Add global rate limiting

2026-02-10 09:07:43 -06:00
parent 10c3898b0b
commit 473b776166
5 changed files with 484 additions and 27 deletions
--- a/nix/application/containers.nix
+++ b/nix/application/containers.nix
@@ -146,7 +146,7 @@
      };

      vaultwarden = {
-        image = "vaultwarden/server:1.34.3";
+        image = "vaultwarden/server:1.35.2";
        ports = [ "40080:80" ];
        volumes = [
          "/home/sezycei/srv/containerdata/bitwarden/data:/data"
--- a/nix/application/headscale.nix
+++ b/nix/application/headscale.nix
@@ -5,7 +5,7 @@
    port = 35893;
    settings = { 
      dns = {
-        base_domain = "vpn.matri.cx";
+        base_domain = "ts.matri.cx";
        nameservers.global = ["192.168.0.130" "1.1.1.1"];
      };
      logtail.enabled = false; 
--- a/nix/application/nginx.nix
+++ b/nix/application/nginx.nix
@@ -2,6 +2,18 @@
  services.nginx = {
    enable = true;

+    appendHttpConfig = ''
+      log_format detailed '$remote_addr|||$remote_user|||$time_local|||'
+                          '$request|||$status|||$body_bytes_sent|||'
+                          '$http_referer|||$http_user_agent|||'
+                          '$request_time|||$upstream_response_time|||'
+                          '$http_x_forwarded_for|||$scheme|||$server_name';
+      error_log stderr;
+      access_log syslog:server=unix:/dev/log detailed;
+      #limit_req_status 429;
+      #limit_req_zone $binary_remote_addr zone=pri:40m rate=1r/s;
+    '';
+
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
@@ -15,13 +27,16 @@
        };

        static = { dir }: base {
-          "/".root = dir;
+          "/" = {
+            root = dir;
+            extraConfig = globalRateLimiting;
+          };
        };

        proxied = { target, extra ? "" }: base {
          "/" = {
            proxyPass = target;
-            extraConfig = extra;
+            extraConfig = globalRateLimiting + extra;
          };
        };

@@ -29,14 +44,14 @@
          "/" = {
            proxyPass = target;
            basicAuthFile = auth;
-            extraConfig = extra;
+            extraConfig = globalRateLimiting + extra;
          };
        };

        proxiedLAN = { target, extra ? ""}: base {
          "/" = {
            proxyPass = target;
-            extraConfig = allowedLANAddrs + extra;
+            extraConfig = globalRateLimiting + allowedLANAddrs + extra;
          };
        };

@@ -46,6 +61,10 @@
          allow 100.64.0.0/24;
          deny all;
        '';
+
+        globalRateLimiting = ''
+          #limit_req zone=pri burst=20 nodelay;
+        '';
      in
      {
        "default.host" = { default = true; root = "/var/www/default";};
@@ -66,7 +85,7 @@
        "git.eversole.co" = proxied { target = "http://127.0.0.1:8027"; };
        "graf.matri.cx" = { # refer to /monitoring/nginx.nix
          root = "/var/www/graf.matri.cx";
-          extraConfig = allowedLANAddrs;
+          extraConfig = globalRateLimiting + allowedLANAddrs;
        };
        "home.matri.cx" = {
          forceSSL = true;