#!/bin/sh

# @PREFIX@ is a build-time placeholder (this file is the .in template);
# LIBDIR may be pre-set by the caller, otherwise it defaults to $PREFIX/lib.
PREFIX=@PREFIX@
LIBDIR=${LIBDIR-$PREFIX/lib}
# Shared helpers (ask, $resp, ...) come from libalpine.sh.
. "$LIBDIR/libalpine.sh"

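# Print the usage text to stdout and exit with the given status
# (default 0 when no status is passed, instead of inheriting cat's status).
# Callers redirect to stderr themselves for the error case.
usage() {
	cat <<-__EOF__
		usage: setup-user [-h] [-a] [-u] [-f FULLNAME] [-g GROUPS] [-k SSHKEY] [USERNAME]

		Create user account

		options:
		 -a  Create admin user. Add to wheel group and set up doas
		 -h  Show this help
		 -f  Set full name for user
		 -g  Comma or space separated list of groups to add user to
		 -k  ssh key or URL to ssh key (eg. https://gitlab.alpinelinux.org/user.keys)
		     or 'none' for no key
		 -u  Unlock the user automatically (eg. creating the user non-interactively
		     with an ssh key for login)

		If USERNAME is not specified user will be prompted.
	__EOF__
	exit "${1:-0}"
}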

# Option parsing; -f/-g/-k take an argument, -a/-h/-u are flags.
# getopts yields '?' for an unknown option or a missing argument.
while getopts "af:g:hk:u" opt; do
	case "$opt" in
		a) admin=1 ;;
		f) fullnameopt=$OPTARG ;;
		g) groups=$OPTARG ;;
		h) usage 0 ;;
		k) keysopt=$OPTARG ;;
		u) forceunlock=1 ;;
		*) usage "1" >&2 ;;
	esac
done
shift "$((OPTIND - 1))"

# At most one positional argument (USERNAME).  Giving it switches to
# non-interactive mode and creates the account without a password (-D).
case $# in
	0) interactive=1 ;;
	1)
		username="$1"
		nopassword="-D"
		;;
	*) usage "1" >&2 ;;
esac

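# Create the account.  Interactively, prompt for a login name and a full
# name and retry on adduser failure; non-interactively (USERNAME given),
# give up on the first failure.
while true; do
	fullname="$fullnameopt"
	if [ -n "$interactive" ] && [ -z "$username" ]; then
		if [ -n "$fullname" ]; then
			# Suggest first initial + last word of the name, lower-cased
			# (e.g. "John Doe" -> "jdoe").  \s is a GNU/busybox sed extension.
			suggest=$(printf '%s\n' "$fullname" | sed -E 's/^(.).*\s+(.*)/\1\2/' | tr '[:upper:]' '[:lower:]')
		else
			suggest=no
		fi
		ask "Setup a user? (enter a lower-case loginname, or 'no')" "$suggest"
		case "$resp" in
			no) exit 0;;
			*) username="$resp";;
		esac
	fi

	if [ -n "$interactive" ] && [ -z "$fullnameopt" ]; then
		# Quote the default so a multi-word name is passed as one argument
		# on a retry instead of being split into several.
		ask "Full name for user $username" "${lastfullname:-$username}"
		fullname="$resp"
		lastfullname="$resp"
	fi

	if [ -n "$fullname" ]; then
		$MOCK adduser -g "$fullname" $nopassword "$username" && break
	else
		$MOCK adduser $nopassword "$username" && break
	fi
	if [ -z "$interactive" ]; then
		exit 1
	fi
	# adduser rejected the input: clear the login name so the next pass
	# prompts for it again (and offers 'no') instead of re-running the
	# identical command with the same name.
	username=
done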

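# Collect the ssh public key(s).  Interactively the answer may be a key, a
# URL, or one of the shortcuts al/gl/gh, which only fill in the suggested
# URL for the next prompt.  Only lines beginning with "ssh-" pass the
# filter, so ecdsa-* and sk-* key types are silently dropped.  Plain
# http:// URLs are accepted, so keys fetched that way arrive without
# transport integrity; https is the safer choice.
if [ -n "$interactive" ] && [ -z "$keysopt" ]; then
	suggest=none
	while true; do
		ask "Enter ssh key or URL for $username (or 'none')" "$suggest"
		case "$resp" in
			al)
				suggest="https://gitlab.alpinelinux.org/$username.keys"
				continue
				;;
			gl)
				suggest="https://gitlab.com/$username.keys"
				continue
				;;
			gh)
				suggest="https://github.com/$username.keys"
				continue
				;;
			none)
				break
				;;
			https://*|http://*)
				# Quote the URL so shell metacharacters in it are not
				# expanded (the -k path below already does this).
				sshkeys=$(wget -q -O- "$resp" | grep '^ssh-')
				;;
			*)	sshkeys="$resp"
				;;
		esac
		if printf '%s\n' "$sshkeys" | grep -q '^ssh-'; then
			break
		fi
		echo "Did not find any key in '$resp'"
	done
else
	case "$keysopt" in
		https://*|http://*)
			sshkeys=$(wget -q -O- "$keysopt" | grep '^ssh-');;
		none)
			sshkeys="" ;;
		*)
			sshkeys="$keysopt";;
	esac
	if [ -n "$sshkeys" ] && ! printf '%s\n' "$sshkeys" | grep -q '^ssh-'; then
		# $resp is never set on this path; report the -k value instead.
		echo "Could not find any keys in '$keysopt'" >&2
		exit 1
	fi
fi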

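# Install the collected key(s) as the user's authorized_keys.  Only the
# chown is mocked (it needs the account to exist); mkdir and the write go
# straight to $ROOT.
if [ -n "$sshkeys" ] && [ "$sshkeys" != "none" ]; then
	sshdir="$ROOT/home/$username/.ssh"
	mkdir -p "$sshdir"
	# printf, not echo: no option/escape handling of the key text.
	printf '%s\n' "$sshkeys" > "$sshdir/authorized_keys"
	# sshd's StrictModes rejects a ~/.ssh or authorized_keys that others
	# can write to; pin the conventional 700/600 modes explicitly.
	chmod 700 "$sshdir"
	chmod 600 "$sshdir/authorized_keys"
	$MOCK chown -R "$username:$username" "$sshdir"
fi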

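# Add the user to each requested supplementary group.  Groups may be
# separated by commas or whitespace; "none" is an explicit no-op.
if [ -n "$groups" ] && [ "$groups" != "none" ]; then
	# printf with a quoted argument: the list is never misread as echo
	# options and is not glob-expanded before tr sees it.
	for grp in $(printf '%s\n' "$groups" | tr ',' ' '); do
		$MOCK addgroup "$username" "$grp" || exit
	done
fi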

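# Admin user: install doas, let the wheel group escalate, and add the user
# to wheel.  Only apk and addgroup are mocked; the config write goes to $ROOT.
if [ -n "$admin" ]; then
	$MOCK apk add doas
	doas_conf="$ROOT/etc/doas.d/doas.conf"
	mkdir -p "$ROOT/etc/doas.d"
	# Append the rule only once so repeated -a runs do not accumulate
	# duplicate lines (-s: a missing file is not an error, just "not found").
	if ! grep -qs '^permit persist :wheel$' "$doas_conf"; then
		echo "permit persist :wheel" >> "$doas_conf"
	fi
	$MOCK addgroup "$username" "wheel" || exit
fi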

# -u: unlock the account immediately (for users created non-interactively
# who will log in with the ssh key).  passwd's stderr is discarded; its
# exit status still becomes the script's, as it is the last command.
case "$forceunlock" in
	?*) $MOCK passwd -u "$username" 2>/dev/null ;;
esac