Update example docker compose files

2026-04-11 13:47:05 +02:00 · 2025-12-15 13:44:41 +01:00
parent 94242a6ba1
commit 55ccb5a32b
2 changed files with 62 additions and 20 deletions
--- a/docker-compose-allinone.example.yml
+++ b/docker-compose-allinone.example.yml
@@ -0,0 +1,49 @@
+services:
+  fail2ban:
+    image: lscr.io/linuxserver/fail2ban:latest
+    container_name: fail2ban
+    cap_add:
+      # Required for fail2ban container: Allows to manage network interfaces and iptables from the container
+      - NET_ADMIN
+      # Required for fail2ban container: Allows to create raw sockets (needed for fail2ban.sock)
+      - NET_RAW
+      # Required for fail2ban container: Allows to run as root (needed to manage network interfaces and raw sockets)
+      - SYS_ADMIN
+    #privileged: true
+    network_mode: host # needed to add iptables rules to the host network
+    environment:
+      - TZ=Europe/Zurich
+      - VERBOSITY=-vv
+    volumes:
+      # To make sure linuxserver-fail2ban configs are persistent across container restarts (also needed by fail2ban-ui to modify configs)
+      - ./fail2ban-config:/config:z
+      # Directory that contains fail2ban.sock for communication between fail2ban-ui and fail2ban container
+      - ./f2b-run:/var/run/fail2ban:z
+
+      # Log sources for fail2ban container
+      - /var/log:/var/log:ro
+      - /var/log/httpd:/remotelogs/apache2:ro
+    restart: unless-stopped
+
+  fail2ban-ui:
+    image: registry.swissmakers.ch/infra/fail2ban-ui:latest
+    #image: localhost/fail2ban-ui:dev
+    container_name: fail2ban-ui
+    #privileged: true
+    network_mode: host
+    environment:
+      - PORT=3080
+    volumes:
+      # Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
+      - ./config:/config:Z
+      # Required for fail2ban-ui: Used for testing, that logpath is working, before enabeling a jail. Without this read only access the fail2ban-ui will not be able to enable jails (logpath-test would fail)
+      - /var/log:/var/log:ro
+      - /var/log/httpd:/remotelogs/apache2:ro # this mounts the apache2 logs of a RPM based system (e.g. Rocky Linux) to the default location set by linuxserver-fail2ban. (on debian based systems this is /var/log/apache2 and currently hardcoded in the linuxserver-fail2ban container)
+
+      # Required for compose-local fail2ban instance: We mount the same Fail2Ban config as the linuxserver-fail2ban container (under /config/fail2ban to fail2ban-ui can modify configs)
+      - ./fail2ban-config/fail2ban:/etc/fail2ban:z
+      # Required for compose-local fail2ban instance: Mount the same run directory that contains fail2ban.sock for communication between fail2ban-ui and the linuxserver-fail2ban container
+      - ./f2b-run:/var/run/fail2ban:z
+
+    restart: unless-stopped
+ 
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
  fail2ban-ui:
    # Use pre-built image from registry
@@ -11,31 +9,26 @@ services:
    #   dockerfile: Dockerfile

    container_name: fail2ban-ui
+    #privileged: true # needed if you want to use a container-local fail2ban instance (because fail2ban.sock is owned by root)
+    # a single all-in-one container is planned, currently you need to use the fail2ban container from linuxserver, see docker-compose-allinone.yml for an example
    network_mode: host
-    restart: unless-stopped

    environment:
-      # Custom port (optional, defaults to 8080)
-      # Change this to use a different port for the web interface
+      # Change this to use a different port for the web interface (defaults is 8080)
      - PORT=8080

    volumes:
-      # Required: Configuration and database storage
-      # Stores SQLite database, application settings, and SSH keys
+      # Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
      - /opt/podman-fail2ban-ui:/config:Z
-
-      # Required: Fail2Ban configuration directory
-      # Needed for managing local Fail2Ban instance
-      - /etc/fail2ban:/etc/fail2ban:Z
-
-      # Required: Fail2Ban socket directory
-      # Needed for local Fail2Ban control socket access
-      - /var/run/fail2ban:/var/run/fail2ban
-
-      # Optional: System logs (read-only)
-      # Useful for filter testing and log analysis (or if planned to integrate fal2ban directly in this container)
+      # Required for fail2ban-ui: Used for testing, that logpath is working, before enabeling a jail. Without this read only access the fail2ban-ui will not be able to enable jails (logpath-test would fail)
      - /var/log:/var/log:ro

-      # Optional: GeoIP databases (read-only)
-      # Enables geographic IP analysis features (GeoIP must be installed and configured on the host)
+      # Required for local fail2ban instance: Fail2Ban configuration directory, needed for managing a local Fail2Ban instance (e.g. on host system) via fail2ban-ui
+      - /etc/fail2ban:/etc/fail2ban:Z
+      # Required for local fail2ban instance: Fail2Ban socket directory, needed for local Fail2Ban (e.g. on host system) for control via fail2ban-ui
+      - /var/run/fail2ban:/var/run/fail2ban
+
+      # Optional: Enables geographic IP analysis features via GeoIP databases (GeoIP must be installed and configured on the host system)
      - /usr/share/GeoIP:/usr/share/GeoIP:ro
+
+    restart: unless-stopped