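# Compose stack: ModSecurity WAF -> NGINX reverse proxy, with Fail2ban reading
# both services' logs. As a single line, everything after the first `#` was one
# comment and no service was defined; the block structure is restored here.
services:
  # ============================================
  # ModSecurity WAF (in front of NGINX)
  # ============================================
  # The only service with a `ports:` mapping; requests are passed on to
  # nginx-proxy through BACKEND.
  # NOTE(review): `nginx-alpine` is a floating tag. Pin a specific version or
  # digest, and confirm the container's listen ports, certificate paths and
  # environment variable names against that release's documentation.
  modsecurity:
    image: owasp/modsecurity-crs:nginx-alpine
    container_name: modsecurity-waf
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      # Upstream is plain HTTP on the Compose network (WAF -> proxy hop).
      - BACKEND=http://nginx-proxy:8080
      # CRS paranoia level and anomaly-score thresholds; 1 / 5 / 4 are the
      # CRS defaults. Raising PARANOIA increases coverage and false positives.
      - PARANOIA=1
      - ANOMALY_INBOUND=5
      - ANOMALY_OUTBOUND=4
    volumes:
      # Certificates are read-only for the WAF.
      - ./ssl:/etc/nginx/ssl:ro
      # Shared with fail2ban (mounted read-only there).
      # NOTE(review): verify the image actually writes its ModSecurity logs
      # under this path; otherwise the fail2ban jail has nothing to read.
      - modsec_logs:/var/log/modsecurity
    # Start order only; this does not wait for nginx-proxy to be ready.
    depends_on:
      - nginx-proxy

  # ============================================
  # NGINX Proxy (backend of ModSecurity)
  # ============================================
  # Built from the local Dockerfile. `expose` does not publish to the host, so
  # port 8080 is reachable only from containers on the same network.
  nginx-proxy:
    build: .
    container_name: nginx-proxy
    restart: always
    expose:
      - "8080"
    environment:
      # Interpolated from the shell or a .env file; Compose substitutes an
      # empty string (with a warning) when it is unset.
      - HOST_PUBLIC_IP=${HOST_PUBLIC_IP}
    volumes:
      # NOTE(review): configuration, snippets and key material are mounted
      # read-write. If the image's entrypoint does not need to write to them,
      # append `:ro` so a compromised proxy cannot alter its own config or
      # certificates on the host.
      - ./conf.d:/etc/nginx/conf.d
      - ./ssl:/etc/nginx/ssl
      - ./snippets:/etc/nginx/snippets
      - nginx_cache:/var/cache/nginx
      # Shared with fail2ban (mounted read-only there).
      - nginx_logs:/var/log/nginx
      # Presumably Let's Encrypt state and the ACME webroot; no certbot
      # service is defined in this file - confirm what writes here.
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot

  # ============================================
  # Fail2ban (reads logs and bans IPs)
  # ============================================
  # Runs in the host network namespace with NET_ADMIN / NET_RAW so that it can
  # modify the host's firewall rules. Log volumes are mounted read-only.
  # NOTE(review): `latest` is a floating tag on a container holding host-level
  # network capabilities; pin a specific version or digest.
  # NOTE(review): traffic to published container ports is forwarded, not
  # delivered to the host's INPUT chain. Check that the jails under ./fail2ban
  # place bans in a chain that forwarded traffic traverses (DOCKER-USER).
  # NOTE(review): nginx-proxy only sees connections from the WAF container.
  # Confirm its access log records the real client address (for example via
  # the real_ip module and the WAF's forwarded header); otherwise jails on
  # nginx_logs will match the WAF's internal address instead of the client.
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      # Jail and filter configuration plus fail2ban's own state.
      - ./fail2ban:/data
      - nginx_logs:/var/log/nginx:ro
      - modsec_logs:/var/log/modsecurity:ro

# Named volumes with default driver settings.
volumes:
  nginx_cache:
  nginx_logs:
  modsec_logs: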