@matthesketh/fleet 1.6.0 → 1.7.0

package/scripts/guard/cf-snapshot

@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+"""
+snapshot all cloudflare zone state (dns records + zone settings) into a
+git repo at /var/lib/cf-snapshots/. each run commits a diff so we have a
+full audit trail of what changed and when.
+
+usage: cf-snapshot
+"""
+
+import json
+import subprocess
+import sys
+import urllib.request
+from pathlib import Path
+
+CLAUDE_CFG = Path("/root/.claude.json")
+SNAP_DIR = Path("/var/lib/cf-snapshots")
+
+
+def read_creds():
+    cfg = json.loads(CLAUDE_CFG.read_text())
+    env = cfg.get("mcpServers", {}).get("cloudflare-mcp", {}).get("env", {}) or {}
+    api_key = env.get("CLOUDFLARE_API_KEY")
+    email = env.get("CLOUDFLARE_EMAIL")
+    if not api_key or not email:
+        sys.exit("cf creds missing in /root/.claude.json")
+    return api_key, email
+
+
+def cf_get(url, api_key, email):
+    req = urllib.request.Request(url, headers={
+        "X-Auth-Email": email,
+        "X-Auth-Key": api_key,
+        "Content-Type": "application/json",
+    })
+    with urllib.request.urlopen(req, timeout=20) as r:
+        return json.loads(r.read())
+
+
+def list_zones(api_key, email):
+    out = []
+    page = 1
+    while True:
+        d = cf_get(
+            f"https://api.cloudflare.com/client/v4/zones?per_page=50&page={page}",
+            api_key, email,
+        )
+        out.extend(d.get("result") or [])
+        info = d.get("result_info") or {}
+        if page >= (info.get("total_pages") or 1):
+            break
+        page += 1
+    return out
+
+
+def snapshot_zone(zone, api_key, email):
+    zid = zone["id"]
+    name = zone["name"]
+    records = cf_get(
+        f"https://api.cloudflare.com/client/v4/zones/{zid}/dns_records?per_page=100",
+        api_key, email,
+    ).get("result") or []
+    settings = cf_get(
+        f"https://api.cloudflare.com/client/v4/zones/{zid}/settings",
+        api_key, email,
+    ).get("result") or []
+    # strip volatile fields so diffs are meaningful
+    pruned_records = []
+    for r in records:
+        pruned_records.append({
+            k: r.get(k) for k in
+            ("id", "type", "name", "content", "proxied", "ttl", "priority", "data")
+            if r.get(k) is not None
+        })
+    pruned_settings = [
+        {k: s.get(k) for k in ("id", "value")} for s in settings
+    ]
+    return {
+        "zone": {"id": zid, "name": name, "status": zone.get("status")},
+        "records": sorted(pruned_records, key=lambda x: (x.get("type", ""), x.get("name", ""))),
+        "settings": sorted(pruned_settings, key=lambda x: x.get("id", "")),
+    }
+
+
+def ensure_repo():
+    SNAP_DIR.mkdir(parents=True, exist_ok=True)
+    if not (SNAP_DIR / ".git").exists():
+        subprocess.run(["git", "init", "-q", "-b", "main", str(SNAP_DIR)], check=True)
+        subprocess.run(["git", "-C", str(SNAP_DIR), "config", "user.email", "cf-snapshot@local"], check=True)
+        subprocess.run(["git", "-C", str(SNAP_DIR), "config", "user.name", "cf-snapshot"], check=True)
+
+
+def main():
+    api_key, email = read_creds()
+    ensure_repo()
+    zones = list_zones(api_key, email)
+    written = 0
+    for z in zones:
+        snap = snapshot_zone(z, api_key, email)
+        path = SNAP_DIR / f"{z['name']}.json"
+        path.write_text(json.dumps(snap, indent=2, sort_keys=True) + "\n")
+        written += 1
+    subprocess.run(["git", "-C", str(SNAP_DIR), "add", "-A"], check=True)
+    diff = subprocess.run(
+        ["git", "-C", str(SNAP_DIR), "diff", "--cached", "--quiet"],
+        check=False,
+    )
+    if diff.returncode == 0:
+        return 0
+    msg = subprocess.run(
+        ["git", "-C", str(SNAP_DIR), "diff", "--cached", "--stat"],
+        check=True, capture_output=True, text=True,
+    ).stdout.strip()
