Adding domain monitoring for TLSA/SSHFP/CAA records

2025-12-18 14:43:13 -06:00
parent 49839d1333
commit 43f764e664
4 changed files with 42 additions and 1 deletions
--- a/roles/Sharingan/files/monit/scripts/check-domain
+++ b/roles/Sharingan/files/monit/scripts/check-domain
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+source /opt/aninix/Uniglot/Bash/dns.bash
+
+domain="$1"
+
+function checkTLSA() {
+    ### Usage: $0 "${domain}" tlsa _443._tcp
+    identity="$1"
+    git diff --no-index <(GenerateTLSA "${identity}" | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig _443._tcp."${domain}" TLSA +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
+
+}
+
+function checkSSHFP() {
+    git diff --no-index <(GenerateSSHFP | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig "${domain}" SSHFP +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
+}
+
+function checkCAA() {
+    ### Usage: $0 "${domain}" caa
+    caa="$(dig "${domain}" CAA +short)"
+    if [ "$caa" != '128 issue "letsencrypt.org"' ]; then
+        exit 1
+    else
+        exit 0
+    fi
+}
+
+case "$2" in
+  "tlsa") checkTLSA "$3" ;;
+  "sshfp") checkSSHFP ;;
+  "caa") checkCAA ;;
+esac