## ADDED Requirements

### Requirement: ipset and iptables are installed on all servers

The geoblock role SHALL ensure `ipset` and `iptables` packages are installed.

#### Scenario: Packages installed

- **WHEN** the geoblock role runs
- **THEN** `ipset` and `iptables` are installed and available

### Requirement: China IP CIDR list is downloaded

The geoblock role SHALL download the aggregated China CIDR list from ipdeny.com to a local file on each server.

#### Scenario: Initial download

- **WHEN** the geoblock role runs for the first time
- **THEN** the CN aggregated zone file is downloaded to a configurable path (default: `/etc/geoblock/cn.zone`)

### Requirement: ipset is populated with China CIDR ranges

The geoblock role SHALL create an ipset named `cn-block` of type `hash:net` and populate it with all CIDRs from the downloaded zone file.

#### Scenario: ipset created and loaded

- **WHEN** the geoblock update script runs
- **THEN** an ipset named `cn-block` exists containing all China CIDR entries
- **THEN** the set is created atomically (build temp set, swap, destroy old)

### Requirement: iptables blocks outbound to China IPs

The geoblock role SHALL add an iptables OUTPUT chain rule that drops packets matching the `cn-block` ipset.

#### Scenario: Outbound to China IP is dropped

- **WHEN** the server attempts to send a packet to an IP in the `cn-block` ipset
- **THEN** the packet is dropped by iptables

#### Scenario: Outbound to non-China IP is allowed

- **WHEN** the server attempts to send a packet to an IP NOT in the `cn-block` ipset
- **THEN** the packet is allowed through

### Requirement: CN IP list is refreshed daily via cron

The geoblock role SHALL configure a cron job that re-downloads the CN zone file and reloads the ipset daily.

#### Scenario: Daily refresh

- **WHEN** the cron job fires
- **THEN** the latest CN zone file is downloaded
- **THEN** the ipset is atomically reloaded with updated data

### Requirement: ipset is restored on boot

The geoblock role SHALL configure a systemd service that runs at boot to restore the ipset and iptables rule, ensuring the block survives reboots.

#### Scenario: Server reboots

- **WHEN** the server restarts
- **THEN** the geoblock systemd service loads the CN zone into ipset
- **THEN** the iptables OUTPUT rule referencing `cn-block` is applied

### Requirement: Geoblock role is applied to all servers

The geoblock role SHALL be applied to both relay and landing servers via `site.yml`.

#### Scenario: Both servers have geoblock

- **WHEN** `site.yml` is run
- **THEN** the geoblock role runs on hosts in both `relay` and `landing` groups
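The "build temp set, swap, destroy old" reload, the idempotent OUTPUT rule and the shared cron/boot entry point above can all be served by one update script. The following is an added example written for this spec, not the geoblock role's own script: the temporary set name `cn-block-tmp`, the exact ipdeny URL, the `apply` argument and the `curl` timeout are this example's assumptions; `cn-block`, `hash:net` and `/etc/geoblock/cn.zone` come from the requirements. The batch it emits uses the standard `ipset restore` command syntax, and `-exist` makes the `create` lines harmless once the live set exists, so the same script is safe to run from cron and from the boot-time systemd unit. Malformed lines in the zone file are dropped before they reach `ipset`, and a failed download keeps the previously cached list instead of swapping in an empty set.

```shell
#!/bin/sh
# Added example, not the geoblock role's own script. Builds an `ipset restore`
# batch that loads the CN zone file into a temporary set and swaps it into the
# live `cn-block` set in one step, then inserts the OUTPUT DROP rule idempotently.
# Assumptions: the temp set name `cn-block-tmp`, ZONE_URL below and the `apply`
# argument are this example's choices, not the role's.

SET_NAME="${SET_NAME:-cn-block}"
TMP_SET="${TMP_SET:-${SET_NAME}-tmp}"
ZONE_FILE="${ZONE_FILE:-/etc/geoblock/cn.zone}"
# Assumed URL of the ipdeny aggregated CN zone (the spec names only the site).
ZONE_URL="${ZONE_URL:-https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone}"

# Download to a temp path and move into place only if non-empty, so a failed
# download never replaces a good list with an empty one.
download_zone() {
    tmp="${ZONE_FILE}.tmp"
    mkdir -p "$(dirname "$ZONE_FILE")"
    if curl -fsSL --max-time 60 -o "$tmp" "$ZONE_URL" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$ZONE_FILE"
    else
        rm -f "$tmp"
        echo "geoblock: download failed, keeping existing $ZONE_FILE" >&2
        return 1
    fi
}

# Print an `ipset restore` batch for a zone file. Only lines that look like an
# IPv4 address or CIDR are added; comments, blank lines and junk are skipped so
# a corrupted download cannot smuggle other restore commands into the batch.
build_restore_batch() {
    zone_file="$1"
    printf 'create %s hash:net family inet\n' "$TMP_SET"
    printf 'flush %s\n' "$TMP_SET"                         # clear leftovers from an aborted run
    printf 'create %s hash:net family inet\n' "$SET_NAME"  # no-op under -exist once the set is live
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$zone_file" |
        while IFS= read -r cidr; do
            printf 'add %s %s\n' "$TMP_SET" "$cidr"
        done
    printf 'swap %s %s\n' "$TMP_SET" "$SET_NAME"           # atomic: no window with an empty live set
    printf 'destroy %s\n' "$TMP_SET"                       # old contents now live in the temp name
}

# Insert the OUTPUT rule only if it is not already present (-C exits 0 when it is),
# so repeated runs do not stack duplicate rules.
ensure_output_rule() {
    iptables -C OUTPUT -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null ||
        iptables -I OUTPUT -m set --match-set "$SET_NAME" dst -j DROP
}

# Full reload used by both the daily cron job and the boot-time unit: refresh the
# file if possible, fall back to the cached copy, load it atomically, ensure the rule.
apply_geoblock() {
    download_zone || true
    [ -s "$ZONE_FILE" ] || { echo "geoblock: no zone file at $ZONE_FILE" >&2; return 1; }
    build_restore_batch "$ZONE_FILE" | ipset -exist restore
    ensure_output_rule
}

# Only touch the kernel when explicitly asked, so the functions can be sourced and tested.
if [ "${1:-}" = "apply" ]; then
    apply_geoblock
fi
```

Run it as `sh geoblock-update.sh apply` from the cron entry and from the systemd unit's `ExecStart`; the boot-time run reaches the `swap` even when the network is not yet up because `download_zone` failing leaves the cached `/etc/geoblock/cn.zone` in place. Check the result with `ipset list cn-block | head` and `iptables -S OUTPUT`.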