Create candidate registry at proxy

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/fedora-web/candidate-registry/files/passwd

@@ -0,0 +1 @@
+/C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=containerbuild/emailAddress=buildsys@fedoraproject.org:xxj31ZMTZzkVA

roles/fedora-web/candidate-registry/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Copy over the Fedora Server CA cert
+  copy: src="{{ private }}/files/fedora-ca.cert" dest=/etc/pki/httpd/fedora-server-ca.cert
+        owner=root group=root mode=0644
+  notify:
+  - reload httpd
+  tags:
+  - fedora-web
+  - fedora-web/candidate-registry
+
+- name: Copy over the registry passwd
+  copy: src=passwd dest=/etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
+        owner=root group=root mode=0644
+  notify:
+  - reload httpd
+  tags:
+  - fedora-web
+  - fedora-web/candidate-registry

roles/fedora-web/registry/files/passwd

@@ -1 +0,0 @@
-/C=US/ST=North Carolina/O=Fedora Project/OU=Fedora Builders/CN=containerbuild/emailAddress=buildsys@fedoraproject.org:xxj31ZMTZzkVA

roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf

@@ -0,0 +1,32 @@
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+ProxyPreserveHost On
+
+ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
+ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
+
+SSLVerifyClient optional
+SSLVerifyDepth 1
+SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
+SSLOptions +FakeBasicAuth
+
+
+<Location /v2>
+  Order deny,allow
+  Allow from all
+  AuthName "Registry Authentication"
+  AuthType Basic
+  AuthUserFile /etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
+
+  # Anyone can read
+  <Limit GET HEAD>
+    Require all granted
+  </Limit>
+
+  # Write access to docker-deployer only
+  <Limit POST PUT DELETE>
+    Require valid-user
+  </Limit>
+
+</Location>