From e14dd1d224e9d7c4f1e2834d70cd1cc1a9ccbf2e Mon Sep 17 00:00:00 2001
From: Menno van Leeuwen
Date: Sun, 26 Oct 2025 00:21:27 +0000
Subject: [PATCH] Add EU and trusted country lists for Caddy access control

Define separate lists for EU and trusted countries in group vars. Update Caddyfile template to support EU, trusted, and combined allow lists. Switch Sathub domains to use combined country allow list.
---
 ansible/group_vars/servers.yml | 87 +++++++++++++++----
 .../tasks/servers/services/caddy/Caddyfile.j2 | 68 +++++++++++++--
 2 files changed, 129 insertions(+), 26 deletions(-)

diff --git a/ansible/group_vars/servers.yml b/ansible/group_vars/servers.yml
index f2f2121..bed20bb 100644
--- a/ansible/group_vars/servers.yml
+++ b/ansible/group_vars/servers.yml
@@ -2,26 +2,77 @@
 flatpaks: false
 install_ui_apps: false
+# European countries for EU-specific access control
+eu_countries_codes:
+ - AL # Albania
+ - AD # Andorra
+ - AM # Armenia
+ - AT # Austria
+ - AZ # Azerbaijan
+ # - BY # Belarus (Belarus is disabled due to geopolitical reasons)
+ - BE # Belgium
+ - BA # Bosnia and Herzegovina
+ - BG # Bulgaria
+ - HR # Croatia
+ - CY # Cyprus
+ - CZ # Czech Republic
+ - DK # Denmark
+ - EE # Estonia
+ - FI # Finland
+ - FR # France
+ - GE # Georgia
+ - DE # Germany
+ - GR # Greece
+ - HU # Hungary
+ - IS # Iceland
+ - IE # Ireland
+ - IT # Italy
+ - XK # Kosovo
+ - LV # Latvia
+ - LI # Liechtenstein
+ - LT # Lithuania
+ - LU # Luxembourg
+ - MK # North Macedonia
+ - MT # Malta
+ - MD # Moldova
+ - MC # Monaco
+ - ME # Montenegro
+ - NL # Netherlands
+ - NO # Norway
+ - PL # Poland
+ - PT # Portugal
+ - RO # Romania
+ # - RU # Russia (Russia is disabled due to geopolitical reasons)
+ - SM # San Marino
+ - RS # Serbia
+ - SK # Slovakia
+ - SI # Slovenia
+ - ES # Spain
+ - SE # Sweden
+ - CH # Switzerland
+ - TR # Turkey
+ - UA # Ukraine
+ - GB # United Kingdom
+ - VA # Vatican City
+
+# Trusted non-EU countries for extended access control
+trusted_countries_codes:
+ - US # United States
+ - AU # Australia
+ - NZ # New Zealand
+ - JP # Japan
+
 # Countries that are allowed to access the server Caddy reverse proxy
 allowed_countries_codes:
- - US # United States
- - CA # Canada
- - GB # United Kingdom
- - DE # Germany
- - FR # France
- - ES # Spain
- - IT # Italy
- - NL # Netherlands
- - AU # Australia
- - NZ # New Zealand
- - JP # Japan
- - KR # South Korea
- - SK # Slovakia
- - FI # Finland
- - DK # Denmark
- - SG # Singapore
- - AT # Austria
- - CH # Switzerland
+ - US # United States
+ - GB # United Kingdom
+ - DE # Germany
+ - FR # France
+ - IT # Italy
+ - NL # Netherlands
+ - JP # Japan
+ - KR # South Korea
+ - CH # Switzerland
 # IP ranges for blocked countries (generated automatically)
 # This will be populated by the country blocking script
diff --git a/ansible/tasks/servers/services/caddy/Caddyfile.j2 b/ansible/tasks/servers/services/caddy/Caddyfile.j2
index baaa866..17d0aff 100644
--- a/ansible/tasks/servers/services/caddy/Caddyfile.j2
+++ b/ansible/tasks/servers/services/caddy/Caddyfile.j2
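Review bot: The rewrite of `allowed_countries_codes` in the servers.yml hunk silently drops CA, ES, AU, NZ, SK, FI, DK, SG and AT from the general allow list, and neither the commit message nor a comment explains why; any vhost that still imports the generic allow snippet (not visible in this patch) will start answering 403 to visitors from those countries. If the narrowing is intended, record it above the list, e.g. `# Countries that are allowed to access the server Caddy reverse proxy (deliberately narrower than eu_countries_codes + trusted_countries_codes)`; otherwise restore the removed entries. The heading `# European countries for EU-specific access control` is also misleading, since the list is geographic Europe (GB, CH, NO, TR, UA, GE, AM and AZ are included) rather than EU member states, so a reader may assume a jurisdictional scope the filter does not enforce. `# Countries of geographic Europe (not EU membership) used by the eu_country_allow snippet` would state what is actually configured.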
@@ -28,22 +28,74 @@
 }
 {% endif %}
-# European country allow list - allows all European countries
+# European country allow list - allows all European countries only
+{% if eu_countries_codes | default([]) | length > 0 %}
 (eu_country_allow) {
- @allowed_local {
+ @eu_allowed_local {
 remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
 }
- @not_allowed_countries {
+ @eu_not_allowed_countries {
 not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
 not {
 maxmind_geolocation {
 db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
- allow_countries AL AD AM AT AZ BY BE BA BG HR CY CZ DK EE FI FR GE DE GR HU IS IE IT XK LV LI LT LU MK MT MD MC ME NL NO PL PT RO SM RS SK SI ES SE CH TR UA GB VA
+ allow_countries {{ eu_countries_codes | join(' ') }}
 }
 }
 }
- respond @not_allowed_countries "Access denied" 403
+ respond @eu_not_allowed_countries "Access denied" 403
 }
+{% else %}
+(eu_country_allow) {
+ # EU country allow list disabled
+}
+{% endif %}
+
+# Trusted country allow list - allows US, Australia, New Zealand, and Japan
+{% if trusted_countries_codes | default([]) | length > 0 %}
+(trusted_country_allow) {
+ @trusted_allowed_local {
+ remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+ }
+ @trusted_not_allowed_countries {
+ not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+ not {
+ maxmind_geolocation {
+ db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+ allow_countries {{ trusted_countries_codes | join(' ') }}
+ }
+ }
+ }
+ respond @trusted_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(trusted_country_allow) {
+ # Trusted country allow list disabled
+}
+{% endif %}
+
+# Sathub country allow list - combines EU and trusted countries
+{% if eu_countries_codes | default([]) | length > 0 and trusted_countries_codes | default([]) | length > 0 %}
+(sathub_country_allow) {
+ @sathub_allowed_local {
+ remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+ }
+ @sathub_not_allowed_countries {
+ not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+ not {
+ maxmind_geolocation {
+ db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+ allow_countries {{ (eu_countries_codes + trusted_countries_codes) | join(' ') }}
+ }
+ }
+ }
+ respond @sathub_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(sathub_country_allow) {
+ # Sathub country allow list disabled
+}
+{% endif %}
 {% if inventory_hostname == 'mennos-server' %}
 git.mvl.sh {
@@ -89,7 +141,7 @@ beszel.vleeuwen.me {
 }
 sathub.de {
- import eu_country_allow
+ import sathub_country_allow
 handle {
 reverse_proxy sathub-frontend:4173
@@ -110,13 +162,13 @@ sathub.de {
 }
 api.sathub.de {
- import eu_country_allow
+ import sathub_country_allow
 reverse_proxy sathub-backend:4001
 tls {{ caddy_email }}
 }
 sathub.nl {
- import eu_country_allow
+ import sathub_country_allow
 redir https://sathub.de{uri}
 tls {{ caddy_email }}
 }
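Review bot: The `{% else %}` branches added for `eu_country_allow`, `trusted_country_allow` and `sathub_country_allow` in the first Caddyfile hunk fail open: when a list variable is missing or empty the snippet renders as a bare comment, so every site that imports it (the `sathub.de`, `api.sathub.de` and `sathub.nl` hunks below) loses its geo-filter with no error in the Ansible run and nothing in the Caddy log. A misconfigured group var should not silently widen exposure; the `| default([])` is what turns an undefined variable into that no-op, so either drop it together with the `{% else %}` branches so templating aborts, or make the disabled snippet deny by default, `respond "Access denied" 403`, so the operator notices. The `sathub_country_allow` condition additionally requires both lists to be non-empty, so an empty `trusted_countries_codes` disables the European restriction for Sathub as well instead of falling back to it. The three snippets differ only in their name and list, which a single Jinja macro taking those two values would keep from drifting apart, and the comment `# Trusted country allow list - allows US, Australia, New Zealand, and Japan` hard-codes what `trusted_countries_codes` already defines and should just point at the variable.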