nixos/freshrss: authType option

This patch adds an `authType` option to enable configuring FreshRSS's `auth_type` parameter. Upstream documentation for this feature is located here: https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html An accompanying NixOS test is provided to confirm this feature works as expected.
2023-07-16 14:47:27 -05:00 · 2023-07-16 14:47:27 -05:00 · c4d28ff161
commit c4d28ff161
parent b49c4f87f9
3 changed files with 64 additions and 19 deletions
--- a/nixos/modules/services/web-apps/freshrss.nix
+++ b/nixos/modules/services/web-apps/freshrss.nix
@ -7,7 +7,7 @@ let
  poolName = "freshrss";
 in
 {
-  meta.maintainers = with maintainers; [ etu stunkymonkey ];
+  meta.maintainers = with maintainers; [ etu stunkymonkey mattchrist ];

  options.services.freshrss = {
    enable = mkEnableOption (mdDoc "FreshRSS feed reader");
@ -27,7 +27,8 @@ in
    };

    passwordFile = mkOption {
-      type = types.path;
+      type = types.nullOr types.path;
+      default = null;
      description = mdDoc "Password for the defaultUser for FreshRSS.";
      example = "/run/secrets/freshrss";
    };
@ -120,7 +121,13 @@ in
    user = mkOption {
      type = types.str;
      default = "freshrss";
-      description = lib.mdDoc "User under which Freshrss runs.";
+      description = lib.mdDoc "User under which FreshRSS runs.";
+    };
+
+    authType = mkOption {
+      type = types.enum [ "form" "http_auth" "none" ];
+      default = "form";
+      description = mdDoc "Authentication type for FreshRSS.";
    };
  };

@ -160,6 +167,14 @@ in
      };
    in
    mkIf cfg.enable {
+      assertions = mkIf (cfg.authType == "form") [
+        {
+          assertion = cfg.passwordFile != null;
+          message = ''
+            `passwordFile` must be supplied when using "form" authentication!
+          '';
+        }
+      ];
      # Set up a Nginx virtual host.
      services.nginx = mkIf (cfg.virtualHost != null) {
        enable = true;
@ -227,7 +242,7 @@ in
          settingsFlags = concatStringsSep " \\\n    "
            (mapAttrsToList (k: v: "${k} ${toString v}") {
              "--default_user" = ''"${cfg.defaultUser}"'';
-              "--auth_type" = ''"form"'';
+              "--auth_type" = ''"${cfg.authType}"'';
              "--base_url" = ''"${cfg.baseUrl}"'';
              "--language" = ''"${cfg.language}"'';
              "--db-type" = ''"${cfg.database.type}"'';
@ -255,20 +270,30 @@ in
            FRESHRSS_DATA_PATH = cfg.dataDir;
          };

-          script = ''
-            # do installation or reconfigure
-            if test -f ${cfg.dataDir}/config.php; then
-              # reconfigure with settings
-              ./cli/reconfigure.php ${settingsFlags}
-              ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
-            else
-              # check correct folders in data folder
-              ./cli/prepare.php
-              # install with settings
-              ./cli/do-install.php ${settingsFlags}
-              ./cli/create-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
-            fi
-          '';
+          script =
+            let
+              userScriptArgs = ''--user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"'';
+              updateUserScript = optionalString (cfg.authType == "form") ''
+                ./cli/update-user.php ${userScriptArgs}
+              '';
+              createUserScript = optionalString (cfg.authType == "form") ''
+                ./cli/create-user.php ${userScriptArgs}
+              '';
+            in
+            ''
+              # do installation or reconfigure
+              if test -f ${cfg.dataDir}/config.php; then
+                # reconfigure with settings
+                ./cli/reconfigure.php ${settingsFlags}
+                ${updateUserScript}
+              else
+                # check correct folders in data folder
+                ./cli/prepare.php
+                # install with settings
+                ./cli/do-install.php ${settingsFlags}
+                ${createUserScript}
+              fi
+            '';
        };

      systemd.services.freshrss-updater = {
--- a/nixos/tests/freshrss-http-auth.nix
+++ b/nixos/tests/freshrss-http-auth.nix
@ -0,0 +1,20 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "freshrss";
+  meta.maintainers = with lib.maintainers; [ mattchrist ];
+
+  nodes.machine = { pkgs, ... }: {
+    services.freshrss = {
+      enable = true;
+      baseUrl = "http://localhost";
+      dataDir = "/srv/freshrss";
+      authType = "http_auth";
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_open_port(80)
+    response = machine.succeed("curl -vvv -s -H 'Host: freshrss' -H 'Remote-User: testuser' http://127.0.0.1:80/i/")
+    assert 'Account: testuser' in response, "http_auth method didn't work."
+  '';
+})
--- a/pkgs/servers/web-apps/freshrss/default.nix
+++ b/pkgs/servers/web-apps/freshrss/default.nix
@ -18,7 +18,7 @@ stdenvNoCC.mkDerivation rec {
  };

  passthru.tests = {
-    inherit (nixosTests) freshrss-sqlite freshrss-pgsql;
+    inherit (nixosTests) freshrss-sqlite freshrss-pgsql freshrss-http-auth;
  };

  buildInputs = [ php ];