From e3129fec5122a04af66f6286b4f8d10c30627d98 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Fri, 18 Oct 2024 13:47:18 +0200
Subject: [PATCH] fix(buildbot): fix CORS properly

wildcards are not allowed in the headers. We need to include credentials as well.

Signed-off-by: Raito Bezarius
---
 hosts/buildbot-lix/default.nix | 4 +++-
 hosts/buildbot/default.nix | 4 +++-
 services/buildbot/default.nix | 14 +++++++-------
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/hosts/buildbot-lix/default.nix b/hosts/buildbot-lix/default.nix
index b270471..ae42e33 100644
--- a/hosts/buildbot-lix/default.nix
+++ b/hosts/buildbot-lix/default.nix
@@ -38,7 +38,9 @@
 port = 2022;
 username = "buildbot";
 };
- cors.allowedOrigin = "gerrit.lix.systems";
+ cors.allowedOrigins = [
+ "https://*.lix.systems"
+ ];
 projects = [
 "lix"
 "lix-installer"
diff --git a/hosts/buildbot/default.nix b/hosts/buildbot/default.nix
index 921a455..4af6cd1 100755
--- a/hosts/buildbot/default.nix
+++ b/hosts/buildbot/default.nix
@@ -36,7 +36,9 @@
 port = cfgGerrit.port;
 username = "buildbot";
 };
- cors.allowedOrigin = "cl.forkos.org";
+ cors.allowedOrigins = [
+ "https://*.forkos.org"
+ ];
 projects = [
 "buildbot-test"
 "nixpkgs"
diff --git a/services/buildbot/default.nix b/services/buildbot/default.nix
index 51a0621..160f321 100644
--- a/services/buildbot/default.nix
+++ b/services/buildbot/default.nix
@@ -53,9 +53,9 @@ in
 };
 };
- cors.allowedOrigin = mkOption {
- type = types.str;
- example = "*.forkos.org";
+ cors.allowedOrigins = mkOption {
+ type = types.listOf types.str;
+ example = [ "*.forkos.org" ];
 description = "Allowed origin for Buildbot and NGINX for CORS without the protocol";
 };
@@ -100,6 +100,7 @@ in
 };
 services.nginx = {
+ recommendedProxySettings = true;
 appendHttpConfig = ''
 # Our session stuff is too big with the TWISTED_COOKIE in addition.
 # Default is usually 4k or 8k.
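Review bot: The new value `"https://*.lix.systems"` widens the trusted origin from the single host `gerrit.lix.systems` to every subdomain of lix.systems, and since nginx still sends `Access-Control-Allow-Credentials 'true'` on every response, a page served from any such subdomain could make credentialed requests to Buildbot; the commit message does not say why a wildcard is needed. The same widening happens in hosts/buildbot/default.nix (`cl.forkos.org` becomes `"https://*.forkos.org"`). If only the Gerrit frontend needs cross-origin access, the explicit origin `"https://gerrit.lix.systems"` keeps the fix (scheme now included, matching a browser's Origin header) without extending trust to hosts that may be less carefully controlled. Whether the wildcard is honoured at all depends on how Buildbot matches `allowedOrigins`, which this patch does not show. Note also that the value now carries the scheme while the option's description in services/buildbot/default.nix still says "without the protocol".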
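Review bot: The option's description and example are now out of date: the description still reads "Allowed origin for Buildbot and NGINX for CORS without the protocol", but the type is a list, this patch removes the nginx consumer of the value, and both host files set entries that start with `https://`. Suggest `example = [ "https://*.forkos.org" ];` and `description = "Allowed origins (scheme included) passed to Buildbot's CORS check; NGINX no longer consumes this value.";`. A reader copying the current example would get an origin without a scheme, which presumably never matches a browser's Origin header.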
@@ -109,8 +110,8 @@ in
 forceSSL = true;
 enableACME = true;
 extraConfig = ''
+ # This is needed so that logged-in users in Buildbot can include their credentials in their requests.
 add_header Access-Control-Allow-Credentials 'true' always;
- add_header Access-Control-Allow-Origin 'https://${cfg.cors.allowedOrigin}' always;
 '';
 };
 };
@@ -155,9 +156,8 @@ in
 # we can replace all of this with automatic localworker generation on buildbot-nix side.
 workersFile = config.age.secrets.buildbot-workers.path;
- allowedOrigins = [
- cfg.cors.allowedOrigin
- ];
+ # We rely on NGINX to do the CORS dance.
+ allowedOrigins = cfg.cors.allowedOrigins;
 buildMachines = map (n: {
 hostName = nodes.${n}.config.networking.fqdn;
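Review bot: `add_header Access-Control-Allow-Credentials 'true' always;` is now the only CORS header nginx emits, and it is sent on every response regardless of whether Buildbot accepted the Origin, so two things are worth checking before relying on it. nginx inherits `add_header` from the `server` level only into `location` blocks that define no `add_header` of their own, so if any location generated for this vhost adds a header this directive silently stops applying; and if Buildbot also emits `Access-Control-Allow-Credentials`, clients will receive it twice. Since Buildbot now owns the origin decision, letting it emit both CORS headers and dropping this directive would be cleaner, or at least the split should be recorded, e.g. `# Buildbot emits Access-Control-Allow-Origin from allowedOrigins; nginx only adds the credentials flag.` The enclosing virtualHost attrset starts outside the hunk.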
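Review bot: The added comment `# We rely on NGINX to do the CORS dance.` states the opposite of what this patch does: the nginx `Access-Control-Allow-Origin` header is removed in the same commit, so the Origin check now happens in Buildbot through `allowedOrigins`, and nginx only contributes `Access-Control-Allow-Credentials`. Suggest replacing it with `# Buildbot checks the Origin header against this list and emits Access-Control-Allow-Origin; NGINX only adds Access-Control-Allow-Credentials.` The attrset this assignment belongs to starts and ends outside the hunk.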