rate limit login pages for grafana and gitea

roles/firewall/templates/ip6tables.j2

@@ -48,11 +48,14 @@
 -A ICMP_FLOOD -j ACCEPT
 {% endif %}
 
-{% if firewall_dns_whitelist is defined %}
+{% if firewall_dns_whitelist is defined and
+      firewall_dns_whitelist | length %}
 -N ACCEPT_DNS
--A ACCEPT_DNS -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp6" -j LOG_ACCEPT
--A ACCEPT_DNS -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp6" -j LOG_ACCEPT
--A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop inet6" -j LOG_DROP
+{% for ip in firewall_dns_whitelist | ipv6 %}
+-A ACCEPT_DNS -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp" -j LOG_ACCEPT
+-A ACCEPT_DNS -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp" -j LOG_ACCEPT
+{% endfor %}
+-A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop" -j LOG_DROP
 {% endif %}
 
 -A INPUT -i lo -m comment --comment "lo accept all inet6" -j ACCEPT
@@ -69,10 +72,8 @@
 
 {% if firewall_dns_whitelist is defined and
       firewall_dns_whitelist | length %}
-{% for ip in firewall_dns_whitelist | ipv6 %}
--A INPUT -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp6" -j ACCEPT_DNS
--A INPUT -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp6" -j ACCEPT_DNS
-{% endfor %}
+-A INPUT -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp" -j ACCEPT_DNS
+-A INPUT -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp" -j ACCEPT_DNS
 {% endif %}
 
 -A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP
@@ -133,6 +134,20 @@
 {% endfor %}
 {% endif %}
 
+{% if firewall_teleport_node_enabled | default(false) %}
+-A INPUT -p tcp -m tcp --dport 3022 -m state --state NEW -m comment --comment "accept 3022/tcp" -j ACCEPT
+{% endif %}
+
+{% if firewall_teleport_proxy_enabled | default(false) %}
+-A INPUT -p tcp -m tcp --dport 3023 -m state --state NEW -m comment --comment "accept 3023/tcp" -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3024 -m state --state NEW -m comment --comment "accept 3024/tcp" -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3080 -m state --state NEW -m comment --comment "accept 3080/tcp" -j ACCEPT
+{% endif %}
+
+{% if firewall_teleport_auth_enabled | default(false) %}
+-A INPUT -p tcp -m tcp --dport 3025 -m state --state NEW -m comment --comment "accept 3025/tcp" -j ACCEPT
+{% endif %}
+
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established inet6" -j ACCEPT
 
 -A INPUT -m comment --comment "default drop inet6" -j LOG_DROP
@@ -150,5 +165,4 @@ COMMIT
 -A OUTPUT -o lo -j NOTRACK
 {% endif %}
 COMMIT
-
 # vim: tw=0

roles/firewall/templates/iptables.j2

@@ -48,13 +48,34 @@
 -A ICMP_FLOOD -j ACCEPT
 {% endif %}
 
-{% if firewall_dns_whitelist is defined %}
+{% if firewall_dns_whitelist is defined and
+      firewall_dns_whitelist | length %}
 -N ACCEPT_DNS
--A ACCEPT_DNS -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp" -j LOG_ACCEPT
--A ACCEPT_DNS -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp" -j LOG_ACCEPT
+{% for ip in firewall_dns_whitelist | ipv4 %}
+-A ACCEPT_DNS -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp" -j LOG_ACCEPT
+-A ACCEPT_DNS -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp" -j LOG_ACCEPT
+{% endfor %}
 -A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop" -j LOG_DROP
 {% endif %}
 
+{% if firewall_influx_whitelist is defined and
+      firewall_influx_whitelist | length %}
+-N ACCEPT_INFLUX
+{% for ip in firewall_influx_whitelist | ipv4 %}
+-A ACCEPT_INFLUX -m tcp -p tcp --dport 8086 --source {{ ip }} -m comment --comment "accept {{ ip }} influxdb 8086/tcp" -j LOG_ACCEPT
+{% endfor %}
+-A ACCEPT_INFLUX -m comment --comment "ACCEPT_INFLUX default drop" -j LOG_DROP
+{% endif %}
+
+{% if firewall_syslog_whitelist is defined and
+      firewall_syslog_whitelist | length %}
+-N ACCEPT_SYSLOG
+{% for ip in firewall_syslog_whitelist | ipv4 %}
+-A ACCEPT_SYSLOG -m tcp -p tcp --dport 514 --source {{ ip }} -m comment --comment "accept {{ ip }} syslog 514/tcp" -j LOG_ACCEPT
+{% endfor %}
+-A ACCEPT_SYSLOG -m comment --comment "ACCEPT_SYSLOG default drop" -j LOG_DROP
+{% endif %}
+
 -A INPUT -i lo -m comment --comment "lo accept all" -j ACCEPT
 
