Revert "refactor(traefik): remove geoblock middleware in favor of crowdsec"

This reverts commit c998c99bfc.

README.md

@@ -18,7 +18,7 @@ Based upon [Misterio77's starter configs](https://github.com/Misterio77/nix-star
 * __Opt-in persistence with ephemeral btrfs root and 14-day snapshot retention.__
 * __Snapper automated snapshots with tiered retention (24h/7d/4w/12m).__
 * __Automated borgbackup of mutable service and container data.__
-* __Traefik reverse proxy with crowdsec security middleware.__
+* __Traefik reverse proxy with geoblock and crowdsec security middleware.__
 * __Secrets managed with agenix and rekeyed with yubikey.__
 * __Standalone nixvim configuration for neovim.__
 * __Custom haskell packages for xmonad & xmobar.__

nixos/viridian/services/traefik/default.nix

@@ -70,7 +70,13 @@
 
       # Install plugins
       experimental.plugins = {
-        # Authorize or block requests from IPs based on their reputation and behaviour.
+        # Block or allow requests based on their country of origin.
+        geoblock = {
+          moduleName = "github.com/PascalMinder/geoblock";
+          version = "v0.2.7";
+        };
+
+        # Authorize or block requests from IPs based on there reputation and behaviour.
         bouncer = {
           moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
           version = "v1.3.5";
@@ -95,6 +101,7 @@
 
           # Enable some middlewares on all routers that use this entrypoint
           http.middlewares = [
+            "geoblock@file"
             "crowdsec@file"
           ];
 

nixos/viridian/services/traefik/middlewares.nix

@@ -1,6 +1,62 @@
 {...}: {
   # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
   services.traefik.dynamicConfigOptions.http.middlewares = {
+    # Restrict access based on geo-location
+    geoblock.plugin.geoblock = {
+      silentStartUp = "false";
+      allowLocalRequests = "true";
+      # If set to true will show a log message
+      logLocalRequests = "false";
+      logAllowedRequests = "false";
+      logApiRequests = "false";
+      # Application programming interface
+      api = "https://get.geojs.io/v1/ip/country/{ip}";
+      apiTimeoutMs = "750";
+      # Max size of least recently used cache
+      cacheSize = "25";
+      # OFAC (US) sanctions list
+      countries = [
+        "AF" # Afghanistan
+        "AL" # Albania
+        "BA" # Bosnia and Herzegovina
+        "BY" # Belarus
+        "CF" # Central African Republic (the)
+        "CN" # China
+        "CD" # Congo (the Democratic Republic of the)
+        "CU" # Cuba
+        "ET" # Ethiopia
+        "HK" # Hong Kong
+        "IR" # Iran (Islamic Republic of)
+        "IQ" # Iraq
+        "KP" # Korea (the Democratic People's Republic of)
+        "LB" # Lebanon
+        "LY" # Libya
+        "ML" # Mali
+        "ME" # Montenegro
+        "MM" # Myanmar
+        "MK" # Republic of North Macedonia
+        "NI" # Nicaragua
+        "RU" # Russian Federation (the)
+        "RS" # Serbia
+        "SO" # Somalia
+        "SS" # South Sudan
+        "SD" # Sudan (the)
+        "SY" # Syrian Arab Republic
+        "UA" # Ukraine
+        "VE" # Venezuela (Bolivarian Republic of)
+        "YE" # Yemen
+      ];
+      # Inverts filter logic
+      blackListMode = "true";
+      # Unknown Countries (IPs with no country association)
+      allowUnknownCountries = "false";
+      unknownCountryApiResponse = "nil";
+      # Adds the X-IPCountry header to the HTTP request header.
+      addCountryHeader = "false";
+      # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
+      forceMonthlyUpdate = "true";
+    };
+
     # Intrusion Prevention System
     crowdsec.plugin.bouncer = {
       enabled = "true";