From c3adfa7e25882c7d883f1574bcedc62cfc0ca0b1 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Wed, 18 Mar 2026 21:53:05 +0100
Subject: [PATCH] Restrict incoming connections to DE via CrowdSec GeoIP
---
 modules/crowdsec.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/modules/crowdsec.nix b/modules/crowdsec.nix
index 2d6f1fa..4b15ce9 100644
--- a/modules/crowdsec.nix
+++ b/modules/crowdsec.nix
@@ -91,6 +91,17 @@ in
 # Remediation profiles
 localConfig.profiles = [
+ {
+ name = "block_non_de";
+ filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip' && Alert.Enriched.IsoCode != 'DE' && Alert.Enriched.IsoCode != ''" ];
+ decisions = [
+ {
+ type = "ban";
+ duration = "24h";
+ }
+ ];
+ on_success = "break";
+ }
 {
 name = "default_ip_remediation";
 filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
@@ -106,6 +117,9 @@ in
 # Hub collections for common attack patterns
 hub = {
+ parsers = [
+ "crowdsecurity/geoip-enrich"
+ ];
 collections = [
 "crowdsecurity/linux"
 "crowdsecurity/nginx"
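Review bot: The `block_non_de` profile is only evaluated for alerts (its filter starts with `Alert.Remediation == true`), so it gives a 24h ban to non-DE sources that already triggered a scenario and does not restrict incoming connections to DE as the subject line says; a non-DE address that trips no scenario is never banned. If a country allowlist is the goal it has to be enforced at the firewall or reverse proxy, and the profile deserves a comment such as `# 24h ban for offending non-DE sources; not a geo-allowlist`. Separately, `Alert.Enriched.IsoCode` looks like the event-level field; as far as I know the alert object carries the country as `Alert.Source.Cn`, so the expression should be checked against a running instance and probably read `Alert.Source.Cn != 'DE' && Alert.Source.Cn != ''`. The `localConfig.profiles` list continues outside the hunk, so the default profile's decisions are not visible here.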
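Review bot: Nothing ties this parser entry to the profile that depends on it: if `crowdsecurity/geoip-enrich` is dropped later or its GeoIP database is unavailable, the country value is empty and the `!= ''` clause in `block_non_de` silently sends every alert to the default profile. A comment on the entry, e.g. `# required by the block_non_de profile (source country lookup)`, would make that dependency explicit. As far as I know the `crowdsecurity/linux` collection already pulls this parser in, so the explicit entry mainly documents intent. The `hub` block continues outside the hunk.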