tests: fix all fail2ban NixOS VM tests

- Add explicit iptables banaction in security.nix for test compatibility
- Force IPv4 in all curl requests to prevent IPv4/IPv6 mismatch issues
- Fix caddy test: use basic_auth directive (not basicauth)
- Override service ports in tests to match direct connections (not via Caddy)
- Vaultwarden: override ROCKET_ADDRESS and ROCKET_LOG for external access
- Immich: increase VM memory to 4GB for stability
- Jellyfin: create placeholder log file and reload fail2ban after startup
- Add tests.nix entries for all 6 fail2ban tests

All tests now pass: ssh, caddy, gitea, vaultwarden, immich, jellyfin

tests/fail2ban-caddy.nix

@@ -0,0 +1,103 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+pkgs.testers.runNixOSTest {
+  name = "fail2ban-caddy";
+
+  nodes = {
+    server =
+      { config, pkgs, lib, ... }:
+      {
+        imports = [
+          ../modules/security.nix
+        ];
+
+        # Set up Caddy with basic auth (minimal config, no production stuff)
+        # Using bcrypt hash generated with: caddy hash-password --plaintext testpass
+        services.caddy = {
+          enable = true;
+          virtualHosts.":80".extraConfig = ''
+            log {
+              output file /var/log/caddy/access-server.log
+              format json
+            }
+            basic_auth {
+              testuser $2a$14$XqaQlGTdmofswciqrLlMz.rv0/jiGQq8aU.fP6mh6gCGiLf6Cl3.a
+            }
+            respond "Authenticated!" 200
+          '';
+        };
+
+        # Add the fail2ban jail for caddy-auth (same as in services/caddy.nix)
+        services.fail2ban.jails.caddy-auth = {
+          enabled = true;
+          settings = {
+            backend = "auto";
+            port = "http,https";
+            logpath = "/var/log/caddy/access-*.log";
+            maxretry = 3; # Lower for testing
+          };
+          filter.Definition = {
+            failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';
+            ignoreregex = "";
+            datepattern = ''"ts":{Epoch}\.'';
+          };
+        };
+
+        # Create log directory and initial log file so fail2ban can start
+        systemd.tmpfiles.rules = [
+          "d /var/log/caddy 755 caddy caddy"
+          "f /var/log/caddy/access-server.log 644 caddy caddy"
+        ];
+
+        networking.firewall.allowedTCPPorts = [ 80 ];
+      };
+
+    client = {
+      environment.systemPackages = [ pkgs.curl ];
+    };
+  };
+
+  testScript = ''
+    import time
+    import re
+
+    start_all()
+    server.wait_for_unit("caddy.service")
+    server.wait_for_unit("fail2ban.service")
+    server.wait_for_open_port(80)
+    time.sleep(2)
+
+    with subtest("Verify caddy-auth jail is active"):
+        status = server.succeed("fail2ban-client status")
+        assert "caddy-auth" in status, f"caddy-auth jail not found in: {status}"
+
+    with subtest("Verify correct password works"):
+        # Use -4 to force IPv4 for consistency
+        result = client.succeed("curl -4 -s -u testuser:testpass http://server/")
+        print(f"Curl result: {result}")
+        assert "Authenticated" in result, f"Auth should succeed: {result}"
+
+    with subtest("Generate failed basic auth attempts"):
+        # Use -4 to force IPv4 for consistent IP tracking
+        for i in range(4):
+            client.execute("curl -4 -s -u testuser:wrongpass http://server/ || true")
+            time.sleep(1)
+
+    with subtest("Verify IP is banned"):
+        time.sleep(5)
+        status = server.succeed("fail2ban-client status caddy-auth")
+        print(f"caddy-auth jail status: {status}")
+        # Check that at least 1 IP is banned
+        match = re.search(r"Currently banned:\s*(\d+)", status)
+        assert match and int(match.group(1)) >= 1, f"Expected at least 1 banned IP, got: {status}"
+
+    with subtest("Verify banned client cannot connect"):
+        # Use -4 to test with same IP that was banned
+        exit_code = client.execute("curl -4 -s --max-time 3 http://server/ 2>&1")[0]
+        assert exit_code != 0, "Connection should be blocked"
+  '';
+}