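---
# Reverse proxy (nginx) with automated TLS renewal (certbot) and log-driven
# banning (fail2ban). All three share the host directory layout under
# ./config, ./data and ./logs; the external network `fast-services` must
# already exist (`networks.fast-services.external: true`).
services:
  nginx:
    # NOTE(review): unpinned tag — pin to a specific version or digest so
    # upgrades are deliberate and reviewable rather than whatever `latest`
    # resolves to at pull time.
    image: nginx:latest
    container_name: nginx-main
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./config/nginx/:/etc/nginx/:ro  # Nginx should only read its config
      - ./data/auth/:/etc/nginx/auth:ro
      # ACME http-01 challenge files written by certbot; nginx only serves them
      - ./data/certbot:/var/www/certbot/:ro
      # Certificates and private keys written by certbot; read-only here so
      # nginx can use them but never modify them
      - ./config/certbot:/etc/letsencrypt/:ro
      - ./data/www/html/:/var/www/html/:ro
      # Access/error logs; fail2ban reads this same directory read-only
      - ./logs/nginx/:/var/log/nginx/:rw
    networks:
      - fast-services
    restart: always

  certbot:
    image: certbot/certbot
    container_name: certbot
    # Long-running renewal loop: runs `certbot renew` every 12h. `trap exit
    # TERM` lets the container stop cleanly on SIGTERM while `sleep` is in the
    # background. `$$` is the Compose escape for a literal `$`, so the shell
    # receives `${!}` (PID of the backgrounded sleep) instead of Compose trying
    # to interpolate `$!` itself.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      # Must be read-write for certbot to place challenge files
      - ./data/certbot/:/var/www/certbot/:rw
      # Must be read-write for certbot to store and renew certificates
      - ./config/certbot/:/etc/letsencrypt/:rw
    # Keep the renewal loop alive across daemon restarts unless stopped by hand
    restart: unless-stopped
    networks:
      - fast-services

  fail2ban:
    # NOTE(review): unpinned tag — same pinning concern as nginx above.
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    # Required for Fail2Ban to modify host firewall rules. Together with the
    # capabilities below this gives the container control over the host's
    # packet filter, so keep the capability list to exactly these two and
    # do not attach it to any Compose network (host mode excludes them).
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    # Ensure it always restarts
    restart: always
    volumes:
      # Read-only view of the nginx logs that the jails match against
      - ./logs/nginx:/var/log/nginx:ro
      # Jail configuration and ban-state database; needs write access
      - ./data/fail2ban:/data
    environment:
      # Optional: set timezone
      - TZ=Europe/Berlin

networks:
  fast-services:
    external: true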