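# Custom fail2ban action that bans IPs via an nginx deny list.
# Standard iptables banning won't work in Fly.io because $remote_addr
# is Fly's internal proxy IP. Instead, we write banned IPs to a file
# that nginx checks via a geo directive keyed on $http_fly_client_ip.
#
# The deny file is per-service: each jail sets `nginx_deny_file = ...`
# (see jail.d/*.conf) and a matching `geo $http_fly_client_ip $..._banned`
# block in nginx.conf includes the same path.
#
# Trust assumption: bans are keyed on the Fly-Client-IP request header, so
# they are only as reliable as that header. This presumes every request
# reaches nginx through Fly's proxy; confirm that no other listener or
# network path lets a client supply its own Fly-Client-IP value.
#
# nginx includes the deny file verbatim inside the geo block, so the file
# should be writable only by the account fail2ban runs as.
#
# <ip> and <nginx_deny_file> are fail2ban tags; they are substituted before
# the command line is handed to the shell.

[Definition]

# Append "<ip> 1;" (a geo entry mapping the address to 1), then reload nginx
# so the new entry takes effect.
actionban = echo "<ip> 1;" >> <nginx_deny_file> && nginx -s reload

# Remove only the exact "<ip> 1;" line. The entry is regex-escaped and
# anchored at both ends: unescaped dots would act as wildcards, and an
# unanchored pattern would also delete bans for other addresses that merely
# contain this one as a substring.
actionunban = entry=$(echo '<ip> 1;' | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$entry$/d" <nginx_deny_file> && nginx -s reload

# No setup, teardown or health-check commands are defined for this action.
actionstart =
actionstop =
actioncheck =

[Init]

# Default for jails that don't override (preserves forge behaviour).
nginx_deny_file = /etc/nginx/forge-deny.conf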