design.md 1.6 KB

Context

The geoblock role currently runs on all servers (relay + landing) via site.yml. It installs ipset/iptables, downloads China CIDR lists from ipdeny.com, populates an ipset named cn-block, adds an iptables OUTPUT chain DROP rule, and sets up a daily cron refresh + systemd boot restore. CN destination routing is already handled at the Surge client level via policy/group rules, making the server-side block redundant.

Goals / Non-Goals

Goals:

  • Remove all server-side CN destination blocking infrastructure
  • Clean up all geoblock-related files, references, and specs
  • Leave Surge client routing untouched

Non-Goals:

  • No changes to Surge client config or routing rules
  • No changes to other roles (base, shadowsocks, trojan)

Decisions

Remove the entire roles/geoblock/ directory rather than disabling it, since there is no reason to keep the code around. Remove the role reference from the "Base server setup" play in site.yml. Remove the geoblock-cn spec from openspec/specs/. Update the README.md references.

Risks / Trade-offs

  • [Servers may still have active ipset/iptables rules after this change] → The Ansible removal won't actively clean up runtime iptables rules. A manual iptables -D OUTPUT -m set --match-set cn-block dst -j DROP && ipset destroy cn-block may be needed on existing servers, or a reboot will clear them.
  • [No server-side safety net for accidental CN traffic] → CN routing is handled by Surge client policies. If a client bypasses the proxy and connects directly to the server, the server could theoretically reach CN destinations. This is acceptable per user decision.
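The first risk above is the one an operator will actually hit: Ansible removing the role does not touch the runtime state the role created. The script below is an added example (not part of this design or of the roles/geoblock/ role) that audits a server for leftover geoblock state and prints the exact commands to clear it, in the order the risk entry gives (delete the iptables rule first, then destroy the set, since ipset refuses to destroy a set that a rule still references). It takes the set name cn-block and the OUTPUT DROP rule from the design text; the cron job and systemd unit names are not stated in the design, so it searches for them by keyword (an assumption: that their names contain "geoblock" or "cn-block") and those hits must be checked against what the removed role actually installed.

```shell
#!/bin/sh
# Added example, not part of the original design or of roles/geoblock/.
# Audits a server for geoblock state that removing the Ansible role leaves
# behind and prints the commands needed to clear it. Names from the design:
# ipset "cn-block" and an iptables OUTPUT DROP rule matching that set.
# The cron job / systemd unit names are NOT given in the design, so they are
# searched by keyword (assumption: names contain "geoblock" or "cn-block").

SET_NAME="cn-block"

# Print every rule in an `iptables -S OUTPUT` listing that drops traffic to
# the cn-block set. Exit status 0 if at least one such rule exists, else 1.
find_cn_block_rules() {
    printf '%s\n' "$1" | grep -E -- "^-A OUTPUT .*-m set --match-set ${SET_NAME} dst .*-j DROP$"
}

# Given `iptables -S OUTPUT` output ($1) and `ipset list -n` output ($2),
# emit the cleanup commands: one `iptables -D` per leftover rule, then
# `ipset destroy` if the set still exists. Rule deletion comes first because
# ipset will not destroy a set that is still referenced by a rule.
removal_commands() {
    find_cn_block_rules "$1" | sed 's/^-A /iptables -D /'
    if printf '%s\n' "$2" | grep -qx -- "$SET_NAME"; then
        printf 'ipset destroy %s\n' "$SET_NAME"
    fi
}

# Given the combined output of `ls /etc/cron.d` and
# `systemctl list-unit-files`, flag entries that look geoblock-related.
# Left in place, these would repopulate the set daily or restore it at boot.
find_leftover_scheduling() {
    printf '%s\n' "$1" | grep -E -i -- 'geoblock|cn-block'
}

# Live mode (requires root): gather the real state and print the findings.
# Without --live the script only defines the functions, so they can be run
# against captured output (for example from another host) instead.
if [ "${1:-}" = "--live" ]; then
    rules="$(iptables -S OUTPUT 2>/dev/null || true)"
    sets="$(ipset list -n 2>/dev/null || true)"
    sched="$( { ls /etc/cron.d 2>/dev/null; systemctl list-unit-files 2>/dev/null; } || true)"
    echo "# Commands needed to clear residual geoblock state:"
    removal_commands "$rules" "$sets"
    echo "# Scheduling leftovers to remove by hand (verify names first):"
    find_leftover_scheduling "$sched" || echo "# none found"
fi
```

Run it as root with `--live` on each existing relay and landing server after the role has been removed from site.yml; an empty cleanup section and no scheduling hits confirm the server matches the new design. Printing the commands rather than executing them keeps the script safe to run as a dry audit and lets the operator review the exact rule spec before deleting it.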