Create a system user and generate an SSH key for the user for continuous deployment.
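#!/bin/bash
# Make sure that you have a `cd` group for continuous deployment purposes.
# Also make sure that this group is already in the `sudoers.d` file, allowing
# sudo for systemctl operations ONLY (possibly git, if you want as well).
# This will output the SSH private key on your current directory.
# To delete the generated user, use `deluser --remove-home <username>`
# Tested on Debian 11.
# Usage: curl -sL "https://gist.github.com/ChlodAlejandro/8a3abbf00a80adeda48bd77f36052d86/raw" | sudo bash
# Safety is our number one priority.
#
# Flow: prompt for a user name, create a locked-down system account under
# /etc/cd.homes whose primary group is `cd`, generate an ed25519 key pair,
# install the public half in the account's authorized_keys and copy the
# private half (mode 600) into $PWD so it can be stored as a CI secret.
# Optionally records a default working directory in the account's .profile
# and pins github.com's host key in the account's known_hosts.
#
# Every prompt reads from /dev/tty because stdin is the curl pipe in the
# documented usage.
set -euo pipefail

readonly CD_GROUP=cd
readonly HOMES_DIR=/etc/cd.homes

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Show a prompt and read one line from the terminal.
# Arguments: $1 - prompt text
#            $2 - name of the variable to fill
#######################################
prompt() {
  printf '%s' "$1"
  IFS= read -r "$2" < /dev/tty
}

#######################################
# Make the account's ~/.ssh usable by the account: directory 0700, every
# file inside 0600, everything owned by the account. Several steps below
# write into ~/.ssh as root, so this runs last; a 0600 directory (as a
# recursive chmod would produce) cannot be traversed by the account itself.
# Globals: NEW_USER_NAME, NEW_USER_HOME, CD_GROUP (read)
#######################################
secure_ssh_dir() {
  local ssh_dir="$NEW_USER_HOME/.ssh"
  [ -d "$ssh_dir" ] || return 0
  chown -R -- "$NEW_USER_NAME:$CD_GROUP" "$ssh_dir"
  chmod 700 -- "$ssh_dir"
  find "$ssh_dir" -type f -exec chmod 600 -- {} +
}

# Everything below needs root (adduser, chown, writing under /etc).
[ "$EUID" -eq 0 ] || die "Please run this script as root."
# chown/adduser below refer to this group; fail early with a clear message
# instead of half-way through.
getent group "$CD_GROUP" > /dev/null \
  || die "Group '$CD_GROUP' does not exist. Create it first (see the header comment)."

echo "This script will create a user and generate an SSH key for that user."
echo "Please input the name of the user. This is usually your project name."
prompt "Name: " NEW_USER_NAME

if [ -z "$NEW_USER_NAME" ]; then
  echo "No user provided. Exiting..."
  exit
fi
# The name becomes a path component and an argument to adduser, chown and
# sudo, so only accept a conventional lower-case user name.
user_name_re='^[a-z_][a-z0-9_-]{0,31}$'
[[ "$NEW_USER_NAME" =~ $user_name_re ]] \
  || die "Invalid user name '$NEW_USER_NAME' (use a-z, 0-9, '_' or '-', starting with a letter or '_')."
NEW_USER_HOME="$HOMES_DIR/$NEW_USER_NAME"

if ! id -u "$NEW_USER_NAME" > /dev/null 2>&1; then
  if [ ! -d "$HOMES_DIR" ]; then
    echo ""
    echo ":: Making homes directory..."
    if ! mkdir -- "$HOMES_DIR"; then
      echo "Failed to create homes directory!" >&2
      die "Please ensure that $HOMES_DIR/ is writable and is not a file."
    fi
  fi

  echo ""
  echo ":: Ensuring permissions on $HOMES_DIR/ ..."
  # root-owned; members of `cd` may traverse it to reach their own home.
  chown "root:$CD_GROUP" "$HOMES_DIR"
  chmod 750 "$HOMES_DIR"

  echo ""
  echo ":: Creating user..."
  # --ingroup puts the account into the existing `cd` group; --group would
  # instead ask adduser to create a new group named after the user.
  adduser --system \
    --shell /usr/sbin/nologin \
    --home "$NEW_USER_HOME" \
    --disabled-password \
    --disabled-login \
    --ingroup "$CD_GROUP" \
    "$NEW_USER_NAME"

  echo ""
  echo ":: Generating SSH key..."
  # -p: adduser may or may not have created the directory already.
  mkdir -p "$NEW_USER_HOME/.ssh"
  ssh-keygen -t ed25519 -a 100 -C "Continuous Deployment SSH key" -f "$NEW_USER_HOME/.ssh/id_ed25519"

  echo ""
  echo ":: Key created: $NEW_USER_HOME/.ssh/id_ed25519"
  echo ":: Storing key in authorized_keys..."
  cat "$NEW_USER_HOME/.ssh/id_ed25519.pub" >> "$NEW_USER_HOME/.ssh/authorized_keys"

  echo ""
  echo ":: Setting up Git config..."
  if command -v git > /dev/null; then
    # -H: write the config into the new account's home, not root's.
    sudo -H -u "$NEW_USER_NAME" git config --global pull.ff only
  else
    echo "git is not installed; skipping Git config." >&2
  fi

  echo ""
  echo ":: Securing permissions..."
  chown -R "$NEW_USER_NAME:$CD_GROUP" "$NEW_USER_HOME"
  # Directories 750, regular files 640 (X adds execute only on directories
  # and on files that already had it). ~/.ssh is tightened separately.
  chmod -R u=rwX,g=rX,o= "$NEW_USER_HOME"
  secure_ssh_dir

  echo ""
  echo ":: Copying private key to current directory..."
  # Explicit mode 600: a plain cp would take root's umask, typically 644.
  install -m 600 "$NEW_USER_HOME/.ssh/id_ed25519" "$PWD/$NEW_USER_NAME.id_ed25519"

  echo ""
  echo ""
  echo ""
  echo "Done!"
  echo "The private key for the user can be found at: $PWD/$NEW_USER_NAME.id_ed25519"
  echo "You can now import this as a secret on GitHub or GitLab."
  echo ""
  echo "Press ENTER to continue configuration, or Ctrl+C to stop here."
  echo ""
  IFS= read -r -s < /dev/tty
else
  echo ""
  echo "WARNING: User already exists."
  echo ""
  echo "You can choose to continue with configuration or exit. If the user"
  echo "was not made with this script, this WILL cause issues."
  echo ""
  prompt "Continue with configuration? (y/N): " CONFIGURATION_ANYWAY
  case "$CONFIGURATION_ANYWAY" in
    y|Y)
      echo ""
      echo ":: Continuing with configuration..."
      ;;
    *)
      exit
      ;;
  esac
fi

prompt "Default PWD (leave unset to skip): " NEW_DEFAULT_PWD
if [ -n "$NEW_DEFAULT_PWD" ]; then
  echo ""
  echo ":: Setting default PWD..."
  # %q shell-quotes the path so spaces or metacharacters cannot break or
  # alter the generated .profile line.
  printf 'cd %q\n' "$NEW_DEFAULT_PWD" >> "$NEW_USER_HOME/.profile"
  echo "source ~/.profile" >> "$NEW_USER_HOME/.bashrc"
  # Files appended as root may have been created root-owned.
  chown "$NEW_USER_NAME:$CD_GROUP" "$NEW_USER_HOME/.profile" "$NEW_USER_HOME/.bashrc"
fi

prompt "Configure GitHub keys? (Y/n): " CONFIGURE_GITHUB
case "$CONFIGURE_GITHUB" in
  n|N)
    echo "Skipping GitHub key authentication."
    ;;
  *)
    # Prefer the host key already pinned in root's known_hosts (-F also
    # prints "# Host ..." comment lines, dropped here); fall back to a live
    # scan. Either source may yield several key lines (one per key type).
    GITHUB_KEY=$(ssh-keygen -F github.com 2> /dev/null | grep -v '^#' || true)
    if [ -z "$GITHUB_KEY" ]; then
      GITHUB_KEY=$(ssh-keyscan github.com 2> /dev/null || true)
    fi
    if [ -z "$GITHUB_KEY" ]; then
      echo "Could not obtain a host key for github.com. Not adding GitHub keys to known_hosts." >&2
    else
      # Keep the key lines intact (one per line) so ssh-keygen -l prints one
      # fingerprint per key for the operator to compare.
      GITHUB_FINGERPRINT=$(printf '%s\n' "$GITHUB_KEY" | ssh-keygen -lf - 2> /dev/null | grep -o "SHA256:\S*" || true)
      echo "Please verify that the SSH keys are correct: "
      echo " RSA: SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"
      echo " ECDSA: SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"
      echo " ED25519: SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"
      echo " DSA: SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (before 11/16/2021 only)"
      echo ""
      echo "Received fingerprint: $GITHUB_FINGERPRINT"
      prompt "Correct? (y/N): " GITHUB_KEYS_OK
      case "$GITHUB_KEYS_OK" in
        y|Y)
          # The existing-user path may not have ~/.ssh yet.
          mkdir -p "$NEW_USER_HOME/.ssh"
          printf '%s\n' "$GITHUB_KEY" >> "$NEW_USER_HOME/.ssh/known_hosts"
          ;;
        *)
          echo "Keys not trusted. Not adding GitHub keys to known_hosts."
          ;;
      esac
    fi
    ;;
esac

# known_hosts (and, on the new-user path, everything else) was written as
# root; hand ~/.ssh back to the account with ssh-acceptable modes.
if [ -d "$NEW_USER_HOME/.ssh" ]; then
  echo ""
  echo ":: Securing permissions on $NEW_USER_HOME/.ssh ..."
  secure_ssh_dir
fi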