Restrict incoming connections to DE via CrowdSec GeoIP

modules/crowdsec.nix

@@ -91,6 +91,17 @@ in
 
       # Remediation profiles
       localConfig.profiles = [
+        {
+          name = "block_non_de";
+          filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip' && Alert.Enriched.IsoCode != 'DE' && Alert.Enriched.IsoCode != ''" ];
+          decisions = [
+            {
+              type = "ban";
+              duration = "24h";
+            }
+          ];
+          on_success = "break";
+        }
         {
           name = "default_ip_remediation";
           filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
@@ -106,6 +117,9 @@ in
 
       # Hub collections for common attack patterns
       hub = {
+        parsers = [
+          "crowdsecurity/geoip-enrich"
+        ];
         collections = [
           "crowdsecurity/linux"
           "crowdsecurity/nginx"