From 2d917468ea84f49fdc8102ce0a10b45972114e1e Mon Sep 17 00:00:00 2001 From: Valentin Lab Date: Fri, 29 Mar 2024 10:20:53 +0100 Subject: [PATCH] new: [docker-host] add ``ntfy`` installation and connection --- docker-host/hooks/install.d/90-ntfy.sh | 100 +++++++++++++++ docker-host/src/bin/send | 166 +++++++++++++++++++++++++ docker-host/src/etc/ssh/ntfy-key | Bin 0 -> 1458 bytes 3 files changed, 266 insertions(+) create mode 100755 docker-host/hooks/install.d/90-ntfy.sh create mode 100755 docker-host/src/bin/send create mode 100644 docker-host/src/etc/ssh/ntfy-key diff --git a/docker-host/hooks/install.d/90-ntfy.sh b/docker-host/hooks/install.d/90-ntfy.sh new file mode 100755 index 0000000..dfcb96a --- /dev/null +++ b/docker-host/hooks/install.d/90-ntfy.sh @@ -0,0 +1,100 @@ +#!/bin/bash + +set -eux + +NTFY_BROKER="${NTFY_BROKER:-core-01.0k.io}" + + +## Uncipher ntfy key to destination + +umask 077 +ntfy_key_ciphered="src/etc/ssh/ntfy-key" +if [ ! -f "$ntfy_key_ciphered" ]; then + echo "Error: ciphered ntfy key not found" >&2 + exit 1 +fi + +ntfy_key_dest=/etc/ssh/ntfy-key +if [ ! -f "$ntfy_key_dest" ]; then + cat "$ntfy_key_ciphered" | + gpg -d --batch --yes --passphrase 'uniquepass' > "$ntfy_key_dest" || { + echo "Error while unpacking ntfy key to '${ntfy_key_dest}'" >&2 + exit 1 + } +fi + + +## Request token to ntfy server and add to config file + +known_host="/root/.ssh/known_hosts" +if ! ssh-keygen -F "$NTFY_BROKER" -f "$known_host" >/dev/null; then + ssh-keyscan -H "$NTFY_BROKER" >> "$known_host" || { + echo "Error while adding '$NTFY_BROKER' to known_hosts" >&2 + exit 1 + } +fi + +config_file="/etc/ntfy/ntfy.conf" +mkdir -p "${config_file%/*}" +if ! [ -f "$config_file" ]; then + touch "$config_file" || { + echo "Error: couldn’t create config file '$config_file'" >&2; + exit 1 + } +fi + +LOGIN="" +PASSWORD="" +source "$config_file" || { + echo "Error: couldn't source config file '$config_file'" >&2 + exit 1 +} + +## Note that we require the forcing of stdin to /dev/null to avoid +## the rest of the script to be vacuumed by the ssh command. +## This effect will only happen when launching this script in special +## conditions involving stdin. +cred=$(ssh -i "$ntfy_key_dest" ntfy@"${NTFY_BROKER}" \ + request-token "$LOGIN" "$PASSWORD" &2 + exit 1 +} + +## XXXvlab: ideally it should be received from the last call +server="https://ntfy.0k.io/" +login=$(printf "%q" "${cred%$'\n'*}") +password=$(printf "%q" "${cred#*$'\n'}") + +## check if password doesn't contain '%' + +for var in server login password; do + if [ "${!var}" == "''" ] || [[ "${!var}" == *$'\n'* ]]; then + echo "Error: empty or invalid multi-line values retrieved for '$var'" \ + "from ntfy server. Received:" >&2 + printf "%s" "$cred" | sed -r 's/^/ | /g' >&2 + exit 1 + fi + if [[ "${!var}" == *%* ]]; then + ## We need a separator char for sed replacement in the config file + echo "Error: forbidden character '%' found in $var" >&2 + exit 1 + fi + if grep -qE "^${var^^}=" "$config_file"; then + sed -ri "s%^${var^^}=.