4e612b51e5
Proxmox host nemá jq nainštalované. Parsovanie users.json prepísané na grep/sed/awk v ct/ubuntu.sh aj ubuntu-install.sh. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
148 lines
5.0 KiB
Bash
148 lines
5.0 KiB
Bash
#!/usr/bin/env bash
|
|
# Inštalačný skript pre Ubuntu 24.04 LXC kontajner
|
|
# Beží VNÚTRI kontajnera po jeho vytvorení
|
|
|
|
source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
|
|
color
|
|
verb_ip6
|
|
catch_errors
|
|
setting_up_container
|
|
network_check
|
|
update_os
|
|
|
|
# =============================================================================
|
|
# Inštalácia balíčkov
|
|
# =============================================================================
|
|
msg_info "Inštalujem dodatočné balíčky"
|
|
$STD apt-get install -y mc wget git curl openssh-server
|
|
msg_ok "Balíčky nainštalované"
|
|
|
|
# =============================================================================
|
|
# Vytvorenie užívateľov z USERS_JSON + SELECTED_USERS
|
|
# =============================================================================
|
|
if [[ -n "${USERS_JSON:-}" && -n "${SELECTED_USERS:-}" ]]; then
|
|
msg_info "Vytváram užívateľov"
|
|
|
|
# Parsovanie SELECTED_USERS (whiptail vracia "user1" "user2" formát)
|
|
selected_list=$(echo "$SELECTED_USERS" | tr -d '"')
|
|
|
|
# Parsovanie users.json bez jq — cez grep/sed/awk
|
|
# Prechádzame každý blok užívateľa
|
|
current_user=""
|
|
current_sudo="false"
|
|
current_keys=()
|
|
in_keys=false
|
|
|
|
while IFS= read -r line; do
|
|
# Detekcia username
|
|
if echo "$line" | grep -q '"username"'; then
|
|
# Ak máme predchádzajúceho užívateľa, spracuj ho
|
|
if [[ -n "$current_user" ]]; then
|
|
# Kontrola, či bol užívateľ vybraný
|
|
if echo "$selected_list" | grep -qw "$current_user"; then
|
|
# Vytvorenie užívateľa s náhodným heslom
|
|
random_pw=$(openssl rand -base64 16)
|
|
useradd -m -s /bin/bash "$current_user"
|
|
echo "${current_user}:${random_pw}" | chpasswd
|
|
|
|
# SSH kľúče
|
|
user_home="/home/${current_user}"
|
|
mkdir -p "${user_home}/.ssh"
|
|
chmod 700 "${user_home}/.ssh"
|
|
for key in "${current_keys[@]}"; do
|
|
echo "$key" >> "${user_home}/.ssh/authorized_keys"
|
|
done
|
|
chmod 600 "${user_home}/.ssh/authorized_keys"
|
|
chown -R "${current_user}:${current_user}" "${user_home}/.ssh"
|
|
|
|
# Sudo bez hesla
|
|
if [[ "$current_sudo" == "true" ]]; then
|
|
echo "${current_user} ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/${current_user}"
|
|
chmod 440 "/etc/sudoers.d/${current_user}"
|
|
fi
|
|
|
|
msg_ok "Užívateľ vytvorený: ${current_user}"
|
|
fi
|
|
fi
|
|
current_user=$(echo "$line" | sed 's/.*"username"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
|
|
current_sudo="false"
|
|
current_keys=()
|
|
in_keys=false
|
|
fi
|
|
|
|
# Detekcia sudo
|
|
if echo "$line" | grep -q '"sudo"'; then
|
|
if echo "$line" | grep -q 'true'; then
|
|
current_sudo="true"
|
|
fi
|
|
fi
|
|
|
|
# Detekcia SSH kľúčov
|
|
if echo "$line" | grep -q '"ssh_keys"'; then
|
|
in_keys=true
|
|
continue
|
|
fi
|
|
if [[ "$in_keys" == true ]]; then
|
|
if echo "$line" | grep -q '\]'; then
|
|
in_keys=false
|
|
continue
|
|
fi
|
|
local key
|
|
key=$(echo "$line" | sed 's/.*"\(ssh-[^"]*\)".*/\1/')
|
|
[[ -n "$key" && "$key" != "$line" ]] && current_keys+=("$key")
|
|
fi
|
|
done <<< "$USERS_JSON"
|
|
|
|
# Spracuj posledného užívateľa
|
|
if [[ -n "$current_user" ]]; then
|
|
if echo "$selected_list" | grep -qw "$current_user"; then
|
|
random_pw=$(openssl rand -base64 16)
|
|
useradd -m -s /bin/bash "$current_user"
|
|
echo "${current_user}:${random_pw}" | chpasswd
|
|
|
|
user_home="/home/${current_user}"
|
|
mkdir -p "${user_home}/.ssh"
|
|
chmod 700 "${user_home}/.ssh"
|
|
for key in "${current_keys[@]}"; do
|
|
echo "$key" >> "${user_home}/.ssh/authorized_keys"
|
|
done
|
|
chmod 600 "${user_home}/.ssh/authorized_keys"
|
|
chown -R "${current_user}:${current_user}" "${user_home}/.ssh"
|
|
|
|
if [[ "$current_sudo" == "true" ]]; then
|
|
echo "${current_user} ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/${current_user}"
|
|
chmod 440 "/etc/sudoers.d/${current_user}"
|
|
fi
|
|
|
|
msg_ok "Užívateľ vytvorený: ${current_user}"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# =============================================================================
|
|
# SSH Hardening
|
|
# =============================================================================
|
|
msg_info "Konfigurujem SSH"
|
|
|
|
# Záloha pôvodnej konfigurácie
|
|
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
|
|
|
|
# Zakázať root login a prihlásenie heslom
|
|
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
|
|
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
|
|
sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
|
|
sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
|
|
|
|
# Reštart SSH
|
|
systemctl enable ssh
|
|
systemctl restart ssh
|
|
|
|
msg_ok "SSH nakonfigurované (len kľúče, root zakázaný)"
|
|
|
|
# =============================================================================
|
|
# Štandardné dokončenie
|
|
# =============================================================================
|
|
motd_ssh
|
|
customize
|
|
cleanup_lxc
|