tomas/kvm-backup-runner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2501da142924b864b96dcae432a706b18ecd2dd1
kvm-backup-runner/setup_backup_user.sh
alzyras 2501da1429 Added create user scripts
2025-12-19 16:03:34 +02:00

91 lines
2.2 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# ===============================
# Load environment
# ===============================
ENV_FILE="./.env"
if [[ ! -f "$ENV_FILE" ]]; then
echo "ERROR: .env file not found. Copy .env.tmpl to .env and edit it."
exit 1
fi
# shellcheck disable=SC1090
source "$ENV_FILE"
# ===============================
# Validate required variables
# ===============================
: "${BACKUP_USER:?missing}"
: "${PYTHON_BIN:?missing}"
: "${BACKUP_INSTALL_DIR:?missing}"
: "${BACKUP_RUNNER:?missing}"
: "${WRAPPER_PATH:?missing}"
RUNNER_PATH="$BACKUP_INSTALL_DIR/$BACKUP_RUNNER"
HOME_DIR="/home/$BACKUP_USER"
if [[ ! -x "$PYTHON_BIN" ]]; then
echo "ERROR: Python binary not executable: $PYTHON_BIN"
exit 1
fi
if [[ ! -f "$RUNNER_PATH" ]]; then
echo "ERROR: Runner not found: $RUNNER_PATH"
exit 1
fi
# ===============================
# Create user (no shell)
# ===============================
if ! id "$BACKUP_USER" >/dev/null 2>&1; then
useradd -m -d "$HOME_DIR" -s /usr/sbin/nologin "$BACKUP_USER"
fi
# ===============================
# SSH setup
# ===============================
install -d -m 700 "$HOME_DIR/.ssh"
touch "$HOME_DIR/.ssh/authorized_keys"
chmod 600 "$HOME_DIR/.ssh/authorized_keys"
chown -R "$BACKUP_USER:$BACKUP_USER" "$HOME_DIR/.ssh"
# ===============================
# Create root-owned wrapper
# ===============================
cat > "$WRAPPER_PATH" <<EOF
#!/usr/bin/env bash
exec "$PYTHON_BIN" "$RUNNER_PATH"
EOF
chown root:root "$WRAPPER_PATH"
chmod 750 "$WRAPPER_PATH"
# ===============================
# Lock sudo to wrapper ONLY
# ===============================
SUDOERS_FILE="/etc/sudoers.d/$BACKUP_USER"
cat > "$SUDOERS_FILE" <<EOF
$BACKUP_USER ALL=(root) NOPASSWD: $WRAPPER_PATH
EOF
chmod 440 "$SUDOERS_FILE"
# ===============================
# Fix runner permissions
# ===============================
chown root:root "$RUNNER_PATH"
chmod 750 "$RUNNER_PATH"
# ===============================
# Output next steps
# ===============================
echo
echo "User '$BACKUP_USER' created and locked down."
echo
echo "NEXT STEP (manual): add SSH public key:"
echo
echo "command=\"sudo $WRAPPER_PATH\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <SSH_PUBLIC_KEY>"
echo
Reference in New Issue View Git Blame Copy Permalink