mirror of
https://github.com/swissmakers/fail2ban-ui.git
synced 2026-04-11 13:47:05 +02:00
87 lines
3.7 KiB
YAML
87 lines
3.7 KiB
YAML
services:
|
|
fail2ban-local:
|
|
image: lscr.io/linuxserver/fail2ban:latest
|
|
container_name: DEV_fail2ban-local
|
|
cap_add:
|
|
# Required for fail2ban container: Allows to manage network interfaces and iptables from the container
|
|
- NET_ADMIN
|
|
# Required for fail2ban container: Allows to create raw sockets (needed for fail2ban.sock)
|
|
- NET_RAW
|
|
# Required for fail2ban container: Allows to run as root (needed to manage network interfaces and raw sockets)
|
|
- SYS_ADMIN
|
|
#privileged: true
|
|
network_mode: host # needed to add iptables rules to the host network
|
|
environment:
|
|
- TZ=Europe/Zurich
|
|
- VERBOSITY=-vv
|
|
volumes:
|
|
# To make sure linuxserver-fail2ban configs are persistent across container restarts (also needed by fail2ban-ui to modify configs)
|
|
- ./fail2ban-config-local:/config:z
|
|
# Directory that contains fail2ban.sock for communication between fail2ban-ui and fail2ban container
|
|
- ./f2b-run-local:/var/run/fail2ban:z
|
|
|
|
# Log sources for fail2ban container
|
|
- /var/log:/var/log:ro
|
|
- /var/log/httpd:/remotelogs/apache2:ro
|
|
|
|
# New: custom init + service hooks (read-only is recommended)
|
|
- ./fail2ban-ssh-custom-cont-init.d/20-fix-jail-enabled-key:/custom-cont-init.d/20-fix-jail-enabled-key:ro,z
|
|
restart: unless-stopped
|
|
|
|
|
|
fail2ban-ui:
|
|
#image: registry.swissmakers.ch/infra/fail2ban-ui:latest
|
|
image: localhost/fail2ban-ui:dev
|
|
container_name: DEV_fail2ban-ui
|
|
privileged: true
|
|
network_mode: host
|
|
environment:
|
|
- PORT=3080
|
|
- BIND_ADDRESS=172.16.10.18
|
|
|
|
volumes:
|
|
# Required for fail2ban-ui: Stores SQLite database, application settings, and SSH keys of the fail2ban-ui container
|
|
- ./config:/config:Z
|
|
# Mount persistent SSH keys directory
|
|
- ./ssh-keys:/config/.ssh:z
|
|
# Required for fail2ban-ui: Used for testing, that logpath is working, before enabeling a jail. Without this read only access the fail2ban-ui will not be able to enable jails (logpath-test would fail)
|
|
- /var/log:/var/log:ro
|
|
- /var/log/httpd:/remotelogs/apache2:ro # this mounts the apache2 logs of a RPM based system (e.g. Rocky Linux) to the default location set by linuxserver-fail2ban. (on debian based systems this is /var/log/apache2 and currently hardcoded in the linuxserver-fail2ban container)
|
|
|
|
# Required for compose-local fail2ban instance: We mount the same Fail2Ban config as the linuxserver-fail2ban container (under /config/fail2ban to fail2ban-ui can modify configs)
|
|
- ./fail2ban-config-local/fail2ban:/etc/fail2ban:z
|
|
# Required for compose-local fail2ban instance: Mount the same run directory that contains fail2ban.sock for communication between fail2ban-ui and the linuxserver-fail2ban container
|
|
- ./f2b-run-local:/var/run/fail2ban:z
|
|
|
|
restart: unless-stopped
|
|
|
|
|
|
fail2ban-ssh:
|
|
image: lscr.io/linuxserver/fail2ban:latest
|
|
container_name: DEV_fail2ban-ssh
|
|
cap_add:
|
|
- NET_ADMIN
|
|
- NET_RAW
|
|
network_mode: bridge
|
|
ports:
|
|
- "2222:22"
|
|
environment:
|
|
- TZ=Europe/Zurich
|
|
- VERBOSITY=-vv
|
|
- PUID=0
|
|
- PGID=0
|
|
# Install needed packages at startup (non-persistent, but simplest)
|
|
- DOCKER_MODS=linuxserver/mods:universal-package-install
|
|
- INSTALL_PACKAGES=openssh-server|sudo|acl|bash
|
|
volumes:
|
|
- ./fail2ban-config-ssh:/config:z
|
|
- /var/log:/var/log:ro
|
|
- /var/log/httpd:/remotelogs/apache2:ro
|
|
# Mount persistent SSH keys - shared between containers
|
|
- ./ssh-keys:/mnt/ssh-keys:z
|
|
|
|
# New: custom init + service hooks (read-only is recommended)
|
|
- ./fail2ban-ssh-custom-cont-init.d:/custom-cont-init.d:ro,z
|
|
- ./fail2ban-ssh-custom-services.d:/custom-services.d:ro,z
|
|
restart: unless-stopped
|