From 3bfd9d5cdf7ae8bbb7eab9ff8f5fc0b1e7e50510 Mon Sep 17 00:00:00 2001
From: Michael Reber <michael.reber@swissmakers.ch>
Date: Wed, 21 Jan 2026 12:39:03 +0100
Subject: [PATCH] Add a small init hook to fix linuxserver.io syntax errors

---
 .../ssh_and_local/container-compose.yml       |  3 +++
 .../20-fix-jail-enabled-key                   | 26 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100755 development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/20-fix-jail-enabled-key

diff --git a/development/ssh_and_local/container-compose.yml b/development/ssh_and_local/container-compose.yml
index b63c99d..05437e6 100644
--- a/development/ssh_and_local/container-compose.yml
+++ b/development/ssh_and_local/container-compose.yml
@@ -23,6 +23,9 @@ services:
       # Log sources for fail2ban container
       - /var/log:/var/log:ro
       - /var/log/httpd:/remotelogs/apache2:ro
+
+      # New: custom init + service hooks (read-only is recommended)
+      - ./fail2ban-ssh-custom-cont-init.d/20-fix-jail-enabled-key:/custom-cont-init.d/20-fix-jail-enabled-key:ro,z
     restart: unless-stopped
 
 
diff --git a/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/20-fix-jail-enabled-key b/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/20-fix-jail-enabled-key
new file mode 100755
index 0000000..d4dafbb
--- /dev/null
+++ b/development/ssh_and_local/fail2ban-ssh-custom-cont-init.d/20-fix-jail-enabled-key
@@ -0,0 +1,26 @@
+#!/usr/bin/with-contenv bash
+set -euo pipefail
+
+fix_file() {
+  local f="$1"
+  [ -f "$f" ] || return 0
+
+  # Only touch the file if it actually contains the wrong key at line start
+  if grep -Eq '^[[:space:]]*enable[[:space:]]*=' "$f"; then
+    echo "[custom-init] fixing key 'enable' -> 'enabled' in: $f"
+    cp -a "$f" "${f}.bak.$(date +%s)" || true
+
+    # BusyBox/Alpine-compatible sed (basic regex)
+    # Preserves indentation and spacing around '='
+    sed -i \
+      's/^\([[:space:]]*\)enable\([[:space:]]*=\)/\1enabled\2/' \
+      "$f"
+  fi
+}
+
+# These paths are typically the same in LSIO (since /etc/fail2ban -> /config/fail2ban),
+# but we list both to be safe in case of future changes.
+fix_file /etc/fail2ban/jail.d/dropbear.conf
+fix_file /etc/fail2ban/jail.d/selinux-ssh.conf
+fix_file /config/fail2ban/jail.d/dropbear.conf
+fix_file /config/fail2ban/jail.d/selinux-ssh.conf