+    subprocess.run(
+        ["git", "-C", str(SNAP_DIR), "commit", "-q", "-m", f"snapshot: {written} zones"],
+        check=True,
+    )
+    # alert if a meaningful change happened
+    subprocess.run(["/usr/local/sbin/notify", "cf-snapshot diff",
+                    msg[:1000] if msg else "(no diff stat)"], check=False)
+
+
+if __name__ == "__main__":
+    main()

package/scripts/guard/cron.d-cf-protect

@@ -0,0 +1,11 @@
+# cloudflare protection layer cron entries
+# - audit log monitor: every 15 min
+# - state snapshot: every 30 min (catches changes audit log misses)
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+*/15 * * * * root /usr/local/sbin/cf-audit-monitor >> /var/log/cf-audit-monitor.log 2>&1
+*/30 * * * * root /usr/local/sbin/cf-snapshot >> /var/log/cf-snapshot.log 2>&1
+* * * * * fleet-guard /usr/local/sbin/fleet-guard execute >> /var/log/fleet-guard/execute.log 2>&1
+17 4 * * * root /usr/local/sbin/cert-expiry-watch >> /var/log/cert-expiry-watch.log 2>&1
+*/30 * * * * root /usr/local/sbin/dns-drift-watch >> /var/log/dns-drift-watch.log 2>&1

package/scripts/guard/dns-drift-watch

@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+"""
+dns-drift-watch — verifies that public dns resolution for each cloudflare-
+proxied hostname still resolves through cloudflare ip space. detects:
+- attacker repointing a record to a non-cf ip
+- accidental flipping of the proxied flag (orange to grey)
+- nameserver hijack at registrar level
+
+works against the latest snapshot in /var/lib/cf-snapshots. only checks A
+records that were proxied=true at snapshot time. queries 1.1.1.1, 8.8.8.8,
+and 9.9.9.9 for redundancy.
+
+on drift, creates a fleet-guard hold (kind=dns_drift) so you can approve
+or revert via telegram/imessage.
+"""
+
+import json
+import socket
+import subprocess
+import sys
+from pathlib import Path
+
+SNAP_DIR = Path("/var/lib/cf-snapshots")
+GUARD = "/usr/local/sbin/fleet-guard"
+NOTIFY = "/usr/local/sbin/notify"
+RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+
+# cloudflare's known v4 ranges. updated by /usr/local/sbin/refresh-cf-firewall.sh
+CF_V4_PATH = Path("/etc/iptables/rules.v4")
+
+
+def cf_ranges():
+    """parse cf v4 ranges from the iptables guard chain. fallback to bundled."""
+    if CF_V4_PATH.exists():
+        ranges = []
+        for line in CF_V4_PATH.read_text().splitlines():
+            if "CF-DOCKER-GUARD" in line and "-s " in line and "RETURN" in line:
+                parts = line.split()
+                for i, p in enumerate(parts):
+                    if p == "-s" and i + 1 < len(parts):
+                        ranges.append(parts[i + 1])
+        if ranges:
+            return ranges
+    # fallback: hardcoded list (cf publishes <20 ranges)
+    return [
+        "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
+        "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18",
+        "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
+        "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
+        "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
+    ]
+
+
+def in_range(ip, ranges):
+    import ipaddress
+    addr = ipaddress.ip_address(ip)
+    for r in ranges:
+        try:
+            if addr in ipaddress.ip_network(r):
+                return True
+        except ValueError:
+            continue
+    return False
+
+
+def resolve(host, resolver):
+    try:
+        out = subprocess.run(
+            ["dig", "+short", "+tries=1", "+time=2", "A", host, f"@{resolver}"],
+            capture_output=True, text=True, timeout=5,
+        )
+        ips = [line.strip() for line in out.stdout.splitlines() if line.strip()]
+        # filter out cnames (lines that don't look like ipv4)
+        return [ip for ip in ips if ip.count(".") == 3 and all(p.isdigit() for p in ip.split("."))]
