From 55ccb5a32bc4af1ab2f87184907c9ba19bfe72cf Mon Sep 17 00:00:00 2001 From: Michael Reber Date: Mon, 15 Dec 2025 13:44:41 +0100 Subject: [PATCH] Update example docker compose files --- docker-compose-allinone.example.yml | 49 +++++++++++++++++++++++++++++ docker-compose.example.yml | 33 ++++++++----------- 2 files changed, 62 insertions(+), 20 deletions(-) create mode 100644 docker-compose-allinone.example.yml diff --git a/docker-compose-allinone.example.yml b/docker-compose-allinone.example.yml new file mode 100644 index 0000000..6b362ad --- /dev/null +++ b/docker-compose-allinone.example.yml 
@@ -0,0 +1,49 @@
+services:
+ fail2ban:
+ image: lscr.io/linuxserver/fail2ban:latest
+ container_name: fail2ban
+ cap_add:
+ # Required for fail2ban container: Allows to manage network interfaces and iptables from the container
+ - NET_ADMIN
+ # Required for fail2ban container: Allows to create raw sockets (needed for fail2ban.sock)
+ - NET_RAW
+ # Required for fail2ban container: Allows to run as root (needed to manage network interfaces and raw sockets)
+ - SYS_ADMIN
+ #privileged: true
+ network_mode: host # needed to add iptables rules to the host network
+ environment:
+ - TZ=Europe/Zurich
+ - VERBOSITY=-vv
+ volumes:
+ # To make sure linuxserver-fail2ban configs are persistent across container restarts (also needed by fail2ban-ui to modify configs)
+ - ./fail2ban-config:/config:z
+ # Directory that contains fail2ban.sock for communication between fail2ban-ui and fail2ban container
+ - ./f2b-run:/var/run/fail2ban:z
+
+ # Log sources for fail2ban container
+ - /var/log:/var/log:ro
+ - /var/log/httpd:/remotelogs/apache2:ro
+ restart: unless-stopped
+
+ fail2ban-ui:
+ image: registry.swissmakers.ch/infra/fail2ban-ui:latest
+ #image: localhost/fail2ban-ui:dev
+ container_name: fail2ban-ui
+ #privileged: true
+ network_mode: host
+ environment:
+ - PORT=3080
+ volumes:
+ # Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
+ - ./config:/config:Z
+ # Required for fail2ban-ui: Used for testing, that logpath is working, before enabeling a jail. Without this read only access the fail2ban-ui will not be able to enable jails (logpath-test would fail)
+ - /var/log:/var/log:ro
+ - /var/log/httpd:/remotelogs/apache2:ro # this mounts the apache2 logs of a RPM based system (e.g. Rocky Linux) to the default location set by linuxserver-fail2ban. (on debian based systems this is /var/log/apache2 and currently hardcoded in the linuxserver-fail2ban container)
+
+ # Required for compose-local fail2ban instance: We mount the same Fail2Ban config as the linuxserver-fail2ban container (under /config/fail2ban to fail2ban-ui can modify configs)
+ - ./fail2ban-config/fail2ban:/etc/fail2ban:z
+ # Required for compose-local fail2ban instance: Mount the same run directory that contains fail2ban.sock for communication between fail2ban-ui and the linuxserver-fail2ban container
+ - ./f2b-run:/var/run/fail2ban:z
+
+ restart: unless-stopped
+
\ No newline at end of file
diff --git a/docker-compose.example.yml b/docker-compose.example.yml
index 90158ef..802dfb4 100644
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 fail2ban-ui:
 # Use pre-built image from registry
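Review bot: The `- SYS_ADMIN` entry under `cap_add` in the fail2ban service is mis-documented and looks excessive: its comment says it "Allows to run as root", but the container process is already root by default, and the interface/iptables and raw-socket work the comment cites is exactly what the `NET_ADMIN` and `NET_RAW` entries directly above it grant. CAP_SYS_ADMIN is the catch-all capability (mount, a large set of privileged ioctls, namespace manipulation), and together with `network_mode: host` it leaves a compromised fail2ban process one step from host root. I would drop `- SYS_ADMIN` and its comment unless a concrete failure was observed without it, in which case the comment should name the operation that fails instead of a generic justification. Separately, both `image:` lines pull `:latest` for a stack that rewrites the host firewall and whose UI also receives the shared `./f2b-run` socket directory; pinning to a digest, or at least a version tag, would make the example reproducible and harder to hijack through the registry.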
@@ -11,31 +9,26 @@ services: # dockerfile: Dockerfile container_name: fail2ban-ui + #privileged: true # needed if you want to use a container-local fail2ban instance (because fail2ban.sock is owned by root) + # a single all-in-one container is planned, currently you need to use the fail2ban container from linuxserver, see docker-compose-allinone.yml for an example network_mode: host - restart: unless-stopped environment: - # Custom port (optional, defaults to 8080) - # Change this to use a different port for the web interface + # Change this to use a different port for the web interface (defaults is 8080) - PORT=8080 volumes: - # Required: Configuration and database storage - # Stores SQLite database, application settings, and SSH keys + # Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container - /opt/podman-fail2ban-ui:/config:Z - - # Required: Fail2Ban configuration directory - # Needed for managing local Fail2Ban instance - - /etc/fail2ban:/etc/fail2ban:Z - - # Required: Fail2Ban socket directory - # Needed for local Fail2Ban control socket access - - /var/run/fail2ban:/var/run/fail2ban - - # Optional: System logs (read-only) - # Useful for filter testing and log analysis (or if planned to integrate fal2ban directly in this container) + # Required for fail2ban-ui: Used for testing, that logpath is working, before enabeling a jail. Without this read only access the fail2ban-ui will not be able to enable jails (logpath-test would fail) - /var/log:/var/log:ro - # Optional: GeoIP databases (read-only) - # Enables geographic IP analysis features (GeoIP must be installed and configured on the host) + # Required for local fail2ban instance: Fail2Ban configuration directory, needed for managing a local Fail2Ban instance (e.g. on host system) via fail2ban-ui + - /etc/fail2ban:/etc/fail2ban:Z + # Required for local fail2ban instance: Fail2Ban socket directory, needed for local Fail2Ban (e.g. 
on host system) for control via fail2ban-ui + - /var/run/fail2ban:/var/run/fail2ban + + # Optional: Enables geographic IP analysis features via GeoIP databases (GeoIP must be installed and configured on the host system) - /usr/share/GeoIP:/usr/share/GeoIP:ro + + restart: unless-stopped \ No newline at end of file
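Review bot: The new `#privileged: true` hint tells users to run fail2ban-ui fully privileged just to reach a root-owned `fail2ban.sock`, which is far broader than that problem needs: with `network_mode: host` and a read-write `/etc/fail2ban` mount already in place, privileged mode also strips the seccomp, LSM and capability confinement, so a compromise of the web UI becomes a host-root compromise. A container process runs as root unless the image says otherwise, so a root-owned socket is reachable without it; if the UI image drops to an unprivileged user (not visible from here), a `user:` matching the socket owner or a `group_add:` entry for the socket's group is the least-privilege alternative worth documenting in that comment instead. The same comment points readers to `docker-compose-allinone.yml`, but the file this commit adds is `docker-compose-allinone.example.yml`; I would change it to `see docker-compose-allinone.example.yml for an example`. The `fail2ban-ui:` service mapping this hunk edits begins before the hunk.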