fix: move filter into jail settings (NixOS submodule doesn't pass string filters)

fix: http-botsearch logpath must be string, not list
fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime
2026-05-01 11:59:33 +00:00 · 2026-05-01 04:02:06 +00:00 · 2026-05-01 03:59:32 +00:00 · 2026-05-01 03:57:21 +00:00 · 2026-05-01 03:55:09 +00:00 · 2026-05-01 03:52:57 +00:00
2 changed files with 54 additions and 33 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -5,6 +5,7 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment

 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
+- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.

 ## Linting & Formatting
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -314,9 +314,9 @@
  
  # Firewall - default deny, explicit allow
  networking.firewall = {
+    # Enable firewall with default deny policy (NixOS firewall denies all by default)
    enable = true;
    allowPing = true;
-    defaultAllow = false;
    
    # Only essential ports exposed to internet
    allowedTCPPorts = [
@@ -356,53 +356,73 @@
  # Fail2ban - automatic IP banning
  services.fail2ban = {
    enable = true;
-    maxRetry = 3;
-    findtime = 600;
-    bantime = 3600;
+    maxretry = 3;
+    bantime = "1h";
    banaction = "iptables-multiport";
    
-    # Ban repeat offenders for 1 week
-    recidive = {
-      enabled = true;
-      filter = "recidive";
-      logpath = "/var/log/fail2ban.log";
-      bantime = 604800;
-      findtime = 86400;
-      maxretry = 3;
-    };
-    
    jails = {
-      # SSH brute force protection
+      # SSH brute force protection (uses systemd journal backend)
      sshd = {
        enabled = true;
-        filter = "sshd";
-        port = "2424";
-        logpath = "/var/log/auth.log";
-        maxretry = 3;
-        bantime = 3600;
+        settings = {
+          filter = "sshd";
+          port = "2424";
+          maxretry = 3;
+          bantime = "1h";
+        };
      };
      
-      # HTTP authentication failures
+      # Recidive - ban repeat offenders for 1 week
+      recidive = {
+        enabled = true;
+        settings = {
+          filter = "recidive";
+          logpath = "/var/log/fail2ban.log";
+          bantime = "1w";
+          findtime = "1d";
+          maxretry = 3;
+        };
+      };
+      
+      # HTTP authentication failures (Traefik)
      http-auth = {
        enabled = true;
-        filter = "apache-auth";
-        port = "80,443";
-        logpath = "/var/log/traefik/access.log";
-        maxretry = 5;
-        bantime = 3600;
+        settings = {
+          filter = "traefik-auth";
+          port = "80,443";
+          logpath = "/var/log/traefik/access.log";
+          maxretry = 5;
+          bantime = "1h";
+        };
      };
      
-      # HTTP scanning/attacks
+      # HTTP scanning/attacks (Traefik)
      http-botsearch = {
        enabled = true;
-        filter = "apache-botsearch";
-        port = "80,443";
-        logpath = [ "/var/log/traefik/access.log" ];
-        maxretry = 2;
-        bantime = 7200;
+        settings = {
+          filter = "traefik-botsearch";
+          port = "80,443";
+          logpath = "/var/log/traefik/access.log";
+          maxretry = 2;
+          bantime = "2h";
+        };
      };
    };
  };
+  
+  # Custom fail2ban filters for Traefik
+  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
+    ignoreregex =
+  '';
+  
+  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
+                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
+    ignoreregex =
+  '';

  # SSH hardening
  services.openssh.settings = {
@@ -470,7 +490,7 @@
  };

  # Audit logging
-  services.auditd.enable = true;
+  security.auditd.enable = true;
  
  # Fail2ban log directory
  systemd.tmpfiles.rules = [
Author	SHA1	Message	Date
Hermes Agent	bcebf18676	fix: move filter into jail settings (NixOS submodule doesn't pass string filters)	2026-05-01 11:59:33 +00:00
Hermes Agent	0370d784a0	fix: http-botsearch logpath must be string, not list	2026-05-01 04:02:06 +00:00
Hermes Agent	260b2d2756	fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime	2026-05-01 03:59:32 +00:00
Hermes Agent	2477acdfc7	fix: services.fail2ban top-level options - no findtime, maxretry lowercase	2026-05-01 03:57:21 +00:00
Hermes Agent	81c25d3f20	fix: use security.auditd instead of services.auditd	2026-05-01 03:55:09 +00:00
Hermes Agent	9b1f467db9	fix: remove invalid networking.firewall.defaultAllow option	2026-05-01 03:52:57 +00:00
Hermes Agent	65fa778b2b	fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails	2026-05-01 03:40:59 +00:00