+    except Exception:
+        return []
+
+
+def check_zone(zone_path):
+    snap = json.loads(zone_path.read_text())
+    zone_name = snap["zone"]["name"]
+    drifts = []
+    proxied_a_records = [
+        r for r in snap.get("records", [])
+        if r.get("type") == "A" and r.get("proxied") is True
+    ]
+    cf = cf_ranges()
+    for r in proxied_a_records:
+        host = r.get("name")
+        if not host:
+            continue
+        all_ips = set()
+        for resolver in RESOLVERS:
+            all_ips.update(resolve(host, resolver))
+        if not all_ips:
+            # unresolvable — could be temporary, skip
+            continue
+        non_cf = [ip for ip in all_ips if not in_range(ip, cf)]
+        if non_cf:
+            drifts.append({
+                "host": host,
+                "expected": "cloudflare-proxied",
+                "got": sorted(all_ips),
+                "non_cf": non_cf,
+                "snapshot_content": r.get("content"),
+            })
+    return zone_name, drifts
+
+
+def main():
+    if not SNAP_DIR.exists():
+        sys.exit("no snapshot directory at /var/lib/cf-snapshots")
+
+    all_drifts = []
+    for path in sorted(SNAP_DIR.glob("*.json")):
+        zone, drifts = check_zone(path)
+        for d in drifts:
+            d["zone"] = zone
+            all_drifts.append(d)
+
+    if not all_drifts:
+        return 0
+
+    # one hold per drift
+    for d in all_drifts:
+        summary = f"DNS drift: {d['host']} resolves to non-CF IPs {d['non_cf']}"
+        try:
+            subprocess.run(
+                [GUARD, "hold", "dns_drift", summary, "--payload", json.dumps(d)],
+                check=False, timeout=15,
+            )
+        except Exception as e:
+            subprocess.run([NOTIFY, "dns-drift-watch hold failed", f"{e}\n{summary}"], check=False)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/scripts/guard/fleet-guard

@@ -0,0 +1,282 @@
+#!/usr/bin/env python3
+"""
+fleet-guard — pending-action queue with out-of-band approval.
+
+state layout under /var/lib/fleet-guard/:
+  pending/<token>.json   — awaiting approval. created by `hold`.
+  approved/<token>.json  — owner approved. picked up by executor.
+  processed/<token>.json — executor finished (success or fail).
+
+token format: 22-char base32 (random, single-use). 256 bits of entropy.
+
+cli verbs (all log to /var/log/fleet-guard/audit.jsonl):
+  hold <kind> <summary> [--payload '<json>']  create a pending hold + notify
+  list [pending|approved|processed]            list tokens with summaries
+  show <token>                                 dump one record
+  approve <token> [--actor <name>]             mark approved
+  reject <token>  [--actor <name>]             mark rejected (deletes record)
+  status                                       human summary
+  execute                                      run all approved actions
+
+approval is also mediated by the daemon (telegram callbacks/messages).
+this cli is the fallback path + ssh-session override.
