Verified Commit 7c150111 authored by Romain Garbage's avatar Romain Garbage

head-node: Add token filtering for Gitlab integration with Cuirass.

* head-node.scm (%nginx-gitlab-token): New variable.
(operating-system): Add service.
* nginx-config/nginx-locations.conf: New include directive and new filter.
parent 8eb35e4f
1 merge request!18nginx: Add token filtering for Gitlab integration with Cuirass.
......@@ -368,6 +368,32 @@ export CUIRASS_LOGGING_LEVEL=${CUIRASS_LOGGING_LEVEL:-debug}\n"
"nginx-config/nginx-locations.conf")
"nginx-locations.conf")))))
(define %nginx-gitlab-token
;; Create /etc/nginx-tokens with a random token if it doesn't exist.
(simple-service 'nginx-gitlab-token
activation-service-type
#~(begin
(define file "/etc/nginx-tokens")
(define (make-random-list n)
(if (= n 0)
'()
(cons (integer->char
(+ (random 26) 97)) ;; ASCII code for a-z
(make-random-list (- n 1)))))
;; token is a random lowercase alphabetical
;; string containing 32 characters. This
;; corresponds to 1.90172e+45 different
;; combinations.
(define token
(list->string (make-random-list 32)))
(unless (file-exists? file)
(call-with-output-file file
(lambda (port)
(format port "set $GITLAB_TOKEN ~a;~%" token)
;; Ensure that the file is only readable by its owner.
(chmod port #o600)))))))
(define %nginx-mime-types
;; Provide /etc/nginx/mime.types (and a bunch of other files.)
(simple-service 'nginx-mime.types
......@@ -476,6 +502,7 @@ export CUIRASS_LOGGING_LEVEL=${CUIRASS_LOGGING_LEVEL:-debug}\n"
(file (file-append %nginx-config
"/nginx.conf"))))
%nginx-mime-types
%nginx-gitlab-token
(service certbot-service-type
(certbot-configuration
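Review bot: In the first hunk `(random 26)` is called without a state argument, so it draws from Guile's default `*random-state*`, which starts from the same seed on every Guile start-up; unless something earlier in the activation script reseeds it, the token written to /etc/nginx-tokens is likely reproducible rather than secret, and the 1.90172e+45-combinations comment only holds if each draw is unpredictable. Seed once from the platform and pass the state explicitly: `(define state (random-state-from-platform))` before `make-random-list`, and `(+ (random 26 state) 97)` in its body. Separately, `call-with-output-file` creates the file with the process umask before `chmod` narrows it to #o600, leaving a short window in which the token may be readable by other local users; opening with `(open file (logior O_WRONLY O_CREAT O_EXCL) #o600)` and wrapping the port yourself closes that window and also refuses to write into a pre-existing path. The `operating-system` form in the second hunk starts and ends outside the hunk.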
......@@ -11,6 +11,15 @@ location = /nix-cache-info { proxy_pass http://localhost:3000; }
# Cuirass.
# The included file should define the variable $GITLAB_TOKEN using the
# set directive: "set $GITLAB_TOKEN value;". It should be created
# manually.
include /etc/nginx-tokens;
location ~ ^/admin/gitlab/event {
# Filter using Gitlab token
if ($http_x_gitlab_token != $GITLAB_TOKEN) { return 403; }
proxy_pass http://localhost:8081;
}
location ~ ^/admin {
# Disallow access to unauthenticated clients.
if ($ssl_client_verify != SUCCESS) { return 403; }
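Review bot: The comment at the top of the hunk says /etc/nginx-tokens "should be created manually", but the same commit adds `%nginx-gitlab-token` to head-node.scm to generate it at activation, so the sentence is already stale; replace it with `# It is generated at activation by the %nginx-gitlab-token service in head-node.scm.`. Because regex locations are tried in order, `location ~ ^/admin/gitlab/event` is reached before `location ~ ^/admin`, which makes the webhook endpoint deliberately exempt from the `$ssl_client_verify` client-certificate check and protected only by the token; a one-line comment stating that intent, e.g. `# Must stay above "location ~ ^/admin": webhooks cannot present a client certificate.`, would keep a later reordering from silently changing the access rule. Note that if the include ever defines `$GITLAB_TOKEN` as an empty string, a request with no X-Gitlab-Token header compares equal (`$http_x_gitlab_token` is empty too) and is proxied through, so the generator and the include are the places that must keep the value non-empty. The regex also lacks a `$` anchor, so it matches any longer path with that prefix; `^/admin/gitlab/event$` states the intent more precisely.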