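---
# Compose stack: fail2ban (linuxserver image) + fail2ban-ui.
#
# Threat-model note for operators: both containers use host networking and
# broad privileges, and whoever can reach the fail2ban-ui port or write to the
# shared fail2ban.sock can change the host's firewall rules (ban/unban, edit
# jails). Treat this stack as root-equivalent on the host:
#   * restrict who can reach the UI (BIND_ADDRESS / reverse proxy / OIDC),
#   * keep ./f2b-run, ./fail2ban-config and ./config readable and writable
#     only by the users that need them,
#   * pin image tags or digests instead of ':latest' so an upstream tag move
#     cannot silently change what runs with these privileges.
services:
  fail2ban:
    # Supply chain: ':latest' is a mutable tag. Prefer a pinned version tag or
    # an '@sha256:...' digest for an image that runs with NET_ADMIN/SYS_ADMIN.
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: fail2ban
    cap_add:
      # Lets the container add/remove iptables/nftables rules in the host
      # network namespace -- the core of what fail2ban does.
      - NET_ADMIN
      # Lets the container open raw/packet sockets, which iptables/ipset
      # tooling needs. Note: fail2ban.sock is a Unix domain socket and does
      # not need this capability; it only needs the shared /var/run/fail2ban
      # volume below.
      - NET_RAW
      # WARNING: SYS_ADMIN is close to full root (mount, namespaces, many
      # ioctls). It is not what makes a process "run as root" -- the container
      # already runs as UID 0. NET_ADMIN + NET_RAW already cover iptables and
      # raw sockets, so confirm this capability is really required for your
      # setup before keeping it (TODO: verify against the linuxserver/fail2ban
      # documentation for the pinned image version).
      - SYS_ADMIN
    # Do not enable: 'privileged' removes all capability, seccomp and device
    # restrictions. The explicit cap_add list above is the intended approach.
    # privileged: true
    # Host networking is needed so iptables rules land in the host's network
    # namespace. It also means any port this container opens is reachable
    # exactly like a host process would be.
    network_mode: host
    environment:
      - TZ=Europe/Zurich
      - VERBOSITY=-vv
    volumes:
      # Persistent fail2ban configuration, shared with fail2ban-ui which edits
      # these files. ':z' = shared SELinux label because two containers mount
      # the same directory.
      - ./fail2ban-config:/config:z
      # Contains fail2ban.sock, the control socket fail2ban-ui talks to.
      # Anyone with write access to this directory on the host can control
      # fail2ban, so keep its host permissions tight.
      - ./f2b-run:/var/run/fail2ban:z
      # Log sources. Mounted read-only so the container cannot alter the logs
      # it bans on.
      - /var/log:/var/log:ro
      - /var/log/httpd:/remotelogs/apache2:ro
    restart: unless-stopped

  fail2ban-ui:
    # Pre-built image from Docker Hub (default). As above, pin a version tag
    # or digest for production.
    image: swissmakers/fail2ban-ui:latest
    # Alternative: Swissmakers registry (fallback)
    # image: registry.swissmakers.ch/infra/fail2ban-ui:latest
    # Or build from source (uncomment to use):
    # image: localhost/fail2ban-ui:dev
    container_name: fail2ban-ui
    # Stated reason: the UI must modify the fail2ban config, which is owned by
    # root inside the linuxserver-fail2ban container.
    # WARNING: 'privileged' grants far more than that -- every capability, no
    # seccomp filter and access to all host devices -- and combined with host
    # networking it turns a compromise of the web UI into a compromise of the
    # host. A container running as UID 0 without 'privileged' is normally
    # sufficient to write root-owned files on a bind mount; consider that, or
    # an explicit cap_add list, instead (TODO: verify against the fail2ban-ui
    # image's actual requirements).
    privileged: true
    network_mode: host
    environment:
      # ============================================
      # Basic Configuration
      # ============================================
      # Optional: port for the web interface (default: 8080).
      - PORT=3080
      # Optional: IP address to bind to (default: 0.0.0.0).
      # SECURITY: with network_mode: host and the default bind address the UI
      # listens on every host interface, and with OIDC left disabled (see
      # below) nothing in this file authenticates access to it. Either bind to
      # 127.0.0.1 (or a trusted interface IP) and put an authenticating reverse
      # proxy in front, or enable OIDC -- ideally both.
      # - BIND_ADDRESS=127.0.0.1
      # ============================================
      # Privacy Settings
      # ============================================
      # Optional: Disable external IP lookup for privacy (default: false).
      # When set to true, the "Your ext. IP:" display is hidden and no external
      # IP lookup requests are made.
      # - DISABLE_EXTERNAL_IP_LOOKUP=true
      # ============================================
      # OIDC Authentication (Optional)
      # ============================================
      # Enable OIDC authentication to protect the web UI. Strongly recommended
      # for anything reachable beyond localhost.
      # - OIDC_ENABLED=true
      # OIDC Provider: keycloak, authentik, or pocketid
      # - OIDC_PROVIDER=keycloak
      # OIDC Issuer URL (required when OIDC_ENABLED=true). Use https; the
      # issuer is what the UI validates tokens against.
      # Examples:
      #   Keycloak:  https://keycloak.example.com/realms/your-realm
      #   Authentik: https://authentik.example.com/application/o/your-client-slug/
      #   Pocket-ID: https://pocket-id.example.com
      # - OIDC_ISSUER_URL=https://keycloak.example.com/realms/your-realm
      # OIDC Client ID (required when OIDC_ENABLED=true)
      # - OIDC_CLIENT_ID=fail2ban-ui
      # OIDC Client Secret (required when OIDC_ENABLED=true)
      # For Keycloak auto-configuration (development only), use:
      # - OIDC_CLIENT_SECRET=auto-configured
      # - OIDC_CLIENT_SECRET_FILE=/config/keycloak-client-secret
      # Default for production: prefer the *_FILE variant above or an
      # uncommitted env_file over a literal secret in this compose file,
      # which tends to end up in version control.
      # - OIDC_CLIENT_SECRET=your-client-secret
      # OIDC Redirect URL (required when OIDC_ENABLED=true)
      # This must match the redirect URI configured in your OIDC provider
      # exactly; register only https URLs in production.
      # - OIDC_REDIRECT_URL=https://fail2ban-ui.example.com/auth/callback
      # Optional: OIDC Scopes (default: openid,profile,email)
      # Comma-separated list of scopes to request
      # - OIDC_SCOPES=openid,profile,email,groups
      # Optional: Session timeout in seconds (default: 3600 = 1 hour)
      # - OIDC_SESSION_MAX_AGE=7200
      # Optional: Session secret for cookie encryption.
      # If not provided, a random secret is generated on startup (so every
      # restart invalidates existing sessions). For production set a fixed
      # secret (32 bytes, base64-encoded) and keep it out of version control
      # like the client secret.
      # - OIDC_SESSION_SECRET=your-32-byte-base64-encoded-secret
      # Optional: Skip TLS verification (dev only, default: false)
      # Only use in development environments! This disables certificate
      # verification towards the identity provider, so an on-path attacker
      # could impersonate the IdP and issue tokens.
      # - OIDC_SKIP_VERIFY=true
      # Optional: Username claim (default: preferred_username)
      # The claim to use as the username (e.g., email, preferred_username,
      # sub). Note: 'sub' is the provider's stable identifier; whether
      # 'email' or 'preferred_username' can be changed by end users depends
      # on the provider's configuration.
      # - OIDC_USERNAME_CLAIM=preferred_username
      # Optional: Provider logout URL
      # If not set, the logout URL is auto-constructed from the standard OIDC
      # logout endpoint: {issuer}/protocol/openid-connect/logout
      # Examples:
      #   Keycloak:  https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
      #   Authentik: https://authentik.example.com/application/o/your-client-slug/protocol/openid-connect/logout
      #   Pocket-ID: https://pocket-id.example.com/protocol/openid-connect/logout
      # - OIDC_LOGOUT_URL=https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
    volumes:
      # Required: stores the SQLite database, application settings and the
      # SSH keys of the fail2ban-ui container. Because it holds key material,
      # keep the host directory's permissions restrictive. ':Z' = private
      # SELinux label, only this container mounts it.
      - ./config:/config:Z
      # Required: used to test that a logpath is readable before enabling a
      # jail. Without this read-only access fail2ban-ui cannot enable jails
      # (the logpath test would fail).
      - /var/log:/var/log:ro
      # Mounts the apache2 logs of an RPM-based system (e.g. Rocky Linux) to
      # the default location expected by linuxserver-fail2ban. On Debian-based
      # systems this is /var/log/apache2, which is currently hardcoded in the
      # linuxserver-fail2ban container.
      - /var/log/httpd:/remotelogs/apache2:ro
      # Required for the compose-local fail2ban instance: the same Fail2Ban
      # config the linuxserver-fail2ban container sees under /config/fail2ban,
      # mounted here so fail2ban-ui can modify it. Shared label ':z'.
      - ./fail2ban-config/fail2ban:/etc/fail2ban:z
      # Required for the compose-local fail2ban instance: the same run
      # directory containing fail2ban.sock, used for communication between
      # fail2ban-ui and the linuxserver-fail2ban container.
      - ./f2b-run:/var/run/fail2ban:z
    restart: unless-stopped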