feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string
  X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection,
  telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fail2ban/filter.d/npm-probe.conf

@@ -1,29 +1,12 @@
-# ── F2B Control Center — npm-probe filter ────────────────────────────────────
-#
-# Bans IPs probing for well-known vulnerable paths.
-# These requests almost always indicate automated exploit scanning — a single
-# hit warrants a long ban (configured to 48h / maxretry 3 in jail.local).
-#
-# Covered categories:
-#   - PHP-based CMS admin paths (WordPress, Joomla, etc.)
-#   - Common config/credential file leaks (.env, .git, etc.)
-#   - Java frameworks (actuator, Spring Boot, Struts)
-#   - Web shells and common RCE payloads
-#   - Device/router admin interfaces (HNAP, boaform)
-#   - PHPMyAdmin, Adminer, database tools
-#   - Path traversal attempts (../)
-#
-# LOG FORMAT:
-#   Primary pattern matches NPM logs with [Client IP] real-IP field.
-#   See badbot.conf for details on switching to standard nginx format.
-# ─────────────────────────────────────────────────────────────────────────────
-
 [Definition]
 
-# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
-failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD|OPTIONS) (?:/.env(?:\.[^"]*)?|/.git(?:/[^"]*)?|/wp-login\.php|/wp-admin(?:/[^"]*)?|/xmlrpc\.php|/phpmyadmin(?:/[^"]*)?|/pma(?:/[^"]*)?|/adminer(?:\.php)?|/admin\.php|/config\.php|/setup\.php|/install\.php|/actuator(?:/[^"]*)?|/console|/manager/html|/invoker/JMXInvokerServlet|/solr(?:/[^"]*)?|/geoserver(?:/[^"]*)?|/boaform(?:/[^"]*)?|/HNAP1(?:/[^"]*)?|/cgi-bin/[^"]*|/shell\.php|/cmd\.php|/eval-stdin\.php|/[^"]*\.\./[^"]*) HTTP[^"]*" \d{3} .* \[Client <HOST>\]
+# ── NPM access log format ─────────────────────────────────────────────────────
+# Bans IPs probing for well-known vulnerable paths.
+# Default jail: 3 hits in 30 minutes → 48h ban (very aggressive, intentionally).
+#
+# PROXY_IP - - [date] "METHOD PATH HTTP/VER" STATUS BYTES "REFERER" "UA" [Client REAL_IP]
+# ─────────────────────────────────────────────────────────────────────────────
 
-# ── Alternative: standard nginx combined format ───────────────────────────────
-# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD) (?:/.env|/.git|/wp-login\.php|/wp-admin|/xmlrpc\.php|/phpmyadmin|/pma|/adminer|/admin\.php|/actuator|/console|/boaform|/HNAP1|/cgi-bin/|/shell\.php) HTTP"
+failregex = ^\S+ - - \[[^\]]+\] "[A-Z]+ /(?:\.env[^"]*|\.git[^"]*|wp-login\.php[^"]*|wp-admin[^"]*|xmlrpc\.php[^"]*|phpmyadmin[^"]*|pma/[^"]*|adminer[^"]*|admin\.php[^"]*|config\.php[^"]*|setup\.php[^"]*|install\.php[^"]*|actuator[^"]*|console[^"]*|manager/html[^"]*|invoker/[^"]*|solr/[^"]*|geoserver/[^"]*|boaform/[^"]*|HNAP1[^"]*|cgi-bin/[^"]*|shell\.php[^"]*|cmd\.php[^"]*|eval-stdin\.php[^"]*)[^"]*" \d{3} \d+ "[^"]*" "[^"]*" \[Client <HOST>\]
 
 ignoreregex =