diff --git a/Dockerfile b/Dockerfile
index 2f4b7c1..2a62b2c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,19 +1,27 @@
-# ----- build -----
-FROM golang:1.24 AS builder
+# ---------- build ----------
+FROM golang:1.22-alpine AS builder
 WORKDIR /src
+RUN apk add --no-cache build-base # gcc/make/musl-dev pour cgo
+
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-# Si ton main est à la racine (main.go), garde ./ ; sinon mets le chemin du main
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /out/shelfy .
+# Si ton main est à la racine : "."
+# Sinon remplace le dernier "." par le chemin du package main.
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o /out/shelfy .
-# ----- runtime -----
+# ---------- runtime ----------
 FROM alpine:3.20
-# sh est présent (utile pour le "tee")
-RUN adduser -D -u 10001 appuser
+# utilitaires utiles (shell, certificats, timezone)
+RUN apk add --no-cache ca-certificates tzdata
+
 WORKDIR /app
 COPY --from=builder /out/shelfy /app/shelfy
-RUN chmod +x /app/shelfy && mkdir -p /app/data /app/upload /var/log/shelfy && chown -R appuser:appuser /app
-USER appuser
-ENTRYPOINT ["/bin/sh","-c","/app/shelfy 2>&1 | tee -a /var/log/shelfy/shelfy.log"]
+
+# Prépare les répertoires (DB, upload, logs)
+RUN mkdir -p /app/data /app/upload /var/log/shelfy \
+ && chmod -R 0775 /var/log/shelfy /app
+
+# Lance l'appli et duplique les logs vers un fichier pour Fail2ban
+ENTRYPOINT ["/bin/sh","-lc","/app/shelfy 2>&1 | tee -a /var/log/shelfy/shelfy.log"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 919275c..810e2bc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
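Review bot: The runtime stage now runs shelfy as root, because the hunk drops `RUN adduser -D -u 10001 appuser` and `USER appuser` and replaces the `chown` with `chmod -R 0775 /var/log/shelfy /app`. The compose file in this same commit publishes this container's HTTP, FTP and SFTP ports and mounts upload and data volumes, so a flaw in the application would then act with root rights inside the container and on those volumes. The old `chown -R appuser:appuser /app` did not cover /var/log/shelfy, which is presumably why `tee -a` could not write the log as appuser; keeping the account and extending ownership addresses that without giving up the unprivileged user: `RUN adduser -D -u 10001 appuser && mkdir -p /app/data /app/upload /var/log/shelfy && chown -R appuser:appuser /app /var/log/shelfy` followed by `USER appuser`. Separately, the builder base moves from golang:1.24 to golang:1.22-alpine, an older release line, so it is worth confirming the downgrade is intended and that 1.22 still receives security fixes.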
@@ -9,14 +9,17 @@ services:
 working_dir: /app
 ports:
 - "8090:8080"
- - "2121:2121" # si tu gardes FTP
- - "30000-30100:30000-30100" # si tu gardes FTP
- - "2222:2222" # SFTP
-
+ - "2121:2121"
+ - "30000-30100:30000-30100"
+ - "2222:2222"
 extra_hosts:
- - "dockerhost:host-gateway" # accès à l'hôte depuis le conteneur
+ - "dockerhost:host-gateway"
+ environment:
+ - SHELFY_DATA_DIR=/app/data # si ton code lit cette var (cf. patch précédent)
 volumes:
 - shelfy_upload:/app/upload
+ - shelfy_data:/app/data # <-- volume pour SQLite
+ - shelfy_logs:/var/log/shelfy # <-- logs lus par Fail2ban
 labels:
 - traefik.http.routers.shelfy.middlewares=webdav-allow-methods@docker
 - traefik.http.middlewares.webdav-allow-methods.headers.accesscontrolallowmethods=GET,PUT,POST,DELETE,PROPFIND,OPTIONS,LOCK,UNLOCK,HEAD
@@ -25,6 +28,25 @@ services:
 - 8.8.8.8
 - 1.1.1.1
 restart: unless-stopped
+ # ⚠️ Supprime la directive 'command:' ici, l'ENTRYPOINT du Dockerfile s'en charge.
+
+ fail2ban:
+ image: crazymax/fail2ban:latest
+ container_name: fail2ban
+ network_mode: host
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ environment:
+ - TZ=Europe/Paris
+ - F2B_LOG_TARGET=STDOUT
+ - F2B_DB_PURGE_AGE=1d
+ volumes:
+ - ./fail2ban:/data
+ - shelfy_logs:/var/log/shelfy:ro
+ restart: unless-stopped
 volumes:
 shelfy_upload:
+ shelfy_data:
+ shelfy_logs:
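Review bot: The new fail2ban service in the second hunk pulls `crazymax/fail2ban:latest` while running with `network_mode: host` and `NET_ADMIN`/`NET_RAW`, so whatever the mutable tag resolves to at the next pull gets control of the host firewall. Pin it to a reviewed release and digest, for example `image: crazymax/fail2ban:<version>@sha256:<digest>` (placeholders), and update it deliberately. Two things to verify, since the jail configuration under `./fail2ban` is not part of this diff: bans for traffic published through Docker normally have to be placed in the `DOCKER-USER` chain to take effect, and requests arriving through Traefik may be logged by shelfy with the proxy's address rather than the client's, in which case a ban would hit the proxy. A short comment above the service stating which jails and chain it relies on would help the next maintainer.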