+"""
+
+import argparse
+import base64
+import json
+import os
+import secrets
+import shutil
+import subprocess
+import sys
+import time
+from pathlib import Path
+from datetime import datetime, timezone
+
+ROOT = Path("/var/lib/fleet-guard")
+LOG = Path("/var/log/fleet-guard/audit.jsonl")
+NOTIFY = "/usr/local/sbin/notify"
+GUARD_CFG = Path("/etc/fleet/guard.json")
+DEFAULT_TTL = 600
+
+PENDING = ROOT / "pending"
+APPROVED = ROOT / "approved"
+PROCESSED = ROOT / "processed"
+
+
+def utcnow():
+    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
+def epoch():
+    return int(time.time())
+
+
+def log_event(event):
+    LOG.parent.mkdir(parents=True, exist_ok=True)
+    entry = {"ts": utcnow(), **event}
+    with LOG.open("a") as f:
+        f.write(json.dumps(entry, default=str) + "\n")
+
+
+def gen_token():
+    return base64.b32encode(secrets.token_bytes(14)).decode().rstrip("=")
+
+
+def load_cfg():
+    if not GUARD_CFG.exists():
+        return {}
+    try:
+        return json.loads(GUARD_CFG.read_text())
+    except Exception:
+        return {}
+
+
+def write_record(dirpath, token, record):
+    dirpath.mkdir(parents=True, exist_ok=True)
+    path = dirpath / f"{token}.json"
+    tmp = path.with_suffix(".json.tmp")
+    tmp.write_text(json.dumps(record, indent=2, sort_keys=True))
+    tmp.rename(path)
+    os.chmod(path, 0o600)
+    return path
+
+
+def find_token(token):
+    """search pending/approved/processed for a token"""
+    for d in (PENDING, APPROVED, PROCESSED):
+        p = d / f"{token}.json"
+        if p.exists():
+            return d, p
+    return None, None
+
+
+def cmd_hold(args):
+    token = gen_token()
+    cfg = load_cfg()
+    ttl = int(cfg.get("tokenTtlSeconds") or DEFAULT_TTL)
+    record = {
+        "token": token,
+        "kind": args.kind,
+        "summary": args.summary,
+        "payload": json.loads(args.payload) if args.payload else {},
+        "created_at": utcnow(),
+        "expires_at_epoch": epoch() + ttl,
+        "creator": os.environ.get("SUDO_USER") or os.environ.get("USER") or "unknown",
+        "creator_uid": os.getuid(),
+    }
+    write_record(PENDING, token, record)
+    log_event({"event": "hold_created", "token": token, "kind": args.kind, "summary": args.summary})
+
+    # notify owner
+    title = f"action held: {args.kind}"
+    body = (
+        f"{args.summary}\n"
+        f"approve: send `/approve {token}` to bot\n"
+        f"or: fleet-guard approve {token}\n"
+        f"expires in {ttl // 60}m"
+    )
+    try:
+        subprocess.run([NOTIFY, title, body], check=False, timeout=15)
+    except Exception:
+        pass
+    print(token)
+    return 0
+
+
+def cmd_list(args):
+    target = {"pending": PENDING, "approved": APPROVED, "processed": PROCESSED}.get(args.where, PENDING)
+    rows = []
+    if target.exists():
+        for path in sorted(target.glob("*.json")):
+            r = json.loads(path.read_text())
+            rows.append((r["token"], r.get("kind", "?"), r.get("summary", "")[:60]))
+    for t, k, s in rows:
+        print(f"{t}  {k:<20}  {s}")
+    if not rows:
+        print(f"(no records in {args.where})")
+    return 0
+
+
+def cmd_show(args):
+    _, path = find_token(args.token)
+    if not path:
+        print(f"token not found: {args.token}", file=sys.stderr)
+        return 1
+    print(path.read_text())
+    return 0
+
+
+def _expire_check(record):
+    return epoch() > int(record.get("expires_at_epoch", 0))
+
+
+def cmd_approve(args):
+    src, path = find_token(args.token)
+    if path is None:
+        print(f"token not found: {args.token}", file=sys.stderr)
+        return 1
+    if src != PENDING:
+        print(f"token not in pending state (in {src.name})", file=sys.stderr)
+        return 1
+    record = json.loads(path.read_text())
+    if _expire_check(record):
+        log_event({"event": "approve_expired", "token": args.token, "actor": args.actor})
+        path.unlink()
+        print("token expired", file=sys.stderr)
+        return 1
+    record["approved_at"] = utcnow()
+    record["approver"] = args.actor or os.environ.get("SUDO_USER") or os.environ.get("USER") or "cli"
