Caddy: blocked IP ranges involved in spam. Thanks to ProjectSegfault

README.md

@@ -14,7 +14,9 @@ They are deployed with [Compose files](templates/compose) and load balanced acco
 
 ## Configurations
 
-Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Thanks to [TheFrenchGhosty](https://github.com/PussTheCat-org).
+Our caddy server blocks IP ranges that have been involved in mass spams. The [block range file](https://github.com/ProjectSegfault/ansible/blob/master/privfrontends/blocked-ranges.yaml) is created by [ProjectSegfault](https://projectsegfau.lt/). Thanks to their team.
+
+Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2). It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Thanks to [TheFrenchGhosty](https://github.com/PussTheCat-org).
 
 Data of our Privatebin, Etherpad, and Gitea instances are backed up periodically.
 

config-tasks/caddy.yaml

@@ -10,6 +10,29 @@
         - not geolite.stat.exists
       tags: never
 
+# ----------------------------------------------------------------------------------------------------
+
+    - name: Install yq on control host
+      apt:
+        name:
+          - yq
+        state: latest
+        install_recommends: false
+      delegate_to: "{{ control_host }}"
+
+    - name: Curl IP block range file by ProjectSegfault
+      command: curl --output /tmp/blocked-ranges.yaml https://raw.githubusercontent.com/ProjectSegfault/ansible/master/privfrontends/blocked-ranges.yaml
+      delegate_to: "{{ control_host }}"
+
+    - name: Read IP block range file by ProjectSegfault
+      ansible.builtin.shell: "yq -e '.blocked_ranges' /tmp/blocked-ranges.yaml"
+      register: result
+      delegate_to: "{{ control_host }}"
+
+    - name: Parse IP block range file by ProjectSegfault
+      set_fact:
+        blocked_ranges: "{{ result.stdout | from_yaml }}"
+
 # ----------------------------------------------------------------------------------------------------
 
     - name: Set up Caddyfile

templates/conf/Caddyfile.j2

@@ -92,6 +92,11 @@
 			header_up X-Forwarded-Proto {http.request.scheme}
 		}
 	}
+
+	# IP block range by ProjectSegfault
+	@denied client_ip {{ blocked_ranges }}
+	respond @denied "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
+
 }
 
 # ----------------------------------------------------------------------------------------------------
@@ -100,6 +105,7 @@
 
 *.{$HOSTNAME} {
 
+
 	log {
 		output discard
 	}
@@ -121,6 +127,10 @@
 		-Server
 	}
 
+	# IP block range by ProjectSegfault
+	@denied client_ip {{ blocked_ranges }}
+	respond @denied "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403
+
 	@about host about.{$HOSTNAME}
 	handle @about {
 		root * /www

vars/services.yaml

@@ -1,12 +1,10 @@
-compose:
-  oracle1:
-    - redlib
-  oracle2:
-    - redlib
-  oracle3:
-    - redlib
+config:
   oracle4:
-    - redlib
+    - caddy
+
+compose:
+  oracle4:
+    - caddy
 
 # ----------------------------------------------------------------------------------------------------