fix(buildbot): fix CORS properly
wildcards are not allowed in the headers. We need to include credentials as well. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
parent
437293bdaa
commit
e3129fec51
|
@ -38,7 +38,9 @@
|
|||
port = 2022;
|
||||
username = "buildbot";
|
||||
};
|
||||
cors.allowedOrigin = "gerrit.lix.systems";
|
||||
cors.allowedOrigins = [
|
||||
"https://*.lix.systems"
|
||||
];
|
||||
projects = [
|
||||
"lix"
|
||||
"lix-installer"
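Review bot: The pattern `"https://*.lix.systems"` in `cors.allowedOrigins` appears to widen cross-origin access from the single Gerrit host (`gerrit.lix.systems` in the replaced line) to every subdomain of the zone, and the same commit has NGINX send `Access-Control-Allow-Credentials 'true'`. Any subdomain that serves untrusted content, or whose DNS record has gone stale, would then be trusted to read authenticated Buildbot API responses from a logged-in user's browser. Listing only the origins that need access, e.g. `cors.allowedOrigins = [ "https://gerrit.lix.systems" ];`, keeps the earlier trust boundary. The same applies to `"https://*.forkos.org"` in the second file; the enclosing attribute set starts and ends outside both hunks.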
|
||||
|
|
|
@ -36,7 +36,9 @@
|
|||
port = cfgGerrit.port;
|
||||
username = "buildbot";
|
||||
};
|
||||
cors.allowedOrigin = "cl.forkos.org";
|
||||
cors.allowedOrigins = [
|
||||
"https://*.forkos.org"
|
||||
];
|
||||
projects = [
|
||||
"buildbot-test"
|
||||
"nixpkgs"
|
||||
|
|
|
@ -53,9 +53,9 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
cors.allowedOrigin = mkOption {
|
||||
type = types.str;
|
||||
example = "*.forkos.org";
|
||||
cors.allowedOrigins = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "*.forkos.org" ];
|
||||
description = "Allowed origin for Buildbot and NGINX for CORS without the protocol";
|
||||
};
|
||||
|
||||
|
@ -100,6 +100,7 @@ in
|
|||
};
|
||||
|
||||
services.nginx = {
|
||||
recommendedProxySettings = true;
|
||||
appendHttpConfig = ''
|
||||
# Our session stuff is too big with the TWISTED_COOKIE in addition.
|
||||
# Default is usually 4k or 8k.
|
||||
|
@ -109,8 +110,8 @@ in
|
|||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
# This is needed so that logged-in users in Buildbot can include their credentials in their requests.
|
||||
add_header Access-Control-Allow-Credentials 'true' always;
|
||||
add_header Access-Control-Allow-Origin 'https://${cfg.cors.allowedOrigin}' always;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -155,9 +156,8 @@ in
|
|||
# we can replace all of this with automatic localworker generation on buildbot-nix side.
|
||||
workersFile = config.age.secrets.buildbot-workers.path;
|
||||
|
||||
allowedOrigins = [
|
||||
cfg.cors.allowedOrigin
|
||||
];
|
||||
# We rely on NGINX to do the CORS dance.
|
||||
allowedOrigins = cfg.cors.allowedOrigins;
|
||||
|
||||
buildMachines = map (n: {
|
||||
hostName = nodes.${n}.config.networking.fqdn;
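Review bot: The `cors.allowedOrigins` option keeps the description `"Allowed origin for Buildbot and NGINX for CORS without the protocol"` and the example `[ "*.forkos.org" ]`, while both host configurations in this commit pass values that include the scheme (`"https://*.lix.systems"`, `"https://*.forkos.org"`). If Buildbot matches these entries as glob patterns against the full Origin value, this is more than cosmetic: a scheme-less pattern copied from the example would also accept `http://` origins. I would change the two lines to `example = [ "https://gerrit.example.org" ];` and `description = "Origins, scheme included, that may make credentialed cross-origin requests to Buildbot";`. The comment `# We rely on NGINX to do the CORS dance.` above `allowedOrigins` also looks inaccurate, since the page suggests the NGINX `Access-Control-Allow-Origin` line was the one dropped and the origin decision now rests with Buildbot; confirm that and reword it.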
|
||||
|
|