From f313a6d32d5f663187d63b09c7ca90234ae1775c Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Mon, 21 Apr 2025 14:12:29 -0500
Subject: [PATCH] traefik geoblock

---
 hosts/nas/apps/traefik/default.nix | 61 +++++++++++++++++++-----------
 1 file changed, 38 insertions(+), 23 deletions(-)

diff --git a/hosts/nas/apps/traefik/default.nix b/hosts/nas/apps/traefik/default.nix
index 296937e..73876e9 100755
--- a/hosts/nas/apps/traefik/default.nix
+++ b/hosts/nas/apps/traefik/default.nix
@@ -92,6 +92,10 @@ in
 moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
 version = "v1.4.2";
 };
+ geoblock = {
+ moduleName = "github.com/PascalMinder/geoblock";
+ version = "v0.2.5";
+ };
 };
 };
 };
@@ -135,17 +139,28 @@ in
 };
 };
 };
- # test-errors = {
- # errors = {
- # status = [
- # "500"
- # "501"
- # "503"
- # "505-599"
- # ];
- # service =
- # };
- # }
+ whitelist-geoblock = {
+ plugin = {
+ geoblock = {
+ silentStartUp = false;
+ allowLocalRequests = true;
+ logLocalRequests = false;
+ logAllowedRequests = false;
+ logApiRequests = false;
+ api = "https://get.geojs.io/v1/ip/country/{ip}";
+ apiTimeoutMs = 500;
+ cacheSize = 25;
+ forceMonthlyUpdate = true;
+ allowUnknownCountries = false;
+ unknownCountryApiResponse = "nil";
+ blackListMode = false;
+ countries = [
+ "CA"
+ "US"
+ ];
+ };
+ };
+ };
 };
 
 services = {
@@ -216,7 +231,7 @@ in
 entryPoints = [ "websecure" ];
 rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
 service = "auth";
- middlewares = [ "crowdsec" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
 priority = 15;
 tls.certResolver = "letsencrypt";
 };
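Review bot: With `allowUnknownCountries = false` and `apiTimeoutMs = 500`, the new `whitelist-geoblock` middleware presumably fails closed whenever get.geojs.io is slow or unreachable, so an outage of that third-party service becomes a denial of service for every visitor whose address is not among the cached entries. `cacheSize = 25` is very small for a proxy that fronts every router in this file; a larger cache reduces both the dependence on the external API and the number of visitor IPs handed to a third party. Fail-closed is the right choice for an allow-list, but it deserves a comment next to `allowUnknownCountries`, e.g. `# fail closed: an unresolved or timed-out lookup is treated as a blocked country`. `allowLocalRequests = true` is only safe if the client address comes from the connection rather than a client-supplied forwarded header; if the plugin consults `X-Forwarded-For` (I believe upstream does), confirm the `websecure` entrypoint limits `forwardedHeaders.trustedIPs` to the actual upstream proxies. The enclosing `middlewares` attribute set starts before this hunk.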
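Review bot: The literal `[ "crowdsec" "whitelist-geoblock" ]` is now copied by hand into the `auth` router in the last hunk here and into `authentik`, `onlyoffice`, `cloud`, `jellyfin`, `jellyseerr`, `gitea`, `actual`, `hass` and `cache` in the following hunks, so the next router added to this file can silently miss the geoblock. One binding in the `let` that the hunk headers show (`defaultMiddlewares = [ "crowdsec" "whitelist-geoblock" ];`), used as `middlewares = defaultMiddlewares;` or `middlewares = defaultMiddlewares ++ [ "authentik" ];`, keeps the baseline in a single place and makes any deliberate exception visible. The `routers` set enclosing these entries starts before the hunk.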
@@ -224,56 +239,56 @@ in
 entryPoints = [ "websecure" ];
 rule = "Host(`authentik.${domain}`)";
 service = "authentik";
- middlewares = [ "crowdsec" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
 tls.certResolver = "letsencrypt";
 };
 onlyoffice = {
 entryPoints = [ "websecure" ];
 rule = "Host(`office.${domain}`)";
 service = "onlyoffice";
- middlewares = [ "crowdsec" "onlyoffice-websocket" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
 tls.certResolver = "letsencrypt";
 };
 cloud = {
 entryPoints = [ "websecure" ];
 rule = "Host(`cloud.${domain}`)";
 service = "cloud";
- middlewares = [ "crowdsec" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
 tls.certResolver = "letsencrypt";
 };
 jellyfin = {
 entryPoints = [ "websecure" ];
 rule = "Host(`jellyfin.${domain}`)";
 service = "jellyfin";
- middlewares = [ "crowdsec" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
 tls.certResolver = "letsencrypt";
 };
 jellyseerr = {
 entryPoints = [ "websecure" ];
 rule = "Host(`jellyseerr.${domain}`)";
 service = "jellyseerr";
- middlewares = [ "crowdsec" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
 tls.certResolver = "letsencrypt";
 };
 gitea = {
 entryPoints = [ "websecure" ];
 rule = "Host(`gitea.${domain}`)";
 service = "gitea";
- middlewares = [ "crowdsec" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
 tls.certResolver = "letsencrypt";
 };
 actual = {
 entryPoints = [ "websecure" ];
 rule = "Host(`actual.${domain}`)";
 service = "actual";
- middlewares = [ "crowdsec" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" ];
 tls.certResolver = "letsencrypt";
 };
 hass = {
 entryPoints = [ "websecure" ];
 rule = "Host(`hass.${domain}`)";
 service = "hass";
- middlewares = [ "crowdsec" "authentik" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
 priority = 10;
 tls.certResolver = "letsencrypt";
 };
@@ -281,7 +296,7 @@ in
 # entryPoints = [ "websecure" ];
 # rule = "Host(`chat.${domain}`)";
 # service = "chat";
- # # middlewares = [ "authentik" ];
+ # middlewares = [ "authentik" "whitelist-geoblock" ];
 # priority = 10;
 # tls.certResolver = "letsencrypt";
 # };
@@ -289,7 +304,7 @@ in
 entryPoints = [ "websecure" ];
 rule = "Host(`cache.${domain}`)";
 service = "cache";
- middlewares = [ "crowdsec" "authentik" ];
+ middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
 priority = 10;
 tls.certResolver = "letsencrypt";
 };
@@ -297,11 +312,11 @@ in
 # entryPoints = ["websecure"];
 # rule = "Host(`paperless.${domain}`)";
 # service = "paperless";
+ # middlewares = [ "crowdsec" "whitelist-geoblock" ];
 # tls.certResolver = "letsencrypt";
 # };
 };
 };
 };
 };
- # todo: fail2ban/etc
 }
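Review bot: The commented-out `chat` router in the first hunk is given `[ "authentik" "whitelist-geoblock" ]`, which omits `crowdsec` and reverses the order every live router in this commit uses, so uncommenting it later would bypass the bouncer on that host. It is inert today, so the fix is only to keep the template consistent with its neighbours, `# middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];`. The commented `paperless` entry in the last hunk already follows the live pattern, so no change is needed there.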