From 3b4ad7c45cc6cf72746691af810b8d6b2a1b2954 Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Fri, 25 Sep 2020 11:41:15 -0400
Subject: [PATCH] GitHub linguist .yml, fail2ban config fixes
---
 .gitattributes | 1 +
 ansible/roles/common/files/fail2ban/jails/nginx.local | 6 +++++-
 ansible/roles/common/files/fail2ban/jails/sshd.local | 2 +-
 .../http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 | 3 +++
 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.gitattributes b/.gitattributes
index 6be7b46..e859268 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 .pass.sh filter=git-crypt diff=git-crypt
 ansible/vars/vault.yml filter=git-crypt diff=git-crypt
+*.yml linguist-detectable
diff --git a/ansible/roles/common/files/fail2ban/jails/nginx.local b/ansible/roles/common/files/fail2ban/jails/nginx.local
index 585b2e4..2826281 100644
--- a/ansible/roles/common/files/fail2ban/jails/nginx.local
+++ b/ansible/roles/common/files/fail2ban/jails/nginx.local
@@ -1,9 +1,11 @@
 [nginx-limit-req]
 enabled = true
 port = http,https
+logpath = %(nginx_error_log)s
 findtime = 600
 bantime = 1w
 maxretry = 8
+ignoreip = 127.0.0.1/32 192.168.1.0/24

 [nginx-http-auth]
 enabled = true
@@ -11,10 +13,12 @@ port = http,https
 logpath = %(nginx_error_log)s
 bantime = 2w
 maxretry = 5
+ignoreip = 127.0.0.1/32 192.168.1.0/24

 [nginx-botsearch]
 enabled = true
 port = http,https
-logpath = %(nginx_error_log)s
+logpath = %(nginx_access_log)s
 bantime = 1w
 maxretry = 5
+ignoreip = 127.0.0.1/32 192.168.1.0/24
diff --git a/ansible/roles/common/files/fail2ban/jails/sshd.local b/ansible/roles/common/files/fail2ban/jails/sshd.local
index 1965b7d..301b63a 100644
--- a/ansible/roles/common/files/fail2ban/jails/sshd.local
+++ b/ansible/roles/common/files/fail2ban/jails/sshd.local
@@ -6,5 +6,5 @@ backend = systemd
 maxretry = 5
 findtime = 1d
 bantime = 2w
-ignoreip = 127.0.0.1/8 192.168.1.0/24
+ignoreip = 127.0.0.1/32 192.168.1.0/24
 logpath = %(sshd_log)s
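Review bot: The `ignoreip = 127.0.0.1/32 192.168.1.0/24` line added to `[nginx-limit-req]` exempts every host on the LAN from this jail, and the same value is repeated in `[nginx-http-auth]`, `[nginx-botsearch]` and in `sshd.local`. A compromised or misbehaving device in 192.168.1.0/24 is then never banned, and if nginx ever sees its clients through a proxy or NAT address in that range, nobody is. Consider listing only the specific management hosts and setting the value once under `[DEFAULT]` so the jails cannot drift apart. A comment such as `# LAN exemption: admin hosts only, keep in sync with sshd.local` would record the intent.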
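Review bot: Pointing `[nginx-botsearch]` at `%(nginx_access_log)s` relies on the filter's access-log pattern, which expects each line to start with the client address as in nginx's default `combined` format. If the sites use a custom `log_format` (not visible in this patch), the jail would silently match nothing. A comment above the line, e.g. `# access log: botsearch matches 404s on probe URLs; requires combined-style log_format`, would document that dependency. Running `fail2ban-regex` against a sample of the real access log would confirm the filter still matches.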
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 index 0807735..bdeb554 100644 --- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 +++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 @@ -8,6 +8,9 @@ server { server_name {{ ci_server_name }}; add_header Strict-Transport-Security max-age=6307200; + add_header Allow "GET, POST, HEAD" always; + + limit_except GET POST { deny all; } ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
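Review bot: `limit_except` is only valid inside a `location` block, yet the added line sits among server-level directives, between the `add_header` lines and `ssl_certificate`, so `nginx -t` would be expected to reject the rendered config. Either move it into the relevant `location` block(s), which lie outside this hunk, or use a server-level check such as `if ($request_method !~ ^(GET|HEAD|POST)$) { return 405; }`. Indentation is lost on this page, so the nesting should be confirmed against the template. Note also that server-level `add_header` lines are not inherited by any `location` that declares its own `add_header`, so the new `Allow` header (and the existing HSTS header) may be missing on those responses.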