From 1e823ccc3c9ef61111af1008e159b58eaccee2cd Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 10 Oct 2024 22:01:54 +0000
Subject: [PATCH] reenable crowdsec and fix real ip for clients[ci skip]

---
 modules/kubernetes/main.tf               |  8 ++++----
 modules/kubernetes/nginx-ingress/main.tf | 19 +++++++++++++------
 modules/kubernetes/paperless-ngx/main.tf |  1 +
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 2be5e436..88373bbf 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -361,10 +361,10 @@ module "nginx-ingress" {
   crowdsec_captcha_site_key = var.ingress_crowdsec_captcha_site_key
 }
 
-# module "crowdsec" {
-#   source          = "./crowdsec"
-#   tls_secret_name = var.tls_secret_name
-# }
+module "crowdsec" {
+  source          = "./crowdsec"
+  tls_secret_name = var.tls_secret_name
+}
 
 # Seems like it needs S3 even if pg is local...
 # module "resume" {
diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf
index 06762b84..6323bae6 100644
--- a/modules/kubernetes/nginx-ingress/main.tf
+++ b/modules/kubernetes/nginx-ingress/main.tf
@@ -310,7 +310,9 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
     }
   }
   data = {
-    allow-snippet-annotations = true
+    allow-snippet-annotations = true
+    # limit-req-status-code  = 429
+    # limit-conn-status-code = 429
     enable-modsecurity = true
     enable-owasp-modsecurity-crs = false
     modsecurity-snippet : <<-EOT
@@ -326,9 +328,9 @@ resource "kubernetes_config_map" "ingress_nginx_controller" {
       setvar:tx.block_harvester_ip=1,\
       setvar:tx.block_spammer_ip=1"
     EOT
-    # plugins = "crowdsec"
-    plugins = ""
-    lua-shared-dicts = "crowdsec_cache: 500m"
+    plugins = "crowdsec"
+    # plugins = ""
+    lua-shared-dicts = "crowdsec_cache: 50m"
     server-snippet : <<-EOT
       lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt";
       # Captcha #resolver local=on ipv6=off valid=600s;
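Review bot: `allow-snippet-annotations = true` is re-emitted on the new side of the `data` block without any note on what it exposes: with it on, anyone who can create an Ingress object in any namespace can inject arbitrary nginx directives and Lua into this controller, which now also carries the CrowdSec bouncer API key in its environment. If the setting is needed for the crowdsec/modsecurity snippets this module itself writes, say so next to it, e.g. `# Required for the controller's own server/modsecurity snippets; any Ingress author can inject nginx config via annotations, so keep Ingress create rights tight (see ingress-nginx CVE-2021-25742).` The two commented-out `limit-req-status-code` / `limit-conn-status-code` keys are dead text; either drop them or add a one-line reason they are parked. The `kubernetes_config_map` resource starts before and ends after this hunk.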
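Review bot: The shared dictionary backing the bouncer's decision cache shrinks tenfold (`crowdsec_cache: 500m` to `50m`) in the same hunk that switches `plugins` to `"crowdsec"`, and nothing records why; if the dictionary fills, nginx evicts entries and the bouncer presumably has to re-query LAPI more often, so a size chosen for a homelab's memory budget deserves a comment such as `# 50m is plenty for a handful of banned IPs; raise if LAPI query rate climbs`. The leftover `# plugins = ""` line is dead text now that the plugin is enabled and can go. Note that `lua_ssl_trusted_certificate` in the following `server-snippet` is what lets the bouncer validate TLS to LAPI/CAPI, so it must stay paired with the plugin being on. The enclosing `kubernetes_config_map` resource starts before and ends after this hunk.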
@@ -365,7 +367,8 @@ resource "kubernetes_service" "ingress_nginx_controller" {
       "app.kubernetes.io/instance" = "ingress-nginx"
       "app.kubernetes.io/name"     = "ingress-nginx"
     }
-    type = "LoadBalancer"
+    type                    = "LoadBalancer"
+    external_traffic_policy = "Local" // see https://metallb.universe.tf/usage/
     # ip_families = ["IPv4"]
   }
 }
@@ -452,6 +455,8 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
             value = "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
           }
           env {
+            // if you can't connect with bouncer not found, regenerate api key with:
+            // "cscli bouncers add nginx" on the lapi
             name  = "API_KEY"
             value = var.crowdsec_api_key
           }
@@ -488,7 +493,9 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
             name  = "BOUNCER_CONFIG"
             value = "/crowdsec/crowdsec-bouncer.conf"
           }
-          command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -r /crowdsec /lua_plugins/; chown -R 101:101 /lua_plugins/"]
+          # command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -r /crowdsec /lua_plugins/; chown -R 101:101 /lua_plugins/"]
+          command = ["sh", "-c", "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
+
           volume_mount {
             name       = "crowdsec"
             mount_path = "/lua_plugins"
diff --git a/modules/kubernetes/paperless-ngx/main.tf b/modules/kubernetes/paperless-ngx/main.tf
index eb03c1be..ac1c5e35 100644
--- a/modules/kubernetes/paperless-ngx/main.tf
+++ b/modules/kubernetes/paperless-ngx/main.tf
@@ -142,6 +142,7 @@ resource "kubernetes_ingress_v1" "paperless-ngx" {
     annotations = {
       "kubernetes.io/ingress.class"                = "nginx"
       "nginx.ingress.kubernetes.io/proxy-body-size" : "100000m"
+      # "nginx.ingress.kubernetes.io/limit-rpm": "5"
     }
   }
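Review bot: The comment on `external_traffic_policy = "Local"` only links the MetalLB usage page and does not record the security reason this commit exists for: with the default `Cluster` policy the controller sees a node's SNAT address, so a CrowdSec ban would have hit that node IP (i.e. every client behind it) instead of the offender, whereas `Local` preserves the real source address. Spell that out so it is not "cleaned up" later, e.g. `external_traffic_policy = "Local" // keep client source IP: crowdsec bans key on remote_addr; Cluster policy would SNAT to a node IP (https://metallb.universe.tf/usage/)`. Two caveats worth confirming: with `Local`, kube-proxy only forwards to nodes that host a ready ingress-nginx pod, so the replica/placement must cover the node MetalLB announces from, and if a proxy or CDN sits in front, the controller must only honour forwarded-for headers from trusted CIDRs (`use-forwarded-headers` / `proxy-real-ip-cidr`), otherwise the IP that gets banned is attacker-chosen. The `kubernetes_service` resource starts before this hunk.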
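Review bot: The `API_KEY` env entry still passes the bouncer credential inline as `value = var.crowdsec_api_key`, so the key lands in the Deployment manifest (readable by anyone with get on deployments or pods in the namespace), in `kubectl describe` output and in Terraform state, which is the wrong place for a credential that — per the new comment — authenticates this bouncer to LAPI. Wire it through a Kubernetes Secret with `value_from { secret_key_ref { … } }` instead; the resource name below is a placeholder for whatever Secret this module creates from the variable. The new comment is useful but "bouncer not found" should be quoted as the literal LAPI error it refers to so operators can grep for it. The `kubernetes_deployment` resource and its container block start before and end after this hunk.
```hcl
          env {
            // if LAPI answers "bouncer not found", regenerate the key with
            // "cscli bouncers add nginx" on the LAPI pod and update the Secret
            name = "API_KEY"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.crowdsec_bouncer.metadata[0].name // placeholder: the Secret holding var.crowdsec_api_key
                key  = "api_key"
              }
            }
          }
```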
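Review bot: The new `command` chains `sh /docker_start.sh`, `mkdir` and `cp -R` with `;`, so if the start script or the copy fails the container still exits 0 and, assuming this is the init step that stages the bouncer Lua into `/lua_plugins`, the ingress controller then starts with `plugins = "crowdsec"` pointing at an empty directory — the WAF fails open silently. Chain with `&&` (or run under `sh -ec`) so a broken stage fails the pod instead: `command = ["sh", "-ec", "sh /docker_start.sh && mkdir -p /lua_plugins/crowdsec/ && cp -R /crowdsec/* /lua_plugins/crowdsec/"]`, assuming `docker_start.sh` is expected to return 0 here. The dropped `chown -R 101:101` is fine only if the copied files are world-readable for the controller's uid 101; a short comment stating that, and why the old command is kept as a commented line (or simply removing it), would save the next reader a guess. The enclosing container block starts before and ends after this hunk.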