From b3c038e1190af95f3938bd849d965e3be523eb6a Mon Sep 17 00:00:00 2001
From: David Papp <pappdav@gmail.com>
Date: Sat, 1 Nov 2025 00:04:25 +0100
Subject: [PATCH] Add Arxignis API integration to Fail2Ban with new action
 configuration

---
 ChangeLog                     |  1 +
 config/action.d/arxignis.conf | 68 +++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 config/action.d/arxignis.conf

diff --git a/ChangeLog b/ChangeLog
index d6588117..b6ab2ff8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -114,6 +114,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `filter.d/sendmail-reject.conf` - also recognize "Domain of sender address ... does not resolve" (gh-4035)
 * `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979)
 * `fail2ban-regex` extended with new option `-i` or `--invert` to output not-matched lines by `-o` or `--out` (gh-4001)
+* `action.d/arxignis.conf` - Integrate with Arxignis Signal API.
 
 
 ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km
diff --git a/config/action.d/arxignis.conf b/config/action.d/arxignis.conf
new file mode 100644
index 00000000..125dae1a
--- /dev/null
+++ b/config/action.d/arxignis.conf
@@ -0,0 +1,68 @@
+#
+# Arxignis API action file for Fail2Ban
+#
+# IMPORTANT
+#
+# Please set jail.local's permission to 640 because it contains your Arxignis API token.
+#
+# This action depends on curl (and optionally jq).
+#
+# To get your Arxignis API token, visit your Arxignis dashboard.
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = curl -s -o /dev/null -X POST https://api.arxignis.com/v1/signal \
+            -H 'Content-Type: application/json' \
+            -H 'Authorization: Bearer <axtoken>' \
+            -d '[{"type":"access_rules","action":"block","ip":"<ip>","expiration":<expiration>,"description":"Fail2Ban <name>","name":"Fail2Ban"}]'
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# Note: Arxignis unban implementation depends on the API endpoint for removing rules.
+# If the API supports DELETE or a similar method, update this accordingly.
+actionunban = curl -s -o /dev/null -X POST https://api.arxignis.com/v1/signal \
+              -H 'Content-Type: application/json' \
+              -H 'Authorization: Bearer <axtoken>' \
+              -d '[{"type":"access_rules","action":"unblock","ip":"<ip>","expiration":0,"description":"Fail2Ban unban <name>","name":"Fail2Ban"}]'
+
+[Init]
+
+# Your Arxignis API Bearer token
+axtoken =
+
+# Expiration time
+expiration = <bantime>
+