---
version: "3.9"

services:
  shelfy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: shelfy-go
    working_dir: /app
    # Host port 8080 may already be taken by LocalAI, so HTTP is published on
    # host port 8090 and forwarded to container port 8080.
    # No host address is given, so Compose binds every mapping below on all
    # host interfaces. Remove the FTP entries if FTP is not used: unless the
    # server enforces TLS, FTP carries credentials in clear text.
    ports:
      - "8090:8080"
      - "2121:2121"  # FTP (if used)
      - "30000-30100:30000-30100"  # FTP passive range (if used)
      - "2222:2222"  # SFTP
    extra_hosts:
      - "dockerhost:host-gateway"
    volumes:
      - shelfy_upload:/app/upload
      - shelfy_logs:/var/log/shelfy  # log volume shared with Fail2ban
    # NOTE(review): the two header options below only set the CORS response
    # headers Access-Control-Allow-Methods / Access-Control-Allow-Headers.
    # They do not limit which HTTP methods reach the application. No router
    # rule is visible in this file, and port 8090 is published directly, so
    # the app is presumably reachable without passing through Traefik;
    # confirm where authentication and method filtering are enforced.
    labels:
      - 'traefik.http.routers.shelfy.middlewares=webdav-allow-methods@docker'
      - 'traefik.http.middlewares.webdav-allow-methods.headers.accesscontrolallowmethods=GET,PUT,POST,DELETE,PROPFIND,OPTIONS,LOCK,UNLOCK,HEAD'
      - 'traefik.http.middlewares.webdav-allow-methods.headers.accesscontrolallowheaders=Authorization,Depth,Content-Type,If-Modified-Since,User-Agent,Destination,Overwrite'
    dns:
      - '8.8.8.8'
      - '1.1.1.1'
    restart: unless-stopped
    # Simple way to obtain a log file that Fail2ban can read: stdout and
    # stderr are duplicated into the shared log volume through tee.
    # Replace `./app` with the real command/entrypoint if needed.
    # NOTE(review): sh is PID 1 here and the pipeline reports tee's exit
    # status, so `docker stop` may not reach ./app gracefully; the log file is
    # appended to without rotation and can fill the volume.
    command:
      - 'sh'
      - '-c'
      - './app 2>&1 | tee -a /var/log/shelfy/shelfy.log'

  fail2ban:
    # `latest` is a mutable tag: pin a reviewed version or image digest so a
    # changed upstream image is not pulled silently into a container that
    # holds firewall privileges.
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    # Bans are applied through the host's iptables, hence host networking and
    # the NET_ADMIN / NET_RAW capabilities.
    # NOTE(review): the jail files are not shown here. Traffic to published
    # container ports is forwarded rather than delivered to the host, so the
    # jails presumably need to target the DOCKER-USER chain instead of INPUT;
    # verify, and check that shelfy logs the real client address rather than
    # a proxy or Docker gateway address, otherwise bans hit the wrong IP.
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - 'TZ=Europe/Paris'
      - 'F2B_LOG_TARGET=STDOUT'
      - 'F2B_DB_PURGE_AGE=1d'
    volumes:
      # Persistent jail/filter configuration. Fail2ban actions are commands
      # run inside this privileged container, so keep ./fail2ban writable
      # only by administrators.
      - ./fail2ban:/data
      # Read-only view of the shelfy logs.
      - shelfy_logs:/var/log/shelfy:ro
    restart: unless-stopped

volumes:
  shelfy_upload: {}
  shelfy_logs: {}