fix: move filter into jail settings (NixOS submodule doesn't pass string filters)

AGENTS.md

@@ -5,6 +5,7 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment
 
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
+- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 
 ## Linting & Formatting

hosts/lazyworkhorse/configuration.nix

@@ -364,8 +364,8 @@
       # SSH brute force protection (uses systemd journal backend)
       sshd = {
         enabled = true;
-        filter = "sshd";
         settings = {
+          filter = "sshd";
           port = "2424";
           maxretry = 3;
           bantime = "1h";
@@ -375,8 +375,8 @@
       # Recidive - ban repeat offenders for 1 week
       recidive = {
         enabled = true;
-        filter = "recidive";
         settings = {
+          filter = "recidive";
           logpath = "/var/log/fail2ban.log";
           bantime = "1w";
           findtime = "1d";
@@ -387,8 +387,8 @@
       # HTTP authentication failures (Traefik)
       http-auth = {
         enabled = true;
-        filter = "traefik-auth";
         settings = {
+          filter = "traefik-auth";
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 5;
@@ -399,8 +399,8 @@
       # HTTP scanning/attacks (Traefik)
       http-botsearch = {
         enabled = true;
-        filter = "traefik-botsearch";
         settings = {
+          filter = "traefik-botsearch";
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 2;