# ssh-notify.conf -- config for /opt/scripts/ntfy-ssh-login.sh (the pam_exec # SSH-login notifier). Installed at /etc/ssh-notify.conf (mode 0600 -- it may # hold a token). The harden scripts generate it from NTFY_* env vars; this is # the reference of every key. # Destination ntfy topic URL. REQUIRED -- the notifier is a no-op if empty. NTFY_URL="https://msg-1.srvno.de/canary" # Bearer token for publishing. Optional: leave empty if the topic allows # unauthenticated publish (e.g. read-gated). Kept here so it stays out of the # script and the file can be 0600. NTFY_TOKEN="" # Optional ntfy headers. NTFY_EMAIL="sysadmin@example.com" NTFY_TITLE="Bastion Notification" NTFY_PRIORITY="min" # Region tag added to X-Tags so you can tell which bastion/location fired the # alert (e.g. us-evi-1). The harden scripts default this to the region segment # of the host's own FQDN when present. NTFY_REGION="us-evi-1" # --- Who to notify for (security-level filter) --- # Space-separated group list: only notify when the logging-in user belongs to # one of these groups. Empty => notify for every login. NOTIFY_GROUPS="ssh-admins ssh-jumpers" # Optional per-group priority overrides: "group:priority" entries. Lets you, # e.g., page loudly for admins but whisper for routine jumpers. NOTIFY_PRIORITY_MAP="ssh-admins:high ssh-jumpers:min"