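#!/bin/bash
#
# baseline.sh — first-login setup of a freshly created DigitalOcean droplet.
#
# Connects to REMOTEHOST as root over ssh (the root credential the droplet
# was created with must already work), and from there:
#   1. edits /etc/ssh/sshd_config (root by key only, no password auth, no X11),
#   2. installs KEYFILE as an authorized key for root,
#   3. creates USERNAME with the same key, optionally with sudo and a group.
#
# Needs ssh and scp locally; sed, install, useradd (and visudo for -s) on the
# remote host.
#
# Usage info ($0 is expanded here, so the delimiter stays unquoted)
read -r -d '' helptext <<- EOF
Usage: ${0##*/} [-gsh] -k KEYFILE -r REMOTEHOST -u USERNAME
Initialize a fresh, new DigitalOcean droplet.
Required:
-k, --keyfile KEYFILE Path to SSH public key file to install.
-r, --remotehost REMOTEHOST Remote host to connect to and initialize.
-u, --user USERNAME User name to add.
Optional:
-g, --group GROUPNAME Add user to the specified group.
-s, --sudo Add user to /etc/sudoers.
-h, --help Display this help and exit.
EOF
readonly helptext
# Option values; filled in by the argument loop below.
keyfile=""      # -k: local path of the public key to install
remotehost=""   # -r: host or IP, always reached as root@REMOTEHOST
username=""     # -u: account to create on the remote host
groupname=""    # -g: optional supplementary group for USERNAME
usesudo=0       # -s: 1 -> grant USERNAME passwordless sudo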
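#######################################
# Parse the command line into the option globals.
# Globals:   keyfile, remotehost, username, groupname, usesudo (written);
#            helptext (read, for -h)
# Arguments: the script's positional parameters ("$@")
# Outputs:   help text to stdout (-h); diagnostics to stderr
# Returns:   0 once the first non-option argument (or "--") is reached;
#            exits 1 on a missing/invalid option value, 2 on an unknown
#            option, 0 after printing help
#######################################
parse_args() {
  # User and group names are spliced into remote shell commands and into
  # /etc/sudoers further down, so only the conservative portable charset is
  # accepted (useradd rejects most other names anyway).
  local -r name_re='^[a-z_][a-z0-9_-]{0,31}$'
  while :; do
    case "$1" in
      -k|--keyfile)
        [[ -n "$2" ]] || { echo "Key file must be specified." >&2; exit 1; }
        if [[ ! -f "$2" || ! -r "$2" ]]; then
          echo "Key file $2 doesn't exist or is not readable." >&2
          exit 1
        fi
        # The file ends up in authorized_keys on the host; refuse the classic
        # mix-up of handing over the private half of the key pair.
        if grep -q -- 'PRIVATE KEY' "$2"; then
          echo "Key file $2 looks like a private key; pass the .pub file." >&2
          exit 1
        fi
        keyfile=$2
        shift 2
        ;;
      -r|--remotehost)
        [[ -n "$2" ]] || { echo "Remote host must be specified." >&2; exit 1; }
        remotehost=$2
        shift 2
        ;;
      -g|--group)
        [[ -n "$2" ]] || { echo "$1 Requires a group name." >&2; exit 1; }
        [[ "$2" =~ $name_re ]] || { echo "Invalid group name: $2" >&2; exit 1; }
        groupname=$2
        shift 2
        ;;
      -u|--user)
        [[ -n "$2" ]] || { echo "$1 Requires a user name." >&2; exit 1; }
        [[ "$2" =~ $name_re ]] || { echo "Invalid user name: $2" >&2; exit 1; }
        username=$2
        shift 2
        ;;
      -s|--sudo)
        usesudo=1
        shift
        ;;
      -h|--help)
        echo "$helptext"
        exit
        ;;
      --)
        shift
        break
        ;;
      -?*)
        # A misspelled option used to fall through silently; make it loud.
        echo "Unknown option: $1 (try --help)" >&2
        exit 2
        ;;
      *)
        # First non-option argument, or no arguments left: stop parsing.
        break
        ;;
    esac
  done
}
parse_args "$@"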
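# Verify required information is present before touching the remote host.
# Usage errors go to stderr so they are not swallowed by a caller that
# captures stdout.
if [[ -z "$keyfile" ]]; then
  echo "A key file must be specified (-k). Try --help." >&2
  exit 1
elif [[ -z "$username" ]]; then
  echo "A user name must be specified (-u). Try --help." >&2
  exit 1
elif [[ -z "$remotehost" ]]; then
  echo "A remote host must be specified (-r). Try --help." >&2
  exit 1
fi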
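# Tighten up OpenSSH security some: root may log in by key only, password
# authentication is off, X11 forwarding is off.
# Only the file is edited here; the running sshd is not reloaded at this
# point, so the rest of this script can still authenticate with whatever
# root credential it started with.
echo "Configuring OpenSSH"
# GNU sed BRE. `^#\?\s*` also matches the commented-out defaults a stock
# sshd_config ships with (the original only caught the commented form of
# PasswordAuthentication and would have left an active "yes" in place);
# `\s\+` tolerates more than one blank between keyword and value.
# "without-password" is the older spelling of "prohibit-password"; current
# sshd still accepts it.
read -r -d '' sedscript <<-'EOF'
s/^#\?\s*PermitRootLogin\s\+yes/PermitRootLogin without-password/;
s/^#\?\s*PasswordAuthentication\s\+yes/PasswordAuthentication no/;
s/^#\?\s*X11Forwarding\s\+yes/X11Forwarding no/
EOF
# -i.backup leaves the untouched original next to the file for rollback.
# A failure here means nothing else in this script is worth attempting.
ssh "root@${remotehost}" "sed -i.backup -e \"$sedscript\" /etc/ssh/sshd_config" \
  || { echo "Failed to edit sshd_config on $remotehost" >&2; exit 1; }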
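# Setup root user's ~/.ssh/ directory with the supplied public key.
echo "Setting up /root/.ssh/"
ssh "root@${remotehost}" "install -d -m 700 /root/.ssh" \
  || { echo "Failed to create /root/.ssh on $remotehost" >&2; exit 1; }
# The key is staged as baseline.key and left in place; the user-setup step
# below reads it again. `--` keeps a key path starting with "-" from being
# parsed as an scp option.
scp -- "$keyfile" "root@${remotehost}:/root/.ssh/baseline.key" \
  || { echo "Failed to copy $keyfile to $remotehost" >&2; exit 1; }
# `set -e` on the remote side: if the staged key is missing, stop instead of
# quietly chmod-ing an authorized_keys that never got the key.
read -r -d '' sshcommands <<-'EOF'
set -e
cat /root/.ssh/baseline.key >> /root/.ssh/authorized_keys
chown root:root /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
EOF
ssh "root@${remotehost}" "$sshcommands" \
  || { echo "Failed to install root's authorized_keys on $remotehost" >&2; exit 1; }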
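# Add and setup the new user with the same public key (staged as
# /root/.ssh/baseline.key by the root setup step above).
echo "Setting up new user $username"
# $username is expanded locally and spliced into a remote shell script, so
# every occurrence is single-quoted on the remote side; a name containing a
# quote breaks the script instead of becoming extra commands.
# -U creates a group named after the user, which -g/chown below rely on.
# The home directory is assumed to be /home/USERNAME (useradd -m default)
# — confirm if the image sets a different HOME base.
# The `id` check lets a re-run skip useradd rather than fail on it.
read -r -d '' sshcommands <<-EOF
set -e
id -u '$username' >/dev/null 2>&1 || useradd -m -U -c '$username' -s /bin/bash '$username'
install -d -m 700 -o '$username' -g '$username' '/home/$username/.ssh'
cat /root/.ssh/baseline.key >> '/home/$username/.ssh/authorized_keys'
chown '$username:$username' '/home/$username/.ssh/authorized_keys'
chmod 600 '/home/$username/.ssh/authorized_keys'
EOF
ssh "root@${remotehost}" "$sshcommands" \
  || { echo "Failed to set up user $username on $remotehost" >&2; exit 1; }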
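# Add user to sudoers. NOPASSWD: ALL makes USERNAME root-equivalent without
# a password prompt — that is what -s asks for, so it is kept as is.
if [[ $usesudo -eq 1 ]]; then
  echo "Adding $username to sudoers"
  # Edit a copy and have visudo check it before it replaces the real file:
  # a bad line appended straight to /etc/sudoers breaks sudo for everyone.
  # visudo -c also rejects a file that is not mode 0440, hence the chmod on
  # the copy. A re-run skips an entry that is already present.
  # `\$tmp` is escaped so the name is resolved on the remote side only;
  # '$username' is expanded locally into a quoted remote literal.
  read -r -d '' sshcommands <<EOF
set -e
if ! grep -qxF '$username ALL=(ALL:ALL) NOPASSWD: ALL' /etc/sudoers; then
  tmp=\$(mktemp)
  cp /etc/sudoers "\$tmp"
  printf '%s ALL=(ALL:ALL) NOPASSWD: ALL\n' '$username' >> "\$tmp"
  chmod 0440 "\$tmp"
  visudo -c -f "\$tmp"
  cp "\$tmp" /etc/sudoers
  rm -f "\$tmp"
fi
EOF
  ssh "root@${remotehost}" "$sshcommands" \
    || { echo "Failed to add $username to sudoers on $remotehost" >&2; exit 1; }
fi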
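# Add user to a specified group. groupadd -f is a no-op when the group
# already exists, so this is safe to re-run; usermod only runs if it
# succeeded.
if [[ -n "$groupname" ]]; then
  echo "Adding $username to $groupname"
  ssh "root@${remotehost}" "groupadd -f '$groupname' && usermod -aG '$groupname' '$username'" \
    || { echo "Failed to add $username to $groupname on $remotehost" >&2; exit 1; }
fi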
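# Apply the sshd_config edits made earlier. Until now the running daemon
# was still serving its old configuration; root and USERNAME both have the
# key by this point, so it is safe for sshd to stop accepting passwords.
# `sshd -t` refuses to go ahead with a config that does not parse — an
# unapplied broken config is recoverable from the next login, an applied
# one may not be. The service name differs by distro (ssh on Debian/Ubuntu,
# sshd on RHEL/CentOS), so both are tried. A failure is reported, not
# fatal: the edited file is still picked up on the next sshd restart.
# /usr/sbin/sshd is the usual daemon path — confirm for other images.
if ! ssh "root@${remotehost}" "/usr/sbin/sshd -t && { service ssh reload 2>/dev/null || service sshd reload; }"; then
  echo "Warning: could not reload sshd on $remotehost; sshd_config changes apply at the next restart." >&2
fi
# Backticks stay literal inside the single-quoted format string; inside
# double quotes they would run ssh as a command substitution instead of
# printing the hint.
printf 'Done. You may now `ssh %s@%s`.\n' "$username" "$remotehost"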