*$%${var^^}=\"${!var}\"%g" "$config_file" + else + echo "${var^^}=\"${!var}\"" >> "$config_file" + fi +done + + +if ! [ -f "/etc/ntfy/topics.yml" ]; then + cat <<'EOF' > /etc/ntfy/topics.yml +.*\.(emerg|alert|crit|err|warning|notice): + - ${LOGIN}_main +EOF +fi + + +## provide 'send' command + +cp -f "$PWD/src/bin/send" /usr/local/bin/send \ No newline at end of file diff --git a/docker-host/src/bin/send b/docker-host/src/bin/send new file mode 100755 index 0000000..f8b99de --- /dev/null +++ b/docker-host/src/bin/send @@ -0,0 +1,166 @@ +#!/bin/bash + +## Send a notification with NTFY and check if the config file is complete + +if [[ "$UID" == "0" ]]; then + NTFY_CONFIG_DIR="${NTFY_CONFIG_DIR:-/etc/ntfy}" +else + NTFY_CONFIG_DIR="${NTFY_CONFIG_DIR:-~/.config/ntfy}" +fi +NTFY_CONFIG_FILE="$NTFY_CONFIG_DIR/ntfy.conf" + +SERVER="https://ntfy.0k.io" + +[ -f "$NTFY_CONFIG_DIR/topics.yml" ] || { + echo "Error: no 'topics.yml' file found in $NTFY_CONFIG_DIR" >&2 + echo " Please setup the topics for the notification channels in this file." >&2 + exit 1 +} + +if ! [ -e "$NTFY_CONFIG_FILE" ]; then + mkdir -p "${NTFY_CONFIG_FILE%/*}" + ## default option to change if needed + echo "SERVER=$SERVER" > "$NTFY_CONFIG_FILE" +elif ! grep -q "^SERVER=" "$NTFY_CONFIG_FILE"; then + echo "SERVER=$SERVER" >> "$NTFY_CONFIG_FILE" +fi + +source "$NTFY_CONFIG_FILE" || { + echo "Error: could not source '$NTFY_CONFIG_FILE'" >&2 + exit 1 +} + +SERVER="${SERVER%/}" + +for var in SERVER LOGIN PASSWORD; do + if ! [ -v "$var" ]; then + echo "Error: missing $var in $NTFY_CONFIG_FILE" + exit 1 + fi +done + + +exname=${0##*/} +channels=() + +usage="$exname [options] MESSAGE" +help="\ + +Send MESSAGE with TITLE to the differents topics defined by a CHANNEL + +$exname will read the $NTFY_CONFIG_DIR/topics.yml for channel to +topics conversion. + + +Usage: + $usage + +Options: + -c CHANNEL Specify one or multiple channels. Default 'main'. + (can be provided mulitiple time) + -t TITLE Specify the title of the message. (it'll still be + prefixed with the hostname) + Default is empty + MESSAGE message to send. + -h Display this help and exit. + +" + +while [ "$#" -gt 0 ]; do + arg="$1" + shift + case "$arg" in + -h|--help) + echo "$help" + exit 0 + ;; + -c|--channel) + [ -n "$1" ] || { + echo "Error: no argument for channel option." >&2 + echo "$usage" >&2 + exit 1 + } + IFS=", " channels+=($1) + shift + ;; + -t|--title) + [ -n "$1" ] || { + echo "Error: no argument for title option." >&2 + echo "$usage" >&2 + exit 1 + } + title="$1" + shift + ;; + *) + [ -z "$message" ] && { message="$arg"; continue; } + echo "Error : Unexpected positional argument '$arg'." >&2 + echo "$usage" >&2 + exit 1 + ;; + esac +done + +[ -n "$message" ] || { + echo "Error: missing message." >&2 + echo "$usage" >&2 + exit 1 +} + +read-0() { + local eof='' IFS='' + while [ "$1" ]; do + read -r -d '' -- "$1" || eof=1 + shift + done + [ -z "$eof" ] +} + +curl_opts=( + -s + -u "$LOGIN:$PASSWORD" + -d "$message" +) + +title="[$(hostname)] $title" +title="${title%%+([[:space:]])}" +curl_opts+=(-H "Title: $title") + +declare -A sent_topic=() + +if [ "${#channels[@]}" -eq 0 ]; then + channels=("main") +fi + +for channel in "${channels[@]}"; do + channel_quoted=$(printf "%q" "$channel") + content=$(cat "$NTFY_CONFIG_DIR/topics.yml") + while read-0 channel_regex topics; do + [[ "$channel" =~ ^$channel_regex$ ]] || continue + rematch=("${BASH_REMATCH[@]}") + while read-0 topic; do + ttopic=$(printf "%s" "$topic" | yq "type") + if [ "$ttopic" != '!!str' ]; then + echo "Error: Unexpected '$ttopic' type for value of channel $channel." >&2 + exit 1 + fi + topic=$(printf "%s" "$topic" | yq -r " \"\" + .") + if ! [[ "$topic" =~ ^[a-zA-Z0-9\$\{\}*\ \,_.-]+$ ]]; then + echo "Error: Invalid topic value '$topic' expression in $channel channel." >&2 + exit 1 + fi + new_topics=($(set -- "${rematch[@]}"; eval echo "${topic//\*/\\*}")) + for new_topic in "${new_topics[@]}"; do + [ -n "${sent_topic["$new_topic"]}" ] && continue + sent_topic["$new_topic"]=1 + if ! out=$(curl "${curl_opts[@]}" "$SERVER/${new_topic}"); then + echo "Error: could not send message to $new_topic." >&2 + echo "curl command:" >&2 + echo " curl ${curl_opts[@]} $SERVER/${new_topic}" >&2 + echo "$out" | sed 's/^/ | /' >&2 + exit 1 + fi + done + done < <(printf "%s" "$topics" | yq e -0 '.[]') + done < <(printf "%s" "$content" | yq e -0 'to_entries | .[] | [.key, .value] |.[]') +done \ No newline at end of file diff --git a/docker-host/src/etc/ssh/ntfy-key b/docker-host/src/etc/ssh/ntfy-key new file mode 100644 index 0000000000000000000000000000000000000000..b971d3dd25b80ac1675c79abf36e1a3174cedafb GIT binary patch literal 1458 zcmV;j1x@;l4Fm}T0^7du>h-j)DF4#x0gDX*#5D)Ew5*OOtRQwr5acd>9IbY7=o&Sk z$(umP-(G~yHzZ^vvzPBT+`m@C1bRocFS?|1&3+F}US|*zaXMR=qmJ!tvvma4w&dRW z7yuyasRc|=`PiYHumZ82AMn5c3!whVlS$+46sfW?R~D6i#Oc?3HNE0R=;xkqp3cBt zIpclUIc}+$2=d0lZAjNk-E+uKb;p;_?(4IrR{IsCcDkN510bF>G5Y(+KUa1Zaj-LF zJSVu?a8S7By-%5u1`-l=G&*!PYfW%}y%a+O@6YHX-y#A8Uu=tW0;28#WY@p&8)KBU zV1rY-kepWf?U4@b2jzexFfEAj6~y{{>k)ff*KC8Ll|Cx-Gr18RLGckqplnz^+9yN> z3pVOLZe1(Rl5XI2+E~oJ7NcC(cvuc`Ly8G_gqG!0v;|Xdql|X%DZ>ascd*pk8{%tp zJ5$@<)dvooLVDu-q4tV#w+E>$jNhMssrXhN*PsNI>vL>c{wB|{Zv63XWAXi2hJ?of zSLk#vU517^W!uNin#3O)l0O;jUDZ{h+N8}ISsTa|N3HzZmzx6t#)m`U8R>;b=+59(%t)pKX* zF5Ub)y7D1MC{{^PrzcnOhMs^(JjQtA25Q=8?+3G(zuq1dt0=j?%<)-_g|9JyDWq(U z>t->BAgWI8{@C6^^lji)-*AdzQ9n@M^!dw2%Rra)h{~R}3sIIk+MjnTOG|umS55e& zy`QQ88p1D*reMx8*Ug!?8X;}PnXDSk-zw%0at;-(zaZ{JTmpWM@5kAmL;}t|&EkGS zU-PFt4ZylUNL#L}L1(|720}5+pg1n^w|2)+sR>Z!GDY6nSA_6z=!;w`Zs6EYc{&Fi zLw2S>?GFZsizi#Gelc;xlHKWHdezLAk$CG4Z3kF#pxnV}(q5rRO{Ro*od^X`&YrlG zmTjYL8+HufL(250^C!FRZLwU1Tmk~{tQa>0?1!I}P!?fxF# zfy2-CgDnhA?u$I`f(=<`v+(Sd^upvqlBjyU$_*TCqgL%3g)mZafr5S$OJ50+0H zc7(uPfOf~gObI{imn|qVX?+=|!Fv#kBXdhAXy_dw&GRQPUVmy&eb?dO zF$K2P7ycajz~4@Q6q{DCZX(K_onvQlo7i2Kc65z9jVGzx_K;g_3Ay>na4^oFZ}!oY z=uw1|2SRs^TfGrB2q|QT!ZbDywnkMEq9b3LbGC%1avW7mdqdxPSgUf$%m&(k76?>2 z>IT9rnNIX$i#?lvci3_F%^o52h?|<^^oVsTx=4iYU)K04SYQTbR8}qD>BUo)P8I`` zA6NvYWtR@6koiJ>t4-<}w|8ujfsSS42(%cxNIDp_*#;saao8FHdFDCJ0(!Uo=yH@R z)~|u4-T4zJth7X(cSMB6a(@cXVHd}{no@3x$o1CfkgJF4M$$K)aN-8rT;8X-4w>zbtnS5#?)0y@w5!%b zUHpW8p*13{l(EeN1OXZk9Vwu`4S?XG?6@qi_~swDfKQ!9-y>GOlzaOUdXX=Vs~BaZ z!O>{OvYOKFbcwmNr2^4v(Cd4uTpOj9viX0G#LklfF6!UZ?(jze)^``h