fail2ban: implement for caddy basic auth

services/caddy.nix

@@ -80,4 +80,21 @@ in
   networking.firewall.allowedUDPPorts = [
     service_configs.ports.https
   ];
+
+  # Protect Caddy basic auth endpoints from brute force attacks
+  services.fail2ban.jails.caddy-auth = {
+    enabled = true;
+    settings = {
+      backend = "auto";
+      port = "http,https";
+      logpath = "/var/log/caddy/access-*.log";
+      # defaults: maxretry=5, findtime=10m, bantime=10m
+    };
+    filter.Definition = {
+      # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth)
+      failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';
+      ignoreregex = "";
+      datepattern = ''"ts":{Epoch}\.'';
+    };
+  };
 }