nixpkgs/nixos/modules/services/networking/kippo.nix

# NixOS module for kippo honeypot ssh server
# See all the options for configuration details.
#
# Default port is 2222. Recommend using something like this for port redirection to default SSH port:
# networking.firewall.extraCommands = ''
#      iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222'';
#
# Lastly: use this service at your own risk. I am working on a way to run this inside a VM.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.kippo;
in
rec {
  options = {
    services.kippo = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''Enable the kippo honeypot ssh server.'';
      };
      port = mkOption {
        default = 2222;
        type = types.int;
        description = ''TCP port number for kippo to bind to.'';
      };
      hostname = mkOption {
        default = "nas3";
        type = types.string;
        description = ''Hostname for kippo to present to SSH login'';
      };
      varPath = mkOption {
        default = "/var/lib/kippo";
        type = types.string;
        description = ''Path of read/write files needed for operation and configuration.'';
      };
      logPath = mkOption {
        default = "/var/log/kippo";
        type = types.string;
        description = ''Path of log files needed for operation and configuration.'';
      };
      pidPath = mkOption {
        default = "/run/kippo";
        type = types.string;
        description = ''Path of pid files needed for operation.'';
      };
      extraConfig = mkOption {
        default = "";
        type = types.string;
        description = ''Extra verbatim configuration added to the end of kippo.cfg.'';
      };
    };

  };
  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs.pythonPackages; [
      python twisted_11 pycrypto pyasn1 ];

    environment.etc."kippo.cfg".text = ''
        # Automatically generated by NixOS.
        # See ${pkgs.kippo}/src/kippo.cfg for details.
        [honeypot]
        log_path = ${cfg.logPath}
        download_path = ${cfg.logPath}/dl
        filesystem_file = ${cfg.varPath}/honeyfs
        filesystem_file = ${cfg.varPath}/fs.pickle
        data_path = ${cfg.varPath}/data
        txtcmds_path = ${cfg.varPath}/txtcmds
        public_key = ${cfg.varPath}/keys/public.key
        private_key = ${cfg.varPath}/keys/private.key
        ssh_port = ${toString cfg.port}
        hostname = ${cfg.hostname}
        ${cfg.extraConfig}
    '';

    users.extraUsers = singleton {
      name = "kippo";
      description = "kippo web server privilege separation user";
      uid = 108; # why does config.ids.uids.kippo give an error?
    };
    users.extraGroups = singleton { name = "kippo";gid=108; };

    systemd.services.kippo = with pkgs; {
      description = "Kippo Web Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.pythonPackages.twisted_11}/lib/python2.7/site-packages/:.";
      preStart = ''
        if [ ! -d ${cfg.varPath}/ ] ; then
            mkdir -p ${cfg.logPath}/tty
            mkdir -p ${cfg.logPath}/dl
            mkdir -p ${cfg.varPath}/keys
            cp ${pkgs.kippo}/src/honeyfs ${cfg.varPath} -r
            cp ${pkgs.kippo}/src/fs.pickle ${cfg.varPath}/fs.pickle
            cp ${pkgs.kippo}/src/data ${cfg.varPath} -r
            cp ${pkgs.kippo}/src/txtcmds ${cfg.varPath} -r

            chmod u+rw ${cfg.varPath} -R
            chown kippo.kippo ${cfg.varPath} -R
            chown kippo.kippo ${cfg.logPath} -R
            chmod u+rw ${cfg.logPath} -R
        fi
        if [ ! -d ${cfg.pidPath}/ ] ; then
            mkdir -p ${cfg.pidPath}
            chmod u+rw ${cfg.pidPath}
            chown kippo.kippo ${cfg.pidPath}
        fi
      '';

