## Version 2023/02/16
#
# Fail2Ban action configuration for OPNsense
# Author: https://linuxserver.io/
#
# Please ensure jail.local permission are secure (640) as it contains your OPNsense API key
#
# OPNsense API Key/Secret guide: https://docs.opnsense.org/development/how-tos/api.html
#
# This action maintains an OPNsense HOST group alias.
#
# Configure OPNsense with:
# 							A correctly named empty HOST group alias.
# 							An associated firewall rule.
#
# In most instances the OPNsense rule will likely take the form of a INBOUND WAN DROP but specifics are left to user discretion.
#
# WARNING:	This action allows connections to default OPNsense installs deployed with self signed TLS certificates.
# 			If required disable this by setting `allow_insecure = false` in your `jail.local`
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
#actionstart = 

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
#actionstop = 

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
#actioncheck = 

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/add/<alias>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/delete/<alias>

# Internal variable handler for `allow_insecure`
_allow_insecure = $(if [ '<allow_insecure>' = true ]; then echo ' -k '; else echo ''; fi;)

[Init]

# Option:  alias
# Notes.:  The OPNsense host group name to add the Fail2ban IP to.
# Values:  [ STRING ]
#
alias =

# Option:  firewall
# Notes.:  Your OPNsense IP or DNS name.
# Values:  [ STRING ]
#
firewall =

# Option:  key
# Notes.:  Your OPNsense user key.
# Values:  [ STRING ]
#
key = 

# Option:  secret
# Notes.:  Your OPNsense user secret.
# Values:  [ STRING ]
#
secret =

# Option:  allow_insecure
# Notes.:  Allow connections to default OPNsense installs deployed with self signed TLS certificates.
# Values:  [ BOOLEAN ]
#
allow_insecure = true