From 12c47e9e034ecb4a99a81780218beb8ace2f32e9 Mon Sep 17 00:00:00 2001
From: Sander van der Burg
Date: Fri, 5 Mar 2021 22:11:09 +0100
Subject: [PATCH] Add reverse proxy service with basic authentication

---
 README.md | 4 ++
 example-deployments/disnix/processes-bare.nix | 4 --
 .../disnix/processes-with-tomcat-mysql.nix | 13 +++++-
 .../basic-auth-reverse-proxy-apache.nix | 45 +++++++++++++++++++
 .../apache/reverse-proxy-apache.nix | 5 ++-
 services-agnostic/constructors.nix | 5 +++
 6 files changed, 70 insertions(+), 6 deletions(-)
 create mode 100644 services-agnostic/apache/basic-auth-reverse-proxy-apache.nix

diff --git a/README.md b/README.md
index fb63185..69652e9 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,10 @@ systems that consist of multiple processes: MySQL, PostgreSQL, Nginx, the
 Apache HTTP server, `svnserve`, Docker etc.
 * `hydra`: demonstrates how to deploy [Hydra](https://nixos.org/hydra): the
 Nix-based continuous integration system
+* `disnix` demonstrates how to deploy [Disnix](https://github.com/svanderburg/disnix)
+ including container provider services and the
+ [DisnixWebService](https://github.com/svanderburg/DisnixWebService) providing
+ remote deployment support via a web service.
 
 Deploying the example systems
 =============================
diff --git a/example-deployments/disnix/processes-bare.nix b/example-deployments/disnix/processes-bare.nix
index fb1b789..32896c6 100644
--- a/example-deployments/disnix/processes-bare.nix
+++ b/example-deployments/disnix/processes-bare.nix
@@ -14,10 +14,6 @@ let
 constructors = import ../../services-agnostic/constructors.nix {
 inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
 };
-
- containerProviderConstructors = import ../../service-containers-agnostic/constructors.nix {
- inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir spoolDir forceDisableUserChange processManager;
- };
 in
 rec {
 sshd = {
diff --git a/example-deployments/disnix/processes-with-tomcat-mysql.nix b/example-deployments/disnix/processes-with-tomcat-mysql.nix
index 5ac3ce3..97e06a0 100644
--- a/example-deployments/disnix/processes-with-tomcat-mysql.nix
+++ b/example-deployments/disnix/processes-with-tomcat-mysql.nix
@@ -42,11 +42,22 @@ rec {
 };
 
 apache = {
- pkg = constructors.reverseProxyApache {
+ pkg = constructors.basicAuthReverseProxyApache {
 dependency = tomcat;
 serverAdmin = "admin@localhost";
 targetProtocol = "ajp";
 portPropertyName = "ajpPort";
+
+ authName = "DisnixWebService";
+ authUserFile = pkgs.stdenv.mkDerivation {
+ name = "htpasswd";
+ buildInputs = [ pkgs.apacheHttpd ];
+ buildCommand = ''
+ htpasswd -cb ./htpasswd admin secret
+ mv htpasswd $out
+ '';
+ };
+ requireUser = "admin";
 };
 };
 
diff --git a/services-agnostic/apache/basic-auth-reverse-proxy-apache.nix b/services-agnostic/apache/basic-auth-reverse-proxy-apache.nix
new file mode 100644
index 0000000..14e2613
--- /dev/null
+++ b/services-agnostic/apache/basic-auth-reverse-proxy-apache.nix
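Review bot: The `authUserFile` derivation hard-codes the credential pair `admin`/`secret` in the Nix expression, and because its output is a Nix store path the generated htpasswd file is readable by every local user on the host, so this works as a demo but must not be copied into a real deployment. `htpasswd -b` without `-B` also stores an apr1-MD5 hash by default; `htpasswd -cbB ./htpasswd admin secret` would produce a bcrypt hash at no extra cost. A comment on the `authUserFile = pkgs.stdenv.mkDerivation {` line should say so, e.g. `# Demo credentials only: the resulting store path is world-readable; point authUserFile at a file outside the store for real use`.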
@@ -0,0 +1,45 @@ +{createManagedProcess, stdenv, lib, runCommand, apacheHttpd, php, writeTextFile, logDir, runtimeDir, cacheDir, forceDisableUserChange}: + +{ instanceSuffix ? "" +, instanceName ? "apache${instanceSuffix}" +, port ? 80 +, serverName ? "localhost" +, serverAdmin +, documentRoot ? ../http-server-common/webapp +, enablePHP ? false +, enableCGI ? false +, targetProtocol ? "http" +, portPropertyName ? "port" +, dependency +, modules ? [] +, authName +, authUserFile ? null +, authGroupFile ? null +, requireUser ? null +, requireGroup ? null +, extraConfig ? "" +, postInstall ? "" +}: + +import ./reverse-proxy-apache.nix { + inherit createManagedProcess stdenv lib runCommand apacheHttpd php writeTextFile logDir runtimeDir cacheDir forceDisableUserChange; +} { + inherit instanceSuffix instanceName port serverName serverAdmin documentRoot enablePHP enableCGI targetProtocol portPropertyName dependency modules extraConfig postInstall; + extraProxySettings = '' + AuthType basic + AuthName "${authName}" + AuthBasicProvider file + '' + + lib.optionalString (authUserFile != null) '' + AuthUserFile ${authUserFile} + '' + + lib.optionalString (authGroupFile != null) '' + AuthGroupFile ${authGroupFile} + '' + + lib.optionalString (requireUser != null) '' + Require user ${requireUser} + '' + + lib.optionalString (requireGroup != null) '' + Require group ${requireGroup} + ''; +} diff --git a/services-agnostic/apache/reverse-proxy-apache.nix b/services-agnostic/apache/reverse-proxy-apache.nix index b853034..422aa0f 100644 --- a/services-agnostic/apache/reverse-proxy-apache.nix +++ b/services-agnostic/apache/reverse-proxy-apache.nix @@ -11,6 +11,8 @@ , targetProtocol ? "http" , portPropertyName ? "port" , dependency +, modules ? [] +, extraProxySettings ? "" , extraConfig ? "" , postInstall ? "" }: 
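Review bot: `AuthType basic` and `AuthBasicProvider file` are emitted unconditionally, but with the defaults `authUserFile ? null`, `requireUser ? null` and `requireGroup ? null` the generated block has neither a user file nor any `Require` directive, so a caller that omits them gets a configuration Apache cannot authenticate against instead of an evaluation-time error. Adding `assert authUserFile != null;` and `assert requireUser != null || requireGroup != null;` immediately before the `import ./reverse-proxy-apache.nix {` line would surface that at eval time. The file header should also document that when both `requireUser` and `requireGroup` are set the two `Require` lines combine under Apache 2.4's implicit RequireAny semantics (either one matching grants access), and that `authName`, `authUserFile`, `authGroupFile` and the `require*` values are spliced into the config verbatim, so callers must pass already-valid directive arguments. Where `extraProxySettings` finally lands in the httpd configuration is decided by reverse-proxy-apache.nix, which is outside this hunk.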
@@ -40,11 +42,12 @@ import ./simple-webapp-apache.nix { "slotmem_shm" "xml2enc" "watchdog" - ]; + ] ++ modules; extraConfig = '' Order deny,allow Allow from all + ${extraProxySettings} ProxyRequests Off diff --git a/services-agnostic/constructors.nix b/services-agnostic/constructors.nix index c61ccdf..a4db4ff 100644 --- a/services-agnostic/constructors.nix +++ b/services-agnostic/constructors.nix @@ -32,6 +32,11 @@ in inherit (pkgs) stdenv lib runCommand apacheHttpd php writeTextFile; }; + basicAuthReverseProxyApache = import ./apache/basic-auth-reverse-proxy-apache.nix { + inherit createManagedProcess logDir cacheDir runtimeDir forceDisableUserChange; + inherit (pkgs) stdenv lib runCommand apacheHttpd php writeTextFile; + }; + tomcat = import ./apache-tomcat { inherit createManagedProcess stateDir runtimeDir tmpDir forceDisableUserChange; inherit (pkgs) lib;
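Review bot: `${extraProxySettings}` is spliced directly after the legacy `Order deny,allow` / `Allow from all` pair, so the `Require` directives the new basic-auth wrapper passes through end up in the same block as mod_access_compat directives, a mix Apache's 2.4 upgrade guide discourages because the two authorization styles interact in non-obvious ways; the enclosing container and the rest of the `extraConfig` string are outside the hunk. This deserves a comment on the `extraProxySettings ? ""` parameter in the first hunk of this file, e.g. `# Inserted verbatim into the proxy block next to the legacy Order/Allow directives; pass 2.4-style Require directives only and do not add Order/Allow/Deny here`. Separately, `] ++ modules` does no de-duplication against the built-in module list, so a caller passing a module that is already there would presumably trigger Apache's module-already-loaded warning; `] ++ lib.unique modules` or `lib.unique (… ++ modules)` would avoid that, and `lib` is passed into this file by the new wrapper.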