From 56a9c5e91ab9b56e4fa543e7fa7d6c45e3157755 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Toledo?=
Date: Fri, 6 Feb 2026 14:45:03 -0300
Subject: [PATCH] fix: isolate dynamic config (blacklist) to separate volume and bake static configs to prevent mount errors

---
 docker-compose.yml                          | 28 +++++++-------------
 fail2ban/data/action.d/nginx-blacklist.conf |  4 +--
 nginx/conf.d/test.local.conf                | 29 ---------------------
 nginx/dynamic/blacklist.conf                |  1 +
 nginx/nginx.conf                            |  2 +-
 5 files changed, 14 insertions(+), 50 deletions(-)
 delete mode 100644 nginx/conf.d/test.local.conf
 create mode 100644 nginx/dynamic/blacklist.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index 47d64c7..699727b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,26 +10,24 @@ services:
       # - "122:122/tcp" # SSH
     volumes:
       # Volumes para Configurações (Persistência Interna)
-      # nginx.conf é copiado no Build para evitar erro de mount "not a directory"
-      # - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      # nginx.conf e snippets estáticos são "assados" na imagem (Dockerfile)
 
-      # Diretórios são montados para permitir hot-reload e Fail2Ban
-      - ./nginx/conf.d:/etc/nginx/conf.d
-      - ./nginx/snippets:/etc/nginx/snippets
-      - ./nginx/modsec:/etc/nginx/modsec
+      # Volume Compartilhado e Persistente (Blacklist Dinâmica)
+      - dynamic_conf:/etc/nginx/dynamic
 
       # Persistência de Dados e Certificados
       - ./ssl:/etc/nginx/ssl
       - ./certbot:/etc/letsencrypt
-      - ./logs:/var/log/nginx
+      - ./logs:/var/log/nginx:rw
 
       # Customização do Shell
       - ./.bashrc:/root/.bashrc:ro
     environment:
       - TZ=America/Sao_Paulo
+
   # Sidecar Fail2Ban - Proteção
   fail2ban:
-    image: linuxserver/fail2ban:latest
+    image: lscr.io/linuxserver/fail2ban:latest
     container_name: fail2ban-sidecar
     network_mode: host
     cap_add:
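Review bot: `- dynamic_conf:/etc/nginx/dynamic` mounts the blacklist volume read-write into the nginx container although nginx only ever reads it; the sole writer is the Fail2Ban sidecar, which gets its own mount of the same volume in the next hunk. Mounting it here as `- dynamic_conf:/etc/nginx/dynamic:ro` keeps the deny list outside the proxy's write reach, so a bug or compromise in the proxy process cannot alter its own blacklist, and the `docker exec nginx-proxy nginx -s reload` issued by Fail2Ban still works because a reload only reads the file. The `:rw` added to the `./logs` bind mount is the default mode and can be dropped for consistency with the neighbouring mounts.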
@@ -39,19 +37,13 @@ services:
     volumes:
       - ./logs:/var/log/nginx:ro # Monitora os logs do Nginx
       - ./fail2ban/data:/config # Configurações do F2B
-      # A blacklist precisa ser persistente e compartilhada, então mantemos o mount apenas dela ou do snippets se precisarmos escrever
-      - ./nginx/snippets:/etc/nginx/snippets # Fail2Ban escreve aqui (blacklist.conf)
+      - dynamic_conf:/etc/nginx/dynamic # Escreve na Blacklist Dinâmica do Nginx
       - /var/run/docker.sock:/var/run/docker.sock # Para reload do Nginx
     user: root # Necessário para interagir com o socket
     environment:
-      - TZ=America/Sao_Paulo
       - PUID=1000
       - PGID=1000
+      - FAIL2BAN_LOGLEVEL=INFO
 
-  test-backend:
-    image: traefik/whoami
-    container_name: test-backend
-    restart: always
-    # Na network host, ele vai ouvir em uma porta alta para não conflitar
-    command: --port 8080
-    network_mode: host
+volumes:
+  dynamic_conf:
diff --git a/fail2ban/data/action.d/nginx-blacklist.conf b/fail2ban/data/action.d/nginx-blacklist.conf
index d9b700c..bd61514 100644
--- a/fail2ban/data/action.d/nginx-blacklist.conf
+++ b/fail2ban/data/action.d/nginx-blacklist.conf
@@ -2,5 +2,5 @@
 actionstart = touch /etc/nginx/snippets/blacklist.conf
 actionstop =
 actioncheck =
-actionban = echo "deny ;" >> /etc/nginx/snippets/blacklist.conf && docker exec nginx-proxy nginx -s reload
-actionunban = sed -i "/deny ;/d" /etc/nginx/snippets/blacklist.conf && docker exec nginx-proxy nginx -s reload
+actionban = echo "deny ;" >> /etc/nginx/dynamic/blacklist.conf && docker exec nginx-proxy nginx -s reload
+actionunban = sed -i "/deny ;/d" /etc/nginx/dynamic/blacklist.conf && docker exec nginx-proxy nginx -s reload
diff --git a/nginx/conf.d/test.local.conf b/nginx/conf.d/test.local.conf
deleted file mode 100644
index a064afc..0000000
--- a/nginx/conf.d/test.local.conf
+++ /dev/null
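Review bot: Removing `- TZ=America/Sao_Paulo` from the Fail2Ban environment while the nginx service keeps it leaves the two containers in different time zones. Fail2Ban compares the timestamp parsed from each nginx log line against its own clock to apply findtime/bantime, and unless the `detailed_proxy` log format writes an explicit UTC offset (not visible in this diff) a three-hour skew pushes every match outside the window, so bans silently stop firing; it also makes correlating the two containers' logs during an incident harder. Keep the line next to the new `- FAIL2BAN_LOGLEVEL=INFO`, or set TZ on both services from one shared value.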
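Review bot: `actionstart = touch /etc/nginx/snippets/blacklist.conf`, the context line at the top of this hunk, still points at the old location, so the file Fail2Ban creates at jail start is not the one the new `actionban`/`actionunban` lines write to. With the `./nginx/snippets` mount removed from the sidecar in docker-compose.yml, `/etc/nginx/snippets` may not exist in that container at all, in which case `touch` fails and the jail's start action errors out. Change it to `actionstart = touch /etc/nginx/dynamic/blacklist.conf` so the dynamic file is guaranteed to exist before nginx includes it. The `deny ;` shown on the ban/unban lines presumably carried an `<ip>` tag that the rendering dropped; if it really is empty, the action appends a bare `deny ;` that nginx rejects at reload.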
@@ -1,29 +0,0 @@
-upstream test_backend {
-    server 127.0.0.1:8080;
-    keepalive 32;
-}
-
-server {
-    listen 80;
-    server_name test.local;
-
-    access_log /var/log/nginx/test.local.access.log detailed_proxy;
-    error_log /var/log/nginx/test.local.error.log warn;
-
-    include snippets/well_known.conf;
-    include snippets/security_actions.conf;
-
-    location / {
-        proxy_pass http://test_backend;
-        include snippets/proxy_params.conf;
-        limit_req zone=global_limit burst=20 nodelay;
-        limit_req zone=punishment_limit burst=5 nodelay;
-    }
-
-    location ~* \.(webp|avif|heic|apng|jpg|jpeg|gif|png|ico|svg|mjs|js|ts|wasm|json|woff2?|ttf|otf|eot|css|less|scss)$ {
-        include snippets/cache_optimizer.conf;
-        add_header Cache-Control $cache_control_header;
-        proxy_cache_valid 200 1d;
-        proxy_pass http://test_backend;
-    }
-}
diff --git a/nginx/dynamic/blacklist.conf b/nginx/dynamic/blacklist.conf
new file mode 100644
index 0000000..beda02a
--- /dev/null
+++ b/nginx/dynamic/blacklist.conf
@@ -0,0 +1 @@
+# Blacklist dinâmica - Gerada pelo Fail2Ban
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index e350694..617ee23 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -58,7 +58,7 @@ http {
     include /etc/nginx/snippets/rate_limit.conf;
 
     # Ativação Global da Blacklist
-    include /etc/nginx/snippets/blacklist.conf;
+    include /etc/nginx/dynamic/blacklist.conf;
 
     # Site Configurations
     include /etc/nginx/conf.d/*.conf;
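Review bot: `include /etc/nginx/dynamic/blacklist.conf;` is a literal path, and nginx refuses to start or reload when a literally named include file is missing. After this commit nothing bind-mounts the repo's `nginx/dynamic/blacklist.conf` (the new file in the preceding hunk) into the container, so the named volume `dynamic_conf` starts empty unless the Dockerfile, which is not part of this diff, copies that directory into the image, and the Fail2Ban `actionstart` still touches the old snippets path. Either ensure the image ships the seed file, or use a mask, `include /etc/nginx/dynamic/*.conf;`, which nginx accepts when nothing matches, so a fresh deployment comes up with an empty deny list instead of failing config validation. The `http` block begins and ends outside this hunk.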