fix(buildbot): fix CORS properly

wildcards are not allowed in the headers.
We need to include credentials as well.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
raito 2024-10-18 13:47:18 +02:00 committed by raito
parent 437293bdaa
commit e3129fec51
3 changed files with 13 additions and 9 deletions


@ -38,7 +38,9 @@
port = 2022;
username = "buildbot";
};
cors.allowedOrigin = "gerrit.lix.systems";
cors.allowedOrigins = [
"https://*.lix.systems"
];
projects = [
"lix"
"lix-installer"

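Review bot: The new value `"https://*.lix.systems"` widens the allowed origin from the single host `gerrit.lix.systems` to every subdomain, while the same commit keeps `Access-Control-Allow-Credentials 'true'` on the Buildbot vhost. If Buildbot matches this pattern against the request's `Origin` (its matching is not visible here), a page served from any host under the domain could make credentialed requests to Buildbot, so one compromised or dangling subdomain would be enough. Prefer listing the exact origins, e.g. `cors.allowedOrigins = [ "https://gerrit.lix.systems" ];`. The same applies to `"https://*.forkos.org"` in the second file, where the previous value was `cl.forkos.org`.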

@ -36,7 +36,9 @@
port = cfgGerrit.port;
username = "buildbot";
};
cors.allowedOrigin = "cl.forkos.org";
cors.allowedOrigins = [
"https://*.forkos.org"
];
projects = [
"buildbot-test"
"nixpkgs"


@ -53,9 +53,9 @@ in
};
};
cors.allowedOrigin = mkOption {
type = types.str;
example = "*.forkos.org";
cors.allowedOrigins = mkOption {
type = types.listOf types.str;
example = [ "*.forkos.org" ];
description = "Allowed origin for Buildbot and NGINX for CORS without the protocol";
};
@ -100,6 +100,7 @@ in
};
services.nginx = {
recommendedProxySettings = true;
appendHttpConfig = ''
# Our session stuff is too big with the TWISTED_COOKIE in addition.
# Default is usually 4k or 8k.
@ -109,8 +110,8 @@ in
forceSSL = true;
enableACME = true;
extraConfig = ''
# This is needed so that logged-in users in Buildbot can include their credentials in their requests.
add_header Access-Control-Allow-Credentials 'true' always;
add_header Access-Control-Allow-Origin 'https://${cfg.cors.allowedOrigin}' always;
'';
};
};
@ -155,9 +156,8 @@ in
# we can replace all of this with automatic localworker generation on buildbot-nix side.
workersFile = config.age.secrets.buildbot-workers.path;
allowedOrigins = [
cfg.cors.allowedOrigin
];
# We rely on NGINX to do the CORS dance.
allowedOrigins = cfg.cors.allowedOrigins;
buildMachines = map (n: {
hostName = nodes.${n}.config.networking.fqdn;
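Review bot: The `description` and `example` of the `cors.allowedOrigins` option no longer match how it is used: the description still says "without the protocol" and the example is `[ "*.forkos.org" ]`, while both hosts in this commit set values that include the scheme. The `add_header Access-Control-Allow-Origin 'https://${...}'` line appears to be the one removed here, so nothing prepends `https://` any more, and an entry written after the example would probably never match a browser's `Origin` header. Suggest `example = [ "https://cl.forkos.org" ];` and `description = "Origins (scheme and host) allowed to make credentialed cross-origin requests to Buildbot";`. The comment `# We rely on NGINX to do the CORS dance.` should also say which component now decides the allowed origin, since NGINX seems to only add the credentials header.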