feat: smart zomboid traffic filtering with packet-size detection

Replace per-IP hashlimit with smarter filtering that distinguishes
legitimate players from scanner bots based on packet behavior:
- Players send varied packet sizes (53, 37, 1472 bytes)
- Scanners only send 53-byte query packets

New firewall rule chain:
- Priority 2: Mark + ACCEPT non-query packets (verifies player)
- Priority 3: ACCEPT queries from verified IPs (1 hour TTL)
- Priority 4: LOG rate-limited queries from unverified IPs
- Priority 5: DROP rate-limited queries (2 burst, then 1/hour)

Also includes:
- Fail2ban zomboid jail with tighter thresholds (5 retries/4h, 1w ban)
- Graylog streams for zomboid-connections, zomboid-ratelimit, fail2ban
- GeoIP pipeline enrichment for zomboid traffic
- Fluent-bit inputs for ratelimit logs and fail2ban events
- Remove Legendary Katana mod (Workshop 3418366499) - removed from Steam
- Bump Immich to v2.5.0
- Fix fulfillr config (nil → null)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2

@@ -36,6 +36,27 @@
     Read_From_Tail  On
     Strip_Underscores On
 
+# =============================================================================
+# INPUT: Kernel firewall logs for Zomboid rate limiting
+# =============================================================================
+# Captures ZOMBOID_RATELIMIT firewall events for fail2ban monitoring
+[INPUT]
+    Name            systemd
+    Tag             firewall.zomboid.ratelimit
+    Systemd_Filter  _TRANSPORT=kernel
+    Read_From_Tail  On
+    Strip_Underscores On
+
+# =============================================================================
+# INPUT: Fail2ban actions (ban/unban events)
+# =============================================================================
+[INPUT]
+    Name            systemd
+    Tag             fail2ban.*
+    Systemd_Filter  _SYSTEMD_UNIT=fail2ban.service
+    Read_From_Tail  On
+    Strip_Underscores On
+
 # =============================================================================
 # INPUT: Caddy access logs (JSON format)
 # =============================================================================
@@ -93,6 +114,27 @@
     Record        source firewall
     Record        log_type zomboid_connection
 
+# Filter kernel logs to only keep ZOMBOID_RATELIMIT messages
+[FILTER]
+    Name          grep
+    Match         firewall.zomboid.ratelimit
+    Regex         MESSAGE ZOMBOID_RATELIMIT
+
+[FILTER]
+    Name          record_modifier
+    Match         firewall.zomboid.ratelimit
+    Record        host {{ ansible_hostname }}
+    Record        source firewall
+    Record        log_type zomboid_ratelimit
+
+# Fail2ban ban/unban events
+[FILTER]
+    Name          record_modifier
+    Match         fail2ban.*
+    Record        host {{ ansible_hostname }}
+    Record        source fail2ban
+    Record        log_type security
+
 # =============================================================================
 # OUTPUT: All logs to Graylog GELF UDP
 # =============================================================================

ansible/roles/podman/templates/fluent-bit/parsers.conf.j2

@@ -15,3 +15,10 @@
     Name        zomboid_firewall
     Format      regex
     Regex       ZOMBOID_CONN:.*SRC=(?<src_ip>[0-9.]+).*DST=(?<dst_ip>[0-9.]+).*DPT=(?<dst_port>[0-9]+)
+
+# Parse ZOMBOID_RATELIMIT firewall logs to extract source IP
+# Example: ZOMBOID_RATELIMIT: IN=enp0s31f6 OUT= MAC=... SRC=45.5.113.90 DST=192.168.1.10 ...
+[PARSER]
+    Name        zomboid_ratelimit
+    Format      regex
+    Regex       ZOMBOID_RATELIMIT:.*SRC=(?<src_ip>[0-9.]+).*DST=(?<dst_ip>[0-9.]+).*DPT=(?<dst_port>[0-9]+)

ansible/roles/podman/templates/fulfillr/production.json.j2

@@ -10,7 +10,7 @@
   },
   "tax": {
     "ein": "{{ fulfillr_tax_ein }}",
-    "ioss": nil
+    "ioss": null
   },
   "sender_address": {
     "city": "Newbury",