feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup - Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable) - Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file - Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml - entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run - Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write - Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars) - Include Nginx Proxy Manager in both compose files with shared log bind mount - Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction) - Add DATA_DIR, Telegram, CF API key fields to .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 15:08:06 +00:00
parent dd7f8dd1a2
commit 920b69cfca
14 changed files with 446 additions and 224 deletions
--- a/fail2ban/action.d/cloudflare.conf
+++ b/fail2ban/action.d/cloudflare.conf
@@ -0,0 +1,44 @@
+[Definition]
+
+# ── Cloudflare IP Access Rules action ────────────────────────────────────────
+#
+# Blocks/unblocks IPs at the Cloudflare account level via the Access Rules API.
+# When enabled, a ban will be enforced by Cloudflare before traffic even
+# reaches your server — the most effective layer for high-volume attackers.
+#
+# SETUP:
+#   1. Get your Global API Key from:
+#      https://dash.cloudflare.com/profile/api-tokens
+#   2. Set CF_EMAIL and CF_APIKEY in your .env file
+#   3. Use docker-compose.cloudflare.yml instead of docker-compose.yml
+#
+# NOTE: This uses the user-level Access Rules API, which applies the block
+#       across all zones on your Cloudflare account. For zone-scoped rules,
+#       replace the URL with:
+#       https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules
+# ─────────────────────────────────────────────────────────────────────────────
+
+actionban = curl -s -X POST \
+              -H "X-Auth-Email: %(cf_email)s" \
+              -H "X-Auth-Key: %(cf_apikey)s" \
+              -H "Content-Type: application/json" \
+              -d "{\"mode\":\"block\",\"configuration\":{\"target\":\"ip\",\"value\":\"<ip>\"},\"notes\":\"f2b-cc: <name>\"}" \
+              "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
+              > /dev/null 2>&1 || true
+
+actionunban = RULE_ID=$(curl -s \
+                -H "X-Auth-Email: %(cf_email)s" \
+                -H "X-Auth-Key: %(cf_apikey)s" \
+                "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?configuration_target=ip&configuration_value=<ip>&mode=block&page=1&per_page=1" | \
+                python3 -c "import sys,json; r=json.load(sys.stdin).get('result',[]); print(r[0]['id'] if r else '')" 2>/dev/null) ; \
+              [ -n "$RULE_ID" ] && \
+              curl -s -X DELETE \
+                -H "X-Auth-Email: %(cf_email)s" \
+                -H "X-Auth-Key: %(cf_apikey)s" \
+                "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$RULE_ID" \
+                > /dev/null 2>&1 || true
+
+[Init]
+# Populated from environment via jail.local — do not set here
+cf_email  =
+cf_apikey =