2025-12-01 13:26:42 +01:00
services :
fail2ban-ui :
2026-01-11 20:38:02 +01:00
# Use pre-built image from Docker Hub (default)
image : swissmakers/fail2ban-ui:latest
# Alternative: Use Swissmakers registry (fallback)
# image: registry.swissmakers.ch/infra/fail2ban-ui:latest
2025-12-03 20:43:44 +01:00
2025-12-01 13:26:42 +01:00
# Or build from source (uncomment to use):
# build:
# context: .
# dockerfile: Dockerfile
2025-12-03 20:43:44 +01:00
2025-12-01 13:26:42 +01:00
container_name : fail2ban-ui
2025-12-15 13:44:41 +01:00
#privileged: true # needed if you want to use a container-local fail2ban instance (because fail2ban.sock is owned by root)
# a single all-in-one container is planned, currently you need to use the fail2ban container from linuxserver, see docker-compose-allinone.yml for an example
2025-12-01 13:26:42 +01:00
network_mode : host
2025-12-03 20:43:44 +01:00
2025-12-01 13:26:42 +01:00
environment :
2026-01-19 22:09:54 +01:00
# ============================================
# Basic Configuration
# ============================================
# Optional: Change this to use a different port for the web interface (default: 8080)
2025-12-01 13:26:42 +01:00
- PORT=8080
2025-12-30 17:08:20 +01:00
# Optional: Bind to a specific IP address (default: 0.0.0.0)
# This is useful when running with host networking to prevent exposing
# the web UI to unprotected networks. Set to a specific IP (e.g., 127.0.0.1
# or a specific interface IP) to restrict access.
# - BIND_ADDRESS=127.0.0.1
2026-01-19 22:09:54 +01:00
# ============================================
# Privacy Settings
# ============================================
# Optional: Disable external IP lookup for privacy (default: false).
# When set to true, the "Your ext. IP:" display will be hidden and no external IP lookup requests will be made.
# - DISABLE_EXTERNAL_IP_LOOKUP=true
# ============================================
# OIDC Authentication (Optional)
# ============================================
# Enable OIDC authentication to protect the web UI
# - OIDC_ENABLED=true
# OIDC Provider: keycloak, authentik, or pocketid
# - OIDC_PROVIDER=keycloak
# OIDC Issuer URL (required when OIDC_ENABLED=true)
# Examples:
# Keycloak: https://keycloak.example.com/realms/your-realm
# Authentik: https://authentik.example.com/application/o/your-client-slug/
# Pocket-ID: https://pocket-id.example.com
# - OIDC_ISSUER_URL=https://keycloak.example.com/realms/your-realm
# OIDC Client ID (required when OIDC_ENABLED=true)
# - OIDC_CLIENT_ID=fail2ban-ui
# OIDC Client Secret (required when OIDC_ENABLED=true)
# For Keycloak auto-configuration (development only), use:
# - OIDC_CLIENT_SECRET=auto-configured
# - OIDC_CLIENT_SECRET_FILE=/config/keycloak-client-secret
# Default for production:
# - OIDC_CLIENT_SECRET=your-client-secret
# OIDC Redirect URL (required when OIDC_ENABLED=true)
# This must match the redirect URI configured in your OIDC provider
# - OIDC_REDIRECT_URL=https://fail2ban-ui.example.com/auth/callback
# Optional: OIDC Scopes (default: openid,profile,email)
# Comma-separated list of scopes to request
# - OIDC_SCOPES=openid,profile,email,groups
# Optional: Session timeout in seconds (default: 3600 = 1 hour)
# - OIDC_SESSION_MAX_AGE=7200
# Optional: Session secret for cookie encryption
# If not provided, a random secret will be generated on startup.
# For production, it's recommended to set a fixed secret (32 bytes, base64-encoded)
# - OIDC_SESSION_SECRET=your-32-byte-base64-encoded-secret
# Optional: Skip TLS verification (dev only, default: false)
# Only use in development environments!
# - OIDC_SKIP_VERIFY=true
# Optional: Username claim (default: preferred_username)
# The claim to use as the username (e.g., email, preferred_username, sub)
# - OIDC_USERNAME_CLAIM=preferred_username
# Optional: Provider logout URL
# If not set, the logout URL will be auto-constructed using the standard OIDC logout endpoint: {issuer}/protocol/openid-connect/logout
# Examples:
# Keycloak: https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
# Authentik: https://authentik.example.com/application/o/your-client-slug/protocol/openid-connect/logout
# Pocket-ID: https://pocket-id.example.com/protocol/openid-connect/logout
# - OIDC_LOGOUT_URL=https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
2025-12-01 13:26:42 +01:00
volumes :
2025-12-15 13:44:41 +01:00
# Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
2025-12-01 13:26:42 +01:00
- /opt/podman-fail2ban-ui:/config:Z
2025-12-15 13:44:41 +01:00
# Required for fail2ban-ui: Used for testing, that logpath is working, before enabeling a jail. Without this read only access the fail2ban-ui will not be able to enable jails (logpath-test would fail)
- /var/log:/var/log:ro
2025-12-03 20:43:44 +01:00
2025-12-15 13:44:41 +01:00
# Required for local fail2ban instance: Fail2Ban configuration directory, needed for managing a local Fail2Ban instance (e.g. on host system) via fail2ban-ui
2025-12-01 13:26:42 +01:00
- /etc/fail2ban:/etc/fail2ban:Z
2025-12-15 13:44:41 +01:00
# Required for local fail2ban instance: Fail2Ban socket directory, needed for local Fail2Ban (e.g. on host system) for control via fail2ban-ui
2025-12-01 13:26:42 +01:00
- /var/run/fail2ban:/var/run/fail2ban
2025-12-03 20:43:44 +01:00
2025-12-15 13:44:41 +01:00
# Optional: Enables geographic IP analysis features via GeoIP databases (GeoIP must be installed and configured on the host system)
2025-12-01 13:26:42 +01:00
- /usr/share/GeoIP:/usr/share/GeoIP:ro
2025-12-15 13:44:41 +01:00
restart : unless-stopped
