Diffstat (limited to 'guix/etc/nginx/sites-enabled')
-rw-r--r--guix/etc/nginx/sites-enabled/api-ssl.site9
-rw-r--r--guix/etc/nginx/sites-enabled/api.site8
-rw-r--r--guix/etc/nginx/sites-enabled/buildbot-ssl.site23
-rw-r--r--guix/etc/nginx/sites-enabled/buildbot.site14
-rw-r--r--guix/etc/nginx/sites-enabled/decentralise-ssl.site14
-rw-r--r--guix/etc/nginx/sites-enabled/decentralise.site13
-rw-r--r--guix/etc/nginx/sites-enabled/default.site18
-rw-r--r--guix/etc/nginx/sites-enabled/demo.site159
-rw-r--r--guix/etc/nginx/sites-enabled/docs-ssl.site69
-rw-r--r--guix/etc/nginx/sites-enabled/docs.site7
-rw-r--r--guix/etc/nginx/sites-enabled/env.site85
-rw-r--r--guix/etc/nginx/sites-enabled/gauger-ssl.site18
-rw-r--r--guix/etc/nginx/sites-enabled/gauger.site17
-rw-r--r--guix/etc/nginx/sites-enabled/git-ssl.site31
-rw-r--r--guix/etc/nginx/sites-enabled/git.site10
-rw-r--r--guix/etc/nginx/sites-enabled/intranet-ssl.site15
-rw-r--r--guix/etc/nginx/sites-enabled/intranet.site10
-rw-r--r--guix/etc/nginx/sites-enabled/lcov-ssl.site20
-rw-r--r--guix/etc/nginx/sites-enabled/lcov.site19
-rw-r--r--guix/etc/nginx/sites-enabled/sandbox.site20
-rw-r--r--guix/etc/nginx/sites-enabled/test.site379
-rw-r--r--guix/etc/nginx/sites-enabled/trollslayer.site16
-rw-r--r--guix/etc/nginx/sites-enabled/www-ssl.site59
-rw-r--r--guix/etc/nginx/sites-enabled/www-stage.site78
-rw-r--r--guix/etc/nginx/sites-enabled/www.git-ssl.site11
-rw-r--r--guix/etc/nginx/sites-enabled/www.git.site10
-rw-r--r--guix/etc/nginx/sites-enabled/www.site13
27 files changed, 1145 insertions, 0 deletions
diff --git a/guix/etc/nginx/sites-enabled/api-ssl.site b/guix/etc/nginx/sites-enabled/api-ssl.site
new file mode 100644
index 0000000..6f5fd69
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/api-ssl.site
@@ -0,0 +1,9 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name api.taler.net
+ www.api.taler.net;
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
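Review bot: No certificate is configured for this TLS listener. Every other `listen 443 ssl` server in this commit has `include conf.d/talerssl;`, and this one does not, so unless `ssl_certificate` is set at `http` level (not visible here) the handshake for api.taler.net cannot succeed and the redirect is never reached. Adding `include conf.d/talerssl;` after `server_name` would match the other files, assuming that certificate covers api.taler.net and www.api.taler.net. The trailing comment on `listen [::]:443 ssl;` says "listen for ipv4" although the line is the IPv6 listener; the same stale comment recurs in most of the `*-ssl.site` files.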
diff --git a/guix/etc/nginx/sites-enabled/api.site b/guix/etc/nginx/sites-enabled/api.site
new file mode 100644
index 0000000..21e7efe
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/api.site
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name api.taler.net
+ www.api.taler.net;
+
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/buildbot-ssl.site b/guix/etc/nginx/sites-enabled/buildbot-ssl.site
new file mode 100644
index 0000000..ba998bb
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/buildbot-ssl.site
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/buildbot/;
+
+ # Make site accessible from http://localhost/
+ server_name buildbot.taler.net;
+ server_name www.buildbot.taler.net;
+ server_name bb.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ include conf.d/favicon_robots;
+}
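Review bot: The WebSocket upgrade headers in `location /` have no effect without `proxy_http_version 1.1;`, because nginx talks HTTP/1.0 to upstreams by default and an upgrade cannot be negotiated over it. `proxy_set_header Connection "upgrade";` is also sent on every request rather than only on upgrade requests. The usual form is a `map $http_upgrade $connection_upgrade` at `http` level with `proxy_set_header Connection $connection_upgrade;` here. The upstream also receives no `X-Forwarded-For` or `X-Forwarded-Proto`, so buildbot logs will show 127.0.0.1 for every client.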
diff --git a/guix/etc/nginx/sites-enabled/buildbot.site b/guix/etc/nginx/sites-enabled/buildbot.site
new file mode 100644
index 0000000..77eb805
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/buildbot.site
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/buildbot/;
+
+ # Make site accessible from http://localhost/
+ server_name buildbot.taler.net;
+ server_name www.buildbot.taler.net;
+ server_name bb.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/decentralise-ssl.site b/guix/etc/nginx/sites-enabled/decentralise-ssl.site
new file mode 100644
index 0000000..9dd0470
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/decentralise-ssl.site
@@ -0,0 +1,14 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/decentralise;
+
+ # Make site accessible from http://localhost/
+ server_name www.decentralise.rennes.inria.fr;
+ server_name decentralise.rennes.inria.fr;
+ include conf.d/talerssl;
+
+ rewrite / http://www.inria.fr/en/teams/decentralise redirect;
+}
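Review bot: The HTTPS vhost redirects to a plain `http://` target, which downgrades a client that arrived over TLS. If the destination serves HTTPS, `rewrite / https://www.inria.fr/en/teams/decentralise redirect;` avoids the downgrade. The pattern `/` is unanchored and matches every URI, so the original path is discarded. If that is intended, `return 302 https://www.inria.fr/en/teams/decentralise;` states it more directly.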
diff --git a/guix/etc/nginx/sites-enabled/decentralise.site b/guix/etc/nginx/sites-enabled/decentralise.site
new file mode 100644
index 0000000..b92fb0f
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/decentralise.site
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/decentralise;
+
+ # Make site accessible from http://localhost/
+ server_name www.decentralise.rennes.inria.fr;
+ server_name decentralise.rennes.inria.fr;
+
+ rewrite / http://www.inria.fr/en/teams/decentralise redirect;
+}
diff --git a/guix/etc/nginx/sites-enabled/default.site b/guix/etc/nginx/sites-enabled/default.site
new file mode 100644
index 0000000..e295383
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/default.site
@@ -0,0 +1,18 @@
+# matched when no other server name matches
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ # server name must simply something invalid ...
+ server_name _;
+ # drop connection, special nginx status code
+ return 444;
+}
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ include conf.d/talerssl;
+ # server name must simply something invalid ...
+ server_name _;
+ # drop connection, special nginx status code
+ return 444;
+}
diff --git a/guix/etc/nginx/sites-enabled/demo.site b/guix/etc/nginx/sites-enabled/demo.site
new file mode 100644
index 0000000..16d9698
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/demo.site
@@ -0,0 +1,159 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name demo.taler.net
+ bank.demo.taler.net
+ shop.demo.taler.net
+ donations.demo.taler.net
+ survey.demo.taler.net
+ auditor.demo.taler.net
+ exchange.demo.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ # method used in the second request. This breaks all the API
+ # using POST, as some user agents do the second request using
+ # GET. 307 is meant to tell the user agent to not change the
+ # method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name auditor.demo.taler.net;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ root /home/demo/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name demo.taler.net www.demo.taler.net;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ root /home/demo/landing/demo;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name exchange.demo.taler.net;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location /admin {
+ proxy_pass http://unix:/home/demo/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ proxy_pass http://unix:/home/demo/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ server_name backend.demo.taler.net;
+ include conf.d/talerssl;
+
+ location /public {
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/public;
+ }
+
+ location / {
+ # match the ApiKey part ignoring case, and the actual key
+ # with case-sensitivity on.
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/;
+ }
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name donations.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name shop.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name survey.demo.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name bank.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
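Review bot: The Authorization check in `location /` of the backend.demo.taler.net server is an unanchored regex, so it accepts any header value that merely contains `ApiKey sandbox` and not only that exact credential. Anchoring it closes that gap, e.g. `if ($http_authorization !~ "^(?i)ApiKey (?-i)sandbox$") { return 401; }`. The same server also listens on port 80 while hard-coding `X-Forwarded-Proto "https"`, so the key can travel in clear text and the backend is told the request was encrypted. Dropping the two port-80 `listen` lines or sending `$scheme` would fix that. `location /admin` on exchange.demo.taler.net is proxied with no restriction visible here, and the identical ApiKey check appears in the backend.test.taler.net server of test.site.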
diff --git a/guix/etc/nginx/sites-enabled/docs-ssl.site b/guix/etc/nginx/sites-enabled/docs-ssl.site
new file mode 100644
index 0000000..923d703
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/docs-ssl.site
@@ -0,0 +1,69 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Temporary, as this doesn't do i18n
+ root /home/docbuilder/build/docs-landing/;
+
+ # Make site accessible from http://localhost/
+ server_name docs.taler.net
+ www.docs.taler.net;
+
+ include conf.d/talerssl;
+
+ location / {
+ autoindex off;
+ ssi off;
+# ssi_last_modified on;
+
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ }
+
+
+ location /code/exchange {
+ alias /home/docbuilder/build/exchange/doxygen;
+ }
+
+ location /code/merchant {
+ alias /home/docbuilder/build/merchant-backend/doxygen;
+ }
+
+ location /onboarding {
+ alias /home/docbuilder/build/onboarding/;
+ }
+
+ location /bank {
+ alias /home/docbuilder/build/bank/manual;
+ }
+
+ location /backoffice {
+ alias /home/docbuilder/build/backoffice/;
+ }
+
+ location /exchange {
+ alias /home/docbuilder/build/exchange/manual;
+ }
+
+ location /merchant/backend {
+ alias /home/docbuilder/build/merchant-backend/manual;
+ }
+
+ location /merchant/frontend {
+ alias /home/docbuilder/build/merchant-frontend/;
+ }
+
+ location /api {
+ autoindex off;
+ alias /home/docbuilder/build/api/html;
+ }
+
+ # Associated to /api route.
+ location /_static {
+ alias /home/docbuilder/api/html/_static;
+ }
+
+ include conf.d/favicon_robots;
+}
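Review bot: The `/onboarding`, `/backoffice` and `/merchant/frontend` locations pair a prefix without a trailing slash with an `alias` that ends in one. nginx appends whatever follows the prefix to the alias, so a path that continues the prefix with `..` can resolve to sibling directories under /home/docbuilder/build instead of staying inside the aliased tree. Giving the location the same trailing slash as its alias prevents that, e.g. `location /onboarding/ { alias /home/docbuilder/build/onboarding/; }`. The remaining aliases have no slash on either side and should gain one on both for consistency. Separately, `/_static` points at `/home/docbuilder/api/html/_static` while `/api` uses `/home/docbuilder/build/api/html`, so the `build/` component looks to be missing.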
diff --git a/guix/etc/nginx/sites-enabled/docs.site b/guix/etc/nginx/sites-enabled/docs.site
new file mode 100644
index 0000000..8e01608
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/docs.site
@@ -0,0 +1,7 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name docs.taler.net;
+
+ rewrite ^ https://$host$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/env.site b/guix/etc/nginx/sites-enabled/env.site
new file mode 100644
index 0000000..fbe31aa
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/env.site
@@ -0,0 +1,85 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name env.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name env.taler.net;
+ include conf.d/talerssl;
+ root /dev/null;
+ # rewrite_log on;
+
+ # add trailing slashes to apps
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)$ /$user/$app/ redirect;
+ # add trailing slashes to user
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)$ /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/$ /$user/en/ redirect;
+
+ # aliases to get from one page to the other
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/landing /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/bank /$user/bank redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/shop /$user/shop redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/donations /$user/donations redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/survey /$user/survey redirect;
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/exchange/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/exchange.http:/$req$is_args$args;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/merchant-backend/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/merchant.http:/$req;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/bank(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/bank/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/shop(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/shop/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/donations(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/donations/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$ {
+ # add index.html
+ rewrite ^/(.*)/(..)/$ /$1/$2/index.html last;
+ # strip /user/
+ rewrite ^/([a-zA-Z0-9-_]+)/(.*)$ /$2 break;
+ root /home/$user/landing/demo;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/auditor(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/auditor.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/survey(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ include conf.d/favicon_robots;
+}
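Review bot: The `auditor` and `survey` locations at the end of the HTTPS server are unreachable. nginx tries regex locations in file order and takes the first match, and the catch-all `location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$` placed before them already matches `/user/auditor/...` and `/user/survey/...`. Moving the catch-all block to the end, after the `survey` location, restores them. The `merchant-backend` location also passes `/$req` without `$is_args$args`, unlike the `exchange` location, so query strings are dropped. It also has none of the Authorization checks that the backend servers in demo.site and test.site apply. Because `$user` from the URL selects the socket under `/home/$user/sockets/`, a comment should state that every account with such sockets is meant to be publicly reachable through this host.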
diff --git a/guix/etc/nginx/sites-enabled/gauger-ssl.site b/guix/etc/nginx/sites-enabled/gauger-ssl.site
new file mode 100644
index 0000000..e889b59
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/gauger-ssl.site
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/gauger.site b/guix/etc/nginx/sites-enabled/gauger.site
new file mode 100644
index 0000000..967f9e9
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/gauger.site
@@ -0,0 +1,17 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
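Review bot: The port-80 vhost proxies straight to the application instead of redirecting to HTTPS, so anything sent to gauger, including any credentials it accepts, can cross the network in clear text even though gauger-ssl.site exists. Replacing the `location /` block with `rewrite ^ https://$host$request_uri? permanent;` would match git.site and intranet.site. lcov.site has the same shape, serving content over HTTP rather than redirecting.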
diff --git a/guix/etc/nginx/sites-enabled/git-ssl.site b/guix/etc/nginx/sites-enabled/git-ssl.site
new file mode 100644
index 0000000..673ced5
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/git-ssl.site
@@ -0,0 +1,31 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name git.taler.net;
+ include conf.d/talerssl;
+
+ access_log /var/log/nginx/git.taler.net_access.log;
+ error_log /var/log/nginx/git.taler.net_error.log notice;
+
+ location ~ ^(.*?)\.git/(HEAD|info/refs|objects/.*|git-upload-pack)$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location /cgit {
+ root /var/www;
+ }
+
+ location / {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /var/www/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+}
diff --git a/guix/etc/nginx/sites-enabled/git.site b/guix/etc/nginx/sites-enabled/git.site
new file mode 100644
index 0000000..4c0c9ea
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/git.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name git.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/intranet-ssl.site b/guix/etc/nginx/sites-enabled/intranet-ssl.site
new file mode 100644
index 0000000..3390403
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/intranet-ssl.site
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name intranet.taler.net;
+ include conf.d/talerssl;
+ location / {
+ proxy_pass http://127.0.0.1:8018;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header HTTPS on;
+ }
+}
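Review bot: `proxy_set_header HTTPS on;` sends a request header literally named `HTTPS`, which upstream frameworks do not normally read, so the backend on port 8018 probably still believes the request was plain HTTP. The conventional signal is `proxy_set_header X-Forwarded-Proto https;`, as the backend servers in demo.site already use. Nothing in this block restricts who can reach a host named intranet (no `allow`/`deny`, no `auth_basic`), so access control presumably lives in the application. A comment saying so would help the next reader, and `root /var/git;` looks like a leftover from git-ssl.site.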
diff --git a/guix/etc/nginx/sites-enabled/intranet.site b/guix/etc/nginx/sites-enabled/intranet.site
new file mode 100644
index 0000000..66217db
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/intranet.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name intranet.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/lcov-ssl.site b/guix/etc/nginx/sites-enabled/lcov-ssl.site
new file mode 100644
index 0000000..0620bfe
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/lcov-ssl.site
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/lcov.site b/guix/etc/nginx/sites-enabled/lcov.site
new file mode 100644
index 0000000..979c387
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/lcov.site
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/guix/etc/nginx/sites-enabled/sandbox.site b/guix/etc/nginx/sites-enabled/sandbox.site
new file mode 100644
index 0000000..9e32b17
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/sandbox.site
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name sandbox.taler.net *.sandbox.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name sandbox.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/sandbox/sandbox_landing/;
+ autoindex off;
+ index index.html;
+ }
+}
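Review bot: The port-80 server redirects `*.sandbox.taler.net` to `https://$host`, but the 443 server only names `sandbox.taler.net`. Redirected subdomain requests therefore fall through to the default server in default.site and are dropped with 444. Either add `*.sandbox.taler.net` to the HTTPS `server_name` (if the certificate in conf.d/talerssl covers it, which is not visible here) or remove the wildcard from the port-80 block.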
diff --git a/guix/etc/nginx/sites-enabled/test.site b/guix/etc/nginx/sites-enabled/test.site
new file mode 100644
index 0000000..7c4f847
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/test.site
@@ -0,0 +1,379 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name test.taler.net
+ bank.test.taler.net
+ shop.test.taler.net
+ donations.test.taler.net
+ survey.test.taler.net
+ auditor.test.taler.net
+ exchange.test.taler.net
+ backoffice.test.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ # method used in the second request. This breaks all the API
+ # using POST, as some user agents do the second request using
+ # GET. 307 is meant to tell the user agent to not change the
+ # method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name test.taler.net www.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/landing/demo;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/landing/demo;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/landing/demo;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name auditor.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/auditor;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/auditor;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name exchange.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @blue-admin {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+ location @green-admin {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location /admin {
+ error_page 418 = @blue-admin;
+ error_page 419 = @green-admin;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name shop.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name playground.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name backend.test.taler.net;
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+
+ location /public {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/public;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ # match the ApiKey part ignoring case, and the actual key
+ # with case-sensitivity on.
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name survey.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/test/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ server_name donations.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name bank.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+server {
+ server_name backoffice.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
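Review bot: In the landing and auditor servers, `rewrite ^/(..)/$ /$1/index.html break;` runs before the two colour `if` lines. The `break` flag stops all further rewrite-module directives in that location, so for language index URLs the `return 418`/`return 419` is never evaluated and the default deployment is served regardless of the header. Moving the `if` lines above the rewrites would apply the colour, though `@blue` and `@green` would then presumably need the index rewrite themselves. The colour is taken from a client-supplied header with an unanchored match (`~ "blue"`), so any visitor can select a deployment, including `@blue-admin` and `@green-admin`. If that is intended for the test environment a comment should say so, and `= blue` would be stricter. The backend.test.taler.net server also listens on port 80 and uses an unanchored ApiKey regex.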
diff --git a/guix/etc/nginx/sites-enabled/trollslayer.site b/guix/etc/nginx/sites-enabled/trollslayer.site
new file mode 100644
index 0000000..1767fe6
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/trollslayer.site
@@ -0,0 +1,16 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/trollslayer/;
+
+ # Make site accessible from http://localhost/
+ server_name trollslayer.decentralise.rennes.inria.fr;
+
+ location / {
+ proxy_pass http://gnunet.org:20070/shell/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
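Review bot: The `location /` block forwards every request to `http://gnunet.org:20070/shell/` with no `allow`/`deny` or `auth_basic` anywhere in the server block, and both the port 80 listener and the upstream leg are cleartext. What `/shell/` serves is not visible in this hunk, but if it is anything other than public static content it should be restricted at this layer, for example `allow <TRUSTED_CIDR_PLACEHOLDER>; deny all;` inside the location. The site should also move behind a TLS listener, as the other vhosts in this commit are. `root /var/www/trollslayer/;` is never consulted because everything is proxied, so it can be dropped. I would also add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` so the upstream logs show the real client address.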
diff --git a/guix/etc/nginx/sites-enabled/www-ssl.site b/guix/etc/nginx/sites-enabled/www-ssl.site
new file mode 100644
index 0000000..d7776b3
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www-ssl.site
@@ -0,0 +1,59 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/www.taler.net;
+ autoindex off;
+ ssi on;
+ #ssi_last_modified on;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+}
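Review bot: `location /releases`, `location /videos` and `location /files` are prefix matches without a trailing slash, so they also match URIs such as `/releases-old/...` or `/files.bak`. With `root /var/www` these map to sibling paths under `/var/www`, which are not visible from this hunk. Writing them as `location /releases/ {`, `location /videos/ {` and `location /files/ {` limits each block to the directory it names. `autoindex on;` under `/releases` publishes the full directory listing, so please confirm that is intended and that nothing unpublished is staged there. The same three blocks are repeated in the www-stage.site hunk.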
diff --git a/guix/etc/nginx/sites-enabled/www-stage.site b/guix/etc/nginx/sites-enabled/www-stage.site
new file mode 100644
index 0000000..e8a988b
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www-stage.site
@@ -0,0 +1,78 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/stage.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/stage.taler.net;
+ autoindex off;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ # FIXME: this location newest files are from Oct'16
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+
+ location ~* \.(png|jpg|jpeg|gif|ico|svg|js|css)$ {
+ root /home/docbuilder/stage.taler.net;
+ expires 1y;
+ }
+
+
+}
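Review bot: The final `location ~* \.(png|jpg|jpeg|gif|ico|svg|js|css)$` block overrides the `/releases` and `/files` prefix locations, because nginx checks regex locations after the longest prefix match unless that prefix is marked `^~`. A request like `/files/logo.png` or `/releases/x.css` is therefore resolved under `/home/docbuilder/stage.taler.net` instead of `/var/www`, and gets `expires 1y`. Declaring them as `location ^~ /files/ {` and `location ^~ /releases/ {` keeps those trees on their intended root. A one-year expiry on js/css for a staging host also makes it hard to verify a fresh deploy, so a short `expires` would be safer there.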
diff --git a/guix/etc/nginx/sites-enabled/www.git-ssl.site b/guix/etc/nginx/sites-enabled/www.git-ssl.site
new file mode 100644
index 0000000..5ba4831
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www.git-ssl.site
@@ -0,0 +1,11 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+ include conf.d/talerssl;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
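Review bot: `root /var/git;` is dead configuration here, since the server-level `rewrite ^ https://git.taler.net/ permanent;` answers every request. It still leaves the repository directory declared as the document root, so it would be served as plain files if the rewrite were ever removed or made conditional. I would delete the `root` line and replace the rewrite with `return 301 https://git.taler.net/;`, which does the same redirect without the regex engine. The www.git.site hunk that follows has the same `root /var/git;` plus redirect pair and should get the same change.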
diff --git a/guix/etc/nginx/sites-enabled/www.git.site b/guix/etc/nginx/sites-enabled/www.git.site
new file mode 100644
index 0000000..645923f
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www.git.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
diff --git a/guix/etc/nginx/sites-enabled/www.site b/guix/etc/nginx/sites-enabled/www.site
new file mode 100644
index 0000000..ae178e5
--- /dev/null
+++ b/guix/etc/nginx/sites-enabled/www.site
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/www.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
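Review bot: The stock comments in this server block describe something other than the directives they sit on. `## listen for ipv4; this line is default and implied` is attached to the IPv6 listener `listen [::]:80;`, and `# Make site accessible from http://localhost/` precedes `server_name taler.net;`. I would replace them with `listen [::]:80;  ## IPv6 listener` and `# Plain-HTTP names; every request is redirected to HTTPS below`. The `root` line is unused in a redirect-only block and can go. The same copied comments appear in the trollslayer, www-ssl, www-stage and www.git hunks.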