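---
services:
  fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: fail2ban
    # Capabilities are granted individually instead of running a fully privileged container.
    cap_add:
      # Required: lets fail2ban manage iptables/ipset rules and network interfaces from the container
      - NET_ADMIN
      # Required: raw socket access, which iptables uses to query and modify netfilter
      # (fail2ban.sock is a Unix socket and does not depend on this capability)
      - NET_RAW
      # NOTE(review): SYS_ADMIN is a very broad capability (a capability does not "run as root",
      # it grants a specific privilege set). NET_ADMIN + NET_RAW are what iptables management
      # needs; confirm the container actually fails without SYS_ADMIN and drop it if it starts fine.
      - SYS_ADMIN
    # Deliberately left disabled: the capabilities above are the narrower alternative.
    # privileged: true
    # Host networking is needed so the iptables rules are added to the host's netfilter tables.
    network_mode: host
    environment:
      - TZ=Europe/Zurich
      - VERBOSITY=-vv
    volumes:
      # Keeps the linuxserver-fail2ban configs persistent across container restarts
      # (the same directory is mounted into fail2ban-ui so it can modify the configs)
      - ./fail2ban-config:/config:z
      # Directory that contains fail2ban.sock, used by fail2ban-ui to talk to this container
      - ./f2b-run:/var/run/fail2ban:z
      # Log sources for fail2ban, mounted read-only
      - /var/log:/var/log:ro
      - /var/log/httpd:/remotelogs/apache2:ro
    restart: unless-stopped

  fail2ban-ui:
    # Use the pre-built image from Docker Hub (default)
    image: swissmakers/fail2ban-ui:latest
    # Alternative: use the Swissmakers registry (fallback)
    # image: registry.swissmakers.ch/infra/fail2ban-ui:latest
    # Or build from source (uncomment to use):
    # image: localhost/fail2ban-ui:dev
    container_name: fail2ban-ui
    # Needed because fail2ban-ui must modify the fail2ban config, which is owned by root
    # inside the linuxserver-fail2ban container.
    # NOTE(review): privileged together with host networking means a compromise of the web UI
    # is effectively a compromise of the host; keep the UI reachable only via BIND_ADDRESS
    # and/or OIDC below. If file ownership of ./fail2ban-config is the only reason, aligning the
    # uid/gid the UI runs as with the owner of those files (or adjusting their ownership) may
    # remove the need for privileged mode — confirm against the image documentation.
    privileged: true
    network_mode: host
    environment:
      # ============================================
      # Basic Configuration
      # ============================================
      # Optional: change this to use a different port for the web interface (default: 8080)
      - PORT=3080
      # Optional: bind to a specific IP address (default: 0.0.0.0).
      # With host networking the UI otherwise listens on every host interface at PORT, so
      # set this to a specific IP (e.g. 127.0.0.1 behind a reverse proxy, or one interface's IP)
      # to keep the web UI off unprotected networks.
      # - BIND_ADDRESS=127.0.0.1
      # ============================================
      # Privacy Settings
      # ============================================
      # Optional: disable the external IP lookup for privacy (default: false).
      # When set to true, the "Your ext. IP:" display is hidden and no external IP lookup
      # requests are made.
      # - DISABLE_EXTERNAL_IP_LOOKUP=true
      # ============================================
      # OIDC Authentication (Optional)
      # ============================================
      # Enable OIDC authentication to protect the web UI
      # - OIDC_ENABLED=true
      # OIDC provider: keycloak, authentik, or pocketid
      # - OIDC_PROVIDER=keycloak
      # OIDC issuer URL (required when OIDC_ENABLED=true)
      # Examples:
      #   Keycloak:  https://keycloak.example.com/realms/your-realm
      #   Authentik: https://authentik.example.com/application/o/your-client-slug/
      #   Pocket-ID: https://pocket-id.example.com
      # - OIDC_ISSUER_URL=https://keycloak.example.com/realms/your-realm
      # OIDC client ID (required when OIDC_ENABLED=true)
      # - OIDC_CLIENT_ID=fail2ban-ui
      # OIDC client secret (required when OIDC_ENABLED=true).
      # Prefer OIDC_CLIENT_SECRET_FILE over an inline value so the secret is not stored in this
      # compose file (and not committed to version control).
      # For Keycloak auto-configuration (development only), use:
      # - OIDC_CLIENT_SECRET=auto-configured
      # - OIDC_CLIENT_SECRET_FILE=/config/keycloak-client-secret
      # Default for production:
      # - OIDC_CLIENT_SECRET=your-client-secret
      # OIDC redirect URL (required when OIDC_ENABLED=true).
      # This must match the redirect URI configured in your OIDC provider.
      # - OIDC_REDIRECT_URL=https://fail2ban-ui.example.com/auth/callback
      # Optional: OIDC scopes (default: openid,profile,email)
      # Comma-separated list of scopes to request
      # - OIDC_SCOPES=openid,profile,email,groups
      # Optional: session timeout in seconds (default: 3600 = 1 hour)
      # - OIDC_SESSION_MAX_AGE=7200
      # Optional: session secret for cookie encryption.
      # If not provided, a random secret is generated on startup (presumably invalidating
      # existing sessions on every restart).
      # For production it is recommended to set a fixed secret (32 bytes, base64-encoded)
      # - OIDC_SESSION_SECRET=your-32-byte-base64-encoded-secret
      # Optional: skip TLS verification (dev only, default: false).
      # Only use in development environments! Leaving this on in production removes the
      # protection against a spoofed issuer.
      # - OIDC_SKIP_VERIFY=true
      # Optional: username claim (default: preferred_username)
      # The claim to use as the username (e.g. email, preferred_username, sub)
      # - OIDC_USERNAME_CLAIM=preferred_username
      # Optional: provider logout URL.
      # If not set, the logout URL is auto-constructed using the standard OIDC logout
      # endpoint: {issuer}/protocol/openid-connect/logout
      # NOTE(review): that path is Keycloak's; for other providers verify it against the
      # end_session_endpoint in the issuer's discovery document and set it explicitly if it differs.
      # Examples:
      #   Keycloak:  https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
      #   Authentik: https://authentik.example.com/application/o/your-client-slug/protocol/openid-connect/logout
      #   Pocket-ID: https://pocket-id.example.com/protocol/openid-connect/logout
      # - OIDC_LOGOUT_URL=https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
    volumes:
      # Required for fail2ban-ui: stores the SQLite database, application settings and the
      # SSH keys of the fail2ban-ui container
      - ./config:/config:Z
      # Required for fail2ban-ui: used to test that a logpath works before enabling a jail.
      # Without this read-only mount, fail2ban-ui cannot enable jails (the logpath test would fail).
      - /var/log:/var/log:ro
      # Mounts the apache2 logs of an RPM-based system (e.g. Rocky Linux) to the default location
      # set by linuxserver-fail2ban (on Debian-based systems this is /var/log/apache2, which is
      # currently hardcoded in the linuxserver-fail2ban container)
      - /var/log/httpd:/remotelogs/apache2:ro
      # Required for the compose-local fail2ban instance: the same Fail2Ban config directory as
      # the linuxserver-fail2ban container (under /config/fail2ban there) so fail2ban-ui can
      # modify the configs
      - ./fail2ban-config/fail2ban:/etc/fail2ban:z
      # Required for the compose-local fail2ban instance: the same run directory that contains
      # fail2ban.sock, used for communication between fail2ban-ui and the linuxserver-fail2ban container
      - ./f2b-run:/var/run/fail2ban:z
    restart: unless-stopped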