From 071e9733d2889addb4c5b7182ac890ed1b809d3b Mon Sep 17 00:00:00 2001
From: bsourisse
Date: Sat, 19 Aug 2023 13:09:14 +0200
Subject: [PATCH] feat: create repo with the same unix user

---
 helpers/shells/createRepo.sh | 67 ++++++++++++++----------------------
 1 file changed, 25 insertions(+), 42 deletions(-)

diff --git a/helpers/shells/createRepo.sh b/helpers/shells/createRepo.sh
index f826035..34cd4b6 100755
--- a/helpers/shells/createRepo.sh
+++ b/helpers/shells/createRepo.sh
@@ -1,33 +1,44 @@
 #!/usr/bin/env bash
 # Shell created by Raven for BorgWarehouse.
-# This shell takes 3 arguments : [reponame] X [SSH pub key] X [quota]
+# This shell takes 2 arguments : [SSH pub key] X [quota]
 # Main steps are :
 # - check if args are present
 # - check the ssh pub key format
 # - check if borgbackup package is install
-# - generate a random username, check if it exists in /etc/passwd
-# - add the user (with random name), group, shell and home
-# - create a pool which is the folder where all the repositories for a user are located (only one by user for borgwarehouse usage)
-# - create the authorized_keys
+# - generate a random repositoryName
 # - add the SSH public key in the authorized_keys with borg restriction for repository and storage quota.
 # This simple method prevents the user from connecting to the server with a shell in SSH.
 # He can only use the borg command. Moreover, he will not be able to leave his repository or create a new one.
 # It is similar to a jail and that is the goal.
+# WAITING resolve of this for quota... : https://github.com/borgbackup/borg/issues/7757
+
 
 # Exit when any command fails
 set -e
 
+# Load .env if exists
+if [[ -f .env ]]; then
+    source .env
+fi
+
+# Default value if .env not exists
+: "${home:=/home/borgwarehouse}"
+
+# Some variables
+pool="${home}/repos"
+authorized_keys="${home}/.ssh/authorized_keys"
+
 # Check args
-if [ "$1" == "" ] || [ "$2" == "" ] || [ "$3" == "" ];then
-    echo "This shell takes 3 argument : Reponame, SSH Public Key, Quota in Go [e.g. : 10] "
+if [ "$1" == "" ] || [ "$2" == "" ];then
+    echo "This shell takes 2 arguments : SSH Public Key, Quota in Go [e.g. : 10] "
     exit 1
 fi
 
 # Check if the SSH public key is a valid format
 # This pattern validates SSH public keys for : rsa, ed25519, ed25519-sk
 pattern='(ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3}(\s.*)?'
-if [[ ! "$2" =~ $pattern ]]
+if [[ ! "$1" =~ $pattern ]]
 then
     echo "Invalid public SSH KEY format. Provide a key in OpenSSH format (rsa, ed25519, ed25519-sk)"
     exit 2
 fi
@@ -39,39 +50,11 @@ if ! [ -x "$(command -v borg)" ]; then
     exit 3
 fi
 
-# Generation of a random for username
-randUsername () {
+# Generation of a random for repositoryName
+randRepositoryName () {
     openssl rand -hex 4
 }
-user=$(randUsername)
-
-# Check if the random is already a username.
-while grep -q "$user" /etc/passwd
-do
-    user=$(randUsername)
-done
-
-# Some variables
-home="/var/borgwarehouse/${user}"
-pool="${home}/repos"
-authorized_keys="${home}/.ssh/authorized_keys"
-
-## add user and create homedirectory ${user} - [shell=/bin/bash home=${home} group=${group}]
-sudo useradd -d "${home}" -s "/bin/bash" -m --badname "${user}"
-
-## Create directory ${home}/.ssh
-sudo mkdir -p "${home}/.ssh"
-
-## Create autorized_keys file
-sudo touch "${home}/.ssh/authorized_keys"
-
-## Create the repo
-sudo mkdir -p "${pool}/$1"
-
-## Change permissions
-sudo chmod -R 750 "${home}"
-sudo chmod 600 "${authorized_keys}"
-sudo chown -R "${user}:borgwarehouse" "${home}"
+repositoryName=$(randRepositoryName)
 
 ## Check if authorized_keys exists
 if [ ! -f "${authorized_keys}" ];then
@@ -80,8 +63,8 @@ if [ ! -f "${authorized_keys}" ];then
 fi
 
 ## Add ssh public key in authorized_keys with borg restriction for only 1 repository (:$1) and storage quota
-restricted_authkeys="command=\"cd ${pool};borg serve --restrict-to-repository ${pool}/$1 --storage-quota $3G\",restrict $2"
-echo "$restricted_authkeys" | sudo tee "${authorized_keys}" >/dev/null
+restricted_authkeys="command=\"cd ${pool};borg serve --restrict-to-path ${pool}/${repositoryName} --storage-quota $2G\",restrict $1"
+echo "$restricted_authkeys" | tee -a "${authorized_keys}" >/dev/null
 
 ## Return the unix user
-echo "${user}"
+echo "${repositoryName}"
\ No newline at end of file
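Review bot: The quota argument `$2` is only tested for being non-empty in the new arg check, yet the third hunk later splices it into the `command="…"` option of authorized_keys as `--storage-quota $2G`, so anything other than a plain integer yields a malformed or unintended restriction line. Add `[[ "$2" =~ ^[0-9]+$ ]] || { echo "Quota must be a positive integer in Go [e.g. : 10]"; exit 1; }` directly after the presence check. The new `if [[ ! "$1" =~ $pattern ]]` line is also unanchored, so `pattern` only has to occur somewhere inside the argument rather than describe the whole of it; anchoring with `^…$` would make the check mean what the comment above it says. Separately, `source .env` is resolved against the caller's current directory rather than the script's location, so which file gets executed depends on where the script is launched from; `"$(dirname -- "$0")/.env"` pins it.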
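Review bot: Dropping the `/etc/passwd` loop leaves `repositoryName=$(randRepositoryName)` with no collision check at all, even though `openssl rand -hex 4` gives only 32 bits and every repository now shares one pool and one authorized_keys file, so a repeated name would hand a second key the same `${pool}/${repositoryName}` path. Re-check against what already exists, e.g. `while [ -e "${pool}/${repositoryName}" ] || grep -qs -- "${repositoryName}" "${authorized_keys}"; do repositoryName=$(randRepositoryName); done` (`-s` keeps grep quiet when the file is absent, which is only tested further down). The removed `sudo mkdir -p "${pool}/$1"` has no replacement, so creating the repository directory is now left to borg on first use; if the service expects the directory to exist up front, that should be confirmed.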
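Review bot: The key argument `$1` is written verbatim into a single authorized_keys line by the new `restricted_authkeys=` assignment, and the pattern's trailing `(\s.*)?` accepts a free-form comment in which an embedded newline or `"` is not excluded; such a value would break out of the `command="…",restrict` options and leave an entry without them. Reject it before the `tee -a`, e.g. `[[ "$1" != *$'\n'* && "$1" != *\"* ]] || { echo "Invalid public SSH KEY format"; exit 2; }`. Because `tee -a` only ever appends, nothing stops the same public key from being added again under a different repository path; a `grep -qF` of the key against the file before appending would catch that. The switch to `--restrict-to-path` grants access to that directory and, per borg's documentation, its sub-directories, which no longer matches the header comment's claim that the client cannot create a new repository; `--restrict-to-repository` is the stricter option if the path is meant to be exactly one repo. The comment `## Return the unix user` above `echo "${repositoryName}"` is stale; change it to `## Return the repository name`.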