infrastructure

mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00

History

Kristian Klausen fca14fb161 bugbuddy: Use wireguard for connections from gitlab.archlinux.org There is no reason for exposing the service to the whole internet nor communicating without encryption. It could be fixed by restricting the firewall rule to the public IP of the gitlb server and running it over HTTPS or we could just use our existing WG network. To allow gitlab to send requests to a private network address, the IP has been allowlisted[1]. The endpoint also expects a "secret token"[2], so it won't accept events from e.g. users creating a webhook with the same URL. [1] https://docs.gitlab.com/ee/security/webhooks.html#allow-outbound-requests-to-certain-ip-addresses-and-domains [2] https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#validate-payloads-by-using-a-secret-token	2023-10-16 22:14:10 +02:00
..
main.yml

Kristian Klausen fca14fb161

bugbuddy: Use wireguard for connections from gitlab.archlinux.org

There is no reason for exposing the service to the whole internet nor
communicating without encryption. It could be fixed by restricting the
firewall rule to the public IP of the gitlb server and running it over
HTTPS or we could just use our existing WG network.

To allow gitlab to send requests to a private network address, the IP
has been allowlisted[1]. The endpoint also expects a "secret token"[2],
so it won't accept events from e.g. users creating a webhook with the
same URL.

[1] https://docs.gitlab.com/ee/security/webhooks.html#allow-outbound-requests-to-certain-ip-addresses-and-domains
[2] https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#validate-payloads-by-using-a-secret-token

2023-10-16 22:14:10 +02:00

main.yml