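[Definition]
# fail2ban action: ban/unban an address with iptables on both the host INPUT
# chain and Docker's DOCKER-USER forwarding chain, and post a Telegram
# notification.  <ip> is fail2ban's tag for the banned address; it is
# substituted into each command before the command is run by the shell.
# (The <ip> occurrences below were reconstructed where an argument was clearly
# missing — e.g. a bare "-s" — check them against the original file.)

# ── Lifecycle notifications ───────────────────────────────────────────────────
actionstart = bash /data/action.d/telegram_notif.sh -a start
actionstop = bash /data/action.d/telegram_notif.sh -a stop

# NOTE(review): neither actionstart nor actionstop creates/flushes a dedicated
# chain. When fail2ban restarts and re-applies persisted bans, each ban is
# inserted again (duplicate rules), and an unban deletes only one copy.
# A dedicated chain flushed in actionstart/actionstop avoids this.

# ── Ban ───────────────────────────────────────────────────────────────────────
# 1. DOCKER-USER: drops forwarded packets containing the banned IP in the
#    X-Forwarded-For header — catches traffic coming through Cloudflare/CDN
#    where the real client IP is forwarded as a header to NPM.
#    Caveats before relying on this rule alone:
#    - It is a plaintext substring match, so it only fires if the CDN->origin
#      hop is plain HTTP; if that hop is HTTPS the header is inside TLS and
#      the rule never matches.
#    - It is not anchored at the end of the address: banning 10.0.0.1 also
#      drops packets whose header starts "X-Forwarded-For: 10.0.0.10",
#      10.0.0.11, 10.0.0.100 ... (collateral bans of neighbouring addresses).
#    - Any forwarded packet carrying that byte string is dropped, whatever
#      its source; a direct client can set the header itself, and a legitimate
#      request whose body happens to contain the string is dropped too.
# 2. INPUT: drops direct connections from the banned IP at the host level.
#    Inserted at the top (-I, the same way the DOCKER-USER rule is) rather
#    than appended: an appended DROP would sit behind any earlier ACCEPT
#    (conntrack ESTABLISHED, open web ports) and could never be reached.
# 3. Telegram notification (silent if TELEGRAM_BOT_TOKEN is unset).
#    NOTE(review): the value passed to -r was lost during extraction; if it is
#    a log-derived tag such as <matches>, its content is attacker-influenced —
#    keep it double-quoted and verify that the fail2ban version in use escapes
#    that tag for the shell.
# IPv4 only: these are iptables commands. If the jail can ban IPv6 addresses,
# an ip6tables counterpart is needed or those bans will fail.
actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
            iptables -I INPUT -s <ip> -j DROP
            bash /data/action.d/telegram_notif.sh -b <ip> -r ""

# ── Unban ─────────────────────────────────────────────────────────────────────
# || true prevents failure if the rule was already removed (e.g. on restart).
# -D matches on the rule spec, not position, so it pairs with the -I above.
actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP || true
              iptables -D INPUT -s <ip> -j DROP || true
              bash /data/action.d/telegram_notif.sh -u <ip>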