1
1
Fork 0

Avoid strange CSRF issues by running two redstring servers

This commit is contained in:
Jaculabilis 2021-02-19 07:44:32 +00:00
parent f082b94011
commit 40a9aa5f53
1 changed files with 56 additions and 21 deletions

View File

@ -1,3 +1,4 @@
# redstring server module
{ pkgs, ... }:
let
@ -5,7 +6,7 @@ let
redstringSource = builtins.fetchGit {
url = "https://git.alogoulogoi.com/Jaculabilis/redstring.git";
ref = "master";
rev = "440301d737b3c565b3860741d11097a7a5fcbfd1";
rev = "e5ea4f871c57c58f4986800122602ebb31347c9e";
};
redstring = pkgs.callPackage redstringSource {};
@ -20,12 +21,21 @@ let
isSystemUser = true;
};
# Create the config file in the nix store
redstringConfigAttrs = {
"root" = redstringData;
"password_file" = "${redstringDir}login";
# Create the public server config file in the nix store
publicConfigAttrs = {
root = redstringData;
edit = false;
};
publicConfig = pkgs.writeTextFile { name = "redstring-config-external.json"; text = (builtins.toJSON publicConfigAttrs); };
# Create the private server config file in the nix store
privateConfig = pkgs.writeTextFile {
name = "redstring-config-internal.json";
text = (builtins.toJSON {
root = redstringData;
edit = true;
});
};
redstringConfig = pkgs.writeTextFile { name = "redstring-config.json"; text = (builtins.toJSON redstringConfigAttrs); };
# Create a setup script to ensure the data directory exists
redstringSetup = pkgs.writeShellScriptBin "redstring-setup.sh" ''
@ -37,14 +47,25 @@ let
chmod 700 ${redstringDir}
'';
# Create a run script for the server
redstringRun = pkgs.writeShellScriptBin "redstring-run.sh" ''
# Create a run script for the public server
publicRun = pkgs.writeShellScriptBin "redstring-run-external.sh" ''
cd ${redstringDir}
${redstring}/bin/gunicorn \
--bind=localhost:24144 \
--workers=4 \
--log-level info \
--env REDSTRING_CONFIG=${redstringConfig} \
--workers=3 \
--log-level debug \
--env REDSTRING_CONFIG=${publicConfig} \
"redstring.server:wsgi()"
'';
# Create a run script for the private server
privateRun = pkgs.writeShellScriptBin "redstring-run-internal.sh" ''
cd ${redstringDir};
${redstring}/bin/gunicorn \
--bind=10.7.3.1:24145 \
--workers=3 \
--log-level debug \
--env REDSTRING_CONFIG=${privateConfig} \
"redstring.server:wsgi()"
'';
in
@ -54,11 +75,11 @@ in
# Run the setup script on activation
system.activationScripts.redstringSetup = "${redstringSetup}/bin/redstring-setup.sh";
# Set up the inquisitor service
systemd.services.redstring =
# Set up the public redstring service
systemd.services."redstring-public" =
{
description = "redstring server";
script = "${redstringRun}/bin/redstring-run.sh";
description = "redstring public read-only server";
script = "${publicRun}/bin/redstring-run-external.sh";
serviceConfig = {
User = "${redstringUser.name}";
Type = "simple";
@ -68,16 +89,30 @@ in
enable = true;
};
# Configure nginx to forward to the server at the docs subdomain
# Set up the private redstring service
systemd.services."redstring-private" =
{
description = "redstring private editable server";
script = "${privateRun}/bin/redstring-run-internal.sh";
serviceConfig = {
User = redstringUser.name;
Type = "simple";
};
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
enable = true;
};
# Configure nginx to forward to the public server at the docs subdomain
services.nginx.virtualHosts."docs.alogoulogoi.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
access_log /var/log/nginx/access.docs.log;
'';
locations."/".extraConfig = ''
proxy_buffering off;
proxy_pass http://localhost:24144/;
'';
locations."/".proxyPass = "http://localhost:24144";
};
# Open the firewall to the private server's port
networking.firewall.allowedTCPPorts = [ 24145 ];
}