misc/ssh_tg_notify: Ignore messages from trusted VPN subnet

2 years ago · 2efb214edd
parent c842c40c89
commit 2efb214edd
5 changed files with 19 additions and 1 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -20,6 +20,8 @@ zocker_authorized_keys_url: "https://git.banananet.work/zocker.keys"

 update_scripts_directory: "/root/update"

+tailscale_vpn_subnet: "100.64.0.0/10"
+
 backup_gpg_fingerprint: "73D09948B2392D688A45DC8393E1BD26F6B02FB7"
 backups_to_keep: 1
 backups_directory: "/backups"
@ -62,6 +64,7 @@ global_dns_debug_ttl: "{{ 60 }}" # mostly used if has_debug_instance to allow sh
 global_ssh_key_directory: "{{ global_public_key_directory }}/ssh"
 global_ssh_host_key_directory: "{{ global_ssh_key_directory }}/hosts"

+global_validate_python_script: "/usr/bin/python3 -m pylint --disable=C0114 %s"
 global_validate_shell_script: "/usr/bin/shellcheck %s" # TODO add "--format="
 global_validate_sshd_config: "/usr/sbin/sshd -t -f %s"
 global_validate_sudoers_file: "/usr/sbin/visudo -c -f %s"
--- a/roles/common/tasks/helpers.yml
+++ b/roles/common/tasks/helpers.yml
@ -24,6 +24,17 @@
  tags:
    - backups

+- name: Upload python helper scripts
+  copy:
+    src: "{{ item }}"
+    dest: "{{ global_helper_directory }}/{{ item }}"
+    owner: root
+    group: root
+    mode: "u=rwx,g=rx,o=rx"
+    validate: "{{ global_validate_python_script }}"
+  loop:
+    - check_subnet.py
+
 - name: Build and upload template helper scripts
  template:
    src: "{{ item }}"
--- a/roles/common/tasks/packages.yml
+++ b/roles/common/tasks/packages.yml
@ -24,6 +24,7 @@
      - pv # Required for scripting
      - python3
      - python3-apt # required for Ansible
+      - python3-ipy # required for helper check_subnet.py
      - python3-pip
      - python3-yaml # required for scripting
      - sed # required for scripting
--- a/roles/misc/ssh_tg_notify/defaults/main.yml
+++ b/roles/misc/ssh_tg_notify/defaults/main.yml
@ -5,6 +5,8 @@ notify_script: "{{ notify_directory }}/telegram.sh"
 notify_cache_directory: "{{ notify_directory }}/cache"
 notify_users_directory: "{{ notify_directory }}/users"

+trusted_vpn_subnet: "{{ tailscale_vpn_subnet }}"
+
 # recipient_id
 bot_key: "{{ global_telegram_server_bot_key }}"
 timeout: 10
--- a/roles/misc/ssh_tg_notify/templates/notify.sh
+++ b/roles/misc/ssh_tg_notify/templates/notify.sh
@ -4,6 +4,7 @@
 USER_ID_DIR={{ notify_users_directory | quote }}
 CACHE_DIR={{ notify_cache_directory | quote }}
 KEY={{ bot_key | quote }}
+VPN_SUBNET={{ trusted_vpn_subnet | quote }}

 TIMEOUT={{ timeout | quote }}

@ -17,7 +18,7 @@ sendMessage() {
    curl -s --max-time "$TIMEOUT" -H "Content-Type: application/x-www-form-urlencoded" -d "chat_id=$1" -d "disable_web_page_preview=1" -d "parse_mode=Markdown" -d "text=$2" "$URL" >/dev/null
 }

-if [[ "$PAM_SERVICE" == "sshd" && "$PAM_TYPE" == "open_session" && "$PAM_USER" != "git" && -z "$TMUX" && -n "$PAM_RHOST" ]]; then
+if [[ "$PAM_SERVICE" == "sshd" && "$PAM_TYPE" == "open_session" && "$PAM_USER" != "git" && -z "$TMUX" && -n "$PAM_RHOST" ]] && ! /ansible/helpers/check_subnet.py "$PAM_RHOST" "$VPN_SUBNET"; then
    IP="$PAM_RHOST"
    cache_file="${CACHE_DIR}/${IP}-${PAM_USER}"
    cache_mtime=$(stat --format="%Y" "$cache_file" 2>/dev/null)