider the weighting of languages, but
+ # for now it's good enough.
+ map $http_accept_language $index_redirect_uri {
+ default "en";
+ # prefer language that's first in the list
+ ~^en "en";
+ ~^de "de";
+ ~^fr "fr";
+ ~^es "it";
+ # if none matches, take one later in the list
+ ~,en "en";
+ ~,de "de";
+ ~,fr "fr";
+ ~,es "it";
+ }
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include conf.d/*.conf;
+ include sites-enabled/*.site;
+}
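Review bot: In the `$index_redirect_uri` map, `~^es "it";` and `~,es "it";` send Spanish `Accept-Language` clients to the Italian page while every other entry maps a language to its own code; if this is a typo it should be `"es"`, and if Italian is a deliberate fallback because no Spanish translation exists, a comment saying so spares the next reader the same question. Separately, `include conf.d/*.conf;` loads nothing from the `conf.d/favicon_robots` and `conf.d/talerssl` files added in this commit because they lack a `.conf` suffix; that looks intentional since sites include them by name (`include conf.d/talerssl;`), but a comment in the "Virtual Host Configs" section noting that conf.d holds per-site snippets rather than auto-loaded files would make it explicit.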
diff --git a/historic/guix/etc/nginx/proxy_params b/historic/guix/etc/nginx/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/historic/guix/etc/nginx/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/historic/guix/etc/nginx/scgi_params b/historic/guix/etc/nginx/scgi_params
new file mode 100644
index 0000000..6d4ce4f
--- /dev/null
+++ b/historic/guix/etc/nginx/scgi_params
@@ -0,0 +1,17 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/historic/guix/etc/nginx/sites-available/blog-demo.site b/historic/guix/etc/nginx/sites-available/blog-demo.site
new file mode 100644
index 0000000..a48a036
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/blog-demo.site
@@ -0,0 +1,43 @@
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name blog.demo.taler.net;
+
+ root /home/demo/merchant/src/frontend_blog;
+ index index.html;
+
+ # Make site accessible from http://localhost/
+
+ location / {
+ try_files $uri $uri/ =404;
+ rewrite /taler/pay /pay.php;
+ rewrite /taler/contract /generate_taler_contract.php;
+
+ }
+
+ location /fullfillment {
+ rewrite /(.*) /$1.php;
+
+ }
+
+ location /articles {
+
+ internal;
+ }
+
+ location ~ \.php$ {
+
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+
+ }
+
+ location /backend {
+ rewrite /backend/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:19966;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
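Review bot: The `location ~ \.php$` block passes `$document_root$fastcgi_script_name` to PHP-FPM without checking that the script exists; with PHP's default `cgi.fix_pathinfo=1`, a URI in which a non-PHP path is followed by a `.php` suffix can be handed to the interpreter, the long-documented nginx+PHP pitfall. Adding `try_files $uri =404;` as the first line of that location (or setting `cgi.fix_pathinfo=0` in the FPM pool) makes nginx refuse non-existent scripts before they reach the backend. The same location shape appears in drupal-demo-ssl.site and drupal-demo.site. `location /backend` also exposes the merchant backend on `127.0.0.1:19966` to any client with no access rule in this file; if that backend relies on being loopback-only, the location needs `allow`/`deny` or an authentication requirement.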
diff --git a/historic/guix/etc/nginx/sites-available/default.site b/historic/guix/etc/nginx/sites-available/default.site
new file mode 100644
index 0000000..79e41e8
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/default.site
@@ -0,0 +1,86 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+ # # With php5-fpm:
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
diff --git a/historic/guix/etc/nginx/sites-available/drupal-demo-ssl.site b/historic/guix/etc/nginx/sites-available/drupal-demo-ssl.site
new file mode 100644
index 0000000..400020e
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/drupal-demo-ssl.site
@@ -0,0 +1,49 @@
+server {
+ listen 443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name drupal.demo.taler.net;
+
+ root /home/demo/drupal-demo;
+
+ ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+ add_header Strict-Transport-Security "max-age=63072000; preload";
+
+ # Make site accessible from http://localhost/
+
+# location / {
+# try_files $uri $uri/ =404;
+# rewrite /taler/pay /pay.php;
+# rewrite /taler/contract /generate_taler_contract.php;
+# }
+
+# location /fullfillment {
+# rewrite /(.*) /$1.php;
+# }
+
+ location ~ \.php$ {
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+# location /backend {
+# rewrite /backend/(.*) /$1 break;
+# proxy_pass http://127.0.0.1:19966;
+# proxy_redirect off;
+# proxy_set_header Host $host;
+# }
+
+ client_max_body_size 10M;
+ client_body_buffer_size 128k;
+
+ include apps/drupal/drupal.conf;
+}
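Review bot: The `ssl_*` directives and HSTS header in this server block duplicate what `conf.d/talerssl` in the same commit centralises, and they have already drifted: here the header is `"max-age=63072000; preload"` without `includeSubDomains`, while talerssl sends `includeSubDomains; preload`; the HSTS preload list requires `includeSubDomains`, so the `preload` token in this copy is ineffective. `include conf.d/talerssl;` (as www.git-ssl.site does) removes the duplication and keeps both vhosts in step, including the `ssl_protocols` choice. Because `apps/drupal/drupal.conf` is outside this chunk, whether its locations set their own `add_header` (which would drop the server-level HSTS header inside them) cannot be checked here.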
diff --git a/historic/guix/etc/nginx/sites-available/drupal-demo.site b/historic/guix/etc/nginx/sites-available/drupal-demo.site
new file mode 100644
index 0000000..d91c3f7
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/drupal-demo.site
@@ -0,0 +1,40 @@
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name drupal.demo.taler.net;
+
+ root /home/demo/drupal-demo;
+
+ # Make site accessible from http://localhost/
+
+# location / {
+# try_files $uri $uri/ =404;
+# rewrite /taler/pay /pay.php;
+# rewrite /taler/contract /generate_taler_contract.php;
+# }
+
+# location /fullfillment {
+# rewrite /(.*) /$1.php;
+# }
+
+
+ location ~ \.php$ {
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+# location /backend {
+# rewrite /backend/(.*) /$1 break;
+# proxy_pass http://127.0.0.1:19966;
+# proxy_redirect off;
+# proxy_set_header Host $host;
+# }
+
+ client_max_body_size 10M;
+ client_body_buffer_size 128k;
+
+ include apps/drupal/drupal.conf;
+}
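Review bot: This server block serves the same Drupal document root as drupal-demo-ssl.site over plain HTTP on port 80 with no redirect to the TLS vhost, so session cookies for `drupal.demo.taler.net` travel in clear unless the application forces HTTPS itself; ghm_videos.site in the same commit shows the redirect-only pattern. Replacing the body with `return 301 https://$host$request_uri;` keeps the hostname reachable while moving all traffic to the TLS site. If plain HTTP is intentionally retained for the demo, a comment stating so would prevent the next reader from treating it as an oversight.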
diff --git a/historic/guix/etc/nginx/sites-available/ghm_videos.site b/historic/guix/etc/nginx/sites-available/ghm_videos.site
new file mode 100644
index 0000000..c438e7f
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/ghm_videos.site
@@ -0,0 +1,25 @@
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+
+# location / {
+# autoindex off;
+# ssi on;
+## ssi_last_modified on;
+# rewrite /citizens /citizens.html break;
+# rewrite /developers /developers.html break;
+# rewrite /merchants /merchants.html break;
+# rewrite /governments /governments.html break;
+# rewrite /investors /investors.html break;
+# rewrite /about /about.html break;
+# rewrite /news /news.html break;
+# }
+}
diff --git a/historic/guix/etc/nginx/sites-available/www.git-ssl.site b/historic/guix/etc/nginx/sites-available/www.git-ssl.site
new file mode 100644
index 0000000..4ac7cfa
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/www.git-ssl.site
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name www.git.taler.net;
+
+ include conf.d/talerssl;
+
+ location /index.cgi {
+ root /usr/share/gitweb/;
+
+ include fastcgi_params;
+ gzip off;
+ fastcgi_param SCRIPT_NAME $uri;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location / {
+ root /usr/share/gitweb/;
+ index index.cgi;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-available/www.git.site b/historic/guix/etc/nginx/sites-available/www.git.site
new file mode 100644
index 0000000..26679be
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/www.git.site
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name www.git.taler.net;
+
+
+ location /index.cgi {
+ root /usr/share/gitweb/;
+
+ include fastcgi_params;
+ gzip off;
+ fastcgi_param SCRIPT_NAME $uri;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location / {
+ root /usr/share/gitweb/;
+ index index.cgi;
+ }
+}
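Review bot: This port-80 server serves gitweb in cleartext instead of redirecting to the TLS server in www.git-ssl.site, unlike the git.site and intranet.site pairs in this commit, whose port-80 blocks carry only `rewrite ^ https://$server_name$request_uri? permanent;`. If cleartext gitweb is not intended, replace the two `location` blocks with that redirect line. If both vhosts are meant to stay, `root /usr/share/gitweb/;` is repeated in both locations here and in www.git-ssl.site and could be hoisted to server level.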
diff --git a/historic/guix/etc/nginx/sites-enabled/api-ssl.site b/historic/guix/etc/nginx/sites-enabled/api-ssl.site
new file mode 100644
index 0000000..6f5fd69
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/api-ssl.site
@@ -0,0 +1,9 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name api.taler.net
+ www.api.taler.net;
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/api.site b/historic/guix/etc/nginx/sites-enabled/api.site
new file mode 100644
index 0000000..21e7efe
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/api.site
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name api.taler.net
+ www.api.taler.net;
+
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/buildbot-ssl.site b/historic/guix/etc/nginx/sites-enabled/buildbot-ssl.site
new file mode 100644
index 0000000..ba998bb
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/buildbot-ssl.site
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/buildbot/;
+
+ # Make site accessible from http://localhost/
+ server_name buildbot.taler.net;
+ server_name www.buildbot.taler.net;
+ server_name bb.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ include conf.d/favicon_robots;
+}
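Review bot: The `location /` proxy forwards `Upgrade` and `Connection "upgrade"` for buildbot's WebSocket but never sets `proxy_http_version 1.1;`, and nginx's default HTTP/1.0 to the upstream cannot carry a WebSocket upgrade. Add `proxy_http_version 1.1;` next to the `proxy_set_header Upgrade` line. Sending `Connection "upgrade"` unconditionally also applies to ordinary requests; the usual form is a `map $http_upgrade $connection_upgrade` at http level plus `proxy_set_header Connection $connection_upgrade;`.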
diff --git a/historic/guix/etc/nginx/sites-enabled/buildbot.site b/historic/guix/etc/nginx/sites-enabled/buildbot.site
new file mode 100644
index 0000000..77eb805
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/buildbot.site
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/buildbot/;
+
+ # Make site accessible from http://localhost/
+ server_name buildbot.taler.net;
+ server_name www.buildbot.taler.net;
+ server_name bb.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/decentralise-ssl.site b/historic/guix/etc/nginx/sites-enabled/decentralise-ssl.site
new file mode 100644
index 0000000..9dd0470
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/decentralise-ssl.site
@@ -0,0 +1,14 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/decentralise;
+
+ # Make site accessible from http://localhost/
+ server_name www.decentralise.rennes.inria.fr;
+ server_name decentralise.rennes.inria.fr;
+ include conf.d/talerssl;
+
+ rewrite / http://www.inria.fr/en/teams/decentralise redirect;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/decentralise.site b/historic/guix/etc/nginx/sites-enabled/decentralise.site
new file mode 100644
index 0000000..b92fb0f
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/decentralise.site
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/decentralise;
+
+ # Make site accessible from http://localhost/
+ server_name www.decentralise.rennes.inria.fr;
+ server_name decentralise.rennes.inria.fr;
+
+ rewrite / http://www.inria.fr/en/teams/decentralise redirect;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/default.site b/historic/guix/etc/nginx/sites-enabled/default.site
new file mode 100644
index 0000000..2d88ab2
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/default.site
@@ -0,0 +1,18 @@
+# matched when no other server name matches
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ # server name must simply something invalid ...
+ server_name _;
+ # drop connection, special nginx status code
+ return 444;
+}
+# server {
+# listen 443 ssl default_server;
+# listen [::]:443 ssl default_server;
+# include conf.d/talerssl;
+# # server name must simply something invalid ...
+# server_name _;
+# # drop connection, special nginx status code
+# return 444;
+# }
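Review bot: Only the port-80 catch-all returns 444; the TLS catch-all is left commented out, so a request on 443 whose SNI/Host matches no `server_name` is served by whichever `listen 443` server nginx loads first, an implicit and load-order-dependent choice. If a certificate for the default server is available, uncomment the second block (it already includes `conf.d/talerssl`); otherwise a comment stating which vhost is meant to absorb unmatched TLS traffic would make the behaviour explicit. The inline comment `server name must simply something invalid` is also missing a word (`be`).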
diff --git a/historic/guix/etc/nginx/sites-enabled/demo.site b/historic/guix/etc/nginx/sites-enabled/demo.site
new file mode 100644
index 0000000..16d9698
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/demo.site
@@ -0,0 +1,159 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name demo.taler.net
+ bank.demo.taler.net
+ shop.demo.taler.net
+ donations.demo.taler.net
+ survey.demo.taler.net
+ auditor.demo.taler.net
+ exchange.demo.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ # method used in the second request. This breaks all the API
+ # using POST, as some user agents do the second request using
+ # GET. 307 is meant to tell the user agent to not change the
+ # method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name auditor.demo.taler.net;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ root /home/demo/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name demo.taler.net www.demo.taler.net;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ root /home/demo/landing/demo;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name exchange.demo.taler.net;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location /admin {
+ proxy_pass http://unix:/home/demo/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ proxy_pass http://unix:/home/demo/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ server_name backend.demo.taler.net;
+ include conf.d/talerssl;
+
+ location /public {
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/public;
+ }
+
+ location / {
+ # match the ApiKey part ignoring case, and the actual key
+ # with case-sensitivity on.
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/;
+ }
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name donations.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name shop.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name survey.demo.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name bank.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
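Review bot: The `backend.demo.taler.net` server (the block with four `listen` lines) accepts port 80 and 443 alike and proxies the merchant backend on both, so the `ApiKey` Authorization header is accepted over cleartext, and `proxy_set_header X-Forwarded-Proto "https"` is then wrong for port-80 requests. Drop the two port-80 `listen` lines (the first server block in this file already redirects the other demo hosts, with a 307 for POST) or at least use `proxy_set_header X-Forwarded-Proto $scheme;`. The key check `if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox")` is unanchored, so it only requires that substring somewhere in the header; `^` and `$` would make it an exact match, though for a demo with a public key this may be intentional. `location /admin` on exchange.demo.taler.net proxies the exchange-admin socket with no access restriction in the location; if that interface is privileged, an `allow`/`deny` list or auth belongs there. The same backend block with port-80 listens appears in test.site below (`backend.test.taler.net`).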
diff --git a/historic/guix/etc/nginx/sites-enabled/docs-ssl.site b/historic/guix/etc/nginx/sites-enabled/docs-ssl.site
new file mode 100644
index 0000000..923d703
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/docs-ssl.site
@@ -0,0 +1,69 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Temporary, as this doesn't do i18n
+ root /home/docbuilder/build/docs-landing/;
+
+ # Make site accessible from http://localhost/
+ server_name docs.taler.net
+ www.docs.taler.net;
+
+ include conf.d/talerssl;
+
+ location / {
+ autoindex off;
+ ssi off;
+# ssi_last_modified on;
+
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ }
+
+
+ location /code/exchange {
+ alias /home/docbuilder/build/exchange/doxygen;
+ }
+
+ location /code/merchant {
+ alias /home/docbuilder/build/merchant-backend/doxygen;
+ }
+
+ location /onboarding {
+ alias /home/docbuilder/build/onboarding/;
+ }
+
+ location /bank {
+ alias /home/docbuilder/build/bank/manual;
+ }
+
+ location /backoffice {
+ alias /home/docbuilder/build/backoffice/;
+ }
+
+ location /exchange {
+ alias /home/docbuilder/build/exchange/manual;
+ }
+
+ location /merchant/backend {
+ alias /home/docbuilder/build/merchant-backend/manual;
+ }
+
+ location /merchant/frontend {
+ alias /home/docbuilder/build/merchant-frontend/;
+ }
+
+ location /api {
+ autoindex off;
+ alias /home/docbuilder/build/api/html;
+ }
+
+ # Associated to /api route.
+ location /_static {
+ alias /home/docbuilder/api/html/_static;
+ }
+
+ include conf.d/favicon_robots;
+}
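Review bot: Several `alias` locations (`/onboarding`, `/backoffice`, `/merchant/frontend`) use a prefix `location` without a trailing slash while the alias path ends in one; nginx substitutes the prefix textually, so a request whose path continues the prefix without a separating slash resolves relative to the parent of the aliased directory. Write the prefix with a trailing slash to match, e.g. `location /onboarding/ { alias /home/docbuilder/build/onboarding/; }`, and do the same for the other two. Separately, `/_static` aliases `/home/docbuilder/api/html/_static` while `/api` aliases `/home/docbuilder/build/api/html`; the missing `build/` component looks like a typo, but I cannot verify the filesystem layout from here. `$index_redirect_uri` is not defined in this file; presumably a `map` elsewhere in the nginx config provides it.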
diff --git a/historic/guix/etc/nginx/sites-enabled/docs.site b/historic/guix/etc/nginx/sites-enabled/docs.site
new file mode 100644
index 0000000..8e01608
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/docs.site
@@ -0,0 +1,7 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name docs.taler.net;
+
+ rewrite ^ https://$host$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/env.site b/historic/guix/etc/nginx/sites-enabled/env.site
new file mode 100644
index 0000000..fbe31aa
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/env.site
@@ -0,0 +1,85 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name env.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name env.taler.net;
+ include conf.d/talerssl;
+ root /dev/null;
+ # rewrite_log on;
+
+ # add trailing slashes to apps
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)$ /$user/$app/ redirect;
+ # add trailing slashes to user
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)$ /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/$ /$user/en/ redirect;
+
+ # aliases to get from one page to the other
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/landing /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/bank /$user/bank redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/shop /$user/shop redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/donations /$user/donations redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/survey /$user/survey redirect;
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/exchange/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/exchange.http:/$req$is_args$args;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/merchant-backend/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/merchant.http:/$req;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/bank(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/bank/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/shop(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/shop/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/donations(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/donations/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$ {
+ # add index.html
+ rewrite ^/(.*)/(..)/$ /$1/$2/index.html last;
+ # strip /user/
+ rewrite ^/([a-zA-Z0-9-_]+)/(.*)$ /$2 break;
+ root /home/$user/landing/demo;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/auditor(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/auditor.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/survey(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ include conf.d/favicon_robots;
+}
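Review bot: The catch-all `location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$` is declared before the `/auditor` and `/survey` regex locations, and nginx tries regex locations in order of appearance and takes the first match; since a path like `/alice/auditor/x` already matches the catch-all, the auditor and survey blocks can never be reached. Move those two blocks above the catch-all (the bank, shop and donations blocks are already ordered correctly). A comment near the first `rewrite` would also help: `$user` comes straight from the URL and is interpolated into `/home/$user/sockets/...` and `root /home/$user/landing/demo`, and the `[a-zA-Z0-9-_]+` class is what rules out path separators and `..`, so that restriction is load-bearing and must not be loosened.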
diff --git a/historic/guix/etc/nginx/sites-enabled/gauger-ssl.site b/historic/guix/etc/nginx/sites-enabled/gauger-ssl.site
new file mode 100644
index 0000000..e889b59
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/gauger-ssl.site
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/gauger.site b/historic/guix/etc/nginx/sites-enabled/gauger.site
new file mode 100644
index 0000000..967f9e9
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/gauger.site
@@ -0,0 +1,17 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/git-ssl.site b/historic/guix/etc/nginx/sites-enabled/git-ssl.site
new file mode 100644
index 0000000..ea7cf0f
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/git-ssl.site
@@ -0,0 +1,30 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+
+ root /srv/git;
+ server_name git.taler.net;
+ include conf.d/talerssl;
+
+ access_log /var/log/nginx/git.taler.net_access.log;
+ error_log /var/log/nginx/git.taler.net_error.log notice;
+
+ location ~ ^(.*?)\.git/(HEAD|info/refs|objects/.*|git-upload-pack)$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /run/current-system/profile/libexec/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location /cgit {
+ root /var/www;
+ }
+
+ location / {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /run/current-system/profile/lib/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/git.site b/historic/guix/etc/nginx/sites-enabled/git.site
new file mode 100644
index 0000000..e10fcc6
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/git.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /srv/git;
+ server_name git.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/intranet-ssl.site b/historic/guix/etc/nginx/sites-enabled/intranet-ssl.site
new file mode 100644
index 0000000..3390403
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/intranet-ssl.site
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name intranet.taler.net;
+ include conf.d/talerssl;
+ location / {
+ proxy_pass http://127.0.0.1:8018;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header HTTPS on;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/intranet.site b/historic/guix/etc/nginx/sites-enabled/intranet.site
new file mode 100644
index 0000000..66217db
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/intranet.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name intranet.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/lcov-ssl.site b/historic/guix/etc/nginx/sites-enabled/lcov-ssl.site
new file mode 100644
index 0000000..0620bfe
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/lcov-ssl.site
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/lcov.site b/historic/guix/etc/nginx/sites-enabled/lcov.site
new file mode 100644
index 0000000..979c387
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/lcov.site
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/sandbox.site b/historic/guix/etc/nginx/sites-enabled/sandbox.site
new file mode 100644
index 0000000..9e32b17
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/sandbox.site
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name sandbox.taler.net *.sandbox.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name sandbox.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/sandbox/sandbox_landing/;
+ autoindex off;
+ index index.html;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/test.site b/historic/guix/etc/nginx/sites-enabled/test.site
new file mode 100644
index 0000000..7c4f847
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/test.site
@@ -0,0 +1,379 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name test.taler.net
+ bank.test.taler.net
+ shop.test.taler.net
+ donations.test.taler.net
+ survey.test.taler.net
+ auditor.test.taler.net
+ exchange.test.taler.net
+ backoffice.test.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ # method used in the second request. This breaks all the API
+ # using POST, as some user agents do the second request using
+ # GET. 307 is meant to tell the user agent to not change the
+ # method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name test.taler.net www.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/landing/demo;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/landing/demo;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/landing/demo;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name auditor.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/auditor;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/auditor;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name exchange.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @blue-admin {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+ location @green-admin {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location /admin {
+ error_page 418 = @blue-admin;
+ error_page 419 = @green-admin;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name shop.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name playground.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name backend.test.taler.net;
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+
+ location /public {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/public;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ # match the ApiKey part ignoring case, and the actual key
+ # with case-sensitivity on.
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name survey.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/test/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ server_name donations.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name bank.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+server {
+ server_name backoffice.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
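Review bot: The blue/green `location /` body (two `error_page` lines, `recursive_error_pages on`, the two colour `if`s) is repeated in nine server blocks of this file with only the upstream changing; factoring it into an include snippet under conf.d/ would keep the copies from drifting, and `survey.test.taler.net` has already drifted (no colour routing, no favicon_robots include). Routing on the client-supplied `X-Taler-Deployment-Color` header lets any client pick the blue or green deployment; presumably intended for a test site, but a comment at the first occurrence saying so would help the next reader. The port-80 `listen` lines on `backend.test.taler.net` carry the same cleartext-ApiKey issue noted on demo.site.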
diff --git a/historic/guix/etc/nginx/sites-enabled/trollslayer.site b/historic/guix/etc/nginx/sites-enabled/trollslayer.site
new file mode 100644
index 0000000..1767fe6
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/trollslayer.site
@@ -0,0 +1,16 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/trollslayer/;
+
+ # Make site accessible from http://localhost/
+ server_name trollslayer.decentralise.rennes.inria.fr;
+
+ location / {
+ proxy_pass http://gnunet.org:20070/shell/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
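Review bot: The `location /` block forwards every request to `http://gnunet.org:20070/shell/` over plaintext HTTP, and the server itself only listens on port 80, so nothing on this path is encrypted on either the client or the upstream side. If the upstream cannot offer TLS, the client-facing side could still be served with `listen 443 ssl;` plus the `conf.d/talerssl` include the sibling sites use. The `root /var/www/trollslayer/;` directive is dead here because the only location proxies, so it can be dropped or given a comment explaining what it is for.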
diff --git a/historic/guix/etc/nginx/sites-enabled/www-ssl.site b/historic/guix/etc/nginx/sites-enabled/www-ssl.site
new file mode 100644
index 0000000..d7776b3
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www-ssl.site
@@ -0,0 +1,59 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/www.taler.net;
+ autoindex off;
+ ssi on;
+ #ssi_last_modified on;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+}
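Review bot: The first rewrite in `location /` references `$index_redirect_uri`, which is not defined anywhere in this file; nginx refuses to load a configuration that uses an unknown variable, so this presumably relies on a `map` in the shared nginx.conf or conf.d and deserves a comment such as `# $index_redirect_uri is defined by the language map in nginx.conf`. The same dependency exists in the `location /` of www-stage.site. Separately, `ssi on;` applies to the whole docroot under `/home/docbuilder`, so any HTML the doc builder writes there is interpreted for server-side includes — a comment stating that docbuilder output is trusted, or scoping SSI to the files that need it, would make that choice explicit. `autoindex on;` under `/releases` publishes a directory listing, which is presumably intentional for a downloads area but is worth a one-line comment as well.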
diff --git a/historic/guix/etc/nginx/sites-enabled/www-stage.site b/historic/guix/etc/nginx/sites-enabled/www-stage.site
new file mode 100644
index 0000000..e8a988b
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www-stage.site
@@ -0,0 +1,78 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/stage.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/stage.taler.net;
+ autoindex off;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ # FIXME: this location newest files are from Oct'16
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+
+ location ~* \.(png|jpg|jpeg|gif|ico|svg|js|css)$ {
+ root /home/docbuilder/stage.taler.net;
+ expires 1y;
+ }
+
+
+}
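Review bot: The `location /`, gzip and `/videos`/`/releases`/`/files` blocks of the 443 server are a near-verbatim copy of www-ssl.site, differing only in the docroot, the missing `ssi on;` and the extra asset-caching location at the end; with two copies the rewrite lists will drift, as the `ssi` difference already shows. A shared snippet in conf.d, included from both files with the root set per site, would keep staging and production aligned. The `FIXME` above `/releases` only exists in this copy, so whichever file is authoritative should carry it.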
diff --git a/historic/guix/etc/nginx/sites-enabled/www.git-ssl.site b/historic/guix/etc/nginx/sites-enabled/www.git-ssl.site
new file mode 100644
index 0000000..5ba4831
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www.git-ssl.site
@@ -0,0 +1,11 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+ include conf.d/talerssl;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
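Review bot: `root /var/git;` is dead configuration here, because the unconditional `rewrite ^ https://git.taler.net/ permanent;` answers every request before any file lookup; the same applies to www.git.site below. Dropping the root, or — if the requested path is meant to survive the redirect — replacing the rewrite with `return 301 https://git.taler.net$request_uri;`, would make the intent clearer.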
diff --git a/historic/guix/etc/nginx/sites-enabled/www.git.site b/historic/guix/etc/nginx/sites-enabled/www.git.site
new file mode 100644
index 0000000..645923f
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www.git.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/www.site b/historic/guix/etc/nginx/sites-enabled/www.site
new file mode 100644
index 0000000..ae178e5
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www.site
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/www.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
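Review bot: With two `server_name` directives, `$server_name` in the rewrite always expands to the first one (`taler.net`), so a request for `www.taler.net` is redirected to `https://taler.net/...` rather than to the same host over TLS. If folding www into the bare domain is intended, a comment such as `# www.taler.net is deliberately canonicalised to taler.net` would save the next reader a lookup; if not, `$host` is the variable that preserves the requested name.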
diff --git a/historic/guix/etc/nginx/uwsgi_params b/historic/guix/etc/nginx/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/historic/guix/etc/nginx/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/historic/guix/etc/nginx/win-utf b/historic/guix/etc/nginx/win-utf
new file mode 100644
index 0000000..774fd9f
--- /dev/null
+++ b/historic/guix/etc/nginx/win-utf
@@ -0,0 +1,125 @@
+# This map is not a full windows-1251 <> utf8 map: it does not
+# contain Serbian and Macedonian letters. If you need a full map,
+# use contrib/unicode2nginx/win-utf map instead.
+
+charset_map windows-1251 utf-8 {
+
+ 82 E2809A; # single low-9 quotation mark
+
+ 84 E2809E; # double low-9 quotation mark
+ 85 E280A6; # ellipsis
+ 86 E280A0; # dagger
+ 87 E280A1; # double dagger
+ 88 E282AC; # euro
+ 89 E280B0; # per mille
+
+ 91 E28098; # left single quotation mark
+ 92 E28099; # right single quotation mark
+ 93 E2809C; # left double quotation mark
+ 94 E2809D; # right double quotation mark
+ 95 E280A2; # bullet
+ 96 E28093; # en dash
+ 97 E28094; # em dash
+
+ 99 E284A2; # trade mark sign
+
+ A0 C2A0; # &nbsp;
+ A1 D18E; # capital Byelorussian short U
+ A2 D19E; # small Byelorussian short u
+
+ A4 C2A4; # currency sign
+ A5 D290; # capital Ukrainian soft G
+ A6 C2A6; # borken bar
+ A7 C2A7; # section sign
+ A8 D081; # capital YO
+ A9 C2A9; # (C)
+ AA D084; # capital Ukrainian YE
+ AB C2AB; # left-pointing double angle quotation mark
+ AC C2AC; # not sign
+ AD C2AD; # soft hypen
+ AE C2AE; # (R)
+ AF D087; # capital Ukrainian YI
+
+ B0 C2B0; # &deg;
+ B1 C2B1; # plus-minus sign
+ B2 D086; # capital Ukrainian I
+ B3 D196; # small Ukrainian i
+ B4 D291; # small Ukrainian soft g
+ B5 C2B5; # micro sign
+ B6 C2B6; # pilcrow sign
+ B7 C2B7; # &middot;
+ B8 D191; # small yo
+ B9 E28496; # numero sign
+ BA D194; # small Ukrainian ye
+ BB C2BB; # right-pointing double angle quotation mark
+
+ BF D197; # small Ukrainian yi
+
+ C0 D090; # capital A
+ C1 D091; # capital B
+ C2 D092; # capital V
+ C3 D093; # capital G
+ C4 D094; # capital D
+ C5 D095; # capital YE
+ C6 D096; # capital ZH
+ C7 D097; # capital Z
+ C8 D098; # capital I
+ C9 D099; # capital J
+ CA D09A; # capital K
+ CB D09B; # capital L
+ CC D09C; # capital M
+ CD D09D; # capital N
+ CE D09E; # capital O
+ CF D09F; # capital P
+
+ D0 D0A0; # capital R
+ D1 D0A1; # capital S
+ D2 D0A2; # capital T
+ D3 D0A3; # capital U
+ D4 D0A4; # capital F
+ D5 D0A5; # capital KH
+ D6 D0A6; # capital TS
+ D7 D0A7; # capital CH
+ D8 D0A8; # capital SH
+ D9 D0A9; # capital SHCH
+ DA D0AA; # capital hard sign
+ DB D0AB; # capital Y
+ DC D0AC; # capital soft sign
+ DD D0AD; # capital E
+ DE D0AE; # capital YU
+ DF D0AF; # capital YA
+
+ E0 D0B0; # small a
+ E1 D0B1; # small b
+ E2 D0B2; # small v
+ E3 D0B3; # small g
+ E4 D0B4; # small d
+ E5 D0B5; # small ye
+ E6 D0B6; # small zh
+ E7 D0B7; # small z
+ E8 D0B8; # small i
+ E9 D0B9; # small j
+ EA D0BA; # small k
+ EB D0BB; # small l
+ EC D0BC; # small m
+ ED D0BD; # small n
+ EE D0BE; # small o
+ EF D0BF; # small p
+
+ F0 D180; # small r
+ F1 D181; # small s
+ F2 D182; # small t
+ F3 D183; # small u
+ F4 D184; # small f
+ F5 D185; # small kh
+ F6 D186; # small ts
+ F7 D187; # small ch
+ F8 D188; # small sh
+ F9 D189; # small shch
+ FA D18A; # small hard sign
+ FB D18B; # small y
+ FC D18C; # small soft sign
+ FD D18D; # small e
+ FE D18E; # small yu
+ FF D18F; # small ya
+}
diff --git a/historic/guix/fixed-fcgiwrap.scm b/historic/guix/fixed-fcgiwrap.scm
new file mode 100644
index 0000000..21b39d6
--- /dev/null
+++ b/historic/guix/fixed-fcgiwrap.scm
@@ -0,0 +1,161 @@
+(define-module (fixed-fcgiwrap)
+ #:use-module (ice-9 match)
+ #:use-module (ice-9 regex)
+ #:use-module (gnu services)
+ #:use-module (gnu packages admin)
+ #:use-module (gnu system shadow)
+ #:use-module (gnu packages web)
+ #:use-module (gnu services shepherd)
+ #:use-module (guix modules)
+ #:use-module (guix i18n)
+ #:use-module (guix records)
+ #:use-module (guix gexp)
+ #:export (fcgiwrap-configuration
+ fcgiwrap-service-type))
+
+
+;;;
+;;; Our definition of the fcgiwrap-service,
+;;; this should eventually go upstream.
+;;;
+
+
+(define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration
+ make-fcgiwrap-configuration
+ fcgiwrap-configuration?
+ (package fcgiwrap-configuration-package ;<package>
+ (default fcgiwrap))
+ (socket fcgiwrap-configuration-socket
+ (default "tcp:127.0.0.1:9000"))
+ (user fcgiwrap-configuration-user
+ (default "fcgiwrap"))
+ (group fcgiwrap-configuration-group
+ (default "fcgiwrap"))
+ (log-file fcgiwrap-log-file
+ (default #f))
+ ;; boolean or octal mode integer
+ (adjusted-socket-permissions fcgiwrap-adjusted-socket-permissions?
+ (default #f))
+ (ensure-socket-dir? fcgiwrap-ensure-socket-dir?
+ (default #f)))
+
+(define fcgiwrap-accounts
+ (match-lambda
+ (($ <fcgiwrap-configuration> package socket user group)
+ (filter identity
+ (list
+ (and (equal? group "fcgiwrap")
+ (user-group
+ (name "fcgiwrap")
+ (system? #t)))
+ (and (equal? user "fcgiwrap")
+ (user-account
+ (name "fcgiwrap")
+ (group group)
+ (system? #t)
+ (comment "Fcgiwrap Daemon")
+ (home-directory "/var/empty")
+ (shell (file-append shadow "/sbin/nologin")))))))))
+
+(define (parse-fcgiwrap-socket s)
+ "Parse a fcgiwrap socket specification string into '(type args ...)"
+ (cond
+ ((string-prefix? "unix:" s)
+ (list 'unix (substring s 5)))
+ ((string-prefix? "tcp:" s)
+ (match (string-match "^tcp:([.0-9]+):([0-9]+)$" s)
+ ((? regexp-match? m)
+ (list
+ 'tcp
+ (match:substring m 1)
+ (string->number (match:substring m 2))))
+ (_ (error "invalid tcp socket address"))))
+ ((string-prefix? "tcp6:" s)
+ (match (string-match "^tcp6:\\[(.*)\\]:([0-9]+)$" s)
+ ((? regexp-match? m)
+ (list
+ 'tcp6
+ (match:substring m 1)
+ (string->number (match:substring m 2))))
+ (_ (error "invalid tcp6 socket address"))))
+ (else (error "unrecognized socket protocol"))))
+
+
+(define fcgiwrap-shepherd-service
+ (match-lambda
+ (($ <fcgiwrap-configuration> package socket user group log-file perm ensure-dir?)
+ (define parsed-socket (parse-fcgiwrap-socket socket))
+ (list
+ (shepherd-service
+ (provision '(fcgiwrap))
+ (documentation "Run the fcgiwrap daemon.")
+ (requirement '(networking))
+ (modules `((shepherd support) (ice-9 match) ,@%default-modules))
+ (start
+ #~(lambda args
+ (define (clean-up file)
+ (catch 'system-error
+ (lambda ()
+ (delete-file file))
+ (lambda args
+ (unless (= ENOENT (system-error-errno args))
+ (apply throw args)))))
+ (define* (wait-for-file file #:key (max-delay 10))
+ (define start (current-time))
+ (local-output "w: waiting for file ~s" file)
+ (let loop ()
+ (cond
+ ((file-exists? file)
+ (local-output "w: file ~s exists" file)
+ #t)
+ ((< (current-time) (+ start max-delay))
+ (local-output "w: file ~s does not exist yet" file)
+ (sleep 1)
+ (loop))
+ (else
+ (local-output "w: file ~s: giving up" file)
+ #f))))
+ (define (adjust-permissions file mode)
+ (match mode
+ (#t (chmod file #o660))
+ (n (chmod file n))
+ (#f 0)))
+ (define (ensure-socket-dir dir user group)
+ (unless (file-exists? dir)
+ (mkdir dir) ; FIXME: use mkdir-p instead?
+ (let ((uid (passwd:uid (getpwnam user)))
+ (gid (group:gid (getgrnam group))))
+ (chown dir uid gid))))
+ (define start-fcgiwrap
+ (make-forkexec-constructor
+ '(#$(file-append package "/sbin/fcgiwrap")
+ "-s" #$socket)
+ #:user #$user
+ #:group #$group
+ #:log-file #$log-file))
+ (match '#$parsed-socket
+ (('unix path)
+ ;; Clean up socket, otherwise fcgiwrap might not start properly.
+ (clean-up path)
+ (when #$ensure-dir?
+ (ensure-socket-dir (dirname path) #$user #$group))
+ (let ((pid (start-fcgiwrap))
+ (socket-exists? (wait-for-file path)))
+ (if socket-exists?
+ (adjust-permissions path #$perm)
+ (local-output
+ #$(G_ "fcgiwrap: warning: waiting for socket ~s failed")
+ path))
+ pid))
+ (_ (start-fcgiwrap)))))
+ (stop #~(make-kill-destructor)))))))
+
+(define fcgiwrap-service-type
+ (service-type (name 'fcgiwrap)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ fcgiwrap-shepherd-service)
+ (service-extension account-service-type
+ fcgiwrap-accounts)))
+ (default-value (fcgiwrap-configuration))))
+
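Review bot: In `adjust-permissions` the clause order makes the `#f` case unreachable: the identifier pattern `n` matches any value, so with the default `adjusted-socket-permissions` of `#f` a unix socket ends up calling `(chmod file #f)` and the start procedure raises instead of leaving the mode alone. Moving the `#f` clause ahead of `n` fixes it: `(match mode (#t (chmod file #o660)) (#f 0) (n (chmod file n)))`. Note also that `ensure-socket-dir` creates the directory with `mkdir`'s default mode before the `chown`, so the directory's mode is whatever the shepherd process umask yields; passing an explicit mode to `mkdir` would make the socket directory's exposure deliberate rather than inherited.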
diff --git a/historic/guix/keys/ssh/dold.pub b/historic/guix/keys/ssh/dold.pub
new file mode 100644
index 0000000..2414541
--- /dev/null
+++ b/historic/guix/keys/ssh/dold.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCwY5XSDyXVqobwR+UfQ0+lPJTVj8MchnOYAJWNC9xvks4s7ZapBkzbpxcnCi27hb31NBtXECgMCfbDI4HuaaphgbGZjOoIWQeMLn8yHCgo7WJT0KDm4o7nODl/6drgab9XmQKhobTtrzmM+MY+MPCSXNDGRk53rM8knT+8cuPsdafEUa67mTC0p/VQJOgX0JVUF45MfVUtl1914Uot22AMHChGGg+7EMPge9QV3z5ZlP9tzXLUkw28+dkeqkXhGgAtBu2alaAy+sxiRbVHVgedOQzYCmhfQZBly8wMBvlnnTNLK023jT9FAp6j2h9/mnfGaXncElzZqkqMTXTkLe1 dold
diff --git a/historic/guix/keys/ssh/grothoff.pub b/historic/guix/keys/ssh/grothoff.pub
new file mode 100644
index 0000000..6af38a5
--- /dev/null
+++ b/historic/guix/keys/ssh/grothoff.pub
@@ -0,0 +1 @@
+ssh-dss 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 grothoff@gnunet.org
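Review bot: This key is of type `ssh-dss`; OpenSSH has refused DSA keys by default since 7.0 and recent releases drop support entirely, so if this file is still fed into `sysadmin-service-type`'s authorized keys the account is silently unreachable on a current sshd. Replacing it with an `ssh-ed25519` key, as ng0.pub already uses, is the straightforward fix.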
diff --git a/historic/guix/keys/ssh/ng0.pub b/historic/guix/keys/ssh/ng0.pub
new file mode 100644
index 0000000..6d4c6e1
--- /dev/null
+++ b/historic/guix/keys/ssh/ng0.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBsKO/O2K6Q2sQ1a6EVzQkcnI1QbWeQ14uuxn+MplGG ng0@khazad-dum-2016-04-17
diff --git a/historic/guix/keys/ssh/stanisci.pub b/historic/guix/keys/ssh/stanisci.pub
new file mode 100644
index 0000000..31a3c23
--- /dev/null
+++ b/historic/guix/keys/ssh/stanisci.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIYb/6QP0HBsH9O0Y8gvthu+MWMu44fx0a2uw5R10bWNXALMQpBqAHImfv6X58KRKJYEnkpAcPHmiCmba8tvJo++UcyyEBQQfToFVmZv1afBBCg50pSv630SOaIVuLhpUcUyBkFYt4QFa2Eojj8+zrxEwjISQlRVcZMDwTk4icgSBJn3EL3TUQZp2as3EShU+3rtGEmyKdXgBMBpE0FU4xvSxtjAk1Nd4qAygR8nvWpK2ZeQRCF6sNLATK7iYOfdPNs10jK632pQc9CUE2NQ9bo4lz5pKRGUq3HBGTLmUWCkVCRSbTjiYfcJdNtkG4GKMyyJHDzlJJyzhCfJmmP1h stanisci
diff --git a/historic/guix/modules/sysadmin/people.scm b/historic/guix/modules/sysadmin/people.scm
new file mode 100644
index 0000000..121c268
--- /dev/null
+++ b/historic/guix/modules/sysadmin/people.scm
@@ -0,0 +1,73 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin people)
+ #:use-module (guix gexp)
+ #:use-module (guix records)
+ #:use-module (gnu services)
+ #:use-module (gnu system shadow)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu packages base)
+ #:use-module (ice-9 match)
+ #:export (sysadmin?
+ sysadmin
+ sysadmin-service-type))
+
+;;; Commentary:
+;;;
+;;; Declaration of system administrator user accounts.
+;;;
+;;; Code:
+
+(define-record-type* <sysadmin> sysadmin make-sysadmin
+ sysadmin?
+ (name sysadmin-name)
+ (full-name sysadmin-full-name)
+ (ssh-public-key sysadmin-ssh-public-key)
+ (restricted? sysadmin-restricted? (default #f)))
+
+(define (sysadmin->account sysadmin)
+ "Return the user account for SYSADMIN."
+ (match sysadmin
+ (($ <sysadmin> name comment _ restricted?)
+ (user-account
+ (name name)
+ (comment comment)
+ (group "users")
+ (supplementary-groups (if restricted?
+ '()
+ '("wheel" "kvm"))) ;sudoer
+ (home-directory (string-append "/home/" name))))))
+
+(define (sysadmin->authorized-key sysadmin)
+ "Return an authorized key tuple for SYSADMIN."
+ (list (sysadmin-name sysadmin)
+ (sysadmin-ssh-public-key sysadmin)))
+
+(define sysadmin-service-type
+ ;; The service that initializes sysadmin accounts.
+ (service-type
+ (name 'sysadmin)
+ (extensions (list (service-extension account-service-type
+ (lambda (lst)
+ (map sysadmin->account lst)))
+ (service-extension openssh-service-type
+ (lambda (lst)
+ (map sysadmin->authorized-key
+ lst)))))))
+
+;;; people.scm ends here
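Review bot: `sysadmin->account` grants every non-restricted sysadmin membership of `wheel` and `kvm`, and `restricted?` defaults to `#f`, so a `sysadmin` record that omits the field silently becomes a sudoer — the safe default is inverted. That is worth stating where the field is declared, e.g. `(restricted? sysadmin-restricted? (default #f)) ; #f => wheel (sudo) and kvm`, or flipping the default if only a few accounts need it. The `($ <sysadmin> name comment _ restricted?)` pattern is also positional, so any reordering of the record fields would quietly swap values; the accessors already defined above avoid that.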
diff --git a/historic/guix/modules/sysadmin/services.scm b/historic/guix/modules/sysadmin/services.scm
new file mode 100644
index 0000000..df2380d
--- /dev/null
+++ b/historic/guix/modules/sysadmin/services.scm
@@ -0,0 +1,143 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright (C) Nils Gillmann <gillmann@n0.is>
+;;; Parts and pieces initially taken from Guix' maintenance repository:
+;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin services)
+ #:use-module (guix gexp)
+ #:use-module (gnu services)
+ #:use-module (gnu services admin)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cuirass)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services web)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages package-management)
+ #:use-module (gnu packages tls)
+ #:use-module (gnu packages web)
+ #:use-module (sysadmin people)
+ #:use-module (srfi srfi-1)
+ #:export (firewall-service
+ default-services))
+
+(define start-firewall
+ ;; Rules to throttle malicious SSH connection attempts. This will allow at
+ ;; most 3 connections per minute from any host, and will block the host for
+ ;; another minute if this rate is exceeded. Taken from
+ ;; <http://www.la-samhna.de/library/brutessh.html#3>.
+ #~(let ((iptables
+ (lambda (str)
+ (zero? (apply system*
+ #$(file-append iptables
+ "/sbin/iptables")
+ (string-tokenize str))))))
+ (format #t "Installing iptables SSH rules...~%")
+ (and (iptables "-A INPUT -p tcp --dport 22 -m state \
+ --state NEW -m recent --set --name SSH -j ACCEPT")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix SSH_brute_force")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
+
+(define firewall-service
+ ;; The "firewall". Make it a Shepherd service because as an activation
+ ;; script it might run too early, before the Netfilter modules can be
+ ;; loaded for some reason.
+ (simple-service 'firewall shepherd-root-service-type
+ (list (shepherd-service
+ (provision '(firewall))
+ (requirement '())
+ (start #~(lambda ()
+ #$start-firewall))
+ (respawn? #f)))))
+
+(define %nginx-config
+ ;; Our nginx configuration directory. It expects 'guix publish' to be
+ ;; running on port 3000.
+ (computed-file "nginx-config"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$(local-file "nginx/berlin.conf")
+ "berlin.conf")
+ (copy-file #$(local-file
+ "nginx/bayfront-locations.conf")
+ "berlin-locations.conf")
+ (substitute* "berlin-locations.conf"
+ (("@WWWROOT@")
+ #$(local-file "nginx/html/berlin" #:recursive? #t)))))))
+
+(define %nginx-cache-activation
+ ;; Make sure /var/cache/nginx exists on the first run.
+ (simple-service 'nginx-/var/cache/nginx
+ activation-service-type
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/cache/nginx")))))
+
+(define %nginx-mime-types
+ ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
+ (simple-service 'nginx-mime.types
+ etc-service-type
+ `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+
+
+;; FIXME: Use certbot-service.
+;; Initial list of domains:
+;; taler.net www.taler.net api.taler.net lcov.taler.net git.taler.net
+;; gauger.taler.net buildbot.taler.net test.taler.net playground.test.taler.net
+;; auditor.test.taler.net auditor.demo.taler.net demo.taler.net shop.test.taler.net
+;; shop.demo.taler.net survey.test.taler.net survey.demo.taler.net
+;; donations.demo.taler.net backend.test.taler.net backend.demo.taler.net
+;; bank.test.taler.net bank.demo.taler.net www.git.taler.net
+;; exchange.demo.taler.net exchange.test.taler.net env.taler.net
+;; envs.taler.net blog.demo.taler.net blog.test.taler.net
+;; donations.test.taler.net docs.taler.net intranet.taler.net
+;; stage.taler.net
+
+(define %certbot-job
+;; Attempt to renew the Let's Encrypt certificate twice a week.
+ #~(job (lambda (now
+ (next-day-from (next-hour-from now '(3))
+ '(2 5)))
+ (string-append #$certbot "/bin/certbot renew"))))
+
+(define* (default-services sysadmins #:key nginx-config-file)
+ "Return the list of default services."
+ (cons* (service rottlog-service-type (rottlog-configuration))
+ (service mcron-service-type
+ (mcron-configuration
+ (jobs (list %certbot-job))))
+ firewall-service
+
+ (service nginx-service-type
+ (nginx-configuration
+ (file nginx-config-file)))
+
+ %nginx-mime-type
+ %nginx-cache-activation
+
+ (service openssh-service-type)
+ (service sysadmin-service-type sysadmins)))
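Review bot: `default-services` references `%nginx-mime-type`, but the binding defined above is `%nginx-mime-types`, so loading this module fails with an unbound variable. `%certbot-job` has a second problem: `(lambda (now (next-day-from ...)))` places the schedule expression inside the parameter list, which is a syntax error; it should read `(lambda (now) (next-day-from (next-hour-from now '(3)) '(2 5)))`. Both suggest the module was committed without being evaluated, which fits the "unmaintained" note in the commit message; if it is kept for reference, a header comment saying so would spare the next reader a debugging session. The SSH LOG rule in `start-firewall` also has no rate limit of its own, so a sustained burst above the threshold produces a log line per packet; adding `-m limit` to that rule is the usual mitigation.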
diff --git a/historic/guix/shepherd-with-sock.scm b/historic/guix/shepherd-with-sock.scm
new file mode 100644
index 0000000..a201c71
--- /dev/null
+++ b/historic/guix/shepherd-with-sock.scm
@@ -0,0 +1,237 @@
+(define-module (shepherd-with-sock)
+ #:use-module (ice-9 match)
+ #:use-module ((shepherd service)
+ #:select (handle-SIGCHLD read-pid-file))
+ #:use-module ((shepherd support)
+ #:select (catch-system-error))
+ #:use-module ((shepherd system)
+ #:select (max-file-descriptors))
+ #:export (make-forkexec-constructor))
+
+
+(define default-service-directory (@@ (shepherd service) default-service-directory))
+(define default-environment-variables (@@ (shepherd service) default-environment-variables))
+(define %pid-file-timeout (@@ (shepherd service) %pid-file-timeout))
+
+
+(define (clean-up-file file)
+ (when file
+ (catch 'system-error
+ (lambda ()
+ (delete-file file))
+ (lambda args
+ (unless (= ENOENT (system-error-errno args))
+ (apply throw args))))))
+
+
+(define (open-service-stdin stdin-socket)
+ (define (get-sock pf af . addr)
+ (let ((sock (socket pf SOCK_STREAM 0)))
+ (apply bind sock af addr)
+ (fileno sock)))
+ (match stdin-socket
+ (('unix sockpath)
+ (clean-up-file sockpath)
+ (get-sock PF_UNIX AF_UNIX sockpath))
+ (('tcp addr port)
+ (get-sock PF_INET AF_INET (inet-pton AF_INET addr) port))
+ (('tcp6 addr port)
+ (get-sock PF_INET6 AF_INET6 (inet-pton AF_INET6 addr) port))
+ (#f
+ ;; Make sure file descriptor zero is used, so we don't end up reusing
+ ;; it for something unrelated, which can confuse some packages.
+ (open-fdes "/dev/null" O_RDONLY))))
+
+
+(define* (exec-command command
+ #:key
+ (user #f)
+ (group #f)
+ (log-file #f)
+ (directory (default-service-directory))
+ (environment-variables (default-environment-variables))
+ (stdin-socket #f))
+ "Run COMMAND as the current process from DIRECTORY, and with
+ENVIRONMENT-VARIABLES (a list of strings like \"PATH=/bin\".) File
+descriptors 1 and 2 are kept as is or redirected to LOG-FILE if it's true,
+whereas file descriptor 0 (standard input) points to /dev/null; all other file
+descriptors are closed prior to yielding control to COMMAND.
+
+By default, COMMAND is run as the current user. If the USER keyword
+argument is present and not false, change to USER immediately before
+invoking COMMAND. USER may be a string, indicating a user name, or a
+number, indicating a user ID. Likewise, COMMAND will be run under the
+current group, unless the GROUP keyword argument is present and not
+false."
+ (match command
+ ((program args ...)
+ ;; Become the leader of a new session and session group.
+ ;; Programs such as 'mingetty' expect this.
+ (setsid)
+
+ (chdir directory)
+ (environ environment-variables)
+
+ ;; Close all the file descriptors except stdout and stderr.
+ (let ((max-fd (max-file-descriptors)))
+ ;; Redirect stdin to use /dev/null or stdin-socket
+ (catch-system-error (close-fdes 0))
+
+ ;; Make sure file descriptor zero is always used, so we don't end up reusing
+ ;; it for something unrelated, which can confuse some packages.
+ (dup2 (open-service-stdin stdin-socket) 0)
+
+ (when log-file
+ (catch #t
+ (lambda ()
+ ;; Redirect stout and stderr to use LOG-FILE.
+ (catch-system-error (close-fdes 1))
+ (catch-system-error (close-fdes 2))
+ (dup2 (open-fdes log-file (logior O_CREAT O_WRONLY O_APPEND)) 1)
+ (dup2 1 2))
+ (lambda (key . args)
+ (format (current-error-port)
+ "failed to open log-file ~s:~%" log-file)
+ (print-exception (current-error-port) #f key args)
+ (primitive-exit 1))))
+
+ ;; setgid must be done *before* setuid, otherwise the user will
+ ;; likely no longer have permissions to setgid.
+ (when group
+ (catch #t
+ (lambda ()
+ ;; Clear supplementary groups.
+ (setgroups #())
+ (setgid (group:gid (getgr group))))
+ (lambda (key . args)
+ (format (current-error-port)
+ "failed to change to group ~s:~%" group)
+ (print-exception (current-error-port) #f key args)
+ (primitive-exit 1))))
+
+ (when user
+ (catch #t
+ (lambda ()
+ (setuid (passwd:uid (getpw user))))
+ (lambda (key . args)
+ (format (current-error-port)
+ "failed to change to user ~s:~%" user)
+ (print-exception (current-error-port) #f key args)
+ (primitive-exit 1))))
+
+ ;; As the last action, close file descriptors. Doing it last makes
+ ;; "error in the finalization thread: Bad file descriptor" issues
+ ;; unlikely on 2.2.
+ (let loop ((i 3))
+ (when (< i max-fd)
+ ;; First try to close any ports associated with file descriptor I.
+ ;; Otherwise the finalization thread might get around to closing
+ ;; those ports eventually, which will raise an EBADF exception (on
+ ;; 2.2), leading to messages like "error in the finalization
+ ;; thread: Bad file descriptor".
+ (for-each (lambda (port)
+ (catch-system-error (close-port port)))
+ (fdes->ports i))
+ (catch-system-error (close-fdes i))
+ (loop (+ i 1)))))
+
+ (catch 'system-error
+ (lambda ()
+ (apply execlp program program args))
+ (lambda args
+ (format (current-error-port)
+ "exec of ~s failed: ~a~%"
+ program (strerror (system-error-errno args)))
+ (primitive-exit 1))))))
+
+(define (ensure-sigchld-handler)
+ (unless (@@ (shepherd service) %sigchld-handler-installed?)
+ (sigaction SIGCHLD handle-SIGCHLD SA_NOCLDSTOP)
+ (set! (@@ (shepherd service) %sigchld-handler-installed?) #t)))
+
+(define* (fork+exec-command command
+ #:key
+ (user #f)
+ (group #f)
+ (log-file #f)
+ (directory (default-service-directory))
+ (environment-variables
+ (default-environment-variables))
+ (stdin-socket #f))
+ "Spawn a process that executed COMMAND as per 'exec-command', and return
+its PID."
+ (ensure-sigchld-handler)
+ ;; Install the SIGCHLD handler if this is the first fork+exec-command call
+ (let ((pid (primitive-fork)))
+ (if (zero? pid)
+ (exec-command command
+ #:user user
+ #:group group
+ #:log-file log-file
+ #:directory directory
+ #:environment-variables environment-variables
+ #:stdin-socket stdin-socket)
+ pid)))
+
+
+
+(define make-forkexec-constructor
+ (let ((warn-deprecated-form
+ ;; Until 0.1, this procedure took a rest list.
+ (lambda ()
+ (issue-deprecation-warning
+ "This 'make-forkexec-constructor' form is deprecated; use
+ (make-forkexec-constructor '(\"PROGRAM\" \"ARGS\"...)."))))
+ (case-lambda*
+ "Return a procedure that forks a child process, closes all file
+descriptors except the standard output and standard error descriptors, sets
+the current directory to @var{directory}, changes the environment to
+@var{environment-variables} (using the @code{environ} procedure), sets the
+current user to @var{user} and the current group to @var{group} unless they
+are @code{#f}, and executes @var{command} (a list of strings.) The result of
+the procedure will be the PID of the child process.
+
+When @var{pid-file} is true, it must be the name of a PID file associated with
+the process being launched; the return value is the PID read from that file,
+once that file has been created. If @var{pid-file} does not show up in less
+than @var{pid-file-timeout} seconds, the service is considered as failing to
+start."
+ ((command #:key
+ (user #f)
+ (group #f)
+ (directory (default-service-directory))
+ (environment-variables (default-environment-variables))
+ (pid-file #f)
+ (pid-file-timeout %pid-file-timeout)
+ (log-file #f)
+ (stdin-socket #f))
+ (let ((command (if (string? command)
+ (begin
+ (warn-deprecated-form)
+ (list command))
+ command)))
+ (lambda args
+ (clean-up-file pid-file)
+ (clean-up-file log-file)
+
+ (let ((pid (fork+exec-command command
+ #:user user
+ #:group group
+ #:log-file log-file
+ #:directory directory
+ #:environment-variables
+ environment-variables
+ #:stdin-socket stdin-socket)))
+ (if pid-file
+ (match (read-pid-file pid-file
+ #:max-delay pid-file-timeout)
+ (#f
+ (catch-system-error (kill pid SIGTERM))
+ #f)
+ ((? integer? pid)
+ pid))
+ pid)))))
+ ((program . program-args)
+ ;; The old form, documented until 0.1 included.
+ (warn-deprecated-form)
+ (make-forkexec-constructor (cons program program-args))))))
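Review bot: `open-service-stdin` binds the stream socket but never calls `listen` on it before it becomes the child's fd 0, so unless the launched program calls `listen` itself, `accept` on that descriptor will fail; programs that inherit a listening socket on stdin generally expect it to be listening already, so `(listen sock 128)` after the `bind` (or a comment explaining why the child does it) seems warranted — to be confirmed against the intended consumer. The `exec-command` docstring still says "file descriptor 0 (standard input) points to /dev/null", which is no longer true when `stdin-socket` is given; it should describe the socket case. The socket is also created and bound before the `setgid`/`setuid` that follow, so a unix socket path is owned by the shepherd's user with the process umask's mode and nothing here adjusts it; callers must handle ownership and permissions themselves, which deserves a line in the docstring.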
diff --git a/historic/guix/taler-helpers.scm b/historic/guix/taler-helpers.scm
new file mode 100644
index 0000000..7f0b7c5
--- /dev/null
+++ b/historic/guix/taler-helpers.scm
@@ -0,0 +1,39 @@
+(define-module (taler-helpers)
+ #:use-module (guix)
+ #:use-module (guix utils)
+ #:use-module (ice-9 textual-ports)
+ #:export (concat-local-files))
+
+;;;
+;;; Helpers
+;;;
+
+(define (absolute-file-name file directory)
+ "Return the canonical absolute file name for FILE, which lives in the
+vicinity of DIRECTORY."
+ (canonicalize-path
+ (cond ((string-prefix? "/" file) file)
+ ((not directory) file)
+ ((string-prefix? "/" directory)
+ (string-append directory "/" file))
+ (else file))))
+
+(define (%%concat-local-files srcdir outname files)
+ (define (slurp f)
+ (call-with-input-file (absolute-file-name f srcdir) get-string-all))
+ (define (file-concat files)
+ (string-concatenate (map slurp files)))
+ (plain-file outname (file-concat files)))
+
+
+(define-syntax concat-local-files
+ (lambda (s)
+ (syntax-case s ()
+ ((_ outname files)
+ #'(%%concat-local-files (current-source-directory) outname files))
+ ((_)
+ #'(syntax-error "missing arguments"))
+ (id
+ (identifier? #'id)
+ #'(syntax-error
+ "'concat-local-files' is a macro and cannot be used like this")))))
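Review bot: `slurp` opens each file with `call-with-input-file` and reads it via `get-string-all`, so the content is decoded with the current locale's encoding and re-encoded when `plain-file` writes it out; under a C/POSIX locale at evaluation time, non-ASCII bytes in the concatenated configuration would be mangled or raise a decoding error. Passing `#:encoding "UTF-8"` to `call-with-input-file` (assuming the source files are UTF-8) makes the concatenation round-trip cleanly. A one-line docstring on `%%concat-local-files` saying that FILES are resolved relative to SRCDIR and embedded at evaluation time would also help, since the macro wrapper hides both facts.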