# Oubliette

An SSH honeypot that logs login attempts, presents fake shells to "successful" logins, and tries to detect when a real human is poking around.

Named after the medieval dungeon - a place you throw people into and forget about them.

## Status

Early development. See `PLAN.md` for the roadmap.

## Usage

### Build

```sh
# With Nix
nix build

# With Go
nix develop -c go build ./cmd/oubliette
```

### Configure

Copy and edit the example config:

```sh
cp oubliette.toml.example oubliette.toml
```

Key settings:
- `ssh.listen_addr` — listen address (default `:2222`)
- `ssh.host_key_path` — Ed25519 host key, auto-generated if missing
- `auth.accept_after` — accept login after N failures per IP (default `10`)
- `auth.credential_ttl` — how long to remember accepted credentials (default `24h`)
- `auth.static_credentials` — always-accepted username/password pairs
- `storage.db_path` — SQLite database path (default `oubliette.db`)
- `storage.retention_days` — auto-prune records older than N days (default `90`)
- `storage.retention_interval` — how often to run retention (default `1h`)

### Run

```sh
./oubliette -config oubliette.toml
```

Test with:

```sh
ssh -o StrictHostKeyChecking=no -p 2222 root@localhost
```

### NixOS Module

Add the flake as an input and enable the service:

```nix
{
  services.oubliette = {
    enable = true;
    package = inputs.oubliette.packages.${system}.default;
    settings = {
      ssh.listen_addr = ":2222";
      auth.accept_after = 10;
      auth.static_credentials = [
        { username = "root"; password = "toor"; }
      ];
    };
  };
}
```

Alternatively, use `configFile` to pass a pre-written TOML file instead of `settings`.