admin/homelab-manifests
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

added geoip annotations to immich and opengist ingresses

Browse Source
This commit is contained in:
authentik Default Admin
2026-01-20 16:58:18 +01:00
parent d35f6b490a
commit d0f24ade78
2 changed files with 97 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
immich-system/immich.yaml
+45
View File
@@ -474,6 +474,51 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: photos.dooplex.hu external-dns.alpha.kubernetes.io/hostname: photos.dooplex.hu
nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
# GeoIP-based access control
nginx.ingress.kubernetes.io/configuration-snippet: |
# GeoIP-based access control for Immich
# Allows Hungarian traffic everywhere, worldwide only for /share/* paths
set $geo_allowed 0;
# Allow all Hungarian traffic
if ($geoip2_city_country_code = "HU") {
set $geo_allowed 1;
}
# Allow public share paths from anywhere
if ($request_uri ~* "^/share/") {
set $geo_allowed 1;
}
# API endpoints needed for shared content
if ($request_uri ~* "^/api/shared-links") {
set $geo_allowed 1;
}
# Assets for shared albums (thumbnails and originals)
if ($request_uri ~* "^/api/assets/.*/thumbnail") {
set $geo_allowed 1;
}
if ($request_uri ~* "^/api/assets/.*/original") {
set $geo_allowed 1;
}
# Static assets needed for share page rendering
if ($request_uri ~* "^/_app/") {
set $geo_allowed 1;
}
if ($request_uri ~* "^/favicon") {
set $geo_allowed 1;
}
if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") {
set $geo_allowed 1;
}
# Block non-allowed requests
if ($geo_allowed = 0) {
return 403 "Access restricted to Hungary";
}
namespace: immich-system namespace: immich-system
spec: spec:
ingressClassName: nginx-internal ingressClassName: nginx-internal
opengist-system/opengist.yaml
+52
View File
@@ -165,6 +165,58 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: paste.dooplex.hu,paste.home external-dns.alpha.kubernetes.io/hostname: paste.dooplex.hu,paste.home
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "100m" nginx.ingress.kubernetes.io/proxy-body-size: "100m"
# GeoIP-based access control
nginx.ingress.kubernetes.io/configuration-snippet: |
# GeoIP-based access control for OpenGist
# Allows Hungarian traffic everywhere, worldwide only for paste viewing
set $geo_allowed 0;
# Allow all Hungarian traffic
if ($geoip2_city_country_code = "HU") {
set $geo_allowed 1;
}
# Allow public gist viewing: /{username}/{32-lowercase-hex-chars}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}$") {
set $geo_allowed 1;
}
# Allow raw view: /{username}/{32-hex}/raw/{filename}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/raw/") {
set $geo_allowed 1;
}
# Allow download: /{username}/{32-hex}/download
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/download") {
set $geo_allowed 1;
}
# Allow revision viewing: /{username}/{32-hex}/rev/{revision}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/rev/[a-f0-9]+") {
set $geo_allowed 1;
}
# Allow embed view
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/embed") {
set $geo_allowed 1;
}
# Allow static assets
if ($request_uri ~* "^/assets/") {
set $geo_allowed 1;
}
if ($request_uri ~* "^/favicon") {
set $geo_allowed 1;
}
if ($request_uri ~* "\.(css|js|woff2?|ttf|svg|png|ico)$") {
set $geo_allowed 1;
}
# Block non-allowed requests
if ($geo_allowed = 0) {
return 403 "Access restricted to Hungary";
}
spec: spec:
ingressClassName: nginx-internal ingressClassName: nginx-internal
rules: rules: