@matthesketh/fleet 1.2.0 → 1.7.0

package/scripts/guard/cert-expiry-watch

@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+"""
+cert-expiry-watch — sweeps /etc/letsencrypt/live and reports any cert
+that's expiring soon. tiered alerts:
+- < 14 days: notify (info)
+- < 3 days: hold (renewal probably broken — needs eyes)
+
+run from cron once a day.
+"""
+
+import re
+import subprocess
+import sys
+from datetime import datetime, timezone
+from pathlib import Path
+
+LIVE = Path("/etc/letsencrypt/live")
+GUARD = "/usr/local/sbin/fleet-guard"
+NOTIFY = "/usr/local/sbin/notify"
+
+
+def active_cert_paths():
+    """parse nginx -T output to find ssl_certificate paths actually in use.
+    returns set of resolved file paths (Path objects)."""
+    try:
+        out = subprocess.run(
+            ["nginx", "-T"], capture_output=True, text=True, timeout=10,
+        )
+    except Exception:
+        return None  # cannot determine — caller should fall back
+    if out.returncode != 0:
+        return None
+    paths = set()
+    for m in re.finditer(r"ssl_certificate\s+([^\s;]+);", out.stdout):
+        paths.add(Path(m.group(1)).resolve())
+    return paths
+
+
+def cert_is_active(cert_dir, active):
+    """check if any cert under cert_dir is referenced by nginx."""
+    if active is None:
+        return True  # nginx not parseable — fall back to flagging everything
+    candidates = [
+        cert_dir / "fullchain.pem",
+        cert_dir / "cert.pem",
+        cert_dir / "chain.pem",
+    ]
+    return any(p.resolve() in active for p in candidates if p.exists())
+
+
+def cert_not_after(path):
+    out = subprocess.run(
+        ["openssl", "x509", "-noout", "-enddate", "-in", str(path)],
+        capture_output=True, text=True, timeout=5,
+    )
+    if out.returncode != 0:
+        return None
+    line = out.stdout.strip()  # notAfter=Apr 25 12:34:56 2026 GMT
+    _, _, when = line.partition("=")
+    try:
+        return datetime.strptime(when.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
+    except ValueError:
+        return None
+
+
+def main():
+    if not LIVE.exists():
+        return 0
+    now = datetime.now(timezone.utc)
+    active = active_cert_paths()
+    soon = []
+    critical = []
+    skipped_inactive = 0
+    for cert_dir in sorted(LIVE.iterdir()):
+        if not cert_dir.is_dir():
+            continue
+        cert_path = cert_dir / "cert.pem"
+        if not cert_path.exists():
+            continue
+        if not cert_is_active(cert_dir, active):
+            skipped_inactive += 1
+            continue
+        not_after = cert_not_after(cert_path)
+        if not not_after:
+            continue
+        days_left = (not_after - now).total_seconds() / 86400
+        item = {"name": cert_dir.name, "expires": not_after.isoformat(), "days": int(days_left)}
+        if days_left < 3:
+            critical.append(item)
+        elif days_left < 14:
+            soon.append(item)
+
+    if soon:
+        body = "\n".join(f"{i['name']}: {i['days']}d left ({i['expires']})" for i in soon)
+        subprocess.run([NOTIFY, "certs expiring soon", body], check=False)
+
+    for item in critical:
+        summary = f"cert {item['name']} expires in {item['days']}d — renewal probably broken"
+        subprocess.run(
+            [GUARD, "hold", "cert_expiry_critical", summary, "--payload",
+             '{"cert":"' + item["name"] + '"}'],
+            check=False,
+        )
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/scripts/guard/cf-audit-monitor

