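# ── F2B Control Center ────────────────────────────────────────────────────────
# Single-container image: Fail2Ban + Node.js dashboard + supervisord
#
# Build:  docker build -t f2b-control-center .
# Run:    docker-compose up -d
#
# Security notes for operators:
#   * No USER directive is set, so every process in the container runs as root.
#   * The iptables ban backend requires the NET_ADMIN and NET_RAW capabilities;
#     grant only those two at run time instead of running the container
#     privileged.
#   * Mount the proxy log directory at /nginx-logs read-only.
# ─────────────────────────────────────────────────────────────────────────────

# NOTE(review): node:18-slim is a floating tag, and Node.js 18 is past upstream
# end-of-life. Pin the base image by digest for reproducible builds and plan a
# move to a supported LTS line.
FROM node:18-slim

LABEL org.opencontainers.image.title="F2B Control Center" \
      org.opencontainers.image.description="Fail2Ban + dashboard for Nginx Proxy Manager" \
      org.opencontainers.image.licenses="MIT"

# ── System dependencies ───────────────────────────────────────────────────────
#   curl       – used by the webhook action and healthcheck
#   fail2ban   – the core banning daemon
#   ipset      – optional; used by some fail2ban actions for performance
#   iptables   – default ban action backend (requires NET_ADMIN + NET_RAW)
#   jq         – JSON processor; not referenced in this file, presumably used
#                by the shell scripts copied below (confirm)
#   supervisor – process manager (runs fail2ban + node in one container)
#
# The apt lists are removed in the same layer that created them. The Debian
# default jail is removed as well: it enables sshd, which has no log file in
# the container.
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
        fail2ban \
        ipset \
        iptables \
        jq \
        supervisor \
    && rm -rf /var/lib/apt/lists/* \
    && rm -f /etc/fail2ban/jail.d/defaults-debian.conf

# ── Dashboard dependencies ────────────────────────────────────────────────────
# Only the manifests are copied first, so this layer stays cached until
# package*.json changes. The npm cache is dropped in the same layer so it does
# not ship in the image.
WORKDIR /app
COPY dashboard/package*.json ./
RUN npm ci --omit=dev --prefer-offline \
    && npm cache clean --force

# ── Dashboard source ──────────────────────────────────────────────────────────
COPY dashboard/server.js ./
COPY dashboard/public ./public/

# ── Default fail2ban config (copied to /etc/fail2ban on first run) ────────────
COPY fail2ban/ /etc/f2b-defaults/

# ── Process management ────────────────────────────────────────────────────────
COPY supervisor.conf /etc/supervisor/conf.d/f2b-control-center.conf

# ── Startup and health ────────────────────────────────────────────────────────
COPY entrypoint.sh /entrypoint.sh
COPY healthcheck.sh /healthcheck.sh
COPY logwatch.sh /logwatch.sh
# The executable bit is set here so the build does not depend on the file modes
# in the build context.
RUN chmod +x /entrypoint.sh /healthcheck.sh /logwatch.sh

# ── Runtime directories ───────────────────────────────────────────────────────
# Created before the VOLUME instruction below.
RUN mkdir -p /data /nginx-logs /var/log /var/run/fail2ban

# ── Persistent volumes ────────────────────────────────────────────────────────
#   /data         – ban-history.json and other app state
#   /nginx-logs   – mount your NPM log directory here (read-only)
#   /etc/fail2ban – persists user-edited jail config across image updates
VOLUME ["/data", "/nginx-logs", "/etc/fail2ban"]

# EXPOSE only documents the port; it does not publish it.
# NOTE(review): whether the dashboard authenticates requests is not visible in
# this file. Until that is confirmed, publish 4000 on a trusted interface only.
EXPOSE 4000

HEALTHCHECK --interval=30s --timeout=10s --start-period=25s --retries=3 \
    CMD /healthcheck.sh

ENTRYPOINT ["/entrypoint.sh"]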