Avoid strange CSRF issues by running two redstring servers

redstring.nix

@@ -1,3 +1,4 @@
+# redstring server module
 { pkgs, ... }:
 
 let
@@ -5,7 +6,7 @@ let
   redstringSource = builtins.fetchGit {
     url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
     ref = "master";
-    rev = "440301d737b3c565b3860741d11097a7a5fcbfd1";
+    rev = "e5ea4f871c57c58f4986800122602ebb31347c9e";
   };
   redstring = pkgs.callPackage redstringSource {};
 
@@ -20,12 +21,21 @@ let
     isSystemUser = true;
   };
 
-  # Create the config file in the nix store
-  redstringConfigAttrs = {
-    "root" = redstringData;
-    "password_file" = "${redstringDir}login";
+  # Create the public server config file in the nix store
+  publicConfigAttrs = {
+    root = redstringData;
+    edit = false;
+  };
+  publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
+
+  # Create the private server config file in the nix store
+  privateConfig = pkgs.writeTextFile {
+    name = "redstring-config-internal.json";
+    text = (builtins.toJSON {
+      root = redstringData;
+      edit = true;
+    });
   };
-  redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); };
 
   # Create a setup script to ensure the data directory exists
   redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
@@ -37,14 +47,25 @@ let
     chmod 700 ${redstringDir}
   '';
 
-  # Create a run script for the server
-  redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" ''
+  # Create a run script for the public server
+  publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
     cd ${redstringDir}
     ${redstring}/bin/gunicorn \
       --bind=localhost:24144 \
-      --workers=4 \
-      --log-level info \
-      --env REDSTRING_CONFIG=${redstringConfig} \
+      --workers=3 \
+      --log-level debug \
+      --env REDSTRING_CONFIG=${publicConfig} \
+      "redstring.server:wsgi()"
+  '';
+
+  # Create a run script for the private server
+  privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
+    cd ${redstringDir};
+    ${redstring}/bin/gunicorn \
+      --bind=10.7.3.1:24145 \
+      --workers=3 \
+      --log-level debug \
+      --env REDSTRING_CONFIG=${privateConfig} \
       "redstring.server:wsgi()"
   '';
 in
@@ -54,11 +75,11 @@ in
   # Run the setup script on activation
   system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
 
-  # Set up the inquisitor service
-  systemd.services.redstring =
+  # Set up the public redstring service
+  systemd.services."redstring-public" =
   {
-    description = "redstring server";
-    script = "${redstringRun}/bin/redstring-run.sh";
+    description = "redstring public read-only server";
+    script = "${publicRun}/bin/redstring-run-external.sh";
     serviceConfig = {
       User = "${redstringUser.name}";
       Type = "simple";
@@ -68,16 +89,30 @@ in
     enable = true;
   };
 
-  # Configure nginx to forward to the server at the docs subdomain
+  # Set up the private redstring service
+  systemd.services."redstring-private" =
+  {
+    description = "redstring private editable server";
+    script = "${privateRun}/bin/redstring-run-internal.sh";
+    serviceConfig = {
+      User = redstringUser.name;
+      Type = "simple";
+    };
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    enable = true;
+  };
+
+  # Configure nginx to forward to the public server at the docs subdomain
   services.nginx.virtualHosts."docs.alogoulogoi.com" = {
     enableACME = true;
     forceSSL = true;
     extraConfig = ''
       access_log /var/log/nginx/access.docs.log;
     '';
-    locations."/".extraConfig = ''
-      proxy_buffering off;
-      proxy_pass http://localhost:24144/;
-    '';
+    locations."/".proxyPass = "http://localhost:24144";
   };
+
+  # Open the firewall to the private server's port
+  networking.firewall.allowedTCPPorts = [ 24145 ];
 }