Added create user scripts
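--- a/.env.tmpl
+++ b/.env.tmpl
@@ -0,0 +1,15 @@
+# Name of the restricted SSH user
+BACKUP_USER=backup-trigger
+
+# Absolute path to python binary (resolve once!)
+PYTHON_BIN=/usr/bin/python3
+
+# Absolute path where the repo is installed
+# (directory that contains run_backup.py)
+BACKUP_INSTALL_DIR=/usr/local/kvm-backup
+
+# Name of the python entrypoint file
+BACKUP_RUNNER=run_backup.py
+
+# Optional: fixed wrapper path (recommended)
+WRAPPER_PATH=/usr/local/bin/run-kvm-backup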
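Review bot: The comment above WRAPPER_PATH calls it "Optional", but both setup_backup_user.sh and remove_backup_user.sh abort with `: "${WRAPPER_PATH:?missing}"` when it is unset, so it is required. I would change the comment to `# Fixed, root-owned wrapper path (required by setup/remove scripts)`. It may also be worth noting next to BACKUP_USER that the same value becomes the file name under /etc/sudoers.d, where names containing a `.` are ignored by sudo.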
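--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.env
+job-runner/*
+job-runner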
BIN
Archive.zip
Normal file
BIN
Archive.zip
Normal file
Binary file not shown.
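--- a/remove_backup_user.sh
+++ b/remove_backup_user.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ===============================
+# Load environment
+# ===============================
+ENV_FILE="./.env"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+echo "ERROR: .env file not found. Cannot determine what to remove."
+exit 1
+fi
+
+# shellcheck disable=SC1090
+source "$ENV_FILE"
+
+# ===============================
+# Validate required variables
+# ===============================
+: "${BACKUP_USER:?missing}"
+: "${WRAPPER_PATH:?missing}"
+
+HOME_DIR="/home/$BACKUP_USER"
+SUDOERS_FILE="/etc/sudoers.d/$BACKUP_USER"
+
+echo "This will REMOVE the following:"
+echo " user: $BACKUP_USER"
+echo " home dir: $HOME_DIR"
+echo " sudo rule: $SUDOERS_FILE"
+echo " wrapper: $WRAPPER_PATH"
+echo
+read -rp "Type YES to continue: " CONFIRM
+
+if [[ "$CONFIRM" != "YES" ]]; then
+echo "Aborted."
+exit 1
+fi
+
+# ===============================
+# Remove SSH + user
+# ===============================
+if id "$BACKUP_USER" >/dev/null 2>&1; then
+userdel -r "$BACKUP_USER"
+echo "User $BACKUP_USER removed."
+else
+echo "User $BACKUP_USER does not exist. Skipping."
+fi
+
+# ===============================
+# Remove sudoers rule
+# ===============================
+if [[ -f "$SUDOERS_FILE" ]]; then
+rm -f "$SUDOERS_FILE"
+echo "Removed sudoers file."
+fi
+
+# ===============================
+# Remove wrapper
+# ===============================
+if [[ -f "$WRAPPER_PATH" ]]; then
+rm -f "$WRAPPER_PATH"
+echo "Removed wrapper script."
+fi
+
+echo
+echo "Cleanup completed successfully."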
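Review bot: The removal order fails open: `userdel -r` runs before the sudoers rule and wrapper are deleted, and userdel refuses when the account still has running processes, so under `set -e` the script stops with the `NOPASSWD` rule and root-owned wrapper still in place. Moving the "Remove sudoers rule" and "Remove wrapper" blocks above the "Remove SSH + user" block revokes the privilege first and leaves only the harmless case of an orphaned account on failure. The script also never checks that it runs as root, so a non-root run fails partway with a misleading message; an early `(( EUID == 0 )) || { echo "ERROR: must run as root" >&2; exit 1; }` would make that explicit. Finally, `source "$ENV_FILE"` executes a cwd-relative file as root in both this script and setup_backup_user.sh; a check that `.env` is root-owned and not group/world-writable before sourcing it would keep a writable checkout from becoming a root code path.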
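--- a/setup_backup_user.sh
+++ b/setup_backup_user.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ===============================
+# Load environment
+# ===============================
+ENV_FILE="./.env"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+echo "ERROR: .env file not found. Copy .env.tmpl to .env and edit it."
+exit 1
+fi
+
+# shellcheck disable=SC1090
+source "$ENV_FILE"
+
+# ===============================
+# Validate required variables
+# ===============================
+: "${BACKUP_USER:?missing}"
+: "${PYTHON_BIN:?missing}"
+: "${BACKUP_INSTALL_DIR:?missing}"
+: "${BACKUP_RUNNER:?missing}"
+: "${WRAPPER_PATH:?missing}"
+
+RUNNER_PATH="$BACKUP_INSTALL_DIR/$BACKUP_RUNNER"
+HOME_DIR="/home/$BACKUP_USER"
+
+if [[ ! -x "$PYTHON_BIN" ]]; then
+echo "ERROR: Python binary not executable: $PYTHON_BIN"
+exit 1
+fi
+
+if [[ ! -f "$RUNNER_PATH" ]]; then
+echo "ERROR: Runner not found: $RUNNER_PATH"
+exit 1
+fi
+
+# ===============================
+# Create user (no shell)
+# ===============================
+if ! id "$BACKUP_USER" >/dev/null 2>&1; then
+useradd -m -d "$HOME_DIR" -s /usr/sbin/nologin "$BACKUP_USER"
+fi
+
+# ===============================
+# SSH setup
+# ===============================
+install -d -m 700 "$HOME_DIR/.ssh"
+touch "$HOME_DIR/.ssh/authorized_keys"
+chmod 600 "$HOME_DIR/.ssh/authorized_keys"
+chown -R "$BACKUP_USER:$BACKUP_USER" "$HOME_DIR/.ssh"
+
+# ===============================
+# Create root-owned wrapper
+# ===============================
+cat > "$WRAPPER_PATH" <<EOF
+#!/usr/bin/env bash
+exec "$PYTHON_BIN" "$RUNNER_PATH"
+EOF
+
+chown root:root "$WRAPPER_PATH"
+chmod 750 "$WRAPPER_PATH"
+
+# ===============================
+# Lock sudo to wrapper ONLY
+# ===============================
+SUDOERS_FILE="/etc/sudoers.d/$BACKUP_USER"
+
+cat > "$SUDOERS_FILE" <<EOF
+$BACKUP_USER ALL=(root) NOPASSWD: $WRAPPER_PATH
+EOF
+
+chmod 440 "$SUDOERS_FILE"
+
+# ===============================
+# Fix runner permissions
+# ===============================
+chown root:root "$RUNNER_PATH"
+chmod 750 "$RUNNER_PATH"
+
+# ===============================
+# Output next steps
+# ===============================
+echo
+echo "User '$BACKUP_USER' created and locked down."
+echo
+echo "NEXT STEP (manual): add SSH public key:"
+echo
+echo "command=\"sudo $WRAPPER_PATH\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <SSH_PUBLIC_KEY>"
+echo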
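Review bot: The sudoers rule under "Lock sudo to wrapper ONLY" is written straight into /etc/sudoers.d with no syntax check; a malformed `BACKUP_USER` or `WRAPPER_PATH` (spaces, a `:` or `#`) produces a parse error there, and sudo then refuses to run for every user on the host until the file is fixed by hand. Write the rule to a temp file, run `visudo -cf` on it, and only then install it with mode 440, as sketched below; note also that sudo ignores sudoers.d entries whose file name contains a `.`, so a `BACKUP_USER` like `backup.svc` would silently get no rule. The "Fix runner permissions" block locks down the runner file but not `BACKUP_INSTALL_DIR`; since Python prepends the script's directory to `sys.path`, a directory writable by a non-root user lets a planted module run as root through the wrapper, so a check that the directory is root-owned and not group/world-writable belongs next to the runner check. The script also relies on `useradd`, `chown root:root` and writing to /etc/sudoers.d without confirming it runs as root; an early `(( EUID == 0 )) || { echo "ERROR: must run as root" >&2; exit 1; }` gives a clear failure instead of a partial setup.

```shell
SUDOERS_FILE="/etc/sudoers.d/$BACKUP_USER"

# Validate the rule with visudo before it can affect sudo for anyone.
tmp_sudoers=$(mktemp)
trap 'rm -f -- "$tmp_sudoers"' EXIT
printf '%s ALL=(root) NOPASSWD: %s\n' "$BACKUP_USER" "$WRAPPER_PATH" > "$tmp_sudoers"
visudo -cf "$tmp_sudoers"
install -o root -g root -m 440 -- "$tmp_sudoers" "$SUDOERS_FILE"

# … unchanged: runner permissions and next-steps output …
```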