Diffstat (limited to 'modules')
-rw-r--r--modules/apps/sproxy2.nix177
-rw-r--r--modules/pkgs/sproxy2/default.nix16
-rw-r--r--modules/pkgs/sproxy2/http-client-tls.nix18
-rw-r--r--modules/pkgs/sproxy2/http-client.nix27
-rw-r--r--modules/pkgs/sproxy2/http-conduit.nix29
-rw-r--r--modules/pkgs/sproxy2/main.nix28
6 files changed, 295 insertions, 0 deletions
diff --git a/modules/apps/sproxy2.nix b/modules/apps/sproxy2.nix
new file mode 100644
index 0000000..de95847
--- /dev/null
+++ b/modules/apps/sproxy2.nix
@@ -0,0 +1,177 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+ inherit (builtins) elem isBool isString;
+ inherit (lib)
+ concatMapStringsSep concatStringsSep filterAttrs imap
+ mapAttrsToList mkEnableOption mkIf mkOption optionalString ;
+ inherit (lib.types)
+ attrsOf bool enum int listOf nullOr path str submodule ;
+
+ explicit = filterAttrs (n: v: n != "_module" && v != null);
+ mandatory = t: mkOption { type = t; };
+ optional = t: mkOption { type = nullOr t; default = null; };
+ concatMapAttrsSep = s: f: attrs: concatStringsSep s (mapAttrsToList f attrs);
+
+ cfg = config.nixsap.apps.sproxy2;
+
+ show = v:
+ if isString v then ''"${v}"''
+ else if isBool v then (if v then "true" else "false")
+ else toString v;
+
+ top = concatMapAttrsSep "\n" (k: v: "${k}: ${show v}")
+ (filterAttrs (n: _:
+ ! elem n [
+ "backends"
+ "enable"
+ "oauth2"
+ "ssl_cert_chain"
+ ]
+ ) (explicit cfg));
+
+ configFile = with cfg; pkgs.writeText "sproxy.yml" ''
+ ---
+ ${top}
+
+ ${optionalString (ssl_cert_chain != [])
+ ''ssl_cert_chain:
+ ${concatMapStringsSep "\n" (f: " - ${show f}") ssl_cert_chain}''}
+
+
+ oauth2:
+ ${concatMapAttrsSep "\n\n" (p: {client_id, client_secret, ...}: ''
+ ${" ${p}"}:
+ client_id: ${show client_id}
+ client_secret: ${show client_secret}''
+ ) cfg.oauth2}
+
+
+ backends:
+ ${concatMapStringsSep "\n\n" (b:
+ let lines = mapAttrsToList (k: v: "${k}: ${show v}") (explicit b);
+ be = imap (i: l: " " + (if i == 1 then "- ${l}" else " ${l}")) lines;
+ in concatStringsSep "\n" be
+ ) cfg.backends}
+
+ ...
+ '';
+
+ keys = [ cfg.ssl_key cfg.pgpassfile ]
+ ++ mapAttrsToList (_: c: c.client_secret) (explicit cfg.oauth2)
+ ;
+
+ oauth2 = mkOption {
+ description = ''
+ OAuth2 providers. At least one is required.
+ Refer to Sproxy2 for supported providers.
+ '';
+ type = attrsOf (submodule {
+ options = {
+ client_id = mandatory str;
+ client_secret = mandatory path;
+ };
+ });
+ };
+
+ backends = mkOption {
+ description = ''
+ Backends. At least one is required.
+ Refer to Sproxy2 for description.
+ '';
+ type = listOf (submodule {
+ options = {
+ address = optional str;
+ conn_count = optional int;
+ cookie_domain = optional str;
+ cookie_max_age = optional int;
+ cookie_name = optional str;
+ name = optional str;
+ port = optional int;
+ socket = optional path;
+ };
+ });
+ };
+
+in {
+ options.nixsap.apps.sproxy2 = {
+ enable = mkEnableOption "sproxy2";
+ inherit oauth2 backends;
+ user = mkOption {
+ description = "User to run as";
+ type = str;
+ default = "sproxy2";
+ };
+ home = mkOption {
+ description = "Sproxy2 home directory for internal data";
+ type = path;
+ default = "/sproxy2";
+ };
+ listen = mkOption {
+ description = "TCP port to listen on";
+ type = int;
+ default = 443;
+ };
+ listen80 = mkOption {
+ description = "Whether to listen on port 80 (and redirect to HTTPS)";
+ type = bool;
+ default = true;
+ };
+ http2 = mkOption {
+ description = "Whether HTTP/2 is enabled";
+ type = nullOr bool;
+ default = null;
+ };
+ log_level = mkOption {
+ description = "Log level";
+ type = enum [ "error" "warn" "info" "debug" ];
+ default = "info";
+ };
+ database = mkOption {
+ description = "PostgreSQL connection string";
+ type = nullOr str;
+ default = null;
+ example = "host=db.example.net user=sproxy dbname=sproxy port=6000";
+ };
+ pgpassfile = mkOption {
+ description = "PostgreSQL password file (secret)";
+ type = nullOr path;
+ default = null;
+ };
+ ssl_key = mkOption {
+ description = "SSL key (PEM format) - secret";
+ type = path;
+ };
+ ssl_cert = mkOption {
+ description = "SSL certificate (PEM format)";
+ type = path;
+ };
+ ssl_cert_chain = mkOption {
+ description = "SSL certificate chain";
+ type = listOf path;
+ default = [];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ nixsap.system.users.daemons = [ cfg.user ];
+ nixsap.deployment.keyrings.${cfg.user} = keys;
+ systemd.services.sproxy2 = {
+ description = "Sproxy2 secure HTTP proxy";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "keys.target" ];
+ after = [ "keys.target" "network.target" "local-fs.target" ];
+ preStart = ''
+ mkdir -p -- '${cfg.home}'
+ chown -Rc '${cfg.user}:${cfg.user}' -- '${cfg.home}'
+ chmod -Rc u=rwX,g=rX,o= -- '${cfg.home}'
+ '';
+ serviceConfig = {
+ ExecStart = "${pkgs.sproxy2}/bin/sproxy2 --config=${configFile}";
+ Restart = "always";
+ };
+ };
+ };
+}
+
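Review bot: `show` wraps string values in double quotes without escaping them, so an option value containing `"` or `\` (for example `database`, `cookie_name`, or a backend `name`) yields malformed YAML or can splice additional keys into the generated sproxy.yml; emitting the string with `builtins.toJSON`, whose output is a valid YAML double-quoted scalar, closes that gap: `if isString v then builtins.toJSON v`. Separately, `serviceConfig` sets no `User=`, so the unit starts as root; since `user` is written into the config file via `top`, this presumably relies on sproxy2 dropping privileges itself after binding port 443, and a comment on the unit stating that assumption (`# sproxy2 binds :443 as root and switches to cfg.user per its config`) would save the next reader from guessing. Finally, `keys` includes `cfg.pgpassfile` even when it is null (the default); whether `nixsap.deployment.keyrings` tolerates a null entry is not visible here, and `lib.optional (cfg.pgpassfile != null) cfg.pgpassfile` would avoid the question.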
diff --git a/modules/pkgs/sproxy2/default.nix b/modules/pkgs/sproxy2/default.nix
new file mode 100644
index 0000000..1e0bdf5
--- /dev/null
+++ b/modules/pkgs/sproxy2/default.nix
@@ -0,0 +1,16 @@
+{ haskellPackages }:
+
+/*
+ XXX: Sproxy2 need some libraries missed in nixpkgs 16.09
+*/
+
+let myHaskellPkgs = haskellPackages.override {
+ overrides = self: super: {
+ http-client = self.callPackage ./http-client.nix {};
+ http-client-tls = self.callPackage ./http-client-tls.nix {};
+ http-conduit = self.callPackage ./http-conduit.nix {};
+ };
+};
+
+in myHaskellPkgs.callPackage ./main.nix { }
+
diff --git a/modules/pkgs/sproxy2/http-client-tls.nix b/modules/pkgs/sproxy2/http-client-tls.nix
new file mode 100644
index 0000000..b89489f
--- /dev/null
+++ b/modules/pkgs/sproxy2/http-client-tls.nix
@@ -0,0 +1,18 @@
+{ mkDerivation, base, bytestring, case-insensitive, connection
+, cryptonite, data-default-class, exceptions, hspec, http-client
+, http-types, memory, network, stdenv, tls, transformers
+}:
+mkDerivation {
+ pname = "http-client-tls";
+ version = "0.3.3";
+ sha256 = "0r50h7lhrwmxcmiq5nw1rxnpda3k6mhz4jsd86m56ymai5lnf77c";
+ libraryHaskellDepends = [
+ base bytestring case-insensitive connection cryptonite
+ data-default-class exceptions http-client http-types memory network
+ tls transformers
+ ];
+ testHaskellDepends = [ base hspec http-client http-types ];
+ homepage = "https://github.com/snoyberg/http-client";
+ description = "http-client backend using the connection package and tls library";
+ license = stdenv.lib.licenses.mit;
+}
diff --git a/modules/pkgs/sproxy2/http-client.nix b/modules/pkgs/sproxy2/http-client.nix
new file mode 100644
index 0000000..8dbd16c
--- /dev/null
+++ b/modules/pkgs/sproxy2/http-client.nix
@@ -0,0 +1,27 @@
+{ mkDerivation, array, async, base, base64-bytestring
+, blaze-builder, bytestring, case-insensitive, containers, cookie
+, deepseq, directory, exceptions, filepath, ghc-prim, hspec
+, http-types, mime-types, monad-control, network, network-uri
+, random, stdenv, streaming-commons, text, time, transformers, zlib
+}:
+mkDerivation {
+ pname = "http-client";
+ version = "0.5.3.3";
+ sha256 = "1kk4j5bg8fkw94c8r8b4ipxmia2arfkbbnhpgamcjy7m8mgbbblg";
+ libraryHaskellDepends = [
+ array base base64-bytestring blaze-builder bytestring
+ case-insensitive containers cookie deepseq exceptions filepath
+ ghc-prim http-types mime-types network network-uri random
+ streaming-commons text time transformers
+ ];
+ testHaskellDepends = [
+ async base base64-bytestring blaze-builder bytestring
+ case-insensitive containers deepseq directory hspec http-types
+ monad-control network network-uri streaming-commons text time
+ transformers zlib
+ ];
+ doCheck = false;
+ homepage = "https://github.com/snoyberg/http-client";
+ description = "An HTTP client engine";
+ license = stdenv.lib.licenses.mit;
+}
diff --git a/modules/pkgs/sproxy2/http-conduit.nix b/modules/pkgs/sproxy2/http-conduit.nix
new file mode 100644
index 0000000..76d670e
--- /dev/null
+++ b/modules/pkgs/sproxy2/http-conduit.nix
@@ -0,0 +1,29 @@
+{ mkDerivation, aeson, base, blaze-builder, bytestring
+, case-insensitive, conduit, conduit-extra, connection, cookie
+, data-default-class, exceptions, hspec, http-client
+, http-client-tls, http-types, HUnit, lifted-base, monad-control
+, mtl, network, resourcet, stdenv, streaming-commons, temporary
+, text, time, transformers, utf8-string, wai, wai-conduit, warp
+, warp-tls
+}:
+mkDerivation {
+ pname = "http-conduit";
+ version = "2.2.3";
+ sha256 = "1hqdzrr7vr2ylfjj61hayy9havhj5r2mym21815vzcvnzs01xrgf";
+ libraryHaskellDepends = [
+ aeson base bytestring conduit conduit-extra exceptions http-client
+ http-client-tls http-types lifted-base monad-control mtl resourcet
+ transformers
+ ];
+ testHaskellDepends = [
+ aeson base blaze-builder bytestring case-insensitive conduit
+ conduit-extra connection cookie data-default-class hspec
+ http-client http-types HUnit lifted-base network resourcet
+ streaming-commons temporary text time transformers utf8-string wai
+ wai-conduit warp warp-tls
+ ];
+ doCheck = false;
+ homepage = "http://www.yesodweb.com/book/http-conduit";
+ description = "HTTP client package with conduit interface and HTTPS support";
+ license = stdenv.lib.licenses.bsd3;
+}
diff --git a/modules/pkgs/sproxy2/main.nix b/modules/pkgs/sproxy2/main.nix
new file mode 100644
index 0000000..0de4cc0
--- /dev/null
+++ b/modules/pkgs/sproxy2/main.nix
@@ -0,0 +1,28 @@
+{ mkDerivation, aeson, base, base64-bytestring, blaze-builder
+, bytestring, cereal, conduit, containers, cookie, docopt, entropy
+, fetchgit, Glob, http-client, http-conduit, http-types
+, interpolatedstring-perl6, network, postgresql-simple
+, resource-pool, SHA, sqlite-simple, stdenv, text, time, unix
+, unordered-containers, wai, wai-conduit, warp, warp-tls, word8
+, yaml
+}:
+mkDerivation {
+ pname = "sproxy2";
+ version = "1.90.0";
+ src = fetchgit {
+ url = "https://github.com/ip1981/sproxy2.git";
+ sha256 = "1dpdaparvrd3ykwpac99wqfsnywqvbvscdj7j3v2xyc1sa4vbkda";
+ rev = "4a9f329a6ea9bfa03352ca0d9dd1d556b93bec36";
+ };
+ isLibrary = false;
+ isExecutable = true;
+ executableHaskellDepends = [
+ aeson base base64-bytestring blaze-builder bytestring cereal
+ conduit containers cookie docopt entropy Glob http-client
+ http-conduit http-types interpolatedstring-perl6 network
+ postgresql-simple resource-pool SHA sqlite-simple text time unix
+ unordered-containers wai wai-conduit warp warp-tls word8 yaml
+ ];
+ description = "Secure HTTP proxy for authenticating users via OAuth2";
+ license = stdenv.lib.licenses.mit;
+}