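# ── F2B Control Center — Cloudflare stack ────────────────────────────────────
#
# Identical to docker-compose.yml with CF credentials added.
# Bans are enforced at BOTH the iptables level AND the Cloudflare WAF level.
#
# SETUP:
#   1. cp .env.example .env
#   2. Fill in CF_EMAIL and CF_APIKEY in .env
#   3. docker-compose -f docker-compose.cloudflare.yml up -d
#
# On first start the entrypoint detects CF_EMAIL/CF_APIKEY and installs
# jail.cloudflare.local instead of jail.local, enabling the cloudflare
# action for all jails automatically.
#
# IMPORTANT: If you have already started the standard compose and have an
# existing f2b-config volume, delete it first so the CF jail config is
# installed fresh:
#   docker-compose down
#   docker volume rm f2b-control-center_f2b-config
#   docker-compose -f docker-compose.cloudflare.yml up -d
#
# SECRETS: .env holds the Cloudflare key plus the AbuseIPDB and Telegram
# credentials. Keep it out of version control and readable only by the
# deploying user (chmod 600 .env).
# ─────────────────────────────────────────────────────────────────────────────

version: "3.9"

services:

  # ── Nginx Proxy Manager ─────────────────────────────────────────────────────
  npm:
    # `latest` is a floating tag: every pull may bring in a different image.
    # Pin to a release tag or image digest you have reviewed and upgrade
    # deliberately.
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # Port 81 is published on every host interface. If it serves the
      # proxy manager's admin UI, bind it to loopback or a management
      # address instead (e.g. "127.0.0.1:81:81") or firewall it.
      - "81:81"
    volumes:
      - "${DATA_DIR:-./data}/npm:/data"
      - "${DATA_DIR:-./data}/npm/logs:/data/logs"
      - "${DATA_DIR:-./data}/letsencrypt:/etc/letsencrypt"

  # ── F2B Control Center ──────────────────────────────────────────────────────
  f2b-control-center:
    build: .
    image: f2b-control-center:latest
    container_name: f2b-control-center
    restart: unless-stopped
    depends_on:
      - npm
    # Host networking: the container shares the host's network stack, so
    # there is no `ports:` mapping to limit where the dashboard (PORT below)
    # is reachable. Restrict it with a host firewall rule or put it behind
    # an authenticated proxy host.
    # NOTE(review): this file does not show whether the dashboard enforces
    # authentication — confirm before exposing it beyond a trusted network.
    network_mode: host
    environment:
      PORT: "${DASHBOARD_PORT:-4000}"
      ABUSEIPDB_API_KEY: "${ABUSEIPDB_API_KEY:-}"
      SUBNETS_TO_IGNORE: "${SUBNETS_TO_IGNORE:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
      WEBHOOK_URL: "${WEBHOOK_URL:-}"
      TELEGRAM_BOT_TOKEN: "${TELEGRAM_BOT_TOKEN:-}"
      TELEGRAM_CHAT_ID: "${TELEGRAM_CHAT_ID:-}"
      # ── Cloudflare credentials ──────────────────────────────────────────────
      # Both values are mandatory for this stack. `:?` makes compose abort
      # with the message below when a value is unset or empty, instead of
      # starting the container with blank credentials.
      #
      # Required: your Cloudflare account email
      CF_EMAIL: "${CF_EMAIL:?CF_EMAIL must be set in .env for the Cloudflare stack}"
      # Required: your Cloudflare Global API Key
      # https://dash.cloudflare.com/profile/api-tokens → "Global API Key"
      # The Global API Key grants full access to the Cloudflare account, and
      # environment values are visible to anyone who can `docker inspect`
      # this container. Rotate the key if .env or the host is exposed.
      # NOTE(review): if the ban action can use a scoped API token limited
      # to firewall rules, prefer that — confirm against the entrypoint.
      CF_APIKEY: "${CF_APIKEY:?CF_APIKEY must be set in .env for the Cloudflare stack}"
      # Internal paths
      LOG_DIR: "/nginx-logs"
      FAIL2BAN_LOG: "/var/log/fail2ban.log"
      JAIL_LOCAL: "/etc/fail2ban/jail.local"
      MANUAL_JAIL: "manual-bans"
      BAN_HIST_FILE: "/data/ban-history.json"
    volumes:
      # Proxy logs are mounted read-only; this service only needs to read them.
      - "${DATA_DIR:-./data}/npm/logs:/nginx-logs:ro"
      - f2b-data:/data
      - f2b-config:/etc/fail2ban

volumes:
  f2b-data:
  f2b-config: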