Add fail2ban configuration for SSH and Forgejo on Trantor

- Configure fail2ban with progressive ban times (1h base, up to 10000h max)
- Add SSH jail with password authentication disabled
- Add Forgejo jail using systemd journal backend
- Ignore private networks and Tailscale IPs
- Set Forgejo to 10 retries per hour, 15min initial ban

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

hosts/trantor/fail2ban.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "::1"
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      "100.64.0.0/10"
+    ];
+
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "10000h";
+      overalljails = true;
+    };
+
+    jails.forgejo = {
+      settings = {
+        enabled = true;
+        filter = "forgejo";
+        backend = "systemd";
+        maxretry = 10;
+        findtime = "1h";
+        bantime = "15m";
+      };
+    };
+  };
+
+  # Custom fail2ban filter for Forgejo using systemd journal
+  environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+    [Definition]
+    journalmatch = _SYSTEMD_UNIT=forgejo.service
+    failregex = Failed authentication attempt for .+ from <HOST>:\d+:
+    ignoreregex =
+  '');
+}