Nicolas Cantu
088eab84b7
- Add ia_dev submodule (projects/smart_ide on forge 4nk) - Document APIs, orchestrator, gateway, local-office, rollout - Add systemd/scripts layout; relocate setup scripts - Remove obsolete nginx/enso-only docs from this repo scope
143 lines
4.2 KiB
Bash
Executable File
143 lines
4.2 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Add SSH public key to ~/.ssh/authorized_keys on infrastructure hosts.
|
|
#
|
|
# Modes (pick one):
|
|
# ADD_KEY_LOCAL=1 — you are already SSH'd on the target host (e.g. 192.168.1.164): only
|
|
# update the current user's ~/.ssh/authorized_keys on this machine.
|
|
# LAN_DIRECT=1 — same LAN as hosts: ssh BACKEND_USER@192.168.1.x directly (no ProxyJump,
|
|
# no 4nk.myftp.biz). Host list includes proxy .100, backends, and .164.
|
|
# (default) — bastion JUMP then ProxyJump to each backend (Internet / standard doc).
|
|
#
|
|
# The key embedded below (desk@desk) is what gets appended remotely; client auth uses your
|
|
# existing keys (SSH_IDENTITY_FILE / agent).
|
|
#
|
|
# Run as the SSH user, not root: sudo uses /root/.ssh and causes Permission denied (publickey).
|
|
#
|
|
# Optional env:
|
|
# BACKEND_USER=ncantu
|
|
# JUMP=ncantu@4nk.myftp.biz # default jump host when LAN_DIRECT is unset
|
|
# SSH_IDENTITY_FILE=~/.ssh/id_ed25519
|
|
# SSH_VERBOSE=1
|
|
# EXTRA_LAN_IPS="192.168.1.42 ..." # space-separated, appended when LAN_DIRECT=1
|
|
# Usage:
|
|
# ADD_KEY_LOCAL=1 ./add-ssh-key.sh
|
|
# LAN_DIRECT=1 ./add-ssh-key.sh
|
|
|
|
set -euo pipefail
|
|
|
|
SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyLeCZh0tJ7rEp1sktpMlA2EaBBKBU5jNRMgboYAOsk desk@desk"
|
|
KEY_FINGERPRINT="AAAAC3NzaC1lZDI1NTE5AAAAIDyLeCZh0tJ7rEp1sktpMlA2EaBBKBU5jNRMgboYAOsk"
|
|
|
|
JUMP="${JUMP:-ncantu@4nk.myftp.biz}"
|
|
BACKEND_USER="${BACKEND_USER:-ncantu}"
|
|
|
|
BACKEND_IPS=(
|
|
"192.168.1.101" # test
|
|
"192.168.1.102" # pprod
|
|
"192.168.1.103" # prod
|
|
"192.168.1.104" # services
|
|
"192.168.1.105" # bitcoin
|
|
"192.168.1.173" # ia
|
|
)
|
|
|
|
LAN_IPS=(
|
|
"192.168.1.100" # proxy
|
|
"${BACKEND_IPS[@]}"
|
|
"192.168.1.164" # workstation / host 164 on LAN
|
|
)
|
|
|
|
SSH_OPTS=(
|
|
-o StrictHostKeyChecking=accept-new
|
|
)
|
|
if [ -n "${SSH_IDENTITY_FILE:-}" ]; then
|
|
idf="${SSH_IDENTITY_FILE/#\~/$HOME}"
|
|
SSH_OPTS+=(-i "$idf" -o IdentitiesOnly=yes)
|
|
fi
|
|
if [ -n "${SSH_VERBOSE:-}" ]; then
|
|
SSH_OPTS+=(-v)
|
|
fi
|
|
|
|
if [ "$(id -u)" -eq 0 ]; then
|
|
