potentially fix fail2ban

services/caddy.nix

@@ -92,13 +92,14 @@ in
 
       # Ignore local network IPs - NAT hairpinning causes all LAN traffic to
       # appear from the router IP (192.168.1.1). Banning it blocks all internal access.
-      # Browser subrequests for static assets (favicon.ico, etc.) without Authorization
-      # headers cause 401s that quickly trigger the ban threshold.
       ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
     };
     filter.Definition = {
-      # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth)
-      failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';
+      # Only match 401s where an Authorization header was actually sent.
+      # Without this, the normal HTTP Basic Auth challenge-response flow
+      # (browser probes without credentials, gets 401, then resends with
+      # credentials) counts every page visit as a "failure."
+      failregex = ''^.*"remote_ip":"<HOST>".*"Authorization":\["REDACTED"\].*"status":401.*$'';
       ignoreregex = "";
       datepattern = ''"ts":{Epoch}\.'';
     };