Avoid strange CSRF issues by running two redstring servers
This commit is contained in:
parent
f082b94011
commit
40a9aa5f53
|
@ -1,11 +1,12 @@
|
|||
{pkgs, ...}:
|
||||
# redstring server module
|
||||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
# Import package
|
||||
redstringSource = builtins.fetchGit {
|
||||
url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
|
||||
ref = "master";
|
||||
rev = "440301d737b3c565b3860741d11097a7a5fcbfd1";
|
||||
rev = "e5ea4f871c57c58f4986800122602ebb31347c9e";
|
||||
};
|
||||
redstring = pkgs.callPackage redstringSource {};
|
||||
|
||||
|
@ -20,12 +21,21 @@ let
|
|||
isSystemUser = true;
|
||||
};
|
||||
|
||||
# Create the config file in the nix store
|
||||
redstringConfigAttrs = {
|
||||
"root" = redstringData;
|
||||
"password_file" = "${redstringDir}login";
|
||||
# Create the public server config file in the nix store
|
||||
publicConfigAttrs = {
|
||||
root = redstringData;
|
||||
edit = false;
|
||||
};
|
||||
publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
|
||||
|
||||
# Create the private server config file in the nix store
|
||||
privateConfig = pkgs.writeTextFile {
|
||||
name = "redstring-config-internal.json";
|
||||
text = (builtins.toJSON {
|
||||
root = redstringData;
|
||||
edit = true;
|
||||
});
|
||||
};
|
||||
redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); };
|
||||
|
||||
# Create a setup script to ensure the data directory exists
|
||||
redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
|
||||
|
@ -37,14 +47,25 @@ let
|
|||
chmod 700 ${redstringDir}
|
||||
'';
|
||||
|
||||
# Create a run script for the server
|
||||
redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" ''
|
||||
# Create a run script for the public server
|
||||
publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
|
||||
cd ${redstringDir}
|
||||
${redstring}/bin/gunicorn \
|
||||
--bind=localhost:24144 \
|
||||
--workers=4 \
|
||||
--log-level info \
|
||||
--env REDSTRING_CONFIG=${redstringConfig} \
|
||||
--workers=3 \
|
||||
--log-level debug \
|
||||
--env REDSTRING_CONFIG=${publicConfig} \
|
||||
"redstring.server:wsgi()"
|
||||
'';
|
||||
|
||||
# Create a run script for the private server
|
||||
privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
|
||||
cd ${redstringDir};
|
||||
${redstring}/bin/gunicorn \
|
||||
--bind=10.7.3.1:24145 \
|
||||
--workers=3 \
|
||||
--log-level debug \
|
||||
--env REDSTRING_CONFIG=${privateConfig} \
|
||||
"redstring.server:wsgi()"
|
||||
'';
|
||||
in
|
||||
|
@ -54,11 +75,11 @@ in
|
|||
# Run the setup script on activation
|
||||
system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
|
||||
|
||||
# Set up the inquisitor service
|
||||
systemd.services.redstring =
|
||||
# Set up the public redstring service
|
||||
systemd.services."redstring-public" =
|
||||
{
|
||||
description = "redstring server";
|
||||
script = "${redstringRun}/bin/redstring-run.sh";
|
||||
description = "redstring public read-only server";
|
||||
script = "${publicRun}/bin/redstring-run-external.sh";
|
||||
serviceConfig = {
|
||||
User = "${redstringUser.name}";
|
||||
Type = "simple";
|
||||
|
@ -68,16 +89,30 @@ in
|
|||
enable = true;
|
||||
};
|
||||
|
||||
# Configure nginx to forward to the server at the docs subdomain
|
||||
# Set up the private redstring service
|
||||
systemd.services."redstring-private" =
|
||||
{
|
||||
description = "redstring private editable server";
|
||||
script = "${privateRun}/bin/redstring-run-internal.sh";
|
||||
serviceConfig = {
|
||||
User = redstringUser.name;
|
||||
Type = "simple";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
enable = true;
|
||||
};
|
||||
|
||||
# Configure nginx to forward to the public server at the docs subdomain
|
||||
services.nginx.virtualHosts."docs.alogoulogoi.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/access.docs.log;
|
||||
'';
|
||||
locations."/".extraConfig = ''
|
||||
proxy_buffering off;
|
||||
proxy_pass http://localhost:24144/;
|
||||
'';
|
||||
locations."/".proxyPass = "http://localhost:24144";
|
||||
};
|
||||
|
||||
# Open the firewall to the private server's port
|
||||
networking.firewall.allowedTCPPorts = [ 24145 ];
|
||||
}
|
||||
|
|
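Review bot: The private editable server bound to `10.7.3.1:24145` is left with no authentication of its own once the `"password_file"` entry disappears from the config (neither `publicConfig` nor `privateConfig` carries it), and the new `networking.firewall.allowedTCPPorts = [ 24145 ];` in the last hunk opens that port on every interface rather than only the one carrying 10.7.3.1, so the firewall rule no longer expresses the intent the bind address does and will admit the port from anywhere if the bind is ever widened. Scoping it as `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 24145 ];` (iface being whichever interface holds 10.7.3.1 — presumably a VPN or LAN link, to be confirmed) keeps the rule aligned with the bind. A comment above `systemd.services."redstring-private"` should also record the trust model, e.g. `# NOTE: the private server has no credentials of its own (plain HTTP, edit = true); access control is solely that 10.7.3.1 is reachable only from trusted hosts`. Separately, the public run script changes `--log-level info` to `--log-level debug`, which for the internet-facing instance looks unintended and is worth reverting or justifying in a comment.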