      serviceConfig.ExecStart = "${pkgs.pythonPackages.twisted_11}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
      serviceConfig.PermissionsStartOnly = true;
      serviceConfig.User = "kippo"; 
      serviceConfig.Group = "kippo"; 
    };
};
}
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`# NixOS module for kippo honeypot ssh server`
			`# See all the options for configuration details.`
			`#`
			`# Default port is 2222. Recommend using something like this for port redirection to default SSH port:`
			`# networking.firewall.extraCommands = ''`
			`# iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222'';`
			`#`
			`# Lastly: use this service at your own risk. I am working on a way to run this inside a VM.`
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
			`with lib;`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`let`
			`cfg = config.services.kippo;`
			`in`
			`rec {`
			`options = {`
			`services.kippo = {`
			`enable = mkOption {`
			`default = false;`
types.uniq types.bool -> types.bool 2015-06-15 18:10:26 +02:00			`type = types.bool;`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`description = ''Enable the kippo honeypot ssh server.'';`
			`};`
			`port = mkOption {`
			`default = 2222;`
types.uniq types.int -> types.int types.int already implies uniqueness. 2015-06-15 18:11:32 +02:00			`type = types.int;`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`description = ''TCP port number for kippo to bind to.'';`
			`};`
			`hostname = mkOption {`
			`default = "nas3";`
			`type = types.string;`
			`description = ''Hostname for kippo to present to SSH login'';`
			`};`
			`varPath = mkOption {`
			`default = "/var/lib/kippo";`
			`type = types.string;`
			`description = ''Path of read/write files needed for operation and configuration.'';`
			`};`
			`logPath = mkOption {`
			`default = "/var/log/kippo";`
			`type = types.string;`
			`description = ''Path of log files needed for operation and configuration.'';`
			`};`
			`pidPath = mkOption {`
			`default = "/run/kippo";`
			`type = types.string;`
			`description = ''Path of pid files needed for operation.'';`
			`};`
			`extraConfig = mkOption {`
			`default = "";`
			`type = types.string;`
			`description = ''Extra verbatim configuration added to the end of kippo.cfg.'';`
			`};`
			`};`

			`};`
			`config = mkIf cfg.enable {`
			`environment.systemPackages = with pkgs.pythonPackages; [`
kippo: revert twisted dependency 2016-02-22 13:47:37 -05:00			`python twisted_11 pycrypto pyasn1 ];`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00
			`environment.etc."kippo.cfg".text = ''`
			`# Automatically generated by NixOS.`
			`# See ${pkgs.kippo}/src/kippo.cfg for details.`
			`[honeypot]`
			`log_path = ${cfg.logPath}`
			`download_path = ${cfg.logPath}/dl`
			`filesystem_file = ${cfg.varPath}/honeyfs`
			`filesystem_file = ${cfg.varPath}/fs.pickle`
			`data_path = ${cfg.varPath}/data`
			`txtcmds_path = ${cfg.varPath}/txtcmds`
			`public_key = ${cfg.varPath}/keys/public.key`
			`private_key = ${cfg.varPath}/keys/private.key`
			`ssh_port = ${toString cfg.port}`
			`hostname = ${cfg.hostname}`
			`${cfg.extraConfig}`
			`'';`

			`users.extraUsers = singleton {`
			`name = "kippo";`
			`description = "kippo web server privilege separation user";`
UID/GID fix for kippo 2014-03-12 03:32:56 -04:00			`uid = 108; # why does config.ids.uids.kippo give an error?`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`};`
UID/GID fix for kippo 2014-03-12 03:32:56 -04:00			`users.extraGroups = singleton { name = "kippo";gid=108; };`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00
			`systemd.services.kippo = with pkgs; {`
			`description = "Kippo Web Server";`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
kippo: revert twisted dependency 2016-02-22 13:47:37 -05:00			`environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.pythonPackages.twisted_11}/lib/python2.7/site-packages/:.";`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`preStart = ''`
kippo: fix check for pidPath 2015-08-07 01:01:22 -04:00			`if [ ! -d ${cfg.varPath}/ ] ; then`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`mkdir -p ${cfg.logPath}/tty`
			`mkdir -p ${cfg.logPath}/dl`
			`mkdir -p ${cfg.varPath}/keys`
			`cp ${pkgs.kippo}/src/honeyfs ${cfg.varPath} -r`
			`cp ${pkgs.kippo}/src/fs.pickle ${cfg.varPath}/fs.pickle`
			`cp ${pkgs.kippo}/src/data ${cfg.varPath} -r`
			`cp ${pkgs.kippo}/src/txtcmds ${cfg.varPath} -r`

			`chmod u+rw ${cfg.varPath} -R`
			`chown kippo.kippo ${cfg.varPath} -R`
			`chown kippo.kippo ${cfg.logPath} -R`
			`chmod u+rw ${cfg.logPath} -R`
			`fi`
kippo: fix check for pidPath 2015-08-07 01:01:22 -04:00			`if [ ! -d ${cfg.pidPath}/ ] ; then`
			`mkdir -p ${cfg.pidPath}`
			`chmod u+rw ${cfg.pidPath}`
			`chown kippo.kippo ${cfg.pidPath}`
			`fi`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`'';`

kippo: revert twisted dependency 2016-02-22 13:47:37 -05:00			`serviceConfig.ExecStart = "${pkgs.pythonPackages.twisted_11}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";`
Adds kippo SSH honeypot 2014-01-11 17:15:11 -05:00			`serviceConfig.PermissionsStartOnly = true;`
			`serviceConfig.User = "kippo";`
			`serviceConfig.Group = "kippo";`
			`};`
			`};`
			`}`