Integrate anubis for gitea

redxen.eu/daemons/anubis/Containerfile

@@ -0,0 +1,7 @@
+FROM ghcr.io/techarohq/anubis
+
+ENV \
+	METRICS_BIND=:9103 \
+	SERVE_ROBOTS_TXT=true
+
+ADD botPolicy.json /data/cfg/botPolicy.json

redxen.eu/daemons/anubis/botPolicy.json

@@ -0,0 +1,24 @@
+{
+  "bots": [
+    {
+      "name": "well-known",
+      "path_regex": "^/.well-known/.*$",
+      "action": "ALLOW"
+    },
+    {
+      "name": "favicon",
+      "path_regex": "^/favicon.ico$",
+      "action": "ALLOW"
+    },
+    {
+      "name": "robots-txt",
+      "path_regex": "^/robots.txt$",
+      "action": "ALLOW"
+    },
+    {
+      "name": "generic-browser",
+      "user_agent_regex": "Mozilla",
+      "action": "CHALLENGE"
+    }
+  ]
+}

redxen.eu/daemons/gitea/base/config.ini

@@ -73,6 +73,7 @@ INTERNAL_TOKEN_URI              = file:/etc/gitea/internal_token
 IMPORT_LOCAL_PATHS              = false
 PASSWORD_COMPLEXITY             = lower,upper,digit
 PASSWORD_CHECK_PWN              = true
+REVERSE_PROXY_TRUSTED_PROXIES   = fd08::/48,10.30.0.0/16,fd09::/108,10.31.0.0/16
 
 [service]
 DISABLE_REGISTRATION            = true

redxen.eu/daemons/haproxy/main.cfg

@@ -95,6 +95,9 @@ frontend http
 	# Static ACME challenge
 	http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
 
+	# Real IP
+	http-request set-header X-REAL-IP %[src]
+
 	http-response set-header X-Forwarded-Proto https
 	http-response set-header X-XSS-Protection 1;\ mode=block
 	http-response set-header X-Content-Type-Options nosniff
@@ -144,7 +147,7 @@ backend backend-stats
 backend backend-git
 	server-template gitea 1 _http._tcp.gitea-sv.redxen.svc.cluster.local
 	option httpchk GET / HTTP/1.1
-	http-check send hdr Host git.redxen.eu
+	http-check send hdr Host git.redxen.eu hdr X-Real-IP "::1"
 	timeout check 10s
 
 backend backend-btdown