feat: vps fail2ban + shared server-debug-tools module 🛡️

VPS public SSH: enable fail2ban with bantime-increment so brute-force
probers get evicted with exponential backoff (1h → 4h → 16h → 2.7d →
10.7d, capped at 30d). Default jail covers sshd; maxretry=5 in 10m.

server-debug-tools: htop, tcpdump, dnsutils, jq, curl. Imported by
sunken-ship + phantom-ship via flake.nixosModules.server-debug-tools.
These are the practical bits we'd otherwise pick up by enabling
clan.core.enableRecommendedDefaults — but the full clan defaults flip
systemd-networkd/resolved on, which broke dnsmasq + navidrome's resolv
.conf bind-mount on the homelab servers, so we cherry-pick instead.

nixos/hosts/vps-relay.nix

@@ -70,6 +70,23 @@
   networking.firewall.enable = true;
   networking.firewall.allowedTCPPorts = [ 22 80 443 ];
 
+  # fail2ban — public SSH gets brute-force probed within minutes of any
+  # cloud VM being created. Ban offending IPs after a few failures.
+  services.fail2ban = {
+    enable = true;
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 4 16 64 256";  # 1h, 4h, 16h, ~2.7d, ~10.7d
+      maxtime = "30d";
+    };
+    jails.sshd.settings = {
+      enabled = true;
+      maxretry = 5;
+      findtime = "10m";
+    };
+  };
+
   # --- Caddy reverse proxy --------------------------------------------
   # Subdomains → clan backends over ZeroTier. IPs are sunken-ship's /
   # phantom-ship's ZT IPv6; brackets required in URLs.