diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 07754a8..1a724f9 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -60,6 +60,8 @@ global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discove
 global_interfaces_directory: "/etc/network/interfaces.d"
+global_pamd: "/etc/pam.d"
+
 global_ssh_configuration_directory: "/etc/ssh/"
 global_ssh_configuration_environment_directory: "{{ global_configuration_environment_directory }}/ssh"
 global_ssh_configuration_link_name: "config"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 7b8c262..af99cce 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,18 +1,24 @@
 $ANSIBLE_VAULT;1.1;AES256
-64333965353537646136656630316237636563383764356461623238323836383466313230333531
-6131306336633661373335653663613538633662663438360a343839666263396139343735333462
-62333564383633326131646533313566306534623539393533333366356264623562643438653231
-6133396364663765300a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a393738326638663064323963366338
+31303332353439666363653839353932333338313830366566653534343739613036306465656137
+6366353730656230320a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
diff --git a/roles/misc/ssh_tg_notify/defaults/main.yml b/roles/misc/ssh_tg_notify/defaults/main.yml
new file mode 100644
index 0000000..f3b22d6
--- /dev/null
+++ b/roles/misc/ssh_tg_notify/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+
+notify_script: "{{ global_deployment_directory }}/ssh_notify/telegram.sh"
+
+# recipient_id
+bot_key: "{{ global_ssh_notify_telegram_bot_key }}"
+timeout: 10
diff --git a/roles/misc/ssh_tg_notify/tasks/main.yml b/roles/misc/ssh_tg_notify/tasks/main.yml
new file mode 100644
index 0000000..4be05ab
--- /dev/null
+++ b/roles/misc/ssh_tg_notify/tasks/main.yml
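Review bot: `global_pamd` breaks the naming pattern of its neighbours in this hunk (`global_interfaces_directory`, `global_ssh_configuration_directory`, `global_ssh_configuration_environment_directory`), which all name a directory with a `_directory` suffix, so a reader grepping for directory variables will miss it. A name such as `global_pamd_directory: "/etc/pam.d"` keeps the file consistent, and a one-line comment above it, `# PAM service configuration directory; roles append to "{{ global_pamd }}/sshd"`, tells the reader why a role is allowed to edit under it.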
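Review bot: `recipient_id` is a required input of this role with no default, but the defaults file documents it only as the bare comment `# recipient_id`, so a play that forgets to pass it fails late, with an undefined-variable error while `notify.sh` is being rendered. Replace the comment with something like `# recipient_id: Telegram chat id that receives the login notification (required, no default; set per play)`, and consider an `assert` that `recipient_id is defined` as the first task of the role so the failure is explicit and happens before any package is installed. `notify_script`, `bot_key` and `timeout` are unprefixed; Ansible role variables share one namespace, so a generic name like `timeout` can be overridden by, or override, another role's variable — the usual convention is to prefix them with the role name (`ssh_tg_notify_timeout`).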
@@ -0,0 +1,31 @@
+---
+
+- name: Install required packages
+ apt:
+ state: present
+ name:
+ - curl
+ - gawk
+
+- name: Create directory for notify script
+ file:
+ state: directory
+ path: "{{ notify_script | dirname }}"
+ owner: root
+ group: root
+ mode: u=rwx,g=rx,o=
+
+- name: Install notify script
+ template:
+ src: notify.sh
+ dest: "{{ notify_script }}"
+ owner: root
+ group: root
+ mode: u=rwx,g=rx,o=
+
+- name: Configure pam for ssh notify
+ lineinfile:
+ state: present
+ path: "{{ global_pamd }}/sshd"
+ regexp: "# Ansible: ssh_tg_notify$"
+ line: "session optional pam_exec.so {{ notify_script }} # Ansible: ssh_tg_notify"
diff --git a/roles/misc/ssh_tg_notify/templates/notify.sh b/roles/misc/ssh_tg_notify/templates/notify.sh
new file mode 100644
index 0000000..6af7096
--- /dev/null
+++ b/roles/misc/ssh_tg_notify/templates/notify.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# Modified version, original source: https://gitlab.com/snippets/1871482#note_188602535
+
+USERID={{ recipient_id | quote }}
+KEY={{ bot_key | quote }}
+
+TIMEOUT={{ timeout | quote }}
+URL="https://api.telegram.org/bot$KEY/sendMessage"
+if [ "$PAM_SERVICE" == "sshd" -a "$PAM_TYPE" == "open_session" -a "$PAM_USER" != "git" -a -z "$TMUX" ]; then
+ IP="$PAM_RHOST"
+ HOSTNAME=$(hostname --fqdn)
+ TEXT="Successful login from [$IP](https://ipinfo.io/$IP) for ${PAM_USER} @ ${HOSTNAME} ($(date "+%Y-%m-%d %H:%M"))"
+ curl -s --max-time $TIMEOUT -d "chat_id=$USERID" -d "disable_web_page_preview=1" -d "parse_mode=Markdown" -d "text=$TEXT" "$URL" > /dev/null
+fi
diff --git a/site.yml b/site.yml
index bb54a59..8639c2f 100644
--- a/site.yml
+++ b/site.yml
@@ -46,6 +46,8 @@
 password: "{{ zocker_password }}"
 authorized_keys: "{{ zocker_authorized_keys_url }}"
 sudo: yes
+ - role: misc/ssh_tg_notify
+ recipient_id: "{{ zocker_telegram_id }}"
 # Group specific configurations
 - name: Include configuration for group bwcloud
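Review bot: `gawk` is installed by the first task, but the `notify.sh` template shipped in this same commit never calls awk, so the package looks like a leftover from the upstream snippet and can be dropped from the `name` list; keeping the dependency list minimal matters for a role that touches the PAM stack of sshd. In the last task the script path is substituted into the `pam_exec.so` line unquoted; PAM splits module arguments on whitespace, so a `global_deployment_directory` containing a space would yield a malformed entry — either assert that `notify_script` contains no whitespace before the `lineinfile` task or wrap the argument in PAM's `[...]` quoting. Installing the script before the PAM line is added is the right order: `session optional` means a missing or failing script cannot block logins, but the hook is never referenced before it exists.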
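Review bot: The bot token is part of the URL that curl receives as a positional argument (`URL="https://api.telegram.org/bot$KEY/sendMessage"`), so while the request runs — up to `$TIMEOUT` seconds — it is readable in the process list by every local user; feed the URL to curl through a config read from stdin instead, e.g. `curl -s --max-time "$TIMEOUT" -d "chat_id=$USERID" -d "disable_web_page_preview=1" -d "parse_mode=Markdown" --data-urlencode "text=$TEXT" -K - <<< "url = \"$URL\"" > /dev/null`. The same line sends `text=$TEXT` with `-d`, which does not encode the value, so an `&` or `=` in `$PAM_RHOST` (a reverse-DNS name when sshd resolves the peer) or in the user name would split the message into extra form fields; `--data-urlencode` fixes that as shown. The `-z "$TMUX"` test in the `if` should always be true under pam_exec, since no user session environment exists yet at `open_session`, and the `"git"` exclusion is hard-coded where a role variable would match the rest of the template; `-a` inside `[ ]` is obsolete and `[[ ... && ... ]]` reads better in bash.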