mirror of
https://github.com/aarmea/fahrengit-451.git
synced 2026-03-22 08:58:15 +00:00
cf99cd50f2
Change written by Claude Sonnet 4.6: I need to set up a Git hosting service for personal projects where certain repositories need to be blocked using the locale corresponding to the user’s IP address. Here are my constraints: * The entire system will be running on a single VPS instance. I should be able to `docker compose up -d` the whole thing. * For each repository that this feature is enabled, I need to be able to set the blocked locales down to the state level, along with a custom HTTP status code and response body. * You may assume that the IP address of the request is where it actually came from — for this exercise, if the user uses a VPN to bypass the restriction, that is on them. * To simplify a reverse proxy setup, you may assume that all Git operations will happen over HTTPS. I will firewall off SSH access. * I will be using Let's Encrypt for HTTPS. Some suggestions from prior research: * nginx seems like a reasonable reverse proxy that supports all of the requirements, but you may use a different one if it is simpler to implement or maintain. * I can obtain a MaxMind API key to get a geo-IP lookup table. If you use this, you will need to add a service that automatically retrieves the table at a reasonable frequency. * Forgejo seems like a reasonable, lightweight Git service, but you may use a different one if you’re aware of one that actually supports these requirements out of the box. Write me a production-ready `docker-compose.yml` and supporting scripts or configuration scaffolding for me to implement this.
46 lines
2 KiB
YAML
46 lines
2 KiB
YAML
# geo_rules.yml
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Define geo-blocking rules per repository.
|
|
#
|
|
# Each entry targets a Forgejo repository identified by its URL path
|
|
# (/<owner>/<repo>). When a request for that repo (or any sub-path, e.g.
|
|
# /<owner>/<repo>.git or /<owner>/<repo>/raw/…) arrives from a blocked
|
|
# locale, nginx returns the configured HTTP status and body.
|
|
#
|
|
# Locale format:
|
|
# Country only : "US" (ISO 3166-1 alpha-2)
|
|
# Country+State : "US-CA" (ISO 3166-2, country + subdivision code)
|
|
#
|
|
# You can mix country-level and state-level rules in the same repo block.
|
|
# More-specific rules (state) take precedence over less-specific ones (country)
|
|
# because the watcher renders them first in the nginx map block.
|
|
#
|
|
# status: Any valid HTTP status code. 451 ("Unavailable For Legal Reasons")
|
|
# is the semantically correct choice for legal/jurisdiction blocks.
|
|
# body : Plain-text response body. Keep it short — it is embedded directly
|
|
# in the nginx config as a string literal.
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
repos:
|
|
|
|
- path: /alice/secret-project
|
|
rules:
|
|
- locales: ["US-CA", "US-TX"]
|
|
status: 451
|
|
body: "This repository is unavailable in your jurisdiction."
|
|
- locales: ["DE", "FR"]
|
|
status: 403
|
|
body: "Access to this repository is restricted in your country."
|
|
|
|
- path: /alice/another-repo
|
|
rules:
|
|
- locales: ["CN", "RU"]
|
|
status: 403
|
|
body: "Access denied."
|
|
|
|
# Template — copy and fill in for each additional repo:
|
|
# - path: /owner/repo-name
|
|
# rules:
|
|
# - locales: ["XX", "XX-YY"]
|
|
# status: 403
|
|
# body: "Access restricted."
|