keycloak: block it

ded0919c · Kristian Klausen · c8a32ef1 · ded0919c · ded0919c · ded0919c
Commit ded0919c authored 1 year ago by Kristian Klausen
--- a/roles/keycloak/files/load-geopip2.conf
+++ b/roles/keycloak/files/load-geopip2.conf
+load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
--- a/roles/keycloak/meta/main.yml
+++ b/roles/keycloak/meta/main.yml
+dependencies:
+  - role: geoipupdate
+    vars:
+      geoipupdate_edition_ids: GeoLite2-Country
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
 - name: Install keycloak
-  pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,keycloak-hcaptcha,python-passlib state=present
+  pacman: name=jre11-openjdk,keycloak,keycloak-archlinux-theme,keycloak-metrics-spi,keycloak-hcaptcha,python-passlib,nginx-mod-geoip2 state=present

 - name: Create postgres keycloak user
  postgresql_user: name="{{ vault_keycloak_db_user }}" password="{{ vault_keycloak_db_password }}"
@@ -74,6 +74,12 @@
 - name: Make nginx log dir
  file: path="/var/log/nginx/{{ keycloak_domain }}" state=directory owner=root mode=0755

+- name: Install toplevel-snippet
+  copy: src=load-geoip2.conf dest=/etc/nginx/toplevel-snippets/ owner=root group=root mode=0644
+  notify:
+    - Reload nginx
+  tags: ['nginx']
+
 - name: Set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/keycloak.conf owner=root group=root mode=0644
  notify:

--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
+geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
+    auto_reload 1d;
+    $geoip2_data_country_code default=US country iso_code;
+}
+
+map $geoip2_data_country_code $allowed_country {
+    default yes;
+    BD no;
+}
+
 server {
    listen       80;
    listen       [::]:80;
@@ -59,6 +69,10 @@ server {
        proxy_buffer_size 8k;
    }

+    if ($allowed_country = no) {
+        return 444;
+    }
+
    location = / {
        return 301 https://$server_name/realms/archlinux/account;
    }