- docker-compose: add cap_add NET_ADMIN + NET_RAW — without these,
iptables commands inside the container silently fail (permission denied)
so bans were recorded in fail2ban but no rules were ever applied
- docker-npm.conf: add DOCKER-USER source IP rule so direct connections
to NPM are blocked (INPUT rule only covers host services, not containers)
- xt_string rule now has `|| true` so a missing module doesn't abort the ban
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
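For reference, here is what a fail2ban action of the shape the commit describes looks like. This is an added example, not the commit's own docker-npm.conf: it assumes a fail2ban action.d file invoked from a jail as `action = docker-npm[name=npm, port="80,443"]`, hooks the per-jail chain into both DOCKER-USER (forwarded container traffic) and INPUT (host services), and tolerates a missing xt_string module with `|| true`. The commit does not say what the string rule matches, so `<sig>` is a placeholder. On the compose side the fail2ban container needs `cap_add: [NET_ADMIN, NET_RAW]`; without those the iptables calls below fail with permission denied and the ban is recorded but never enforced.

```ini
# Assumed location: /etc/fail2ban/action.d/docker-npm.conf (example, not the
# commit's actual file). Jail side: action = docker-npm[name=npm, port="80,443"]
[Definition]

# Per-jail chain hooked into DOCKER-USER and INPUT. An INPUT-only hook never
# sees packets destined for a published container port, since those traverse
# FORWARD (and therefore DOCKER-USER), not INPUT.
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I DOCKER-USER -p tcp -m multiport --dports <port> -j f2b-<name>
              iptables -I INPUT -p tcp -m multiport --dports <port> -j f2b-<name>

actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports <port> -j f2b-<name>
             iptables -D INPUT -p tcp -m multiport --dports <port> -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>

# fail2ban re-runs actionstart when this check fails, so the DOCKER-USER hook
# is restored if the chain was removed out from under it.
actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-<name>[ \t]'

# Source-IP drop first. The payload-signature rule needs the xt_string kernel
# module; the trailing "|| true" lets it fail without undoing the ban.
# <sig> is a placeholder for the string the original rule matches on.
actionban = iptables -I f2b-<name> 1 -s <ip> -j DROP
            iptables -I f2b-<name> 1 -s <ip> -m string --algo bm --string "<sig>" -j DROP || true

actionunban = iptables -D f2b-<name> -s <ip> -j DROP
              iptables -D f2b-<name> -s <ip> -m string --algo bm --string "<sig>" -j DROP || true

[Init]
name = default
port = 80,443
sig = PLACEHOLDER-SIGNATURE
```

A quick way to confirm the rules are actually landing is to ban a test address (`fail2ban-client set npm banip 203.0.113.10`, a documentation-range address) and then list the chain with `iptables -n -L f2b-npm`; if the chain is empty after a ban, the container is still missing NET_ADMIN/NET_RAW.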