Avoid strange CSRF issues by running two redstring servers
This commit is contained in:
parent
f082b94011
commit
40a9aa5f53
|
@ -1,11 +1,12 @@
|
||||||
{pkgs, ...}:
|
# redstring server module
|
||||||
|
{ pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
# Import package
|
# Import package
|
||||||
redstringSource = builtins.fetchGit {
|
redstringSource = builtins.fetchGit {
|
||||||
url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
|
url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
|
||||||
ref = "master";
|
ref = "master";
|
||||||
rev = "440301d737b3c565b3860741d11097a7a5fcbfd1";
|
rev = "e5ea4f871c57c58f4986800122602ebb31347c9e";
|
||||||
};
|
};
|
||||||
redstring = pkgs.callPackage redstringSource {};
|
redstring = pkgs.callPackage redstringSource {};
|
||||||
|
|
||||||
|
@ -20,12 +21,21 @@ let
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Create the config file in the nix store
|
# Create the public server config file in the nix store
|
||||||
redstringConfigAttrs = {
|
publicConfigAttrs = {
|
||||||
"root" = redstringData;
|
root = redstringData;
|
||||||
"password_file" = "${redstringDir}login";
|
edit = false;
|
||||||
|
};
|
||||||
|
publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
|
||||||
|
|
||||||
|
# Create the private server config file in the nix store
|
||||||
|
privateConfig = pkgs.writeTextFile {
|
||||||
|
name = "redstring-config-internal.json";
|
||||||
|
text = (builtins.toJSON {
|
||||||
|
root = redstringData;
|
||||||
|
edit = true;
|
||||||
|
});
|
||||||
};
|
};
|
||||||
redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); };
|
|
||||||
|
|
||||||
# Create a setup script to ensure the data directory exists
|
# Create a setup script to ensure the data directory exists
|
||||||
redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
|
redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
|
||||||
|
@ -37,14 +47,25 @@ let
|
||||||
chmod 700 ${redstringDir}
|
chmod 700 ${redstringDir}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Create a run script for the server
|
# Create a run script for the public server
|
||||||
redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" ''
|
publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
|
||||||
cd ${redstringDir}
|
cd ${redstringDir}
|
||||||
${redstring}/bin/gunicorn \
|
${redstring}/bin/gunicorn \
|
||||||
--bind=localhost:24144 \
|
--bind=localhost:24144 \
|
||||||
--workers=4 \
|
--workers=3 \
|
||||||
--log-level info \
|
--log-level debug \
|
||||||
--env REDSTRING_CONFIG=${redstringConfig} \
|
--env REDSTRING_CONFIG=${publicConfig} \
|
||||||
|
"redstring.server:wsgi()"
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Create a run script for the private server
|
||||||
|
privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
|
||||||
|
cd ${redstringDir};
|
||||||
|
${redstring}/bin/gunicorn \
|
||||||
|
--bind=10.7.3.1:24145 \
|
||||||
|
--workers=3 \
|
||||||
|
--log-level debug \
|
||||||
|
--env REDSTRING_CONFIG=${privateConfig} \
|
||||||
"redstring.server:wsgi()"
|
"redstring.server:wsgi()"
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
|
@ -54,11 +75,11 @@ in
|
||||||
# Run the setup script on activation
|
# Run the setup script on activation
|
||||||
system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
|
system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
|
||||||
|
|
||||||
# Set up the inquisitor service
|
# Set up the public redstring service
|
||||||
systemd.services.redstring =
|
systemd.services."redstring-public" =
|
||||||
{
|
{
|
||||||
description = "redstring server";
|
description = "redstring public read-only server";
|
||||||
script = "${redstringRun}/bin/redstring-run.sh";
|
script = "${publicRun}/bin/redstring-run-external.sh";
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "${redstringUser.name}";
|
User = "${redstringUser.name}";
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
|
@ -68,16 +89,30 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Configure nginx to forward to the server at the docs subdomain
|
# Set up the private redstring service
|
||||||
|
systemd.services."redstring-private" =
|
||||||
|
{
|
||||||
|
description = "redstring private editable server";
|
||||||
|
script = "${privateRun}/bin/redstring-run-internal.sh";
|
||||||
|
serviceConfig = {
|
||||||
|
User = redstringUser.name;
|
||||||
|
Type = "simple";
|
||||||
|
};
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ];
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Configure nginx to forward to the public server at the docs subdomain
|
||||||
services.nginx.virtualHosts."docs.alogoulogoi.com" = {
|
services.nginx.virtualHosts."docs.alogoulogoi.com" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
access_log /var/log/nginx/access.docs.log;
|
access_log /var/log/nginx/access.docs.log;
|
||||||
'';
|
'';
|
||||||
locations."/".extraConfig = ''
|
locations."/".proxyPass = "http://localhost:24144";
|
||||||
proxy_buffering off;
|
|
||||||
proxy_pass http://localhost:24144/;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Open the firewall to the private server's port
|
||||||
|
networking.firewall.allowedTCPPorts = [ 24145 ];
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue