
Avoid strange CSRF issues by running two redstring servers

This commit is contained in:
Jaculabilis 2021-02-19 07:44:32 +00:00
parent f082b94011
commit 40a9aa5f53
1 changed files with 56 additions and 21 deletions


@ -1,3 +1,4 @@
# redstring server module
{ pkgs, ... }: { pkgs, ... }:
let let
@ -5,7 +6,7 @@ let
redstringSource = builtins.fetchGit { redstringSource = builtins.fetchGit {
url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git"; url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
ref = "master"; ref = "master";
rev = "440301d737b3c565b3860741d11097a7a5fcbfd1"; rev = "e5ea4f871c57c58f4986800122602ebb31347c9e";
}; };
redstring = pkgs.callPackage redstringSource {}; redstring = pkgs.callPackage redstringSource {};
@ -20,12 +21,21 @@ let
isSystemUser = true; isSystemUser = true;
}; };
# Create the config file in the nix store # Create the public server config file in the nix store
redstringConfigAttrs = { publicConfigAttrs = {
"root" = redstringData; root = redstringData;
"password_file" = "${redstringDir}login"; edit = false;
};
publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
# Create the private server config file in the nix store
privateConfig = pkgs.writeTextFile {
name = "redstring-config-internal.json";
text = (builtins.toJSON {
root = redstringData;
edit = true;
});
}; };
redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); };
# Create a setup script to ensure the data directory exists # Create a setup script to ensure the data directory exists
redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" '' redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
@ -37,14 +47,25 @@ let
chmod 700 ${redstringDir} chmod 700 ${redstringDir}
''; '';
# Create a run script for the server # Create a run script for the public server
redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" '' publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
cd ${redstringDir} cd ${redstringDir}
${redstring}/bin/gunicorn \ ${redstring}/bin/gunicorn \
--bind=localhost:24144 \ --bind=localhost:24144 \
--workers=4 \ --workers=3 \
--log-level info \ --log-level debug \
--env REDSTRING_CONFIG=${redstringConfig} \ --env REDSTRING_CONFIG=${publicConfig} \
"redstring.server:wsgi()"
'';
# Create a run script for the private server
privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
cd ${redstringDir};
${redstring}/bin/gunicorn \
--bind=10.7.3.1:24145 \
--workers=3 \
--log-level debug \
--env REDSTRING_CONFIG=${privateConfig} \
"redstring.server:wsgi()" "redstring.server:wsgi()"
''; '';
in in
@ -54,11 +75,11 @@ in
# Run the setup script on activation # Run the setup script on activation
system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh"; system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
# Set up the inquisitor service # Set up the public redstring service
systemd.services.redstring = systemd.services."redstring-public" =
{ {
description = "redstring server"; description = "redstring public read-only server";
script = "${redstringRun}/bin/redstring-run.sh"; script = "${publicRun}/bin/redstring-run-external.sh";
serviceConfig = { serviceConfig = {
User = "${redstringUser.name}"; User = "${redstringUser.name}";
Type = "simple"; Type = "simple";
@ -68,16 +89,30 @@ in
enable = true; enable = true;
}; };
# Configure nginx to forward to the server at the docs subdomain # Set up the private redstring service
systemd.services."redstring-private" =
{
description = "redstring private editable server";
script = "${privateRun}/bin/redstring-run-internal.sh";
serviceConfig = {
User = redstringUser.name;
Type = "simple";
};
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
enable = true;
};
# Configure nginx to forward to the public server at the docs subdomain
services.nginx.virtualHosts."docs.alogoulogoi.com" = { services.nginx.virtualHosts."docs.alogoulogoi.com" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
access_log /var/log/nginx/access.docs.log; access_log /var/log/nginx/access.docs.log;
''; '';
locations."/".extraConfig = '' locations."/".proxyPass = "http://localhost:24144";
proxy_buffering off;
proxy_pass http://localhost:24144/;
'';
}; };
# Open the firewall to the private server's port
networking.firewall.allowedTCPPorts = [ 24145 ];
} }
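Review bot: The firewall rule `networking.firewall.allowedTCPPorts = [ 24145 ];` opens the private server's port on every interface, while the service itself is only bound to 10.7.3.1; if that address belongs to a VPN or internal interface, the rule should be scoped to it with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 24145 ];` (placeholder interface name) so that a later change to the bind address cannot expose the editable instance on the public interface. The new private config also drops the `password_file` key the old config carried, so as written the edit-enabled instance appears to rely entirely on network reachability for access control; whether redstring enforces any authentication for `edit = true` is outside this file and I cannot confirm it, so a comment recording the assumption would help, e.g. `# The private server has no credentials configured here; it must stay reachable only from the internal interface.` Both run scripts also switch to `--log-level debug`, which is likely more verbose than intended for the long-running public service. Minor style: `cd ${redstringDir};` in the private script carries a trailing semicolon the public script does not.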