@@ -0,0 +1,169 @@
+#!/usr/bin/env python3
+"""
+poll cloudflare audit log api and notify via telegram on each new event.
+- state: /var/lib/cf-audit/last-seen.txt (rfc3339 utc)
+- creds: read from /root/.claude.json (cloudflare-mcp env block)
+- runs from cron every 15m. on first run seeds the state to "now-1h".
+- categorises events: noise events are silently logged; everything else
+  fires a telegram message.
+"""
+
+import json
+import os
+import sys
+import time
+import urllib.request
+import urllib.parse
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from subprocess import run
+
+CLAUDE_CFG = Path("/root/.claude.json")
+STATE_DIR = Path("/var/lib/cf-audit")
+STATE_FILE = STATE_DIR / "last-seen.txt"
+LOG_FILE = STATE_DIR / "events.jsonl"
+NOTIFIER = "/usr/local/sbin/notify"
+GUARD = "/usr/local/sbin/fleet-guard"
+
+# events that happen routinely and shouldn't page us
+NOISY_ACTIONS = {
+    "login",
+    "purge",
+    "challenge_solve",
+    "user_read",
+    "search",
+}
+
+# event action types that should always create a hold (require approval)
+# instead of merely notifying. these are the destructive / hijack-shaped ones.
+HOLD_ACTIONS = {
+    "zone_delete", "zone_create", "zone_settings_change",
+    "ns_change", "transfer_in", "transfer_out",
+    "member_add", "member_remove",
+    "api_token_create", "api_token_delete",
+    "ssl_change",
+}
+
+
+def read_creds():
+    with CLAUDE_CFG.open() as f:
+        cfg = json.load(f)
+    env = cfg.get("mcpServers", {}).get("cloudflare-mcp", {}).get("env", {}) or {}
+    api_key = env.get("CLOUDFLARE_API_KEY")
+    email = env.get("CLOUDFLARE_EMAIL")
+    if not api_key or not email:
+        sys.exit("cf creds missing in /root/.claude.json (mcpServers.cloudflare-mcp.env)")
+    # account id needed for v2 audit endpoint
+    inf_env = cfg.get("mcpServers", {}).get("infrastructure-mcp", {}).get("env", {}) or {}
+    account_id = inf_env.get("CLOUDFLARE_ACCOUNT_ID")
+    if not account_id:
+        sys.exit("CLOUDFLARE_ACCOUNT_ID missing in infrastructure-mcp env")
+    return api_key, email, account_id
+
+
+def load_since():
+    STATE_DIR.mkdir(parents=True, exist_ok=True)
+    if STATE_FILE.exists():
+        return STATE_FILE.read_text().strip()
+    # first run: pull last hour
+    return (datetime.now(timezone.utc) - timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
+def save_since(ts):
+    STATE_FILE.write_text(ts + "\n")
+
+
+def fetch_events(api_key, email, account_id, since):
+    # cf accounts audit log v1 endpoint (free plan compatible)
+    qs = urllib.parse.urlencode({
+        "since": since,
+        "before": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "per_page": 100,
+    })
+    url = f"https://api.cloudflare.com/client/v4/accounts/{account_id}/audit_logs?{qs}"
+    req = urllib.request.Request(url, headers={
+        "X-Auth-Email": email,
+        "X-Auth-Key": api_key,
