feat: vps fail2ban + shared server-debug-tools module 🛡️

VPS public SSH: enable fail2ban with bantime-increment so brute-force
probers get evicted with exponential backoff (1h → 4h → 16h → 2.7d →
10.7d, capped at 30d). Default jail covers sshd; maxretry=5 in 10m.

server-debug-tools: htop, tcpdump, dnsutils, jq, curl. Imported by
sunken-ship + phantom-ship via flake.nixosModules.server-debug-tools.
These are the practical bits we'd otherwise pick up by enabling
clan.core.enableRecommendedDefaults — but the full clan defaults flip
systemd-networkd/resolved on, which broke dnsmasq + navidrome's resolv
.conf bind-mount on the homelab servers, so we cherry-pick instead.

flake-modules/clan.nix

@@ -126,6 +126,7 @@ in {
         clanHostsModule
         ../nixos/hosts/sunken-ship.nix
         config.flake.nixosModules.dotfiles-rebuild
+        config.flake.nixosModules.server-debug-tools
         inputs.home-manager.nixosModules.home-manager
         (hmModule {
           user = "danny";
@@ -165,6 +166,7 @@ in {
         inputs.nix-openclaw.nixosModules.openclaw-gateway
         ../nixos/hosts/phantom-ship.nix
         config.flake.nixosModules.dotfiles-rebuild
+        config.flake.nixosModules.server-debug-tools
         inputs.home-manager.nixosModules.home-manager
         (hmModule {
           user = "danny";

flake-modules/nixos-modules.nix

@@ -4,4 +4,5 @@
 #   modules = [ config.flake.nixosModules.dotfiles-rebuild ];
 { ... }: {
   flake.nixosModules.dotfiles-rebuild = ../modules/dotfiles-rebuild.nix;
+  flake.nixosModules.server-debug-tools = ../modules/server-debug-tools.nix;
 }

modules/server-debug-tools.nix

@@ -0,0 +1,15 @@
+# A small set of network/process debugging tools that we'd otherwise
+# pick up from `clan.core.enableRecommendedDefaults = true`. The full
+# clan defaults also flip systemd-networkd / systemd-resolved on, which
+# breaks dnsmasq + navidrome's resolv.conf bind-mount, so we opted out
+# fleet-wide and added just the useful packages explicitly here.
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    htop       # process monitor
+    tcpdump    # packet capture
+    dnsutils   # dig, nslookup, host
+    jq         # JSON parser
+    curl       # HTTP client
+  ];
+}

nixos/hosts/vps-relay.nix

@@ -70,6 +70,23 @@
   networking.firewall.enable = true;
   networking.firewall.allowedTCPPorts = [ 22 80 443 ];
 
+  # fail2ban — public SSH gets brute-force probed within minutes of any
+  # cloud VM being created. Ban offending IPs after a few failures.
+  services.fail2ban = {
+    enable = true;
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 4 16 64 256";  # 1h, 4h, 16h, ~2.7d, ~10.7d
+      maxtime = "30d";
+    };
+    jails.sshd.settings = {
+      enabled = true;
+      maxretry = 5;
+      findtime = "10m";
+    };
+  };
+
   # --- Caddy reverse proxy --------------------------------------------
   # Subdomains → clan backends over ZeroTier. IPs are sunken-ship's /
   # phantom-ship's ZT IPv6; brackets required in URLs.