Add fail2ban jail and filter for Vaultwarden

heimserver/configuration.nix

@@ -367,6 +367,19 @@
           findtime = 600;
         };
       };
+      "vaultwarden" = {
+        settings = {
+          enabled = true;
+          filter = "vaultwarden";
+          backend = "systemd"; # Crucial: Reads from journalctl
+          # Optimizes performance by only looking at logs with this identifier
+          # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+          journalmatch = "_SYSTEMD_UNIT=vaultwarden.service + SYSLOG_IDENTIFIER=vaultwarden";
+          action = "iptables-allports";
+          maxretry = 5;
+          findtime = 600;
+        };
+      };
     };
   };
 
@@ -388,6 +401,13 @@
     ignoreregex =
   '';
   
+  environment.etc."fail2ban/filter.d/vaultwarden.local".text = ''
+    [Definition]
+    failregex = .*Username or password is incorrect\. Try again\. IP: <HOST>\. Username: .*
+
+    ignoreregex =
+  '';
+
   environment.etc."magic-update-script.sh".text = ''
     #!/usr/bin/env bash
     set -euo pipefail