feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string
  X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection,
  telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fail2ban/action.d/cloudflare.conf

@@ -0,0 +1,44 @@
+[Definition]
+
+# ── Cloudflare IP Access Rules action ────────────────────────────────────────
+#
+# Blocks/unblocks IPs at the Cloudflare account level via the Access Rules API.
+# When enabled, a ban will be enforced by Cloudflare before traffic even
+# reaches your server — the most effective layer for high-volume attackers.
+#
+# SETUP:
+#   1. Get your Global API Key from:
+#      https://dash.cloudflare.com/profile/api-tokens
+#   2. Set CF_EMAIL and CF_APIKEY in your .env file
+#   3. Use docker-compose.cloudflare.yml instead of docker-compose.yml
+#
+# NOTE: This uses the user-level Access Rules API, which applies the block
+#       across all zones on your Cloudflare account. For zone-scoped rules,
+#       replace the URL with:
+#       https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules
+# ─────────────────────────────────────────────────────────────────────────────
+
+actionban = curl -s -X POST \
+              -H "X-Auth-Email: %(cf_email)s" \
+              -H "X-Auth-Key: %(cf_apikey)s" \
+              -H "Content-Type: application/json" \
+              -d "{\"mode\":\"block\",\"configuration\":{\"target\":\"ip\",\"value\":\"<ip>\"},\"notes\":\"f2b-cc: <name>\"}" \
+              "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
+              > /dev/null 2>&1 || true
+
+actionunban = RULE_ID=$(curl -s \
+                -H "X-Auth-Email: %(cf_email)s" \
+                -H "X-Auth-Key: %(cf_apikey)s" \
+                "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?configuration_target=ip&configuration_value=<ip>&mode=block&page=1&per_page=1" | \
+                python3 -c "import sys,json; r=json.load(sys.stdin).get('result',[]); print(r[0]['id'] if r else '')" 2>/dev/null) ; \
+              [ -n "$RULE_ID" ] && \
+              curl -s -X DELETE \
+                -H "X-Auth-Email: %(cf_email)s" \
+                -H "X-Auth-Key: %(cf_apikey)s" \
+                "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$RULE_ID" \
+                > /dev/null 2>&1 || true
+
+[Init]
+# Populated from environment via jail.local — do not set here
+cf_email  =
+cf_apikey =

fail2ban/action.d/docker-npm.conf

@@ -0,0 +1,21 @@
+[Definition]
+
+# ── Lifecycle notifications ───────────────────────────────────────────────────
+actionstart = bash /data/action.d/telegram_notif.sh -a start
+actionstop  = bash /data/action.d/telegram_notif.sh -a stop
+
+# ── Ban ───────────────────────────────────────────────────────────────────────
+# 1. DOCKER-USER: drops forwarded packets containing the banned IP in the
+#    X-Forwarded-For header — catches traffic coming through Cloudflare/CDN
+#    where the real client IP is forwarded as a header to NPM.
+# 2. INPUT: drops direct connections from the banned IP at the host level.
+# 3. Telegram notification (silent if TELEGRAM_BOT_TOKEN is unset).
+actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
+            iptables -A INPUT -s <ip> -j DROP
+            bash /data/action.d/telegram_notif.sh -b <ip> -r "<name>"
+
+# ── Unban ─────────────────────────────────────────────────────────────────────
+# || true prevents failure if the rule was already removed (e.g. on restart).
+actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP || true
+              iptables -D INPUT -s <ip> -j DROP || true
+              bash /data/action.d/telegram_notif.sh -u <ip>

fail2ban/action.d/telegram_notif.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# ── Telegram notification hook for fail2ban ───────────────────────────────────
+# Called by docker-npm.conf on ban/unban/start/stop events.
+# Silently exits if TELEGRAM_BOT_TOKEN or TELEGRAM_CHAT_ID is not set.
+#
+# Usage:
+#   telegram_notif.sh -a start|stop
+#   telegram_notif.sh -b <ip> -r "<reason>"
+#   telegram_notif.sh -u <ip>
+#
+# Configure by setting in .env (passed into the container via docker-compose):
+#   TELEGRAM_BOT_TOKEN=123456:ABC-DEF...
+#   TELEGRAM_CHAT_ID=-100123456789
+# ─────────────────────────────────────────────────────────────────────────────
+
+BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
+CHAT_ID="${TELEGRAM_CHAT_ID:-}"
+
+# Exit silently if not configured — allows docker-npm action to work without Telegram
+[[ -z "$BOT_TOKEN" || -z "$CHAT_ID" ]] && exit 0
+
+send() {
+    curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
+        --data-urlencode "chat_id=${CHAT_ID}" \
+        --data-urlencode "text=$1" \
+        --data-urlencode "parse_mode=HTML" \
+        > /dev/null 2>&1 || true
+}
+
+# Parse flags
+ACTION="" BAN_IP="" REASON="" UNBAN_IP=""
+while getopts ":a:b:r:u:" opt; do
+    case $opt in
+        a) ACTION="$OPTARG"   ;;
+        b) BAN_IP="$OPTARG"   ;;
+        r) REASON="$OPTARG"   ;;
+        u) UNBAN_IP="$OPTARG" ;;
+    esac
+done
+
+case "$ACTION" in
+    start) send "🟢 <b>F2B Control Center started</b>"  ;;
+    stop)  send "🔴 <b>F2B Control Center stopped</b>"   ;;
+esac
+
+if [[ -n "$BAN_IP" ]]; then
+    MSG="🚫 <b>BANNED</b>: <code>${BAN_IP}</code>"
+    [[ -n "$REASON" ]] && MSG="${MSG} [${REASON}]"
+    send "$MSG"
+fi
+
+if [[ -n "$UNBAN_IP" ]]; then
+    send "✅ <b>UNBANNED</b>: <code>${UNBAN_IP}</code>"
+fi