Stage 7: configuration view — backend service, routers, tests, and frontend

- config_service.py: read/write jail config via asyncio.gather, global
  settings, in-process regex validation, log preview via _read_tail_lines
- server_service.py: read/write server settings, flush logs
- config router: 9 endpoints for jail/global config, regex-test,
  logpath management, log preview
- server router: GET/PUT settings, POST flush-logs
- models/config.py expanded with JailConfig, GlobalConfigUpdate,
  LogPreview* models
- 285 tests pass (68 new), ruff clean, mypy clean (44 files)
- Frontend: types/config.ts, api/config.ts, hooks/useConfig.ts,
  ConfigPage.tsx full implementation (Jails accordion editor,
  Global config, Server settings, Regex Tester with preview)
- Fixed pre-existing frontend lint: JSX.Element → React.JSX.Element
  (10 files), void/promise patterns in useServerStatus + useJails,
  no-misused-spread in client.ts, eslint.config.ts self-excluded

backend/app/routers/server.py

@@ -0,0 +1,144 @@
+"""Server settings router.
+
+Provides endpoints to view and update fail2ban server-level settings and
+to flush log files.
+
+* ``GET  /api/server/settings``  — current log level, target, and DB config
+* ``PUT  /api/server/settings``  — update server-level settings
+* ``POST /api/server/flush-logs`` — flush and re-open log files
+"""
+
+from __future__ import annotations
+
+from fastapi import APIRouter, HTTPException, Request, status
+
+from app.dependencies import AuthDep
+from app.models.server import ServerSettingsResponse, ServerSettingsUpdate
+from app.services import server_service
+from app.services.server_service import ServerOperationError
+from app.utils.fail2ban_client import Fail2BanConnectionError
+
+router: APIRouter = APIRouter(prefix="/api/server", tags=["Server"])
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def _bad_gateway(exc: Exception) -> HTTPException:
+    return HTTPException(
+        status_code=status.HTTP_502_BAD_GATEWAY,
+        detail=f"Cannot reach fail2ban: {exc}",
+    )
+
+
+def _bad_request(message: str) -> HTTPException:
+    return HTTPException(
+        status_code=status.HTTP_400_BAD_REQUEST,
+        detail=message,
+    )
+
+
+# ---------------------------------------------------------------------------
+# Endpoints
+# ---------------------------------------------------------------------------
+
+
+@router.get(
+    "/settings",
+    response_model=ServerSettingsResponse,
+    summary="Return fail2ban server-level settings",
+)
+async def get_server_settings(
+    request: Request,
+    _auth: AuthDep,
+) -> ServerSettingsResponse:
+    """Return the current fail2ban server-level settings.
+
+    Includes log level, log target, syslog socket, database file path,
+    database purge age, and maximum stored matches per record.
+
+    Args:
+        request: Incoming request (used to access ``app.state``).
+        _auth: Validated session — enforces authentication.
+
+    Returns:
+        :class:`~app.models.server.ServerSettingsResponse`.
+
+    Raises:
+        HTTPException: 502 when fail2ban is unreachable.
+    """
+    socket_path: str = request.app.state.settings.fail2ban_socket
+    try:
+        return await server_service.get_settings(socket_path)
+    except Fail2BanConnectionError as exc:
+        raise _bad_gateway(exc) from exc
+
+
+@router.put(
+    "/settings",
+    status_code=status.HTTP_204_NO_CONTENT,
+    summary="Update fail2ban server-level settings",
+)
+async def update_server_settings(
+    request: Request,
+    _auth: AuthDep,
+    body: ServerSettingsUpdate,
+) -> None:
+    """Update fail2ban server-level settings.
+
+    Only non-None fields in the request body are written.  Changes take
+    effect immediately without a daemon restart.
+
+    Args:
+        request: Incoming request.
+        _auth: Validated session.
+        body: Partial settings update.
+
+    Raises:
+        HTTPException: 400 when a set command is rejected by fail2ban.
+        HTTPException: 502 when fail2ban is unreachable.
+    """
+    socket_path: str = request.app.state.settings.fail2ban_socket
+    try:
+        await server_service.update_settings(socket_path, body)
+    except ServerOperationError as exc:
+        raise _bad_request(str(exc)) from exc
+    except Fail2BanConnectionError as exc:
+        raise _bad_gateway(exc) from exc
+
+
+@router.post(
+    "/flush-logs",
+    status_code=status.HTTP_200_OK,
+    summary="Flush and re-open fail2ban log files",
+)
+async def flush_logs(
+    request: Request,
+    _auth: AuthDep,
+) -> dict[str, str]:
+    """Flush and re-open fail2ban log files.
+
+    Useful after log rotation so the daemon writes to the newly created
+    log file rather than continuing to append to the rotated one.
+
+    Args:
+        request: Incoming request.
+        _auth: Validated session.
+
+    Returns:
+        ``{"message": "<response from fail2ban>"}``
+
+    Raises:
+        HTTPException: 400 when the command is rejected.
+        HTTPException: 502 when fail2ban is unreachable.
+    """
+    socket_path: str = request.app.state.settings.fail2ban_socket
+    try:
+        result = await server_service.flush_logs(socket_path)
+        return {"message": result}
+    except ServerOperationError as exc:
+        raise _bad_request(str(exc)) from exc
+    except Fail2BanConnectionError as exc:
+        raise _bad_gateway(exc) from exc