feat: add improved alerting for various things

2026-02-09 12:29:19 -08:00 · 2024-07-05 12:28:09 -07:00 · 2024-07-05 12:28:09 -07:00 · 07ee692df8
commit 07ee692df8
parent ed4defc62f
11 changed files with 414 additions and 137 deletions
--- a/nixos/common/login-notify.nix
+++ b/nixos/common/login-notify.nix
@ -0,0 +1,32 @@
+{ pkgs, lib, config, ... }: let
+    inherit (lib.modules) mkAfter mkDefault;
+in {
+    sops.secrets.sshd-environment = {
+        sopsFile = ./secrets.yaml;
+    };
+security.pam.services.sshd.text = let
+    notify = pkgs.writeShellScriptBin "notify" ''
+        export $(cat ${config.sops.secrets.sshd-environment.path} | xargs)
+
+        if [ "$PAM_USER" = "deploy" ]; then
+            if [ "$PAM_TYPE" = "open_session" ]; then
+                message="''${PAM_RHOST} has opened an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
+            elif [ "$PAM_TYPE" = "close_session" ]; then
+                message="''${PAM_RHOST} has closed an SSH session as part of doing a Nix deployment on ${config.networking.hostName}."
+            fi
+        else
+            if [ "$PAM_TYPE" = "open_session" ]; then
+                message="''${PAM_RHOST} opened an SSH session with ${config.networking.hostName} as user ''${PAM_USER}."
+            elif [ "$PAM_TYPE" = "close_session" ]; then
+                message="''${PAM_RHOST} closed their SSH session with ${config.networking.hostName} for user ''${PAM_USER}."
+            fi
+        fi
+
+        if [ -n "$message" ]; then
+            ${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"$message\"}" $DISCORD_WEBHOOK_LINK
+        fi
+    '';
+in mkDefault (mkAfter ''
+    session required pam_exec.so seteuid ${notify}/bin/notify
+'');
+}