- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup
- Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable)
- Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file
- Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml
- entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run
- Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write
- Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars)
- Include Nginx Proxy Manager in both compose files with shared log bind mount
- Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction)
- Add DATA_DIR, Telegram, CF API key fields to .env.example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
47 lines
3.1 KiB
Plaintext
# ── F2B Control Center — environment configuration ───────────────────────────
# cp .env.example .env then fill in your values.
# ─────────────────────────────────────────────────────────────────────────────

# ── Data directory ────────────────────────────────────────────────────────────
# Host path where NPM data, logs, and certs are stored.
# NPM logs will be at: ${DATA_DIR}/npm/logs/proxy-host-*_access.log
DATA_DIR=./data

# ── Dashboard ─────────────────────────────────────────────────────────────────
# Port the dashboard listens on (direct host port — network_mode: host)
DASHBOARD_PORT=4000

# ── Network ───────────────────────────────────────────────────────────────────
# Comma-separated CIDRs to skip during log scanning and banning.
# Include your LAN, Docker bridge, and any other trusted networks.
SUBNETS_TO_IGNORE=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

# ── AbuseIPDB (optional but recommended) ─────────────────────────────────────
# Enables IP reputation lookups and the AUTO-BAN feature.
# Free API keys: https://www.abuseipdb.com/
ABUSEIPDB_API_KEY=

# ── Telegram notifications (optional) ────────────────────────────────────────
# Sends a message on ban/unban/start/stop events.
# 1. Create a bot via @BotFather → copy the token
# 2. Get your chat ID (send a message to the bot, then:
#    curl https://api.telegram.org/bot<TOKEN>/getUpdates)
TELEGRAM_BOT_TOKEN=
TELEGRAM_CHAT_ID=

# ── Cloudflare (docker-compose.cloudflare.yml only) ───────────────────────────
# Required when using docker-compose.cloudflare.yml.
# Global API Key from: https://dash.cloudflare.com/profile/api-tokens
CF_EMAIL=
CF_APIKEY=

# ── Webhook (optional) ────────────────────────────────────────────────────────
# POST to this URL on every manual ban from the dashboard.
# Payload: { "action": "ban", "ip": "...", "jail": "manual-bans", "ts": "..." }
WEBHOOK_URL=

# ── Cloudflare whitelist sync (optional) ──────────────────────────────────────
# Path (inside the container) to a script run after any whitelist change.
# Mount your script into the container and set this path.
# CF_SYNC=/usr/local/bin/cloudflare-whitelist-sync.sh