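---
services:
  nginx:
    # NOTE(review): "latest" is a mutable tag; pin a specific tag or digest so
    # the deployed image is reproducible and upgrades are deliberate.
    image: nginx:latest
    container_name: nginx-main
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Nginx only reads its configuration, credentials and content, so every
      # mount except the log directory is read-only.
      # NOTE(review): the host path carries a trailing slash; if
      # ./data/nginx.conf does not exist, Docker creates a directory there
      # instead of bind-mounting a file — confirm the file exists on the host.
      - ./data/nginx.conf/:/etc/nginx/nginx.conf:ro
      - ./data/.htpasswd:/etc/nginx/.htpasswd:ro
      - ./data/conf.d/:/etc/nginx/conf.d/:ro
      # ACME challenge files written by the certbot service; nginx serves them.
      - ./data/certbot/www:/var/www/certbot/:ro
      # Certificates and keys issued by certbot; nginx needs read access only.
      - ./data/certbot/conf:/etc/letsencrypt/:ro
      - /prod/data/docs/:/var/www/html/docs.nxs.solutions/:ro
      # The only read-write mount: access/error logs, consumed by fail2ban.
      - ./logs/:/var/log/nginx/:rw
    networks:
      - fast-services
    restart: always
    # NOTE(review): nothing in this file reloads nginx after certbot renews a
    # certificate, so a renewed certificate is only picked up on the next
    # container restart — confirm how the reload is triggered.

  certbot:
    image: certbot/certbot
    container_name: certbot
    # Long-running renewal loop: runs "certbot renew" on start and then every
    # 12 hours. "$$" is the Compose escape for a literal "$", so the shell
    # receives "wait ${!}"; a bare "$!" is rejected by Compose as an invalid
    # interpolation and the file fails to load.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      # Read-write: certbot places http-01 challenge files here.
      - ./data/certbot/www:/var/www/certbot/:rw
      # Read-write: certbot stores and renews certificates here.
      - ./data/certbot/conf:/etc/letsencrypt/:rw
    restart: unless-stopped
    networks:
      - fast-services

  fail2ban:
    # NOTE(review): pin the tag/digest here too — this container runs with
    # NET_ADMIN/NET_RAW in the host network namespace, so image integrity
    # matters more than for the others.
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    # Host networking plus NET_ADMIN/NET_RAW are required for Fail2Ban to
    # modify the host firewall rules. network_mode: host cannot be combined
    # with a networks: list, so this service is deliberately not on
    # fast-services.
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    restart: always
    volumes:
      # Log sources are mounted read-only: Fail2Ban only parses them.
      - ./logs:/var/log/nginx:ro  # written by the nginx service above
      - /var/log/auth.log:/var/log/auth.log:ro
      - /prod/gitea/logs/access.log:/var/log/gitea/access.log:ro
      # Persists Fail2Ban's configuration and ban database across restarts.
      - ./data/fail2ban:/data
    environment:
      # Optional: set timezone
      - TZ=Europe/Berlin

networks:
  fast-services:
    external: true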