From 2501da142924b864b96dcae432a706b18ecd2dd1 Mon Sep 17 00:00:00 2001
From: alzyras
Date: Fri, 19 Dec 2025 16:03:34 +0200
Subject: [PATCH] Added create user scripts
---
.env.tmpl | 15 +++++++
.gitignore | 3 ++
Archive.zip | Bin 0 -> 5625 bytes
remove_backup_user.sh | 66 ++++++++++++++++++++++++++++++
setup_backup_user.sh | 91 ++++++++++++++++++++++++++++++++++++++++++
5 files changed, 175 insertions(+)
create mode 100644 .env.tmpl
create mode 100644 .gitignore
create mode 100644 Archive.zip
create mode 100644 remove_backup_user.sh
create mode 100644 setup_backup_user.sh
diff --git a/.env.tmpl b/.env.tmpl
new file mode 100644
index 0000000..83c9de4
--- /dev/null
+++ b/.env.tmpl
@@ -0,0 +1,15 @@
+# Name of the restricted SSH user
+BACKUP_USER=backup-trigger
+
+# Absolute path to python binary (resolve once!)
+PYTHON_BIN=/usr/bin/python3
+
+# Absolute path where the repo is installed
+# (directory that contains run_backup.py)
+BACKUP_INSTALL_DIR=/usr/local/kvm-backup
+
+# Name of the python entrypoint file
+BACKUP_RUNNER=run_backup.py
+
+# Optional: fixed wrapper path (recommended)
+WRAPPER_PATH=/usr/local/bin/run-kvm-backup
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ce10898
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.env
+job-runner/*
+job-runner
\ No newline at end of file
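Review bot: The comment `# Optional: fixed wrapper path (recommended)` above `WRAPPER_PATH` contradicts the scripts added in this patch, since both setup_backup_user.sh and remove_backup_user.sh abort on `: "${WRAPPER_PATH:?missing}"` when it is unset. I would reword it to `# Required: absolute path where the root-owned wrapper is written`. Because the scripts `source` the resulting .env before calling useradd/userdel, the template could also state that .env should be owned by root and not writable by other accounts.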
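Review bot: This ignore list covers `.env` and `job-runner`, but the same commit adds `Archive.zip` (shown in the diffstat as `Bin 0 -> 5625 bytes`), a binary whose contents cannot be read from the patch. A repository whose scripts call useradd and write under /etc/sudoers.d is easier to audit when everything in it is reviewable text. If the archive is only a local bundle of these files, I would drop it from the commit and add a `*.zip` line here. The `job-runner/*` entry is also redundant next to `job-runner`.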
diff --git a/Archive.zip b/Archive.zip new file mode 100644 index 0000000000000000000000000000000000000000..79b137fc8c8612d395f6ddc4532af4c1dc730a6b GIT binary patch literal 5625 zcmc&&c|4SB8y<{Zj6$}uoMMQm#K=xYjC~oT7&6xE8OxM7OtQ$iQo4AQ12`5Xi`I4~V*6M%BJmN7a4{IMLz980*9# zVC=xhjjw4!#@G*+$(Yc^6Q;NI@4coI7aEnkkb+KGu8(Kj%+54Ni0 z(M3?x3||xBb^*8~0Ff&v9QomQqeIm5j$$}Q-)y-RP8UISTES3tWe8Zn#g4) zf7>V;kRMeHD zB^j+#Cj+g7PuZC`$@Vjco6Q=oao1cfoIAHa^x$&i0*L4EQ1JHTToL&|p&wt4(m{d= zNcr3>TY&zJ@0!5z)e!uEHUEbH5AX8-o-h8#IDM-UDnGj)EDKaZ%Q414aR$W>xm;J3 zV2q;lnQq!VM0YK?AOs{BdZ3j_`8sY>;p5a)K1;6}<_Y~fXf2IUxi!OP^kcuJD6;r; zg&CGG_^0~m8YP9Ei%ea|Y-rUtwgy)Bh9PgF;5_`Xea{yz`|Eh5pRq4KLI^^h%6P96 z5P%4hAndk-{i{Lvdz1d@7yw3qOn1eA9^mfaVkPSC>FkVl7yFtPaRQ#NQc$%goL|IX zHxMhS6TV=65AvV(06~)rv80+zAnuNKa>1bgr(m8QX!mc3ffOKHr+}Am#vAJC42nbi z+KOPB6^S9>^-68@oCd^Bu^K9m{U!~2Je8)siaXSN7HD?G+)ZDV#+$* zZNYsYMHw1oln!&{WMK0Rk$0SvrK1)!7nmb+iqy}M&S83t(_-68y)rZLe!Rri6Rp3{ z*{>6A%1^1ot>2XqFWzjK%&uo#iJjQU8!Zy6@93SimXD~vvr`S}p<5f5at9AviUrZcObWp~-P|Q0e$u~I)ql80F-s+v)3O7y0 zi%6yUp6B2Uw~fB(ZLN{{$&mjt)41GsPGB)2$xo|toevnCPg1>U!y?bdoib+ ztJ)j+MkdpD9`K!&VH$f+K3o((@Jm=9t@grw{W|-{ZX9<)*H=d0y;2WGpO4SNcUVkZ zvPs%&<0!QleT~p)9B5 zHHldGtowvB-q6f(P@KhYqe$0?T+&;+X_&ze+Mkf%sdZ+xST8i%$*1Ei0v?l^5WORR z0D&2|;Y#H#@pK-kzT7lz+l4H!Z*7PR5q$Z3QXvZuxw(`+2Y&E(y;9WKjhGlt8}Aoe zSd|y+H>LyYpQD64Avd!Y7M02x7N_So^Z03c%DUIw%itXM>7(UfxeY3V(aNErJMAIE zW8V0_XDMkK84fPKJYcCX=}qsNQoa?Py!s%s3@eBgS%*l7LX27Y{W)!hSU5cJ?hC!6%5mk3UQ zJLCS)x#8AY^g7(fy9QowrnA?~wKQueNG{vqnQEJMUTlhdam9Z!y8Ei{aw zkV$K=YZcOWpQogwXU2+z)~j!Y4j5{v*@0AXA{+w+Vf`GfxZMRBcDh2 z?=(KNzN)<~@Dk2=q>IadJj5?U$IY{#FrJOP>yzEKhM=bI9a$wf|EPlba+6ovD><)eLGFXzxR~KR;|C|bTmy~fp!v1gIRBfImm*E4V8QL! 
zZL}<$e4n^d63brA-2j;Zt}p=S@@79MVDwfV}-<{Q>`~m zBZad~6Yvt7R6#`@cXUa#)4;-dTZg)_9;k!y^8;;Ua>Rh6XjeC3`p#_fIvwS{w zdD`ddvNLCEP6?0a$k8PI@R3i-j%MC+)tuC2Z!L>$2OeKjlAVo$mxYbW`;PC`3Va>V z$CKs9zSSYJpmR4LZo6oazR}*{cW~(r8@sge_{PJN@1he!DL-Dg7ni@!BBlH)hn(bF z*KC8@+KZwI1@3PysmCf0HezmbT6;BDtmTXQh?p6=YEO==9p}hz{wTM#Va{-#>BDw5o{BCo8P%{m@kbma5J^mbnDg8s~dQjC@41^(XA~4$ZzP38p{c`P5JM_y@Q# zowWLW2-tj4&AZuX$ip@3RIPJO7}j$;!&HN>+%YCe#!t*G-Jlr-5Q^5 z=!+VQSil+zrbnF4cDQjK-G|8y?Z@QK(ZPLun-XSe!Q;g|O*~>PhYODnt~adutz_14 zm2)g1D#6uk6!lecr)yJbHb2QaoG6IQvavJlu4?zW9nh6cm2E$a=Pht)Jv)(u3`|E3 zZnDINaLcRt9`O(p zc8ksrzdl>biP>u>C!0As>hP0W}8Nz9m?1hNN! z{43)hLnnlO_p(S&jII;|27Px21?c{F_xzF;1VCcCti*r;g8(2A-S6z8Ux6k}+{Cju zF*H6P4wwdhZ0H7{30oqulL^qota*u8;{%idQ6OUde}9EAq7V-+#MyxlprQo~`0nrx z5GM@X#KZ}Z#KeiS10T>yPfGk}(FyuTtc)xqZi!?7{n(TO@Fq+r#JmZ}#JqV(kOd$l aynje%|NICg6(O-1foBWIwpjoQ1o{u(!?`yA literal 0 HcmV?d00001 diff --git a/remove_backup_user.sh b/remove_backup_user.sh new file mode 100644 index 0000000..ffa02b5 --- /dev/null +++ b/remove_backup_user.sh 
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ===============================
+# Load environment
+# ===============================
+ENV_FILE="./.env"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+ echo "ERROR: .env file not found. Cannot determine what to remove."
+ exit 1
+fi
+
+# shellcheck disable=SC1090
+source "$ENV_FILE"
+
+# ===============================
+# Validate required variables
+# ===============================
+: "${BACKUP_USER:?missing}"
+: "${WRAPPER_PATH:?missing}"
+
+HOME_DIR="/home/$BACKUP_USER"
+SUDOERS_FILE="/etc/sudoers.d/$BACKUP_USER"
+
+echo "This will REMOVE the following:"
+echo " user: $BACKUP_USER"
+echo " home dir: $HOME_DIR"
+echo " sudo rule: $SUDOERS_FILE"
+echo " wrapper: $WRAPPER_PATH"
+echo
+read -rp "Type YES to continue: " CONFIRM
+
+if [[ "$CONFIRM" != "YES" ]]; then
+ echo "Aborted."
+ exit 1
+fi
+
+# ===============================
+# Remove SSH + user
+# ===============================
+if id "$BACKUP_USER" >/dev/null 2>&1; then
+ userdel -r "$BACKUP_USER"
+ echo "User $BACKUP_USER removed."
+else
+ echo "User $BACKUP_USER does not exist. Skipping."
+fi
+
+# ===============================
+# Remove sudoers rule
+# ===============================
+if [[ -f "$SUDOERS_FILE" ]]; then
+ rm -f "$SUDOERS_FILE"
+ echo "Removed sudoers file."
+fi
+
+# ===============================
+# Remove wrapper
+# ===============================
+if [[ -f "$WRAPPER_PATH" ]]; then
+ rm -f "$WRAPPER_PATH"
+ echo "Removed wrapper script."
+fi
+
+echo
+echo "Cleanup completed successfully."
\ No newline at end of file
diff --git a/setup_backup_user.sh b/setup_backup_user.sh
new file mode 100644
index 0000000..92536b8
--- /dev/null
+++ b/setup_backup_user.sh
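Review bot: `BACKUP_USER` is used unvalidated to build `/etc/sudoers.d/$BACKUP_USER` and as the argument of `userdel -r`, so a typo or a value containing `/` or `..` in .env makes this script delete a file or an account it never created. After the `:?` checks I would add `[[ "$BACKUP_USER" =~ ^[a-z_][a-z0-9_-]*$ ]] || { echo "ERROR: invalid BACKUP_USER" >&2; exit 1; }`; the same guard belongs in setup_backup_user.sh, which builds `HOME_DIR` the same way. Both scripts also `source "./.env"` relative to the current directory, so whatever .env happens to sit in the working directory is executed with the caller's privileges, presumably root given the useradd/userdel calls. Resolving it next to the script with `ENV_FILE="$(dirname "${BASH_SOURCE[0]}")/.env"` and refusing a file that is not root-owned would close that gap.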
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ===============================
+# Load environment
+# ===============================
+ENV_FILE="./.env"
+
+if [[ ! -f "$ENV_FILE" ]]; then
+ echo "ERROR: .env file not found. Copy .env.tmpl to .env and edit it."
+ exit 1
+fi
+
+# shellcheck disable=SC1090
+source "$ENV_FILE"
+
+# ===============================
+# Validate required variables
+# ===============================
+: "${BACKUP_USER:?missing}"
+: "${PYTHON_BIN:?missing}"
+: "${BACKUP_INSTALL_DIR:?missing}"
+: "${BACKUP_RUNNER:?missing}"
+: "${WRAPPER_PATH:?missing}"
+
+RUNNER_PATH="$BACKUP_INSTALL_DIR/$BACKUP_RUNNER"
+HOME_DIR="/home/$BACKUP_USER"
+
+if [[ ! -x "$PYTHON_BIN" ]]; then
+ echo "ERROR: Python binary not executable: $PYTHON_BIN"
+ exit 1
+fi
+
+if [[ ! -f "$RUNNER_PATH" ]]; then
+ echo "ERROR: Runner not found: $RUNNER_PATH"
+ exit 1
+fi
+
+# ===============================
+# Create user (no shell)
+# ===============================
+if ! id "$BACKUP_USER" >/dev/null 2>&1; then
+ useradd -m -d "$HOME_DIR" -s /usr/sbin/nologin "$BACKUP_USER"
+fi
+
+# ===============================
+# SSH setup
+# ===============================
+install -d -m 700 "$HOME_DIR/.ssh"
+touch "$HOME_DIR/.ssh/authorized_keys"
+chmod 600 "$HOME_DIR/.ssh/authorized_keys"
+chown -R "$BACKUP_USER:$BACKUP_USER" "$HOME_DIR/.ssh"
+
+# ===============================
+# Create root-owned wrapper
+# ===============================
+cat > "$WRAPPER_PATH" < "$SUDOERS_FILE" <"
+echo
\ No newline at end of file
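Review bot: The pre-flight checks only test that `$PYTHON_BIN` is executable and that `$RUNNER_PATH` exists, not who is able to modify them. The heredoc bodies of the wrapper and the sudoers rule are not visible in this copy of the patch, but if the rule lets `$BACKUP_USER` run the wrapper as root, a runner or install directory writable by a non-root account turns that rule into a general root grant. I would refuse to continue unless both are root-owned and not group- or world-writable, for example `[[ "$(stat -c '%U' "$RUNNER_PATH")" == root ]] || { echo "ERROR: $RUNNER_PATH must be owned by root" >&2; exit 1; }`. It is also worth confirming that the sudoers file is written to a temporary path, checked with `visudo -cf`, and installed with mode 0440 rather than written in place with `cat >`.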