From d0f24ade78f63758f719b7e57a7010d6e462d731 Mon Sep 17 00:00:00 2001
From: kisfenyo
Date: Tue, 20 Jan 2026 16:58:18 +0100
Subject: [PATCH] added geoip annotations to immich and opengist ingresses
---
 immich-system/immich.yaml | 45 ++++++++++++++++++++++++++++++
 opengist-system/opengist.yaml | 52 +++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)
diff --git a/immich-system/immich.yaml b/immich-system/immich.yaml
index 0c9cfdb..3ffc7ca 100644
--- a/immich-system/immich.yaml
+++ b/immich-system/immich.yaml
@@ -474,6 +474,51 @@ metadata:
 external-dns.alpha.kubernetes.io/hostname: photos.dooplex.hu
 nginx.ingress.kubernetes.io/proxy-body-size: "0"
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ # GeoIP-based access control
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ # GeoIP-based access control for Immich
+ # Allows Hungarian traffic everywhere, worldwide only for /share/* paths
+
+ set $geo_allowed 0;
+
+ # Allow all Hungarian traffic
+ if ($geoip2_city_country_code = "HU") {
+ set $geo_allowed 1;
+ }
+
+ # Allow public share paths from anywhere
+ if ($request_uri ~* "^/share/") {
+ set $geo_allowed 1;
+ }
+
+ # API endpoints needed for shared content
+ if ($request_uri ~* "^/api/shared-links") {
+ set $geo_allowed 1;
+ }
+
+ # Assets for shared albums (thumbnails and originals)
+ if ($request_uri ~* "^/api/assets/.*/thumbnail") {
+ set $geo_allowed 1;
+ }
+ if ($request_uri ~* "^/api/assets/.*/original") {
+ set $geo_allowed 1;
+ }
+
+ # Static assets needed for share page rendering
+ if ($request_uri ~* "^/_app/") {
+ set $geo_allowed 1;
+ }
+ if ($request_uri ~* "^/favicon") {
+ set $geo_allowed 1;
+ }
+ if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") {
+ set $geo_allowed 1;
+ }
+
+ # Block non-allowed requests
+ if ($geo_allowed = 0) {
+ return 403 "Access restricted to Hungary";
+ }
 namespace: immich-system
 spec:
 ingressClassName: nginx-internal
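Review bot: The path allowlist is evaluated on `$request_uri`, which is the raw request line including the query string, so the `$`-anchored static-asset pattern `\.(js|css|woff2?|ttf|svg|png|ico)$` and the `.*` in the `^/api/assets/.*/thumbnail` and `/original` patterns can be satisfied by the query string rather than by the path that is actually routed to Immich, and the country restriction then does not hold for that path. Matching on `$uri` instead (the normalized path without arguments) closes that gap with a one-token change per `if`, e.g. `if ($uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") {`. The same construction is repeated in the opengist.yaml hunk and should be changed there as well. Note also that `~*` makes every match case-insensitive, so a prefix such as `^/share/` also admits `/SHARE/`; whether Immich treats that as the same route is worth confirming before relying on it.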
diff --git a/opengist-system/opengist.yaml b/opengist-system/opengist.yaml
index fbe899f..e373240 100644
--- a/opengist-system/opengist.yaml
+++ b/opengist-system/opengist.yaml
@@ -165,6 +165,58 @@ metadata:
 external-dns.alpha.kubernetes.io/hostname: paste.dooplex.hu,paste.home
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+ # GeoIP-based access control
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ # GeoIP-based access control for OpenGist
+ # Allows Hungarian traffic everywhere, worldwide only for paste viewing
+
+ set $geo_allowed 0;
+
+ # Allow all Hungarian traffic
+ if ($geoip2_city_country_code = "HU") {
+ set $geo_allowed 1;
+ }
+
+ # Allow public gist viewing: /{username}/{32-lowercase-hex-chars}
+ if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}$") {
+ set $geo_allowed 1;
+ }
+
+ # Allow raw view: /{username}/{32-hex}/raw/(unknown)
+ if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/raw/") {
+ set $geo_allowed 1;
+ }
+
+ # Allow download: /{username}/{32-hex}/download
+ if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/download") {
+ set $geo_allowed 1;
+ }
+
+ # Allow revision viewing: /{username}/{32-hex}/rev/{revision}
+ if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/rev/[a-f0-9]+") {
+ set $geo_allowed 1;
+ }
+
+ # Allow embed view
+ if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/embed") {
+ set $geo_allowed 1;
+ }
+
+ # Allow static assets
+ if ($request_uri ~* "^/assets/") {
+ set $geo_allowed 1;
+ }
+ if ($request_uri ~* "^/favicon") {
+ set $geo_allowed 1;
+ }
+ if ($request_uri ~* "\.(css|js|woff2?|ttf|svg|png|ico)$") {
+ set $geo_allowed 1;
+ }
+
+ # Block non-allowed requests
+ if ($geo_allowed = 0) {
+ return 403 "Access restricted to Hungary";
+ }
 spec:
 ingressClassName: nginx-internal
 rules:
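Review bot: `$geoip2_city_country_code` exists only when the ingress-nginx controller runs with `use-geoip2` enabled and a MaxMind City database loaded; if it is missing, nginx will not load a config that references an unknown variable, so the reload is rejected, and the snippet itself is honoured only when snippet annotations are allowed on the controller (`allow-snippet-annotations`, and on newer versions the annotation risk-level setting as well). A comment above the annotation recording those prerequisites would save the next maintainer a failed rollout, e.g. `# Requires use-geoip2 + GeoLite2-City and allow-snippet-annotations on the nginx-internal controller`. Note that the policy fails closed: an address the database cannot resolve yields an empty country code and gets the 403, which is only reasonable if the controller sees the real client address rather than a load-balancer or proxy hop — `ingressClassName: nginx-internal` makes that worth confirming. Separately, the `$` anchor in `^/[a-zA-Z0-9_-]+/[a-f0-9]{32}$` means a gist URL carrying any query string is denied outside Hungary, which may or may not be intended, and the `~*` flag already makes the `32-lowercase-hex` comment inaccurate since uppercase hex also matches.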