fix: full audit pass — placeholder logs, jq, allowipv6, stale refs

- entrypoint: create proxy-host-placeholder_access.log if no NPM logs
  exist so fail2ban can start before any proxy hosts are configured
- docker-compose: remove :ro from nginx-logs mount (needed for placeholder)
- Dockerfile: add jq (required by cloudflare.conf actionunban)
- cloudflare.conf: replace python3 JSON parsing with jq; clean stale comments
- jail.local + jail.cloudflare.local: add allowipv6 = auto to suppress warning
- jail.cloudflare.local: remove stale .env and docker-compose.cloudflare.yml refs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -23,6 +23,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
       iptables \
       ipset \
       curl \
+      jq \
     && rm -rf /var/lib/apt/lists/* \
     # Remove debian default jail (enables sshd which has no log file in container)
     && rm -f /etc/fail2ban/jail.d/defaults-debian.conf

docker-compose.yml

@@ -33,7 +33,7 @@ services:
       MANUAL_JAIL:   "manual-bans"
       BAN_HIST_FILE: "/data/ban-history.json"
     volumes:
-      - ./data/npm/logs:/nginx-logs:ro
+      - ./data/npm/logs:/nginx-logs
       - f2b-data:/data
       - f2b-config:/etc/fail2ban
 

entrypoint.sh

@@ -52,12 +52,13 @@ mkdir -p /data /var/log /var/run/fail2ban
 # Create fail2ban log file if it doesn't exist (prevents startup errors)
 touch /var/log/fail2ban.log
 
-# Ensure nginx-logs directory exists (warn if empty/unmounted)
-if [ ! -d /nginx-logs ] || [ -z "$(ls -A /nginx-logs 2>/dev/null)" ]; then
-    echo "[f2b-cc] WARNING: /nginx-logs appears empty or unmounted."
-    echo "[f2b-cc] Set DATA_DIR in .env so NPM logs are bind-mounted here."
-    echo "[f2b-cc] Log scanning will not return results until logs are available."
-    mkdir -p /nginx-logs
+# Ensure nginx-logs directory exists and has at least one file matching the glob.
+# fail2ban requires a matching file to exist at startup — create a placeholder
+# if NPM hasn't generated any proxy host logs yet.
+mkdir -p /nginx-logs
+if ! ls /nginx-logs/proxy-host-*_access.log > /dev/null 2>&1; then
+    echo "[f2b-cc] No NPM logs found — creating placeholder so fail2ban can start."
+    touch /nginx-logs/proxy-host-placeholder_access.log
 fi
 
 # ── Start supervisord (manages fail2ban + dashboard) ─────────────────────────

fail2ban/action.d/cloudflare.conf

@@ -1,22 +1,12 @@
 [Definition]
 
-# ── Cloudflare IP Access Rules action ────────────────────────────────────────
-#
 # Blocks/unblocks IPs at the Cloudflare account level via the Access Rules API.
-# When enabled, a ban will be enforced by Cloudflare before traffic even
-# reaches your server — the most effective layer for high-volume attackers.
+# Bans are enforced by Cloudflare before traffic reaches your server.
+# Enable by setting CF_EMAIL + CF_APIKEY in docker-compose.yml.
 #
-# SETUP:
-#   1. Get your Global API Key from:
-#      https://dash.cloudflare.com/profile/api-tokens
-#   2. Set CF_EMAIL and CF_APIKEY in your .env file
-#   3. Use docker-compose.cloudflare.yml instead of docker-compose.yml
-#
-# NOTE: This uses the user-level Access Rules API, which applies the block
-#       across all zones on your Cloudflare account. For zone-scoped rules,
-#       replace the URL with:
-#       https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules
-# ─────────────────────────────────────────────────────────────────────────────
+# NOTE: Uses the user-level API — applies across all zones on your account.
+# For zone-scoped rules replace the URL with:
+#   https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/firewall/access_rules/rules
 
 actionban = curl -s -X POST \
               -H "X-Auth-Email: %(cf_email)s" \
@@ -30,7 +20,7 @@ actionunban = RULE_ID=$(curl -s \
                 -H "X-Auth-Email: %(cf_email)s" \
                 -H "X-Auth-Key: %(cf_apikey)s" \
                 "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?configuration_target=ip&configuration_value=<ip>&mode=block&page=1&per_page=1" | \
-                python3 -c "import sys,json; r=json.load(sys.stdin).get('result',[]); print(r[0]['id'] if r else '')" 2>/dev/null) ; \
+                jq -r '.result[0].id // empty' 2>/dev/null) ; \
               [ -n "$RULE_ID" ] && \
               curl -s -X DELETE \
                 -H "X-Auth-Email: %(cf_email)s" \
@@ -39,6 +29,5 @@ actionunban = RULE_ID=$(curl -s \
                 > /dev/null 2>&1 || true
 
 [Init]
-# Populated from environment via jail.local — do not set here
 cf_email  =
 cf_apikey =

fail2ban/jail.cloudflare.local

@@ -1,24 +1,20 @@
 # ── F2B Control Center — jail configuration (Cloudflare) ─────────────────────
-#
-# Used when CF_EMAIL and CF_APIKEY are set (docker-compose.cloudflare.yml).
-# Identical to jail.local but adds the cloudflare action to every jail so
-# bans are enforced at both the iptables and Cloudflare WAF levels.
-#
-# CF credentials are read from environment variables — no credentials are
-# stored in this file.
+# Installed when CF_EMAIL + CF_APIKEY are set in docker-compose.yml.
+# Adds the Cloudflare WAF action to every jail alongside iptables.
+# Credentials are injected from environment — not stored here.
 # ─────────────────────────────────────────────────────────────────────────────
 
 [DEFAULT]
-bantime  = 1h
-findtime = 10m
-maxretry = 5
+bantime    = 1h
+findtime   = 10m
+maxretry   = 5
+allowipv6  = auto
 
 # Populated by entrypoint from SUBNETS_TO_IGNORE env var on first run.
 # Updated live by the dashboard — do not edit by hand.
 ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 
-# Cloudflare credentials — injected from environment at runtime.
-# Set CF_EMAIL and CF_APIKEY in your .env file.
+# Cloudflare credentials — set CF_EMAIL and CF_APIKEY in docker-compose.yml.
 cf_email  = %(ENV[CF_EMAIL])s
 cf_apikey = %(ENV[CF_APIKEY])s
 

fail2ban/jail.local

@@ -6,9 +6,10 @@
 # ─────────────────────────────────────────────────────────────────────────────
 
 [DEFAULT]
-bantime  = 1h
-findtime = 10m
-maxretry = 5
+bantime    = 1h
+findtime   = 10m
+maxretry   = 5
+allowipv6  = auto
 
 # Populated by entrypoint from SUBNETS_TO_IGNORE env var on first run.
 # Updated live by the dashboard — do not edit by hand.