echo "Do not run this script with sudo/root: SSH will use /root/.ssh and fail with Permission denied (publickey)." >&2
|
|
exit 1
|
|
fi
|
|
|
|
add_key_to_current_user() {
|
|
local auth="${HOME}/.ssh/authorized_keys"
|
|
mkdir -p "${HOME}/.ssh"
|
|
chmod 700 "${HOME}/.ssh"
|
|
touch "${auth}"
|
|
chmod 600 "${auth}"
|
|
if ! grep -qF "${KEY_FINGERPRINT}" "${auth}" 2>/dev/null; then
|
|
printf '%s\n' "${SSH_KEY}" >> "${auth}"
|
|
echo "Key added (local user $(whoami)@$(hostname -f 2>/dev/null || hostname))"
|
|
else
|
|
echo "Key already present (local user $(whoami)@$(hostname -f 2>/dev/null || hostname))"
|
|
fi
|
|
}
|
|
|
|
run_add_key_remote() {
|
|
local -a ssh_cmd=("$@")
|
|
"${ssh_cmd[@]}" bash -s <<EOF
|
|
set -euo pipefail
|
|
KEY_FINGERPRINT='${KEY_FINGERPRINT}'
|
|
KEY_LINE='${SSH_KEY}'
|
|
AUTH="\${HOME}/.ssh/authorized_keys"
|
|
mkdir -p "\${HOME}/.ssh"
|
|
chmod 700 "\${HOME}/.ssh"
|
|
touch "\${AUTH}"
|
|
chmod 600 "\${AUTH}"
|
|
if ! grep -qF "\${KEY_FINGERPRINT}" "\${AUTH}" 2>/dev/null; then
|
|
printf '%s\n' "\${KEY_LINE}" >> "\${AUTH}"
|
|
echo "Key added"
|
|
else
|
|
echo "Key already present"
|
|
fi
|
|
EOF
|
|
}
|
|
|
|
if [ "${ADD_KEY_LOCAL:-0}" = "1" ]; then
|
|
echo "ADD_KEY_LOCAL=1: updating authorized_keys for current user only."
|
|
echo "Key: $SSH_KEY"
|
|
echo "Host: $(hostname) (${USER})"
|
|
add_key_to_current_user
|
|
exit 0
|
|
fi
|
|
|
|
if [ "${LAN_DIRECT:-0}" = "1" ]; then
|
|
echo "LAN_DIRECT=1: direct SSH on LAN (no ProxyJump / no bastion hostname)."
|
|
echo "Key: $SSH_KEY"
|
|
echo "User: ${BACKEND_USER}"
|
|
if [ -n "${EXTRA_LAN_IPS:-}" ]; then
|
|
# shellcheck disable=SC2206
|
|
extra_ips=( ${EXTRA_LAN_IPS} )
|
|
LAN_IPS+=( "${extra_ips[@]}" )
|
|
fi
|
|
for ip in "${LAN_IPS[@]}"; do
|
|
echo ""
|
|
echo "Processing: ${BACKEND_USER}@${ip}"
|
|
run_add_key_remote ssh "${SSH_OPTS[@]}" "${BACKEND_USER}@${ip}"
|
|
done
|
|
echo ""
|
|
echo "SSH key addition completed (LAN direct)."
|
|
exit 0
|
|
fi
|
|
|
|
echo "Adding SSH key to all servers (bastion + ProxyJump)..."
|
|
echo "Key: $SSH_KEY"
|
|
echo "Jump: $JUMP"
|
|
echo ""
|
|
|
|
echo "Processing bastion (proxy): ${JUMP}"
|
|
run_add_key_remote ssh "${SSH_OPTS[@]}" "$JUMP"
|
|
echo ""
|
|
|
|
for ip in "${BACKEND_IPS[@]}"; do
|
|
echo "Processing backend: ${BACKEND_USER}@${ip} (via ${JUMP})"
|
|
run_add_key_remote ssh "${SSH_OPTS[@]}" -J "$JUMP" "${BACKEND_USER}@${ip}"
|
|
echo ""
|
|
done
|
|
|
|
echo "SSH key addition completed for bastion and all listed backends."
|