Adds nixos-module.nix with services.oubliette options (enable, package,
settings, configFile) and a hardened systemd service. Exposes the module
as nixosModules.default in flake.nix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Define version once in cmd/oubliette/main.go and use builtins.match
in flake.nix to extract it. Add versioning guidelines to CLAUDE.md.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add log_format config field ("text" default, "json" for structured
JSON output) to support machine-readable logging.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use subtle.ConstantTimeCompare for static credential checks to
prevent timing side-channel attacks
- Cap failCounts (100k) and rememberedCreds (10k) maps with eviction
to prevent memory exhaustion from botnet-scale scanning
- Sweep expired credentials on each auth attempt
- Add configurable max_connections (default 500) with semaphore to
limit concurrent connections and prevent goroutine/fd exhaustion
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
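
An added example, not code from the oubliette repository, showing the constant-time static credential check and the capped failure map named in the commit message above. The names `checkStatic` and `failTracker`, the SHA-256 pre-hash, and the evict-one-arbitrary-entry policy are assumptions of this example; the commit message does not state which entry is evicted.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sync"
)

// checkStatic compares a login attempt to one static credential. Hashing first
// (an assumption of this example) gives ConstantTimeCompare equal-length
// inputs; on a length mismatch it returns 0 immediately, revealing the length.
func checkStatic(user, pass, wantUser, wantPass string) bool {
	u, wu := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(wantUser))
	p, wp := sha256.Sum256([]byte(pass)), sha256.Sum256([]byte(wantPass))
	// Bitwise AND instead of && so both comparisons always run.
	return subtle.ConstantTimeCompare(u[:], wu[:])&subtle.ConstantTimeCompare(p[:], wp[:]) == 1
}

// failTracker counts failures per source IP and never tracks more than max keys.
type failTracker struct {
	mu     sync.Mutex
	max    int
	counts map[string]int
}

// record increments ip's count. If ip is new and the map is full, one
// arbitrary entry is evicted first (assumed policy) so memory stays bounded.
func (f *failTracker) record(ip string) int {
	f.mu.Lock()
	defer f.mu.Unlock()
	if _, ok := f.counts[ip]; !ok && len(f.counts) >= f.max {
		for victim := range f.counts {
			delete(f.counts, victim)
			break
		}
	}
	f.counts[ip]++
	return f.counts[ip]
}

func main() {
	// Constructed sample credentials and documentation-range addresses.
	fmt.Println(checkStatic("root", "hunter2", "root", "hunter2"))
	ft := &failTracker{max: 2, counts: map[string]int{}}
	for _, ip := range []string{"192.0.2.1", "192.0.2.2", "192.0.2.3"} {
		ft.record(ip)
	}
	fmt.Println(len(ft.counts))
}
```

Evicting an arbitrary entry keeps memory bounded but can forget a noisy source; a scanner that floods new addresses trades its own history for the cap.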
Add core SSH server with password authentication, per-IP failure
tracking, credential memory with TTL, and static credential support.
Includes TOML config loading with validation, Ed25519 host key
auto-generation, and a Nix package output.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>