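#!/bin/bash
# Setup SSH git access on the production VPS.
#
# Creates a `git` system user with /bin/sh shell, home directory at /opt/git/.
# SSH access is controlled by authorized_keys command= restrictions (managed
# by mnw-admin rebuild-keys), not by the login shell.
#
# Run as root on the production VPS.

set -euo pipefail

readonly GIT_HOME="/opt/git"
# Account the web service runs as; it only needs group read on the repos.
readonly SERVICE_USER="makenotwork"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# 1. Create the git system user (shell=/bin/sh — security via authorized_keys
#    command=), then make sure home dir and shell are set correctly even when
#    the user already existed.
# Globals:   GIT_HOME (read)
# Outputs:   one status line to stdout
#######################################
create_git_user() {
  if id git &>/dev/null; then
    echo "git user already exists"
  else
    useradd --system --shell /bin/sh --home-dir "$GIT_HOME" --no-create-home git
    echo "Created git user"
  fi
  usermod --home "$GIT_HOME" --shell /bin/sh git
}

#######################################
# 2. Create the SSH directory and an empty authorized_keys (contents are
#    managed by mnw-admin rebuild-keys). Ownership and modes are applied in
#    fix_permissions(), after the recursive chmod, so they cannot be widened.
# Globals:   GIT_HOME (read)
#######################################
setup_ssh_dir() {
  mkdir -p "$GIT_HOME/.ssh"
  touch "$GIT_HOME/.ssh/authorized_keys"
}

#######################################
# 3. Ownership and permissions for /opt/git/.
# The makenotwork service needs read access to /opt/git/ for the web browser.
# It runs as SERVICE_USER, which is added to the git group for read access.
# Globals:   GIT_HOME, SERVICE_USER (read)
#######################################
fix_permissions() {
  # Ensure /opt/git/ repos are owned by git user.
  chown -R git:git "$GIT_HOME"

  # Group membership is best-effort (the service account may not exist yet on
  # a fresh host), but report it instead of hiding the failure.
  if id "$SERVICE_USER" &>/dev/null; then
    usermod -aG git "$SERVICE_USER" \
      || printf 'warning: could not add %s to git group\n' "$SERVICE_USER" >&2
  else
    printf 'warning: user %s not found; skipping git group membership\n' "$SERVICE_USER" >&2
  fi

  # Ensure group read on repo dirs (X sets execute only on dirs and files that
  # are already executable).
  chmod -R g+rX "$GIT_HOME"

  # Applied AFTER the recursive chmod: otherwise g+rX leaves .ssh at 750 and
  # authorized_keys at 640, readable by every git-group member. sshd's
  # StrictModes also requires these not be group- or world-writable.
  chmod 700 "$GIT_HOME/.ssh"
  chmod 600 "$GIT_HOME/.ssh/authorized_keys"
}

main() {
  # useradd/usermod/chown all need root; fail early with a clear message.
  [[ $EUID -eq 0 ]] || die "This script must be run as root"

  create_git_user
  setup_ssh_dir
  fix_permissions

  echo ""
  echo "=== Git SSH setup complete ==="
  echo ""
  echo "Next: run setup-ssh-keys.sh to configure sudoers for authorized_keys management"
}

main "$@"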