Initial commit

docker-compose.yml

@@ -0,0 +1,58 @@
+services:
+  nginx:
+    image: nginx:latest
+    container_name: nginx-main
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./data/nginx.conf/:/etc/nginx/nginx.conf:ro # Nginx should only read its config
+      - ./data/.htpasswd:/etc/nginx/.htpasswd:ro
+      - ./data/conf.d/:/etc/nginx/conf.d/:ro
+      - ./data/certbot/www:/var/www/certbot/:ro
+      - ./data/certbot/conf:/etc/letsencrypt/:ro
+      - /prod/data/docs/:/var/www/html/docs.nxs.solutions/:ro
+      - ./logs/:/var/log/nginx/:rw
+    networks:
+      - fast-services
+    restart: always
+
+  certbot:
+    image: certbot/certbot
+    container_name: certbot
+    # The container will not run automatically; it's used for one-off commands
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $!; done;'"
+    volumes:
+      # Must be read-write for certbot to place challenge files
+      - ./data/certbot/www:/var/www/certbot/:rw
+      # Must be read-write for certbot to store and renew certificates
+      - ./data/certbot/conf:/etc/letsencrypt/:rw
+    # Only runs when explicitly called or for renewal cronjob
+    restart: unless-stopped
+    networks:
+      - fast-services
+
+  fail2ban:
+      image: crazymax/fail2ban:latest
+      container_name: fail2ban
+      # Required for Fail2Ban to modify host firewall rules
+      network_mode: host
+      cap_add:
+        - NET_ADMIN
+        - NET_RAW
+      # Ensure it always restarts
+      restart: always
+      volumes:
+        # 1. Mount the Nginx logs from the host (Read-Only)
+        - ./logs:/var/log/nginx:ro
+        # 2. Persist Fail2Ban's configuration and database
+        - /var/log/auth.log:/var/log/auth.log:ro
+        - /prod/gitea/logs/access.log:/var/log/gitea/access.log:ro
+        - ./data/fail2ban:/data
+      environment:
+        # Optional: set timezone
+        - TZ=Europe/Berlin
+
+networks:
+  fast-services:
+    external: true