 {% if firewall_ssh_whitelist | length %}
@@ -69,10 +90,18 @@
 
 {% if firewall_dns_whitelist is defined and
       firewall_dns_whitelist | length %}
-{% for ip in firewall_dns_whitelist | ipv4 %}
--A INPUT -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp" -j ACCEPT_DNS
--A INPUT -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp" -j ACCEPT_DNS
-{% endfor %}
+-A INPUT -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp" -j ACCEPT_DNS
+-A INPUT -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp" -j ACCEPT_DNS
+{% endif %}
+
+{% if firewall_influx_whitelist is defined and
+      firewall_influx_whitelist | length %}
+-A INPUT -m tcp -p tcp --dport 8086 -m comment --comment "accept influx 8086/tcp" -j ACCEPT_INFLUX
+{% endif %}
+
+{% if firewall_syslog_whitelist is defined and
+      firewall_syslog_whitelist | length %}
+-A INPUT -m tcp -p tcp --dport 514 -m comment --comment "accept syslog 514/tcp" -j ACCEPT_SYSLOG
 {% endif %}
 
 -A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP
@@ -119,6 +148,20 @@
 {% endfor %}
 {% endif %}
 
+{% if firewall_teleport_node_enabled | default(false) %}
+-A INPUT -p tcp -m tcp --dport 3022 -m state --state NEW -m comment --comment "accept 3022/tcp" -j ACCEPT
+{% endif %}
+
+{% if firewall_teleport_proxy_enabled | default(false) %}
+-A INPUT -p tcp -m tcp --dport 3023 -m state --state NEW -m comment --comment "accept 3023/tcp" -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3024 -m state --state NEW -m comment --comment "accept 3024/tcp" -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3080 -m state --state NEW -m comment --comment "accept 3080/tcp" -j ACCEPT
+{% endif %}
+
+{% if firewall_teleport_auth_enabled | default(false) %}
+-A INPUT -p tcp -m tcp --dport 3025 -m state --state NEW -m comment --comment "accept 3025/tcp" -j ACCEPT
+{% endif %}
+
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established" -j ACCEPT
 
 -A INPUT -m comment --comment "default drop" -j LOG_DROP

roles/gitea/tasks/nginx.yaml

@@ -1,17 +1,8 @@
 - name: configure nginx
   template:
     src: nginx.conf.j2
-    dest: /etc/nginx/sites-available/gitea
+    dest: "{{ nginx_conf_d_path }}/gitea.conf"
     owner: root
     group: root
     mode: 0644
   notify: reload nginx
-
-- name: activate site
-  file:
-    src: /etc/nginx/sites-available/gitea
-    dest: /etc/nginx/sites-enabled/gitea
-    owner: root
-    group: root
-    state: link
-  notify: reload nginx

roles/gitea/templates/nginx.conf.j2

@@ -1,3 +1,16 @@
+# {{ ansible_managed }}
+
+limit_req_zone $binary_remote_addr zone=req_gitea_login:10m rate=10r/m;
+
+upstream gitea_backend {
+{% if gitea_config.server.protocol is defined and
+      gitea_config.server.protocol == 'unix' %}
+    server unix:{{ gitea_config.server.http_addr }};
+{% else %}
+    server 127.0.0.1:{{ gitea_port }};
+{% endif %}
+}
+
 server {
     listen 80;
 {% if ansible_all_ipv6_addresses | length %}
@@ -5,6 +18,9 @@ server {
 {% endif %}
     server_name {{ gitea_domain }};
 
+    access_log /var/log/nginx/gitea.access.log main;
+    error_log /var/log/nginx/gitea.error.log warn;
+
     location /.well-known/acme-challenge/ {
         root /var/www/html;
         try_files $uri =404;
@@ -27,6 +43,9 @@ server {
 {% endif %}
     server_name {{ gitea_domain }};
 
