added geoip annotations to immich and opengist ingresses

2026-01-20 16:58:18 +01:00
parent d35f6b490a
commit d0f24ade78
2 changed files with 97 additions and 0 deletions
+52
@@ -165,6 +165,58 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: paste.dooplex.hu,paste.home
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
# GeoIP-based access control
nginx.ingress.kubernetes.io/configuration-snippet: |
# GeoIP-based access control for OpenGist
# Allows Hungarian traffic everywhere, worldwide only for paste viewing
set $geo_allowed 0;
# Allow all Hungarian traffic
if ($geoip2_city_country_code = "HU") {
set $geo_allowed 1;
}
# Allow public gist viewing: /{username}/{32-lowercase-hex-chars}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}$") {
set $geo_allowed 1;
}
# Allow raw view: /{username}/{32-hex}/raw/{filename}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/raw/") {
set $geo_allowed 1;
}
# Allow download: /{username}/{32-hex}/download
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/download") {
set $geo_allowed 1;
}
# Allow revision viewing: /{username}/{32-hex}/rev/{revision}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/rev/[a-f0-9]+") {
set $geo_allowed 1;
}
# Allow embed view
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/embed") {
set $geo_allowed 1;
}
# Allow static assets
if ($request_uri ~* "^/assets/") {
set $geo_allowed 1;
}
if ($request_uri ~* "^/favicon") {
set $geo_allowed 1;
}
if ($request_uri ~* "\.(css|js|woff2?|ttf|svg|png|ico)$") {
set $geo_allowed 1;
}
# Block non-allowed requests
if ($geo_allowed = 0) {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
rules:
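Review bot: The static-asset rule `if ($request_uri ~* "\.(css|js|woff2?|ttf|svg|png|ico)$")` tests `$request_uri`, which includes the query string, so a request to any path whose query string ends in one of those extensions sets `$geo_allowed` to 1 and skips the 403. Match the path only, `if ($uri ~* "\.(css|js|woff2?|ttf|svg|png|ico)$") {`, or drop this rule if `^/assets/` and `^/favicon` already cover the static files; this assumes no rewrite changes `$uri` before the snippet runs, which the hunk does not show. Switching the gist rules to `$uri` as well would stop the `$`-anchored view pattern from returning 403 for legitimate gist URLs that carry a query string. The comment says "32-lowercase-hex-chars", but `~*` is case-insensitive, so either use `~` or reword the comment. The annotation sits in a `metadata:` block that starts above the hunk, and the country filter only narrows exposure, so the application's own authentication should still be treated as the real control on the non-public routes.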