archweb: tweak our rate limits

This tries to address two issues we have:

• Some folks retrieve the mirror status json every 4/5 seconds leading to ~ 8GB of bandwidth used per day. Now they will get banned by the nginx-limit-req jail of fail2ban
• Lower rate limits as they are too high, in reality loading an archlinux.org page has one request go to the backend. So the 20 requests limit is way too high. Lowering this has catched some silly wordpress/vulnerability scanners and they also get banned now by nginx-limit-req jail.

roles/archweb/templates/nginx.d.conf.j2

 # limit rss requests to 1 r/m
 limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
 
-# limit general requests to 20 r/s to block DoS attempts.
-limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=20r/s;
+# limit mirrors/status/json requests to 1 r/m
+limit_req_zone $binary_remote_addr zone=mirrorstatuslimit:8m rate=1r/m;
+
+# limit general requests to 10 r/s to block DoS attempts.
+limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=10r/s;
 
 limit_req_status 429;
 
@@ -191,6 +194,19 @@ server {
         limit_req zone=rsslimit burst=10 nodelay;
     }
 
+    # Rate limit mirror status json endpoint
+    location /mirrors/status/json {
+        include uwsgi_params;
+        uwsgi_pass archweb;
+
+        uwsgi_cache archwebcache;
+        uwsgi_cache_revalidate on;
+        uwsgi_cache_key $cache_key;
+        add_header X-Cache-Status $upstream_cache_status;
+
+        limit_req zone=mirrorstatuslimit burst=10 nodelay;
+    }
+
     # Temporary redirects
     location /people/trusted-user-fellows/ {
         return 301 /people/package-maintainer-fellows/;