# Jail definition for the Familienarchiv login endpoint.
#
# Install:
#   ln -sf /opt/familienarchiv/infra/fail2ban/jail.d/familienarchiv.conf \
#          /etc/fail2ban/jail.d/familienarchiv.conf
#   ln -sf /opt/familienarchiv/infra/fail2ban/filter.d/familienarchiv-auth.conf \
#          /etc/fail2ban/filter.d/familienarchiv-auth.conf
#   systemctl reload fail2ban
#
# NOTE(review): the symlinks make fail2ban read its jail and filter from
# /opt/familienarchiv. Ban actions run as commands under the fail2ban
# service account (normally root), so that directory tree should be
# writable by root only; confirm ownership and mode after deployment.
#
# Verify with:
#   fail2ban-client status familienarchiv-auth
#   fail2ban-regex /var/log/caddy/access.log familienarchiv-auth
#
# In the status output the filter should list /var/log/caddy/access.log as
# its monitored file. If it lists journal matches instead, the backend
# override below did not take effect.
#
# Tuning rationale:
#   - maxretry 10:  legitimate users mistyping passwords don't trip the jail
#   - findtime 10m: rolling window that catches automated brute force
#   - bantime 30m:  long enough to discourage scripted attacks, short
#                   enough that a user who fat-fingered their VPN comes
#                   back online within a coffee break
#
# Limits of this control: failures are counted per source address. Guessing
# spread over many addresses, or kept under 10 failures per 10 minutes from
# one address, never trips the jail, so the application still needs its own
# login throttling or lockout. Every ban lasts the same 30m; fail2ban 0.11+
# can lengthen bans for repeat offenders via bantime.increment if needed.

[familienarchiv-auth]
enabled = true

# Override Debian's `backend = systemd` default (set in
# /etc/fail2ban/jail.d/defaults-debian.conf). Without this line our jail
# inherits the systemd backend, reads from journald, and never inspects
# Caddy's file-based JSON access log, i.e. brute-force protection is inert.
# `polling` works without inotify and is fine for one rotated log file.
backend = polling

# Filter defined in filter.d/familienarchiv-auth.conf (not shown here).
# NOTE(review): the ban targets whatever address the filter extracts as
# <HOST>. If Caddy is reached through a proxy, CDN or load balancer, confirm
# the extracted address is the real client and not the shared upstream,
# otherwise one ban blocks every user behind it.
filter = familienarchiv-auth
logpath = /var/log/caddy/access.log

maxretry = 10
findtime = 10m
bantime = 30m

# Blocks the offending address on the HTTP and HTTPS ports only.
# NOTE(review): presumably Caddy listens directly on the host. If it runs in
# a container with published ports, the traffic may bypass the chain this
# action writes to; confirm a test ban actually drops connections.
action = iptables-multiport[name=familienarchiv-auth, port="http,https"]