refactor(traefik): remove geoblock middleware in favor of crowdsec

Geoblocking is easily bypassed via VPNs and provides false security.
CrowdSec handles this better with behavioral detection.

README.md

@@ -18,7 +18,7 @@ Based upon [Misterio77's starter configs](https://github.com/Misterio77/nix-star
 * __Opt-in persistence with ephemeral btrfs root and 14-day snapshot retention.__
 * __Snapper automated snapshots with tiered retention (24h/7d/4w/12m).__
 * __Automated borgbackup of mutable service and container data.__
-* __Traefik reverse proxy with geoblock and crowdsec security middleware.__
+* __Traefik reverse proxy with crowdsec security middleware.__
 * __Secrets managed with agenix and rekeyed with yubikey.__
 * __Standalone nixvim configuration for neovim.__
 * __Custom haskell packages for xmonad & xmobar.__

nixos/viridian/services/traefik/default.nix

@@ -70,13 +70,7 @@
 
       # Install plugins
       experimental.plugins = {
-        # Block or allow requests based on their country of origin.
+        # Authorize or block requests from IPs based on their reputation and behaviour.
-        geoblock = {
-          moduleName = "github.com/PascalMinder/geoblock";
-          version = "v0.2.7";
-        };
-
-        # Authorize or block requests from IPs based on there reputation and behaviour.
         bouncer = {
           moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
           version = "v1.3.5";
@@ -101,7 +95,6 @@
 
           # Enable some middlewares on all routers that use this entrypoint
           http.middlewares = [
-            "geoblock@file"
             "crowdsec@file"
           ];
 

nixos/viridian/services/traefik/middlewares.nix

@@ -1,62 +1,6 @@
 {...}: {
   # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
   services.traefik.dynamicConfigOptions.http.middlewares = {
-    # Restrict access based on geo-location
-    geoblock.plugin.geoblock = {
-      silentStartUp = "false";
-      allowLocalRequests = "true";
-      # If set to true will show a log message
-      logLocalRequests = "false";
-      logAllowedRequests = "false";
-      logApiRequests = "false";
-      # Application programming interface
-      api = "https://get.geojs.io/v1/ip/country/{ip}";
-      apiTimeoutMs = "750";
-      # Max size of least recently used cache
-      cacheSize = "25";
-      # OFAC (US) sanctions list
-      countries = [
-        "AF" # Afghanistan
-        "AL" # Albania
-        "BA" # Bosnia and Herzegovina
-        "BY" # Belarus
-        "CF" # Central African Republic (the)
-        "CN" # China
-        "CD" # Congo (the Democratic Republic of the)
-        "CU" # Cuba
-        "ET" # Ethiopia
-        "HK" # Hong Kong
-        "IR" # Iran (Islamic Republic of)
-        "IQ" # Iraq
-        "KP" # Korea (the Democratic People's Republic of)
-        "LB" # Lebanon
-        "LY" # Libya
-        "ML" # Mali
-        "ME" # Montenegro
-        "MM" # Myanmar
-        "MK" # Republic of North Macedonia
-        "NI" # Nicaragua
-        "RU" # Russian Federation (the)
-        "RS" # Serbia
-        "SO" # Somalia
-        "SS" # South Sudan
-        "SD" # Sudan (the)
-        "SY" # Syrian Arab Republic
-        "UA" # Ukraine
-        "VE" # Venezuela (Bolivarian Republic of)
-        "YE" # Yemen
-      ];
-      # Inverts filter logic
-      blackListMode = "true";
-      # Unknown Countries (IPs with no country association)
-      allowUnknownCountries = "false";
-      unknownCountryApiResponse = "nil";
-      # Adds the X-IPCountry header to the HTTP request header.
-      addCountryHeader = "false";
-      # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
-      forceMonthlyUpdate = "true";
-    };
-
     # Intrusion Prevention System
     crowdsec.plugin.bouncer = {
       enabled = "true";