7faa9098de
Restructure around a single entry point (automations.sh) with a Gum wizard and a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
32 lines
1.3 KiB
Plaintext
# ssh-notify.conf -- config for /opt/scripts/ntfy-ssh-login.sh (the pam_exec
# SSH-login notifier). Installed at /etc/ssh-notify.conf (mode 0600 -- it may
# hold a token). The harden scripts generate it from NTFY_* env vars; this is
# the reference for every key.

# Destination ntfy topic URL. REQUIRED -- the notifier is a no-op if empty.
NTFY_URL="https://msg-1.srvno.de/canary"

# Bearer token for publishing. Optional: leave empty if the topic allows
# unauthenticated publish (e.g. read-gated). Kept here so it stays out of the
# script and the file can be 0600.
NTFY_TOKEN=""

# Optional ntfy headers.
NTFY_EMAIL="sysadmin@example.com"
NTFY_TITLE="Bastion Notification"
NTFY_PRIORITY="min"

# Region tag added to X-Tags so you can tell which bastion/location fired the
# alert (e.g. us-evi-1). The harden scripts default this to the region segment
# of the host's own FQDN when present.
NTFY_REGION="us-evi-1"

# --- Who to notify for (security-level filter) ---
# Space-separated group list: only notify when the logging-in user belongs to
# one of these groups. Empty => notify for every login.
NOTIFY_GROUPS="ssh-admins ssh-jumpers"

# Optional per-group priority overrides: "group:priority" entries. Lets you,
# e.g., page loudly for admins but whisper for routine jumpers.
NOTIFY_PRIORITY_MAP="ssh-admins:high ssh-jumpers:min"
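How the NOTIFY_GROUPS filter and NOTIFY_PRIORITY_MAP overrides above can be resolved into a notify/skip decision and a priority for one login, as an added POSIX sh example; it is not the repo's ntfy-ssh-login.sh, and it assumes the first group listed in NOTIFY_GROUPS that the user belongs to wins and that the caller supplies the user's group list (in a pam_exec hook that would come from `id -Gn "$PAM_USER"`).

```shell
# Constructed values mirroring the reference config above; in the real hook
# these come from sourcing /etc/ssh-notify.conf.
NOTIFY_GROUPS="ssh-admins ssh-jumpers"
NOTIFY_PRIORITY_MAP="ssh-admins:high ssh-jumpers:min"
NTFY_PRIORITY="min"

# notify_priority "GROUP1 GROUP2 ..."
# Prints the ntfy priority to use for this login and returns 0, or prints
# nothing and returns 1 when the login is filtered out (no alert sent).
notify_priority() {
    user_groups="$1"

    # Empty filter means every login is reported at the default priority.
    if [ -z "$NOTIFY_GROUPS" ]; then
        printf '%s\n' "$NTFY_PRIORITY"
        return 0
    fi

    # Walk the filter in config order; the first group the user is in decides.
    for g in $NOTIFY_GROUPS; do
        case " $user_groups " in
            *" $g "*)
                # Look for a "group:priority" override for the matched group.
                for entry in $NOTIFY_PRIORITY_MAP; do
                    case "$entry" in
                        "$g":*) printf '%s\n' "${entry#*:}"; return 0 ;;
                    esac
                done
                # No override: fall back to the global NTFY_PRIORITY.
                printf '%s\n' "$NTFY_PRIORITY"
                return 0
                ;;
        esac
    done

    # User is in none of the listed groups: skip the notification.
    return 1
}

# Stand-alone demonstration: admin login is paged at "high", a plain user is skipped.
if prio=$(notify_priority "ssh-admins wheel"); then
    echo "admin login -> notify at priority: $prio"
fi
notify_priority "users" || echo "plain user login -> filtered, no alert"
```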