matrix: open (tokenless) registration + bot mitigations + #security alert

User-chosen fully-open registration on tuwunel (no CAPTCHA support; browser
challenges break native clients). Bot defense is layered instead:
- Traefik rate-limit Middleware on a path-scoped /register ingress carve-out,
  keyed on request Host (GLOBAL /register cap) not source IP — the host is
  reachable via both Cloudflare-IPv4 (CF-Connecting-IP) and IPv6-direct (HE
  tunnel, no CF header), so a per-source key let IPv6 bots bypass. 10/min,
  burst 20, per replica; CrowdSec is the hard backstop on both paths.
- Loki ruler rule MatrixNewUserRegistered -> lane=security -> existing
  #security Slack receiver (matches "registered on this server", never the
  rejection line). tuwunel's admin bot also posts signups to the admin room.

Dropped the REGISTRATION_TOKEN env (secret/matrix + ESO kept for revert).
Applied via scripts/tg (matrix tier-1 + targeted monitoring configmap), so
[ci skip] to avoid CI full-applying monitoring (unrelated grafana-acl drift).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
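The host-keyed rate limit the message describes, as an added Traefik Middleware example that is not part of this commit or repository (the names `matrix-register-ratelimit` and `matrix` are assumptions; the `average`/`burst`/`period` values mirror the 10/min, burst 20 figures above). The point it shows is the `sourceCriterion` choice: the default bucket key is the client IP, which splits into one bucket per source and is what let direct IPv6 clients sidestep a CF-header-based key; `requestHost: true` gives one global bucket for the vhost regardless of path in.

```yaml
# Added example (not the commit's own manifest). Traefik v2/v3 CRD; the
# namespace and middleware name are assumptions.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: matrix-register-ratelimit
  namespace: matrix
spec:
  rateLimit:
    # Token bucket: 10 requests refilled per 1-minute period, burst of 20.
    # Counters are per Traefik replica, so the effective global cap is
    # (replicas x 10)/min; a hard backstop (e.g. CrowdSec) still belongs
    # in front of this.
    average: 10
    period: 1m
    burst: 20
    sourceCriterion:
      # Key the bucket on the request Host header, NOT the source IP.
      # The default (ipStrategy / client IP) creates one bucket per client,
      # so traffic arriving over a path that carries no CF-Connecting-IP
      # (here: IPv6 via a tunnel) would each get its own bucket. One bucket
      # per host means every /register attempt shares the same 10/min cap.
      requestHost: true
```

Attach it only to the path-scoped `/register` IngressRoute/Ingress rule, not to the whole vhost, or normal client-server traffic (sync, media) would be throttled by the same global bucket.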
Viktor Barzin 2026-06-08 13:27:02 +00:00
parent bb7bcf803b
commit 6504911a77
3 changed files with 113 additions and 10 deletions


@ -385,6 +385,26 @@ resource "kubernetes_config_map" "loki_alert_rules" {
}
},
]
},
{
# Matrix (tuwunel) open registration is ON, so notify on every new
# signup. tuwunel logs `... New user "@x:..." registered on this server`
# only on SUCCESS (the disabled-path logs "Rejecting ... registration is
# disabled"), so this matcher never false-fires on rejected attempts.
# lane=security routes it to the existing #security Slack receiver.
name = "Matrix"
rules = [
{
alert = "MatrixNewUserRegistered"
expr = "sum(count_over_time({namespace=\"matrix\",container=\"matrix\"} |= \"registered on this server\" [10m])) > 0"
for = "0m"
labels = { severity = "info", lane = "security" }
annotations = {
summary = "New user registered on Matrix (tuwunel) — open registration is ON"
description = "A new account was created on matrix.viktorbarzin.me. See who with: kubectl -n matrix logs deploy/matrix | grep 'New user'. If unexpected/abuse, revert to token-gated registration in stacks/matrix."
}
},
]
}
]
})
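Review bot: with `expr` being `count_over_time(... [10m]) > 0` and `for = "0m"`, one successful signup keeps MatrixNewUserRegistered firing for the full ten-minute window, and any further signups inside that window collapse into the same already-firing alert with no count visible to the #security receiver; consider surfacing the count in the annotation (for example `summary = "{{ $value }} new user(s) registered on Matrix (tuwunel)"`) or shrinking the range to the ruler's evaluation interval so each burst is reported with its size. The `|= "registered on this server"` substring filter is only as safe as the comment's claim that tuwunel never logs that phrase on the rejection path; it would help to record in the comment which tuwunel version's log lines were checked, since a future wording change on the failure path would turn this into a false positive rather than a silent miss.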