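#!/usr/bin/env bash
#
# ssh admin user creation script
#
# https://gist.github.com/NickKelly1/a2f873394c084597744fec1a744b44d0
#
# usage:
#
#   curl -s https://gist.github.com/NickKelly1/a2f873394c084597744fec1a744b44d0/raw > createuser.sh
#   chmod +x ./createuser.sh
#   ./createuser.sh
#   rm ./createuser.sh
#
# author: Nick Kelly
# created: 2022-04-24
# updated: 2022-04-24
#
# Goal:
# - create a user that can log in via ssh
# - the user should be part of the sudo group
# - the user should have no password (so they don't need to remember & enter
#   password to sudo)
# - the users password should be deactivated (so password login is unavailable
#   from remote and from other users)
#
# Review notes (differences from the original one-file flow):
# - the interactively entered username is validated BEFORE it is passed to
#   adduser and interpolated into a file under /etc/sudoers.d
# - the sudoers drop-in is written to a temp file, checked with `visudo -c`
#   and installed with mode 0440; a malformed or badly named drop-in can lock
#   every admin out of sudo (sudo also ignores names containing '.' or '~')
# - the home directory comes from the passwd database instead of assuming
#   /home/<name>
# - .ssh modes are set explicitly (0700 / 0600, what sshd StrictModes wants)
#   and the previous umask is restored instead of hard-coding 002
#
set -euo pipefail

#######################################
# Print an error message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Check that a username is safe to hand to adduser and to use as both the
# file name and the rule subject of a /etc/sudoers.d drop-in.
# Arguments: $1 - candidate username
# Returns:   0 if the name matches [a-z_][a-z0-9_-]* and is at most 32
#            characters (the usual Linux login-name limit); 1 otherwise.
#            This also rules out '.', '~', whitespace and any shell or
#            sudoers metacharacters.
#######################################
valid_username() {
  local name=$1
  [[ "$name" =~ ^[a-z_][a-z0-9_-]*$ ]] && (( ${#name} <= 32 ))
}

#######################################
# Install a NOPASSWD sudoers drop-in for the user unless one already exists.
# Arguments: $1 - username (must already have passed valid_username)
# Outputs:   progress / warning messages on stdout
# Returns:   0 on success or when the drop-in already existed; exits via die
#            if the generated rule does not pass visudo.
#######################################
install_sudoers_dropin() {
  local name=$1
  local target="/etc/sudoers.d/${name}"
  local tmp

  if [[ -e "$target" ]]; then
    printf 'Warning: %s already exists.\n' "$target"
    printf 'Warning: Not removing sudo password requirement.\n'
    return 0
  fi

  # Build the rule in a private temp file first so that a broken rule is
  # never left under /etc/sudoers.d, where it would break sudo for everyone.
  tmp=$(mktemp) || die "mktemp failed"
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$name" > "$tmp"
  if ! visudo -cf "$tmp" > /dev/null; then
    rm -f -- "$tmp"
    die "generated sudoers rule for ${name} failed the visudo check"
  fi
  # sudo requires drop-ins to be root-owned and not world-writable; 0440 is
  # the conventional mode. install(1) also copies atomically into place.
  install -o root -g root -m 0440 -- "$tmp" "$target"
  rm -f -- "$tmp"
}

#######################################
# Create HOME/.ssh and an empty authorized_keys with the permissions sshd
# expects, owned by the user and their login group.
# Arguments: $1 - username
#            $2 - the user's home directory (must exist)
# Outputs:   progress messages on stdout
#######################################
setup_ssh_dir() {
  local name=$1
  local home=$2
  local ssh_dir="${home}/.ssh"

  printf 'Creating %s\n' "$ssh_dir"
  # -p: do not fail if the skeleton already provided .ssh
  mkdir -p -- "$ssh_dir"
  printf 'Creating %s/authorized_keys\n' "$ssh_dir"
  touch -- "${ssh_dir}/authorized_keys"
  # sshd (StrictModes) rejects keys in a group/world-accessible directory or
  # file, so set the modes explicitly rather than relying on the umask.
  chmod 0700 -- "$ssh_dir"
  chmod 0600 -- "${ssh_dir}/authorized_keys"
  printf 'Recursively setting ownership of %s\n' "$ssh_dir"
  # "name:" (empty group) = the user's login group, whatever adduser chose.
  chown -R -- "${name}:" "$ssh_dir"
}

#######################################
# Entry point: prompt for a username, create the account, grant passwordless
# sudo and prepare an empty authorized_keys file.
# Globals:   EUID (read)
# Arguments: none (input is read interactively)
# Returns:   exits non-zero on any failure
#######################################
main() {
  local admin_username home_dir old_umask

  printf '\n'
  printf '===================================\n'
  printf '=== Initialising new admin user ===\n'
  printf '=== author: Nick Kelly ===\n'
  printf '=== created: 2022-04-24 ===\n'
  printf '=== updated: 2022-04-24 ===\n'
  printf '===================================\n'
  printf '\n'

  (( EUID == 0 )) || die "Please run as root with sudo."

  # -e/-i: readline editing with a pre-filled default; -r: no backslash escapes
  read -r -e -p "Admin username: " -i "admin" admin_username
  [[ -n "$admin_username" ]] || die "no username."
  valid_username "$admin_username" \
    || die "invalid username '${admin_username}' (allowed: [a-z_][a-z0-9_-]*, max 32 chars)"

  printf 'Creating %s\n' "$admin_username"
  # gecos: non-interactive (don't ask for additional details)
  # disabled-password: no password is set, so password login is unavailable;
  # ssh key login and sudo (via the NOPASSWD rule below) still work
  adduser --gecos "" --disabled-password "$admin_username"

  # Ask the passwd database where the home actually is instead of assuming
  # /home/<name> (adduser.conf may set a different DHOME).
  home_dir=$(getent passwd "$admin_username" | cut -d: -f6)
  [[ -n "$home_dir" && -d "$home_dir" ]] \
    || die "could not determine home directory for ${admin_username}"

  printf 'Adding %s to group: sudo\n' "$admin_username"
  usermod -a -G sudo "$admin_username"

  printf 'Removing sudo password requirement from %s\n' "$admin_username"
  install_sudoers_dropin "$admin_username"

  old_umask=$(umask)
  printf 'Setting umask 077 (was %s)\n' "$old_umask"
  umask 077
  setup_ssh_dir "$admin_username" "$home_dir"
  printf 'Restoring umask %s\n' "$old_umask"
  umask "$old_umask"

  printf 'Finished.\n'
  printf 'Next steps:\n'
  printf ' - Put the users public ssh key into %s/.ssh/authorized_keys\n' "$home_dir"
  # Copy only authorized_keys: copying the whole ~/.ssh of the invoking
  # account would also hand the new user its private keys and known_hosts.
  printf '   eg rsync --archive --chown %s: ~/.ssh/authorized_keys %s/.ssh/\n' \
    "$admin_username" "$home_dir"
}

main "$@"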