feat: plug-and-play refactor — docker-npm action, CF support, whitelist live-update

- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string
  X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection,
  telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fail2ban/jail.local

@@ -1,46 +1,27 @@
-# ── F2B Control Center — fail2ban jail configuration ─────────────────────────
+# ── F2B Control Center — jail configuration (standard) ───────────────────────
 #
-# This file is written to /etc/fail2ban/jail.local on first container start.
-# After first run it is persisted in the f2b-config Docker volume so your
-# customisations survive image updates.
+# Installed to /etc/fail2ban/jail.local on first container start.
+# Persisted in the f2b-config Docker volume — survives image updates.
 #
-# IMPORTANT: The dashboard manages the `ignoreip` line automatically.
-#            Do not edit it by hand unless you are not using the dashboard.
+# WHITELIST: managed by the dashboard. The ignoreip line below is written by
+#   the entrypoint (from SUBNETS_TO_IGNORE) and updated live by the dashboard
+#   without restarting fail2ban.
 #
-# LOG FORMAT NOTE:
-#   The default filters expect Nginx Proxy Manager access logs that include
-#   the real client IP in a [Client X.X.X.X] field — the format produced
-#   when NPM forwards through Cloudflare or another proxy.
-#
-#   If your NPM logs have the client IP at the start of each line (standard
-#   nginx combined format), edit the failregex lines in each filter to use:
-#     failregex = ^<HOST> - - \[...
-#   See fail2ban/filter.d/*.conf for both patterns (commented examples included).
+# CLOUDFLARE: to also block IPs at the CF level, use docker-compose.cloudflare.yml
+#   instead of docker-compose.yml. It installs jail.cloudflare.local which
+#   adds the cloudflare action to every jail automatically.
 # ─────────────────────────────────────────────────────────────────────────────
 
 [DEFAULT]
-# Default ban duration (supports suffixes: s, m, h, d)
 bantime  = 1h
-
-# Time window in which maxretry violations trigger a ban
 findtime = 10m
-
-# Number of violations before banning
 maxretry = 5
 
-# IPs and subnets to never ban.
-# The dashboard appends whitelisted IPs here — do not remove this line.
-# The entrypoint script expands SUBNETS_TO_IGNORE from your .env on first run.
+# Populated by entrypoint from SUBNETS_TO_IGNORE env var on first run.
+# Updated live by the dashboard — do not edit by hand.
 ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 
-# Default ban action: iptables-allports blocks all ports for banned IPs.
-# Requires NET_ADMIN capability (granted in docker-compose.yml) and
-# network_mode: host to affect host-level traffic.
-banaction = iptables-allports
-
 # ── NPM: Bad Bots ─────────────────────────────────────────────────────────────
-# Blocks known malicious scanners and exploit frameworks by User-Agent.
-# Stricter settings: low maxretry, long ban time.
 [badbot]
 enabled  = true
 filter   = badbot
@@ -48,11 +29,9 @@ logpath  = /nginx-logs/proxy-host-*_access.log
 bantime  = 24h
 findtime = 10m
 maxretry = 3
-action   = %(action_)s
+action   = docker-npm
 
 # ── NPM: HTTP Error Spamming ──────────────────────────────────────────────────
-# Bans IPs that generate a high volume of 4xx/5xx errors.
-# Useful for catching brute-force attempts, broken crawlers, and probes.
 [http-errors]
 enabled  = true
 filter   = http-errors
@@ -60,11 +39,9 @@ logpath  = /nginx-logs/proxy-host-*_access.log
 bantime  = 1h
 findtime = 5m
 maxretry = 15
-action   = %(action_)s
+action   = docker-npm
 
 # ── NPM: Exploit Probing ──────────────────────────────────────────────────────
-# Bans IPs requesting well-known vulnerable paths (.env, wp-admin, etc.).
-# These are almost always malicious — short maxretry, long ban.
 [npm-probe]
 enabled  = true
 filter   = npm-probe
@@ -72,11 +49,10 @@ logpath  = /nginx-logs/proxy-host-*_access.log
 bantime  = 48h
 findtime = 30m
 maxretry = 3
-action   = %(action_)s
+action   = docker-npm
 
 # ── Manual Bans ───────────────────────────────────────────────────────────────
-# Permanent bans added via the dashboard or `fail2ban-client set manual-bans banip`.
-# No automatic log-based detection — only manual entries via the dashboard.
+# Populated via dashboard or: fail2ban-client set manual-bans banip <IP>
 [manual-bans]
 enabled  = true
 filter   = manual-bans
@@ -84,11 +60,11 @@ logpath  = /dev/null
 bantime  = -1
 findtime = 1d
 maxretry = 1
-action   = %(action_)s
+action   = docker-npm
 
-# ── Recidive ──────────────────────────────────────────────────────────────────
-# Escalated bans for repeat offenders across any jail.
-# Disabled by default — enable if you want long-term blocks for persistent attackers.
+# ── Recidive — repeat offenders ───────────────────────────────────────────────
+# Escalates bans to 7d for IPs that get banned 3+ times within a day.
+# Enable once your other jails have been running for a while.
 [recidive]
 enabled  = false
 filter   = recidive
@@ -96,4 +72,4 @@ logpath  = /var/log/fail2ban.log
 bantime  = 7d
 findtime = 1d
 maxretry = 3
-action   = %(action_)s
+action   = docker-npm