streamline building, proper makefile help

build/Dockerfile

@@ -6,8 +6,6 @@ RUN apk add --no-cache \
   rsync \
   shadow
 
-ADD get_pub_keys.sh /usr/local/sbin/get_pub_keys.sh
-ADD update_users.sh /usr/local/sbin/update_users.sh
-ADD run.sh /usr/local/sbin/run_ssh_box.sh
+COPY get_pub_keys.sh update_users.sh run_ssh_box.sh /usr/local/sbin/
 CMD bash /usr/local/sbin/run_ssh_box.sh
 

build/get_pub_keys.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 idnr=$( id -u "$1" )
 

build/run_ssh_box.sh

@@ -3,12 +3,12 @@ set -exu
 shopt -s nullglob
 basedir=/var/ssh-box/
 test -f "$basedir"/ssh-cache/ssh_host_rsa_key || {
-    ssh-keygen -A
-    grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \
-            -e Subsystem \
-        /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
-    mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
-    cat <<EOF >> /etc/ssh/sshd_config
+  ssh-keygen -A
+  grep -v -e AuthorizedKeys -e PermitEmptyPasswords -e PasswordAuthentication \
+    -e Subsystem \
+    /etc/ssh/sshd_config > /etc/ssh/sshd_config.tmp
+  mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
+  cat <<EOF >> /etc/ssh/sshd_config
 AuthorizedKeysFile    /tmp/empty_keys
 AuthorizedKeysCommand /usr/local/sbin/get_pub_keys.sh
 AuthorizedKeysCommandUser root
@@ -16,7 +16,7 @@ PermitEmptyPasswords no
 PasswordAuthentication no
 Subsystem sftp /usr/lib/ssh/sftp-server -u 002
 EOF
-    rsync -va /etc/ssh/ "$basedir"/ssh-cache/
+  rsync -va /etc/ssh/ "$basedir"/ssh-cache/
 }
 mkdir -p "$basedir"/users "$basedir"/ssh-cache "$basedir"/home
 rsync -va --del "$basedir"/ssh-cache/ /etc/ssh/
@@ -33,10 +33,16 @@ if getent group box; then
 else
   groupadd -g $GRP box
 fi
+if getent group trusted; then
+  echo Trusted already added
+else
+  groupadd trusted
+fi
 
-rmdir /home
-chown root:root "$basedir"/home
-chmod 0711 "$basedir"/home
+
+rmdir /home || true
+chown root:trusted "$basedir"/home
+chmod 0751 "$basedir"/home
 ln -sfT "$basedir"/home /home
 
 touch /tmp/empty_keys
@@ -49,8 +55,7 @@ cat <<EOF > /etc/profile
 alias ll='ls -al'
 EOF
 
-echo "-~''~- SSH-Box ~-..-~" > /etc/motd
-echo "$NAME" >> /etc/motd
+echo "$NAME" > /etc/motd
 
 update_users.sh
 

build/update_users.sh

@@ -1,45 +1,91 @@
 #!/bin/bash
-set -e
+set -eu
 shopt -s nullglob
 
 echo updating users >&2
 
-function getpass() {
-    # Technically possible to set password from key file
-    #set +e
-    #grep -q ^'#passwd=' "$1" && {
-    #    local newpw=$( grep ^'#passwd=' "$1" | head -n1 )
-    #    newpw=${newpw:8}
-    #    printf "$newpw"
-    #    sed -i 's/^#passwd=.*/#passwd-is-set/' "$1"
-    #    return
-    #}
-    set -e
-    local LENGTH=64
-    LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c $LENGTH
+function get_pass() {
+  # Technically possible to set password from key file
+  #set +e
+  #grep -q ^'#passwd=' "$1" && {
+  #    local newpw=$( grep ^'#passwd=' "$1" | head -n1 )
+  #    newpw=${newpw:8}
+  #    printf "$newpw"
+  #    sed -i 's/^#passwd=.*/#passwd-is-set/' "$1"
+  #    return
+  #}
+  # set -e
+  local LENGTH=64
+  LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c $LENGTH
+}
+
+function get_readme() {
+  cat <<EOF
+# SSH Box home
+
+- data/  folder is shared to all users, group access is forced.
+- create any other folder to keep files to yourself.
+- don't mess things up.
+
+EOF
+
+}
+
+function validate_users() {
+  # users uid must be >=2000
+  # uid must be unique
+  # must be format   [number]-[alphanumeric]
+  for file in *; do
+    if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then
+      if [[ "${BASH_REMATCH[1]}" -lt 2000 ]]; then
+        echo "$file" has UID under 2000 >&2
+        exit 1
+      fi
+    else
+      echo files must be formatted " [number]-[alphanumeric]"
+      echo "$file" is not valid user definition >&2
+      exit 1
+    fi
+  done
+  duplicate_uid=$(
+    for file in *; do
+      if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then
+        echo "${BASH_REMATCH[1]}"
+      fi
+    done | sort | uniq -d
+  )
+  if [[ -n "$duplicate_uid" ]]; then
+    echo user definitions contain duplicate UID >&2
+    echo "$duplicate_uid" >&2
+    exit 1
+  fi
 }
 
 cd /var/ssh-box/users
+validate_users
+
 for file in *; do
-  echo $file
-  line=$file
-  if [[ "$line" = *".sh" ]]; then
-    continue
+  if [[ "$file" =~ ^([0-9]+)-([a-z][a-z0-9_]*)$ ]]; then
+    uid=${BASH_REMATCH[1]}
+    user=${BASH_REMATCH[2]}
+    echo UID: "${BASH_REMATCH[1]}" username: "${BASH_REMATCH[2]}" >&2
+    id $user > /dev/null 2>&1 || {
+      adduser -D -u $uid $user
+      pw=$( get_pass "$file" )
+      echo -e "$pw\n$pw" | passwd $user 2> /dev/null
+      mkdir -p "/home/$user/data"
+      chmod 0711 "/home/$user"
+      usermod -a -G box $user
+      if grep -q '^# .*trusted.*' "$file"; then
+        usermod -a -G trusted $user
+      fi
+    }
+    rm -f "/home/$user/.ssh/authorized_keys"
+    get_readme > "/home/$user/README.md"
+    chown -R "$user":box "/home/$user/data"
+    chmod -R u+rwX,g+rwX,o+X "/home/$user/data"
+    chmod 0600 "$file"
+    chown $USR "$file"
   fi
-  user=${line##*-}
-  uid=${line%%-*}
-  id $user > /dev/null 2>&1 || {
-        adduser -D -u $uid $user
-        pw=$( getpass "$file" )
-        echo -e "$pw\n$pw" | passwd $user
-        mkdir -p "/home/$user/data"
-        chmod 0711 "/home/$user"
-        usermod -a -G box $user
-  }
-  rm -f "/home/$user/.ssh/authorized_keys"
-  chown -R "$user":box "/home/$user/data"
-  chmod -R u+rwX,g+rwX,o+X "/home/$user/data"
-  chmod 0600 "$file"
-  chown $USR "$file"
 done
 chmod 0700 /var/ssh-box/users