+        "Content-Type": "application/json",
+    })
+    with urllib.request.urlopen(req, timeout=20) as resp:
+        return json.loads(resp.read())
+
+
+def classify(action_type):
+    a = (action_type or "").lower()
+    if a in NOISY_ACTIONS:
+        return "noise"
+    return "alert"
+
+
+def notify(title, body):
+    run([NOTIFIER, title, body], check=False)
+
+
+def fmt_event(ev):
+    when = ev.get("when", "?")
+    who = (ev.get("actor") or {}).get("email") or "?"
+    ip = (ev.get("actor") or {}).get("ip") or "?"
+    action = (ev.get("action") or {}).get("type") or "?"
+    resource = (ev.get("resource") or {}).get("type") or "?"
+    res_id = (ev.get("resource") or {}).get("id") or ""
+    metadata = ev.get("metadata") or {}
+    extras = ", ".join(f"{k}={v}" for k, v in metadata.items() if k in ("name", "domain", "zone"))
+    line = f"{when}\n{action} {resource} by {who} from {ip}"
+    if res_id:
+        line += f"\nresource: {res_id}"
+    if extras:
+        line += f"\n{extras}"
+    return line
+
+
+def main():
+    api_key, email, account_id = read_creds()
+    since = load_since()
+    try:
+        data = fetch_events(api_key, email, account_id, since)
+    except Exception as e:
+        notify("cf-audit-monitor failed", f"fetch error: {e}")
+        sys.exit(1)
+    if not data.get("success", False):
+        errs = data.get("errors") or []
+        notify("cf-audit-monitor api error", json.dumps(errs)[:300])
+        sys.exit(1)
+
+    events = data.get("result") or []
+    STATE_DIR.mkdir(parents=True, exist_ok=True)
+    if events:
+        with LOG_FILE.open("a") as f:
+            for ev in events:
+                f.write(json.dumps(ev) + "\n")
+
+    alerts = [ev for ev in events if classify((ev.get("action") or {}).get("type")) == "alert"]
+    for ev in alerts:
+        action = (ev.get("action") or {}).get("type") or ""
+        if action in HOLD_ACTIONS:
+            # destructive — create a fleet-guard hold instead of just notifying.
+            # the cli itself fires the notification with approval token.
+            payload = {
+                "cf_event": ev,
+                "suggested_action": "review and approve to acknowledge",
+            }
+            try:
+                run([GUARD, "hold", f"cf_{action}", fmt_event(ev), "--payload",
+                     json.dumps(payload)], check=False, timeout=30)
+            except Exception as e:
+                notify("cf-audit hold-failed", f"{e}\n{fmt_event(ev)}")
+        else:
+            notify("cloudflare audit event", fmt_event(ev))
+
+    # advance cursor: latest "when" + 1s, or now if no events
+    if events:
+        latest = max(ev.get("when", "") for ev in events)
+        if latest:
+            save_since(latest)
+    else:
+        save_since(datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
+
+
+if __name__ == "__main__":
+    main()

