mirror of
https://github.com/aarmea/fahrengit-451.git
synced 2026-03-22 08:58:15 +00:00
Change written by Claude Sonnet 4.6:

I need to set up a Git hosting service for personal projects where certain repositories need to be blocked using the locale corresponding to the user’s IP address. Here are my constraints:

* The entire system will be running on a single VPS instance. I should be able to `docker compose up -d` the whole thing.
* For each repository that this feature is enabled, I need to be able to set the blocked locales down to the state level, along with a custom HTTP status code and response body.
* You may assume that the IP address of the request is where it actually came from — for this exercise, if the user uses a VPN to bypass the restriction, that is on them.
* To simplify a reverse proxy setup, you may assume that all Git operations will happen over HTTPS. I will firewall off SSH access.
* I will be using Let's Encrypt for HTTPS.

Some suggestions from prior research:

* nginx seems like a reasonable reverse proxy that supports all of the requirements, but you may use a different one if it is simpler to implement or maintain.
* I can obtain a MaxMind API key to get a geo-IP lookup table. If you use this, you will need to add a service that automatically retrieves the table at a reasonable frequency.
* Forgejo seems like a reasonable, lightweight Git service, but you may use a different one if you’re aware of one that actually supports these requirements out of the box.

Write me a production-ready `docker-compose.yml` and supporting scripts or configuration scaffolding for me to implement this.
56 lines
1.9 KiB
Docker
# Build nginx with the ngx_http_geoip2_module baked in.
# The official nginx image ships without GeoIP2 support; we compile the
# dynamic module against the same nginx version used in the base image.

ARG NGINX_VERSION=1.27.4

FROM nginx:${NGINX_VERSION}-alpine AS builder

# Re-declare the global ARG so it is visible inside this stage
ARG NGINX_VERSION

RUN apk add --no-cache \
        build-base \
        git \
        libmaxminddb-dev \
        pcre2-dev \
        openssl-dev \
        zlib-dev \
        linux-headers

# Clone the GeoIP2 nginx module. This takes the tip of the default branch;
# pin a release tag or commit here for reproducible builds.
RUN git clone --depth 1 \
        https://github.com/leev/ngx_http_geoip2_module.git \
        /usr/src/ngx_http_geoip2_module

# Fetch the nginx source matching the base image version (over HTTPS, since
# the tarball is not otherwise verified)
RUN wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
        -O /usr/src/nginx.tar.gz \
    && tar -xzf /usr/src/nginx.tar.gz -C /usr/src

WORKDIR /usr/src/nginx-${NGINX_VERSION}

# Build only the dynamic module, reusing the configure flags reported by
# `nginx -V`. The flags contain quoted values (e.g. --with-cc-opt='...'), so
# the whole configure command goes through eval to keep the quoting intact.
RUN configure_args="$(nginx -V 2>&1 | sed -n 's/^configure arguments: //p')" \
    && eval "./configure $configure_args \
        --add-dynamic-module=/usr/src/ngx_http_geoip2_module" \
    && make modules

# ── Runtime image ─────────────────────────────────────────────────────────────
FROM nginx:${NGINX_VERSION}-alpine

# Re-declare the global ARG; without this, ${NGINX_VERSION} expands to an
# empty string in the COPY path below
ARG NGINX_VERSION

# Runtime dependency for MaxMind DB
RUN apk add --no-cache libmaxminddb

# Copy the compiled dynamic module
COPY --from=builder \
    /usr/src/nginx-${NGINX_VERSION}/objs/ngx_http_geoip2_module.so \
    /usr/lib/nginx/modules/ngx_http_geoip2_module.so

# Main nginx config (loads the dynamic module at the top level)
COPY nginx.conf /etc/nginx/nginx.conf

# GeoIP map directory (populated by geoblock_watcher at runtime)
RUN mkdir -p /etc/nginx/geoblock

EXPOSE 80 443