+    access_log /var/log/nginx/gitea.access.log main;
+    error_log /var/log/nginx/gitea.error.log warn;
+
 {% if gitea_ssl_certificate is defined %}
     ssl_certificate {{ gitea_ssl_certificate }};
 {% endif %}
@@ -37,13 +56,14 @@ server {
     ssl_dhparam {{ gitea_ssl_dhparam }};
 {% endif %}
 
+    location ~ /user\/login {
+        limit_req zone=req_gitea_login burst=10;
+        proxy_pass http://gitea_backend;
+    }
+
     location / {
-{% if gitea_config.server.protocol is defined and
-      gitea_config.server.protocol == 'unix' %}
-        proxy_pass http://unix:{{ gitea_config.server.http_addr }};
-{% else %}
-        proxy_pass http://localhost:{{ gitea_port }};
-{% endif %}
+        limit_req zone=req_bad_actors burst=10 nodelay;
+        proxy_pass http://gitea_backend;
     }
 }
 {% endif %}

roles/grafana/tasks/nginx.yaml

@@ -1,17 +1,8 @@
 - name: configure nginx
   template:
     src: nginx.conf.j2
-    dest: /etc/nginx/sites-available/grafana
+    dest: "{{ nginx_conf_d_path }}/grafana.conf"
     owner: root
     group: root
     mode: 0644
   notify: reload nginx
-
-- name: activate site
-  file:
-    src: /etc/nginx/sites-available/grafana
-    dest: /etc/nginx/sites-enabled/grafana
-    owner: root
-    group: root
-    state: link
-  notify: reload nginx

roles/grafana/templates/nginx.conf.j2

@@ -1,3 +1,11 @@
+# {{ ansible_managed }}
+
+limit_req_zone $binary_remote_addr zone=req_grafana_login:10m rate=10r/m;
+
+upstream grafana_backend {
+    server 127.0.0.1:{{ grafana_port }};
+}
+
 server {
     listen 80;
 {% if ansible_all_ipv6_addresses | length %}
@@ -5,6 +13,9 @@ server {
 {% endif %}
     server_name {{ grafana_domain }};
 
+    access_log /var/log/nginx/grafana.access.log main;
+    error_log /var/log/nginx/grafana.error.log warn;
+
     location /.well-known/acme-challenge/ {
         root /var/www/html;
         try_files $uri =404;
@@ -27,6 +38,9 @@ server {
 {% endif %}
     server_name {{ grafana_domain }};
 
+    access_log /var/log/nginx/grafana.access.log main;
+    error_log /var/log/nginx/grafana.error.log warn;
+
 {% if grafana_ssl_certificate is defined %}
     ssl_certificate {{ grafana_ssl_certificate }};
 {% endif %}
@@ -37,8 +51,14 @@ server {
     ssl_dhparam {{ grafana_ssl_dhparam }};
 {% endif %}
 
+    location /login {
+        limit_req zone=req_grafana_login burst=10;
+        proxy_pass http://grafana_backend;
+    }
+
     location / {
-        proxy_pass http://localhost:{{ grafana_port }};
+        limit_req zone=req_bad_actors burst=10 nodelay;
+        proxy_pass http://grafana_backend;
     }
 }
 {% endif %}

roles/minecraft/defaults/main.yaml

@@ -11,8 +11,8 @@ minecraft_port: 25565
 minecraft_user: minecraft
 minecraft_group: minecraft
 
-minecraft_jar_url: https://launcher.mojang.com/v1/objects/c5f6fb23c3876461d46ec380421e42b289789530/server.jar
-minecraft_jar_checksum: sha256:2902ed3ff84e4f810a2c0620c6b6df9c3ef8488b272c61274d5eac2433876f39
+minecraft_jar_url: https://launcher.mojang.com/v1/objects/f02f4473dbf152c23d7d484952121db0b36698cb/server.jar
+minecraft_jar_checksum: sha256:32e450e74c081aec06dcfbadfa5ba9aa1c7f370bd869e658caec0c3004f7ad5b
 
 minecraft_opt_path: /opt/minecraft
 minecraft_var_path: /var/opt/minecraft

roles/nginx/defaults/main.yaml

@@ -6,6 +6,21 @@ nginx_service_name: nginx
 nginx_service_state: started
 nginx_service_enabled: yes
 
