From 2efb214edd9191967756c9e5dd315ab3db121062 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Sat, 3 Sep 2022 14:58:43 +0200
Subject: [PATCH] misc/ssh_tg_notify: Ignore messages from trusted VPN subnet
---
 group_vars/all/vars.yml | 3 +++
 roles/common/tasks/helpers.yml | 11 +++++++++++
 roles/common/tasks/packages.yml | 1 +
 roles/misc/ssh_tg_notify/defaults/main.yml | 2 ++
 roles/misc/ssh_tg_notify/templates/notify.sh | 3 ++-
 5 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 147a44f..2458b1f 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -20,6 +20,8 @@ zocker_authorized_keys_url: "https://git.banananet.work/zocker.keys"
 update_scripts_directory: "/root/update"
+tailscale_vpn_subnet: "100.64.0.0/10"
+
 backup_gpg_fingerprint: "73D09948B2392D688A45DC8393E1BD26F6B02FB7"
 backups_to_keep: 1
 backups_directory: "/backups"
@@ -62,6 +64,7 @@ global_dns_debug_ttl: "{{ 60 }}" # mostly used if has_debug_instance to allow sh
 global_ssh_key_directory: "{{ global_public_key_directory }}/ssh"
 global_ssh_host_key_directory: "{{ global_ssh_key_directory }}/hosts"
+global_validate_python_script: "/usr/bin/python3 -m pylint --disable=C0114 %s"
 global_validate_shell_script: "/usr/bin/shellcheck %s" # TODO add "--format="
 global_validate_sshd_config: "/usr/sbin/sshd -t -f %s"
 global_validate_sudoers_file: "/usr/sbin/visudo -c -f %s"
diff --git a/roles/common/tasks/helpers.yml b/roles/common/tasks/helpers.yml
index 87fb5c9..4156e72 100644
--- a/roles/common/tasks/helpers.yml
+++ b/roles/common/tasks/helpers.yml
@@ -24,6 +24,17 @@
 tags:
 - backups
+- name: Upload python helper scripts
+ copy:
+ src: "{{ item }}"
+ dest: "{{ global_helper_directory }}/{{ item }}"
+ owner: root
+ group: root
+ mode: "u=rwx,g=rx,o=rx"
+ validate: "{{ global_validate_python_script }}"
+ loop:
+ - check_subnet.py
+
 - name: Build and upload template helper scripts
 template:
 src: "{{ item }}"
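Review bot: `global_validate_python_script` runs pylint as the `validate` command, but pylint's exit status is a bitmask over every message category (fatal, error, warning, refactor, convention), so the copy task that uses it will reject the upload for any lint finding, not only for a script that does not parse. If the purpose is a sanity check before the helper lands in `global_helper_directory`, a narrower command such as `/usr/bin/python3 -m pylint --disable=all --enable=E,F %s` (or `/usr/bin/python3 -m py_compile %s` for a pure syntax check) keeps deployments from failing on style findings; the temporary file Ansible substitutes for `%s` also carries a generated name, so name-based checks could presumably fire as well. pylint additionally has to be installed on every managed host, and the packages.yml hunk in this commit adds only python3-ipy, so its presence elsewhere in the package list should be confirmed. A short comment above the variable stating which classes of pylint messages are meant to block the copy would make the intent explicit.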
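Review bot: The new copy task reads `check_subnet.py` from the role's files directory, but that file is not among the five files listed in this commit's diffstat, so unless roles/common/files/check_subnet.py already exists in the repository the task fails at the `src` lookup and the notify script never gets its helper. The task builds `dest` from `global_helper_directory`, whereas the notify.sh hunk in this same commit calls the helper at the literal path `/ansible/helpers/check_subnet.py`; both should derive from the same variable, e.g. in the template `! {{ (global_helper_directory ~ '/check_subnet.py') | quote }} "$PAM_RHOST" "$VPN_SUBNET"`, so a changed helper directory cannot silently break the check. Because the task validates with `{{ global_validate_python_script }}`, deploying this helper now depends on pylint being present on the host; a comment above the task such as `# validated with pylint before install; see global_validate_python_script` would make that dependency visible.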
diff --git a/roles/common/tasks/packages.yml b/roles/common/tasks/packages.yml
index 914c85c..8ed4daf 100644
--- a/roles/common/tasks/packages.yml
+++ b/roles/common/tasks/packages.yml
@@ -24,6 +24,7 @@
 - pv # Required for scripting
 - python3
 - python3-apt # required for Ansible
+ - python3-ipy # required for helper check_subnet.py
 - python3-pip
 - python3-yaml # required for scripting
 - sed # required for scripting
diff --git a/roles/misc/ssh_tg_notify/defaults/main.yml b/roles/misc/ssh_tg_notify/defaults/main.yml
index b211de0..c611599 100644
--- a/roles/misc/ssh_tg_notify/defaults/main.yml
+++ b/roles/misc/ssh_tg_notify/defaults/main.yml
@@ -5,6 +5,8 @@ notify_script: "{{ notify_directory }}/telegram.sh"
 notify_cache_directory: "{{ notify_directory }}/cache"
 notify_users_directory: "{{ notify_directory }}/users"
+trusted_vpn_subnet: "{{ tailscale_vpn_subnet }}"
+
 # recipient_id
 bot_key: "{{ global_telegram_server_bot_key }}"
 timeout: 10
diff --git a/roles/misc/ssh_tg_notify/templates/notify.sh b/roles/misc/ssh_tg_notify/templates/notify.sh
index d9e47d5..99f3bbc 100644
--- a/roles/misc/ssh_tg_notify/templates/notify.sh
+++ b/roles/misc/ssh_tg_notify/templates/notify.sh
@@ -4,6 +4,7 @@ USER_ID_DIR={{ notify_users_directory | quote }}
 CACHE_DIR={{ notify_cache_directory | quote }}
 KEY={{ bot_key | quote }}
+VPN_SUBNET={{ trusted_vpn_subnet | quote }}
 TIMEOUT={{ timeout | quote }}
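Review bot: `trusted_vpn_subnet` defaults to the whole of `tailscale_vpn_subnet` (100.64.0.0/10), which is the shared CGNAT block Tailscale allocates its node addresses from rather than a range this deployment owns, so any other source inside that block — a second overlay network, or a provider that hands out CGNAT space on an internal interface — would be treated as trusted and its SSH logins would go unreported. Since the variable's only effect is to silence a login notification, it deserves a comment above it in defaults/main.yml, e.g. `# Logins whose PAM_RHOST falls inside this subnet are not reported; defaults to the Tailscale CGNAT block`, and hosts whose tailnet uses a narrower range can override it with that range. The `# recipient_id` line that follows the new blank line appears to describe `bot_key`, which the insertion now separates from it less clearly; keeping the new key above the existing blank line would preserve that grouping.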
@@ -17,7 +18,7 @@ sendMessage() {
 curl -s --max-time "$TIMEOUT" -H "Content-Type: application/x-www-form-urlencoded" -d "chat_id=$1" -d "disable_web_page_preview=1" -d "parse_mode=Markdown" -d "text=$2" "$URL" >/dev/null
 }
-if [[ "$PAM_SERVICE" == "sshd" && "$PAM_TYPE" == "open_session" && "$PAM_USER" != "git" && -z "$TMUX" && -n "$PAM_RHOST" ]]; then
+if [[ "$PAM_SERVICE" == "sshd" && "$PAM_TYPE" == "open_session" && "$PAM_USER" != "git" && -z "$TMUX" && -n "$PAM_RHOST" ]] && ! /ansible/helpers/check_subnet.py "$PAM_RHOST" "$VPN_SUBNET"; then
 IP="$PAM_RHOST"
 cache_file="${CACHE_DIR}/${IP}-${PAM_USER}"
 cache_mtime=$(stat --format="%Y" "$cache_file" 2>/dev/null)
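Review bot: The new condition treats every non-zero exit of `check_subnet.py` as "not inside the VPN subnet", so a missing helper, a missing python3-ipy package, or a `PAM_RHOST` the helper cannot parse (sshd passes a resolved hostname instead of an address when `UseDNS` is enabled, and an IPv6 peer compared against an IPv4 subnet presumably also fails) all fall through to sending the notification. That is the safe direction for a login-alerting hook, but it is implicit and the same exit code stands for both "not trusted" and "error"; a comment above the `if` such as `# helper exits 0 only for an address inside VPN_SUBNET; any failure falls back to notifying` records the intent so a later change does not invert it. The literal helper path is raised on the helpers.yml hunk, which builds the install location from `global_helper_directory`. The condition would also read more easily with the subnet check on a continuation line, e.g. ending the `[[ ... ]]` with `&& \` and placing `! /ansible/helpers/check_subnet.py "$PAM_RHOST" "$VPN_SUBNET"; then` on the next line; the body of this `if` continues outside the hunk.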