kiaragrouwstra/infra
0
0
Fork 0
forked from the-distro/infra
Code Pull requests Activity

fix(buildbot): fix CORS properly

Browse source 
wildcards are not allowed in the headers.
We need to include credentials as well.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
raito 2024-10-18 13:47:18 +02:00 committed by raito
parent 437293bdaa
commit e3129fec51
3 changed files with 13 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
hosts/buildbot-lix/default.nix
View file

@ -38,7 +38,9 @@
port = 2022; port = 2022;
username = "buildbot"; username = "buildbot";
}; };
cors.allowedOrigin = "gerrit.lix.systems"; cors.allowedOrigins = [
"https://*.lix.systems"
];
projects = [ projects = [
"lix" "lix"
"lix-installer" "lix-installer"

4
hosts/buildbot/default.nix
View file

@ -36,7 +36,9 @@
port = cfgGerrit.port; port = cfgGerrit.port;
username = "buildbot"; username = "buildbot";
}; };
cors.allowedOrigin = "cl.forkos.org"; cors.allowedOrigins = [
"https://*.forkos.org"
];
projects = [ projects = [
"buildbot-test" "buildbot-test"
"nixpkgs" "nixpkgs"

14
services/buildbot/default.nix
View file

@ -53,9 +53,9 @@ in
}; };
}; };
cors.allowedOrigin = mkOption { cors.allowedOrigins = mkOption {
type = types.str; type = types.listOf types.str;
example = "*.forkos.org"; example = [ "*.forkos.org" ];
description = "Allowed origin for Buildbot and NGINX for CORS without the protocol"; description = "Allowed origin for Buildbot and NGINX for CORS without the protocol";
}; };
@ -100,6 +100,7 @@ in
}; };
services.nginx = { services.nginx = {
recommendedProxySettings = true;
appendHttpConfig = '' appendHttpConfig = ''
# Our session stuff is too big with the TWISTED_COOKIE in addition. # Our session stuff is too big with the TWISTED_COOKIE in addition.
# Default is usually 4k or 8k. # Default is usually 4k or 8k.
@ -109,8 +110,8 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
# This is needed so that logged-in users in Buildbot can include their credentials in their requests.
add_header Access-Control-Allow-Credentials 'true' always; add_header Access-Control-Allow-Credentials 'true' always;
add_header Access-Control-Allow-Origin 'https://${cfg.cors.allowedOrigin}' always;
''; '';
}; };
}; };
@ -155,9 +156,8 @@ in
# we can replace all of this with automatic localworker generation on buildbot-nix side. # we can replace all of this with automatic localworker generation on buildbot-nix side.
workersFile = config.age.secrets.buildbot-workers.path; workersFile = config.age.secrets.buildbot-workers.path;
allowedOrigins = [ # We rely on NGINX to do the CORS dance.
cfg.cors.allowedOrigin allowedOrigins = cfg.cors.allowedOrigins;
];
buildMachines = map (n: { buildMachines = map (n: {
hostName = nodes.${n}.config.networking.fqdn; hostName = nodes.${n}.config.networking.fqdn;