feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string
  X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection,
  telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

entrypoint.sh

@@ -6,11 +6,33 @@ set -e
 
 echo "[f2b-cc] Starting F2B Control Center..."
 
+# ── Kernel module: xt_string (required for X-Forwarded-For matching) ──────────
+if modprobe xt_string 2>/dev/null; then
+    echo "[f2b-cc] xt_string kernel module loaded OK"
+else
+    echo "[f2b-cc] WARNING: xt_string module unavailable — X-Forwarded-For iptables rules will NOT work"
+    echo "[f2b-cc] Run 'modprobe xt_string' on the Docker host to fix this."
+fi
+
+# ── DOCKER-USER chain (must exist for the ban action to insert rules) ─────────
+if iptables -L DOCKER-USER -n > /dev/null 2>&1; then
+    echo "[f2b-cc] DOCKER-USER iptables chain found OK"
+else
+    echo "[f2b-cc] DOCKER-USER chain missing — creating it"
+    iptables -N DOCKER-USER 2>/dev/null || true
+fi
+
 # ── First-run: install default fail2ban config if none exists ─────────────────
 if [ ! -f /etc/fail2ban/jail.local ]; then
     echo "[f2b-cc] First run — installing default fail2ban configuration..."
     cp -r /etc/f2b-defaults/. /etc/fail2ban/
 
+    # Cloudflare credentials present → use the CF-enabled jail config
+    if [ -n "${CF_EMAIL}" ] && [ -n "${CF_APIKEY}" ]; then
+        echo "[f2b-cc] CF_EMAIL + CF_APIKEY detected — enabling Cloudflare jail config"
+        cp /etc/f2b-defaults/jail.cloudflare.local /etc/fail2ban/jail.local
+    fi
+
     # Apply SUBNETS_TO_IGNORE from environment into jail.local's ignoreip line
     if [ -n "${SUBNETS_TO_IGNORE}" ]; then
         IGNORE_LINE="ignoreip = 127.0.0.1/8 ::1 ${SUBNETS_TO_IGNORE}"
@@ -24,6 +46,16 @@ else
     echo "[f2b-cc] Using existing fail2ban configuration."
 fi
 
+# ── Deploy telegram_notif.sh to persistent volume (user-editable) ─────────────
+mkdir -p /data/action.d
+if [ ! -f /data/action.d/telegram_notif.sh ]; then
+    echo "[f2b-cc] Deploying telegram_notif.sh to /data/action.d/"
+    cp /etc/f2b-defaults/action.d/telegram_notif.sh /data/action.d/telegram_notif.sh
+    chmod +x /data/action.d/telegram_notif.sh
+else
+    echo "[f2b-cc] /data/action.d/telegram_notif.sh already present — skipping copy"
+fi
+
 # ── Ensure required directories and files exist ───────────────────────────────
 mkdir -p /data /var/log /var/run/fail2ban
 
@@ -33,7 +65,7 @@ touch /var/log/fail2ban.log
 # Ensure nginx-logs directory exists (warn if empty/unmounted)
 if [ ! -d /nginx-logs ] || [ -z "$(ls -A /nginx-logs 2>/dev/null)" ]; then
     echo "[f2b-cc] WARNING: /nginx-logs appears empty or unmounted."
-    echo "[f2b-cc] Set NPM_LOG_DIR in .env and mount your NPM log directory."
+    echo "[f2b-cc] Set DATA_DIR in .env so NPM logs are bind-mounted here."
     echo "[f2b-cc] Log scanning will not return results until logs are available."
     mkdir -p /nginx-logs
 fi