Diffstat (limited to 'historic')
101 files changed, 5665 insertions, 0 deletions
diff --git a/historic/docker/README b/historic/docker/README
new file mode 100644
index 0000000..6998ee3
--- /dev/null
+++ b/historic/docker/README
@@ -0,0 +1,90 @@
+=== Dockerizing the Exchange/Merchant ===
+
+This section shows how to run a "dockerized" exchange/merchant.
+The exchange uses postgresql (container) and is served
+by nginx (container). The merchant instead depends on exchange
+(container) and postgresql (container).
+
+The docker's tools needed are: docker, docker-compose, docker-machine.
+Please refer to Docker's official documentation for their installation
+instructions.
+
+Before starting to build the exchange/merchant's image, make sure a
+docker-machine instance is up and running.
+
+1. Build the images.
+
+<COMPONENT> is either 'exchange' or 'merchant', depending on what is
+to be built.
+
+From <THIS_REPO/docker/<COMPONENT>, give:
+
+# NOTE for 'merchant' build: as default, the merchant is configured
+# to work with the 'demo' exchange running at exchange.demo.taler.net.
+# Nonetheless, edit (before building) the files
+# <THIS_REPO>/docker/merchant/exchange_{pub,url}.txt, in case the merchant
+# needs to work with any other exchange.
+
+$ docker-compose build
+
+2. Launch the service.
+
+The following command launches the <COMPONENT> and all other services
+it depends on. From the same directory as the previous step, issue:
+
+$ docker-compose up
+
+If everything worked as expected, you should see some live logging
+from all the containers.
+(Errors about existing roles/databases can be ignored.)
+
+3. Test
+
+Issue the following command to see if the <COMPONENT> has been
+correctly installed and launched.
+
+# Some 'greeting' message should be returned. Note, the
+# service runs on port 80.
+
+$ curl http://`docker-machine ip`/
+
+
+=== How to use these images ===
+
+This section explains how to (1) build and (2) run individual
+images -- that is often not useful to run services, as they need
+to be "composed" in order to work properly.
+
+(1) is done by:
+
+$ docker build -t taler/base <THIS_REPO>/docker/base/
+$ docker build -t taler/exchange <THIS_REPO>/docker/exchange/
+
+Note that the value passed to option -t is completely arbitrary.
+
+(2) is done by:
+
+$ docker run -it taler/exchange
+
+=== How to destroy them ===
+
+Consider also the --no-cache option to force a rebuild.
+
+ $ docker build --no-cache <THIS_REPO>/docker/base
+
+1. Stop all containers:
+
+ $ docker stop $(docker ps -a -q)
+
+
+2. If necessary, remove all containers:
+
+ $ docker rm $(docker ps -a -q)
+
+3. Remove images:
+
+ $ docker rmi -f $(docker images -q)
+
+
+NOTE: for tripwire users, those commands are all defined
+ as aliases.
diff --git a/historic/docker/TODO b/historic/docker/TODO
new file mode 100644
index 0000000..387f758
--- /dev/null
+++ b/historic/docker/TODO
@@ -0,0 +1,28 @@
+Missing containers:
+
+- "standalone" ones: they actually *run* the
+ service and may also link to configuration on
+ the host machine when they are launched.
+
+- frontends
+
+- bank (more importantly needed to test the TGZ
+ which comes from 'make dist')
+
+- postgres (as a running service)
+
+- Feed configuration to exchange and merchant containers,
+ from outside (?) the container
+
+Missing compositions:
+
+Ideally, the Docker setting should instantiate two
+Taler flavours:
+
+- Self-contained testing: all components ready to be
+ tested by the automated clicker, AKA they are a replacement
+ for what runs at *.{test,demo}.taler.net
+
+- Ready-to-ship: a composition that instantiates a fully
+ operational exchange or merchant, according to the customer
+ needs.
diff --git a/historic/docker/base/Dockerfile b/historic/docker/base/Dockerfile
new file mode 100644
index 0000000..39e2c32
--- /dev/null
+++ b/historic/docker/base/Dockerfile
@@ -0,0 +1,54 @@
+FROM debian:unstable
+
+RUN apt-get update && apt-get install -qqy \
+ git \
+ build-essential \
+ autoconf \
+ autopoint \
+ libtool \
+ libgcrypt20 \
+ libgcrypt20-dev \
+ libidn11-dev \
+ zlib1g-dev \
+ libunistring-dev \
+ libjansson-dev \
+ libpq-dev \
+ libmicrohttpd-dev \
+ libcurl4-gnutls-dev \
+ python3 \
+ python3-pip \
+ postgresql
+
+# Needed to run the config generator
+RUN pip3 install click
+
+ENV HOME /root
+
+RUN git clone https://gnunet.org/git/gnunet/ ~/gnunet \
+ && git clone https://gnunet.org/git/libmicrohttpd/ ~/libmicrohttpd \
+ && git clone git://taler.net/deployment ~/deployment
+
+WORKDIR $HOME/gnunet
+
+RUN ./bootstrap \
+ && ./configure --with-libgnurl=/usr/local/ \
+ && make \
+ && make install
+
+WORKDIR $HOME/libmicrohttpd
+
+RUN ./bootstrap \
+ && ./configure --disable-doc \
+ && make \
+ && make install
+
+# To run the config generator, need:
+WORKDIR $HOME/deployment
+
+ENV LD_LIBRARY_PATH "/usr/local/lib"
+
+RUN export TALER_CONFIG_ENV="test" \
+ && export TALER_CONFIG_CURRENCY="EUR" \
+ && export LC_ALL="C.UTF-8" \
+ && export LANG="C.UTF-8" \
+ && ./bin/taler-deployment-config-generate
diff --git a/historic/docker/base/README b/historic/docker/base/README
new file mode 100644
index 0000000..573f4ef
--- /dev/null
+++ b/historic/docker/base/README
@@ -0,0 +1,7 @@
+This image serves as a basis to build exchange and merchant
+backend. It is responsible for installing the following packages:
+
+- GNUnet
+- Libjansson
+- Postgres
+- ...
diff --git a/historic/docker/debug/client/Dockerfile b/historic/docker/debug/client/Dockerfile
new file mode 100644
index 0000000..5c3f0ee
--- /dev/null
+++ b/historic/docker/debug/client/Dockerfile
@@ -0,0 +1,7 @@
+FROM debian:unstable
+
+RUN apt-get update && apt-get install -qqy postgresql
+
+COPY ./dbstart.sh /
+
+ENTRYPOINT ["./dbstart.sh"]
diff --git a/historic/docker/debug/client/dbstart.sh b/historic/docker/debug/client/dbstart.sh
new file mode 100755
index 0000000..a3d3726
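Review bot: The `RUN git clone` step fetches the deployment repository over `git://`, a transport with no authentication or integrity protection, and none of the three clones pins a revision, so what ends up in the image is whatever the remote serves at build time; the exchange and merchant Dockerfiles repeat this with `git clone git://taler.net/exchange` and `git clone git://taler.net/merchant`. Cloning over HTTPS and checking out a known commit, e.g. `&& git clone <HTTPS_URL> ~/deployment && git -C ~/deployment checkout <PINNED_COMMIT>`, would address both. `FROM debian:unstable` and the unversioned `RUN pip3 install click` compound the non-reproducibility, which is presumably tolerated here for a test image but deserves a comment saying so.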
--- /dev/null
+++ b/historic/docker/debug/client/dbstart.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+su -c "createuser --host=dbcontainer root" postgres
+su -c "createdb --host=dbcontainer talertest" postgres
diff --git a/historic/docker/debug/docker-compose.yml b/historic/docker/debug/docker-compose.yml
new file mode 100644
index 0000000..390f461
--- /dev/null
+++ b/historic/docker/debug/docker-compose.yml
@@ -0,0 +1,9 @@
+version: '2'
+services:
+ client:
+ build: ./client
+ image: taler/debug/db
+ depends_on:
+ - dbcontainer
+ dbcontainer:
+ image: postgres
diff --git a/historic/docker/debug/shell/Dockerfile b/historic/docker/debug/shell/Dockerfile
new file mode 100644
index 0000000..24e8371
--- /dev/null
+++ b/historic/docker/debug/shell/Dockerfile
@@ -0,0 +1,4 @@
+FROM debian:unstable
+
+RUN apt-get update && apt-get install -qqy \
+ postgresql
diff --git a/historic/docker/exchange/Dockerfile b/historic/docker/exchange/Dockerfile
new file mode 100644
index 0000000..d56754c
--- /dev/null
+++ b/historic/docker/exchange/Dockerfile
@@ -0,0 +1,17 @@
+FROM taler/base
+
+RUN git clone git://taler.net/exchange ~/exchange
+
+WORKDIR $HOME/exchange
+
+RUN ./bootstrap \
+ && ./configure CFLAGS='-ggdb -O0' \
+ --with-libgnurl=/usr/local \
+ --with-microhttpd=/usr/local \
+ --with-gnunet=/usr/local \
+ && make \
+ && make install
+
+COPY ./entry_point.sh /
+
+ENTRYPOINT ["/entry_point.sh"]
diff --git a/historic/docker/exchange/README b/historic/docker/exchange/README
new file mode 100644
index 0000000..45ce7cb
--- /dev/null
+++ b/historic/docker/exchange/README
@@ -0,0 +1,12 @@
+Launch the exchange, from the upper directory:
+
+1. Build the container:
+
+ $ docker-compose build exchange
+
+2. Launch it
+
+ $ docker-compose run -p 5555:8081 -p 5556:18080 exchange
+
+ # Replace 5555, 5556 with the port which is to serve the normal
+ # and /admin services.
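Review bot: Both `su -c "createuser …" postgres` and `su -c "createdb …" postgres` run without checking their result and the script has no `set -e`, so a failed `createuser` is silently followed by `createdb` and the container exits 0 either way. The commands also connect to `dbcontainer` as the local `postgres` OS user with no password, which only works if the database container accepts unauthenticated network clients — the debug compose file starts the stock `postgres` image without a `POSTGRES_PASSWORD`, so that appears to be the intent, but it should be written down: `# dbcontainer is expected to trust network clients; debug setup only`. If errors on re-runs are expected (the top-level README says existing-role errors can be ignored), make that explicit per command, e.g. `su -c "createuser --host=dbcontainer root" postgres || true`, rather than relying on the missing `set -e`.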
diff --git a/historic/docker/exchange/docker-compose.yml b/historic/docker/exchange/docker-compose.yml
new file mode 100644
index 0000000..284af86
--- /dev/null
+++ b/historic/docker/exchange/docker-compose.yml
@@ -0,0 +1,19 @@
+version: '2'
+services:
+ exchange:
+ build: .
+ depends_on:
+ - dbcontainer
+ - base
+ image: taler/exchange
+ base:
+ build: ../base
+ image: taler/base
+ dbcontainer:
+ image: postgres
+ nginx:
+ build: ../nginx
+ depends_on:
+ - exchange
+ ports:
+ - "80:80"
diff --git a/historic/docker/exchange/entry_point.sh b/historic/docker/exchange/entry_point.sh
new file mode 100755
index 0000000..de21a39
--- /dev/null
+++ b/historic/docker/exchange/entry_point.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+
+if ! test -a $HOME/shared-data/exchange/offline-keys/master.priv; then
+ echo "Regenerating all keys and db entries"
+ (su -c "createuser --host=dbcontainer root" - postgres | exit 0)
+ (su -c "createdb --host=dbcontainer talertest" - postgres | exit 0)
+ mkdir -p $HOME/shared-data/exchange/offline-keys/
+ gnunet-ecc -g1 $HOME/shared-data/exchange/offline-keys/master.priv
+ taler-config -s exchangedb-postgres -o db_conn_str \
+ -V "dbname=talertest host=dbcontainer"
+ taler-config -s exchange -o serve -V tcp
+ taler-config -s exchange -o port -V 8081
+ taler-config -s exchange-admin -o serve -V tcp
+ taler-config -s exchange-admin -o port -V 18080
+ taler-config -s exchange -o master_public_key \
+ -V $(gnunet-ecc -p $HOME/shared-data/exchange/offline-keys/master.priv)
+ $HOME/deployment/bin/taler-deployment-config-sign
+ $HOME/deployment/bin/taler-deployment-keyup
+ taler-exchange-dbinit -r
+fi
+
+taler-exchange-httpd
diff --git a/historic/docker/merchant/Dockerfile b/historic/docker/merchant/Dockerfile
new file mode 100644
index 0000000..b8d682b
--- /dev/null
+++ b/historic/docker/merchant/Dockerfile
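Review bot: The `test -a …/master.priv` check is the only "already initialised" sentinel, but `gnunet-ecc -g1` writes that file before `taler-deployment-keyup` and `taler-exchange-dbinit -r` run and the script has no `set -e`, so if any later step fails the container still falls through to `taler-exchange-httpd` on a half-initialised state and never retries on the next start. Generating the key under a temporary name and moving it to `master.priv` only after `taler-exchange-dbinit -r` succeeds, or putting `set -e` above the `if`, would make such a failure visible. The `(su -c "…" - postgres | exit 0)` form masks the exit status through a pipe into `exit 0`; `su -c "…" - postgres || true` says the same thing plainly, and the merchant entry point uses the same construct. Note also that the exchange master key is generated inside the running container under `shared-data/exchange/offline-keys`, which is presumably fine for this test deployment but must not be carried over to a setup where the master key is meant to stay offline.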
@@ -0,0 +1,19 @@
+FROM taler/exchange
+
+RUN git clone git://taler.net/merchant ~/merchant
+
+WORKDIR $HOME/merchant
+
+RUN ./bootstrap \
+ && ./configure CFLAGS='-ggdb -O0' \
+ --with-gnunet=/usr/local \
+ --with-exchange=/usr/local \
+ --with-microhttpd=/usr/local \
+ && make \
+ && make install
+
+COPY ./entry_point.sh /
+COPY ./exchange_pub.txt /
+COPY ./exchange_url.txt /
+
+ENTRYPOINT ["/entry_point.sh"]
diff --git a/historic/docker/merchant/docker-compose.yml b/historic/docker/merchant/docker-compose.yml
new file mode 100644
index 0000000..ccbfb70
--- /dev/null
+++ b/historic/docker/merchant/docker-compose.yml
@@ -0,0 +1,21 @@
+version: '2'
+services:
+ merchant:
+ build: .
+ depends_on:
+ - dbcontainer
+ - exchange
+ ports:
+ - "80:9966"
+ base:
+ build: ../base
+ image: taler/base
+ dbcontainer:
+ image: postgres
+ exchange:
+ build: ../exchange
+ depends_on:
+ - dbcontainer
+ - base
+ image: taler/exchange
+ entrypoint: "true"
diff --git a/historic/docker/merchant/entry_point.sh b/historic/docker/merchant/entry_point.sh
new file mode 100755
index 0000000..515c318
--- /dev/null
+++ b/historic/docker/merchant/entry_point.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+(su -c "createuser --host=dbcontainer root" - postgres | exit 0)
+(su -c "createdb --host=dbcontainer talertest" - postgres | exit 0)
+taler-config -s merchantdb-postgres -o config \
+ -V "dbname=talertest host=dbcontainer"
+taler-config -s merchant -o serve -V tcp
+taler-config -s merchant -o port -V 9966
+taler-config -s merchant-exchange-test -o master_key -V $(cat /exchange_pub.txt|tr -d '\n')
+taler-config -s merchant-exchange-test -o url -V $(cat /exchange_url.txt | tr -d '\n')
+taler-merchant-dbinit -r
+taler-merchant-httpd
diff --git a/historic/docker/merchant/exchange_pub.txt b/historic/docker/merchant/exchange_pub.txt
new file mode 100644
index 0000000..69f831b
--- /dev/null
+++ b/historic/docker/merchant/exchange_pub.txt
@@ -0,0 +1 @@
+CQQZ9DY3MZ1ARMN5K1VKDETS04Y2QCKMMCFHZSWJWWVN82BTTH00
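Review bot: The two `-V $(cat /exchange_pub.txt|tr -d '\n')` and `-V $(cat /exchange_url.txt | tr -d '\n')` substitutions are unquoted, so an empty or whitespace-containing file silently shifts `taler-config`'s arguments instead of failing; `-V "$(tr -d '\n' < /exchange_pub.txt)"` (and likewise for the URL) keeps the value as a single argument. As in the exchange entry point there is no `set -e`, so a failing `taler-merchant-dbinit -r` still starts `taler-merchant-httpd`.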
diff --git a/historic/docker/merchant/exchange_url.txt b/historic/docker/merchant/exchange_url.txt
new file mode 100644
index 0000000..a2f087f
--- /dev/null
+++ b/historic/docker/merchant/exchange_url.txt
@@ -0,0 +1 @@
+https://exchange.demo.taler.net/
diff --git a/historic/docker/nginx/Dockerfile b/historic/docker/nginx/Dockerfile
new file mode 100644
index 0000000..5636699
--- /dev/null
+++ b/historic/docker/nginx/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx
+
+COPY ./proxy.conf /etc/nginx/conf.d/default.conf
diff --git a/historic/docker/nginx/nginx.conf b/historic/docker/nginx/nginx.conf
new file mode 100644
index 0000000..d9a2177
--- /dev/null
+++ b/historic/docker/nginx/nginx.conf
@@ -0,0 +1,33 @@
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/historic/docker/nginx/proxy.conf b/historic/docker/nginx/proxy.conf
new file mode 100644
index 0000000..b4bf54a
--- /dev/null
+++ b/historic/docker/nginx/proxy.conf
@@ -0,0 +1,14 @@
+server {
+ listen *:80;
+ root /dev/null;
+
+ location / {
+ autoindex off;
+ proxy_pass http://exchange:8081;
+ }
+
+ location /admin {
+ autoindex off;
+ proxy_pass http://exchange:18080;
+ }
+}
diff --git a/historic/docker/postgres/Dockerfile b/historic/docker/postgres/Dockerfile
new file mode 100644
index 0000000..d3f2fcb
--- /dev/null
+++ b/historic/docker/postgres/Dockerfile
@@ -0,0 +1 @@
+FROM postgres
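Review bot: This `nginx.conf` is never installed — the nginx Dockerfile in this commit copies only `proxy.conf` into `conf.d/default.conf` — so the stock image's own main configuration is what actually runs, and the `include /etc/nginx/sites-enabled/*;` line here refers to a directory the stock `nginx` image does not appear to provide. Either drop the file or add `COPY ./nginx.conf /etc/nginx/nginx.conf` to the Dockerfile so the two agree.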
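Review bot: The `location /admin` block forwards the exchange's admin listener (`proxy_pass http://exchange:18080`) on the same public `listen *:80` as the normal API with no `allow`/`deny` or authentication, and the exchange compose file publishes that listener as `80:80`, so anyone who can reach the host can call the admin endpoints. If the admin interface must be reachable through the proxy at all, restrict it, e.g. `allow 127.0.0.1;` and `deny all;` inside the block; otherwise drop the block and keep 18080 on the internal network only. Plain HTTP on port 80 with no TLS is presumably acceptable for the docker-machine test setup the README describes, but a comment saying so would stop the file being reused as-is.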
diff --git a/historic/docker/postgres/README b/historic/docker/postgres/README
new file mode 100644
index 0000000..4584f0e
--- /dev/null
+++ b/historic/docker/postgres/README
@@ -0,0 +1,3 @@
+This container is to run Postgres service.
+
+It has to create the "root" user and the "talertest" database.
diff --git a/historic/docker/taler-full/Dockerfile b/historic/docker/taler-full/Dockerfile
new file mode 100644
index 0000000..ac01271
--- /dev/null
+++ b/historic/docker/taler-full/Dockerfile
@@ -0,0 +1,59 @@
+FROM debian:jessie
+
+ENV PREFIX=/usr
+
+RUN apt-get update && apt-get install -y \
+ git subversion \
+ make \
+ autoconf autopoint libtool texinfo \
+ libgcrypt-dev libidn11-dev zlib1g-dev libunistring-dev \
+ libjansson-dev \
+ libsqlite3-dev \
+ libpq-dev postgresql \
+ python3-pip \
+ \
+ && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install -U pip
+
+RUN git clone git://taler.net/deployment \
+ && \
+ deployment/bootstrap-hybrid
+
+RUN $HOME/deployment/taler-build/invalidate.sh \
+ && \
+ cd $HOME/deployment/taler-build && make;
+
+# cannot get $HOME to work
+ENV PATH=/root/local/bin:$PATH
+
+RUN taler-config-generate -e -m -C PUDOS -m -e -w test \
+ --bank-url https://bank.test.taler.net \
+ --exchange-bank-account 2 \
+ --merchant-bank-account 3 \
+ --trusted
+
+RUN service postgresql start \
+ && \
+ su -c 'psql -c "CREATE ROLE root WITH SUPERUSER LOGIN"' postgres \
+ && \
+ su -c 'psql -c "CREATE DATABASE taler WITH OWNER root"' postgres \
+ && \
+ su -c 'psql -c "CREATE DATABASE talermerchant WITH OWNER root"' postgres
+
+RUN printf '#!/bin/bash \n \
+ taler-exchange-keyup \
+ && taler-exchange-keycheck \
+ && service postgresql start \
+ && taler-exchange-dbinit \
+ && taler-exchange-httpd' > $HOME/local/bin/launch_exchange \
+ && \
+ chmod +x $HOME/local/bin/launch_exchange.sh
+
+RUN printf '#!/bin/bash \n \
+ service postgresql start \
+ && \
+ taler-merchant-httpd' > $HOME/local/bin/launch_merchant \
+ && \
+ chmod +x $HOME/local/bin/launch_merchant.sh
diff --git a/historic/docker/taler-full/README b/historic/docker/taler-full/README
new file mode 100644
index 0000000..d5316aa
--- /dev/null
+++ b/historic/docker/taler-full/README
@@ -0,0 +1,2 @@
+OBSOLETE. Kept around for the sole purpose of grasping
+commands from it.
diff --git a/historic/guix/build.sh b/historic/guix/build.sh
new file mode 100755
index 0000000..d3ed1d2
--- /dev/null
+++ b/historic/guix/build.sh
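Review bot: The two `printf … > $HOME/local/bin/launch_exchange` and `… > $HOME/local/bin/launch_merchant` steps write one file name and then `chmod +x` another (`launch_exchange.sh`, `launch_merchant.sh`), so the chmod fails and, being in the same `RUN`, stops the build; the redirect and chmod targets should match. The README added next to this file marks the image OBSOLETE, so this may be a deliberate leftover, but then a `# BROKEN: chmod targets do not match the files written above` comment at the top would save the next reader a build attempt. Separately, `CREATE ROLE root WITH SUPERUSER LOGIN` hands the service account full database superuser rights; a plain `LOGIN` role owning the two databases would likely suffice for the `dbinit`/`httpd` commands used here — worth confirming before these commands are reused elsewhere.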
@@ -0,0 +1,2 @@
+#!/bin/sh
+guix system vm --no-build-hook --no-grafts config.scm
diff --git a/historic/guix/config.scm b/historic/guix/config.scm
new file mode 100644
index 0000000..2b4771d
--- /dev/null
+++ b/historic/guix/config.scm
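Review bot: `guix system vm --no-grafts` builds the VM without grafts, the mechanism Guix uses to apply security fixes on top of substituted packages, so the resulting image can carry known-vulnerable library versions even when fixes are available; `--no-build-hook` additionally disables build offloading. If the flags are there to speed up test builds, say so in the script: `# --no-grafts skips security grafts: test builds only, never for a deployed VM`.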
@@ -0,0 +1,302 @@
+;;; This file is part of GNU Taler.
+;;; Copyright © 2018 GNUnet e.V.
+;;;
+;;; GNU Taler is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU Affero General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Taler is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU Affero General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU Affero General Public License
+;;; along with GNU Taler. If not, see <http://www.gnu.org/licenses/>.
+
+;; Load modules relative to the script name.
+(eval-when (load compile eval)
+ (set! %load-path
+ (cons ((@ (guix utils) current-source-directory)) %load-path)))
+
+(use-modules
+ (srfi srfi-1)
+ (ice-9 match)
+ (gnu)
+ (guix)
+ (guix utils)
+ (guix gexp)
+ (guix records)
+ (guix modules)
+ ((gnu packages admin) #:select (shadow shepherd))
+ (taler-helpers)
+ ((fixed-fcgiwrap) #:prefix fixed:))
+
+(use-system-modules nss)
+(use-service-modules networking
+ ssh
+ version-control
+ cgit
+ databases
+ admin
+ web
+ shepherd)
+(use-package-modules base
+ bash
+ shells
+ web
+ tls)
+
+;;; Commentary:
+;;;
+;;; The GNU/Linux system that runs on gv.taler.net is defined here.
+
+
+
+
+
+;;; --- cron jobs start
+(define %certbot-job
+ ;; LE cert renewal 7d / 2
+ #~(job (lambda (now)
+ (next-day-from (next-hour-from now '(3))
+ '(2 5)))
+ (string-append #$certbot "/bin/certbot renew")))
+;;; --- cron jobs end
+
+(define %my-deploy-hook
+ (programm-file "my-deploy-hook"
+ #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
+ (cert-dir (getenv "RENEWED_LINEAGE"))
+ (privkey (string-append cert-dir "/privkey.pem")))
+ (chmod privkey #o600)
+ (kill pid SIGHUP))))
+
+;;; --- nginx start
+;; TODO: Translate nginx code to guix nginx-service without a file
+;; if possible wiht our config.
+;; DOCUMENTATION: There are 2 ways to run nginx on GuixSD, we use
+;; the way which allows us to work directly on nginx files instead
+;; of generating them through Guix, for now. Every update of the
+;; nginx config requires a reconfigure!
+(define %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
+(define %nginx-config
+ (computed-file "nginx-config"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$(local-file "etc/nginx/nginx.conf")
+ "nginx.conf")
+ (mkdir "conf.d")
+ (copy-file #$(local-file "etc/nginx/conf.d/favicon_robots")
+ "conf.d/favicon_robots")
+ (copy-file #$(local-file "etc/nginx/conf.d/talerssl")
+ "conf.d/talerssl")
+ (mkdir "sites-enabled")
+ ;; (copy-file #$(local-file "etc/nginx/sites-enabled/git.site")
+ ;; "sites-enabled/git.site")
+ (copy-file #$(local-file "etc/nginx/sites-enabled/git-ssl.site")
+ "sites-enabled/git-ssl.site")
+ (copy-file #$(local-file "etc/nginx/sites-enabled/default.site")
+ "sites-enabled/default.site")))))
+
+;; this includes defaults, so 'fastcgi' related files:
+(define %nginx-mime-types
+ (simple-service 'nginx-mime.types
+ etc-service-type
+ `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+
+(define %nginx-cache-activation
+ (simple-service 'nginx-/var/cache/nginx
+ activation-service-type
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/cache/nginx")))))
+;;; --- nginx end
+
+(operating-system
+ (host-name "gv")
+ (timezone "Europe/Paris")
+ (locale "en_US.utf8")
+ (initrd-modules (cons* "megaraid_sas" %base-initrd-modules))
+ (kernel-arguments (list "console=ttyS0" "console=tty0"))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/sda")))
+
+ (users
+ (cons* (user-account
+ (name "grothoff")
+ (comment "Christian Grothoff")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/grothoff"))
+ (user-account
+ (name "dold")
+ (comment "Florian Dold")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/dold"))
+ (user-account
+ (name "ng0")
+ (comment "Nils Gillmann")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/ng0"))
+ (user-account
+ (name "stanisci")
+ (comment "Marcello Stanisci")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "kvm"))
+ (home-directory "/home/stanisci"))
+ (user-account
+ (name "git")
+ (comment "gitolite")
+ (group "git")
+ (home-directory "/home/git"))
+ %base-user-accounts))
+
+ (groups (cons (user-group (name "git"))
+ %base-groups))
+
+ (file-systems
+ (cons* (file-system
+ (device (uuid "304189db-f9df-4222-810d-94c993598c3b"))
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+
+ (packages
+ (append (map specification->package
+ '("mg" "cryptsetup"
+ "screen" "tmux" "wget"
+ "vim" "openssh" "openssl"
+ "nvi"
+ "postgresql"
+ "nss-certs"
+ "curl" "gnutls-dane"
+ "gitolite"
+ "acme-client"
+ #| "buildbot" |#
+ "fcgiwrap"
+ "python-future"
+ "python" "python-jinja2"
+ "python-sphinx"))
+ %base-packages))
+
+ ;; TODO: cgit service?
+ ;; TODO: gitolite service?
+
+ (services
+ (cons*
+ (service static-networking-service-type
+ (list
+ (static-networking
+ (interface "enp4s0f1")
+ (ip "147.87.255.221")
+ (netmask "255.255.255.240")
+ (gateway "147.87.255.209")
+ (name-servers '("8.8.8.8")))))
+
+ (service special-files-service-type
+ ;; Using 'canonical-package' as bash and coreutils
+ ;; canonical packages are already a part of
+ ;; '%base-packages'.
+ `(("/bin/sh" ,(file-append (canonical-package bash)
+ "/bin/sh"))
+ ("/usr/bin/env" ,(file-append (canonical-package coreutils)
+ "/bin/env"))
+ ("/bin/ksh" ,(file-append (canonical-package loksh)
+ "/bin/ksh"))))
+ ;; TODO: Add git.taler.net
+ ;; TODO: acme-client cronjob for:
+ ;; taler.net www.taler.net api.taler.net lcov.taler.net
+ ;; git.taler.net gauger.taler.net buildbot.taler.net
+ ;; test.taler.net playground.test.taler.net
+ ;; auditor.test.taler.net auditor.demo.taler.net
+ ;; demo.taler.net shop.test.taler.net
+ ;; shop.demo.taler.net survey.test.taler.net
+ ;; survey.demo.taler.net donations.demo.taler.net
+ ;; backend.test.taler.net backend.demo.taler.net
+ ;; bank.test.taler.net bank.demo.taler.net
+ ;; www.git.taler.net exchange.demo.taler.net
+ ;; exchange.test.taler.net env.taler.net
+ ;; envs.taler.net blog.demo.taler.net
+ ;; blog.test.taler.net donations.test.taler.net
+ ;; docs.taler.net intranet.taler.net stage.taler.net
+ ;;(service certbot-service-type
+ ;; (certbot-configuration
+ ;; (email "cert-admin-taler@n0.is")
+ ;; (certificates
+ ;; (list
+ ;; (certificate-configuration
+ ;; (domains '("gv.taler.net"))
+ ;; (deploy-hook %my-deploy-hook)))))))
+
+ (service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #t)
+ (port-number 22)
+ (password-authentication? #f)
+ (permit-root-login 'without-password)
+ (authorized-keys
+ `(("root" ,(concat-local-files
+ "root.pub"
+ '("keys/ssh/grothoff.pub"
+ "keys/ssh/ng0.pub"
+ "keys/ssh/dold.pub"
+ "keys/ssh/stanisci.pub")))
+ ("stanisci" ,(local-file "keys/ssh/stanisci.pub"))
+ ("dold" ,(local-file "keys/ssh/dold.pub"))
+ ("ng0" ,(local-file "keys/ssh/ng0.pub"))
+ ("grothoff" ,(local-file "keys/ssh/grothoff.pub"))))))
+
+ ;; (service rottlog-service-type (rottlog-configuration))
+ ;; (service mcron-service-type
+ ;; (mcron-configuration
+ ;; (jobs (list %gc-job %thing1))))
+ (service postgresql-service-type)
+ (git-daemon-service
+ #:config (git-daemon-configuration
+ (user-path "git")))
+ (service openntpd-service-type
+ (openntpd-configuration
+ (listen-on '("127.0.0.1" "::1"))
+ (sensor '("udcf0 correction 70000"))
+ (constraint-from '("www.gnu.org"))
+ (constraints-from '("https://www.google.com/"))
+ (allow-large-adjustment? #t)))
+ (service fixed:fcgiwrap-service-type
+ (fixed:fcgiwrap-configuration
+ (socket "unix:/var/run/fcgiwrap/fcgiwrap.socket")
+ (adjusted-socket-permissions #t)
+ (ensure-socket-dir? #t)))
+ ;;(service cgit-service-type
+ ;; (opaque-cgit-configuration
+ ;; (cgitrc "/etc/deployment/guix/etc/cgitrc")))
+ (service nginx-service-type
+ (nginx-configuration
+ (file (file-append %nginx-config
+ "/nginx.conf"))))
+ %nginx-mime-types
+ %nginx-cache-activation
+ (modify-services %base-services
+ (guix-service-type
+ config =>
+ (guix-configuration
+ (inherit config)
+ (substitute-urls
+ (cons* "https://berlin.guixsd.org"
+ %default-substitute-urls)))))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss))
diff --git a/historic/guix/custom-packages/postfix.scm b/historic/guix/custom-packages/postfix.scm
new file mode 100644
index 0000000..9927145
--- /dev/null
+++ b/historic/guix/custom-packages/postfix.scm
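Review bot: `%my-deploy-hook` calls `programm-file` (double m) instead of `program-file`, and although the certbot service that would use it is commented out, the `define` is still evaluated when the configuration is loaded, so this should fail with an unbound-variable error; fix the spelling (`(program-file "my-deploy-hook"`) or comment the definition out along with the service. In the openssh configuration, `(permit-root-login 'without-password)` together with the concatenated `root.pub` gives four personal keys a direct root shell; since those users are already in `wheel`, `(permit-root-login #f)` and elevating from the user account keeps an audit trail of who did what. `(x11-forwarding? #t)` on a headless server is likewise unneeded exposure and can be dropped.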
@@ -0,0 +1,133 @@
+(define-module (custom-packages postfix)
+ #:use-module (gnu packages databases)
+ #:use-module (gnu packages m4)
+ #:use-module (gnu packages pcre)
+ #:use-module (gnu packages tls)
+ #:use-module (gnu packages cyrus-sasl)
+ #:use-module (gnu packages openldap)
+ #:use-module (guix)
+ #:use-module (guix utils)
+ #:use-module (guix build-system gnu)
+ #:use-module ((guix licenses) #:prefix license:))
+
+
+(define-public postfix
+ (package
+ (name "postfix")
+ (version "3.3.2")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-"
+ version ".tar.gz"))
+ (sha256 (base32
+ "0nxkszdgs6fs86j6w1lf3vhxvjh1hw2jmrii5icqx9a9xqgg74rw"))))
+ (native-inputs
+ `(("m4" ,m4)))
+ (inputs
+ `(("bdb" ,bdb)
+ ("openssl" ,openssl)
+ ("sqlite" ,sqlite)
+ ("pcre" ,pcre)
+ ("postgresql" ,postgresql)
+ ("openldap" ,openldap)
+ ("cyrus-sasl" ,cyrus-sasl)
+ ("lmdb" ,lmdb)))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:tests? #f ; Postfix does not come with any tests.
+ #:phases
+ (modify-phases %standard-phases
+ (replace 'configure
+ ;; Postfix does not have a standard "./configure".
+ (lambda* (#:key outputs inputs configure-flags #:allow-other-keys)
+ (define (dir-setting name dir)
+ (string-append name "=" (assoc-ref outputs "out") dir))
+ (invoke
+ "make"
+ "makefiles"
+ (string-append "SHELL=" (which "sh"))
+ (dir-setting "daemon_directory" "/libexec/postfix")
+ (dir-setting "shlib_directory" "/lib/postfix")
+ (dir-setting "command_directory" "/sbin")
+ (dir-setting "manpage_directory" "/share/man")
+ (dir-setting "newaliases_path" "/bin/newaliases")
+ (dir-setting "mailq_path" "/bin/mailq")
+ (dir-setting "sendmail_path" "/sbin/sendmail")
+ (string-append
+ "CCARGS="
+ (string-join
+ (list
+ "-DHAS_DB"
+ "-DHAS_LMDB"
+ "-DHAS_PGSQL"
+ "-DHAS_PCRE"
+ "-DHAS_LDAP"
+ "-DHAS_SQLITE"
+ "-DUSE_TLS"
+ "-DUSE_SASL_AUTH"
+ "-DUSE_CYRUS_SASL"
+ ;; only the default, can be changed at run time
+ "-DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\""
+ "-DNO_NIS"
+ (string-append
+ "-I"
+ (assoc-ref inputs "cyrus-sasl")
+ "/include/sasl"))
+ " "))
+ "shared=yes"
+ (string-append
+ "SHLIB_RPATH=-Wl,-rpath,"
+ (assoc-ref outputs "out")
+ "/lib/postfix")
+ "dynamicmaps=yes"
+ "AUXLIBS=-ldb -lresolv -lssl -lcrypto -lsasl2"
+ "AUXLIBS_LMDB=-llmdb"
+ "AUXLIBS_LDAP=-lldap -llber"
+ "AUXLIBS_PCRE=-lpcre"
+ "AUXLIBS_PGSQL=-lpq"
+ "AUXLIBS_SQLITE=-lsqlite3 -lpthread")))
+ (replace 'install
+ ;; Postfix's "make install" is interactive, we work around this
+ ;; by directly calling postfix-install with the right arguments.
+ (lambda* (#:key outputs inputs configure-flags #:allow-other-keys)
+ (substitute* "postfix-install"
+ (("^SHELL=/bin/sh$") "SHELL=sh")
+ (("^PATH=.*$") ""))
+ (setenv "LD_LIBRARY_PATH"
+ (string-append (getcwd) "/lib"))
+ (invoke
+ "sh"
+ "postfix-install"
+ (string-append "install_root=" (assoc-ref outputs "out"))
+ "daemon_directory=/libexec/postfix"
+ "command_directory=/sbin"
+ "manpage_directory=/share/man"
+ "newaliases_path=/bin/newaliases"
+ "mailq_path=/bin/mailq"
+ "sendmail_path=/sbin/sendmail"
+ "shlib_directory=/lib/postfix"
+ "-non-interactive"
+ "-package")))
+ (add-after 'install 'patch-master-cf
+ ;; Make sure that the default main.cf does not contain wrong/confusing
+ ;; paths.
+ (lambda* (#:key outputs inputs configure-flags #:allow-other-keys)
+ (define comment
+ "# Note for Guix: This parameter should usually not be
+# changed, as the compiled-in default in the postfix
+# binaries already points to the Guix store.")
+ (substitute* (string-append
+ (assoc-ref outputs "out")
+ "/etc/postfix/main.cf")
+ (("^daemon_directory ?=" m) (string-append comment "\n#" m))))))))
+ (synopsis "High-performance mail transport agent")
+ (description
+ "Postfix is Wietse Venema's mail transport agent that started
+ life as an alternative to the widely-used Sendmail program.
+ Postfix attempts to be fast, easy to administer, and secure,
+ while at the same time being sendmail compatible enough to
+ not upset existing users. Thus, the outside has a sendmail-ish
+ flavor, but the inside is completely different.")
+ (license license:ibmpl1.0)
+ (home-page "http://www.postfix.org/")))
diff --git a/historic/guix/etc/aliases b/historic/guix/etc/aliases
new file mode 100644
index 0000000..6b76027
--- /dev/null
+++ b/historic/guix/etc/aliases
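Review bot: The phase added after `'install` is named `patch-master-cf`, but its comment and its `substitute*` target `/etc/postfix/main.cf`; renaming it to `'patch-main-cf` (in the `add-after` form) keeps the phase list honest. The source `uri` points at a third-party mirror over plain `http://`; because the `origin` carries a `sha256`, Guix verifies the tarball regardless of transport, so this is an availability and provenance concern rather than an integrity one — one of the official mirrors reachable from the `home-page` would be the more durable choice. `configure-flags` is bound but unused in all three `lambda*` argument lists and can be dropped.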
@@ -0,0 +1,110 @@
+# See man 5 aliases for format
+postmaster: root
+root: admin
+
+# Executive team
+ceo: leon
+cto: grothoff
+cfo: clevel
+clevel: ceo,cto
+
+# Generic contact address
+contact: mail
+mail: ceo,cto,sva
+
+# All system admins
+admin: grothoff,dold,stanisci
+
+# Contact for translators
+translation-volunteer: admin
+
+# Feedback
+demo-feedback: admin
+wallet: florian,tg
+taler-bb: mstan
+buildfailures: mstan,florian,grothoff
+
+# Special
+protonmail: grothoff
+
+# ???
+msw: tg
+
+# For investors
+invest: grothoff
+
+# Twitter registration (ask grothoff for PW if desired)
+twitter: grothoff
+
+# Web server
+www-data: grothoff,marcello
+
+# Language teams
+it: marcello,fabrizio.biondi@inria.fr
+fr: marcello, cecile.gayet95@gmail.com
+de: grothoff,florian,sva,skuegel@web.de
+es: martin.olivera@gmail.com,chicadelaire@gmail.com,fumiko@futeisha.org,severo@rednegra.net
+cz: skuegel@web.de
+tn: os@vink-io.com
+ru: axel.denielt@gmail.com
+tr: ozcan@oyd.org.tr
+
+# All language teams (to notify about new text)
+translation-updates: it,de,fr,es,cz,tn,ru
+
+##################################################
+
+# Personal aliases
+nana: nana_void@riseup.net
+nk: nana
+karlstetter: nana
+nana.karlstetter: nana
+
+grothoff: grothoff@gnunet.org
+christian: grothoff
+christian.grothoff: grothoff
+cg: grothoff
+
+leon: leon.schumacher@digitalekho.com
+schumacher: leon
+leon.schumacher: leon
+ls: leon
+
+michael: michael.widmer@brinogroup.ch
+widmer: michael
+mw: michael
+michael.widmer: michael
+
+tg: *@tg-x.net
+
+sva: g@besva.de
+laengle: sva
+bernadette: sva
+bernadette.laengle: sva
+
+totakura: totakura@gnunet.org
+sreeharsha.totakura: totakura
+
+dold: dold@in.tum.de
+florian: dold
+florian.dold: dold
+
+carlo: lynX@the.internet.is.psyced.org
+
+ben: benedikt.mueller@sys24.org
+mueller: ben
+ben.mueller: ben
+
+onete: cristina.onete@gmail.com
+cristina: onete
+cristina.onete: onete
+
+burdges: burdges@gnunet.org
+jeff: burdges
+jeff.burdges: burdges
+
+mstan: marcello.stanisci@inria.fr
+marcello: mstan
+stanisci: mstan
+
+
diff --git a/historic/guix/etc/cgitrc b/historic/guix/etc/cgitrc
new file mode 100644
index 0000000..4ddaf0c
--- /dev/null
+++ b/historic/guix/etc/cgitrc
@@ -0,0 +1,73 @@
+#
+# cgit config
+# see cgitrc(5) for details
+#readme=:README
+virtual-root=/
+#cache-size=1000
+
+# Highlight source code with python pygments-based highlighter
+source-filter=/home/git/bin/cgit-syntax-highlighting.sh
+
+# Format org-mode, markdown, restructuredtext, manpages, text files, and html files
+about-filter=/home/git/bin/cgit-about-formatting.sh
+#about-filter=/usr/lib/cgit/filters/about-formatting.sh
+
+enable-filter-overrides=1
+
+css=/cgit/cgit.css
+logo=/cgit/cgit.png
+
+strict-export=git-daemon-export-ok
+scan-path=/home/git/repositories
+
+clone-prefix=https://git.taler.net git://git.taler.net ssh://git@taler.net
+
+snapshots=tar.gz zip
+
+root-title=TALER Git Repositories
+root-desc=Source code of various TALER-related projects
+root-readme=/home/git/repositories/README.html
+footer=/home/git/repositories/FOOTER.html
+
+readme=:README.org
+readme=:readme.org
+readme=:README.md
+readme=:readme.md
+readme=:README.mkd
+readme=:readme.mkd
+readme=:README.rst
+readme=:readme.rst
+readme=:README.html
+readme=:readme.html
+readme=:README.htm
+readme=:readme.htm
+readme=:README.txt
+readme=:readme.txt
+readme=:README
+readme=:readme
+readme=:INSTALL.org
+readme=:install.org
+readme=:INSTALL.md
+readme=:install.md
+readme=:INSTALL.mkd
+readme=:install.mkd
+readme=:INSTALL.rst
+readme=:install.rst
+readme=:INSTALL.html
+readme=:install.html
+readme=:INSTALL.htm
+readme=:install.htm
+readme=:INSTALL.txt
+readme=:install.txt
+readme=:INSTALL
+readme=:install
+
+
+# MIME types for serving raw content
+mimetype.html=text/html
+mimetype.gif=image/gif
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+mimetype.pdf=application/pdf
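Review bot: `tg: *@tg-x.net` uses `*` as if it were a wildcard, but aliases(5) has no wildcard syntax, so the right-hand side is delivered literally to the address `*@tg-x.net`; this only works if that domain runs a catch-all, and it should either be a concrete mailbox or carry a comment explaining it. `fr: marcello, cecile.gayet95@gmail.com` has a space after the comma that no other entry uses; whether the alias parser tolerates it is not something this file shows, so drop the space for consistency.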
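Review bot: `enable-filter-overrides=1` lets a repository-local cgitrc replace `source-filter` and `about-filter` with an arbitrary command that the cgit process then executes; combined with `scan-path=/home/git/repositories`, anyone able to write into a repository directory on disk gets command execution as the cgit/fcgiwrap user. If per-repository overrides are not needed, set `enable-filter-overrides=0`; if they are, add a comment naming which accounts are trusted to create them.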
diff --git a/historic/guix/etc/nginx/apps/drupal/admin_basic_auth.conf b/historic/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
new file mode 100644
index 0000000..cc796ce
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/admin_basic_auth.conf
@@ -0,0 +1,12 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## Protect the /admin URIs with a basic auth.
+location ^~ /admin {
+ auth_basic "Restricted access"; #realm
+ auth_basic_user_file .htpasswd-users;
+
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf b/historic/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
new file mode 100644
index 0000000..bdb3dd9
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/cron_allowed_hosts.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+ default 1;
+ ## Add your set of hosts.
+ 127.0.0.1 0; # allow the localhost
+ 192.168.1.0/24 0; # allow on an internal network
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal.conf b/historic/guix/etc/nginx/apps/drupal/drupal.conf
new file mode 100644
index 0000000..e65024f
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal.conf
@@ -0,0 +1,347 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Drupal. This configuration makes use of
+### drush (http:///drupal.org/project/drush) for site maintenance
+### and like tasks:
+###
+### 1. Run the cronjobs.
+### 2. Run the DB and code updates: drush up or drush upc followed by
+### drush updb to run any DB updates required by the code upgrades
+### that were performed.
+### 3. Disabling of xmlrpc.xml, install.php (needed only for
+### installing the site) and update.php: all updates are now
+### handled through drush.
+
+## The 'default' location.
+location / {
+
+ ## Drupal 404 from can impact performance. If using a module like
+ ## search404 then 404's *have *to be handled by Drupal. Uncomment to
+ ## relay the handling of 404's to Drupal.
+ ## error_page 404 /index.php;
+
+ ## Using a nested location is the 'correct' way to use regexes.
+
+ ## Regular private file serving (i.e. handled by Drupal).
+ location ^~ /system/files/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## Trying to access private files directly returns a 404.
+ location ^~ /sites/default/files/private/ {
+ internal;
+ }
+
+ ## Support for the file_force module
+ ## http://drupal.org/project/file_force.
+ location ^~ /system/files_force/ {
+ ## Include the specific FastCGI configuration. This is for a
+ ## FCGI backend like php-cgi or php-fpm.
+ include apps/drupal/fastcgi_drupal.conf;
+ fastcgi_pass phpcgi;
+
+ ## If proxying to apache comment the two lines above and
+ ## uncomment the two lines below.
+ #proxy_pass http://phpapache/index.php?q=$uri;
+ #proxy_set_header Connection '';
+
+ ## For not signaling a 404 in the error log whenever the
+ ## system/files directory is accessed add the line below.
+ ## Note that the 404 is the intended behavior.
+ log_not_found off;
+ }
+
+ ## If accessing an image generated by Drupal 6 imagecache, serve it
+ ## directly if available, if not relay the request to Drupal to (re)generate
+ ## the image.
+ location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Drupal 7 generated image handling, i.e., imagecache in core. See:
+ ## http://drupal.org/node/371374.
+ location ~* /files/styles/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include apps/drupal/hotlinking_protection.conf;
+
+ access_log off;
+ expires 30d;
+ try_files $uri @drupal;
+ }
+
+ ## Advanced Aggregation module CSS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_css/ {
+ expires max;
+ add_header ETag '';
+ add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
+ add_header Accept-Ranges '';
+
+ location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ {
+ access_log off;
+ try_files $uri @drupal;
+ }
+ }
+
+ ## Advanced Aggregation module JS
+ ## support. http://drupal.org/project/advagg.
+ location ^~ /sites/default/files/advagg_js/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + ## Set the OS file cache. + open_file_cache max=3000 inactive=120s; + open_file_cache_valid 45s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; +# aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; +# aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. 
+ ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { +# flv; + } + } + + ## Pseudo streaming of H264/AAC files. This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { +# mp4; +# mp4_buffer_size 1M; +# mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { +# mp4; +# mp4_buffer_size 1M; +# mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the /index.php?q=$uri&$args if not found. 
+ try_files $uri @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. +# include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## Proxy microcache. + #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. +# track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. +# include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the two lines below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## Proxy microcache. + #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. 
+ #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. +location = /favicon.ico { + expires 30d; + try_files /favicon.ico @empty; +} + +## Return an in memory 1x1 transparent GIF. +location @empty { + expires 30d; + empty_gif; +} + +## Any other attempt to access PHP files returns a 404. +location ~* ^.+\.php$ { + return 404; +} + diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_boost.conf b/historic/guix/etc/nginx/apps/drupal/drupal_boost.conf new file mode 100644 index 0000000..1cb10e1 --- /dev/null +++ b/historic/guix/etc/nginx/apps/drupal/drupal_boost.conf 
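Review bot: the five `location ^~ /.bzr` … `location ^~ /.cvs` blocks near the end of the hunk only cover a VCS directory at the site root; a `.git`, `.svn` or similar directory deeper in the tree (a module or theme checked out under `sites/all/`, for instance) falls through `location /` to `try_files $uri @drupal`, and because the `<FilesMatch>` regex does not list VCS metadata, those files would be served as plain static content. One top-level regex covers every depth and also keeps the `.gitignore`-style matches the prefix form gave at the root: `location ~* /\.(?:bzr|git|hg|svn|cvs) { return 404; }` in place of the five blocks. The same pattern recurs in the drupal_boost.conf and drupal_boost_escaped.conf hunks below.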
@@ -0,0 +1,377 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Nginx configuration for using Boost with Drupal. This +### configuration makes use of drush (http:///drupal.org/project/drush) +### for site maintenance and like tasks: +### +### 1. Run the cronjobs. +### 2. Run the DB and code updates: drush up or drush upc followed by +### drush updb to run any DB updates required by the code upgrades +### that were performed. +### 3. Disabling of xmlrpc.xml, install.php (needed only for +### installing the site) and update.php: all updates are now +### handled through drush. + +## The 'default' location. +location / { + + ## Drupal 404 from can impact performance. If using a module like + ## search404 then 404's *have *to be handled by Drupal. Uncomment to + ## relay the handling of 404's to Drupal. + ## error_page 404 /index.php; + + ## Using a nested location is the 'correct' way to use regexes. + + ## Regular private file serving (i.e. handled by Drupal). + location ^~ /system/files/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## Trying to access private files directly returns a 404. + location ^~ /sites/default/files/private/ { + internal; + } + + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. 
+ include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. + location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $uri @drupal; + } + + ## Advanced Aggregation module CSS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_css/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { + access_log off; + try_files $uri @drupal; + } + } + + ## Advanced Aggregation module JS + ## support. http://drupal.org/project/advagg. 
+ location ^~ /sites/default/files/advagg_js/ { + add_header Pragma ''; + add_header Cache-Control 'public, max-age=946080000'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { + flv; + } + } + + ## Pseudo streaming of H264/AAC files. 
This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$uri; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the @cache if not found. + try_files $uri @cache; +} + +## We define a named location for the cache. +location @cache { + ## Boost compresses can the pages so we check it. Comment it out + ## if you don't have it enabled in Boost. + gzip_static on; + + ## Error page handler for the case where $no_cache is 1. POST + ## request or authenticated. + error_page 418 = @drupal; + + ## If $no_cache is 1 then it means that either we have a session + ## cookie or that the request method is POST. 
So serve the dynamic + ## page. + if ($no_cache) { + return 418; # I'm a teapot/I can't get no cachifaction + } + + ## No caching for POST requests. + if ($request_method = POST) { + return 418; + } + + # Now for some header tweaking. We use a date that differs + # from stock Drupal. Everyone seems to be using their + # birthdate. Why go against the grain? + add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; + # We bypass all delays in the post-check and pre-check + # parameters of Cache-Control. Both set to 0. + add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; + # Funny...perhaps. Egocentric? Damn right!; + add_header X-Header "Boost Helás Avril 1.0"; + ## Boost doesn't set a charset. + charset utf-8; + + # We try each boost URI in succession, if every one of them + # fails then relay to Drupal. + try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache/index.php?q=$uri&$args; + #proxy_set_header Connection ''; + ## Proxy microcache for authenticated users also. 
+ #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. + track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$uri; + #proxy_set_header Connection ''; + + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. +location = /favicon.ico { + expires 30d; + try_files /favicon.ico @empty; +} + +## Return an in memory 1x1 transparent GIF. 
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf b/historic/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
new file mode 100644
index 0000000..36f5d98
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_boost_escaped.conf
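Review bot: `location = /boost_stats.php { fastcgi_pass phpcgi; … }` hands the request to the PHP backend without the `include apps/drupal/fastcgi_drupal.conf;` (or any other fastcgi_param set) that every other PHP-handling location in this hunk carries, so unless fastcgi_param directives are inherited from the enclosing server block, SCRIPT_FILENAME is never set and the backend cannot locate the script. Add the include, and since this is an operator-only statistics page, consider the same `auth_basic`/`auth_basic_user_file` pair used for `/admin` inside the block. The same bare `fastcgi_pass phpcgi;` appears in the drupal_boost_escaped.conf hunk and in all four locations of drupal_cron_update.conf.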
@@ -0,0 +1,382 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Nginx configuration for using Boost with Drupal. This +### configuration makes use of drush (http:///drupal.org/project/drush) +### for site maintenance and like tasks: +### +### 1. Run the cronjobs. +### 2. Run the DB and code updates: drush up or drush upc followed by +### drush updb to run any DB updates required by the code upgrades +### that were performed. +### 3. Disabling of xmlrpc.xml, install.php (needed only for +### installing the site) and update.php: all updates are now +### handled through drush. + +## To avoid the ugly rewrite we use Lua to escape the URI. +set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; + +## The 'default' location. +location / { + + ## Drupal 404 from can impact performance. If using a module like + ## search404 then 404's *have *to be handled by Drupal. Uncomment to + ## relay the handling of 404's to Drupal. + ## error_page 404 /index.php; + + ## Using a nested location is the 'correct' way to use regexes. + + ## Regular private file serving (i.e. handled by Drupal). + location ^~ /system/files/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## Trying to access private files directly returns a 404. + location ^~ /sites/default/files/private/ { + internal; + } + + ## Support for the file_force module + ## http://drupal.org/project/file_force. 
+ location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. + location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Advanced Aggregation module CSS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_css/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## Advanced Aggregation module JS + ## support. http://drupal.org/project/advagg. 
+ location ^~ /sites/default/files/advagg_js/ { + add_header Pragma ''; + add_header Cache-Control 'public, max-age=946080000'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. + ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { + flv; + } + } + + ## Pseudo streaming of H264/AAC files. 
This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the @cache if not found. + try_files $escaped_uri @cache; +} + +## We define a named location for the cache. +location @cache { + ## Boost compresses can the pages so we check it. Comment it out + ## if you don't have it enabled in Boost. + gzip_static on; + + ## Error page handler for the case where $no_cache is 1. POST + ## request or authenticated. 
+ error_page 418 = @drupal; + + ## If $no_cache is 1 then it means that either we have a session + ## cookie or that the request method is POST. So serve the dynamic + ## page. + if ($no_cache) { + return 418; # I'm a teapot/I can't get no cachifaction + } + + ## No caching for POST requests. + if ($request_method = POST) { + return 418; + } + + # Now for some header tweaking. We use a date that differs + # from stock Drupal. Everyone seems to be using their + # birthdate. Why go against the grain? + add_header Expires "Tue, 13 Jun 1977 03:45:00 GMT"; + # We bypass all delays in the post-check and pre-check + # parameters of Cache-Control. Both set to 0. + add_header Cache-Control "must-revalidate, post-check=0, pre-check=0"; + # Funny...perhaps. Egocentric? Damn right!; + add_header X-Header "Boost Helás Avril 1.0"; + ## Boost doesn't set a charset. + charset utf-8; + + # We try each boost URI in succession, if every one of them + # fails then relay to Drupal. + try_files /cache/normal/$host${uri}_${args}.html /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$escaped_uri.html /cache/$host/0${uri}/index.html @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. 
+ #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; + #proxy_set_header Connection ''; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. + track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FCGI microcache for authenticated users also. + include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $escaped_uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $escaped_uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. 
+location = /favicon.ico {
+ expires 30d;
+ try_files /favicon.ico @empty;
+}
+
+## Return an in memory 1x1 transparent GIF.
+location @empty {
+ expires 30d;
+ empty_gif;
+}
+
+## Any other attempt to access PHP files returns a 404.
+location ~* ^.+\.php$ {
+ return 404;
+}
+
+## Boost stats.
+location = /boost_stats.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+ #proxy_set_header Connection '';
+}
+
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_cron_update.conf b/historic/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
new file mode 100644
index 0000000..55500e9
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_cron_update.conf
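Review bot: the hunk mixes `$escaped_uri` and `$uri` without a stated rule: `@cache` probes `/cache/$host/0$escaped_uri.html` but `/cache/$host/0${uri}/index.html`, and `/robots.txt` uses `try_files $uri` while `/rss.xml` and `/sitemap.xml` use `$escaped_uri`. Depending on the lua-nginx-module version, `ngx.escape_uri` may percent-encode `/` as well, in which case every `try_files $escaped_uri …` would test a path that cannot exist on disk and silently fall through to `@cache`/`@drupal`; even if it does not, any URI containing characters that get rewritten is looked up under two different cache names. A comment at the `set_by_lua $escaped_uri` line stating which Boost cache layout the escaped form targets, plus one consistent choice per try_files, would make the intent checkable.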
@@ -0,0 +1,40 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for Drupal if you're not using drush to update your site or run cron.
+
+## XMLRPC. Comment out if not enabled.
+location = /xmlrpc.php {
+ fastcgi_pass phpcgi;
+ # To use Apache for serving PHP uncomment the line bellow and
+ # comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Restrict cron access to a specific host.
+location = /cron.php {
+ ## If not allowed to run cron then issue a 404 and redirect to the
+ ## site root.
+ if ($not_allowed_cron) {
+ return 404 /;
+ }
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+## Run the update from the web interface with Drupal 7.
+location = /authorize.php {
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
+
+location = /update.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+ ## To use Apache for serving PHP uncomment the line bellow and
+ ## comment out the above.
+ #proxy_pass http://phpapache;
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_escaped.conf b/historic/guix/etc/nginx/apps/drupal/drupal_escaped.conf
new file mode 100644
index 0000000..db08cc0
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_escaped.conf
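Review bot: `return 404 /;` in the `/cron.php` location does not redirect — for a non-3xx code nginx's `return code text` form sends `/` as the response body with status 404, so the comment `## issue a 404 and redirect to the site root` describes behaviour this line does not have; `return 404;` or `return 302 /;` would each express one of the two intents. `$not_allowed_cron` is not defined by any `map` in this commit's nginx files, so a definition elsewhere is presumably relied on (nginx rejects the configuration on an unknown variable). `auth_basic_user_file .htpasswd-users;` on `/update.php` is a relative path resolved against the nginx prefix directory; an absolute path outside the document root would be clearer and is the same directive repeated in drupal_install.conf.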
@@ -0,0 +1,347 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Nginx configuration for Drupal. This configuration makes use of +### drush (http:///drupal.org/project/drush) for site maintenance +### and like tasks: +### +### 1. Run the cronjobs. +### 2. Run the DB and code updates: drush up or drush upc followed by +### drush updb to run any DB updates required by the code upgrades +### that were performed. +### 3. Disabling of xmlrpc.xml, install.php (needed only for +### installing the site) and update.php: all updates are now +### handled through drush. + +## To avoid the ugly rewrite we use Lua to escape the URI. +set_by_lua $escaped_uri 'return ngx.escape_uri(ngx.var.uri)'; + +## The 'default' location. +location / { + + ## Drupal 404 from can impact performance. If using a module like + ## search404 then 404's *have *to be handled by Drupal. Uncomment to + ## relay the handling of 404's to Drupal. + ## error_page 404 /index.php; + + ## Using a nested location is the 'correct' way to use regexes. + + ## Regular private file serving (i.e. handled by Drupal). + location ^~ /system/files/ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## Trying to access private files directly returns a 404. + location ^~ /sites/default/files/private/ { + internal; + } + + ## Support for the file_force module + ## http://drupal.org/project/file_force. + location ^~ /system/files_force/ { + ## Include the specific FastCGI configuration. 
This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$no_slash_uri; + #proxy_set_header Connection ''; + + ## For not signaling a 404 in the error log whenever the + ## system/files directory is accessed add the line below. + ## Note that the 404 is the intended behavior. + log_not_found off; + } + + ## If accessing an image generated by Drupal 6 imagecache, serve it + ## directly if available, if not relay the request to Drupal to (re)generate + ## the image. + location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Drupal 7 generated image handling, i.e., imagecache in core. See: + ## http://drupal.org/node/371374. + location ~* /files/styles/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include apps/drupal/hotlinking_protection.conf; + + access_log off; + expires 30d; + try_files $escaped_uri @drupal; + } + + ## Advanced Aggregation module CSS + ## support. http://drupal.org/project/advagg. + location ^~ /sites/default/files/advagg_css/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_css/css[_[:alnum:]]+\.css$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## Advanced Aggregation module JS + ## support. http://drupal.org/project/advagg. 
+ location ^~ /sites/default/files/advagg_js/ { + expires max; + add_header ETag ''; + add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT'; + add_header Accept-Ranges ''; + + location ~* /sites/default/files/advagg_js/js[_[:alnum:]]+\.js$ { + access_log off; + try_files $escaped_uri @drupal; + } + } + + ## All static files will be served directly. + location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|svg)$ { + access_log off; + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + ## Set the OS file cache. + open_file_cache max=3000 inactive=120s; + open_file_cache_valid 45s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + } + + ## PDFs and powerpoint files handling. + location ~* ^.+\.(?:pdf|pptx?)$ { + expires 30d; + ## No need to bleed constant updates. Send the all shebang in one + ## fell swoop. + tcp_nodelay off; + } + + ## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it. + location ^~ /sites/default/files/audio/mp3 { + location ~* ^/sites/default/files/audio/mp3/.*\.mp3$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + location ^~ /sites/default/files/audio/ogg { + location ~* ^/sites/default/files/audio/ogg/.*\.ogg$ { + directio 4k; # for XFS + ## If you're using ext3 or similar uncomment the line below and comment the above. + #directio 512; # for ext3 or similar (block alignments) + tcp_nopush off; + aio on; + output_buffers 1 2M; + } + } + + ## Pseudo streaming of FLV files: + ## http://wiki.nginx.org/HttpFlvStreamModule. 
+ ## If pseudo streaming isn't working, try to comment + ## out in nginx.conf line with: + ## add_header X-Frame-Options SAMEORIGIN; + location ^~ /sites/default/files/video/flv { + location ~* ^/sites/default/files/video/flv/.*\.flv$ { + flv; + } + } + + ## Pseudo streaming of H264/AAC files. This requires an Nginx + ## version greater or equal to 1.0.7 for the stable branch and + ## greater or equal to 1.1.3 for the development branch. + ## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html. + location ^~ /sites/default/files/video/mp4 { # videos + location ~* ^/sites/default/files/video/mp4/.*\.(?:mp4|mov)$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + location ^~ /sites/default/files/audio/m4a { # audios + location ~* ^/sites/default/files/audio/m4a/.*\.m4a$ { + mp4; + mp4_buffer_size 1M; + mp4_max_buffer_size 5M; + } + } + + ## Advanced Help module makes each module provided README available. + location ^~ /help/ { + location ~* ^/help/[^/]*/README\.txt$ { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + } + } + + ## Replicate the Apache <FilesMatch> directive of Drupal standard + ## .htaccess. Disable access to any code files. Return a 404 to curtail + ## information disclosure. Hide also the text files. + location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ { + return 404; + } + + ## First we try the URI and relay to the /index.php?q=$escaped_uri&$args if not found. 
+ try_files $escaped_uri @drupal; +} + +########### Security measures ########## + +## Uncomment the line below if you want to enable basic auth for +## access to all /admin URIs. Note that this provides much better +## protection if use HTTPS. Since it can easily be eavesdropped if you +## use HTTP. +#include apps/drupal/admin_basic_auth.conf; + +## Restrict access to the strictly necessary PHP files. Reducing the +## scope for exploits. Handling of PHP code and the Drupal event loop. +location @drupal { + ## Include the FastCGI config. + include apps/drupal/fastcgi_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. + include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## To use Apache for serving PHP uncomment the line bellow and + ## comment out the above. + #proxy_pass http://phpapache/index.php?q=$escaped_uri&$args; + #proxy_set_header Connection ''; + ## Proxy microcache. + #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; + + ## Filefield Upload progress + ## http://drupal.org/project/filefield_nginx_progress support + ## through the NginxUploadProgress modules. + track_uploads uploads 60s; +} + +location @drupal-no-args { + ## Include the specific FastCGI configuration. This is for a + ## FCGI backend like php-cgi or php-fpm. + include apps/drupal/fastcgi_no_args_drupal.conf; + fastcgi_pass phpcgi; + + ## FastCGI microcache. + include apps/drupal/microcache_fcgi.conf; + ## FCGI microcache for authenticated users also. + #include apps/drupal/microcache_fcgi_auth.conf; + + ## If proxying to apache comment the two lines above and + ## uncomment the line below. + #proxy_pass http://phpapache/index.php?q=$escaped_uri; + #proxy_set_header Connection ''; + + ## Proxy microcache. 
+ #include apps/drupal/microcache_proxy.conf; + ## Proxy microcache for authenticated users also. + #include apps/drupal/microcache_proxy_auth.conf; +} + +## Disallow access to .bzr, .git, .hg, .svn, .cvs directories: return +## 404 as not to disclose information. +location ^~ /.bzr { + return 404; +} + +location ^~ /.git { + return 404; +} + +location ^~ /.hg { + return 404; +} + +location ^~ /.svn { + return 404; +} + +location ^~ /.cvs { + return 404; +} + +## Disallow access to patches directory. +location ^~ /patches { + return 404; +} + +## Disallow access to drush backup directory. +location ^~ /backup { + return 404; +} + +## Disable access logs for robots.txt. +location = /robots.txt { + access_log off; + ## Add support for the robotstxt module + ## http://drupal.org/project/robotstxt. + try_files $uri @drupal-no-args; +} + +## RSS feed support. +location = /rss.xml { + try_files $escaped_uri @drupal-no-args; +} + +## XML Sitemap support. +location = /sitemap.xml { + try_files $escaped_uri @drupal-no-args; +} + +## Support for favicon. Return an 1x1 transparent GIF if it doesn't +## exist. +location = /favicon.ico { + expires 30d; + try_files /favicon.ico @empty; +} + +## Return an in memory 1x1 transparent GIF. +location @empty { + expires 30d; + empty_gif; +} + +## Any other attempt to access PHP files returns a 404. +location ~* ^.+\.php$ { + return 404; +} + diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_install.conf b/historic/guix/etc/nginx/apps/drupal/drupal_install.conf new file mode 100644 index 0000000..1f4f11b --- /dev/null +++ b/historic/guix/etc/nginx/apps/drupal/drupal_install.conf 
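Review bot: The VCS-metadata blocks `location ^~ /.git { return 404; }` (and `.bzr`, `.hg`, `.svn`, `.cvs`) are prefix locations anchored at the site root, so a checkout living under a subdirectory is not covered and the closing `try_files $escaped_uri @drupal;` in `location /` would serve such files statically; the nested `<FilesMatch>` regex does not catch them either, because its `/Entries`, `/Root`, `/Tag` alternatives are also anchored by the leading `^`. A single regex location placed before the `\.php$` one, `location ~ /\.(?:bzr|git|hg|svn|cvs)(?:/|$) { return 404; }`, covers any depth. The same five blocks appear in the drupal.conf hunk above this one. `set_by_lua $escaped_uri ...` also makes the whole file depend on the Lua module being compiled in, which is worth stating in the header comment.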
@@ -0,0 +1,16 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Directives for installing drupal. This is for drupal 6 and 7.
+
+location = /install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
+
+## This is for drupal 8. There's a new location for the install file.
+location = /core/install.php {
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+ fastcgi_pass phpcgi;
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf b/historic/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
new file mode 100644
index 0000000..843fb06
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/drupal_upload_progress.conf
@@ -0,0 +1,23 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Drupal 7 configuration for the Nginx Upload Progress module:
+### https://github.com/masterzen/nginx-upload-progress-module
+### This requires the Filefield Nginx Progress module:
+### http://drupal.org/project/filefield_nginx_progress.
+
+## The Nginx module wants ?X-Progress-ID query parameter so
+## that it report the progress of the upload through a GET
+## request. But the drupal form element makes use of clean
+## URLs in the POST.
+
+location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
+ rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
+}
+
+## Now the above rewrite must be matched by a location that
+## activates it and references the above defined upload
+## tracking zone.
+location ^~ /progress {
+ upload_progress_json_output;
+ report_uploads uploads;
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf b/historic/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
new file mode 100644
index 0000000..be59f85
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/fastcgi_drupal.conf
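Review bot: Both `install.php` locations go straight to `fastcgi_pass phpcgi;` without including any `fastcgi_param` set, so they depend on `SCRIPT_FILENAME` and friends being inherited from the enclosing server block, which is not visible here; a comment such as `## Requires the fastcgi params (SCRIPT_FILENAME etc.) to be set at server level.` would record that dependency. `auth_basic_user_file .htpasswd-users;` is a relative path resolved against nginx's prefix directory; making it absolute and keeping it outside the document root ensures it can never be served as a static file. The header says these directives are for installation only, so it would also help to state that the include should be removed once the site is installed, since basic auth is the only gate in front of the installer here.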
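Review bot: `(?<upload_id>\d*)` in the progress-id location accepts an empty id, so a request ending in `/x-progress-id:` is rewritten to `?X-Progress-ID=` with nothing to track; `(?<upload_id>\d+)` makes the match require an id and leaves real Drupal form URLs unaffected as far as visible here. A comment on the `rewrite` noting that the original query arguments are appended after `X-Progress-ID` (nginx's default when the replacement has no trailing `?`) would spare the next reader a trip to the docs.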
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri&$args;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
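Review bot: `fastcgi_param QUERY_STRING q=$uri&$args;` builds the Drupal query from the decoded `$uri`, so a path containing `&` or `=` would be split by PHP into additional query parameters instead of staying inside `q`; drupal_escaped.conf computes `$escaped_uri` for exactly this reason, yet the include it pulls in still uses `$uri`, and fastcgi_no_args_drupal.conf two hunks below has the same `q=$uri`. `fastcgi_param HTTPS $fastcgi_https if_not_empty;` refers to a variable that is neither built in nor defined by any `map` in this commit, whereas the stock fastcgi.conf added later in this commit uses the built-in `$https`. The header `### fastcgi configuration for serving private files.` is copied verbatim into the no-args variant and describes neither file; `### FastCGI parameters for relaying requests to Drupal's index.php (with query args).` would be accurate.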
diff --git a/historic/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf b/historic/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
new file mode 100644
index 0000000..683e4ce
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/fastcgi_no_args_drupal.conf
@@ -0,0 +1,43 @@
+#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi configuration for serving private files.
+## 1. Parameters.
+fastcgi_param QUERY_STRING q=$uri;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME /index.php;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $fastcgi_https;
+
+## 2. Nginx FCGI specific directives.
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## Allow 4 hrs - pass timeout responsibility to upstream.
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
+## Hide the X-Drupal-Cache header provided by Pressflow.
+fastcgi_hide_header 'X-Drupal-Cache';
+## Hide the Drupal 7 header X-Generator.
+fastcgi_hide_header 'X-Generator';
diff --git a/historic/guix/etc/nginx/apps/drupal/hotlinking_protection.conf b/historic/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
new file mode 100644
index 0000000..f2926e1
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/hotlinking_protection.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Hotlinking protection for images. Include it in any context you
+### want. Adjust the list of allowed referers to your liking.
+
+valid_referers none blocked *.example.com *.google.com my.site.com;
+
+if ($invalid_referer) {
+ return 200 "No image hotlinking allowed!\n";
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/map_cache.conf b/historic/guix/etc/nginx/apps/drupal/map_cache.conf
new file mode 100644
index 0000000..8166fcd
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/map_cache.conf
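Review bot: `valid_referers none blocked *.example.com *.google.com my.site.com;` still carries the template's placeholder hosts, and since nginx only treats listed names (or `server_names`) as valid, including this file as committed would likely reject the site's own pages as referers; the header asks the reader to adjust the list, but a `## TODO: replace placeholder hosts with this site's names (or use server_names)` next to the directive is harder to miss. `return 200 "No image hotlinking allowed!\n";` reports a refusal with a success status, which hides the block from status-code based log review; `return 403 "No image hotlinking allowed!\n";` keeps the body and surfaces it.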
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### Testing if we should be serving content from cache or not. This is
+### needed for any Drupal setup that uses an external cache.
+
+## Let Ajax calls go through.
+map $uri $no_cache_ajax {
+ default 0;
+ /system/ajax 1;
+}
+
+## Testing for the session cookie being present. If there is then no
+## caching is to be done. Note that this is for someone using either
+## Drupal 7 pressflow or stock Drupal 6 core with no_anon
+## (http://drupal.org/project/no_anon).
+map $http_cookie $no_cache_cookie {
+ default 0;
+ ~SESS 1; # PHP session cookie
+}
+
+## Combine both results to get the cache bypassing mapping.
+map $no_cache_ajax$no_cache_cookie $no_cache {
+ default 1;
+ 00 0;
+}
+
+## If you're using stock Drupal 6 without no_anon, i.e., there's a
+## session cookie being served even to anonymous users, then uncomment
+## the three lines below and comment the above map directive
+# map $http_cookie $no_cache {
+# default 0;
+# ~DRUPAL_UID 1; # DRUPAL_UID cookie set by Boost
+# }
+
+## Set a cache_uid variable for authenticated users.
+map $http_cookie $cache_uid {
+ default nil; # hommage to Lisp :)
+ ~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id;
+}
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_fcgi.conf b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
new file mode 100644
index 0000000..e7e8184
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi.conf
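Review bot: `~SESS[[:alnum:]]+=(?<session_id>[[:graph:]]+) $session_id;` captures greedily up to the next whitespace, so when another cookie follows the session cookie `$cache_uid` ends in `;` and the same session gets a different cache key depending on cookie order; `(?<session_id>[^;[:space:]]+)` stops at the separator. Since the `_auth` microcache includes use `$cache_uid` as a cache-key prefix, the raw session identifier becomes part of the cache key, which nginx stores inside each cache file as well as hashing it for the file name — a comment here saying the cache directory must be protected like session storage would make that consequence explicit. The `~SESS` test also matches any cookie whose name contains `SESS`, presumably intended so that Drupal's `SSESS` HTTPS variant is covered; worth stating in the comment above the map.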
@@ -0,0 +1,39 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 1s seconds.
+fastcgi_cache_valid 200 301 1s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+fastcgi_cache_bypass $no_cache;
+fastcgi_no_cache $no_cache;
+
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
new file mode 100644
index 0000000..7b2b7c3
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_fcgi_auth.conf
@@ -0,0 +1,51 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## The cache zone referenced.
+fastcgi_cache microcache;
+## The cache key.
+fastcgi_cache_key $cache_uid@$scheme$request_method$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15s.
+fastcgi_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+fastcgi_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+fastcgi_cache_valid 404 1s;
+## If there are any upstream errors use whatever it is available.
+fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+fastcgi_ignore_headers Cache-Control Expires;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+## Bypass the cache.
+# fastcgi_cache_bypass $no_auth_cache;
+# fastcgi_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_lock
+## Cache locking mechanism for protecting the backend of too many
+## simultaneous requests.
+#fastcgi_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+#fastcgi_cache_lock_timeout 8000; # in miliseconds.
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_proxy.conf b/historic/guix/etc/nginx/apps/drupal/microcache_proxy.conf
new file mode 100644
index 0000000..6708684
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_proxy.conf
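Review bot: `add_header X-Content-Options nosniff;` is not a header browsers recognise — the directive meant is `add_header X-Content-Type-Options nosniff;`, which conf.d/talerssl later in this commit spells correctly; the same typo is in microcache_proxy.conf and microcache_proxy_auth.conf. Because nginx inherits `add_header` from the enclosing level only when the current level sets none, including this file in a location drops every server-level `add_header` (the HSTS and CSP headers in talerssl, if those are set at server level), so repeating them here or moving them into one shared include avoids the gap. `fastcgi_pass_header Cookie;` is a no-op, since `Cookie` is a request header and `fastcgi_pass_header` only affects upstream response headers; the Set-Cookie line is the one that matters for authenticated responses.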
@@ -0,0 +1,53 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+## Bypass the cache.
+proxy_cache_bypass $no_cache;
+proxy_no_cache $no_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
diff --git a/historic/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf b/historic/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
new file mode 100644
index 0000000..e351b1b
--- /dev/null
+++ b/historic/guix/etc/nginx/apps/drupal/microcache_proxy_auth.conf
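Review bot: `proxy_cache_key $host$request_uri;` omits `$scheme` and `$request_method`, unlike `fastcgi_cache_key $scheme$request_method$host$request_uri;` in microcache_fcgi.conf, so the http and https renderings of a page share one cache entry; `proxy_cache_key $scheme$request_method$host$request_uri;` keeps the two includes consistent. `backendof` in the comment at the start of this chunk should read `backend of`.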
@@ -0,0 +1,54 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Implementation of the microcache concept as presented here:
+### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n
+
+## The cache zone referenced.
+proxy_cache microcache;
+## The cache key.
+proxy_cache_key $cache_uid@$host$request_uri;
+
+## For 200 and 301 make the cache valid for 15 seconds.
+proxy_cache_valid 200 301 15s;
+## For 302 make it valid for 1 minute.
+proxy_cache_valid 302 1m;
+## For 404 make it valid 1 second.
+proxy_cache_valid 404 1s;
+## If there are any upstream errors or the item has expired use
+## whatever it is available.
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+## The Cache-Control and Expires headers should be delivered untouched
+## from the upstream to the client.
+proxy_ignore_headers Cache-Control Expires;
+proxy_pass_header Set-Cookie;
+proxy_pass_header Cookie;
+## Bypass the cache.
+proxy_cache_bypass $no_auth_cache;
+proxy_no_cache $no_auth_cache;
+## Add a cache miss/hit status header.
+add_header X-Micro-Cache $upstream_cache_status;
+## To avoid any interaction with the cache control headers we expire
+## everything on this location immediately.
+expires epoch;
+## Enable clickjacking protection in modern browsers. Available in
+## IE8 also. See
+## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
+## Uncomment the line below if you're not using media streaming.
+## For sites *not* using frames uncomment the line below.
+#add_header X-Frame-Options DENY;
+## For sites *using* frames uncomment the line below.
+#add_header X-Frame-Options SAMEORIGIN;
+
+## Block MIME type sniffing on IE.
+add_header X-Content-Options nosniff;
+
+## If you're using a Nginx version greater than 1.1.11 then uncomment
+## the line below. See:
+## http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_lock.
+## Cache locking mechanism for protecting the backendof too many
+## simultaneous requests.
+#proxy_cache_lock on;
+## The default timeout, i.e., the time to way before forwarding the
+## second request upstream if no reply as arrived in the meantime is 5s.
+# proxy_cache_lock_timeout 8000; # in miliseconds.
diff --git a/historic/guix/etc/nginx/conf.d/favicon_robots b/historic/guix/etc/nginx/conf.d/favicon_robots
new file mode 100644
index 0000000..3c6e417
--- /dev/null
+++ b/historic/guix/etc/nginx/conf.d/favicon_robots
@@ -0,0 +1,11 @@
+location = /robots.txt {
+ root /var/www/robots-favicon;
+}
+
+location = /favicon.ico {
+ root /var/www/robots-favicon;
+}
+
+location = /static/web-common/favicon-taler.ico {
+ alias /var/www/robots-favicon/favicon.ico;
+}
diff --git a/historic/guix/etc/nginx/conf.d/talerssl b/historic/guix/etc/nginx/conf.d/talerssl
new file mode 100644
index 0000000..3c33de6
--- /dev/null
+++ b/historic/guix/etc/nginx/conf.d/talerssl
@@ -0,0 +1,14 @@
+ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options "nosniff";
+add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://buildbot.taler.net";
+add_header Referrer-Policy "same-origin";
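Review bot: `proxy_cache_bypass $no_auth_cache;` and `proxy_no_cache $no_auth_cache;` reference a variable that no `map` in this commit defines (map_cache.conf defines only `$no_cache`, `$no_cache_ajax`, `$no_cache_cookie` and `$cache_uid`), and the FastCGI counterpart leaves the equivalent two lines commented out; nginx rejects a configuration that uses an unknown variable, so either add a `map` for it or comment these lines the way microcache_fcgi_auth.conf does. Every `include` of this file visible in the Drupal configs of this commit is itself commented out, so the breakage is latent rather than immediate. `proxy_pass_header Cookie;` is a no-op here for the same reason as in the FastCGI variant: `Cookie` is a request header.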
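Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` keeps TLS 1.0 and 1.1 enabled, both deprecated by RFC 8996; `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the nginx/OpenSSL build supports it) is the usual floor. `script-src 'self' 'unsafe-inline' 'unsafe-eval'` in the Content-Security-Policy lets inline and eval'd scripts run, which removes most of the XSS mitigation the header exists for; if inline scripts are unavoidable, nonces or hashes keep the policy meaningful. `X-XSS-Protection` is ignored or removed by current browsers and can be dropped, and since this file is all `add_header`, any location that sets its own `add_header` (the microcache includes in this commit do) will not inherit these headers unless they are repeated there.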
diff --git a/historic/guix/etc/nginx/fastcgi.conf b/historic/guix/etc/nginx/fastcgi.conf
new file mode 100644
index 0000000..091738c
--- /dev/null
+++ b/historic/guix/etc/nginx/fastcgi.conf
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/historic/guix/etc/nginx/fastcgi_params b/historic/guix/etc/nginx/fastcgi_params
new file mode 100644
index 0000000..28decb9
--- /dev/null
+++ b/historic/guix/etc/nginx/fastcgi_params
@@ -0,0 +1,25 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/historic/guix/etc/nginx/koi-utf b/historic/guix/etc/nginx/koi-utf new file mode 100644 index 0000000..e7974ff --- /dev/null +++ b/historic/guix/etc/nginx/koi-utf 
@@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; # + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE 
D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/historic/guix/etc/nginx/koi-win b/historic/guix/etc/nginx/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/historic/guix/etc/nginx/koi-win 
@@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; # + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} 
diff --git a/historic/guix/etc/nginx/mime.types b/historic/guix/etc/nginx/mime.types new file mode 100644 index 0000000..89be9a4 --- /dev/null +++ b/historic/guix/etc/nginx/mime.types 
@@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/historic/guix/etc/nginx/nginx.conf b/historic/guix/etc/nginx/nginx.conf new file mode 100644 index 0000000..4b5de00 --- /dev/null +++ b/historic/guix/etc/nginx/nginx.conf 
@@ -0,0 +1,82 @@ +user nginx; +worker_processes 4; +pid /var/run/nginx.pid; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + + log_format main '$remote_addr - $remote_user [$time_local] $host ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + + client_body_temp_path /var/run/nginx/body_temp; + proxy_temp_path /var/run/nginx/proxy_temp; + fastcgi_temp_path /var/run/nginx/fastcgi_temp; + uwsgi_temp_path /var/run/nginx/uwsgi_temp; + scgi_temp_path /var/run/nginx/scgi_temp; + access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log notice; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; + + # This isn't entirely correct since it does + # not consider the weighting of languages, but + # for now it's good enough. + map $http_accept_language $index_redirect_uri { + default "en"; + # prefer language that's first in the list + ~^en "en"; + ~^de "de"; + ~^fr "fr"; + ~^es "it"; + # if none matches, take one later in the list + ~,en "en"; + ~,de "de"; + ~,fr "fr"; + ~,es "it"; + } + + ## + # Virtual Host Configs + ## + + include conf.d/*.conf; + include sites-enabled/*.site; +} diff --git a/historic/guix/etc/nginx/proxy_params b/historic/guix/etc/nginx/proxy_params new file mode 100644 index 0000000..df75bc5 --- /dev/null +++ b/historic/guix/etc/nginx/proxy_params 
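Review bot: In the `map $http_accept_language $index_redirect_uri` block both `~^es "it";` and `~,es "it";` route clients that prefer Spanish to the Italian tree while every other entry maps a language to itself, which looks like a copy/paste slip; `"es"` is presumably intended, unless only an Italian translation exists (the landing directories are not in this hunk, so that cannot be checked here). Also, `include conf.d/*.conf;` does not load `conf.d/talerssl` or `conf.d/favicon_robots` (neither has a `.conf` suffix), which is presumably why each site includes them by name; a one-line comment there, e.g. `# talerssl/favicon_robots are included per-site on purpose, not globally`, would spare the next reader the search.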
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/historic/guix/etc/nginx/scgi_params b/historic/guix/etc/nginx/scgi_params
new file mode 100644
index 0000000..6d4ce4f
--- /dev/null
+++ b/historic/guix/etc/nginx/scgi_params
@@ -0,0 +1,17 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/historic/guix/etc/nginx/sites-available/blog-demo.site b/historic/guix/etc/nginx/sites-available/blog-demo.site
new file mode 100644
index 0000000..a48a036
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/blog-demo.site
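Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, so an upstream that reads the first address in that header sees a client-chosen value; a comment such as `# upstreams must use the LAST X-Forwarded-For entry (or X-Real-IP); earlier entries are client-supplied` makes that contract explicit. This file also sets `Host $http_host`, whereas the site files in this commit set `Host $host` inline and none of those in this view include `proxy_params`, so one of the two conventions should win.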
@@ -0,0 +1,43 @@
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name blog.demo.taler.net;
+
+ root /home/demo/merchant/src/frontend_blog;
+ index index.html;
+
+ # Make site accessible from http://localhost/
+
+ location / {
+ try_files $uri $uri/ =404;
+ rewrite /taler/pay /pay.php;
+ rewrite /taler/contract /generate_taler_contract.php;
+
+ }
+
+ location /fullfillment {
+ rewrite /(.*) /$1.php;
+
+ }
+
+ location /articles {
+
+ internal;
+ }
+
+ location ~ \.php$ {
+
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+
+ }
+
+ location /backend {
+ rewrite /backend/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:19966;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-available/default.site b/historic/guix/etc/nginx/sites-available/default.site
new file mode 100644
index 0000000..79e41e8
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-available/default.site
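Review bot: `location ~ \.php$` passes `$document_root$fastcgi_script_name` to php-fpm without first confirming the script exists, so nginx never rejects a request whose path merely ends in `.php`; with PHP's default `cgi.fix_pathinfo=1` it is then PHP-FPM that decides what to execute. Adding `try_files $uri =404;` as the first line of that location keeps the decision in nginx. The php locations in drupal-demo-ssl.site and drupal-demo.site later in this commit have the same shape, though they also `include apps/drupal/drupal.conf`, which is not in this view and may already cover it. Separately, `location /backend` proxies to 127.0.0.1:19966 with no access control in this file, while backend.demo.taler.net in demo.site gates the merchant backend on an Authorization header; if both front the same backend, the two should agree.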
@@ -0,0 +1,86 @@ +## +# You should look at the following URL's in order to grasp a solid understanding +# of Nginx configuration files in order to fully unleash the power of Nginx. +# http://wiki.nginx.org/Pitfalls +# http://wiki.nginx.org/QuickStart +# http://wiki.nginx.org/Configuration +# +# Generally, you will want to move this file somewhere, and start with a clean +# file but keep this around for reference. Or just disable in sites-enabled. +# +# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. +## + +# Default server configuration +# +server { + listen 80 default_server; + listen [::]:80 default_server; + + # SSL configuration + # + # listen 443 ssl default_server; + # listen [::]:443 ssl default_server; + # + # Note: You should disable gzip for SSL traffic. + # See: https://bugs.debian.org/773332 + # + # Read up on ssl_ciphers to ensure a secure configuration. + # See: https://bugs.debian.org/765782 + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + # include snippets/snakeoil.conf; + + root /var/www/html; + + # Add index.php to the list if you are using PHP + index index.html index.htm index.nginx-debian.html; + + server_name _; + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. + try_files $uri $uri/ =404; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # + # # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php5-fpm: + # fastcgi_pass unix:/var/run/php5-fpm.sock; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + + +# Virtual Host configuration for example.com +# +# You can move that to a different file under sites-available/ and symlink that +# to sites-enabled/ to enable it. 
+# +#server { +# listen 80; +# listen [::]:80; +# +# server_name example.com; +# +# root /var/www/example.com; +# index index.html; +# +# location / { +# try_files $uri $uri/ =404; +# } +#} diff --git a/historic/guix/etc/nginx/sites-available/drupal-demo-ssl.site b/historic/guix/etc/nginx/sites-available/drupal-demo-ssl.site new file mode 100644 index 0000000..400020e --- /dev/null +++ b/historic/guix/etc/nginx/sites-available/drupal-demo-ssl.site @@ -0,0 +1,49 @@ +server { + listen 443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + server_name drupal.demo.taler.net; + + root /home/demo/drupal-demo; + + ssl_certificate /etc/letsencrypt/live/taler.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/taler.net/privkey.pem; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + ssl_protocols TLSv1.2 TLSv1.1 TLSv1; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + + add_header Strict-Transport-Security "max-age=63072000; preload"; + + # Make site accessible from http://localhost/ + +# location / { +# try_files $uri $uri/ =404; +# rewrite /taler/pay /pay.php; +# rewrite /taler/contract /generate_taler_contract.php; +# } + +# location /fullfillment { +# rewrite /(.*) /$1.php; +# } + + location ~ \.php$ { + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + +# location /backend { +# rewrite /backend/(.*) /$1 break; +# proxy_pass http://127.0.0.1:19966; +# proxy_redirect off; +# proxy_set_header Host $host; +# } + + client_max_body_size 10M; + client_body_buffer_size 128k; + + include apps/drupal/drupal.conf; +} diff --git a/historic/guix/etc/nginx/sites-available/drupal-demo.site b/historic/guix/etc/nginx/sites-available/drupal-demo.site new file mode 100644 index 0000000..d91c3f7 --- /dev/null 
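Review bot: drupal-demo-ssl.site repeats the seven `ssl_*` directives and an HSTS header inline instead of `include conf.d/talerssl;` as the sites-enabled files do, so this host already drifts from the shared policy (its HSTS is `max-age=63072000; preload` without `includeSubDomains`, and the other headers from talerssl are absent). Replacing that block with the include leaves one place to tighten protocols and ciphers. The `# listen [::]:80 default_server ipv6only=on;` line under `listen 443 ssl;` is a stale copy of the port-80 template and could be dropped.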
+++ b/historic/guix/etc/nginx/sites-available/drupal-demo.site @@ -0,0 +1,40 @@ +server { + listen 80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + server_name drupal.demo.taler.net; + + root /home/demo/drupal-demo; + + # Make site accessible from http://localhost/ + +# location / { +# try_files $uri $uri/ =404; +# rewrite /taler/pay /pay.php; +# rewrite /taler/contract /generate_taler_contract.php; +# } + +# location /fullfillment { +# rewrite /(.*) /$1.php; +# } + + + location ~ \.php$ { + fastcgi_index index.php; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + +# location /backend { +# rewrite /backend/(.*) /$1 break; +# proxy_pass http://127.0.0.1:19966; +# proxy_redirect off; +# proxy_set_header Host $host; +# } + + client_max_body_size 10M; + client_body_buffer_size 128k; + + include apps/drupal/drupal.conf; +} diff --git a/historic/guix/etc/nginx/sites-available/ghm_videos.site b/historic/guix/etc/nginx/sites-available/ghm_videos.site new file mode 100644 index 0000000..c438e7f --- /dev/null +++ b/historic/guix/etc/nginx/sites-available/ghm_videos.site @@ -0,0 +1,25 @@ +server { + listen 80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/taler.net; + + # Make site accessible from http://localhost/ + server_name taler.net; + server_name www.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; + +# location / { +# autoindex off; +# ssi on; +## ssi_last_modified on; +# rewrite /citizens /citizens.html break; +# rewrite /developers /developers.html break; +# rewrite /merchants /merchants.html break; +# rewrite /governments /governments.html break; +# rewrite /investors /investors.html break; +# rewrite /about /about.html break; +# rewrite /news /news.html break; +# } +} 
diff --git a/historic/guix/etc/nginx/sites-available/www.git-ssl.site b/historic/guix/etc/nginx/sites-available/www.git-ssl.site new file mode 100644 index 0000000..4ac7cfa --- /dev/null +++ b/historic/guix/etc/nginx/sites-available/www.git-ssl.site @@ -0,0 +1,25 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + # Make site accessible from http://localhost/ + server_name www.git.taler.net; + + include conf.d/talerssl; + + location /index.cgi { + root /usr/share/gitweb/; + + include fastcgi_params; + gzip off; + fastcgi_param SCRIPT_NAME $uri; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } + + location / { + root /usr/share/gitweb/; + index index.cgi; + } +} diff --git a/historic/guix/etc/nginx/sites-available/www.git.site b/historic/guix/etc/nginx/sites-available/www.git.site new file mode 100644 index 0000000..26679be --- /dev/null +++ b/historic/guix/etc/nginx/sites-available/www.git.site @@ -0,0 +1,24 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + # Make site accessible from http://localhost/ + server_name www.git.taler.net; + + + location /index.cgi { + root /usr/share/gitweb/; + + include fastcgi_params; + gzip off; + fastcgi_param SCRIPT_NAME $uri; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } + + location / { + root /usr/share/gitweb/; + index index.cgi; + } +} diff --git a/historic/guix/etc/nginx/sites-enabled/api-ssl.site b/historic/guix/etc/nginx/sites-enabled/api-ssl.site new file mode 100644 index 0000000..6f5fd69 --- /dev/null +++ b/historic/guix/etc/nginx/sites-enabled/api-ssl.site 
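Review bot: www.git.site serves gitweb in the clear on port 80 while www.git-ssl.site serves the same locations on 443, unlike the other 80/443 pairs in this commit (buildbot.site, docs.site, api.site) whose port-80 server only redirects; if both are meant to be enabled, the port-80 block should be reduced to `rewrite ^ https://$host$request_uri? permanent;`. Both files sit in sites-available rather than sites-enabled, so this may be moot if they are never symlinked, but a working cleartext variant should not be left beside the TLS one without a comment saying which is current.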
@@ -0,0 +1,9 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ server_name api.taler.net
+ www.api.taler.net;
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/api.site b/historic/guix/etc/nginx/sites-enabled/api.site
new file mode 100644
index 0000000..21e7efe
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/api.site
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name api.taler.net
+ www.api.taler.net;
+
+ rewrite ^ https://docs.taler.net$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/buildbot-ssl.site b/historic/guix/etc/nginx/sites-enabled/buildbot-ssl.site
new file mode 100644
index 0000000..ba998bb
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/buildbot-ssl.site
@@ -0,0 +1,23 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/buildbot/;
+
+ # Make site accessible from http://localhost/
+ server_name buildbot.taler.net;
+ server_name www.buildbot.taler.net;
+ server_name bb.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/buildbot.site b/historic/guix/etc/nginx/sites-enabled/buildbot.site
new file mode 100644
index 0000000..77eb805
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/buildbot.site
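Review bot: The `location /` in buildbot-ssl.site forwards `Upgrade $http_upgrade` and `Connection "upgrade"` but sets no `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 unless told otherwise, which per the nginx WebSocket proxying documentation does not carry the upgrade handshake (the CSP in conf.d/talerssl clearly expects `wss://buildbot.taler.net` to work). Add `proxy_http_version 1.1;` next to the two headers. `Connection "upgrade"` is also sent on every proxied request rather than only on upgrades; the documented form is a `map $http_upgrade $connection_upgrade` in the http block and `proxy_set_header Connection $connection_upgrade;` here.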
@@ -0,0 +1,14 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/buildbot/; + + # Make site accessible from http://localhost/ + server_name buildbot.taler.net; + server_name www.buildbot.taler.net; + server_name bb.taler.net; + + rewrite ^ https://$server_name$request_uri? permanent; +} diff --git a/historic/guix/etc/nginx/sites-enabled/decentralise-ssl.site b/historic/guix/etc/nginx/sites-enabled/decentralise-ssl.site new file mode 100644 index 0000000..9dd0470 --- /dev/null +++ b/historic/guix/etc/nginx/sites-enabled/decentralise-ssl.site @@ -0,0 +1,14 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/decentralise; + + # Make site accessible from http://localhost/ + server_name www.decentralise.rennes.inria.fr; + server_name decentralise.rennes.inria.fr; + include conf.d/talerssl; + + rewrite / http://www.inria.fr/en/teams/decentralise redirect; +} diff --git a/historic/guix/etc/nginx/sites-enabled/decentralise.site b/historic/guix/etc/nginx/sites-enabled/decentralise.site new file mode 100644 index 0000000..b92fb0f --- /dev/null +++ b/historic/guix/etc/nginx/sites-enabled/decentralise.site @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + root /var/www/decentralise; + + # Make site accessible from http://localhost/ + server_name www.decentralise.rennes.inria.fr; + server_name decentralise.rennes.inria.fr; + + rewrite / http://www.inria.fr/en/teams/decentralise redirect; +} diff --git a/historic/guix/etc/nginx/sites-enabled/default.site b/historic/guix/etc/nginx/sites-enabled/default.site new file mode 100644 index 0000000..2d88ab2 --- /dev/null 
+++ b/historic/guix/etc/nginx/sites-enabled/default.site
@@ -0,0 +1,18 @@
+# matched when no other server name matches
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ # server name must simply something invalid ...
+ server_name _;
+ # drop connection, special nginx status code
+ return 444;
+}
+# server {
+# listen 443 ssl default_server;
+# listen [::]:443 ssl default_server;
+# include conf.d/talerssl;
+# # server name must simply something invalid ...
+# server_name _;
+# # drop connection, special nginx status code
+# return 444;
+# }
diff --git a/historic/guix/etc/nginx/sites-enabled/demo.site b/historic/guix/etc/nginx/sites-enabled/demo.site
new file mode 100644
index 0000000..16d9698
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/demo.site
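Review bot: Only the port-80 catch-all is live; the `listen 443 ssl default_server` block is commented out, so an HTTPS request whose SNI/Host matches no `server_name` is answered by whichever `listen 443` server nginx loads first (presumably the first `sites-enabled/*.site` in glob order) instead of being dropped with 444. If the block stays disabled on purpose, say why in the comment; otherwise enabling it makes the two listeners behave alike. At minimum a comment such as `# no 443 default_server: TLS requests for unknown names fall through to the first ssl server` documents the asymmetry.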
@@ -0,0 +1,159 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name demo.taler.net
+ bank.demo.taler.net
+ shop.demo.taler.net
+ donations.demo.taler.net
+ survey.demo.taler.net
+ auditor.demo.taler.net
+ exchange.demo.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ # method used in the second request. This breaks all the API
+ # using POST, as some user agents do the second request using
+ # GET. 307 is meant to tell the user agent to not change the
+ # method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name auditor.demo.taler.net;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ root /home/demo/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name demo.taler.net www.demo.taler.net;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location / {
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ root /home/demo/landing/demo;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name exchange.demo.taler.net;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location /admin {
+ proxy_pass http://unix:/home/demo/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ proxy_pass http://unix:/home/demo/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ server_name backend.demo.taler.net;
+ include conf.d/talerssl;
+
+ location /public {
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+
proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/public;
+ }
+
+ location / {
+ # match the ApiKey part ignoring case, and the actual key
+ # with case-sensitivity on.
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.demo.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/demo/sockets/merchant.http:/;
+ }
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name donations.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name shop.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name survey.demo.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name bank.demo.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/demo/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/docs-ssl.site b/historic/guix/etc/nginx/sites-enabled/docs-ssl.site
new file mode 100644
index 0000000..923d703
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/docs-ssl.site
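Review bot: The backend.demo.taler.net server listens on `80` and `[::]:80` as well as 443 yet sets `proxy_set_header X-Forwarded-Proto "https";` unconditionally, so a plain-HTTP request (carrying the `Authorization: ApiKey …` value checked in `location /`) reaches the merchant backend labelled as https, and the 80→https redirect server at the top of this file does not list backend.demo.taler.net, so nothing pushes such clients to TLS. Either drop the two port-80 `listen` lines and add the name to the redirect server, or at least use `proxy_set_header X-Forwarded-Proto $scheme;`. The check `if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox")` is unanchored, so any header value containing that substring passes; `"^(?i)ApiKey (?-i)sandbox$"` matches only the exact credential. The comment above it should also state that `sandbox` is the public demo key rather than a secret, if that is the intent.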
@@ -0,0 +1,69 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; ## listen for ipv4; this line is default and implied + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + + # Temporary, as this doesn't do i18n + root /home/docbuilder/build/docs-landing/; + + # Make site accessible from http://localhost/ + server_name docs.taler.net + www.docs.taler.net; + + include conf.d/talerssl; + + location / { + autoindex off; + ssi off; +# ssi_last_modified on; + + + rewrite ^/$ /$index_redirect_uri/ redirect; + rewrite ^/(..)/$ /$1/index.html break; + } + + + location /code/exchange { + alias /home/docbuilder/build/exchange/doxygen; + } + + location /code/merchant { + alias /home/docbuilder/build/merchant-backend/doxygen; + } + + location /onboarding { + alias /home/docbuilder/build/onboarding/; + } + + location /bank { + alias /home/docbuilder/build/bank/manual; + } + + location /backoffice { + alias /home/docbuilder/build/backoffice/; + } + + location /exchange { + alias /home/docbuilder/build/exchange/manual; + } + + location /merchant/backend { + alias /home/docbuilder/build/merchant-backend/manual; + } + + location /merchant/frontend { + alias /home/docbuilder/build/merchant-frontend/; + } + + location /api { + autoindex off; + alias /home/docbuilder/build/api/html; + } + + # Associated to /api route. + location /_static { + alias /home/docbuilder/api/html/_static; + } + + include conf.d/favicon_robots; +} diff --git a/historic/guix/etc/nginx/sites-enabled/docs.site b/historic/guix/etc/nginx/sites-enabled/docs.site new file mode 100644 index 0000000..8e01608 --- /dev/null +++ b/historic/guix/etc/nginx/sites-enabled/docs.site @@ -0,0 +1,7 @@ +server { + listen 80; + listen [::]:80; + server_name docs.taler.net; + + rewrite ^ https://$host$request_uri? permanent; +} diff --git a/historic/guix/etc/nginx/sites-enabled/env.site b/historic/guix/etc/nginx/sites-enabled/env.site new file mode 100644 index 0000000..fbe31aa --- /dev/null 
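Review bot: Several `alias` locations in docs-ssl.site pair a prefix without trailing slash with an alias that ends in one — `location /onboarding { alias /home/docbuilder/build/onboarding/; }`, likewise `/backoffice` and `/merchant/frontend` — which is the nginx alias/location slash mismatch: whatever follows the literal prefix is appended to the alias directory unchecked, even when the path does not continue with `/`, the well-known alias traversal pitfall. Give prefix and alias matching slashes, `location /onboarding/ { alias /home/docbuilder/build/onboarding/; }`, and the same for the other two. `location /_static { alias /home/docbuilder/api/html/_static; }` is also the only alias missing the `build/` path component and disagrees with the `/api` alias above it, which looks like a typo.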
+++ b/historic/guix/etc/nginx/sites-enabled/env.site 
@@ -0,0 +1,85 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name env.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name env.taler.net;
+ include conf.d/talerssl;
+ root /dev/null;
+ # rewrite_log on;
+
+ # add trailing slashes to apps
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)$ /$user/$app/ redirect;
+ # add trailing slashes to user
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)$ /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/$ /$user/en/ redirect;
+
+ # aliases to get from one page to the other
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/landing /$user/ redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/bank /$user/bank redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/shop /$user/shop redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/donations /$user/donations redirect;
+ rewrite ^/(?<user>[a-zA-Z0-9-_]+)/(?<app>[a-zA-Z0-9-_]+)/survey /$user/survey redirect;
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/exchange/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/exchange.http:/$req$is_args$args;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/merchant-backend/(?<req>.*) {
+ proxy_pass http://unix:/home/$user/sockets/merchant.http:/$req;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/bank(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/bank/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/shop(?<req>/?.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/shop/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/donations(?<req>/.*|)$ {
+ uwsgi_pass 
unix:/home/$user/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/donations/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$ {
+ # add index.html
+ rewrite ^/(.*)/(..)/$ /$1/$2/index.html last;
+ # strip /user/
+ rewrite ^/([a-zA-Z0-9-_]+)/(.*)$ /$2 break;
+ root /home/$user/landing/demo;
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/auditor(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/auditor.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ location ~ ^/(?<user>[a-zA-Z0-9-_]+)/survey(?<req>/.*|)$ {
+ uwsgi_pass unix:/home/$user/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ uwsgi_param SCRIPT_NAME "/$user/";
+ uwsgi_param PATH_INFO "$req";
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/gauger-ssl.site b/historic/guix/etc/nginx/sites-enabled/gauger-ssl.site
new file mode 100644
index 0000000..e889b59
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/gauger-ssl.site
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/gauger.site b/historic/guix/etc/nginx/sites-enabled/gauger.site
new file mode 100644
index 0000000..967f9e9
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/gauger.site
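Review bot: The catch-all `location ~ ^/(?<user>[a-zA-Z0-9-_]+)(?<req>/.*|)$` in env.site is declared before the `/auditor` and `/survey` regex locations, and nginx evaluates regex locations in order of appearance and stops at the first match, so `/USER/auditor/...` and `/USER/survey/...` are served as static files from `/home/$user/landing/demo` and the two uwsgi blocks below it are never reached; move them above the catch-all. The merchant-backend proxy also loses the query string: the exchange block appends `$is_args$args` to its `proxy_pass` URI while `proxy_pass http://unix:/home/$user/sockets/merchant.http:/$req;` does not, so GET parameters never reach the merchant backend. A client-controlled path segment selects which socket under `/home/$user/` is contacted; the `[a-zA-Z0-9-_]+` class is what keeps that to a single path component, so that restriction must survive any later edit of the patterns.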
@@ -0,0 +1,17 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/gauger/;
+
+ # Make site accessible from http://localhost/
+ server_name gauger.taler.net;
+ server_name www.gauger.taler.net;
+
+ location / {
+ proxy_pass http://localhost:1801;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/git-ssl.site b/historic/guix/etc/nginx/sites-enabled/git-ssl.site
new file mode 100644
index 0000000..ea7cf0f
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/git-ssl.site
@@ -0,0 +1,30 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+
+ root /srv/git;
+ server_name git.taler.net;
+ include conf.d/talerssl;
+
+ access_log /var/log/nginx/git.taler.net_access.log;
+ error_log /var/log/nginx/git.taler.net_error.log notice;
+
+ location ~ ^(.*?)\.git/(HEAD|info/refs|objects/.*|git-upload-pack)$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /run/current-system/profile/libexec/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location /cgit {
+ root /var/www;
+ }
+
+ location / {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /run/current-system/profile/lib/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/git.site b/historic/guix/etc/nginx/sites-enabled/git.site
new file mode 100644
index 0000000..e10fcc6
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/git.site
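Review bot: Unlike `docs.site`, `git.site` and `intranet.site` in this commit, the port-80 server in gauger.site proxies straight to `http://localhost:1801` instead of redirecting to the TLS host, so the same application is reachable over plaintext as through `gauger-ssl.site`. If that is not intended, replace the `location /` block with `rewrite ^ https://$server_name$request_uri? permanent;` as the sibling files do. The `root /var/www/gauger/` directive is unused by a pure proxy location and can be dropped.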
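Review bot: The `git-http-backend` location in git-ssl.site sets `GIT_PROJECT_ROOT` but not `GIT_HTTP_EXPORT_ALL`, so only repositories that contain a `git-daemon-export-ok` file are served, and nothing in the new code says whether that per-repository opt-in is the intended access control; a comment such as `# only repos carrying git-daemon-export-ok are exported; no GIT_HTTP_EXPORT_ALL on purpose` would make it explicit. Because `git-receive-pack` is absent from the regex, push requests over HTTP are not handled by git-http-backend and fall through to the cgit `location /`, which is worth stating in the same comment. The cgit fallback receives every remaining URI via `PATH_INFO $uri`, so cgit's own configuration (not part of this diff) decides which repositories are listed.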
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /srv/git;
+ server_name git.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/intranet-ssl.site b/historic/guix/etc/nginx/sites-enabled/intranet-ssl.site
new file mode 100644
index 0000000..3390403
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/intranet-ssl.site
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name intranet.taler.net;
+ include conf.d/talerssl;
+ location / {
+ proxy_pass http://127.0.0.1:8018;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header HTTPS on;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/intranet.site b/historic/guix/etc/nginx/sites-enabled/intranet.site
new file mode 100644
index 0000000..66217db
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/intranet.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ # Make site accessible from http://localhost/
+ server_name intranet.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/lcov-ssl.site b/historic/guix/etc/nginx/sites-enabled/lcov-ssl.site
new file mode 100644
index 0000000..0620bfe
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/lcov-ssl.site
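Review bot: `proxy_set_header HTTPS on;` in intranet-ssl.site makes the upstream at `127.0.0.1:8018` trust a plain `HTTPS` request header as the signal that a TLS front end is in place; `proxy_set_header` does replace any client-supplied value, so this is sound only as long as port 8018 is reachable solely through this proxy, and the conventional header for the purpose is `proxy_set_header X-Forwarded-Proto https;`. Whichever one the backend actually reads is not visible here, so a comment such as `# backend reads the HTTPS header to build https:// URLs -- confirm and keep 8018 bound to loopback only` would save the next reader a guess.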
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/lcov.site b/historic/guix/etc/nginx/sites-enabled/lcov.site
new file mode 100644
index 0000000..979c387
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/lcov.site
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/lcov.taler.net/;
+
+ # Make site accessible from http://localhost/
+ server_name lcov.taler.net;
+ server_name www.lcov.taler.net;
+
+ location / {
+ autoindex on;
+ ssi off;
+# ssi_last_modified on;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/sandbox.site b/historic/guix/etc/nginx/sites-enabled/sandbox.site
new file mode 100644
index 0000000..9e32b17
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/sandbox.site
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name sandbox.taler.net *.sandbox.taler.net;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name sandbox.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/sandbox/sandbox_landing/;
+ autoindex off;
+ index index.html;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/test.site b/historic/guix/etc/nginx/sites-enabled/test.site
new file mode 100644
index 0000000..7c4f847
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/test.site
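Review bot: `autoindex on` at `location /` of lcov-ssl.site publishes a browsable listing of everything under `/var/www/lcov.taler.net/`, not only the generated coverage reports, and lcov.site serves the identical tree over plain HTTP instead of redirecting to TLS the way the other port-80 files in this commit do. If listing the whole root is deliberate, say so with `# coverage reports are public; listing the root is intentional` so it is not read as an oversight; otherwise limit `autoindex on` to the report directories and turn lcov.site into a redirect like git.site.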
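Review bot: The port-80 server in sandbox.site redirects `*.sandbox.taler.net` to `https://$host$request_uri`, but the only TLS server in the file is `server_name sandbox.taler.net;`, so a request for any subdomain is redirected onto whichever port-443 server nginx treats as default, with a certificate from `conf.d/talerssl` that this diff does not show covering the wildcard. Either add the wildcard to the 443 `server_name` or redirect to the fixed host with `rewrite ^ https://sandbox.taler.net$request_uri? permanent;`.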
@@ -0,0 +1,379 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name test.taler.net
+ bank.test.taler.net
+ shop.test.taler.net
+ donations.test.taler.net
+ survey.test.taler.net
+ auditor.test.taler.net
+ exchange.test.taler.net
+ backoffice.test.taler.net;
+
+ # 301-based ridirects allows the user agent to *change* the
+ method used in the second request. This breaks all the API
+ using POST, as some user agents do the second request using
+ GET. 307 is meant to tell the user agent to not change the
+ method in the second request.
+ if ($request_method = POST) { return 307 https://$host$request_uri; }
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name test.taler.net www.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ rewrite /javascript /javascript.html break;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/landing/demo;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/landing/demo;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/landing/demo;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name auditor.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ root /home/test-green/auditor;
+ }
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ root /home/test-blue/auditor;
+ }
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ 
error_page 418 = @blue;
+ error_page 419 = @green;
+ rewrite ^/$ /en/ redirect;
+ rewrite ^/(..)/$ /$1/index.html break;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ root /home/test/auditor;
+ }
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name exchange.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+ location @blue-admin {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+ location @green-admin {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/exchange.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location /admin {
+ error_page 418 = @blue-admin;
+ error_page 419 = @green-admin;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange-admin.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_pass http://unix:/home/test/sockets/exchange.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name 
shop.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/shop.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name playground.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ root /dev/null;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/playground.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name backend.test.taler.net;
+ listen 443 ssl;
+ listen 80;
+ listen [::]:443 ssl;
+ listen [::]:80;
+ include conf.d/talerssl;
+
+ location @blue {
+ 
add_header X-Taler-Deployment-Color blue;
+ proxy_pass http://unix:/home/test-blue/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ proxy_pass http://unix:/home/test-green/sockets/merchant.http;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ }
+
+ location /public {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/public;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+
+ # match the ApiKey part ignoring case, and the actual key
+ with case-sensitivity on. 
+ if ($http_authorization !~ "(?i)ApiKey (?-i)sandbox") {
+ return 401;
+ }
+
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ proxy_set_header X-Forwarded-Host "backend.test.taler.net";
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://unix:/home/test/sockets/merchant.http:/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
+
+
+server {
+ server_name survey.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location / {
+ uwsgi_pass unix:/home/test/sockets/survey.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+}
+
+server {
+ server_name donations.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/donations.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+
+server {
+ server_name bank.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/bank.uwsgi;
+ include 
/etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/bank.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
+
+server {
+ server_name backoffice.test.taler.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include conf.d/talerssl;
+
+ location @blue {
+ add_header X-Taler-Deployment-Color blue;
+ uwsgi_pass unix:/home/test-blue/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+ location @green {
+ add_header X-Taler-Deployment-Color green;
+ uwsgi_pass unix:/home/test-green/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # Redirection technique explainted at
+ # https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @blue;
+ error_page 419 = @green;
+ recursive_error_pages on;
+ if ($http_x_taler_deployment_color ~ "blue") { return 418; }
+ if ($http_x_taler_deployment_color ~ "green") { return 419; }
+ uwsgi_pass unix:/home/test/sockets/backoffice.uwsgi;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ include conf.d/favicon_robots;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/trollslayer.site b/historic/guix/etc/nginx/sites-enabled/trollslayer.site
new file mode 100644
index 0000000..1767fe6
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/trollslayer.site
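Review bot: The `backend.test.taler.net` server in test.site listens on port 80 as well as 443 yet hard-codes `proxy_set_header X-Forwarded-Proto "https";` and gates `location /` on the `Authorization: ApiKey sandbox` credential with `return 401`, so that key and every merchant request can travel in cleartext while the backend is told they arrived over TLS; the hostname is also missing from the `server_name` list of the port-80 redirect server at the top of the file. Drop `listen 80;` and `listen [::]:80;` from that server and add `backend.test.taler.net` to the redirect list instead. `exchange.test.taler.net`'s `location /admin` forwards to the `exchange-admin.http` sockets with no `allow`/`deny` or authentication at all, which deserves at least `# admin endpoint intentionally open on the test deployment` if that is the intent. As rendered here, the continuation lines of the two multi-line comments (`method used in the second request...` and `with case-sensitivity on.`) carry no leading `#`; if that is not a rendering artifact nginx rejects them as unknown directives.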
@@ -0,0 +1,16 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/www/trollslayer/;
+
+ # Make site accessible from http://localhost/
+ server_name trollslayer.decentralise.rennes.inria.fr;
+
+ location / {
+ proxy_pass http://gnunet.org:20070/shell/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/www-ssl.site b/historic/guix/etc/nginx/sites-enabled/www-ssl.site
new file mode 100644
index 0000000..d7776b3
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www-ssl.site
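Review bot: `proxy_pass http://gnunet.org:20070/shell/;` forwards every request to a remote host over cleartext HTTP on a non-standard port, and the front end itself only listens on port 80, so the whole path from browser to upstream carries the application traffic unprotected while the upstream sees `trollslayer.decentralise.rennes.inria.fr` as its `Host`. If the upstream is under the same administration, a TLS upstream (`proxy_pass https://...;` with `proxy_ssl_verify on;`) or a private link is the usual fix; otherwise record the reason with a comment such as `# upstream is plain HTTP by design; nothing sensitive crosses this hop`. The `root /var/www/trollslayer/` line is unused by the proxy location.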
@@ -0,0 +1,59 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/www.taler.net;
+ autoindex off;
+ ssi on;
+ #ssi_last_modified on;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/www-stage.site b/historic/guix/etc/nginx/sites-enabled/www-stage.site
new file mode 100644
index 0000000..e8a988b
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www-stage.site
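Review bot: `ssi on;` is enabled for the whole `location /` of taler.net in www-ssl.site while the otherwise near-identical www-stage.site leaves SSI off, so staging never exercises the include processing production depends on, and every file under `/home/docbuilder/www.taler.net` is parsed for SSI directives. Either enable SSI in the stage server as well or, if production no longer needs it, drop it, and record the intended state with `# SSI is required by the generated pages -- keep in sync with www-stage.site`. `$index_redirect_uri` is not defined in this file, so `rewrite ^/$ /$index_redirect_uri/ redirect;` presumably relies on a `map` elsewhere in the nginx configuration; nginx would fail to load if that is missing.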
@@ -0,0 +1,78 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/stage.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ #listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+
+ # Make site accessible from http://localhost/
+ server_name stage.taler.net;
+ include conf.d/talerssl;
+
+ location / {
+ root /home/docbuilder/stage.taler.net;
+ autoindex off;
+
+ rewrite ^/$ /$index_redirect_uri/ redirect;
+
+ rewrite ^/(..)/$ /$1/index.html break;
+
+ rewrite ^/(help/empty-wallet)$ /$1.html break;
+ rewrite ^/wallet-installation\.html$ /en/wallet.html redirect;
+ # just to get around cached old redirect
+ rewrite ^/wallet\.en\.html$ /en/wallet.html redirect;
+ rewrite ^/wallet$ /en/wallet.html redirect;
+ rewrite ^/press$ /en/press.html redirect;
+
+ }
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
+
+
+ # Note: this will go to /var/www/(videos|releases), which we took out of Git
+ location /videos {
+ root /var/www;
+ expires max;
+ }
+
+ location ~* /videos/.*\.(png|jpg|ogv|webm|gif|svg)$ {
+ root /var/www;
+ expires max;
+ }
+
+ # FIXME: this location newest files are from Oct'16
+ location /releases {
+ root /var/www;
+ autoindex on;
+ }
+
+ location /files {
+ root /var/www;
+ }
+
+ location ~* \.(png|jpg|jpeg|gif|ico|svg|js|css)$ {
+ root /home/docbuilder/stage.taler.net;
+ expires 1y;
+ }
+
+
+}
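Review bot: The new `location ~* \.(png|jpg|jpeg|gif|ico|svg|js|css)$ { root /home/docbuilder/stage.taler.net; expires 1y; }` is a regex location, and nginx prefers a matching regex location over the plain prefix locations `/releases` and `/files`, so any file with one of those extensions under `/releases` or `/files` is looked up in the stage document root instead of `/var/www` and returns 404; `/videos/*.png` escapes this only because the earlier `/videos/` regex wins by order. Declare the two prefixes as `location ^~ /releases {` and `location ^~ /files {` so that a prefix match there stops regex evaluation, or restrict the pattern to the paths that really live in the docroot.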
diff --git a/historic/guix/etc/nginx/sites-enabled/www.git-ssl.site b/historic/guix/etc/nginx/sites-enabled/www.git-ssl.site
new file mode 100644
index 0000000..5ba4831
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www.git-ssl.site
@@ -0,0 +1,11 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+ include conf.d/talerssl;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/www.git.site b/historic/guix/etc/nginx/sites-enabled/www.git.site
new file mode 100644
index 0000000..645923f
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www.git.site
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /var/git;
+ server_name www.git.taler.net;
+
+ rewrite ^ https://git.taler.net/ permanent;
+}
diff --git a/historic/guix/etc/nginx/sites-enabled/www.site b/historic/guix/etc/nginx/sites-enabled/www.site
new file mode 100644
index 0000000..ae178e5
--- /dev/null
+++ b/historic/guix/etc/nginx/sites-enabled/www.site
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80; ## listen for ipv4; this line is default and implied
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /home/docbuilder/www.taler.net;
+
+ # Make site accessible from http://localhost/
+ server_name taler.net;
+ server_name www.taler.net;
+
+ rewrite ^ https://$server_name$request_uri? permanent;
+}
diff --git a/historic/guix/etc/nginx/uwsgi_params b/historic/guix/etc/nginx/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/historic/guix/etc/nginx/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/historic/guix/etc/nginx/win-utf b/historic/guix/etc/nginx/win-utf
new file mode 100644
index 0000000..774fd9f
--- /dev/null
+++ b/historic/guix/etc/nginx/win-utf
@@ -0,0 +1,125 @@ +# This map is not a full windows-1251 <> utf8 map: it does not +# contain Serbian and Macedonian letters. If you need a full map, +# use contrib/unicode2nginx/win-utf map instead. + +charset_map windows-1251 utf-8 { + + 82 E2809A; # single low-9 quotation mark + + 84 E2809E; # double low-9 quotation mark + 85 E280A6; # ellipsis + 86 E280A0; # dagger + 87 E280A1; # double dagger + 88 E282AC; # euro + 89 E280B0; # per mille + + 91 E28098; # left single quotation mark + 92 E28099; # right single quotation mark + 93 E2809C; # left double quotation mark + 94 E2809D; # right double quotation mark + 95 E280A2; # bullet + 96 E28093; # en dash + 97 E28094; # em dash + + 99 E284A2; # trade mark sign + + A0 C2A0; # + A1 D18E; # capital Byelorussian short U + A2 D19E; # small Byelorussian short u + + A4 C2A4; # currency sign + A5 D290; # capital Ukrainian soft G + A6 C2A6; # borken bar + A7 C2A7; # section sign + A8 D081; # capital YO + A9 C2A9; # (C) + AA D084; # capital Ukrainian YE + AB C2AB; # left-pointing double angle quotation mark + AC C2AC; # not sign + AD C2AD; # soft hypen + AE C2AE; # (R) + AF D087; # capital Ukrainian YI + + B0 C2B0; # ° + B1 C2B1; # plus-minus sign + B2 D086; # capital Ukrainian I + B3 D196; # small Ukrainian i + B4 D291; # small Ukrainian soft g + B5 C2B5; # micro sign + B6 C2B6; # pilcrow sign + B7 C2B7; # · + B8 D191; # small yo + B9 E28496; # numero sign + BA D194; # small Ukrainian ye + BB C2BB; # right-pointing double angle quotation mark + + BF D197; # small Ukrainian yi + + C0 D090; # capital A + C1 D091; # capital B + C2 D092; # capital V + C3 D093; # capital G + C4 D094; # capital D + C5 D095; # capital YE + C6 D096; # capital ZH + C7 D097; # capital Z + C8 D098; # capital I + C9 D099; # capital J + CA D09A; # capital K + CB D09B; # capital L + CC D09C; # capital M + CD D09D; # capital N + CE D09E; # capital O + CF D09F; # capital P + + D0 D0A0; # capital R + D1 D0A1; # capital S + D2 D0A2; # capital T + D3 D0A3; # 
capital U + D4 D0A4; # capital F + D5 D0A5; # capital KH + D6 D0A6; # capital TS + D7 D0A7; # capital CH + D8 D0A8; # capital SH + D9 D0A9; # capital SHCH + DA D0AA; # capital hard sign + DB D0AB; # capital Y + DC D0AC; # capital soft sign + DD D0AD; # capital E + DE D0AE; # capital YU + DF D0AF; # capital YA + + E0 D0B0; # small a + E1 D0B1; # small b + E2 D0B2; # small v + E3 D0B3; # small g + E4 D0B4; # small d + E5 D0B5; # small ye + E6 D0B6; # small zh + E7 D0B7; # small z + E8 D0B8; # small i + E9 D0B9; # small j + EA D0BA; # small k + EB D0BB; # small l + EC D0BC; # small m + ED D0BD; # small n + EE D0BE; # small o + EF D0BF; # small p + + F0 D180; # small r + F1 D181; # small s + F2 D182; # small t + F3 D183; # small u + F4 D184; # small f + F5 D185; # small kh + F6 D186; # small ts + F7 D187; # small ch + F8 D188; # small sh + F9 D189; # small shch + FA D18A; # small hard sign + FB D18B; # small y + FC D18C; # small soft sign + FD D18D; # small e + FE D18E; # small yu + FF D18F; # small ya +} diff --git a/historic/guix/fixed-fcgiwrap.scm b/historic/guix/fixed-fcgiwrap.scm new file mode 100644 index 0000000..21b39d6 --- /dev/null +++ b/historic/guix/fixed-fcgiwrap.scm 
@@ -0,0 +1,161 @@ +(define-module (fixed-fcgiwrap) + #:use-module (ice-9 match) + #:use-module (ice-9 regex) + #:use-module (gnu services) + #:use-module (gnu packages admin) + #:use-module (gnu system shadow) + #:use-module (gnu packages web) + #:use-module (gnu services shepherd) + #:use-module (guix modules) + #:use-module (guix i18n) + #:use-module (guix records) + #:use-module (guix gexp) + #:export (fcgiwrap-configuration + fcgiwrap-service-type)) + + +;;; +;;; Our definition of the fcgiwrap-service, +;;; this should eventually go upstream. +;;; + + +(define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration + make-fcgiwrap-configuration + fcgiwrap-configuration? + (package fcgiwrap-configuration-package ;<package> + (default fcgiwrap)) + (socket fcgiwrap-configuration-socket + (default "tcp:127.0.0.1:9000")) + (user fcgiwrap-configuration-user + (default "fcgiwrap")) + (group fcgiwrap-configuration-group + (default "fcgiwrap")) + (log-file fcgiwrap-log-file + (default #f)) + ;; boolean or octal mode integer + (adjusted-socket-permissions fcgiwrap-adjusted-socket-permissions? + (default #f)) + (ensure-socket-dir? fcgiwrap-ensure-socket-dir? + (default #f))) + +(define fcgiwrap-accounts + (match-lambda + (($ <fcgiwrap-configuration> package socket user group) + (filter identity + (list + (and (equal? group "fcgiwrap") + (user-group + (name "fcgiwrap") + (system? #t))) + (and (equal? user "fcgiwrap") + (user-account + (name "fcgiwrap") + (group group) + (system? #t) + (comment "Fcgiwrap Daemon") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))))))) + +(define (parse-fcgiwrap-socket s) + "Parse a fcgiwrap socket specification string into '(type args ...)" + (cond + ((string-prefix? "unix:" s) + (list 'unix (substring s 5))) + ((string-prefix? "tcp:" s) + (match (string-match "^tcp:([.0-9]+):([0-9]+)$" s) + ((? regexp-match? 
m) + (list + 'tcp + (match:substring m 1) + (string->number (match:substring m 2)))) + (_ (error "invalid tcp socket address")))) + ((string-prefix? "tcp6:" s) + (match (string-match "^tcp6:\\[(.*)\\]:([0-9]+)$" s) + ((? regexp-match? m) + (list + 'tcp6 + (match:substring m 1) + (string->number (match:substring m 2)))) + (_ (error "invalid tcp6 socket address")))) + (else (error "unrecognized socket protocol")))) + + +(define fcgiwrap-shepherd-service + (match-lambda + (($ <fcgiwrap-configuration> package socket user group log-file perm ensure-dir?) + (define parsed-socket (parse-fcgiwrap-socket socket)) + (list + (shepherd-service + (provision '(fcgiwrap)) + (documentation "Run the fcgiwrap daemon.") + (requirement '(networking)) + (modules `((shepherd support) (ice-9 match) ,@%default-modules)) + (start + #~(lambda args + (define (clean-up file) + (catch 'system-error + (lambda () + (delete-file file)) + (lambda args + (unless (= ENOENT (system-error-errno args)) + (apply throw args))))) + (define* (wait-for-file file #:key (max-delay 10)) + (define start (current-time)) + (local-output "w: waiting for file ~s" file) + (let loop () + (cond + ((file-exists? file) + (local-output "w: file ~s exists" file) + #t) + ((< (current-time) (+ start max-delay)) + (local-output "w: file ~s does not exist yet" file) + (sleep 1) + (loop)) + (else + (local-output "w: file ~s: giving up" file) + #f)))) + (define (adjust-permissions file mode) + (match mode + (#t (chmod file #o660)) + (n (chmod file n)) + (#f 0))) + (define (ensure-socket-dir dir user group) + (unless (file-exists? dir) + (mkdir dir) ; FIXME: use mkdir-p instead? 
+ (let ((uid (passwd:uid (getpwnam user))) + (gid (group:gid (getgrnam group)))) + (chown dir uid gid)))) + (define start-fcgiwrap + (make-forkexec-constructor + '(#$(file-append package "/sbin/fcgiwrap") + "-s" #$socket) + #:user #$user + #:group #$group + #:log-file #$log-file)) + (match '#$parsed-socket + (('unix path) + ;; Clean up socket, otherwise fcgiwrap might not start properly. + (clean-up path) + (when #$ensure-dir? + (ensure-socket-dir (dirname path) #$user #$group)) + (let ((pid (start-fcgiwrap)) + (socket-exists? (wait-for-file path))) + (if socket-exists? + (adjust-permissions path #$perm) + (local-output + #$(G_ "fcgiwrap: warning: waiting for socket ~s failed") + path)) + pid)) + (_ (start-fcgiwrap))))) + (stop #~(make-kill-destructor))))))) + +(define fcgiwrap-service-type + (service-type (name 'fcgiwrap) + (extensions + (list (service-extension shepherd-root-service-type + fcgiwrap-shepherd-service) + (service-extension account-service-type + fcgiwrap-accounts))) + (default-value (fcgiwrap-configuration)))) + diff --git a/historic/guix/keys/ssh/dold.pub b/historic/guix/keys/ssh/dold.pub new file mode 100644 index 0000000..2414541 --- /dev/null +++ b/historic/guix/keys/ssh/dold.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCwY5XSDyXVqobwR+UfQ0+lPJTVj8MchnOYAJWNC9xvks4s7ZapBkzbpxcnCi27hb31NBtXECgMCfbDI4HuaaphgbGZjOoIWQeMLn8yHCgo7WJT0KDm4o7nODl/6drgab9XmQKhobTtrzmM+MY+MPCSXNDGRk53rM8knT+8cuPsdafEUa67mTC0p/VQJOgX0JVUF45MfVUtl1914Uot22AMHChGGg+7EMPge9QV3z5ZlP9tzXLUkw28+dkeqkXhGgAtBu2alaAy+sxiRbVHVgedOQzYCmhfQZBly8wMBvlnnTNLK023jT9FAp6j2h9/mnfGaXncElzZqkqMTXTkLe1 dold diff --git a/historic/guix/keys/ssh/grothoff.pub b/historic/guix/keys/ssh/grothoff.pub new file mode 100644 index 0000000..6af38a5 --- /dev/null +++ b/historic/guix/keys/ssh/grothoff.pub @@ -0,0 +1 @@ +ssh-dss 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 grothoff@gnunet.org 
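Review bot: The `(#f 0)` clause of `adjust-permissions` is dead code: the preceding pattern `n` is a variable pattern and matches every value, including `#f`, so with the default `adjusted-socket-permissions` of `#f` and a `unix:` socket the start procedure calls `(chmod file #f)` and throws after fcgiwrap is already running; the clauses need to be ordered `(#t (chmod file #o660)) (#f 0) (n (chmod file n))`. Independently of that, the socket keeps whatever mode the daemon created it with until `wait-for-file` returns and the chmod runs, so the enclosing directory is what actually bounds access, yet `ensure-socket-dir` creates it with `(mkdir dir)` under the inherited umask; `(mkdir dir #o750)` before the `chown` closes that gap. The `adjusted-socket-permissions` field would benefit from a comment spelling out the three cases, `;; #f: leave the socket mode as created; #t: chmod 0660; an integer: chmod to that mode`. `parse-fcgiwrap-socket` validates only the shape of the string (any `[.0-9]+` passes as an IPv4 address, any digit run as a port) and the raw `socket` string is what is handed to `-s`, so a malformed value is first noticed by fcgiwrap itself rather than at configuration time.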
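Review bot: This key is of type `ssh-dss` (DSA), which OpenSSH has refused for public-key authentication by default since 7.0 and which is fixed at 1024 bits, below current strength recommendations. A sysadmin account provisioned with it through `sysadmin-service-type` will not be able to log in on a stock server unless `ssh-dss` is re-enabled via `PubkeyAcceptedKeyTypes`, which weakens the host for everyone; the other key files in this commit are `ssh-rsa` and `ssh-ed25519`, and this one should be replaced with one of those before it is relied on.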
diff --git a/historic/guix/keys/ssh/ng0.pub b/historic/guix/keys/ssh/ng0.pub new file mode 100644 index 0000000..6d4c6e1 --- /dev/null +++ b/historic/guix/keys/ssh/ng0.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBsKO/O2K6Q2sQ1a6EVzQkcnI1QbWeQ14uuxn+MplGG ng0@khazad-dum-2016-04-17 diff --git a/historic/guix/keys/ssh/stanisci.pub b/historic/guix/keys/ssh/stanisci.pub new file mode 100644 index 0000000..31a3c23 --- /dev/null +++ b/historic/guix/keys/ssh/stanisci.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIYb/6QP0HBsH9O0Y8gvthu+MWMu44fx0a2uw5R10bWNXALMQpBqAHImfv6X58KRKJYEnkpAcPHmiCmba8tvJo++UcyyEBQQfToFVmZv1afBBCg50pSv630SOaIVuLhpUcUyBkFYt4QFa2Eojj8+zrxEwjISQlRVcZMDwTk4icgSBJn3EL3TUQZp2as3EShU+3rtGEmyKdXgBMBpE0FU4xvSxtjAk1Nd4qAygR8nvWpK2ZeQRCF6sNLATK7iYOfdPNs10jK632pQc9CUE2NQ9bo4lz5pKRGUq3HBGTLmUWCkVCRSbTjiYfcJdNtkG4GKMyyJHDzlJJyzhCfJmmP1h stanisci diff --git a/historic/guix/modules/sysadmin/people.scm b/historic/guix/modules/sysadmin/people.scm new file mode 100644 index 0000000..121c268 --- /dev/null +++ b/historic/guix/modules/sysadmin/people.scm 
@@ -0,0 +1,73 @@ +;;; GNU Guix system administration tools. +;;; +;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org> +;;; +;;; This program is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; This program is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with this program. If not, see <http://www.gnu.org/licenses/>. + +(define-module (sysadmin people) + #:use-module (guix gexp) + #:use-module (guix records) + #:use-module (gnu services) + #:use-module (gnu system shadow) + #:use-module (gnu services ssh) + #:use-module (gnu packages base) + #:use-module (ice-9 match) + #:export (sysadmin? + sysadmin + sysadmin-service-type)) + +;;; Commentary: +;;; +;;; Declaration of system administrator user accounts. +;;; +;;; Code: + +(define-record-type* <sysadmin> sysadmin make-sysadmin + sysadmin? + (name sysadmin-name) + (full-name sysadmin-full-name) + (ssh-public-key sysadmin-ssh-public-key) + (restricted? sysadmin-restricted? (default #f))) + +(define (sysadmin->account sysadmin) + "Return the user account for SYSADMIN." + (match sysadmin + (($ <sysadmin> name comment _ restricted?) + (user-account + (name name) + (comment comment) + (group "users") + (supplementary-groups (if restricted? + '() + '("wheel" "kvm"))) ;sudoer + (home-directory (string-append "/home/" name)))))) + +(define (sysadmin->authorized-key sysadmin) + "Return an authorized key tuple for SYSADMIN." 
+ (list (sysadmin-name sysadmin) + (sysadmin-ssh-public-key sysadmin))) + +(define sysadmin-service-type + ;; The service that initializes sysadmin accounts. + (service-type + (name 'sysadmin) + (extensions (list (service-extension account-service-type + (lambda (lst) + (map sysadmin->account lst))) + (service-extension openssh-service-type + (lambda (lst) + (map sysadmin->authorized-key + lst))))))) + +;;; people.scm ends here diff --git a/historic/guix/modules/sysadmin/services.scm b/historic/guix/modules/sysadmin/services.scm new file mode 100644 index 0000000..df2380d --- /dev/null +++ b/historic/guix/modules/sysadmin/services.scm 
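Review bot: The `restricted?` field is the only thing deciding whether a declared sysadmin joins `wheel` (the sudo-to-root group on Guix) and `kvm`, but neither the record definition nor `sysadmin->account` says so; a comment on the field such as `;; #f: member of "wheel" (sudo to root) and "kvm"; #t: no supplementary groups` would make the privilege grant visible where accounts are declared. `sysadmin->authorized-key` passes `ssh-public-key` straight into the `openssh-service-type` extension, which as far as I recall expects a file-like object (e.g. a `local-file`) rather than a key string, so the field's expected type should be documented too. The positional `($ <sysadmin> name comment _ restricted?)` match silently binds the wrong values if the record's fields are ever reordered; the accessors (`sysadmin-name`, `sysadmin-full-name`, `sysadmin-restricted?`) are the safer spelling, as `sysadmin->authorized-key` already uses them.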
@@ -0,0 +1,143 @@ +;;; GNU Guix system administration tools. +;;; +;;; Copyright (C) Nils Gillmann <gillmann@n0.is> +;;; Parts and pieces initially taken from Guix' maintenance repository: +;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2017, 2018 Ricardo Wurmus <rekado@elephly.net> +;;; +;;; This program is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; This program is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with this program. If not, see <http://www.gnu.org/licenses/>. + +(define-module (sysadmin services) + #:use-module (guix gexp) + #:use-module (gnu services) + #:use-module (gnu services admin) + #:use-module (gnu services base) + #:use-module (gnu services cuirass) + #:use-module (gnu services mcron) + #:use-module (gnu services shepherd) + #:use-module (gnu services ssh) + #:use-module (gnu services web) + #:use-module (gnu packages linux) + #:use-module (gnu packages package-management) + #:use-module (gnu packages tls) + #:use-module (gnu packages web) + #:use-module (sysadmin people) + #:use-module (srfi srfi-1) + #:export (firewall-service + default-services)) + +(define start-firewall + ;; Rules to throttle malicious SSH connection attempts. This will allow at + ;; most 3 connections per minute from any host, and will block the host for + ;; another minute if this rate is exceeded. Taken from + ;; <http://www.la-samhna.de/library/brutessh.html#3>. + #~(let ((iptables + (lambda (str) + (zero? 
(apply system* + #$(file-append iptables + "/sbin/iptables") + (string-tokenize str)))))) + (format #t "Installing iptables SSH rules...~%") + (and (iptables "-A INPUT -p tcp --dport 22 -m state \ + --state NEW -m recent --set --name SSH -j ACCEPT") + (iptables "-A INPUT -p tcp --dport 22 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix SSH_brute_force") + (iptables "-A INPUT -p tcp --dport 22 -m recent \ + --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP")))) + +(define firewall-service + ;; The "firewall". Make it a Shepherd service because as an activation + ;; script it might run too early, before the Netfilter modules can be + ;; loaded for some reason. + (simple-service 'firewall shepherd-root-service-type + (list (shepherd-service + (provision '(firewall)) + (requirement '()) + (start #~(lambda () + #$start-firewall)) + (respawn? #f))))) + +(define %nginx-config + ;; Our nginx configuration directory. It expects 'guix publish' to be + ;; running on port 3000. + (computed-file "nginx-config" + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (mkdir #$output) + (chdir #$output) + (symlink #$(local-file "nginx/berlin.conf") + "berlin.conf") + (copy-file #$(local-file + "nginx/bayfront-locations.conf") + "berlin-locations.conf") + (substitute* "berlin-locations.conf" + (("@WWWROOT@") + #$(local-file "nginx/html/berlin" #:recursive? #t))))))) + +(define %nginx-cache-activation + ;; Make sure /var/cache/nginx exists on the first run. + (simple-service 'nginx-/var/cache/nginx + activation-service-type + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p "/var/cache/nginx"))))) + +(define %nginx-mime-types + ;; Provide /etc/nginx/mime.types (and a bunch of other files.) + (simple-service 'nginx-mime.types + etc-service-type + `(("nginx" ,(file-append nginx "/share/nginx/conf"))))) + + +;; FIXME: Use certbot-service. 
+;; Initial list of domains: +;; taler.net www.taler.net api.taler.net lcov.taler.net git.taler.net +;; gauger.taler.net buildbot.taler.net test.taler.net playground.test.taler.net +;; auditor.test.taler.net auditor.demo.taler.net demo.taler.net shop.test.taler.net +;; shop.demo.taler.net survey.test.taler.net survey.demo.taler.net +;; donations.demo.taler.net backend.test.taler.net backend.demo.taler.net +;; bank.test.taler.net bank.demo.taler.net www.git.taler.net +;; exchange.demo.taler.net exchange.test.taler.net env.taler.net +;; envs.taler.net blog.demo.taler.net blog.test.taler.net +;; donations.test.taler.net docs.taler.net intranet.taler.net +;; stage.taler.net + +(define %certbot-job +;; Attempt to renew the Let's Encrypt certificate twice a week. + #~(job (lambda (now + (next-day-from (next-hour-from now '(3)) + '(2 5))) + (string-append #$certbot "/bin/certbot renew")))) + +(define* (default-services sysadmins #:key nginx-config-file) + "Return the list of default services." + (cons* (service rottlog-service-type (rottlog-configuration)) + (service mcron-service-type + (mcron-configuration + (jobs (list %certbot-job)))) + firewall-service + + (service nginx-service-type + (nginx-configuration + (file nginx-config-file))) + + %nginx-mime-type + %nginx-cache-activation + + (service openssh-service-type) + (service sysadmin-service-type sysadmins))) diff --git a/historic/guix/shepherd-with-sock.scm b/historic/guix/shepherd-with-sock.scm new file mode 100644 index 0000000..a201c71 --- /dev/null +++ b/historic/guix/shepherd-with-sock.scm 
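Review bot: `default-services` references `%nginx-mime-type`, but the definition above is `%nginx-mime-types`, so loading this module fails with an unbound variable; the reference should read `%nginx-mime-types`. `%certbot-job` also has a misplaced parenthesis: the lambda's formals are written as `(now (next-day-from …))`, which is not a valid parameter list, and because the job sits inside a gexp the error only surfaces when mcron loads it; it should read `(lambda (now) (next-day-from (next-hour-from now '(3)) '(2 5)))`. In `start-firewall` every rule is added with `-A` and nothing checks for or flushes existing rules, so each restart of the `firewall` service appends a duplicate set of the three SSH rules; a `-C` check before each `-A` (or deleting the SSH rules first) keeps the chain idempotent. `%nginx-config` still symlinks `nginx/berlin.conf` and `bayfront-locations.conf`, apparently leftover from the Guix maintenance repository named in the header, and is not used by `default-services`, which takes `nginx-config-file` instead; it is worth a comment or removal so nobody assumes it is live.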
@@ -0,0 +1,237 @@ +(define-module (shepherd-with-sock) + #:use-module (ice-9 match) + #:use-module ((shepherd service) + #:select (handle-SIGCHLD read-pid-file)) + #:use-module ((shepherd support) + #:select (catch-system-error)) + #:use-module ((shepherd system) + #:select (max-file-descriptors)) + #:export (make-forkexec-constructor)) + + +(define default-service-directory (@@ (shepherd service) default-service-directory)) +(define default-environment-variables (@@ (shepherd service) default-environment-variables)) +(define %pid-file-timeout (@@ (shepherd service) %pid-file-timeout)) + + +(define (clean-up-file file) + (when file + (catch 'system-error + (lambda () + (delete-file file)) + (lambda args + (unless (= ENOENT (system-error-errno args)) + (apply throw args)))))) + + +(define (open-service-stdin stdin-socket) + (define (get-sock pf af . addr) + (let ((sock (socket pf SOCK_STREAM 0))) + (apply bind sock af addr) + (fileno sock))) + (match stdin-socket + (('unix sockpath) + (clean-up-file sockpath) + (get-sock PF_UNIX AF_UNIX sockpath)) + (('tcp addr port) + (get-sock PF_INET AF_INET (inet-pton AF_INET addr) port)) + (('tcp6 addr port) + (get-sock PF_INET6 AF_INET6 (inet-pton AF_INET6 addr) port)) + (#f + ;; Make sure file descriptor zero is used, so we don't end up reusing + ;; it for something unrelated, which can confuse some packages. + (open-fdes "/dev/null" O_RDONLY)))) + + +(define* (exec-command command + #:key + (user #f) + (group #f) + (log-file #f) + (directory (default-service-directory)) + (environment-variables (default-environment-variables)) + (stdin-socket #f)) + "Run COMMAND as the current process from DIRECTORY, and with +ENVIRONMENT-VARIABLES (a list of strings like \"PATH=/bin\".) File +descriptors 1 and 2 are kept as is or redirected to LOG-FILE if it's true, +whereas file descriptor 0 (standard input) points to /dev/null; all other file +descriptors are closed prior to yielding control to COMMAND. 
+ +By default, COMMAND is run as the current user. If the USER keyword +argument is present and not false, change to USER immediately before +invoking COMMAND. USER may be a string, indicating a user name, or a +number, indicating a user ID. Likewise, COMMAND will be run under the +current group, unless the GROUP keyword argument is present and not +false." + (match command + ((program args ...) + ;; Become the leader of a new session and session group. + ;; Programs such as 'mingetty' expect this. + (setsid) + + (chdir directory) + (environ environment-variables) + + ;; Close all the file descriptors except stdout and stderr. + (let ((max-fd (max-file-descriptors))) + ;; Redirect stdin to use /dev/null or stdin-socket + (catch-system-error (close-fdes 0)) + + ;; Make sure file descriptor zero is always used, so we don't end up reusing + ;; it for something unrelated, which can confuse some packages. + (dup2 (open-service-stdin stdin-socket) 0) + + (when log-file + (catch #t + (lambda () + ;; Redirect stout and stderr to use LOG-FILE. + (catch-system-error (close-fdes 1)) + (catch-system-error (close-fdes 2)) + (dup2 (open-fdes log-file (logior O_CREAT O_WRONLY O_APPEND)) 1) + (dup2 1 2)) + (lambda (key . args) + (format (current-error-port) + "failed to open log-file ~s:~%" log-file) + (print-exception (current-error-port) #f key args) + (primitive-exit 1)))) + + ;; setgid must be done *before* setuid, otherwise the user will + ;; likely no longer have permissions to setgid. + (when group + (catch #t + (lambda () + ;; Clear supplementary groups. + (setgroups #()) + (setgid (group:gid (getgr group)))) + (lambda (key . args) + (format (current-error-port) + "failed to change to group ~s:~%" group) + (print-exception (current-error-port) #f key args) + (primitive-exit 1)))) + + (when user + (catch #t + (lambda () + (setuid (passwd:uid (getpw user)))) + (lambda (key . 
args) + (format (current-error-port) + "failed to change to user ~s:~%" user) + (print-exception (current-error-port) #f key args) + (primitive-exit 1)))) + + ;; As the last action, close file descriptors. Doing it last makes + ;; "error in the finalization thread: Bad file descriptor" issues + ;; unlikely on 2.2. + (let loop ((i 3)) + (when (< i max-fd) + ;; First try to close any ports associated with file descriptor I. + ;; Otherwise the finalization thread might get around to closing + ;; those ports eventually, which will raise an EBADF exception (on + ;; 2.2), leading to messages like "error in the finalization + ;; thread: Bad file descriptor". + (for-each (lambda (port) + (catch-system-error (close-port port))) + (fdes->ports i)) + (catch-system-error (close-fdes i)) + (loop (+ i 1))))) + + (catch 'system-error + (lambda () + (apply execlp program program args)) + (lambda args + (format (current-error-port) + "exec of ~s failed: ~a~%" + program (strerror (system-error-errno args))) + (primitive-exit 1)))))) + +(define (ensure-sigchld-handler) + (unless (@@ (shepherd service) %sigchld-handler-installed?) + (sigaction SIGCHLD handle-SIGCHLD SA_NOCLDSTOP) + (set! (@@ (shepherd service) %sigchld-handler-installed?) #t))) + +(define* (fork+exec-command command + #:key + (user #f) + (group #f) + (log-file #f) + (directory (default-service-directory)) + (environment-variables + (default-environment-variables)) + (stdin-socket #f)) + "Spawn a process that executed COMMAND as per 'exec-command', and return +its PID." + (ensure-sigchld-handler) + ;; Install the SIGCHLD handler if this is the first fork+exec-command call + (let ((pid (primitive-fork))) + (if (zero? 
pid) + (exec-command command + #:user user + #:group group + #:log-file log-file + #:directory directory + #:environment-variables environment-variables + #:stdin-socket stdin-socket) + pid))) + + + +(define make-forkexec-constructor + (let ((warn-deprecated-form + ;; Until 0.1, this procedure took a rest list. + (lambda () + (issue-deprecation-warning + "This 'make-forkexec-constructor' form is deprecated; use + (make-forkexec-constructor '(\"PROGRAM\" \"ARGS\"...).")))) + (case-lambda* + "Return a procedure that forks a child process, closes all file +descriptors except the standard output and standard error descriptors, sets +the current directory to @var{directory}, changes the environment to +@var{environment-variables} (using the @code{environ} procedure), sets the +current user to @var{user} and the current group to @var{group} unless they +are @code{#f}, and executes @var{command} (a list of strings.) The result of +the procedure will be the PID of the child process. + +When @var{pid-file} is true, it must be the name of a PID file associated with +the process being launched; the return value is the PID read from that file, +once that file has been created. If @var{pid-file} does not show up in less +than @var{pid-file-timeout} seconds, the service is considered as failing to +start." + ((command #:key + (user #f) + (group #f) + (directory (default-service-directory)) + (environment-variables (default-environment-variables)) + (pid-file #f) + (pid-file-timeout %pid-file-timeout) + (log-file #f) + (stdin-socket #f)) + (let ((command (if (string? 
command) + (begin + (warn-deprecated-form) + (list command)) + command))) + (lambda args + (clean-up-file pid-file) + (clean-up-file log-file) + + (let ((pid (fork+exec-command command + #:user user + #:group group + #:log-file log-file + #:directory directory + #:environment-variables + environment-variables + #:stdin-socket stdin-socket))) + (if pid-file + (match (read-pid-file pid-file + #:max-delay pid-file-timeout) + (#f + (catch-system-error (kill pid SIGTERM)) + #f) + ((? integer? pid) + pid)) + pid))))) + ((program . program-args) + ;; The old form, documented until 0.1 included. + (warn-deprecated-form) + (make-forkexec-constructor (cons program program-args)))))) diff --git a/historic/guix/taler-helpers.scm b/historic/guix/taler-helpers.scm new file mode 100644 index 0000000..7f0b7c5 --- /dev/null +++ b/historic/guix/taler-helpers.scm @@ -0,0 +1,39 @@ +(define-module (taler-helpers) + #:use-module (guix) + #:use-module (guix utils) + #:use-module (ice-9 textual-ports) + #:export (concat-local-files)) + +;;; +;;; Helpers +;;; + +(define (absolute-file-name file directory) + "Return the canonical absolute file name for FILE, which lives in the +vicinity of DIRECTORY." + (canonicalize-path + (cond ((string-prefix? "/" file) file) + ((not directory) file) + ((string-prefix? "/" directory) + (string-append directory "/" file)) + (else file)))) + +(define (%%concat-local-files srcdir outname files) + (define (slurp f) + (call-with-input-file (absolute-file-name f srcdir) get-string-all)) + (define (file-concat files) + (string-concatenate (map slurp files))) + (plain-file outname (file-concat files))) + + +(define-syntax concat-local-files + (lambda (s) + (syntax-case s () + ((_ outname files) + #'(%%concat-local-files (current-source-directory) outname files)) + ((_) + #'(syntax-error "missing arguments")) + (id + (identifier? #'id) + #'(syntax-error + "'concat-local-files' is a macro and cannot be used like this"))))) |
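Review bot: `exec-command`'s docstring still states that file descriptor 0 "points to /dev/null", but with the new STDIN-SOCKET argument it is a bound socket whenever that argument is given; the sentence should become `whereas file descriptor 0 (standard input) points to /dev/null, or to a socket bound to STDIN-SOCKET ('(unix PATH), '(tcp ADDR PORT) or '(tcp6 ADDR PORT)) when that is given`. `open-service-stdin` binds the socket but never calls `listen`, so the child inherits a bound, non-listening descriptor; unless every program started this way calls `listen` on fd 0 itself, `(listen sock 128)` (or a backlog keyword) belongs after the `bind` in `get-sock`. For the `'unix` case the socket file is created under the inherited umask and no mode is set here, so callers must fix its permissions afterwards, which is worth saying in the docstring. The comment `;; Install the SIGCHLD handler if this is the first fork+exec-command call` in `fork+exec-command` sits after the `(ensure-sigchld-handler)` call it describes and should move above it.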
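Review bot: `concat-local-files` and `%%concat-local-files` carry no documentation, and two properties that are not obvious from the call site deserve stating: FILES are resolved relative to the directory of the source file that expands the macro (`current-source-directory`), and they are read by `slurp` on the host at the moment the expression is evaluated, not inside a derivation, so a missing or unreadable file fails the `guix` invocation rather than a build. `slurp` goes through a textual port (`call-with-input-file` plus `get-string-all`), so the content is decoded with the port's default encoding and re-encoded by `plain-file`; bytes that are invalid in that encoding do not pass through unchanged, which matters if the concatenated files are anything other than plain ASCII/UTF-8 text. A docstring along the lines of `"Return a plain-file named OUTNAME holding the concatenation of FILES, resolved relative to SRCDIR and read eagerly as text."` on `%%concat-local-files` would cover both points.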