diff --git a/setup.sh b/setup.sh
index 940c1ff..d090c4e 100755
--- a/setup.sh
+++ b/setup.sh
@@ -14,6 +14,8 @@ NC='\033[0m' # No Color
 ### === SETTINGS === ###
 SYSADMIN_USER="sysadmin"
+CREATE_ADDITIONAL_USER=""
+ADDITIONAL_USER=""
 USE_UFW=""
 USE_FAIL2BAN=""
@@ -45,6 +47,50 @@ check_debian() {
 fi
 }
+# Ask user about creating an additional user
+ask_additional_user() {
+ echo ""
+ echo -e "${BLUE}=== Additional User Creation ===${NC}"
+ echo "This script will create the 'sysadmin' user by default."
+ echo "You can also create an additional user account if needed."
+ echo ""
+ read -p "Would you like to create an additional user account? (y/N): " create_user_choice
+ if [[ "$create_user_choice" =~ ^[Yy]$ ]]; then
+ CREATE_ADDITIONAL_USER="yes"
+ echo ""
+ echo -e "${YELLOW}Enter username for the additional user:${NC}"
+ echo "(This user will also have sudo privileges)"
+ echo ""
+ while true; do
+ read -p "Username: " username_input
+ # Validate username
+ if [[ -z "$username_input" ]]; then
+ echo -e "${RED}Username cannot be empty. Please try again.${NC}"
+ continue
+ elif [[ ! "$username_input" =~ ^[a-z][a-z0-9_-]*$ ]]; then
+ echo -e "${RED}Invalid username. Use lowercase letters, numbers, hyphens, and underscores only.${NC}"
+ echo -e "${RED}Username must start with a letter.${NC}"
+ continue
+ elif [[ "$username_input" == "$SYSADMIN_USER" ]]; then
+ echo -e "${RED}Username cannot be the same as sysadmin user. Please choose a different name.${NC}"
+ continue
+ elif id "$username_input" &>/dev/null; then
+ echo -e "${RED}User '$username_input' already exists. Please choose a different name.${NC}"
+ continue
+ else
+ ADDITIONAL_USER="$username_input"
+ log "Will create additional user: $ADDITIONAL_USER"
+ break
+ fi
+ done
+ else
+ CREATE_ADDITIONAL_USER="no"
+ log "Skipping additional user creation"
+ fi
+}
 # Ask user about firewall preferences
 ask_firewall_preferences() {
 echo ""
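Review bot: The username validation in ask_additional_user puts no upper bound on length, so a name the regex accepts can still be rejected by useradd later (shadow's useradd caps names at 32 characters, as far as I know), and that later failure is not handled in this prompt loop where the admin could simply retry; tightening the pattern to `^[a-z][a-z0-9_-]{0,31}$` keeps the check in one place. Both `read -p` calls should also be `read -r -p`, since without -r a backslash in the input is interpreted before the value is validated and stored. The accepted name is also granted sudo unconditionally, as the prompt text says; if an unprivileged extra account is ever wanted, a separate y/N prompt for sudo would make this a least-privilege option rather than a fixed escalation.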
@@ -131,6 +177,28 @@ create_sysadmin_user() {
 usermod -aG sudo "$SYSADMIN_USER"
 }
+create_additional_user() {
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ log "Creating additional user: $ADDITIONAL_USER"
+ if id "$ADDITIONAL_USER" &>/dev/null; then
+ warn "User $ADDITIONAL_USER already exists, skipping creation"
+ else
+ # Create user with home directory
+ useradd -m -s /bin/bash "$ADDITIONAL_USER"
+ log "User $ADDITIONAL_USER created successfully"
+ # Set password for additional user
+ echo "Please set a password for user $ADDITIONAL_USER:"
+ passwd "$ADDITIONAL_USER"
+ fi
+ # Add additional user to sudo group
+ log "Adding $ADDITIONAL_USER to sudo group..."
+ usermod -aG sudo "$ADDITIONAL_USER"
+ fi
+}
 configure_security() {
 # Disable root SSH login
 log "Disabling root SSH login..."
@@ -148,7 +216,11 @@ configure_security() {
 echo "MaxAuthTries 3"
 echo "ClientAliveInterval 300"
 echo "ClientAliveCountMax 2"
- echo "AllowUsers $SYSADMIN_USER"
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER"
+ else
+ echo "AllowUsers $SYSADMIN_USER"
+ fi
 } >> /etc/ssh/sshd_config
 # Remove/lock root password
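Review bot: In create_additional_user the exit status of `useradd -m -s /bin/bash "$ADDITIONAL_USER"` is never checked, so if account creation fails the function still logs "created successfully" and runs `passwd` and `usermod -aG sudo` against a nonexistent user; nothing in this hunk shows `set -e`, so I would guard it with `useradd -m -s /bin/bash "$ADDITIONAL_USER" || { warn "useradd failed for $ADDITIONAL_USER"; return 1; }` and treat a failed `passwd` the same way rather than continuing to the sudo step. The already-exists branch also still adds that pre-existing account to sudo; ask_additional_user refuses existing names, so this only triggers if the variables are set some other way, but warning and returning there would be safer than silently escalating an account the script did not create.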
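Review bot: With this change the additional user is listed in AllowUsers while, per create_additional_user, it also has an interactive password and sudo membership, so whether sshd accepts that password over the network now matters more than it did for a key-only sysadmin account; the visible part of the appended block sets MaxAuthTries and keepalives but no `PasswordAuthentication no`, and the rest of the heredoc is outside the hunk, so please confirm that directive is set or add it here. A comment above the branch such as `# every account listed here must also be created before sshd is restarted` would also document the ordering dependency on create_additional_user that the new AllowUsers line introduces.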
@@ -311,39 +383,45 @@ generate_ssh_keys() {
 read -p "Enter your email: " user_email
 # Generate SSH key for sysadmin user
- generate_sysadmin_ssh_key "$user_email"
+ generate_user_ssh_key "$SYSADMIN_USER" "$user_email"
+
+ # Generate SSH key for additional user if created
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ generate_user_ssh_key "$ADDITIONAL_USER" "$user_email"
+ fi
 # Generate SSH key for root user
 generate_root_ssh_key "$user_email"
 }
-generate_sysadmin_ssh_key() {
- local user_email="$1"
- local sysadmin_home="/home/$SYSADMIN_USER"
- local ssh_dir="$sysadmin_home/.ssh"
+generate_user_ssh_key() {
+ local username="$1"
+ local user_email="$2"
+ local user_home="/home/$username"
+ local ssh_dir="$user_home/.ssh"
 local ssh_key="$ssh_dir/id_ed25519"
- log "Setting up SSH key for user: $SYSADMIN_USER"
+ log "Setting up SSH key for user: $username"
- # Create .ssh directory for sysadmin user if it doesn't exist
+ # Create .ssh directory for user if it doesn't exist
 if [ ! -d "$ssh_dir" ]; then
- sudo -u "$SYSADMIN_USER" mkdir -p "$ssh_dir"
- sudo -u "$SYSADMIN_USER" chmod 700 "$ssh_dir"
+ sudo -u "$username" mkdir -p "$ssh_dir"
+ sudo -u "$username" chmod 700 "$ssh_dir"
 fi
 if [ ! -f "$ssh_key.pub" ]; then
- log "Generating SSH key for $SYSADMIN_USER..."
+ log "Generating SSH key for $username..."
- # Generate SSH key as sysadmin user
- sudo -u "$SYSADMIN_USER" ssh-keygen -t ed25519 -C "$user_email" -f "$ssh_key" -N ""
+ # Generate SSH key as user
+ sudo -u "$username" ssh-keygen -t ed25519 -C "$user_email" -f "$ssh_key" -N ""
 # Set proper permissions
- sudo -u "$SYSADMIN_USER" chmod 600 "$ssh_key"
- sudo -u "$SYSADMIN_USER" chmod 644 "$ssh_key.pub"
+ sudo -u "$username" chmod 600 "$ssh_key"
+ sudo -u "$username" chmod 644 "$ssh_key.pub"
- log "SSH key generated successfully for $SYSADMIN_USER"
+ log "SSH key generated successfully for $username"
 else
- warn "SSH key already exists for $SYSADMIN_USER"
+ warn "SSH key already exists for $username"
 fi
 }
@@ -392,6 +470,18 @@ show_ssh_keys() {
 echo "----------------------------------------"
 echo ""
+ # Show additional user SSH key if created
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ local additional_home="/home/$ADDITIONAL_USER"
+ local additional_ssh_key="$additional_home/.ssh/id_ed25519.pub"
+
+ echo -e "${YELLOW}ADDITIONAL USER ($ADDITIONAL_USER) SSH KEY:${NC}"
+ echo "----------------------------------------"
+ cat "$additional_ssh_key"
+ echo "----------------------------------------"
+ echo ""
+ fi
+
 echo -e "${YELLOW}ROOT USER SSH KEY:${NC}"
 echo "----------------------------------------"
 cat "$root_ssh_key"
@@ -399,8 +489,13 @@ show_ssh_keys() {
 echo ""
 echo -e "${YELLOW}Instructions:${NC}"
- echo "1. Copy both keys above"
- echo "2. Add both keys to your git server and any other systems you need access to"
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ echo "1. Copy all keys above"
+ echo "2. Add all keys to your git server and any other systems you need access to"
+ else
+ echo "1. Copy both keys above"
+ echo "2. Add both keys to your git server and any other systems you need access to"
+ fi
 echo "3. You can now use these keys for SSH authentication"
 echo ""
 read -p "Press Enter to continue..."
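Review bot: generate_user_ssh_key hardcodes the home directory as `/home/$username`, which was a fixed assumption about one account but is now applied to whatever name the caller passes; if an account's home lives elsewhere, the function creates `/home/<name>/.ssh` as that user, which either fails or leaves the key somewhere sshd will not look. Resolving it from the account record, `local user_home; user_home=$(getent passwd "$username" | cut -d: -f6)`, keeps the function correct for both callers (the validated username starts with a letter, so there is no option-injection concern in that lookup). The passphrase-less `-N ""` key and the chmod calls are carried over unchanged so I am not re-raising them, but a header comment stating the key is deliberately unprotected because it is used for the git server access described in show_ssh_keys would record that decision for the next reader.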
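Review bot: The new block in show_ssh_keys calls `cat "$additional_ssh_key"` without checking that the file exists, so if key generation for the additional user failed earlier a cat error appears between the banners instead of a clear message; `if [[ -r "$additional_ssh_key" ]]; then cat "$additional_ssh_key"; else warn "No SSH key found for $ADDITIONAL_USER"; fi` keeps the output readable. It also rebuilds the path as `/home/$ADDITIONAL_USER/.ssh/id_ed25519.pub` independently of generate_user_ssh_key; deriving it in one shared place would stop the two from drifting apart.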
@@ -489,7 +584,8 @@ main() {
 echo "This script will:"
 echo "1. Set up a secure Debian 12 system"
 echo "2. Create a sysadmin user with SSH key authentication"
- echo "3. Generate SSH keys for both sysadmin and root users"
+ echo "3. Optionally create an additional user account"
+ echo "4. Generate SSH keys for all created users and root"
 echo ""
 read -p "Continue? (y/N): " confirm
@@ -498,12 +594,14 @@ main() {
 exit 0
 fi
- # Ask for firewall preferences
+ # Ask for user and firewall preferences
+ ask_additional_user
 ask_firewall_preferences
 # System setup
 setup_system
 create_sysadmin_user
+ create_additional_user
 configure_security
 # SSH key setup