# Security Templates

This folder contains host-side security templates for public launch hardening.

## fail2ban (recommended baseline)
- Config location:
  - `docker/security/fail2ban/jail.d/fiddy-nginx.conf`
  - `docker/security/fail2ban/filter.d/fiddy-nginx-auth.conf`
- Purpose:
  - ban repeated abusive requests against auth, join, and invite endpoints.

## CrowdSec (optional alternative/complement)
- Config location:
  - `docker/security/crowdsec/acquis.yaml`
- Purpose:
  - ingest Nginx access/error logs with CrowdSec for broader behavior-based decisions.

## Notes
- Use either fail2ban or CrowdSec as your primary auto-ban control, or carefully run both with clear ownership of ban actions.
- Validate log paths match your deployment:
  - `/var/log/nginx/fiddy-access.log`
  - `/var/log/nginx/fiddy-error.log`