server:
  listen_address: 127.0.0.1:9080
  read_timeout: 5s
  write_timeout: 10s
  shutdown_timeout: 15s

storage:
  path: ./data/caddy-opnsense-blocker.db

investigation:
  enabled: true
  refresh_after: 24h
  timeout: 8s
  user_agent: caddy-opnsense-blocker/0.2
  spamhaus_enabled: true
  background_workers: 2
  background_poll_interval: 30s
  background_lookback: 0s
  background_batch_size: 256

opnsense:
  enabled: true
  base_url: https://router.example.test
  api_key_file: /run/secrets/opnsense-api-key
  api_secret_file: /run/secrets/opnsense-api-secret
  timeout: 8s
  insecure_skip_verify: false
  ensure_alias: true
  alias:
    name: blocked-ips
    type: host
    description: Managed by caddy-opnsense-blocker

profiles:
  public-web:
    auto_block: true
    min_status: 400
    max_status: 599
    block_unexpected_posts: true
    block_php_paths: true
    allowed_post_paths:
      - /search
    suspicious_path_prefixes:
      - /wp-admin
      - /wp-login.php
      - /.env
      - /.git
    excluded_cidrs:
      - 10.0.0.0/8
      - 127.0.0.0/8
    known_agents:
      - name: friendly-bot
        decision: allow
        user_agent_prefixes:
          - FriendlyBot/

  gitea:
    auto_block: false
    min_status: 400
    max_status: 599
    block_unexpected_posts: true
    block_php_paths: false
    allowed_post_paths:
      - /user/login
      - /user/sign_up
      - /user/forgot_password
    suspicious_path_prefixes:
      - /install.php
      - /.env
      - /.git

sources:
  - name: public-web
    path: /var/log/caddy/public-web-access.json
    profile: public-web
    initial_position: end
    poll_interval: 1s
    batch_size: 256

  - name: gitea
    path: /var/log/caddy/gitea-access.json
    profile: gitea
    initial_position: end
    poll_interval: 1s
    batch_size: 256