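#!/bin/bash
# Provision an apt-based image: base packages, an 'ansible' service account
# with its own sshd config on a high port, and a few pinned CLI tools.
# Everything below writes to system paths, so refuse to run unprivileged.
if [[ $UID -ne 0 ]]; then
  # Diagnostics go to stderr so they are not mistaken for script output.
  printf '%s\n' "This script must be run as root." >&2
  exit 1
fi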
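#DEBIAN_FRONTEND=noninteractive
################################################################################
# Basic OS and main packages - combined into a single layer
################################################################################
# One apt transaction, then locale, sshd prerequisites and cache cleanup, all
# chained with && so the first failure stops the rest of this stage.
#
# sshd hardening: Debian/Ubuntu images typically ship the directive commented
# out ("#PasswordAuthentication yes"). The previous pattern
# '^PasswordAuthentication yes' never matched that form, leaving password
# logins enabled on the system sshd. The pattern below rewrites the directive
# whether it is commented or not and whatever its current value. Drop-ins under
# /etc/ssh/sshd_config.d/, if any, are read first and would need the same
# treatment.
apt-get update && apt-get install -y --no-install-recommends \
  apt-transport-https \
  ca-certificates \
  locales \
  openssh-server \
  python3 \
  python3-pip \
  python3-venv \
  bash-completion \
  sudo \
  wget \
  curl \
  gnupg \
  git \
  make \
  jq \
  yq \
  sshpass \
  htop \
  tree \
  emacs-nox \
  nano \
  net-tools \
  iputils-ping \
  && locale-gen en_US.UTF-8 \
  && update-locale LANG=en_US.UTF-8 \
  && passwd -l root \
  && mkdir -p /var/run/sshd \
  && sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config \
  && apt-get clean \
  && apt-get autoremove -y \
  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*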
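################################################################################
# Ansible user setup
################################################################################
# Create the ansible user
USERNAME=ansible
USER_UID=1200
USER_GID=1200
SSH_PORT=2222
user_home="/home/${USERNAME}"
host_key_dir="${user_home}/.ssh_host_keys"
user_sshd_config="${user_home}/.sshd_config"

# Account, sudo group membership, login shell.
groupadd -g "$USER_GID" "$USERNAME" \
  && useradd -m -u "$USER_UID" -g "$USER_GID" "$USERNAME" \
  && usermod -aG sudo "$USERNAME" \
  && usermod -d "$user_home" "$USERNAME" \
  && chsh -s /bin/bash "$USERNAME"

# Passwordless sudo is intentional: the account exists for unattended Ansible
# runs. A drop-in under /etc/sudoers.d (included by the Debian/Ubuntu sudo
# package's default /etc/sudoers), validated with visudo, replaces appending to
# /etc/sudoers so a malformed line cannot break sudo for every account.
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$USERNAME" > "/etc/sudoers.d/${USERNAME}" \
  && chmod 0440 "/etc/sudoers.d/${USERNAME}" \
  && visudo -cf "/etc/sudoers.d/${USERNAME}"

# authorized_keys is populated later; create it up front with the modes sshd's
# StrictModes check expects, so a later append cannot leave it world-readable.
mkdir -p "${user_home}/.ssh" \
  && chmod 700 "${user_home}/.ssh" \
  && touch "${user_home}/.ssh/authorized_keys" \
  && chmod 600 "${user_home}/.ssh/authorized_keys"

# Host keys for the system sshd (-A) plus a separate set, owned by the user,
# for the per-user sshd instance configured below. -N "" means no passphrase,
# which an unattended daemon needs. The directory holds private keys, hence 700.
mkdir -p "$host_key_dir" \
  && chmod 700 "$host_key_dir" \
  && chown "${USERNAME}:${USERNAME}" "$host_key_dir" \
  && ssh-keygen -A -h \
  && ssh-keygen -t rsa -f "${host_key_dir}/ssh_host_rsa_key" -N "" \
  && ssh-keygen -t ecdsa -f "${host_key_dir}/ssh_host_ecdsa_key" -N "" \
  && ssh-keygen -t ed25519 -f "${host_key_dir}/ssh_host_ed25519_key" -N "" \
  && chown "${USERNAME}:${USERNAME}" "$host_key_dir"/*

# Per-user sshd config, written whole (not appended) so re-running the script
# does not duplicate directives. Root login and password auth are off; the
# daemon listens on all IPv4 interfaces on SSH_PORT.
cat > "$user_sshd_config" <<EOF
HostKey ${host_key_dir}/ssh_host_rsa_key
HostKey ${host_key_dir}/ssh_host_ecdsa_key
HostKey ${host_key_dir}/ssh_host_ed25519_key
Port ${SSH_PORT}
ListenAddress 0.0.0.0
PermitRootLogin no
PasswordAuthentication no
EOF
chown "${USERNAME}:${USERNAME}" "$user_sshd_config" \
  && chmod 600 "$user_sshd_config"

# Runs as root here, so this lands in root's global git config.
git config --global init.defaultBranch main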
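# Add SSH users
# Public keys are fetched over HTTPS from each listed GitHub account.
# Whitespace-separated list; the unquoted expansion in the loop is intentional.
GITHUB_USERS="pwyoung "
authorized_keys="/home/${USERNAME}/.ssh/authorized_keys"
# shellcheck disable=SC2086
for user in $GITHUB_USERS; do
  printf '# %s\n' "$user" >> "$authorized_keys"
  # -f: an HTTP error (unknown user, rate limiting) fails the fetch instead of
  # appending the error body to authorized_keys; --max-time bounds a stalled
  # connection so the build cannot hang on it.
  if ! curl -fsSL --max-time 30 "https://github.com/${user}.keys" >> "$authorized_keys"; then
    printf 'warning: could not fetch SSH keys for GitHub user %s\n' "$user" >&2
  fi
done
# Local password for the account. Default is the well-known value the script
# always used; set ANSIBLE_PASSWORD at build time to override it. The account
# has NOPASSWD sudo and its per-user sshd config turns password authentication
# off, so the password is only meaningful for console logins or any sshd that
# still accepts passwords.
printf '%s:%s\n' "$USERNAME" "${ANSIBLE_PASSWORD:-ansible}" | chpasswd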
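################################################################################
# Shell configuration
################################################################################
# Append convenience aliases and bash-completion loading to the user's .bashrc
# in a single write. The heredoc delimiter is quoted, so nothing is expanded
# here and `$i` lands in the file literally.
cat >> "/home/${USERNAME}/.bashrc" <<'EOF'
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
alias grep='grep --color=auto'
alias ..='cd ..'
alias ...='cd ../..'
alias now='date +%Y-%m-%d_%H-%M-%S'
if [ -f /etc/bash_completion ] && ! shopt -oq posix; then . /etc/bash_completion; fi
if [ -d /etc/bash_completion.d ]; then for i in /etc/bash_completion.d/*; do if [ -f $i ]; then . $i; fi; done; unset i; fi

EOF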
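################################################################################
# Platform-specific binaries - combined into a single layer
################################################################################
# Hardware platform (e.g. amd64 or arm64)
HW=amd64
SOPS_VERSION=3.8.1
AGE_VERSION=1.1.1
KUBECTL_VERSION=1.29.2
# Optional pinned SHA-256 digests for the sops binary and the age tarball.
# Empty (the default) installs them unverified, as before; set them to the
# digests published with the respective release to enforce integrity.
# kubectl needs no pin: its digest is published next to the binary as
# kubectl.sha256 and is checked below.
SOPS_SHA256="${SOPS_SHA256:-}"
AGE_SHA256="${AGE_SHA256:-}"

# verify_sha256 FILE EXPECTED
#   Compares FILE's SHA-256 with EXPECTED (hex). An empty EXPECTED skips the
#   check. Returns non-zero and reports on stderr when the digests differ.
verify_sha256() {
  local file=$1 expected=$2 actual
  [[ -z "$expected" ]] && return 0
  actual=$(sha256sum -- "$file" | awk '{print $1}')
  if [[ "$actual" != "$expected" ]]; then
    printf 'checksum mismatch for %s: got %s, expected %s\n' "$file" "$actual" "$expected" >&2
    return 1
  fi
}

# Download into a private temp dir so partial files never land in the cwd.
# curl -f makes an HTTP error fail the chain instead of writing an error page
# that would then be installed as a binary. age's tools are installed with the
# same 555 mode as sops and kubectl for consistency.
dl_tmp=$(mktemp -d)
(
  cd "$dl_tmp" \
  && curl -fsSLO "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${HW}" \
  && verify_sha256 "sops-v${SOPS_VERSION}.linux.${HW}" "$SOPS_SHA256" \
  && install -m 555 "sops-v${SOPS_VERSION}.linux.${HW}" /usr/local/bin/sops \
  && wget -q "https://github.com/FiloSottile/age/releases/download/v${AGE_VERSION}/age-v${AGE_VERSION}-linux-${HW}.tar.gz" \
  && verify_sha256 "age-v${AGE_VERSION}-linux-${HW}.tar.gz" "$AGE_SHA256" \
  && tar -xzf "age-v${AGE_VERSION}-linux-${HW}.tar.gz" \
  && install -m 555 age/age age/age-keygen /usr/local/bin/ \
  && curl -fsSLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${HW}/kubectl" \
  && curl -fsSLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${HW}/kubectl.sha256" \
  && verify_sha256 kubectl "$(cat kubectl.sha256)" \
  && install -m 555 kubectl /usr/local/bin/kubectl
)
dl_status=$?
rm -rf -- "${dl_tmp:?}"
if (( dl_status != 0 )); then
  printf 'error: installing platform binaries failed (status %d)\n' "$dl_status" >&2
  exit "$dl_status"
fi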
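# Hand the whole home tree (authorized_keys, host keys, sshd config, .bashrc)
# to the user; everything above was written as root.
chown -R -- "${USERNAME}:${USERNAME}" "/home/${USERNAME}"
# Run the SSH server as the user 'ansible'
#sudo su - ansible bash -c 'nohup /usr/sbin/sshd -D -f ~/.sshd_config > ~/sshd.log 2>&1 & echo $! > ~/sshd.pid'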