gitea
920b69cfca
- Replace iptables-allports with docker-npm action (DOCKER-USER + xt_string X-Forwarded-For matching + INPUT chain) matching user's working setup - Add telegram_notif.sh (deployed to /data/action.d/ at first run, user-editable) - Add cloudflare.conf action; jail.cloudflare.local enabled via CF compose file - Two compose files: docker-compose.yml (standard) and docker-compose.cloudflare.yml - entrypoint: modprobe xt_string, DOCKER-USER chain check, CF jail auto-selection, telegram_notif.sh deployment to persistent volume on first run - Fix whitelist live-update: addignoreip/delignoreip called alongside jail.local write - Hardcode AUTOBAN_THR=75 and DEFAULT_DAYS=3 (remove env vars) - Include Nginx Proxy Manager in both compose files with shared log bind mount - Rewrite filters for actual NPM log format ([Client <HOST>] real IP extraction) - Add DATA_DIR, Telegram, CF API key fields to .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
79 lines
3.2 KiB
YAML
79 lines
3.2 KiB
YAML
# ── F2B Control Center — Cloudflare stack ────────────────────────────────────
|
|
#
|
|
# Identical to docker-compose.yml with CF credentials added.
|
|
# Bans are enforced at BOTH the iptables level AND the Cloudflare WAF level.
|
|
#
|
|
# SETUP:
|
|
# 1. cp .env.example .env
|
|
# 2. Fill in CF_EMAIL and CF_APIKEY in .env
|
|
# 3. docker-compose -f docker-compose.cloudflare.yml up -d
|
|
#
|
|
# On first start the entrypoint detects CF_EMAIL/CF_APIKEY and installs
|
|
# jail.cloudflare.local instead of jail.local, enabling the cloudflare
|
|
# action for all jails automatically.
|
|
#
|
|
# IMPORTANT: If you have already started the standard compose and have an
|
|
# existing f2b-config volume, delete it first so the CF jail config is
|
|
# installed fresh:
|
|
# docker-compose down
|
|
# docker volume rm f2b-control-center_f2b-config
|
|
# docker-compose -f docker-compose.cloudflare.yml up -d
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
version: "3.9"
|
|
|
|
services:
|
|
|
|
# ── Nginx Proxy Manager ─────────────────────────────────────────────────────
|
|
npm:
|
|
image: jc21/nginx-proxy-manager:latest
|
|
container_name: nginx-proxy-manager
|
|
restart: unless-stopped
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
- "81:81"
|
|
volumes:
|
|
- ${DATA_DIR:-./data}/npm:/data
|
|
- ${DATA_DIR:-./data}/npm/logs:/data/logs
|
|
- ${DATA_DIR:-./data}/letsencrypt:/etc/letsencrypt
|
|
|
|
# ── F2B Control Center ──────────────────────────────────────────────────────
|
|
f2b-control-center:
|
|
build: .
|
|
image: f2b-control-center:latest
|
|
container_name: f2b-control-center
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- npm
|
|
network_mode: host
|
|
|
|
environment:
|
|
PORT: "${DASHBOARD_PORT:-4000}"
|
|
ABUSEIPDB_API_KEY: "${ABUSEIPDB_API_KEY:-}"
|
|
SUBNETS_TO_IGNORE: "${SUBNETS_TO_IGNORE:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
|
|
WEBHOOK_URL: "${WEBHOOK_URL:-}"
|
|
TELEGRAM_BOT_TOKEN: "${TELEGRAM_BOT_TOKEN:-}"
|
|
TELEGRAM_CHAT_ID: "${TELEGRAM_CHAT_ID:-}"
|
|
# ── Cloudflare credentials ──────────────────────────────────────────────
|
|
# Required: your Cloudflare account email
|
|
CF_EMAIL: "${CF_EMAIL}"
|
|
# Required: your Cloudflare Global API Key
|
|
# https://dash.cloudflare.com/profile/api-tokens → "Global API Key"
|
|
CF_APIKEY: "${CF_APIKEY}"
|
|
# Internal paths
|
|
LOG_DIR: "/nginx-logs"
|
|
FAIL2BAN_LOG: "/var/log/fail2ban.log"
|
|
JAIL_LOCAL: "/etc/fail2ban/jail.local"
|
|
MANUAL_JAIL: "manual-bans"
|
|
BAN_HIST_FILE: "/data/ban-history.json"
|
|
|
|
volumes:
|
|
- ${DATA_DIR:-./data}/npm/logs:/nginx-logs:ro
|
|
- f2b-data:/data
|
|
- f2b-config:/etc/fail2ban
|
|
|
|
volumes:
|
|
f2b-data:
|
|
f2b-config:
|