+nginx_etc_path: /etc/nginx
+nginx_conf_d_path: "{{ nginx_etc_path }}/conf.d"
+nginx_mime_types_path: "{{ nginx_etc_path }}/mime.types"
+
+nginx_user: nginx
+nginx_worker_processes: auto
+nginx_error_log: /var/log/nginx/error.log warn
+nginx_access_log: /var/log/nginx/access.log main
+nginx_pid: /var/run/nginx.pid
+nginx_worker_connections: 1024
+nginx_default_type: application/octet-stream
+nginx_sendfile: "on"
+nginx_keepalive_timeout: 65
+nginx_gzip: "on"
+
 nginx_root: /var/www/html
 nginx_index:
   - index.html
@@ -14,3 +29,5 @@ nginx_index:
 
 nginx_acme_challenge_enabled: yes
 nginx_acme_challenge_path: /var/www/.acme-challenge
+
+nginx_conf_d: {}

roles/nginx/tasks/Debian.yaml

@@ -0,0 +1,12 @@
+---
+- name: install nginx apt key
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: "{{ nginx_repo_key_id }}"
+
+- name: install nginx apt repo
+  apt_repository:
+    repo: "deb http://nginx.org/packages/mainline/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx"
+    update_cache: yes
+    filename: nginx
+    state: "{{ nginx_repo_state }}"

roles/nginx/tasks/main.yml

@@ -1,4 +1,28 @@
 ---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
 - name: install passlib
   package:
     name: "{{ item }}"
@@ -12,10 +36,10 @@
     name: "{{ nginx_package_name }}"
     state: "{{ nginx_package_state }}"
 
-- name: configure default virtual host
+- name: configure nginx
   template:
-    src: default.j2
-    dest: /etc/nginx/sites-available/default
+    src: nginx.conf.j2
+    dest: "{{ nginx_etc_path }}/nginx.conf"
     owner: root
     group: root
     mode: 0644

roles/nginx/templates/nginx.conf.j2

@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+
+user {{ nginx_user }};
+worker_processes {{ nginx_worker_processes }};
+
+error_log {{ nginx_error_log }};
+pid {{ nginx_pid }};
+
+
+events {
+    worker_connections {{ nginx_worker_connections }};
+}
+
+
+http {
+    include {{ nginx_mime_types_path }};
+    default_type {{ nginx_default_type }};
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log {{ nginx_access_log }};
+
+    sendfile {{ nginx_sendfile }};
+    #tcp_nopush on;
+
+    keepalive_timeout {{ nginx_keepalive_timeout }};
+    gzip {{ nginx_gzip }};
+
+    geo $bad_actors {
+        default 0;
+    }
+    
+    map $bad_actors $limit_key {
+        0 "";
+        1 $binary_remote_addr;
+    }
+    
+    limit_req_zone $limit_key zone=req_bad_actors:10m rate=5r/s;
+
+    include {{ nginx_conf_d_path }}/*.conf;
+}

roles/nginx/vars/Debian.yaml

@@ -0,0 +1,4 @@
+---
+nginx_repo_url: "http://nginx.org/packages/mainline/{{ ansible_distribution }} {{ ansible_distribution_release }} nginx"
+nginx_repo_state: present
+nginx_repo_key_id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62

roles/rsyslog/tasks/archival.yaml

@@ -68,5 +68,14 @@
     minute: "0"
     hour: "1"
     user: root
-    job: find /var/log/syslog/ -type f -name "*.log" -mtime +5 -exec xz {} \;
+    job: find /var/log/syslog/ -mindepth 4 -type f -name "*.log" -mtime +5 -exec xz {} \;
+    state: "{{ rsyslog_archival_format_enabled | ternary('present', 'absent') }}"
+
+- name: purge log cron job
+  cron:
+    name: purge syslog
+    minute: "0"
+    hour: "2"
+    user: root
+    job: find /var/log/syslog/ -mindepth 4 -type f -name "*.log" -mtime +90 -delete
     state: "{{ rsyslog_archival_format_enabled | ternary('present', 'absent') }}"

roles/util/defaults/main.yaml

@@ -26,6 +26,8 @@ util_packages:
     - spiped
     - mtr-tiny
     - traceroute
+    - iperf
+    - iperf3
   math:
     - bc
   misc: