services:
  fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: fail2ban
    cap_add:
      # Required for fail2ban container: Allows to manage network interfaces and iptables from the container
      - NET_ADMIN
      # Required for fail2ban container: Allows to create raw sockets (needed for fail2ban.sock)
      - NET_RAW
      # Required for fail2ban container: Allows to run as root (needed to manage network interfaces and raw sockets)
      - SYS_ADMIN
    #privileged: true
    network_mode: host # needed to add iptables rules to the host network
    environment:
      - TZ=Europe/Zurich
      - VERBOSITY=-vv
    volumes:
      # To make sure linuxserver-fail2ban configs are persistent across container restarts (also needed by fail2ban-ui to modify configs)
      - ./fail2ban-config:/config:z
      # Directory that contains fail2ban.sock for communication between fail2ban-ui and fail2ban container
      - ./f2b-run:/var/run/fail2ban:z

      # Log sources for fail2ban container
      - /var/log:/var/log:ro
      - /var/log/httpd:/remotelogs/apache2:ro
    restart: unless-stopped

  fail2ban-ui:
    # Use pre-built image from Docker Hub (default)
    image: swissmakers/fail2ban-ui:latest
    # Alternative: Use Swissmakers registry (fallback)
    # image: registry.swissmakers.ch/infra/fail2ban-ui:latest
    # Or build from source (uncomment to use):
    # image: localhost/fail2ban-ui:dev
    container_name: fail2ban-ui
    privileged: true # needed because the fail2ban-ui container needs to modify the fail2ban config owned by root inside the linuxserver-fail2ban container
    network_mode: host
    environment:
      # Optional: Change this to use a different port for the web interface (defaults is 8080)
      - PORT=3080
      # Optional: Bind to a specific IP address (default: 0.0.0.0)
      # This is useful when running with host networking to prevent exposing
      # the web UI to unprotected networks. Set to a specific IP (e.g., 127.0.0.1
      # or a specific interface IP) to restrict access.
      # - BIND_ADDRESS=127.0.0.1
    volumes:
      # Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
      - ./config:/config:Z
      # Required for fail2ban-ui: Used for testing, that logpath is working, before enabeling a jail. Without this read only access the fail2ban-ui will not be able to enable jails (logpath-test would fail)
      - /var/log:/var/log:ro
      - /var/log/httpd:/remotelogs/apache2:ro # this mounts the apache2 logs of a RPM based system (e.g. Rocky Linux) to the default location set by linuxserver-fail2ban. (on debian based systems this is /var/log/apache2 and currently hardcoded in the linuxserver-fail2ban container)

      # Required for compose-local fail2ban instance: We mount the same Fail2Ban config as the linuxserver-fail2ban container (under /config/fail2ban to fail2ban-ui can modify configs)
      - ./fail2ban-config/fail2ban:/etc/fail2ban:z
      # Required for compose-local fail2ban instance: Mount the same run directory that contains fail2ban.sock for communication between fail2ban-ui and the linuxserver-fail2ban container
      - ./f2b-run:/var/run/fail2ban:z

    restart: unless-stopped