59 lines
1.9 KiB
YAML
59 lines
1.9 KiB
YAML
services:
|
|
nginx:
|
|
image: nginx:latest
|
|
container_name: nginx-main
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- ./data/nginx.conf/:/etc/nginx/nginx.conf:ro # Nginx should only read its config
|
|
- ./data/.htpasswd:/etc/nginx/.htpasswd:ro
|
|
- ./data/conf.d/:/etc/nginx/conf.d/:ro
|
|
- ./data/certbot/www:/var/www/certbot/:ro
|
|
- ./data/certbot/conf:/etc/letsencrypt/:ro
|
|
- /prod/data/docs/:/var/www/html/docs.nxs.solutions/:ro
|
|
- ./logs/:/var/log/nginx/:rw
|
|
networks:
|
|
- fast-services
|
|
restart: always
|
|
|
|
certbot:
|
|
image: certbot/certbot
|
|
container_name: certbot
|
|
# The container will not run automatically; it's used for one-off commands
|
|
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $!; done;'"
|
|
volumes:
|
|
# Must be read-write for certbot to place challenge files
|
|
- ./data/certbot/www:/var/www/certbot/:rw
|
|
# Must be read-write for certbot to store and renew certificates
|
|
- ./data/certbot/conf:/etc/letsencrypt/:rw
|
|
# Only runs when explicitly called or for renewal cronjob
|
|
restart: unless-stopped
|
|
networks:
|
|
- fast-services
|
|
|
|
fail2ban:
|
|
image: crazymax/fail2ban:latest
|
|
container_name: fail2ban
|
|
# Required for Fail2Ban to modify host firewall rules
|
|
network_mode: host
|
|
cap_add:
|
|
- NET_ADMIN
|
|
- NET_RAW
|
|
# Ensure it always restarts
|
|
restart: always
|
|
volumes:
|
|
# 1. Mount the Nginx logs from the host (Read-Only)
|
|
- ./logs:/var/log/nginx:ro
|
|
# 2. Persist Fail2Ban's configuration and database
|
|
- /var/log/auth.log:/var/log/auth.log:ro
|
|
- /prod/gitea/logs/access.log:/var/log/gitea/access.log:ro
|
|
- ./data/fail2ban:/data
|
|
environment:
|
|
# Optional: set timezone
|
|
- TZ=Europe/Berlin
|
|
|
|
networks:
|
|
fast-services:
|
|
external: true
|