chore: strip telegram/webhook actions, single compose file

- Remove telegram_notif.sh and all Telegram references
- Remove webhook.conf fail2ban action (dashboard webhook stays)
- docker-npm.conf: iptables ban/unban only, no lifecycle hooks
- Merge docker-compose.cloudflare.yml into docker-compose.yml
  CF_EMAIL/CF_APIKEY always present — fill in to enable WAF banning
- Remove TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from compose
- Drop .env.example dependency — all config inline in compose file

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -1,21 +1,10 @@
-# ── F2B Control Center — standard stack ──────────────────────────────────────
-#
-# Includes: Nginx Proxy Manager + Fail2Ban + dashboard
-#
-# QUICK START:
-#   cp .env.example .env
-#   # edit .env — at minimum review DATA_DIR and SUBNETS_TO_IGNORE
-#   docker-compose up -d
-#
-# CLOUDFLARE:
-#   To also ban at the CF WAF level, use docker-compose.cloudflare.yml instead.
-# ─────────────────────────────────────────────────────────────────────────────
+# F2B Control Center — edit values below, then: docker-compose up -d
+# Cloudflare WAF banning: fill in CF_EMAIL + CF_APIKEY — activates automatically.
 
 version: "3.9"
 
 services:
 
-  # ── Nginx Proxy Manager ─────────────────────────────────────────────────────
   npm:
     image: jc21/nginx-proxy-manager:latest
     container_name: nginx-proxy-manager
@@ -23,13 +12,11 @@ services:
     ports:
       - "80:80"
       - "443:443"
-      - "81:81"          # NPM admin UI (change or restrict in production)
+      - "81:81"
     volumes:
-      - ${DATA_DIR:-./data}/npm:/data
-      - ${DATA_DIR:-./data}/npm/logs:/data/logs   # shared with f2b (see below)
-      - ${DATA_DIR:-./data}/letsencrypt:/etc/letsencrypt
+      - ./data/npm:/data
+      - ./data/letsencrypt:/etc/letsencrypt
 
-  # ── F2B Control Center ──────────────────────────────────────────────────────
   f2b-control-center:
     build: .
     image: f2b-control-center:latest
@@ -37,31 +24,22 @@ services:
     restart: unless-stopped
     depends_on:
       - npm
-
-    # Host network mode is required so fail2ban's iptables rules affect the
-    # host network stack — blocking traffic before it reaches NPM containers.
     network_mode: host
-
     environment:
-      PORT:               "${DASHBOARD_PORT:-4000}"
-      ABUSEIPDB_API_KEY:  "${ABUSEIPDB_API_KEY:-}"
-      SUBNETS_TO_IGNORE:  "${SUBNETS_TO_IGNORE:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
-      WEBHOOK_URL:        "${WEBHOOK_URL:-}"
-      TELEGRAM_BOT_TOKEN: "${TELEGRAM_BOT_TOKEN:-}"
-      TELEGRAM_CHAT_ID:   "${TELEGRAM_CHAT_ID:-}"
-      # Internal paths — only change if you remap volumes
+      PORT:              "4000"
+      SUBNETS_TO_IGNORE: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+      ABUSEIPDB_API_KEY: ""   # optional — enables threat scoring & auto-ban
+      WEBHOOK_URL:       ""   # optional — POST on every manual ban
+      CF_EMAIL:          ""   # optional — Cloudflare account email (enables WAF banning)
+      CF_APIKEY:         ""   # optional — Cloudflare Global API Key
       LOG_DIR:       "/nginx-logs"
       FAIL2BAN_LOG:  "/var/log/fail2ban.log"
       JAIL_LOCAL:    "/etc/fail2ban/jail.local"
       MANUAL_JAIL:   "manual-bans"
       BAN_HIST_FILE: "/data/ban-history.json"
-
     volumes:
-      # NPM logs — read-only. Shared with NPM via bind mount above.
-      - ${DATA_DIR:-./data}/npm/logs:/nginx-logs:ro
-      # Persistent app state (ban history)
+      - ./data/npm/logs:/nginx-logs:ro
       - f2b-data:/data
-      # Fail2ban config — persists across image updates
       - f2b-config:/etc/fail2ban
 
 volumes: