ansible-proxy-chain/openspec/changes/archive/2026-04-22-remove-server-geoblock/proposal.md

Why

The server-side geoblock role that blocks outbound traffic to China destinations via ipset/iptables is no longer needed. CN destination routing is already handled at the Surge client level via policy rules, making the server-side block redundant.

What Changes

• Remove geoblock role from site.yml
• Delete roles/geoblock/ directory entirely (tasks, templates, handlers, defaults)
• Remove the geoblock-cn spec from openspec/specs/

Surge client-side routing rules (in surge-client.conf.j2) remain unchanged.

Capabilities

New Capabilities

Modified Capabilities

• geoblock-cn: REMOVED — server-side CN destination blocking via ipset/iptables is being removed entirely

Impact

• site.yml: geoblock role removed from the "Base server setup" play
• roles/geoblock/: entire directory deleted
• openspec/specs/geoblock-cn/: spec removed
• README.md: any references to geoblock should be updated
• Surge client config and routing: no change