nixos/freshrss: authType option

This patch adds an `authType` option to enable configuring FreshRSS's
`auth_type` parameter.
Upstream documentation for this feature is located here:
https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html

An accompanying NixOS test is provided to confirm this feature works
as expected.

nixos/modules/services/web-apps/freshrss.nix

@@ -7,7 +7,7 @@ let
   poolName = "freshrss";
 in
 {
-  meta.maintainers = with maintainers; [ etu stunkymonkey ];
+  meta.maintainers = with maintainers; [ etu stunkymonkey mattchrist ];
 
   options.services.freshrss = {
     enable = mkEnableOption (mdDoc "FreshRSS feed reader");
@@ -27,7 +27,8 @@ in
     };
 
     passwordFile = mkOption {
-      type = types.path;
+      type = types.nullOr types.path;
+      default = null;
       description = mdDoc "Password for the defaultUser for FreshRSS.";
       example = "/run/secrets/freshrss";
     };
@@ -120,7 +121,13 @@ in
     user = mkOption {
       type = types.str;
       default = "freshrss";
-      description = lib.mdDoc "User under which Freshrss runs.";
+      description = lib.mdDoc "User under which FreshRSS runs.";
+    };
+
+    authType = mkOption {
+      type = types.enum [ "form" "http_auth" "none" ];
+      default = "form";
+      description = mdDoc "Authentication type for FreshRSS.";
     };
   };
 
@@ -160,6 +167,14 @@ in
       };
     in
     mkIf cfg.enable {
+      assertions = mkIf (cfg.authType == "form") [
+        {
+          assertion = cfg.passwordFile != null;
+          message = ''
+            `passwordFile` must be supplied when using "form" authentication!
+          '';
+        }
+      ];
       # Set up a Nginx virtual host.
       services.nginx = mkIf (cfg.virtualHost != null) {
         enable = true;
@@ -227,7 +242,7 @@ in
           settingsFlags = concatStringsSep " \\\n    "
             (mapAttrsToList (k: v: "${k} ${toString v}") {
               "--default_user" = ''"${cfg.defaultUser}"'';
-              "--auth_type" = ''"form"'';
+              "--auth_type" = ''"${cfg.authType}"'';
               "--base_url" = ''"${cfg.baseUrl}"'';
               "--language" = ''"${cfg.language}"'';
               "--db-type" = ''"${cfg.database.type}"'';
@@ -255,20 +270,30 @@ in
             FRESHRSS_DATA_PATH = cfg.dataDir;
           };
 
-          script = ''
+          script =
-            # do installation or reconfigure
+            let
-            if test -f ${cfg.dataDir}/config.php; then
+              userScriptArgs = ''--user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"'';
-              # reconfigure with settings
+              updateUserScript = optionalString (cfg.authType == "form") ''
-              ./cli/reconfigure.php ${settingsFlags}
+                ./cli/update-user.php ${userScriptArgs}
-              ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
+              '';
-            else
+              createUserScript = optionalString (cfg.authType == "form") ''
-              # check correct folders in data folder
+                ./cli/create-user.php ${userScriptArgs}
-              ./cli/prepare.php
+              '';
-              # install with settings
+            in
-              ./cli/do-install.php ${settingsFlags}
+            ''
-              ./cli/create-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
+              # do installation or reconfigure
-            fi
+              if test -f ${cfg.dataDir}/config.php; then
-          '';
+                # reconfigure with settings
+                ./cli/reconfigure.php ${settingsFlags}
+                ${updateUserScript}
+              else
+                # check correct folders in data folder
+                ./cli/prepare.php
+                # install with settings
+                ./cli/do-install.php ${settingsFlags}
+                ${createUserScript}
+              fi
+            '';
         };
 
       systemd.services.freshrss-updater = {

nixos/tests/freshrss-http-auth.nix

@@ -0,0 +1,20 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "freshrss";
+  meta.maintainers = with lib.maintainers; [ mattchrist ];
+
+  nodes.machine = { pkgs, ... }: {
+    services.freshrss = {
+      enable = true;
+      baseUrl = "http://localhost";
+      dataDir = "/srv/freshrss";
+      authType = "http_auth";
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_open_port(80)
+    response = machine.succeed("curl -vvv -s -H 'Host: freshrss' -H 'Remote-User: testuser' http://127.0.0.1:80/i/")
+    assert 'Account: testuser' in response, "http_auth method didn't work."
+  '';
+})

pkgs/servers/web-apps/freshrss/default.nix

@@ -18,7 +18,7 @@ stdenvNoCC.mkDerivation rec {
   };
 
   passthru.tests = {
-    inherit (nixosTests) freshrss-sqlite freshrss-pgsql;
+    inherit (nixosTests) freshrss-sqlite freshrss-pgsql freshrss-http-auth;
   };
 
   buildInputs = [ php ];