From 40a9aa5f53de3457419e432be43e0dc268b10acd Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Fri, 19 Feb 2021 07:44:32 +0000
Subject: [PATCH] Avoid strange CSRF issues by running two redstring servers
---
 redstring.nix | 77 +++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 56 insertions(+), 21 deletions(-)
diff --git a/redstring.nix b/redstring.nix
index 190164e..b52bacb 100644
--- a/redstring.nix
+++ b/redstring.nix
@@ -1,11 +1,12 @@
-{pkgs, ...}:
+# redstring server module
+{ pkgs, ... }:
 let
 # Import package
 redstringSource = builtins.fetchGit {
 url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
 ref = "master";
- rev = "440301d737b3c565b3860741d11097a7a5fcbfd1";
+ rev = "e5ea4f871c57c58f4986800122602ebb31347c9e";
 };
 redstring = pkgs.callPackage redstringSource {};
@@ -20,12 +21,21 @@ let
 isSystemUser = true;
 };
- # Create the config file in the nix store
- redstringConfigAttrs = {
- "root" = redstringData;
- "password_file" = "${redstringDir}login";
+ # Create the public server config file in the nix store
+ publicConfigAttrs = {
+ root = redstringData;
+ edit = false;
+ };
+ publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
+
+ # Create the private server config file in the nix store
+ privateConfig = pkgs.writeTextFile {
+ name = "redstring-config-internal.json";
+ text = (builtins.toJSON {
+ root = redstringData;
+ edit = true;
+ });
 };
- redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); };
 # Create a setup script to ensure the data directory exists
 redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
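Review bot: `publicConfig` is built from a separate `publicConfigAttrs` squeezed onto one line while `privateConfig` inlines its attrset across several lines; the two configs differ only in `edit`, so give them the same shape (either inline both or build both through one small helper taking the file name and the `edit` value). The public instance being read-only is the whole CSRF mitigation, so the `edit = false` line deserves a why-comment such as `# edit = false: the nginx-exposed instance must never accept writes; editing is only offered by the private instance on the internal bind address`. Dropping `password_file` also removes the only credential reference this module had for the editable instance, so its protection now rests entirely on where the private server is reachable from — worth stating in the comment above `privateConfig`. Presumably the newly pinned upstream rev no longer reads `password_file`; confirm, since a config key the server still expects would fail only at runtime.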
@@ -37,14 +47,25 @@ let
 chmod 700 ${redstringDir}
 '';
- # Create a run script for the server
- redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" ''
+ # Create a run script for the public server
+ publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
 cd ${redstringDir}
 ${redstring}/bin/gunicorn \
 --bind=localhost:24144 \
- --workers=4 \
- --log-level info \
- --env REDSTRING_CONFIG=${redstringConfig} \
+ --workers=3 \
+ --log-level debug \
+ --env REDSTRING_CONFIG=${publicConfig} \
+ "redstring.server:wsgi()"
+ '';
+
+ # Create a run script for the private server
+ privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
+ cd ${redstringDir};
+ ${redstring}/bin/gunicorn \
+ --bind=10.7.3.1:24145 \
+ --workers=3 \
+ --log-level debug \
+ --env REDSTRING_CONFIG=${privateConfig} \
 "redstring.server:wsgi()"
 '';
 in
@@ -54,11 +75,11 @@ in
 # Run the setup script on activation
 system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
- # Set up the inquisitor service
- systemd.services.redstring =
+ # Set up the public redstring service
+ systemd.services."redstring-public" =
 {
- description = "redstring server";
- script = "${redstringRun}/bin/redstring-run.sh";
+ description = "redstring public read-only server";
+ script = "${publicRun}/bin/redstring-run-external.sh";
 serviceConfig = {
 User = "${redstringUser.name}";
 Type = "simple";
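Review bot: The two gunicorn launchers are copy-pasted and have already drifted — the private script has `cd ${redstringDir};` with a stray semicolon while the public one does not — so the invocation should live in one helper parameterised by name, bind address and config file, as sketched below; the generated script names are unchanged, so the `script =` lines in the service definitions still resolve. Both launchers also switch the old `--log-level info` to `--log-level debug`; if that was only for chasing the CSRF problem, revert it before merge, since debug logging on the public instance is noisier and may record request details that `info` did not. The private bind to `10.7.3.1:24145` assumes that address is already configured when the unit starts; I cannot tell from this file which interface carries it, so confirm the service ordering covers it.
```nix
  # One launcher for both instances; they differ only in name, bind address and config file
  mkRunScript = { name, bind, config }:
    pkgs.writeShellScriptBin "redstring-run-${name}.sh" ''
      cd ${redstringDir}
      ${redstring}/bin/gunicorn \
        --bind=${bind} \
        --workers=3 \
        --log-level debug \
        --env REDSTRING_CONFIG=${config} \
        "redstring.server:wsgi()"
    '';
  publicRun = mkRunScript { name = "external"; bind = "localhost:24144"; config = publicConfig; };
  privateRun = mkRunScript { name = "internal"; bind = "10.7.3.1:24145"; config = privateConfig; };
```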
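Review bot: `User = "${redstringUser.name}";` wraps a string in a redundant interpolation, and the private service added in the following hunk writes the same setting as `User = redstringUser.name;`; use the bare form in both so the two service definitions read alike. Both services run gunicorn as a system user with write access to the data directory but carry no sandboxing; adding `NoNewPrivileges = true; PrivateTmp = true; ProtectSystem = "strict"; ReadWritePaths = [ redstringDir ];` to `serviceConfig` (mirrored in the private service) limits what a compromised worker can touch, provided `redstringDir` is a path that `ProtectSystem = "strict"` would otherwise make read-only — confirm against where the setup script creates it. The service definition continues past the end of this hunk.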
@@ -68,16 +89,30 @@ in
 enable = true;
 };
- # Configure nginx to forward to the server at the docs subdomain
+ # Set up the private redstring service
+ systemd.services."redstring-private" =
+ {
+ description = "redstring private editable server";
+ script = "${privateRun}/bin/redstring-run-internal.sh";
+ serviceConfig = {
+ User = redstringUser.name;
+ Type = "simple";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ enable = true;
+ };
+
+ # Configure nginx to forward to the public server at the docs subdomain
 services.nginx.virtualHosts."docs.alogoulogoi.com" = {
 enableACME = true;
 forceSSL = true;
 extraConfig = ''
 access_log /var/log/nginx/access.docs.log;
 '';
- locations."/".extraConfig = ''
- proxy_buffering off;
- proxy_pass http://localhost:24144/;
- '';
+ locations."/".proxyPass = "http://localhost:24144";
 };
+
+ # Open the firewall to the private server's port
+ networking.firewall.allowedTCPPorts = [ 24145 ];
 }
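Review bot: `networking.firewall.allowedTCPPorts = [ 24145 ];` opens the private port on every interface, while the service only listens on `10.7.3.1`; with `password_file` gone from the config, the bind address plus firewall scope are the editable instance's entire access control, so restrict the rule to the interface that carries that address: `networking.firewall.interfaces."<interface-name>".allowedTCPPorts = [ 24145 ];` (placeholder — substitute the real interface). The comment above the firewall line should also say who is expected to reach the private server (presumably a VPN or LAN peer — not visible here) so the next reader knows what the bind address is guarding. The private unit is ordered only `after = [ "network.target" ]`; binding to a specific non-loopback address can race the interface coming up, so `serviceConfig.Restart = "on-failure";` or ordering after the unit that configures that interface is worth adding. The switch to `proxyPass` also drops the former `proxy_buffering off`, a behaviour change the subject line does not mention — fine if intended, but say so in the comment.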