Create a system user and generate an SSH key for the user for continuous deployment.
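#!/bin/bash
# Create a system user and generate an SSH key for it, for continuous deployment.
#
# Prerequisites:
#   * A `cd` group must exist: the new user is placed in it and /etc/cd.homes is
#     group-owned by it. The script checks for the group and aborts if missing.
#   * If that group is granted `sudo systemctl ...` in sudoers.d, restrict the
#     rule to the specific subcommands/units the pipeline needs; an unrestricted
#     `systemctl` (e.g. `systemctl edit`, `systemctl link`) is equivalent to root.
#
# Output: the generated private key is copied into the current directory as
# <name>.id_ed25519 (mode 0600, owned by root). Upload it to the CI/CD secret
# store and delete the local copy afterwards.
#
# To delete a generated user: `deluser --remove-home <username>`
# Tested on Debian 11.
#
# Usage: curl -sL "https://gist.github.com/ChlodAlejandro/8a3abbf00a80adeda48bd77f36052d86/raw" | sudo bash
# Piping a remote script into a root shell runs whatever the server returns;
# prefer downloading it first, reading it, then running `sudo bash ./script.sh`.
# Interactive prompts read from /dev/tty so they keep working when stdin is the pipe.
set -euo pipefail

# Must run as root: the script calls adduser/chown and writes under /etc.
# The original only printed the message and kept going.
if [[ "$EUID" -ne 0 ]]; then
  echo "Please run this script as root." >&2
  exit 1
fi

# The `cd` group is the new user's primary group and the group owner of
# /etc/cd.homes; fail early instead of halfway through user creation.
if ! getent group cd >/dev/null; then
  echo "Group 'cd' does not exist. Create it first (e.g. addgroup cd)." >&2
  exit 1
fi

echo "This script will create a user and generate an SSH key for that user."
echo "Please input the name of the user. This is usually your project name."
printf 'Name: '
read -r NEW_USER_NAME < /dev/tty

if [[ -z "$NEW_USER_NAME" ]]; then
  echo "No user provided. Exiting..."
  exit
fi

# The name becomes a path component under /etc/cd.homes and an adduser
# argument; restrict it to a conventional account name so it can contain
# neither '/' nor '..'.
if [[ ! "$NEW_USER_NAME" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
  printf "Invalid user name '%s': use lowercase letters, digits, '_' or '-', starting with a letter or '_'.\n" "$NEW_USER_NAME" >&2
  exit 1
fi

NEW_USER_HOME="/etc/cd.homes/$NEW_USER_NAME"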
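# Create the account unless it already exists; the set +e / $? dance of the
# original is replaced by testing the command directly.
if ! id -u "$NEW_USER_NAME" >/dev/null 2>&1; then
  if [[ ! -d /etc/cd.homes ]]; then
    echo ""
    echo ":: Making homes directory..."
    # Exit non-zero on failure (the original's bare `exit` returned 0).
    if ! mkdir /etc/cd.homes; then
      echo "Failed to create homes directory!" >&2
      echo "Please ensure that /etc/cd.homes/ is writable and is not a file." >&2
      exit 1
    fi
  fi

  echo ""
  echo ":: Ensuring permissions on /etc/cd.homes/ ..."
  chown root:cd /etc/cd.homes/
  chmod 750 /etc/cd.homes/

  echo ""
  echo ":: Creating user..."
  # `--ingroup cd` puts the user into the existing `cd` group. The original used
  # `--group cd`, but combined with --system adduser's `--group` takes no
  # argument (it creates a group named after the user), so `cd` was not consumed
  # as the group name. `--disabled-login` is dropped: per adduser(8) it leaves
  # the account unusable until a password is set, whereas `--disabled-password`
  # still permits key-based logins.
  # NOTE(review): the login shell is /usr/sbin/nologin. sshd runs remote commands
  # through the account's shell, so `ssh <user>@host <cmd>` with the key below
  # will be refused unless the pipeline relies on something not shown here
  # (e.g. a ForceCommand) — confirm before relying on this account for deploys.
  adduser --system \
    --shell /usr/sbin/nologin \
    --home "$NEW_USER_HOME" \
    --disabled-password \
    --ingroup cd \
    "$NEW_USER_NAME"

  echo ""
  echo ":: Generating SSH key..."
  # The original tested /etc/cd.homes/.ssh instead of the user's own .ssh.
  mkdir -p -m 700 "$NEW_USER_HOME/.ssh"
  # ssh-keygen prompts for a passphrase on /dev/tty. A CI/CD secret store needs
  # the key unencrypted, so press Enter for an empty passphrase.
  ssh-keygen -t ed25519 -a 100 -C "Continuous Deployment SSH key" -f "$NEW_USER_HOME/.ssh/id_ed25519"
  echo ""
  echo ":: Key created: $NEW_USER_HOME/.ssh/id_ed25519"
  echo ":: Storing key in authorized_keys..."
  # This key authorizes inbound logins as the deploy user (and, if the GitHub
  # section below is used, the same key also serves as the outbound deploy
  # key). Limit what a session holding it can do: no tunnels, no agent or X11
  # forwarding.
  {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding '
    cat "$NEW_USER_HOME/.ssh/id_ed25519.pub"
  } >> "$NEW_USER_HOME/.ssh/authorized_keys"

  echo ""
  echo ":: Setting up Git config..."
  # -H makes HOME the target user's home regardless of sudoers env settings,
  # so the config lands in $NEW_USER_HOME/.gitconfig. Requires git installed.
  sudo -H -u "$NEW_USER_NAME" git config --global pull.ff only

  echo ""
  echo ":: Securing permissions..."
  chown -R "$NEW_USER_NAME:cd" "$NEW_USER_HOME"
  # Strip world access without adding execute bits to regular files (the
  # original `chmod -R 750` did). sshd's StrictModes needs the home, .ssh and
  # authorized_keys to be non-writable by group/others, and .ssh must remain
  # traversable (0700): the original `chmod -R 600` on .ssh removed the
  # directory's execute bit, leaving its files unreachable for ssh and sshd.
  chmod -R o-rwx "$NEW_USER_HOME"
  chmod 750 "$NEW_USER_HOME"
  chmod 700 "$NEW_USER_HOME/.ssh"
  find "$NEW_USER_HOME/.ssh" -type f -exec chmod 600 {} +

  echo ""
  echo ":: Copying private key to current directory..."
  # Root-owned, mode 0600 regardless of umask or a pre-existing destination.
  # The private key also stays in $NEW_USER_HOME/.ssh on this host.
  install -m 0600 "$NEW_USER_HOME/.ssh/id_ed25519" "$PWD/$NEW_USER_NAME.id_ed25519"
  echo ""
  echo ""
  echo ""
  echo "Done!"
  echo "The private key for the user can be found at: $PWD/$NEW_USER_NAME.id_ed25519"
  echo "You can now import this as a secret on GitHub or GitLab."
  echo "Delete the local copy once it has been uploaded."
  echo ""
  echo "Press ENTER to continue configuration, or Ctrl+C to stop here."
  echo ""
  read -r -s < /dev/tty
else
  echo ""
  echo "WARNING: User already exists."
  echo ""
  echo "You can choose to continue with configuration or exit. If the user"
  echo "was not made with this script, this WILL cause issues."
  echo ""
  printf 'Continue with configuration? (y/N): '
  read -r CONFIGURATION_ANYWAY < /dev/tty
  if [[ "$CONFIGURATION_ANYWAY" != [yY] ]]; then
    exit
  fi
  echo ""
  echo ":: Continuing with configuration..."
fi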
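# Optional: make interactive sessions start in a chosen directory. These
# dotfiles are only consulted by a bash login shell; they are ignored while the
# account's shell is /usr/sbin/nologin.
printf 'Default PWD (leave unset to skip): '
read -r NEW_DEFAULT_PWD < /dev/tty
if [[ -n "$NEW_DEFAULT_PWD" ]]; then
  echo ""
  echo ":: Setting default PWD..."
  # %q shell-quotes the path so the generated `cd` survives spaces and
  # metacharacters; the original wrote the value unquoted into .profile.
  printf 'cd %q\n' "$NEW_DEFAULT_PWD" >> "$NEW_USER_HOME/.profile"
  echo "source ~/.profile" >> "$NEW_USER_HOME/.bashrc"
  # Appended as root; give the files to the account they belong to.
  chown "$NEW_USER_NAME" "$NEW_USER_HOME/.profile" "$NEW_USER_HOME/.bashrc"
fi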
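printf 'Configure GitHub keys? (Y/n): '
read -r CONFIGURE_GITHUB < /dev/tty
if [[ "$CONFIGURE_GITHUB" == [nN] ]]; then
  echo "Skipping GitHub key authentication."
else
  # Take github.com's host keys from root's known_hosts when already present
  # (ssh-keygen -F), otherwise from a live ssh-keyscan. A keyscan is an
  # unauthenticated trust-on-first-use fetch, which is why the fingerprints are
  # shown for a manual check below. The "# Host ... found" comment lines that
  # -F prints are dropped. `|| true`: a failed lookup is reported here instead
  # of aborting silently through set -e.
  GITHUB_KEY=$( { ssh-keygen -F github.com || ssh-keyscan github.com 2>/dev/null; } | grep -v '^#' ) || true
  if [[ -z "$GITHUB_KEY" ]]; then
    echo "Could not obtain GitHub host keys (no network?). Not adding GitHub keys to known_hosts." >&2
  else
    # One key per line. The original's unquoted `echo $GITHUB_KEY` joined every
    # scanned key onto a single line, so only the first key was fingerprinted
    # and the saved known_hosts entry carried the others as a trailing comment.
    GITHUB_FINGERPRINT=$(printf '%s\n' "$GITHUB_KEY" | ssh-keygen -lf - | grep -oE 'SHA256:[^ ]+')
    echo "Please verify that the SSH keys are correct: "
    # Published fingerprints as of October 2021. GitHub rotates host keys (its
    # RSA key was replaced in March 2023), so compare against the current list at
    # https://docs.github.com/en/authentication/keeping-your-ssh-keys-and-passphrases-secure/githubs-ssh-key-fingerprints
    # rather than trusting this table alone.
    echo " RSA: SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"
    echo " ECDSA: SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"
    echo " ED25519: SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"
    echo " DSA: SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (before 11/16/2021 only)"
    echo ""
    echo "Received fingerprints:"
    echo "$GITHUB_FINGERPRINT"
    printf 'Correct? (y/N): '
    read -r GITHUB_KEYS_OK < /dev/tty
    if [[ "$GITHUB_KEYS_OK" == [yY] ]]; then
      # Stage the verified lines for the known_hosts merge that follows.
      mkdir -p -m 700 "$NEW_USER_HOME/.ssh"
      printf '%s\n' "$GITHUB_KEY" >> "$NEW_USER_HOME/.ssh/known_hosts_temp"
    else
      echo "Keys not trusted. Not adding GitHub keys to known_hosts."
    fi
  fi
fi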
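# Merge the staged, operator-verified host keys into the user's known_hosts.
if [[ -f "$NEW_USER_HOME/.ssh/known_hosts_temp" ]]; then
  echo ""
  echo ":: Setting keys..."
  cat "$NEW_USER_HOME/.ssh/known_hosts_temp" >> "$NEW_USER_HOME/.ssh/known_hosts"
  # The staging file was never removed by the original; drop it now.
  rm -f "$NEW_USER_HOME/.ssh/known_hosts_temp"
  # known_hosts is appended as root; hand it to the account so its ssh client
  # can read it (a root-owned 0600 file is unreadable for the user).
  chown "$NEW_USER_NAME" "$NEW_USER_HOME/.ssh/known_hosts"
  # Files 0600, directory 0700. The original `chmod -R 600` also stripped the
  # execute bit from .ssh itself, which makes the directory non-traversable and
  # its files unreachable for ssh/sshd.
  chmod 700 "$NEW_USER_HOME/.ssh"
  find "$NEW_USER_HOME/.ssh" -type f -exec chmod 600 {} +
fi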