AniNIX/Kapisi
3
0
Fork 0
Code Issues 30 Pull Requests 1 Projects 1 Releases Wiki Activity

Adding domain monitoring for TLSA/SSHFP/CAA records

Browse Source
This commit is contained in:
DarkFeather
2025-12-18 14:43:13 -06:00
parent 49839d1333
commit 43f764e664
4 changed files with 42 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
roles/Sharingan/files/monit/checks/domain Normal file
View File

@@ -0,0 +1,8 @@
check program domain-tlsa with path "/etc/monit.d/scripts/check-domain aninix.net tlsa aninix.net-0002"
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical TLSA records do not match -- regenerate and update"
check program domain-sshfp with path "/etc/monit.d/scripts/check-domain aninix.net sshfp"
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical SSHFP records do not match -- regenerate and update"
check program domain-caa with path "/etc/monit.d/scripts/check-domain aninix.net caa"
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CAA record does not match -- regenerate and update"

1
roles/Sharingan/files/monit/hostdefs/Yggdrasil
View File

@@ -3,3 +3,4 @@ include "/etc/monit.d/checks/watcher-of-watchers"
include "/etc/monit.d/checks/warrant-canary"
include "/etc/monit.d/checks/grimoire"
include "/etc/monit.d/checks/automated_response"
include "/etc/monit.d/checks/domain"

32
roles/Sharingan/files/monit/scripts/check-domain Executable file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
source /opt/aninix/Uniglot/Bash/dns.bash
domain="$1"
function checkTLSA() {
### Usage: $0 "${domain}" tlsa _443._tcp
identity="$1"
git diff --no-index <(GenerateTLSA "${identity}" | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig _443._tcp."${domain}" TLSA +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
}
function checkSSHFP() {
git diff --no-index <(GenerateSSHFP | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig "${domain}" SSHFP +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
}
function checkCAA() {
### Usage: $0 "${domain}" caa
caa="$(dig "${domain}" CAA +short)"
if [ "$caa" != '128 issue "letsencrypt.org"' ]; then
exit 1
else
exit 0
fi
}
case "$2" in
"tlsa") checkTLSA "$3" ;;
"sshfp") checkSSHFP ;;
"caa") checkCAA ;;
esac