From 00f7f43ebd1fae4f06ed5356ef17712c58200599 Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Thu, 2 Oct 2025 08:50:43 +0200
Subject: [PATCH] added ntfy alerts and removed sudo

---
 roles/bastionhost/tasks/main.yml | 1 +
 .../tasks/system_setup/ntfy_alerts.yml | 22 +++++++++++++++++++
 .../tasks/system_setup/package_hardening.yml | 2 ++
 roles/bastionhost/vars/main.yml | 4 ++++
 4 files changed, 29 insertions(+)
 create mode 100644 roles/bastionhost/tasks/system_setup/ntfy_alerts.yml
 create mode 100644 roles/bastionhost/vars/main.yml

diff --git a/roles/bastionhost/tasks/main.yml b/roles/bastionhost/tasks/main.yml
index b2ae7ed..ac9c77a 100644
--- a/roles/bastionhost/tasks/main.yml
+++ b/roles/bastionhost/tasks/main.yml
@@ -14,6 +14,7 @@
 - import_tasks: system_setup/package_hardening.yml
 - import_tasks: system_setup/user_hardening.yml
 - import_tasks: system_setup/aide.yml
+ - import_tasls: system_setup/ntfy_alerts.yml
 rescue:
 - set_fact: task_failed=true
diff --git a/roles/bastionhost/tasks/system_setup/ntfy_alerts.yml b/roles/bastionhost/tasks/system_setup/ntfy_alerts.yml
new file mode 100644
index 0000000..a953b2a
--- /dev/null
+++ b/roles/bastionhost/tasks/system_setup/ntfy_alerts.yml
@@ -0,0 +1,22 @@
+---
+- name: system setup | ntfy alerts | install curl
+ tags: ntfy,hardening,system
+ package:
+ name: curl
+ state: present
+
+- name: system setup | ntfy alerts | create ssh login alert script
+ tags: ntfy,hardening,system
+ copy:
+ dest: /etc/ssh/sshrc
+ owner: root
+ group: root
+ mode: '0755'
+ content: |
+ #!/bin/sh
+ # Managed by Ansible
+ # Send SSH login alert to ntfy topic.
+
+ MESSAGE="{{ ntfy_ssh_login_message }}"
+
+ curl -s -d "$MESSAGE" "{{ ntfy_url }}" > /dev/null
\ No newline at end of file
diff --git a/roles/bastionhost/tasks/system_setup/package_hardening.yml b/roles/bastionhost/tasks/system_setup/package_hardening.yml
index fb640da..38b1d7a 100644
--- a/roles/bastionhost/tasks/system_setup/package_hardening.yml
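Review bot: The added line misspells the action as `import_tasls`, so Ansible rejects the play with an unresolvable-action error before any task runs; it should read `- import_tasks: system_setup/ntfy_alerts.yml`. Because this is a parse-time failure rather than a task failure, the `rescue:` branch visible just below will not catch it and `task_failed` is never set. The enclosing `block:` starts outside the hunk.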
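Review bot: The login alert installed at `/etc/ssh/sshrc` can be suppressed by any user who creates `~/.ssh/rc`, because sshd runs that per-user file instead of the system-wide one, so on a bastion this is an audit hook the audited party controls. If the alert is meant to be tamper-evident, pair it with `PermitUserRC no` in sshd_config (where the OpenSSH version supports the option) or move the hook to a pam_exec session module so it runs as root outside the user's reach. The curl call also has no timeout or failure handling, so an unreachable ntfy endpoint stalls every SSH login until curl gives up on its own; use `curl -s --fail --max-time 5 -d "$MESSAGE" "{{ ntfy_url }}" > /dev/null 2>&1`. Note too that the message carries hostname, username and client IP to whatever topic `ntfy_url` points at, which on an unreserved public ntfy.sh topic is readable by anyone who knows the name.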
+++ b/roles/bastionhost/tasks/system_setup/package_hardening.yml
@@ -13,6 +13,7 @@
 - postfix
 - cups*
 - avahi-daemon
+ - sudo
 # Common utilities not required for a minimal system
 - popularity-contest
 - whoopsie
@@ -37,6 +38,7 @@
 - postfix
 - cups*
 - avahi
+ - sudo
 state: absent
 notify: Update_aide_database
 when: ansible_os_family == "RedHat"
\ No newline at end of file
diff --git a/roles/bastionhost/vars/main.yml b/roles/bastionhost/vars/main.yml
new file mode 100644
index 0000000..1ef8ad6
--- /dev/null
+++ b/roles/bastionhost/vars/main.yml
@@ -0,0 +1,4 @@
+---
+# Variables for ntfy alerts
+ntfy_url: "https://ntfy.sh/YOUR_TOPIC_HERE"
+ntfy_ssh_login_message: "SSH login on $(hostname) for user $USER from $(echo $SSH_CONNECTION | cut -d ' ' -f 1)"
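Review bot: Removing `sudo` from both removal lists will break privilege escalation for the Ansible account itself if this role is applied with `become: true` and the default `become_method: sudo`, so the next run of the role fails before it reaches this task; the commit shows no alternative escalation path. Confirm how root is obtained after this change (direct root SSH, `su`, or a `become_method` that does not need sudo) and record it next to the entry, e.g. `- sudo  # removed on purpose: escalation uses <method>; re-runs must not set become_method=sudo`. On Ubuntu, apt removal of sudo may also pull out a metapackage that depends on it, which is worth checking before rollout. The package list and module header for the first list are outside the hunk, so whether it is the Debian branch with the same `state: absent` is inferred.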
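Review bot: `ntfy_url` ships a placeholder topic on the public ntfy.sh service from `vars/main.yml`, where role vars outrank inventory and group_vars, so operators cannot override it without `-e`; move both variables to `defaults/main.yml` and add a guard such as `- assert: { that: "'YOUR_TOPIC_HERE' not in ntfy_url" }` so the role refuses to deploy the placeholder. An unreserved public ntfy.sh topic is readable and writable by anyone who knows its name, so the alerts (hostname, user, client IP) are exposed and can be spoofed; a self-hosted server or an access-token-protected topic, with the token kept in Vault, is the safer default. The message value is expanded twice, by Jinja at deploy time and by `/bin/sh` at each login, so `$(hostname)` and `$SSH_CONNECTION` are evaluated in the logging-in user's session; that is intended here but should be stated in the comment, e.g. `# shell substitutions are evaluated at login time by /etc/ssh/sshrc, not by Ansible`.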