Exempt Matrix server from ntfy rate limit (#2135)

* Exempt Matrix server from ntfy rate limit Add the matrix fqdn and localhost to ntfy's exemption list. Also allow all ntfy rate limits to be configured through Ansible variables. * Fix names and formatting * fixes * tabs not spaces * Lint * Use raw tags instead of bracket soup
2022-11-24 14:12:43 -05:00 · 2022-11-24 14:12:43 -05:00 · 140acfcc5f
commit 140acfcc5f
parent 9c0cf5481a
3 changed files with 18 additions and 2 deletions
--- a/roles/custom/matrix-ntfy/defaults/main.yml
+++ b/roles/custom/matrix-ntfy/defaults/main.yml
@ -14,6 +14,14 @@ matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':lat
 # Public facing base URL of the ntfy service
 matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}"

+# Rate limits
+
+matrix_ntfy_global_topic_limit: 15000  # default
+matrix_ntfy_visitor_subscription_limit: 30  # default
+matrix_ntfy_visitor_request_limit_burst: 60  # default
+matrix_ntfy_visitor_request_limit_replenish: "5s"  # default
+
+
 # Controls whether the container exposes its HTTP port (tcp/80 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2586"), or empty string to not expose.
--- a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2
+++ b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2
@ -2,3 +2,10 @@ base_url: {{ matrix_ntfy_base_url }}
 behind_proxy: true
 cache_file: /data/cache.db
 listen-http: :8080
+
+# Rate Limits
+global-topic-limit: {{ matrix_ntfy_global_topic_limit | to_json }}
+visitor-subscription-limit: {{ matrix_ntfy_visitor_subscription_limit | to_json }}
+
+visitor-request-limit-burst: {{ matrix_ntfy_visitor_request_limit_burst | to_json }}
+visitor-request-limit-replenish: "{{ matrix_ntfy_visitor_request_limit_replenish }}"
--- a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2
+++ b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2
@ -11,11 +11,12 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'

-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \
+ExecStart={{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
+			--env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS={{matrix_server_fqn_matrix}},localhost,$(docker network inspect {{matrix_docker_network}} -f "{% raw %}{{ (index .IPAM.Config 0).Subnet }}{% endraw %}") \
 			{% for arg in matrix_ntfy_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
@ -26,7 +27,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			--mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \
 			--mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \
 			{{ matrix_ntfy_docker_image }} \
-			serve
+			serve'

 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'