lol

nixos/endlessh-go: init module

+210
+7
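--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -241,6 +241,13 @@
 </listitem>
 <listitem>
 <para>
+<link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>,
+an SSH tarpit that exposes Prometheus metrics. Available as
+<link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>.
+</para>
+</listitem>
+<listitem>
+<para>
 <link xlink:href="https://netbird.io">netbird</link>, a zero
 configuration VPN. Available as
 <link xlink:href="options.html#opt-services.netbird.enable">services.netbird</link>.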
+2
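--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -87,6 +87,8 @@
 
 - [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
 
+- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
+
 - [netbird](https://netbird.io), a zero configuration VPN.
 Available as [services.netbird](options.html#opt-services.netbird.enable).
 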
+1
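--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1000,6 +1000,7 @@
 ./services/security/certmgr.nix
 ./services/security/cfssl.nix
 ./services/security/clamav.nix
+./services/security/endlessh-go.nix
 ./services/security/fail2ban.nix
 ./services/security/fprintd.nix
 ./services/security/haka.nix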
+138
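--- a/nixos/modules/services/security/endlessh-go.nix
+++ b/nixos/modules/services/security/endlessh-go.nix
@@ -0,0 +1,138 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.endlessh-go;
+in
+{
+  options.services.endlessh-go = {
+    enable = mkEnableOption (mdDoc "endlessh-go service");
+
+    listenAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      example = "[::]";
+      description = mdDoc ''
+        Interface address to bind the endlessh-go daemon to SSH connections.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 2222;
+      example = 22;
+      description = mdDoc ''
+        Specifies on which port the endlessh-go daemon listens for SSH
+        connections.
+
+        Setting this to `22` may conflict with {option}`services.openssh`.
+      '';
+    };
+
+    prometheus = {
+      enable = mkEnableOption (mdDoc "Prometheus integration");
+
+      listenAddress = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        example = "[::]";
+        description = mdDoc ''
+          Interface address to bind the endlessh-go daemon to answer Prometheus
+          queries.
+        '';
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 2112;
+        example = 9119;
+        description = mdDoc ''
+          Specifies on which port the endlessh-go daemon listens for Prometheus
+          queries.
+        '';
+      };
+    };
+
+    extraOptions = mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      example = [ "-conn_type=tcp4" "-max_clients=8192" ];
+      description = mdDoc ''
+        Additional command line options to pass to the endlessh-go daemon.
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to open a firewall port for the SSH listener.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.endlessh-go = {
+      description = "SSH tarpit";
+      requires = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig =
+        let
+          needsPrivileges = cfg.port < 1024 || cfg.prometheus.port < 1024;
+          capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
+          rootDirectory = "/run/endlessh-go";
+        in
+        {
+          Restart = "always";
+          ExecStart = with cfg; concatStringsSep " " ([
+            "${pkgs.endlessh-go}/bin/endlessh-go"
+            "-logtostderr"
+            "-host=${listenAddress}"
+            "-port=${toString port}"
+          ] ++ optionals prometheus.enable [
+            "-enable_prometheus"
+            "-prometheus_host=${prometheus.listenAddress}"
+            "-prometheus_port=${toString prometheus.port}"
+          ] ++ extraOptions);
+          DynamicUser = true;
+          RootDirectory = rootDirectory;
+          BindReadOnlyPaths = [ builtins.storeDir ];
+          InaccessiblePaths = [ "-+${rootDirectory}" ];
+          RuntimeDirectory = baseNameOf rootDirectory;
+          RuntimeDirectoryMode = "700";
+          AmbientCapabilities = capabilities;
+          CapabilityBoundingSet = capabilities;
+          UMask = "0077";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = !needsPrivileges;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          ProtectProc = "noaccess";
+          ProcSubset = "pid";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+        };
+    };
+
+    networking.firewall.allowedTCPPorts = with cfg;
+      optionals openFirewall [ port prometheus.port ];
+  };
+
+  meta.maintainers = with maintainers; [ azahi ];
+}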
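Review bot: `openFirewall` opens `prometheus.port` unconditionally on new line 134, even when `prometheus.enable` is false, and the option's own description on line 70 says it covers only the SSH listener; together with the `0.0.0.0` default for `prometheus.listenAddress` on line 38, setting the flag exposes the metrics endpoint on every interface, or opens an unused port. Gate the Prometheus port on its own switch, `optionals openFirewall ([ port ] ++ optionals prometheus.enable [ prometheus.port ]);`, and reword the description to say both listener ports are opened (or add a separate `prometheus.openFirewall` option). A minor ordering point: `requires = [ "network.target" ];` on line 78 declares a dependency but no ordering, so the unit can start before the target is reached; the usual pairing is `after = [ "network.target" ];` alongside it.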
+1
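--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -142,6 +142,7 @@
 ejabberd = handleTest ./xmpp/ejabberd.nix {};
 elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
 emacs-daemon = handleTest ./emacs-daemon.nix {};
+endlessh-go = handleTest ./endlessh-go.nix {};
 engelsystem = handleTest ./engelsystem.nix {};
 enlightenment = handleTest ./enlightenment.nix {};
 env = handleTest ./env.nix {};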
+58
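--- a/nixos/tests/endlessh-go.nix
+++ b/nixos/tests/endlessh-go.nix
@@ -0,0 +1,58 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+{
+  name = "endlessh-go";
+  meta.maintainers = with lib.maintainers; [ azahi ];
+
+  nodes = {
+    server = { ... }: {
+      services.endlessh-go = {
+        enable = true;
+        prometheus.enable = true;
+        openFirewall = true;
+      };
+
+      specialisation = {
+        unprivileged.configuration = {
+          services.endlessh-go = {
+            port = 2222;
+            prometheus.port = 9229;
+          };
+        };
+
+        privileged.configuration = {
+          services.endlessh-go = {
+            port = 22;
+            prometheus.port = 92;
+          };
+        };
+      };
+    };
+
+    client = { pkgs, ... }: {
+      environment.systemPackages = with pkgs; [ curl netcat ];
+    };
+  };
+
+  testScript = ''
+    def activate_specialisation(name: str):
+        server.succeed(f"/run/booted-system/specialisation/{name}/bin/switch-to-configuration test >&2")
+
+    start_all()
+
+    with subtest("Unprivileged"):
+        activate_specialisation("unprivileged")
+        server.wait_for_unit("endlessh-go.service")
+        server.wait_for_open_port(2222)
+        server.wait_for_open_port(9229)
+        client.succeed("nc -dvW5 server 2222")
+        client.succeed("curl -kv server:9229/metrics")
+
+    with subtest("Privileged"):
+        activate_specialisation("privileged")
+        server.wait_for_unit("endlessh-go.service")
+        server.wait_for_open_port(22)
+        server.wait_for_open_port(92)
+        client.succeed("nc -dvW5 server 22")
+        client.succeed("curl -kv server:92/metrics")
+  '';
+})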
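Review bot: `client.succeed("curl -kv server:9229/metrics")` on new line 48 (and line 56) only proves that a TCP connection and an HTTP exchange happened; curl exits 0 on a 404 or 500 unless `-f` is given, so the subtest still passes if the metrics handler is not mounted. Use `client.succeed("curl -fsS server:9229/metrics")` and the same for port 92; `-k` is also redundant because the request is plain HTTP, not TLS. The `nc -dvW5` calls are a reasonable through-the-firewall reachability check, but since `wait_for_open_port` already established the listener on the server side, the curl assertions are the only lines actually exercising the Prometheus integration, so it is worth making them strict.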
+3
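--- a/pkgs/servers/endlessh-go/default.nix
+++ b/pkgs/servers/endlessh-go/default.nix
@@ -1,6 +1,7 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
+, nixosTests
 }:
 
 buildGoModule rec {
@@ -17,6 +18,8 @@
 vendorSha256 = "sha256-YGVLntDnOX55IoIHIn0z1K7V/PhRLruEASfAGQsTUkk=";
 
 ldflags = [ "-s" "-w" ];
+
+passthru.tests = nixosTests.endlessh-go;
 
 meta = with lib; {
 description = "An implementation of endlessh exporting Prometheus metrics";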