From b7958c76c28d89e90f38c1d37f8328d3ee9ee8da Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 15 Nov 2025 10:19:23 -0300
Subject: Feat: configurable per-site rate limiting

---
 manifests/site.pp | 10 ++++++++++
 manifests/site/config.pp | 5 +++++
 templates/site-ssl.erb | 8 ++++++++
 3 files changed, 23 insertions(+)

diff --git a/manifests/site.pp b/manifests/site.pp
index 4455f45..737a210 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -11,6 +11,11 @@ define nginx::site(
 $cache_size = '10m',
 $cache_inactive = '600s',
 $cache_max_size = '1m',
+ $rate_limit = false,
+ $rate_limit_key = '$binary_remote_addr',
+ $rate_limit_zone = $name,
+ $rate_limit_size = "10m",
+ $rate_limit_rate = "20r/s",
 $x_frame_options = 'DENY',
 ) {
 nginx::site::config { $name:
@@ -47,6 +52,11 @@ define nginx::site(
 cache_size => $cache_size,
 cache_inactive => $cache_inactive,
 cache_max_size => $cache_max_size,
+ rate_limit => $rate_limit,
+ rate_limit_key => $rate_limit_key,
+ rate_limit_zone => $rate_limit_zone,
+ rate_limit_size => $rate_limit_size,
+ rate_limit_rate => $rate_limit_rate,
 x_frame_options => $x_frame_options,
 require => $certbot ? {
 true => $ensure ? {
diff --git a/manifests/site/config.pp b/manifests/site/config.pp
index 0cdceea..c0e1809 100644
--- a/manifests/site/config.pp
+++ b/manifests/site/config.pp
@@ -10,6 +10,11 @@ define nginx::site::config(
 $cache_size = '10m',
 $cache_inactive = '600s',
 $cache_max_size = '1m',
+ $rate_limit = false,
+ $rate_limit_key = '$binary_remote_addr',
+ $rate_limit_zone = $server_name,
+ $rate_limit_size = "10m",
+ $rate_limit_rate = "20r/s",
 $x_frame_options = 'DENY',
 ){
 case $source {
diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb
index c852954..11a69dd 100644
--- a/templates/site-ssl.erb
+++ b/templates/site-ssl.erb
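Review bot: The default `$rate_limit_zone = $name` in the first site.pp hunk disagrees with the `$rate_limit_zone = $server_name` default added to `nginx::site::config` in the config.pp hunk, and because the second site.pp hunk forwards `rate_limit_zone => $rate_limit_zone` unconditionally, the config.pp default is dead code. The site-ssl.erb hunk emits `limit_req_zone` only when `@rate_limit_zone == @server_name`, so a site whose resource title differs from its server_name would get a `limit_req zone=…` directive naming a zone that is never declared, and nginx rejects such a configuration at load time. Either give both defined types the same default (if `nginx::site` declares `$server_name` ahead of this parameter, `$rate_limit_zone = $server_name,` would do) or drop the zone/server_name comparison from the template guard. Minor: `"10m"` and `"20r/s"` are double-quoted while every neighbouring default is single-quoted and puppet-lint flags double quotes without interpolation, `$rate_limit_size = '10m',` and `$rate_limit_rate = '20r/s',` in both manifests.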
@@ -1,6 +1,9 @@ <% if @cache == true -%> proxy_cache_path /var/cache/nginx/<%= @name %> levels=<%= @cache_levels %> keys_zone=<%= @name %>:<%= @cache_size %> inactive=<%= @cache_inactive %> max_size=<%= @cache_max_size %>; <% end -%> +<% if @rate_limit == true and @rate_limit_zone == @server_name -%> +limit_req_zone <%= @rate_limit_key %> zone=<%= @rate_limit_zone %>:<%= @rate_limit_size %> rate=<%= @rate_limit_rate %>; +<% end -%> server { listen 443; server_name <%= @server_name %> <%= @aliases %>; @@ -28,6 +31,11 @@ server { # cache config proxy_cache <%= @name %>; +<% end -%> +<% if @rate_limit == true -%> + + # rate limiting + limit_req zone=<%= @rate_limit_zone %>; <% end -%> } } -- cgit v1.2.3
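Review bot: `limit_req_zone <%= @rate_limit_key %>` with the default key `$binary_remote_addr` buckets clients by the TCP peer address, so when this vhost sits behind a load balancer or CDN every visitor shares one bucket and the whole site is throttled to the configured rate; the `rate_limit_key` parameter deserves a comment saying that in such deployments the key must be changed or the real_ip module configured first. The key, zone name, size and rate are interpolated verbatim into the directive, and a value nginx does not accept (a size without a unit, a zone name containing spaces) only surfaces at `nginx -t`, which is worth a comment above the directive for operators editing the manifest. The intent of the guard `@rate_limit_zone == @server_name` is not stated anywhere; I would add `<%# the zone is declared only by the site whose server_name matches; other sites may reference it by name -%>` above it.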
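Review bot: `limit_req zone=<%= @rate_limit_zone %>;` sets no `burst`, so with the default rate of 20r/s any request arriving less than 50 ms after the previous one from the same key is rejected with 503 — a single page load fetching several assets in parallel will trip it. Consider exposing a burst parameter and emitting `limit_req zone=<%= @rate_limit_zone %> burst=<%= @rate_limit_burst %> nodelay;`, which needs a matching parameter threaded through the two manifests. A short comment that rejections are logged at error level and that `limit_req_status` / `limit_req_log_level` can be tuned would also help whoever turns this on. The `server { … }` block these lines are emitted into starts outside the hunk.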