# Custom fail2ban action that bans IPs via an nginx deny list.
# Standard iptables banning won't work in Fly.io because $remote_addr
# is Fly's internal proxy IP. Instead, we write banned IPs to a file
# that nginx checks via a geo directive keyed on $http_fly_client_ip.

[Definition]

actionban = echo "<ip> 1;" >> /etc/nginx/forge-deny.conf && nginx -s reload

actionunban = sed -i '/<ip> 1;/d' /etc/nginx/forge-deny.conf && nginx -s reload

actionstart =
actionstop =
actioncheck =