chore: strip telegram/webhook actions, single compose file

- Remove telegram_notif.sh and all Telegram references
- Remove webhook.conf fail2ban action (dashboard webhook stays)
- docker-npm.conf: iptables ban/unban only, no lifecycle hooks
- Merge docker-compose.cloudflare.yml into docker-compose.yml
  CF_EMAIL/CF_APIKEY always present — fill in to enable WAF banning
- Remove TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from compose
- Drop .env.example dependency — all config inline in compose file

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fail2ban/action.d/docker-npm.conf

@@ -1,21 +1,12 @@
 [Definition]
 
-# ── Lifecycle notifications ───────────────────────────────────────────────────
-actionstart = bash /data/action.d/telegram_notif.sh -a start
-actionstop  = bash /data/action.d/telegram_notif.sh -a stop
+# Drops traffic two ways:
+# - DOCKER-USER: matches X-Forwarded-For header in forwarded packets (CDN/proxy setups)
+# - INPUT: drops direct connections at the host level
+# Requires xt_string kernel module on the host (modprobe xt_string).
 
-# ── Ban ───────────────────────────────────────────────────────────────────────
-# 1. DOCKER-USER: drops forwarded packets containing the banned IP in the
-#    X-Forwarded-For header — catches traffic coming through Cloudflare/CDN
-#    where the real client IP is forwarded as a header to NPM.
-# 2. INPUT: drops direct connections from the banned IP at the host level.
-# 3. Telegram notification (silent if TELEGRAM_BOT_TOKEN is unset).
 actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
             iptables -A INPUT -s <ip> -j DROP
-            bash /data/action.d/telegram_notif.sh -b <ip> -r "<name>"
 
-# ── Unban ─────────────────────────────────────────────────────────────────────
-# || true prevents failure if the rule was already removed (e.g. on restart).
 actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP || true
               iptables -D INPUT -s <ip> -j DROP || true
-              bash /data/action.d/telegram_notif.sh -u <ip>

fail2ban/action.d/telegram_notif.sh

@@ -1,54 +0,0 @@
-#!/bin/bash
-# ── Telegram notification hook for fail2ban ───────────────────────────────────
-# Called by docker-npm.conf on ban/unban/start/stop events.
-# Silently exits if TELEGRAM_BOT_TOKEN or TELEGRAM_CHAT_ID is not set.
-#
-# Usage:
-#   telegram_notif.sh -a start|stop
-#   telegram_notif.sh -b <ip> -r "<reason>"
-#   telegram_notif.sh -u <ip>
-#
-# Configure by setting in .env (passed into the container via docker-compose):
-#   TELEGRAM_BOT_TOKEN=123456:ABC-DEF...
-#   TELEGRAM_CHAT_ID=-100123456789
-# ─────────────────────────────────────────────────────────────────────────────
-
-BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
-CHAT_ID="${TELEGRAM_CHAT_ID:-}"
-
-# Exit silently if not configured — allows docker-npm action to work without Telegram
-[[ -z "$BOT_TOKEN" || -z "$CHAT_ID" ]] && exit 0
-
-send() {
-    curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
-        --data-urlencode "chat_id=${CHAT_ID}" \
-        --data-urlencode "text=$1" \
-        --data-urlencode "parse_mode=HTML" \
-        > /dev/null 2>&1 || true
-}
-
-# Parse flags
-ACTION="" BAN_IP="" REASON="" UNBAN_IP=""
-while getopts ":a:b:r:u:" opt; do
-    case $opt in
-        a) ACTION="$OPTARG"   ;;
-        b) BAN_IP="$OPTARG"   ;;
-        r) REASON="$OPTARG"   ;;
-        u) UNBAN_IP="$OPTARG" ;;
-    esac
-done
-
-case "$ACTION" in
-    start) send "🟢 <b>F2B Control Center started</b>"  ;;
-    stop)  send "🔴 <b>F2B Control Center stopped</b>"   ;;
-esac
-
-if [[ -n "$BAN_IP" ]]; then
-    MSG="🚫 <b>BANNED</b>: <code>${BAN_IP}</code>"
-    [[ -n "$REASON" ]] && MSG="${MSG} [${REASON}]"
-    send "$MSG"
-fi
-
-if [[ -n "$UNBAN_IP" ]]; then
-    send "✅ <b>UNBANNED</b>: <code>${UNBAN_IP}</code>"
-fi

fail2ban/action.d/webhook.conf

@@ -1,37 +0,0 @@
-# ── F2B Control Center — webhook action ──────────────────────────────────────
-#
-# Optional fail2ban action that POSTs a JSON payload to a webhook URL on
-# ban and unban events. Useful for Discord, Slack, n8n, or any HTTP endpoint.
-#
-# USAGE:
-#   Set WEBHOOK_URL in your .env file.
-#   Then add to any jail in jail.local:
-#
-#     action = %(action_)s
-#              webhook[url="%(webhook_url)s"]
-#
-#   And in [DEFAULT]:
-#     webhook_url = YOUR_WEBHOOK_URL
-#
-# This action is NOT enabled by default. The dashboard's ban webhook is
-# handled separately via the WEBHOOK_URL environment variable in server.js.
-# ─────────────────────────────────────────────────────────────────────────────
-
-[Definition]
-
-# Variable: webhook URL (set via jail.local or override)
-webhook_url = %(url)s
-
-actionban = curl -s -X POST \
-              -H "Content-Type: application/json" \
-              -d '{"action":"ban","ip":"<ip>","jail":"<name>","failures":<failures>,"ts":"'$(date -u +%%Y-%%m-%%dT%%H:%%M:%%SZ)'"}' \
-              "%(webhook_url)s" || true
-
-actionunban = curl -s -X POST \
-                -H "Content-Type: application/json" \
-                -d '{"action":"unban","ip":"<ip>","jail":"<name>","ts":"'$(date -u +%%Y-%%m-%%dT%%H:%%M:%%SZ)'"}' \
-                "%(webhook_url)s" || true
-
-[Init]
-name = default
-url  =