reenable crowdsec and fix real ip for clients[ci skip]

2024-10-10 22:01:54 +00:00 · 2024-10-10 22:01:54 +00:00 · 1e823ccc3c
commit 1e823ccc3c
parent c3637cba26
3 changed files with 18 additions and 10 deletions
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -361,10 +361,10 @@ module "nginx-ingress" {
  crowdsec_captcha_site_key   = var.ingress_crowdsec_captcha_site_key
 }

-# module "crowdsec" {
-#   source          = "./crowdsec"
-#   tls_secret_name = var.tls_secret_name
-# }
+module "crowdsec" {
+  source          = "./crowdsec"
+  tls_secret_name = var.tls_secret_name
+}

 # Seems like it needs S3 even if pg is local...
 # module "resume" {
--- a/modules/kubernetes/nginx-ingress/main.tf
+++ b/modules/kubernetes/nginx-ingress/main.tf
@ -310,7 +310,9 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
    }
  }
  data = {
-    allow-snippet-annotations    = true
+    allow-snippet-annotations = true
+    # limit-req-status-code        = 429
+    # limit-conn-status-code       = 429
    enable-modsecurity           = true
    enable-owasp-modsecurity-crs = false
    modsecurity-snippet : <<-EOT
@ -326,9 +328,9 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
        setvar:tx.block_harvester_ip=1,\
        setvar:tx.block_spammer_ip=1"
        EOT
-    # plugins = "crowdsec"
-    plugins          = ""
-    lua-shared-dicts = "crowdsec_cache: 500m"
+    plugins = "crowdsec"
+    # plugins          = ""
+    lua-shared-dicts = "crowdsec_cache: 50m"
    server-snippet : <<-EOT
    lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # Captcha
    #resolver local=on ipv6=off valid=600s;
@ -365,7 +367,8 @@ resource "kubernetes_service" "ingress_nginx_controller" {
      "app.kubernetes.io/instance"  = "ingress-nginx"
      "app.kubernetes.io/name"      = "ingress-nginx"
    }
-    type = "LoadBalancer"
+    type                    = "LoadBalancer"
+    external_traffic_policy = "Local" // see https://metallb.universe.tf/usage/
    # ip_families = ["IPv4"]
  }
 }
@ -452,6 +455,8 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
            value = "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
          }
          env {
+            // if you can't connect with bouncer not found, regenerate api key with:
+            // "cscli bouncers add nginx" on the lapi
            name  = "API_KEY"
            value = var.crowdsec_api_key
          }
@ -488,7 +493,9 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
            name  = "BOUNCER_CONFIG"
            value = "/crowdsec/crowdsec-bouncer.conf"
          }
-          command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -r /crowdsec /lua_plugins/; chown -R 101:101 /lua_plugins/"]
+          # command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -r /crowdsec /lua_plugins/; chown -R 101:101 /lua_plugins/"]
+          command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
+
          volume_mount {
            name       = "crowdsec"
            mount_path = "/lua_plugins"
--- a/modules/kubernetes/paperless-ngx/main.tf
+++ b/modules/kubernetes/paperless-ngx/main.tf
@ -142,6 +142,7 @@ resource "kubernetes_ingress_v1" "paperless-ngx" {
    annotations = {
      "kubernetes.io/ingress.class" = "nginx"
      "nginx.ingress.kubernetes.io/proxy-body-size" : "100000m"
+      # "nginx.ingress.kubernetes.io/limit-rpm": "5"
    }
  }