fix: refactor for Portainer GitOps compatibility (Dockerized configs + named volumes)

Dockerfile

@@ -5,6 +5,7 @@ RUN apk add --no-cache nginx nginx-mod-http-brotli nginx-mod-http-headers-more b
 
 # Copy custom config
 COPY nginx.conf /etc/nginx/nginx.conf
+COPY conf.d/ /etc/nginx/conf.d/
 
 # Copy snippets
 COPY snippets/ /etc/nginx/snippets/

Dockerfile.fail2ban

@@ -0,0 +1,4 @@
+FROM crazymax/fail2ban:latest
+
+# Copy fail2ban configurations
+COPY fail2ban/ /data/

Dockerfile.modsec

@@ -0,0 +1,7 @@
+FROM owasp/modsecurity-crs:nginx-alpine
+
+# Copy custom configuration template
+COPY modsec.conf.template /etc/nginx/templates/modsecurity.d/modsecurity.conf.template
+
+# Copy custom rules
+COPY modsec_rules/ /etc/nginx/custom_rules/

docker-compose.yml

@@ -3,7 +3,9 @@ services:
   # ModSecurity WAF (Frente do NGINX)
   # ============================================
   modsecurity:
-    image: owasp/modsecurity-crs:nginx-alpine
+    build:
+      context: .
+      dockerfile: Dockerfile.modsec
     container_name: modsecurity-waf
     restart: always
     ports:
@@ -15,10 +17,8 @@ services:
       - ANOMALY_INBOUND=5
       - ANOMALY_OUTBOUND=4
     volumes:
-      - ./ssl:/etc/nginx/ssl:ro
+      - ssl_data:/etc/nginx/ssl:ro
       - modsec_logs:/var/log/modsecurity
-      - ./modsec_rules:/etc/nginx/custom_rules
-      - ./modsec.conf.template:/etc/nginx/templates/modsecurity.d/modsecurity.conf.template
     depends_on:
       - nginx-proxy
     extra_hosts:
@@ -47,14 +47,11 @@ services:
     environment:
       - HOST_PUBLIC_IP=${HOST_PUBLIC_IP}
     volumes:
-      - ./conf.d:/etc/nginx/conf.d
+      - ssl_data:/etc/nginx/ssl
-      - ./ssl:/etc/nginx/ssl
-      - ./snippets:/etc/nginx/snippets
       - nginx_cache:/var/cache/nginx
       - nginx_logs:/var/log/nginx
-      - ./certbot/conf:/etc/letsencrypt
+      - certbot_data_conf:/etc/letsencrypt
-      - ./certbot/www:/var/www/certbot
+      - certbot_data_www:/var/www/certbot
-      - ./:/opt/repo
     extra_hosts:
       - "host.docker.internal:host-gateway"
       - "server-254:10.10.253.254"
@@ -75,7 +72,9 @@ services:
   # Fail2ban (Lê logs e bane IPs)
   # ============================================
   fail2ban:
-    image: crazymax/fail2ban:latest
+    build:
+      context: .
+      dockerfile: Dockerfile.fail2ban
     container_name: fail2ban
     restart: always
     network_mode: host
@@ -83,7 +82,6 @@ services:
       - NET_ADMIN
       - NET_RAW
     volumes:
-      - ./fail2ban:/data
       - nginx_logs:/var/log/nginx:ro
       - modsec_logs:/var/log/modsecurity:ro
 
@@ -91,3 +89,6 @@ volumes:
   nginx_cache:
   nginx_logs:
   modsec_logs:
+  ssl_data:
+  certbot_data_conf:
+  certbot_data_www:

scripts/pre-flight.sh

@@ -35,8 +35,8 @@ echo "[Pre-Flight] Running SSL renewal check..."
 /scripts/renew_ssl.sh
 
 # Setup Daily Cron for Renewal (run at 01:00)
-# Sync Git Repo every 5 minutes
+# Setup Daily Cron for Renewal (run at 01:00)
-echo "*/5 * * * * /scripts/git_sync.sh >> /var/log/nginx/git_sync.log 2>&1" >> /etc/crontabs/root
+echo "0 1 * * * /scripts/renew_ssl.sh >> /var/log/nginx/ssl_renew.log 2>&1" >> /etc/crontabs/root
 
 # Start Crond in background
 crond -b -l 8