traefik: rate-limit for forgejo (#176)

Reviewed-on: https://git.mgrote.net///mg/homeserver/pulls/176 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de> remove ubuntu-pro-client set rate-limit higher and let... (#177) Reviewed-on: https://git.mgrote.net///mg/homeserver/pulls/177 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
2024-09-12 10:28:47 +02:00 · 2024-09-12 10:28:47 +02:00 · 6b01cf8879
commit 6b01cf8879
parent 1fd038df2e
12 changed files with 44 additions and 17 deletions
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@ -5,6 +5,8 @@ http:
    router_gitea:
      rule: "Host(`git.mgrote.net`)"
      service: "service_gitea"
      middlewares:
        - "ratelimit"
      entrypoints:
        - entry_https
      tls:
@ -15,3 +17,12 @@ http:
      loadBalancer:
        servers:
          - url: "http://forgejo.mgrote.net:3000/"
 ###### middlewares #####
  middlewares:
    ratelimit:
      rateLimit:
        average: 10
        burst: 15
        sourceCriterion:
          ipStrategy:
            depth: 2
--- a/docker-compose/traefik/traefik.yml
+++ b/docker-compose/traefik/traefik.yml
@ -33,6 +33,8 @@ certificatesResolvers:
 log:
  level: INFO
 accessLog: {}
 api:
  insecure: true
  dashboard: true # unter Port 8081 erreichbar
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -7,6 +7,9 @@ file_header: |
  #----------------------------------------------------------------#
  #              This file is managed with ansible!                #
  #----------------------------------------------------------------#
 # für Zugriff auf nicht öffentliche git.mgrote.net-Repos
 ansible_forgejo_user: svc_ansible
 ansible_forgejo_user_pass: "{{ lookup('viczem.keepass.keepass', 'user_setup_forgejo_user_pass', 'password') }}" # user ist dem Repo als "Collaborator" + "RO" hinzugefügt worden
 ### mgrote_user_setup
 dotfiles:
@ -15,8 +18,7 @@ dotfiles:
  - user: root
    home: /root
 dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
-dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git
+dotfiles_vim_vundle_repo_url: "https://{{  ansible_forgejo_user | urlencode }}:{{ ansible_forgejo_user_pass | urlencode }}@git.mgrote.net/mirrors/Vundle.vim.git"
 ### mgrote_netplan
 netplan_configure: true
@ -146,6 +148,7 @@ apt_packages_absent:
  - ubuntu-advantage-tools
  - neofetch
  - graphviz
  - ubuntu-pro-client
 ### mgrote_zfs_sanoid
 sanoid_templates:
@ -199,6 +202,8 @@ sanoid_templates:
 sanoid_deb_url: http://docker10.mgrote.net:3344/sanoid_v2.2.0.deb
 ### mgrote_munin_node
 munin_node_plugins_repo_user: "{{ ansible_forgejo_user }}"
 munin_node_plugins_repo_user_pass: "{{ ansible_forgejo_user_pass }}"
 munin_node_bind_host: "0.0.0.0"
 munin_node_bind_port: "4949"
 munin_node_allowed_cidrs: [192.168.2.0/24]
--- a/group_vars/blocky.yml
+++ b/group_vars/blocky.yml
@ -24,7 +24,7 @@ apt_packages_extra:
  - libnet-dns-perl # für munin: dnsresponse_
 ### mgrote_user_setup
-dotfiles_vim_vundle_repo_url: http://192.168.2.42:3000/mirrors/Vundle.vim.git
+dotfiles_vim_vundle_repo_url: "http://{{ ansible_forgejo_user | urlencode }}:{{ ansible_forgejo_user_pass | urlencode }}@192.168.2.42:3000/mirrors/Vundle.vim.git"
 dotfiles:
  - user: mg
    home: /home/mg
--- a/group_vars/fileserver.yml
+++ b/group_vars/fileserver.yml
@ -64,3 +64,4 @@ apt_packages_absent:
  - snapd
  - ubuntu-advantage-tools
  - fwupd # weil LXC
  - ubuntu-pro-client
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx
--- a/roles/mgrote_munin_node/tasks/additional.yml
+++ b/roles/mgrote_munin_node/tasks/additional.yml
@ -1,15 +1,18 @@
 ---
- name: download additional plugins
+- name: Ensure additional plugins are downloaded
  ansible.builtin.get_url:
    url: "{{ item.src }}"
    dest: "{{ munin_plugin_src_path }}{{ item.name }}"
    mode: '0755'
    url_username: "{{ munin_node_plugins_repo_user | default(omit) }}"
    url_password: "{{ munin_node_plugins_repo_user_pass | default(omit) }}"
    force_basic_auth: true
  loop: "{{ munin_node_plugins }}"
  notify: restart munin-node
  no_log: true
  check_mode: false # damit werden auch im check-mode die Plugins heruntergeladen, sonst schlägt der nächste Task fehl
- name: enable additional plugins
+- name: Enable additional plugins
  ansible.builtin.file:
    src: "{{ munin_plugin_src_path }}{{ item.name }}"
    dest: "{{ munin_plugin_dest_path }}{{ item.name }}"
@ -18,7 +21,7 @@
  loop: "{{ munin_node_plugins }}"
  no_log: true
- name: copy additional plugin-config
+- name: Template additional plugin-config
  ansible.builtin.copy:
    content: "{{ item.config }}"
    dest: "{{ munin_plugin_conf_dest_path }}{{ item.name }}"
@ -30,7 +33,7 @@
  when: item.config is defined
  no_log: true
- name: Ensure munin-node is running.
