mirror of
https://github.com/kittywitch/nixfiles.git
synced 2026-02-09 04:19:19 -08:00
feat: add improved alerting for various things
parent
ed4defc62f
commit
07ee692df8
11 changed files with 414 additions and 137 deletions
|
|
@ -13,7 +13,7 @@
|
|||
config.users.users);
|
||||
};
|
||||
in {
|
||||
security.pam.enableSSHAgentAuth = true;
|
||||
security.pam.sshAgentAuth.enable = true;
|
||||
security.sudo.enable = true;
|
||||
security.pam.services.sudo.sshAgentAuth = true;
|
||||
users.users = {
|
||||
|
|
|
|||
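--- a/nixos/common/login-notify.nix
+++ b/nixos/common/login-notify.nix
@@ -0,0 +1,32 @@
+{ pkgs, lib, config, ... }: let
+inherit (lib.modules) mkAfter mkDefault;
+in {
+sops.secrets.sshd-environment = {
+sopsFile = ./secrets.yaml;
+};
+security.pam.services.sshd.text = let
+notify = pkgs.writeShellScriptBin "notify" ''
+export $(cat ${config.sops.secrets.sshd-environment.path} | xargs)
+
+if [ "$PAM_USER" = "deploy" ]; then
+if [ "$PAM_TYPE" = "open_session" ]; then
+message="''${PAM_RHOST} has opened an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
+elif [ "$PAM_TYPE" = "close_session" ]; then
+message="''${PAM_RHOST} has closed an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
+fi
+else
+if [ "$PAM_TYPE" = "open_session" ]; then
+message="''${PAM_RHOST} opened an SSH session with ${config.networking.hostName} as user ''${PAM_USER}."
+elif [ "$PAM_TYPE" = "close_session" ]; then
+message="''${PAM_RHOST} closed their SSH session with ${config.networking.hostName} for user ''${PAM_USER}."
+fi
+fi
+
+if [ -n "$message" ]; then
+${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"$message\"}" $DISCORD_WEBHOOK_LINK
+fi
+'';
+in mkDefault (mkAfter ''
+session required pam_exec.so seteuid ${notify}/bin/notify
+'');
+}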
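Review bot: The PAM line `session required pam_exec.so seteuid ${notify}/bin/notify` ties SSH session setup to the webhook call succeeding: the script's exit status is curl's, and curl is given no timeout, so an unreachable or slow webhook endpoint can stall the login and make the required module fail. Consider `session optional pam_exec.so seteuid ${notify}/bin/notify` and adding `--max-time 10` to the curl call so alerting stays best-effort and cannot lock out or degrade logins. Separately, `$DISCORD_WEBHOOK_LINK` is unquoted and passed in argv, where other local users may be able to read the sops-protected URL from the process list, and `$message` is spliced into the JSON body without escaping; quoting the variable and building the body with a JSON encoder would tighten both.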
96
nixos/common/secrets.yaml
Normal file
96
nixos/common/secrets.yaml
Normal file
|
|
@ -0,0 +1,96 @@
|
|||
sshd-environment: ENC[AES256_GCM,data:lyzzRDxyNzBgrLthPjdJoXgkniCwLXFZE/GMpLlRzeSvAUN6yc8sFYTmvZiCe/t/33Yr5+BtOhAUI5JzTYJ/kc3Dg4ziB4KbHP4ejPtAb6x2UbEHcN6euPogwXR8lpeO9zJE4gWFOHoYJ4bLa1wuCYgbNkjWDYYHGEoWAMVDU6XYRb3riV21WWIQO/DbC7mAgw==,iv:ZysLG3x0wlxuTYnJrGtrTkjjduMoEOyiWWuC1nRIp4I=,tag:mlNO2yo7JkV2O7A2Da+EjQ==,type:str]
|
||||
sops:
|
||||
shamir_threshold: 1
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtY29iK1hkSjlvR0xrd25l
|
||||
dzhkME5jZGkwSEJEVVBXUW1Dbytka3BONlJVCjZCc2FBbHZ3dU0xRGlXbXZKTDJJ
|
||||
R21rb2laOFJWN0d4Q3NjWjJYNm4vWk0KLS0tIHRxSkNCSDBORG1mMmRvdmtqazZV
|
||||
VWpqVkRJZEc3d25oVDE0VEV5Vy96SWsKNH+E3PS2nGtRVjNYW3dAS3eGatkhTP5h
|
||||
y+UWPIjQfh1uAmo6Fdh6biIcKZGQBOKEsaTcpHsBfWnMeue3nqf8mw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvemVLSGttZ1lyTkwreXhK
|
||||
ZDNjQzhnZDNJcTZsSWNBWWcvNDJVUkhPZENRCmQxdkY3MVdSWE95QUpUN1VFcTVW
|
||||
QnpCQmVoUTVCWlk3UWNTQkhJRUFXT3MKLS0tIFRGUTNlbVYrcjYwNUxrSjMvWDdN
|
||||
dDJHMC9NazFlQ0tTb0E3TzRIWklLNU0KMCNhW8DXGDWYm2mlzAyikHvgQctt+WJI
|
||||
1hDcVfEL0cDOpxL7/aqbtCdwQcGE0+suTbVs+pe6kFvgex/oHiiYpw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nr0qds8w3gldmdvhwu0p6w2ys8f4sd0h3xy94h9dsafjzttaypxquzmswc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYnplUFIyZE1WNTBXSVJp
|
||||
eUNoRTFlZ01vTjMxcFRaU295M0R5U2pKT1h3CllZZmZROWsrSEZHSklqUXdGMWlN
|
||||
RkNXcVMxOGdzSmxBQlZRQTRiMnFxUkkKLS0tIDFKWnAvT3dobWxQOEU5aHBwMXVP
|
||||
czR0d1JpbkowUGJ3bHArREZ6WGlobjQKkxfq4O+LjtQTSsqmCCpjLaIJYB+9WI08
|
||||
2jnso1pI9oZ7sLkvN8vRnNO+9SORuuEpT6Hy7KybZM4UXpwnk/vvTw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFajQ3ME5KVnFXeFMvRnF4
|
||||
VTRiUjB5aXBpTXZ1c2hVM29DbnFFck1SMEdVClE4NCt0MDBQMkdNQ0YzTFk4WWhK
|
||||
b0hmMmxubEU0WG9kZTJDQ1N6VDV5OGcKLS0tIHI5S052V21mS1VRZ2NTbTJ6Y1gr
|
||||
V0RWRDFRWmtLWGl3UHhjMXZ2Vm9YTm8K5T3Vy5/Ovmlm86yAZ8VCNjBKHqHCMvtr
|
||||
jkOcVEkK4Fqj9nWCLu0wl2ZVbtsANc72CnXmZwxHaAUIPdx9xWEhig==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K1EvMXZZUHF4dHdkQisz
|
||||
K3NhL0hzTVBMUnhTK3VZaHVHUE1CNkFLTkNVCjNiSXl5MTMyQXczVkx5Q0l3VDUz
|
||||
MlpyK0U1b2RUSk1QNC9VTGVCSThHaFkKLS0tIHUrVzBEK0hhSVR1WVF5VTZnOGgz
|
||||
SWxOWktYVkZCNGVTZU9kaWFIbzVyb1EKkAGvXuomvWeTRWFM2kPfArqEpBL+NJ29
|
||||
GNDKxx3NQH0BEeudT7LZhj0mWn1963T8Yp2/4OiGvKYHQPUzHa5Q4A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmM25pTFlrbEExQnpDT2dy
|
||||
NlpIT3FMWU9RVEx3VndHVGNVT1lYOTBKM3dVCmF5MU5ESEs1dTRmbFp6MmpyM2NN
|
||||
MGRTelBMSU1XK1NteE9lbUpFQW5wQlkKLS0tIHRWTFBwTXcxbnM3Q1BPT1lzWkdo
|
||||
U013SHFDeitxOThieXRjaTM4ei9sdWcKMnNtZUyguRGkvfqznbCdaqT8Q3BttPQo
|
||||
fsUAk4bofW4jLvj96JLBtB280atU8k0oIuZbuz1dEMINDtgvIfadTw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRldzUnRaUk05MVZob1VG
|
||||
cm1MeDNqUEgxbjJLb1hoQ004TVB1TzZWbkY4Ckl3N05ObHZsRXp2VUYwL0RKSlR4
|
||||
WVEyYlAxTDRtYWhGZE9SbUJaK1hDVzgKLS0tIDRLZ3BmMWlRMTR5c1hWOHByell6
|
||||
N0hTL1A1MVE2MldocTFWZzc1OENobkUKUseg2IGSClvmrq6vlnF1sCgYlUaH4Ke0
|
||||
sDdpVwg1b5WLwbZFeE/Ro1gRY3s+9iDFrU3Rh95R1KmigpMVYz1ILQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-07-04T21:22:16Z"
|
||||
mac: ENC[AES256_GCM,data:5obbMHWEPm7KhJGWXpsKvGI99sJCx8hScIbS2vo3Ua0fvTwML8tkC3gsfLwaZ0D3KGHN6qxyjvP8ajIoxRK2Lj6G2FOWo7gmNzw9ULu+kPj53dqbmy/c3EeZU3WFNaRFXiQx0C80k8YFzPXQAkF/X5NdaRYRL6BFvPRRuq83Uds=,iv:EaeI+Z3e/QZIlU+EIGg+9sDFPtcfnVs8TQvvROOujg4=,tag:+P6U0/+b4nkZNob5fJ6pkg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-07-04T21:21:19Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA82M54yws73UAQ/9HQ2oLUOQb1YLxMFnDhezNbjXxdUlMULwKLllGxRJ4joC
|
||||
wonWbDL/AzXeK96ojI5xNZVGWFGnUArnpQRPpgHo/J8OKphSJ49oPxnDpuK2xa2x
|
||||
yVR0CxPxqWUovFUABhk12Fp8g0iMa/+/GU+UuGQsMn9ncIZ9btqeTEXX9cn/+IM1
|
||||
KWbfsuyYMtML13kSmKZDxazXE7v5RTlEf/VAGACqSuiVbZjUr7n/92spR1r3WKDj
|
||||
7FJB4hrnvyd4ShgxsQtb27U+9R2zgl5LioaIpNwrnsDy9LDgjzKLpzT6x/zp9m90
|
||||
Ws3A8sBsDQ2wE8nNi/uZUcIY9eNXsZQsTQqzE1vSrQsy8IgMJ7U7N2oXSezNlPPP
|
||||
Jnm+jAcbW/Qly7aqOEQb+BqGhe03b+UxZX6HxS8USiiRKP8E3l8e81Wc0IYP76uj
|
||||
CJWt7vhv2wCPMc8606BpvzFHH3fOIved/D+q+W8YBp43zJY4zMo00wBQd/az3z/P
|
||||
O0k5mZDnVldZLiUA8/oXdz5gd1VpuoJzEM2u8Fm5sjESVrscyX0NL9YQW9wW4n8G
|
||||
/0X0dXKnLf8aJKl0vU0zGNips+1lZUb+JRV8v6qPecgYvEyesRbeDjT96h1ZHD3S
|
||||
y/wjuV4G6NYNmWbpN3uffIyo0r9QylM8FQcuLdOyVS7Aj/GJyJQ7TsL/SCJSfGfS
|
||||
XgHcwNJhIQnBn2i0aZwPxkoBBSga8GP1IC8ezevpRseVgWWLDi0NwZK1vN1yBNze
|
||||
JXpve2W/4KtXvAql0u4UX5BTSlW5ew4FaBEJL/sE1RU80xvPiTtiINr1Y8g2Qww=
|
||||
=DFqp
|
||||
-----END PGP MESSAGE-----
|
||||
fp: CD8CE78CB0B3BDD4
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||