fix: move filter into jail settings (NixOS submodule doesn't pass string filters)

AGENTS.md

@@ -5,6 +5,7 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment
 
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
+- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 
 ## Linting & Formatting

hosts/lazyworkhorse/configuration.nix

@@ -314,6 +314,7 @@
   
   # Firewall - default deny, explicit allow
   networking.firewall = {
+    # Enable firewall with default deny policy (NixOS firewall denies all by default)
     enable = true;
     allowPing = true;
     
@@ -360,11 +361,22 @@
     banaction = "iptables-multiport";
     
     jails = {
-      # Ban repeat offenders for 1 week
+      # SSH brute force protection (uses systemd journal backend)
+      sshd = {
+        enabled = true;
+        settings = {
+          filter = "sshd";
+          port = "2424";
+          maxretry = 3;
+          bantime = "1h";
+        };
+      };
+      
+      # Recidive - ban repeat offenders for 1 week
       recidive = {
         enabled = true;
-        filter = "recidive";
         settings = {
+          filter = "recidive";
           logpath = "/var/log/fail2ban.log";
           bantime = "1w";
           findtime = "1d";
@@ -372,21 +384,11 @@
         };
       };
       
-      # SSH brute force protection
-      sshd = {
-        enabled = true;
-        settings = {
-          port = "2424";
-          maxretry = 3;
-          bantime = "1h";
-        };
-      };
-      
-      # HTTP authentication failures
+      # HTTP authentication failures (Traefik)
       http-auth = {
         enabled = true;
-        filter = "apache-auth";
         settings = {
+          filter = "traefik-auth";
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 5;
@@ -394,11 +396,11 @@
         };
       };
       
-      # HTTP scanning/attacks
+      # HTTP scanning/attacks (Traefik)
       http-botsearch = {
         enabled = true;
-        filter = "apache-botsearch";
         settings = {
+          filter = "traefik-botsearch";
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 2;
@@ -407,6 +409,20 @@
       };
     };
   };
+  
+  # Custom fail2ban filters for Traefik
+  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
+    ignoreregex =
+  '';
+  
+  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
+                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
+    ignoreregex =
+  '';
 
   # SSH hardening
   services.openssh.settings = {
@@ -474,7 +490,7 @@
   };
 
   # Audit logging
-  security.audit.enable = true;
+  security.auditd.enable = true;
   
   # Fail2ban log directory
   systemd.tmpfiles.rules = [