Added role misc/ssh_tg_notify

- Added role to common site
- Added variables required to global vars and vault

group_vars/all/vars.yml

@@ -60,6 +60,8 @@ global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discove
 
 global_interfaces_directory: "/etc/network/interfaces.d"
 
+global_pamd: "/etc/pam.d"
+
 global_ssh_configuration_directory: "/etc/ssh/"
 global_ssh_configuration_environment_directory: "{{ global_configuration_environment_directory }}/ssh"
 global_ssh_configuration_link_name: "config"

group_vars/all/vault.yml

@@ -1,18 +1,24 @@
 $ANSIBLE_VAULT;1.1;AES256
-64333965353537646136656630316237636563383764356461623238323836383466313230333531
+63343063643236623632373437303138303636643862323961633739653032376333386666626162
-6131306336633661373335653663613538633662663438360a343839666263396139343735333462
+3738366330393339303030373430653162616138383261370a393738326638663064323963366338
-62333564383633326131646533313566306534623539393533333366356264623562643438653231
+31303332353439666363653839353932333338313830366566653534343739613036306465656137
-6133396364663765300a343766643036613262613062326532373738653538623333303933323237
+6366353730656230320a633334306135653163313435303037343138326137383765363666376262
-36313864346161356332663664386635333764393161646332643938623332386562313836653436
+63353237396637386663663535646363366639313961343037656162336664343832656331393535
-63353136373866373238356334363762363961653964333565343364306135616363376565623536
+33353534653738346331313034666237656630613439656164343234333161353939356435656634
-31353737643366353330343266613466343231653033336433343632353465353836616638636231
+63396134356138323064313365366537336137646432636131353734343130653066383862346461
-34313138633238313839616139633431653630306338373065623961656462316432353966363661
+66383364656233393839666462336661643730646633633135626331643366666135353437346633
-30393862373634373161326262363162343139313334613939613636633665613839353862346533
+37633838373339363332633134386637303561366238353538643837386332636439383034333434
-34353366333733303363323164613934633634353866393831333566626565383036373964386633
+31363866373161636431383862326137306466613361356337646133643630373332666434666133
-39316131363732353663626530333634616435316464633937656136386534383635643337323262
+66366564383161376234343135616531613238613131363834313764363366326163333562303061
-33643336616237323533353639666465363563363437306232313266646238623130616235623265
+31333734333336663037313333383632373130313631626533623139666265646530386464616135
-65323665383038343732643064316533666239633738666539373463626332386431303633333934
+30363462623136393730616337306163663763616430303530306361393834303661613864313830
-65386662346361653232643437346663303362623834623063363061396361303861363739373139
+33616161323535323865626639323132333131626662626161623234613136663961393063303739
-36346365366537356565373165663238626335616336373433343834346138656562333464323037
+61353632373265363761636235313430383237363938396534666663353336383234663561373833
-65613336336135343938373064623766353666623763323364343836643262653032626230383566
+63666364313539393831353833393763326432303035343830386663633534356362316130353866
-3466
+64383564666431343333626332356666633231653239363130386265363164356664326633623065
+61393636613162376334646661663232626534326562613235633434656466303435393233613233
+36666463316331366365643861633362386466663863316564656439633364616566373062306633
+66326464326138306130666631313830643236663134363166383264366139643861393565623537
+33376165396531323863626635323237363665363539613963376537373635323365616234313762
+66313934623631386432633861383136386464353932316534363836613038313934356331363737
+333931356137336563653162316563306636

roles/misc/ssh_tg_notify/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+notify_script: "{{ global_deployment_directory }}/ssh_notify/telegram.sh"
+
+# recipient_id
+bot_key: "{{ global_ssh_notify_telegram_bot_key }}"
+timeout: 10

roles/misc/ssh_tg_notify/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Install required packages
+  apt:
+    state: present
+    name:
+      - curl
+      - gawk
+
+- name: Create directory for notify script
+  file:
+    state: directory
+    path: "{{ notify_script | dirname }}"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=
+
+- name: Install notify script
+  template:
+    src: notify.sh
+    dest: "{{ notify_script }}"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=
+
+- name: Configure pam for ssh notify
+  lineinfile:
+    state: present
+    path: "{{ global_pamd }}/sshd"
+    regexp: "# Ansible: ssh_tg_notify$"
+    line: "session optional pam_exec.so {{ notify_script }} # Ansible: ssh_tg_notify"

roles/misc/ssh_tg_notify/templates/notify.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Modified version, original source: https://gitlab.com/snippets/1871482#note_188602535
+
+USERID={{ recipient_id | quote }}
+KEY={{ bot_key | quote }}
+
+TIMEOUT={{ timeout | quote }}
+URL="https://api.telegram.org/bot$KEY/sendMessage"
+if [ "$PAM_SERVICE" == "sshd" -a "$PAM_TYPE" == "open_session" -a "$PAM_USER" != "git" -a -z "$TMUX" ]; then
+    IP="$PAM_RHOST"
+    HOSTNAME=$(hostname --fqdn)
+    TEXT="Successful login from [$IP](https://ipinfo.io/$IP) for ${PAM_USER} @ ${HOSTNAME} ($(date "+%Y-%m-%d %H:%M"))"
+    curl -s --max-time $TIMEOUT -d "chat_id=$USERID" -d "disable_web_page_preview=1" -d "parse_mode=Markdown" -d "text=$TEXT" "$URL" > /dev/null
+fi

site.yml

@@ -46,6 +46,8 @@
       password: "{{ zocker_password }}"
       authorized_keys: "{{ zocker_authorized_keys_url }}"
       sudo: yes
+    - role: misc/ssh_tg_notify
+      recipient_id: "{{ zocker_telegram_id }}"
 
 # Group specific configurations
 - name: Include configuration for group bwcloud