Add EU and trusted country lists for Caddy access control

Define separate lists for EU and trusted countries in group vars. Update
Caddyfile template to support EU, trusted, and combined allow lists.
Switch Sathub domains to use combined country allow list.

ansible/group_vars/servers.yml

@@ -2,26 +2,77 @@
 flatpaks: false
 install_ui_apps: false
 
+# European countries for EU-specific access control
+eu_countries_codes:
+    - AL # Albania
+    - AD # Andorra
+    - AM # Armenia
+    - AT # Austria
+    - AZ # Azerbaijan
+    # - BY # Belarus (Belarus is disabled due to geopolitical reasons)
+    - BE # Belgium
+    - BA # Bosnia and Herzegovina
+    - BG # Bulgaria
+    - HR # Croatia
+    - CY # Cyprus
+    - CZ # Czech Republic
+    - DK # Denmark
+    - EE # Estonia
+    - FI # Finland
+    - FR # France
+    - GE # Georgia
+    - DE # Germany
+    - GR # Greece
+    - HU # Hungary
+    - IS # Iceland
+    - IE # Ireland
+    - IT # Italy
+    - XK # Kosovo
+    - LV # Latvia
+    - LI # Liechtenstein
+    - LT # Lithuania
+    - LU # Luxembourg
+    - MK # North Macedonia
+    - MT # Malta
+    - MD # Moldova
+    - MC # Monaco
+    - ME # Montenegro
+    - NL # Netherlands
+    - NO # Norway
+    - PL # Poland
+    - PT # Portugal
+    - RO # Romania
+    # - RU # Russia (Russia is disabled due to geopolitical reasons)
+    - SM # San Marino
+    - RS # Serbia
+    - SK # Slovakia
+    - SI # Slovenia
+    - ES # Spain
+    - SE # Sweden
+    - CH # Switzerland
+    - TR # Turkey
+    - UA # Ukraine
+    - GB # United Kingdom
+    - VA # Vatican City
+
+# Trusted non-EU countries for extended access control
+trusted_countries_codes:
+    - US # United States
+    - AU # Australia
+    - NZ # New Zealand
+    - JP # Japan
+
 # Countries that are allowed to access the server Caddy reverse proxy
 allowed_countries_codes:
-  - US # United States
+    - US # United States
-  - CA # Canada
+    - GB # United Kingdom
-  - GB # United Kingdom
+    - DE # Germany
-  - DE # Germany
+    - FR # France
-  - FR # France
+    - IT # Italy
-  - ES # Spain
+    - NL # Netherlands
-  - IT # Italy
+    - JP # Japan
-  - NL # Netherlands
+    - KR # South Korea
-  - AU # Australia
+    - CH # Switzerland
-  - NZ # New Zealand
-  - JP # Japan
-  - KR # South Korea
-  - SK # Slovakia
-  - FI # Finland
-  - DK # Denmark
-  - SG # Singapore
-  - AT # Austria
-  - CH # Switzerland
 
 # IP ranges for blocked countries (generated automatically)
 # This will be populated by the country blocking script

ansible/tasks/servers/services/caddy/Caddyfile.j2

@@ -28,22 +28,74 @@
 }
 {% endif %}
 
-# European country allow list - allows all European countries
+# European country allow list - allows all European countries only
+{% if eu_countries_codes | default([]) | length > 0 %}
 (eu_country_allow) {
-    @allowed_local {
+    @eu_allowed_local {
         remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
     }
-    @not_allowed_countries {
+    @eu_not_allowed_countries {
         not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
         not {
             maxmind_geolocation {
                 db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
-                allow_countries AL AD AM AT AZ BY BE BA BG HR CY CZ DK EE FI FR GE DE GR HU IS IE IT XK LV LI LT LU MK MT MD MC ME NL NO PL PT RO SM RS SK SI ES SE CH TR UA GB VA
+                allow_countries {{ eu_countries_codes | join(' ') }}
             }
         }
     }
-    respond @not_allowed_countries "Access denied" 403
+    respond @eu_not_allowed_countries "Access denied" 403
 }
+{% else %}
+(eu_country_allow) {
+    # EU country allow list disabled
+}
+{% endif %}
+
+# Trusted country allow list - allows US, Australia, New Zealand, and Japan
+{% if trusted_countries_codes | default([]) | length > 0 %}
+(trusted_country_allow) {
+    @trusted_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @trusted_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ trusted_countries_codes | join(' ') }}
+            }
+        }
+    }
+    respond @trusted_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(trusted_country_allow) {
+    # Trusted country allow list disabled
+}
+{% endif %}
+
+# Sathub country allow list - combines EU and trusted countries
+{% if eu_countries_codes | default([]) | length > 0 and trusted_countries_codes | default([]) | length > 0 %}
+(sathub_country_allow) {
+    @sathub_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @sathub_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ (eu_countries_codes + trusted_countries_codes) | join(' ') }}
+            }
+        }
+    }
+    respond @sathub_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(sathub_country_allow) {
+    # Sathub country allow list disabled
+}
+{% endif %}
 
 {% if inventory_hostname == 'mennos-server' %}
 git.mvl.sh {
@@ -89,7 +141,7 @@ beszel.vleeuwen.me {
 }
 
 sathub.de {
-   import eu_country_allow
+   import sathub_country_allow
 
    handle {
        reverse_proxy sathub-frontend:4173
@@ -110,13 +162,13 @@ sathub.de {
 }
 
 api.sathub.de {
-   import eu_country_allow
+   import sathub_country_allow
    reverse_proxy sathub-backend:4001
    tls {{ caddy_email }}
 }
 
 sathub.nl {
-   import eu_country_allow
+   import sathub_country_allow
    redir https://sathub.de{uri}
    tls {{ caddy_email }}
 }