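---
# Edge stack: OWASP ModSecurity CRS (WAF) in front of an NGINX reverse proxy,
# with Fail2ban watching both containers' logs from the host network namespace.
#
# Review notes (cannot be verified from this file alone):
# - Two images use floating tags (`nginx-alpine`, `latest`); one of them runs
#   with NET_ADMIN on the host network. Pin a release tag or digest before
#   relying on this stack in production.
# - Fail2ban runs with network_mode: host, but client traffic reaches the WAF
#   through Docker's published-port NAT (FORWARD path). Bans inserted into the
#   INPUT chain do not affect that traffic; the jail action in ./fail2ban must
#   target the DOCKER-USER chain (check jail.local, not part of this file).
# - The WAF proxies to nginx-proxy, so nginx_logs will record the WAF
#   container's address as the client unless NGINX is configured to trust
#   the forwarded client address (real_ip module). Confirm before banning on
#   those logs, or the jail will ban the WAF itself.
services:
  # ============================================
  # ModSecurity WAF (in front of NGINX)
  # ============================================
  modsecurity:
    image: owasp/modsecurity-crs:nginx-alpine  # TODO: pin to a release tag or digest
    container_name: modsecurity-waf
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      # TLS terminates at the WAF; traffic to nginx-proxy is plain HTTP on the
      # compose-internal network only (8080 is exposed, not published).
      - BACKEND=http://nginx-proxy:8080
      - PARANOIA=1
      - ANOMALY_INBOUND=5
      - ANOMALY_OUTBOUND=4
    volumes:
      - ./ssl:/etc/nginx/ssl:ro
      - modsec_logs:/var/log/modsecurity
      # Rules and the config template are inputs; the container has no reason
      # to write them, so mount them read-only.
      - ./modsec_rules:/etc/nginx/custom_rules:ro
      - ./modsec.conf.template:/etc/nginx/templates/modsecurity.d/modsecurity.conf.template:ro
    depends_on:
      - nginx-proxy
    extra_hosts:
      - "host.docker.internal:host-gateway"
      - "srvproxy001.itguys.com.br:172.16.254.1"
      - "srvproxy001:172.16.254.1"
      - "git.itguys.com.br:10.10.253.128"
      - "git:10.10.253.128"
      - "zammad.itguys.com.br:172.16.254.59"
      - "zammad:172.16.254.59"
      - "cloud.grupopralog.com.br:172.16.253.12"
      - "business.itguys.com.br:172.16.121.13"
      - "verbocloud.itguys.com.br:172.16.253.13"
      - "srvoffice001.itguys.com.br:172.16.253.101"
      - "srvoffice001:172.16.253.101"

  # ============================================
  # NGINX proxy (backend of the ModSecurity WAF)
  # ============================================
  nginx-proxy:
    build: .
    container_name: nginx-proxy
    restart: always
    # Reachable only from other containers on the compose network.
    expose:
      - "8080"
    environment:
      # Fail at `compose up` time instead of rendering config with an empty
      # value when the variable is missing from the environment / .env.
      - HOST_PUBLIC_IP=${HOST_PUBLIC_IP:?HOST_PUBLIC_IP must be set}
    volumes:
      # Static configuration is mounted read-only so a compromised proxy
      # process cannot rewrite its own config or certificates. ./ssl is
      # already read-only in the WAF container above.
      - ./conf.d:/etc/nginx/conf.d:ro
      - ./ssl:/etc/nginx/ssl:ro
      - ./snippets:/etc/nginx/snippets:ro
      - nginx_cache:/var/cache/nginx
      - nginx_logs:/var/log/nginx
      # Left writable in case certbot runs inside this image (build: .) and
      # needs to write renewed certificates and ACME challenge files.
      # NOTE(review): if renewal happens elsewhere, these can be :ro too.
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    extra_hosts:
      - "host.docker.internal:host-gateway"
      - "server-254:10.10.253.254"
      - "gitea-server:10.10.253.128"
      - "srvproxy001.itguys.com.br:172.16.254.1"
      - "srvproxy001:172.16.254.1"
      - "git.itguys.com.br:10.10.253.128"
      - "git:10.10.253.128"
      - "zammad.itguys.com.br:172.16.254.59"
      - "zammad:172.16.254.59"
      - "cloud.grupopralog.com.br:172.16.253.12"
      - "business.itguys.com.br:172.16.121.13"
      - "verbocloud.itguys.com.br:172.16.253.13"
      - "srvoffice001.itguys.com.br:172.16.253.101"
      - "srvoffice001:172.16.253.101"

  # ============================================
  # Fail2ban (reads the logs and bans IPs)
  # ============================================
  fail2ban:
    image: crazymax/fail2ban:latest  # TODO: pin to a release tag or digest
    container_name: fail2ban
    restart: always
    # Host networking plus NET_ADMIN/NET_RAW is what lets it edit the host
    # firewall; this is the most privileged container in the stack.
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      # Fail2ban state (ban database, jail config) must stay writable.
      - ./fail2ban:/data
      - nginx_logs:/var/log/nginx:ro
      - modsec_logs:/var/log/modsecurity:ro

volumes:
  nginx_cache:
  nginx_logs:
  modsec_logs: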