+- name: Ensure munin-node is running
  ansible.builtin.service:
    name: munin-node
    state: started
--- a/roles/mgrote_munin_node/tasks/install.yml
+++ b/roles/mgrote_munin_node/tasks/install.yml
@ -1,5 +1,5 @@
 ---
- name: install packages
+- name: Ensure packages are installed
  ansible.builtin.apt:
    name: munin-node
    state: present
@ -7,7 +7,7 @@
    - munin-node-configure --shell
    - munin-node-configure --shell - 2
- name: create directories
+- name: Ensure directories exist
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
@ -15,11 +15,10 @@
    group: root
    mode: "0755"
  loop:
    - /etc/munin
    - /etc/munin/plugin-conf.d
    - /etc/munin/plugins
- name: Copy munin-node configuration.
+- name: Template munin-node configuration
  ansible.builtin.template:
    src: munin-node.conf.j2
    dest: /etc/munin/munin-node.conf
--- a/roles/mgrote_munin_node/tasks/main.yml
+++ b/roles/mgrote_munin_node/tasks/main.yml
@ -1,11 +1,14 @@
 ---
 - name: include install-tasks
  ansible.builtin.include_tasks: install.yml
 - name: include user tasks
  ansible.builtin.include_tasks: user.yml
 - name: include plugin-tasks
  ansible.builtin.include_tasks: additional.yml
  when: munin_node_plugins is defined
 - name: include remove-tasks
  ansible.builtin.include_tasks: remove.yml
  when: munin_node_disabled_plugins is defined
--- a/roles/mgrote_munin_node/tasks/remove.yml
+++ b/roles/mgrote_munin_node/tasks/remove.yml
@ -1,5 +1,5 @@
 ---
- name: remove unwanted plugins
+- name: Ensure unwanted plugins are absent
  ansible.builtin.file:
    path: "{{ munin_plugin_dest_path }}{{ item }}"
    state: absent
@ -7,7 +7,7 @@
  notify: restart munin-node
  when: munin_node_disabled_plugins is defined
- name: remove additional plugin-config
+- name: Ensure additional plugin-config is absent
  ansible.builtin.file:
    state: absent
    dest: "{{ munin_plugin_conf_dest_path }}{{ item }}"
--- a/roles/mgrote_munin_node/tasks/user.yml
+++ b/roles/mgrote_munin_node/tasks/user.yml
@ -1,11 +1,11 @@
 ---
- name: ensure group exists
+- name: Ensure group exists
  become: true
  ansible.builtin.group:
    name: "{{ munin_user_group }}"
    state: present
- name: ensure user exists
+- name: Ensure user exists
  become: true
  ansible.builtin.user:
    name: munin
@ -13,7 +13,7 @@
    shell: /usr/sbin/nologin
    create_home: false
- name: add user to sudoers
+- name: Ensure user is added to sudoers
  become: true
  ansible.builtin.blockinfile:
    path: /etc/sudoers
--- a/roles/mgrote_user_setup/defaults/main.yml
+++ b/roles/mgrote_user_setup/defaults/main.yml
@ -5,5 +5,8 @@ dotfiles:
    - user: root
      home: /root
-dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git
+ansible_forgejo_user: svc_ansible
 ansible_forgejo_user_pass: "{{ lookup('viczem.keepass.keepass', 'user_setup_forgejo_user_pass', 'password') }}" # user ist dem Repo als "Collaborator" + "RO" hinzugefügt worden
 dotfiles_vim_vundle_repo_url: "https://{{ ansible_forgejo_user | urlencode }}:{{ ansible_forgejo_user_pass | urlencode }}@git.mgrote.net/mirrors/Vundle.vim.git"
 dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles