mirror of
https://github.com/Ravinou/borgwarehouse
synced 2024-06-26 09:20:06 +02:00
feat: create repo with the same unix user
This commit is contained in:
parent
d8e5542aa4
commit
071e9733d2
|
@ -1,33 +1,44 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# Shell created by Raven for BorgWarehouse.
|
||||
# This shell takes 3 arguments : [reponame] X [SSH pub key] X [quota]
|
||||
# This shell takes 2 arguments : [SSH pub key] X [quota]
|
||||
# Main steps are :
|
||||
# - check if args are present
|
||||
# - check the ssh pub key format
|
||||
# - check if borgbackup package is install
|
||||
# - generate a random username, check if it exists in /etc/passwd
|
||||
# - add the user (with random name), group, shell and home
|
||||
# - create a pool which is the folder where all the repositories for a user are located (only one by user for borgwarehouse usage)
|
||||
# - create the authorized_keys
|
||||
# - generate a random repositoryName
|
||||
# - add the SSH public key in the authorized_keys with borg restriction for repository and storage quota.
|
||||
# This simple method prevents the user from connecting to the server with a shell in SSH.
|
||||
# He can only use the borg command. Moreover, he will not be able to leave his repository or create a new one.
|
||||
# It is similar to a jail and that is the goal.
|
||||
|
||||
# WAITING resolve of this for quota... : https://github.com/borgbackup/borg/issues/7757
|
||||
|
||||
# Exit when any command fails
|
||||
set -e
|
||||
|
||||
# Load .env if exists
|
||||
if [[ -f .env ]]; then
|
||||
source .env
|
||||
fi
|
||||
|
||||
# Default value if .env not exists
|
||||
: "${home:=/home/borgwarehouse}"
|
||||
|
||||
# Some variables
|
||||
pool="${home}/repos"
|
||||
authorized_keys="${home}/.ssh/authorized_keys"
|
||||
|
||||
# Check args
|
||||
if [ "$1" == "" ] || [ "$2" == "" ] || [ "$3" == "" ];then
|
||||
echo "This shell takes 3 argument : Reponame, SSH Public Key, Quota in Go [e.g. : 10] "
|
||||
if [ "$1" == "" ] || [ "$2" == "" ];then
|
||||
echo "This shell takes 2 arguments : SSH Public Key, Quota in Go [e.g. : 10] "
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check if the SSH public key is a valid format
|
||||
# This pattern validates SSH public keys for : rsa, ed25519, ed25519-sk
|
||||
pattern='(ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3}(\s.*)?'
|
||||
if [[ ! "$2" =~ $pattern ]]
|
||||
if [[ ! "$1" =~ $pattern ]]
|
||||
then
|
||||
echo "Invalid public SSH KEY format. Provide a key in OpenSSH format (rsa, ed25519, ed25519-sk)"
|
||||
exit 2
|
||||
|
@ -39,39 +50,11 @@ if ! [ -x "$(command -v borg)" ]; then
|
|||
exit 3
|
||||
fi
|
||||
|
||||
# Generation of a random for username
|
||||
randUsername () {
|
||||
# Generation of a random for repositoryName
|
||||
randRepositoryName () {
|
||||
openssl rand -hex 4
|
||||
}
|
||||
user=$(randUsername)
|
||||
|
||||
# Check if the random is already a username.
|
||||
while grep -q "$user" /etc/passwd
|
||||
do
|
||||
user=$(randUsername)
|
||||
done
|
||||
|
||||
# Some variables
|
||||
home="/var/borgwarehouse/${user}"
|
||||
pool="${home}/repos"
|
||||
authorized_keys="${home}/.ssh/authorized_keys"
|
||||
|
||||
## add user and create homedirectory ${user} - [shell=/bin/bash home=${home} group=${group}]
|
||||
sudo useradd -d "${home}" -s "/bin/bash" -m --badname "${user}"
|
||||
|
||||
## Create directory ${home}/.ssh
|
||||
sudo mkdir -p "${home}/.ssh"
|
||||
|
||||
## Create autorized_keys file
|
||||
sudo touch "${home}/.ssh/authorized_keys"
|
||||
|
||||
## Create the repo
|
||||
sudo mkdir -p "${pool}/$1"
|
||||
|
||||
## Change permissions
|
||||
sudo chmod -R 750 "${home}"
|
||||
sudo chmod 600 "${authorized_keys}"
|
||||
sudo chown -R "${user}:borgwarehouse" "${home}"
|
||||
repositoryName=$(randRepositoryName)
|
||||
|
||||
## Check if authorized_keys exists
|
||||
if [ ! -f "${authorized_keys}" ];then
|
||||
|
@ -80,8 +63,8 @@ if [ ! -f "${authorized_keys}" ];then
|
|||
fi
|
||||
|
||||
## Add ssh public key in authorized_keys with borg restriction for only 1 repository (:$1) and storage quota
|
||||
restricted_authkeys="command=\"cd ${pool};borg serve --restrict-to-repository ${pool}/$1 --storage-quota $3G\",restrict $2"
|
||||
echo "$restricted_authkeys" | sudo tee "${authorized_keys}" >/dev/null
|
||||
restricted_authkeys="command=\"cd ${pool};borg serve --restrict-to-path ${pool}/${repositoryName} --storage-quota $2G\",restrict $1"
|
||||
echo "$restricted_authkeys" | tee -a "${authorized_keys}" >/dev/null
|
||||
|
||||
## Return the unix user
|
||||
echo "${user}"
|
||||
echo "${repositoryName}"
|
Loading…
Reference in a new issue