771cc58076
VPS public SSH: enable fail2ban with bantime-increment so brute-force probers get evicted with exponential backoff (1h → 4h → 16h → 2.7d → 10.7d, capped at 30d). Default jail covers sshd; maxretry=5 in 10m. server-debug-tools: htop, tcpdump, dnsutils, jq, curl. Imported by sunken-ship + phantom-ship via flake.nixosModules.server-debug-tools. These are the practical bits we'd otherwise pick up by enabling clan.core.enableRecommendedDefaults — but the full clan defaults flip systemd-networkd/resolved on, which broke dnsmasq + navidrome's resolv .conf bind-mount on the homelab servers, so we cherry-pick instead.
15 lines
575 B
Nix
15 lines
575 B
Nix
# A small set of network/process debugging tools that we'd otherwise
|
|
# pick up from `clan.core.enableRecommendedDefaults = true`. The full
|
|
# clan defaults also flip systemd-networkd / systemd-resolved on, which
|
|
# breaks dnsmasq + navidrome's resolv.conf bind-mount, so we opted out
|
|
# fleet-wide and added just the useful packages explicitly here.
|
|
{ pkgs, ... }:
|
|
{
|
|
environment.systemPackages = with pkgs; [
|
|
htop # process monitor
|
|
tcpdump # packet capture
|
|
dnsutils # dig, nslookup, host
|
|
jq # JSON parser
|
|
curl # HTTP client
|
|
];
|
|
}
|