package/scripts/guard/cf-snapshot

@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+"""
+snapshot all cloudflare zone state (dns records + zone settings) into a
+git repo at /var/lib/cf-snapshots/. each run commits a diff so we have a
+full audit trail of what changed and when.
+
+usage: cf-snapshot
+"""
+
+import json
+import subprocess
+import sys
+import urllib.request
+from pathlib import Path
+
+CLAUDE_CFG = Path("/root/.claude.json")
+SNAP_DIR = Path("/var/lib/cf-snapshots")
+
+
+def read_creds():
+    cfg = json.loads(CLAUDE_CFG.read_text())
+    env = cfg.get("mcpServers", {}).get("cloudflare-mcp", {}).get("env", {}) or {}
+    api_key = env.get("CLOUDFLARE_API_KEY")
+    email = env.get("CLOUDFLARE_EMAIL")
+    if not api_key or not email:
+        sys.exit("cf creds missing in /root/.claude.json")
+    return api_key, email
+
+
+def cf_get(url, api_key, email):
+    req = urllib.request.Request(url, headers={
+        "X-Auth-Email": email,
+        "X-Auth-Key": api_key,
+        "Content-Type": "application/json",
+    })
+    with urllib.request.urlopen(req, timeout=20) as r:
+        return json.loads(r.read())
+
+
+def list_zones(api_key, email):
+    out = []
+    page = 1
+    while True:
+        d = cf_get(
+            f"https://api.cloudflare.com/client/v4/zones?per_page=50&page={page}",
+            api_key, email,
+        )
+        out.extend(d.get("result") or [])
+        info = d.get("result_info") or {}
+        if page >= (info.get("total_pages") or 1):
+            break
+        page += 1
+    return out
+
+
+def snapshot_zone(zone, api_key, email):
+    zid = zone["id"]
+    name = zone["name"]
+    records = cf_get(
+        f"https://api.cloudflare.com/client/v4/zones/{zid}/dns_records?per_page=100",
+        api_key, email,
+    ).get("result") or []
+    settings = cf_get(
+        f"https://api.cloudflare.com/client/v4/zones/{zid}/settings",
+        api_key, email,
+    ).get("result") or []
+    # strip volatile fields so diffs are meaningful
+    pruned_records = []
+    for r in records:
+        pruned_records.append({
+            k: r.get(k) for k in
+            ("id", "type", "name", "content", "proxied", "ttl", "priority", "data")
+            if r.get(k) is not None
+        })
+    pruned_settings = [
+        {k: s.get(k) for k in ("id", "value")} for s in settings
+    ]
+    return {
+        "zone": {"id": zid, "name": name, "status": zone.get("status")},
+        "records": sorted(pruned_records, key=lambda x: (x.get("type", ""), x.get("name", ""))),
+        "settings": sorted(pruned_settings, key=lambda x: x.get("id", "")),
+    }
+
+
+def ensure_repo():
+    SNAP_DIR.mkdir(parents=True, exist_ok=True)
+    if not (SNAP_DIR / ".git").exists():
+        subprocess.run(["git", "init", "-q", "-b", "main", str(SNAP_DIR)], check=True)
+        subprocess.run(["git", "-C", str(SNAP_DIR), "config", "user.email", "cf-snapshot@local"], check=True)
+        subprocess.run(["git", "-C", str(SNAP_DIR), "config", "user.name", "cf-snapshot"], check=True)
+
+
+def main():
+    api_key, email = read_creds()
+    ensure_repo()
+    zones = list_zones(api_key, email)
+    written = 0
+    for z in zones:
+        snap = snapshot_zone(z, api_key, email)
+        path = SNAP_DIR / f"{z['name']}.json"
+        path.write_text(json.dumps(snap, indent=2, sort_keys=True) + "\n")
+        written += 1
+    subprocess.run(["git", "-C", str(SNAP_DIR), "add", "-A"], check=True)
+    diff = subprocess.run(
+        ["git", "-C", str(SNAP_DIR), "diff", "--cached", "--quiet"],
+        check=False,
+    )
+    if diff.returncode == 0:
+        return 0
+    msg = subprocess.run(
+        ["git", "-C", str(SNAP_DIR), "diff", "--cached", "--stat"],
+        check=True, capture_output=True, text=True,
+    ).stdout.strip()
+    subprocess.run(
+        ["git", "-C", str(SNAP_DIR), "commit", "-q", "-m", f"snapshot: {written} zones"],
+        check=True,
+    )
+    # alert if a meaningful change happened
+    subprocess.run(["/usr/local/sbin/notify", "cf-snapshot diff",
+                    msg[:1000] if msg else "(no diff stat)"], check=False)
+
+
+if __name__ == "__main__":
+    main()

package/scripts/guard/cron.d-cf-protect

@@ -0,0 +1,11 @@
+# cloudflare protection layer cron entries
+# - audit log monitor: every 15 min
+# - state snapshot: every 30 min (catches changes audit log misses)
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+*/15 * * * * root /usr/local/sbin/cf-audit-monitor >> /var/log/cf-audit-monitor.log 2>&1
+*/30 * * * * root /usr/local/sbin/cf-snapshot >> /var/log/cf-snapshot.log 2>&1
+* * * * * fleet-guard /usr/local/sbin/fleet-guard execute >> /var/log/fleet-guard/execute.log 2>&1
+17 4 * * * root /usr/local/sbin/cert-expiry-watch >> /var/log/cert-expiry-watch.log 2>&1
+*/30 * * * * root /usr/local/sbin/dns-drift-watch >> /var/log/dns-drift-watch.log 2>&1

