108 lines
2.7 KiB
Bash
108 lines
2.7 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
|
||
if [ "$(id -u)" -ne 0 ]; then
|
||
echo "❌ Must be run as root"
|
||
exit 1
|
||
fi
|
||
|
||
# --- ask for username ---
|
||
read -rp "Enter username to create: " NEWUSER
|
||
|
||
# --- ask for SSH public key ---
|
||
read -rp "Enter SSH public key (or path to pubkey file): " PUBKEYINPUT
|
||
if [ -f "$PUBKEYINPUT" ]; then
|
||
PUBKEY="$(cat "$PUBKEYINPUT")"
|
||
else
|
||
PUBKEY="$PUBKEYINPUT"
|
||
fi
|
||
|
||
# --- ensure user exists ---
|
||
if id "$NEWUSER" >/dev/null 2>&1; then
|
||
echo "✅ User $NEWUSER already exists"
|
||
else
|
||
echo "➕ Creating user $NEWUSER"
|
||
useradd -m -s /bin/bash "$NEWUSER"
|
||
fi
|
||
|
||
USERHOME=$(eval echo "~$NEWUSER")
|
||
|
||
# --- setup SSH authorized_keys ---
|
||
mkdir -p "$USERHOME/.ssh"
|
||
chmod 700 "$USERHOME/.ssh"
|
||
echo "$PUBKEY" > "$USERHOME/.ssh/authorized_keys"
|
||
chmod 600 "$USERHOME/.ssh/authorized_keys"
|
||
chown -R "$NEWUSER":"$NEWUSER" "$USERHOME/.ssh"
|
||
echo "✅ SSH key installed for $NEWUSER"
|
||
|
||
# --- ensure ourworld group exists ---
|
||
if getent group ourworld >/dev/null 2>&1; then
|
||
echo "✅ Group 'ourworld' exists"
|
||
else
|
||
echo "➕ Creating group 'ourworld'"
|
||
groupadd ourworld
|
||
fi
|
||
|
||
# --- add user to group ---
|
||
if id -nG "$NEWUSER" | grep -qw ourworld; then
|
||
echo "✅ $NEWUSER already in 'ourworld'"
|
||
else
|
||
usermod -aG ourworld "$NEWUSER"
|
||
echo "✅ Added $NEWUSER to 'ourworld' group"
|
||
fi
|
||
|
||
# --- setup /code ---
|
||
mkdir -p /code
|
||
chown root:ourworld /code
|
||
chmod 2775 /code # rwx for user+group, SGID bit so new files inherit group
|
||
echo "✅ /code prepared (group=ourworld, rwx for group, SGID bit set)"
|
||
|
||
# --- create login helper script for gpg-agent ---
|
||
PROFILE_SCRIPT="$USERHOME/.profile_gpgagent"
|
||
cat > "$PROFILE_SCRIPT" <<'EOF'
|
||
# Auto-start gpg-agent with SSH support if not running
|
||
mkdir -p "$HOME/.gnupg"
|
||
chmod 700 "$HOME/.gnupg"
|
||
|
||
# Always overwrite gpg-agent.conf with required config
|
||
cat > "$HOME/.gnupg/gpg-agent.conf" <<CONF
|
||
enable-ssh-support
|
||
default-cache-ttl 7200
|
||
max-cache-ttl 7200
|
||
CONF
|
||
|
||
# Kill old agent if any (so config is applied)
|
||
gpgconf --kill gpg-agent 2>/dev/null || true
|
||
|
||
# Launch gpg-agent
|
||
gpgconf --launch gpg-agent
|
||
|
||
# Export socket path so ssh-add works
|
||
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
|
||
|
||
# Load all private keys found in ~/.ssh
|
||
if [ -d "$HOME/.ssh" ]; then
|
||
for KEY in "$HOME"/.ssh/*; do
|
||
if [ -f "$KEY" ] && grep -q "PRIVATE KEY" "$KEY" 2>/dev/null; then
|
||
ssh-add "$KEY" >/dev/null 2>&1 && echo "🔑 Loaded key: $KEY"
|
||
fi
|
||
done
|
||
fi
|
||
|
||
# For interactive shells
|
||
if [[ $- == *i* ]]; then
|
||
echo "🔑 GPG Agent ready at \$SSH_AUTH_SOCK"
|
||
fi
|
||
|
||
EOF
|
||
|
||
chown "$NEWUSER":"$NEWUSER" "$PROFILE_SCRIPT"
|
||
chmod 644 "$PROFILE_SCRIPT"
|
||
|
||
# --- source it on login ---
|
||
if ! grep -q ".profile_gpgagent" "$USERHOME/.bashrc"; then
|
||
echo "[ -f ~/.profile_gpgagent ] && source ~/.profile_gpgagent" >> "$USERHOME/.bashrc"
|
||
fi
|
||
|
||
echo "🎉 Setup complete for user $NEWUSER"
|