commit f92bb4f96b434bc7ffdb8ae95164e665eb465e3a
Author: Dustin C. Hatch
Date: Wed Aug 13 15:45:03 2025 -0500
Initial commit
diff --git a/host-provisioner.key b/host-provisioner.key
new file mode 100644
index 0000000..04db65e
--- /dev/null
+++ b/host-provisioner.key
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner
diff --git a/notify-online.preset b/notify-online.preset
new file mode 100644
index 0000000..9e2c2ec
--- /dev/null
+++ b/notify-online.preset
@@ -0,0 +1 @@
+enable notify-online.service
diff --git a/notify-online.service b/notify-online.service
new file mode 100644
index 0000000..2321df1
--- /dev/null
+++ b/notify-online.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=Notify infrastructure services that this host is online
+ConditionFirstBoot=yes
+After=sshd.service
+After=network-online.target
+Wants=network-online.target
+After=systemd-user-sessions.service
+
+[Service]
+Type=exec
+ExecStart=/usr/libexec/dch/notify-online
+# Must run as root in order to read QEMU fw_config, so enable maximum
+# sandbox restrictions.
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+
+[Install]
+WantedBy=multi-user.target
diff --git a/notify-online.sh b/notify-online.sh
new file mode 100644
index 0000000..24fa5e3
--- /dev/null
+++ b/notify-online.sh
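Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` in the [Service] section of notify-online.service omits AF_UNIX, which glibc NSS backends such as nss-resolve and nscd use to reach the local resolver; on hosts that resolve names that way, both `hostname -f` and curl's lookup of the webhook host in the ExecStart script would presumably fail inside the sandbox, so consider `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` unless file-based resolution via /etc/resolv.conf has been confirmed for these guests. Separately, `ExecStart=/usr/libexec/dch/notify-online` names a path this commit does not create — the script is added as notify-online.sh at the repository root — so an install or packaging step presumably renames it; a short comment above ExecStart naming that step would save the next reader the search. The sandbox header comment is good; it could also note that the unit relies on `PrivateUsers=yes` keeping UID 0 mapped so the root-only fw_cfg files remain readable with an empty CapabilityBoundingSet, since that is the property the "must run as root" remark depends on.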
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -- \
+ -F "hostname=$(hostname -f)" \
+ -F 'sshkeys=<-;type=text/plain'
+
+fw_cfg=/sys/firmware/qemu_fw_cfg/by_name/opt/dch/cfg-branch/raw
+if [ -r "${fw_cfg}" ]; then
+ set -- "$@" -F branch="$(cat "${fw_cfg}")"
+fi
+
+cat /etc/ssh/ssh_host_*_key.pub \
+ | curl -fsS https://webhooks.pyrocufflink.blue/host/online "$@"
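Review bot: The `-F "hostname=$(hostname -f)"` and `-F branch="$(cat "${fw_cfg}")"` fields hand their values to curl's `-F` parser, which treats a value whose first character is `@` or `<` as a local file to read, so a hostname or fw_cfg string of that shape would make curl post the contents of an unrelated file rather than the literal text; `--form-string "hostname=$(hostname -f)"` and `set -- "$@" --form-string branch="$(cat "${fw_cfg}")"` send the values verbatim, while the `sshkeys=<-;type=text/plain` field should keep `-F` because its `<-` (read the body from stdin) is intentional. The script also runs without `set -e`, so a failing `hostname -f` silently submits an empty hostname and an unmatched `/etc/ssh/ssh_host_*_key.pub` glob still posts an empty body, with curl's exit status (surfaced only as the unit's failed state) the sole signal; adding `set -eu` at the top and checking that the glob matched before the pipeline would make those cases visible in the journal. A two-line header comment stating that this runs once, as root, via notify-online.service on first boot would also help, since nothing in the script itself says so.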