Give openappsec a try. It’s not entirely Open Source, howerver you don’t need to share anything with the company behind it (Check Point), and the solution “Just works” most of the time (fail2ban support included) without the hassle of adjusting a multitude of rules thanks to the use of AI. Just install and forget about it. I only had to create one custom rule, so the WAF would allow the upload of big files into my Nextcloud server. Keep in mind I only expose a couple of my own services to the Internet, that only me and couple of friends of mine will use, so I doubt I can be very representative here.
Depending on what you need either first or second solution may be better. In my company we use Netbox fork Nautobot along with Ansible. It’s Ansible that initiates the change and fills all the data properties in Nautobot. This way Ansible can also raise and close relevant change ticket at the right time. With your second solution it would be more difficult for us to properly work with change tickets in compliant way. If you ever intend to take compliance and ticketing system into account, then I would recommend going with first solution, otherwise both solutions are fine to me.