tests: fix all fail2ban NixOS VM tests

- Add explicit iptables banaction in security.nix for test compatibility
- Force IPv4 in all curl requests to prevent IPv4/IPv6 mismatch issues
- Fix caddy test: use basic_auth directive (not basicauth)
- Override service ports in tests to match direct connections (not via Caddy)
- Vaultwarden: override ROCKET_ADDRESS and ROCKET_LOG for external access
- Immich: increase VM memory to 4GB for stability
- Jellyfin: create placeholder log file and reload fail2ban after startup
- Add tests.nix entries for all 6 fail2ban tests

All tests now pass: ssh, caddy, gitea, vaultwarden, immich, jellyfin

tests/fail2ban-vaultwarden.nix

@@ -0,0 +1,128 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  testServiceConfigs = {
+    zpool_ssds = "";
+    https = {
+      domain = "test.local";
+    };
+    ports = {
+      vaultwarden = 8222;
+    };
+    vaultwarden = {
+      path = "/var/lib/vaultwarden";
+    };
+  };
+
+  testLib = lib.extend (
+    final: prev: {
+      serviceMountWithZpool = serviceName: zpool: dirs: { ... }: { };
+    }
+  );
+
+  vaultwardenModule =
+    { config, pkgs, ... }:
+    {
+      imports = [
+        (import ../services/bitwarden.nix {
+          inherit config pkgs;
+          lib = testLib;
+          service_configs = testServiceConfigs;
+        })
+      ];
+    };
+in
+pkgs.testers.runNixOSTest {
+  name = "fail2ban-vaultwarden";
+
+  nodes = {
+    server =
+      { config, lib, pkgs, ... }:
+      {
+        imports = [
+          ../modules/security.nix
+          vaultwardenModule
+        ];
+
+        # Disable ZFS mount dependencies
+        systemd.services."vaultwarden-mounts".enable = lib.mkForce false;
+        systemd.services."backup-vaultwarden-mounts".enable = lib.mkForce false;
+        systemd.services.vaultwarden = {
+          wants = lib.mkForce [ ];
+          after = lib.mkForce [ ];
+          requires = lib.mkForce [ ];
+        };
+        systemd.services.backup-vaultwarden = {
+          wants = lib.mkForce [ ];
+          after = lib.mkForce [ ];
+          requires = lib.mkForce [ ];
+        };
+
+        # Override Vaultwarden settings for testing
+        # - Listen on all interfaces (not just localhost)
+        # - Enable logging at info level to capture failed login attempts
+        services.vaultwarden.config = {
+          ROCKET_ADDRESS = lib.mkForce "0.0.0.0";
+          ROCKET_LOG = lib.mkForce "info";
+        };
+
+        # Override for faster testing and correct port
+        services.fail2ban.jails.vaultwarden.settings = {
+          maxretry = lib.mkForce 3;
+          # In test, we connect directly to Vaultwarden port, not via Caddy
+          port = lib.mkForce "8222";
+        };
+
+        networking.firewall.allowedTCPPorts = [ 8222 ];
+      };
+
+    client = {
+      environment.systemPackages = [ pkgs.curl ];
+    };
+  };
+
+  testScript = ''
+    import time
+    import re
+
+    start_all()
+    server.wait_for_unit("vaultwarden.service")
+    server.wait_for_unit("fail2ban.service")
+    server.wait_for_open_port(8222)
+    time.sleep(2)
+
+    with subtest("Verify vaultwarden jail is active"):
+        status = server.succeed("fail2ban-client status")
+        assert "vaultwarden" in status, f"vaultwarden jail not found in: {status}"
+
+    with subtest("Generate failed login attempts"):
+        # Use -4 to force IPv4 for consistent IP tracking
+        for i in range(4):
+            client.execute("""
+                curl -4 -s -X POST 'http://server:8222/identity/connect/token' \
+                  -H 'Content-Type: application/x-www-form-urlencoded' \
+                  -H 'Bitwarden-Client-Name: web' \
+                  -H 'Bitwarden-Client-Version: 2024.1.0' \
+                  -d 'grant_type=password&username=bad@user.com&password=badpass&scope=api+offline_access&client_id=web&deviceType=10&deviceIdentifier=test&deviceName=test' \
+                  || true
+            """)
+            time.sleep(0.5)
+
+    with subtest("Verify IP is banned"):
+        time.sleep(3)
+        status = server.succeed("fail2ban-client status vaultwarden")
+        print(f"vaultwarden jail status: {status}")
+        # Check that at least 1 IP is banned
+        match = re.search(r"Currently banned:\s*(\d+)", status)
+        assert match and int(match.group(1)) >= 1, f"Expected at least 1 banned IP, got: {status}"
+
+    with subtest("Verify banned client cannot connect"):
+        # Use -4 to test with same IP that was banned
+        exit_code = client.execute("curl -4 -s --max-time 3 http://server:8222/ 2>&1")[0]
+        assert exit_code != 0, "Connection should be blocked"
+  '';
+}