From bcebf18676abcf63411d678c57a410a61b83d972 Mon Sep 17 00:00:00 2001
From: Hermes Agent
Date: Fri, 1 May 2026 11:59:33 +0000
Subject: [PATCH] fix: move filter into jail settings (NixOS submodule doesn't pass string filters)

---
 AGENTS.md | 1 +
 hosts/lazyworkhorse/configuration.nix | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 8459aa8..fe0de1d 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -5,6 +5,7 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#` to build and deploy the configuration for a specific host.
+- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations..config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 ## Linting & Formatting
diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 7a180f8..3963650 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -364,8 +364,8 @@
 # SSH brute force protection (uses systemd journal backend)
 sshd = {
 enabled = true;
- filter = "sshd";
 settings = {
+ filter = "sshd";
 port = "2424";
 maxretry = 3;
 bantime = "1h";
@@ -375,8 +375,8 @@
 # Recidive - ban repeat offenders for 1 week
 recidive = {
 enabled = true;
- filter = "recidive";
 settings = {
+ filter = "recidive";
 logpath = "/var/log/fail2ban.log";
 bantime = "1w";
 findtime = "1d";
@@ -387,8 +387,8 @@
 # HTTP authentication failures (Traefik)
 http-auth = {
 enabled = true;
- filter = "traefik-auth";
 settings = {
+ filter = "traefik-auth";
 port = "80,443";
 logpath = "/var/log/traefik/access.log";
 maxretry = 5;
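Review bot: Of the four jails rewritten the same way (sshd, recidive and http-auth here, http-botsearch in the next hunk), only the two Traefik jails appear to have been actually broken by the dropped `filter`: fail2ban's jail.conf defaults `filter` to the jail name, so `sshd` and `recidive` resolved to their bundled filters regardless, whereas `http-auth`/`http-botsearch` would have had no filter of that name and, as far as I can tell, failed to start at runtime while the rest of fail2ban kept running. Nothing in the commit verifies the jails are active after deploy, and the new AGENTS.md `nix build` rule does not cover this class of error, since an unknown filter name is a runtime failure logged by fail2ban rather than an evaluation error; a post-deploy `fail2ban-client status http-auth` (and likewise for the other three jails) plus a scan of the fail2ban log for filter errors would close that gap. I would also record on the Traefik jails that their filter names must resolve to files in fail2ban's `filter.d`, e.g. `# filter name must exist in filter.d or the jail fails to start at runtime`. Separately, the `recidive` jail still reads `/var/log/fail2ban.log` while the sshd comment says the journal backend is in use; if fail2ban's own log goes to syslog/journal rather than that file, recidive has nothing to ban from — worth confirming. The `jails` attrset enclosing these hunks opens and closes outside them.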
@@ -399,8 +399,8 @@
 # HTTP scanning/attacks (Traefik)
 http-botsearch = {
 enabled = true;
- filter = "traefik-botsearch";
 settings = {
+ filter = "traefik-botsearch";
 port = "80,443";
 logpath = "/var/log/traefik/access.log";
 maxretry = 2;