+    write_record(APPROVED, args.token, record)
+    path.unlink()
+    log_event({"event": "approved", "token": args.token, "kind": record.get("kind"),
+               "approver": record["approver"]})
+    # acknowledge
+    try:
+        subprocess.run([NOTIFY, "approval recorded",
+                        f"{record.get('kind')} approved by {record['approver']}"],
+                       check=False, timeout=10)
+    except Exception:
+        pass
+    print(f"approved {args.token}")
+    return 0
+
+
+def cmd_reject(args):
+    src, path = find_token(args.token)
+    if path is None or src != PENDING:
+        print(f"token not in pending state", file=sys.stderr)
+        return 1
+    record = json.loads(path.read_text())
+    record["rejected_at"] = utcnow()
+    record["rejecter"] = args.actor or os.environ.get("SUDO_USER") or os.environ.get("USER") or "cli"
+    write_record(PROCESSED, args.token, {**record, "outcome": "rejected"})
+    path.unlink()
+    log_event({"event": "rejected", "token": args.token, "actor": record["rejecter"]})
+    print(f"rejected {args.token}")
+    return 0
+
+
+def cmd_status(args):
+    counts = {}
+    for name, d in (("pending", PENDING), ("approved", APPROVED), ("processed", PROCESSED)):
+        counts[name] = len(list(d.glob("*.json"))) if d.exists() else 0
+    print(f"pending={counts['pending']} approved={counts['approved']} processed={counts['processed']}")
+    if PENDING.exists():
+        for path in sorted(PENDING.glob("*.json")):
+            r = json.loads(path.read_text())
+            ttl = int(r.get("expires_at_epoch", 0)) - epoch()
+            print(f"  {r['token']}  {r.get('kind')}  ttl={ttl}s  {r.get('summary', '')[:60]}")
+    return 0
+
+
+def cmd_execute(args):
+    """invoke executor for each approved record. external script handles each kind."""
+    executor = "/usr/local/sbin/fleet-guard-execute"
+    if not Path(executor).exists():
+        print(f"executor not installed at {executor}", file=sys.stderr)
+        return 1
+    count = 0
+    for path in sorted(APPROVED.glob("*.json")):
+        record = json.loads(path.read_text())
+        try:
+            res = subprocess.run([executor], input=json.dumps(record), capture_output=True,
+                                 text=True, timeout=120)
+            ok = res.returncode == 0
+            outcome = "executed" if ok else "execute_failed"
+            record["executed_at"] = utcnow()
+            record["outcome"] = outcome
+            record["executor_stdout"] = res.stdout[-2000:]
+            record["executor_stderr"] = res.stderr[-2000:]
+            write_record(PROCESSED, record["token"], record)
+            path.unlink()
+            log_event({"event": outcome, "token": record["token"], "kind": record.get("kind")})
+            count += 1
+        except Exception as e:
+            log_event({"event": "execute_error", "token": record["token"], "err": str(e)})
+    print(f"processed {count} approvals")
+    return 0
+
+
+def main():
+    p = argparse.ArgumentParser(prog="fleet-guard")
+    sub = p.add_subparsers(dest="cmd", required=True)
+
+    sp = sub.add_parser("hold")
+    sp.add_argument("kind")
+    sp.add_argument("summary")
+    sp.add_argument("--payload", default="")
+    sp.set_defaults(fn=cmd_hold)
+
+    sp = sub.add_parser("list")
+    sp.add_argument("where", nargs="?", default="pending",
+                    choices=["pending", "approved", "processed"])
+    sp.set_defaults(fn=cmd_list)
+
+    sp = sub.add_parser("show")
+    sp.add_argument("token")
+    sp.set_defaults(fn=cmd_show)
+
+    sp = sub.add_parser("approve")
+    sp.add_argument("token")
+    sp.add_argument("--actor", default="")
+    sp.set_defaults(fn=cmd_approve)
+
+    sp = sub.add_parser("reject")
+    sp.add_argument("token")
+    sp.add_argument("--actor", default="")
+    sp.set_defaults(fn=cmd_reject)
+
+    sp = sub.add_parser("status")
+    sp.set_defaults(fn=cmd_status)
+
+    sp = sub.add_parser("execute")
+    sp.set_defaults(fn=cmd_execute)
+
+    args = p.parse_args()
+    sys.exit(args.fn(args))
+
+
+if __name__ == "__main__":
+    main()