4 changed files with 61 additions and 2 deletions
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -111,3 +111,42 @@ def letsencrypt(metadata):
            },
        },
    }
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def basic_auth_passwords(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                domain: {
+                    'context': {
+                        'basic_auth': {
+                            user: {
+                                'password': str(repo.vault.password_for('basic_auth'+domain+user))
+                            }
+                                for user in metadata.get(f'nginx/vhosts/{domain}/context/basic_auth')
+                        },
+                    },
+                }
+                    for domain, vhost in metadata.get('nginx/vhosts').items()
+                    if metadata.get(f'nginx/vhosts/{domain}/context/basic_auth', None)
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'nginx/htpasswd',
+)
+def htpasswd(metadata):
+    return {
+        'nginx': {
+            'htpasswd': {
+                repo.libs.htpasswd.line(name, data['password'], metadata.get('id')+domain, repo)
+                    for domain, vhost in metadata.get('nginx/vhosts').items()
+                    for name, data in metadata.get(f'nginx/vhosts/{domain}/context/basic_auth', {}).items()
+            },
+        },
+    }
--- a/bundles/rspamd/metadata.py
+++ b/bundles/rspamd/metadata.py
@ -30,8 +30,10 @@ def nginx_vhost(metadata):
                metadata.get('rspamd/hostname'): {
                    'content': 'nginx/proxy_pass.conf',
                    'context': {
-                        'target': 'http://localhost:9999',
-                        # 'target': 'http://localhost:11334',
+                        'target': 'http://localhost:11334',
+                        'basic_auth': {
+                            'rspamd': {},
+                        },
                    },
                },
            },
--- a/libs/htpasswd.py
+++ b/libs/htpasswd.py
@ -0,0 +1,17 @@
+import bcrypt
+from base64 import b64decode, b64encode
+from binascii import hexlify
+from hashlib import sha3_256
+
+def line(user, pw, salt, repo):
+    full_salt = str(repo.vault.password_for(user+pw+salt))
+    sha = sha3_256(full_salt.encode()).digest()
+    sha_base64 = b64encode(sha)[0:22]
+    salt_string = f"$2b$10${sha_base64.decode().replace('+', '.')}"
+    print(sha, sha_base64, salt_string)
+    hash = bcrypt.hashpw(
+        pw.encode(),
+        salt_string.encode()
+    ).decode()
+
+    return f'{user}:{hash}'
--- a/requirements.txt
+++ b/requirements.txt
@ -2,3 +2,4 @@ bundlewrap>=4.13.1
 pycryptodome
 PyNaCl
 PyYAML
+bcrypt