Add nginx reverse proxy configuration

2023-06-06 13:47:57 -07:00 · 2023-06-06 13:47:57 -07:00 · bf2aefd507
parent 86a8837305
commit bf2aefd507
2 changed files with 36 additions and 40 deletions
--- a/module.nix
+++ b/module.nix
@ -1,7 +1,7 @@
 flake: { config, lib, pkgs, ... }:

 let
-  inherit (lib) mapAttrsToList mkEnableOption mkMerge mkOption types;
+  inherit (lib) filterAttrs foldl imap1 mapAttrsToList mkEnableOption mkIf mkMerge mkOption types;
  intakeCfg = config.services.intake;
 in {
  options = {
@ -9,13 +9,19 @@ in {
      listen.addr = mkOption {
        type = types.str;
        default = "0.0.0.0";
-        description = "Listen address for the nginx entry point.";
+        description = "The listen address for the entry point to intake services. This endpoint will redirect to a local port based on the request's HTTP Basic Auth credentials.";
      };

      listen.port = mkOption {
        type = types.port;
-        default = 80;
-        description = "Listen port for the nginx entry point.";
+        default = 8032;
+        description = "The listen port for the entry point to intake services. This endpoint will redirect to a local port based on the request's HTTP Basic Auth credentials.";
+      };
+
+      internalPortStart = mkOption {
+        type = types.port;
+        default = 24130;
+        description = "The first port to use for internal service endpoints. A number of ports will be continguously allocated equal to the number of users with enabled intake services.";
      };

      users = mkOption {
@ -41,11 +47,18 @@ in {
    # Define the intake package and a python environment to run it from
    intake = flake.packages.${pkgs.stdenv.hostPlatform.system}.default;
    pythonEnv = pkgs.python38.withPackages (pypkgs: [ intake ]);
+
+    # Assign each user an internal port for their personal intake instance
+    enabledUsers = filterAttrs (userName: userCfg: userCfg.enable) intakeCfg.users;
+    enabledUserNames = mapAttrsToList (userName: userCfg: userName) enabledUsers;
+    userPortList = imap1 (i: userName: { ${userName} = i + intakeCfg.internalPortStart; }) enabledUserNames;
+    userPort = foldl (acc: val: acc // val) {} userPortList;
  in {
+    # Define a user service for each configured user
    systemd.services =
    let
      runScript = userName: pkgs.writeShellScript "intake-run.sh" ''
-        ${pythonEnv}/bin/intake run -d /home/${userName}/.local/share/intake
+        ${pythonEnv}/bin/intake run -d /home/${userName}/.local/share/intake --port ${toString userPort.${userName}}
      '';
      # systemd service definition for a single user, given `services.intake.users.userName` = `userCfg`
      userServiceConfig = userName: userCfg: {
@ -63,5 +76,22 @@ in {
        };
      };
    in mkMerge (mapAttrsToList userServiceConfig intakeCfg.users);
+
+    # Define an nginx reverse proxy to request auth
+    services.nginx = mkIf (enabledUsers != {}) {
+      enable = true;
+      virtualHosts."intake" = mkIf (enabledUsers != {}) {
+        listen = [ intakeCfg.listen ];
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:$target_port";
+          basicAuth = { alpha = "alpha"; beta = "beta"; };
+        };
+        extraConfig = foldl (acc: val: acc + val) "" (mapAttrsToList (userName: port: ''
+          if ($remote_user = "${userName}") {
+            set $target_port ${toString port};
+          }
+        '') userPort);
+      };
+    };
  };
 }
--- a/tests/demo.nix
+++ b/tests/demo.nix
@ -11,41 +11,7 @@ flake: { pkgs, ... }:

  services.intake.users.alpha.enable = true;

-  services.nginx.enable = true;
-  services.nginx.virtualHosts = {
-    alpha-fsid = {
-      listen = [ { addr = "localhost"; port = 8030; } ];
-      locations."/".tryFiles = "/dev/null @dummy";
-      locations."@dummy" = {
-        proxyPass = "http://127.0.0.1:5000";
-      };
-    };
-    beta-fsid = {
-      listen = [ { addr = "localhost"; port = 8031; } ];
-      locations."/".tryFiles = "/dev/null @dummy";
-      locations."@dummy" = {
-        return = "200 'youve reached beta'";
-        extraConfig = ''
-          add_header Content-Type text/plain always;
-        '';
-      };
-    };
-    redirector = {
-      listen = [ { addr = "localhost"; port = 8032; } ];
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:$target_port";
-        basicAuth = { alpha = "alpha"; beta = "beta"; };
-      };
-      extraConfig = ''
-        if ($remote_user ~ "alpha|^$") {
-          set $target_port 8030;
-        }
-        if ($remote_user = "beta") {
-          set $target_port 8031;
-        }
-      '';
-    };
-  };
+  services.intake.users.beta.enable = true;

  users.users.alpha = {
    isNormalUser = true;