package/scripts/guard/dns-drift-watch

@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+"""
+dns-drift-watch — verifies that public dns resolution for each cloudflare-
+proxied hostname still resolves through cloudflare ip space. detects:
+- attacker repointing a record to a non-cf ip
+- accidental flipping of the proxied flag (orange to grey)
+- nameserver hijack at registrar level
+
+works against the latest snapshot in /var/lib/cf-snapshots. only checks A
+records that were proxied=true at snapshot time. queries 1.1.1.1, 8.8.8.8,
+and 9.9.9.9 for redundancy.
+
+on drift, creates a fleet-guard hold (kind=dns_drift) so you can approve
+or revert via telegram/imessage.
+"""
+
+import json
+import socket
+import subprocess
+import sys
+from pathlib import Path
+
+SNAP_DIR = Path("/var/lib/cf-snapshots")
+GUARD = "/usr/local/sbin/fleet-guard"
+NOTIFY = "/usr/local/sbin/notify"
+RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+
+# cloudflare's known v4 ranges. updated by /usr/local/sbin/refresh-cf-firewall.sh
+CF_V4_PATH = Path("/etc/iptables/rules.v4")
+
+
+def cf_ranges():
+    """parse cf v4 ranges from the iptables guard chain. fallback to bundled."""
+    if CF_V4_PATH.exists():
+        ranges = []
+        for line in CF_V4_PATH.read_text().splitlines():
+            if "CF-DOCKER-GUARD" in line and "-s " in line and "RETURN" in line:
+                parts = line.split()
+                for i, p in enumerate(parts):
+                    if p == "-s" and i + 1 < len(parts):
+                        ranges.append(parts[i + 1])
+        if ranges:
+            return ranges
+    # fallback: hardcoded list (cf publishes <20 ranges)
+    return [
+        "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
+        "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18",
+        "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
+        "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
+        "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
+    ]
+
+
+def in_range(ip, ranges):
+    import ipaddress
+    addr = ipaddress.ip_address(ip)
+    for r in ranges:
+        try:
+            if addr in ipaddress.ip_network(r):
+                return True
+        except ValueError:
+            continue
+    return False
+
+
+def resolve(host, resolver):
+    try:
+        out = subprocess.run(
+            ["dig", "+short", "+tries=1", "+time=2", "A", host, f"@{resolver}"],
+            capture_output=True, text=True, timeout=5,
+        )
+        ips = [line.strip() for line in out.stdout.splitlines() if line.strip()]
+        # filter out cnames (lines that don't look like ipv4)
+        return [ip for ip in ips if ip.count(".") == 3 and all(p.isdigit() for p in ip.split("."))]
+    except Exception:
+        return []
+
+
+def check_zone(zone_path):
+    snap = json.loads(zone_path.read_text())
+    zone_name = snap["zone"]["name"]
+    drifts = []
+    proxied_a_records = [
+        r for r in snap.get("records", [])
+        if r.get("type") == "A" and r.get("proxied") is True
+    ]
+    cf = cf_ranges()
+    for r in proxied_a_records:
+        host = r.get("name")
+        if not host:
+            continue
+        all_ips = set()
+        for resolver in RESOLVERS:
+            all_ips.update(resolve(host, resolver))
+        if not all_ips:
+            # unresolvable — could be temporary, skip
+            continue
+        non_cf = [ip for ip in all_ips if not in_range(ip, cf)]
+        if non_cf:
+            drifts.append({
+                "host": host,
+                "expected": "cloudflare-proxied",
+                "got": sorted(all_ips),
+                "non_cf": non_cf,
+                "snapshot_content": r.get("content"),
+            })
+    return zone_name, drifts
+
+
+def main():
+    if not SNAP_DIR.exists():
+        sys.exit("no snapshot directory at /var/lib/cf-snapshots")
+
+    all_drifts = []
+    for path in sorted(SNAP_DIR.glob("*.json")):
+        zone, drifts = check_zone(path)
+        for d in drifts:
+            d["zone"] = zone
+            all_drifts.append(d)
+
+    if not all_drifts:
+        return 0
+
+    # one hold per drift
+    for d in all_drifts:
+        summary = f"DNS drift: {d['host']} resolves to non-CF IPs {d['non_cf']}"
+        try:
+            subprocess.run(
+                [GUARD, "hold", "dns_drift", summary, "--payload", json.dumps(d)],
+                check=False, timeout=15,
+            )
+        except Exception as e:
+            subprocess.run([NOTIFY, "dns-drift-watch hold failed", f"{e}\n{summary}"], check=False)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())