fix: correct fail2ban options - use lower attr names, nested settings, proper types

AGENTS.md

@@ -5,7 +5,6 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment
 
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
-- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 
 ## Linting & Formatting

hosts/lazyworkhorse/configuration.nix

@@ -314,7 +314,6 @@
   
   # Firewall - default deny, explicit allow
   networking.firewall = {
-    # Enable firewall with default deny policy (NixOS firewall denies all by default)
     enable = true;
     allowPing = true;
     
@@ -361,22 +360,11 @@
     banaction = "iptables-multiport";
     
     jails = {
-      # SSH brute force protection (uses systemd journal backend)
-      sshd = {
-        enabled = true;
-        settings = {
-          filter = "sshd";
-          port = "2424";
-          maxretry = 3;
-          bantime = "1h";
-        };
-      };
-      
-      # Recidive - ban repeat offenders for 1 week
+      # Ban repeat offenders for 1 week
       recidive = {
         enabled = true;
-        settings = {
         filter = "recidive";
+        settings = {
           logpath = "/var/log/fail2ban.log";
           bantime = "1w";
           findtime = "1d";
@@ -384,11 +372,21 @@
         };
       };
       
-      # HTTP authentication failures (Traefik)
-      http-auth = {
+      # SSH brute force protection
+      sshd = {
         enabled = true;
         settings = {
-          filter = "traefik-auth";
+          port = "2424";
+          maxretry = 3;
+          bantime = "1h";
+        };
+      };
+      
+      # HTTP authentication failures
+      http-auth = {
+        enabled = true;
+        filter = "apache-auth";
+        settings = {
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 5;
@@ -396,11 +394,11 @@
         };
       };
       
-      # HTTP scanning/attacks (Traefik)
+      # HTTP scanning/attacks
       http-botsearch = {
         enabled = true;
+        filter = "apache-botsearch";
         settings = {
-          filter = "traefik-botsearch";
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 2;
@@ -410,20 +408,6 @@
     };
   };
 
-  # Custom fail2ban filters for Traefik
-  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
-    [Definition]
-    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
-    ignoreregex =
-  '';
-  
-  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
-    [Definition]
-    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
-                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
-    ignoreregex =
-  '';
-
   # SSH hardening
   services.openssh.settings = {
     PermitRootLogin = "no";
@@ -490,7 +474,7 @@
   };
 
   # Audit logging
-  security.auditd.enable = true;
+  security.audit.enable = true;
   
   # Fail2ban log directory
   systemd.tmpfiles.rules = [