ansible-proxy-chain/openspec/changes/archive/2026-04-22-remove-server-geoblock/specs/geoblock-cn/spec.md

REMOVED Requirements

Requirement: ipset and iptables are installed on all servers

Reason: Server-side CN destination blocking is no longer needed; Surge client handles CN routing. Migration: No replacement. CN destination routing remains at the Surge client level.

Requirement: China IP CIDR list is downloaded

Reason: Server-side CN destination blocking is no longer needed. Migration: None required.

Requirement: ipset is populated with China CIDR ranges

Reason: Server-side CN destination blocking is no longer needed. Migration: Existing cn-block ipset will no longer be updated. It can be manually destroyed.

Requirement: iptables blocks outbound to China IPs

Reason: Server-side CN destination blocking is no longer needed. Migration: The OUTPUT chain DROP rule referencing cn-block can be manually removed.

Requirement: CN IP list is refreshed daily via cron

Reason: Server-side CN destination blocking is no longer needed. Migration: The cron job geoblock-refresh will be removed by Ansible.

Requirement: ipset is restored on boot

Reason: Server-side CN destination blocking is no longer needed. Migration: The geoblock systemd service will be removed by Ansible.

Requirement: Geoblock role is applied to all servers

Reason: Server-side CN destination blocking is no longer needed. Migration: The geoblock role is removed from site.yml.