Add initial version of sync script (#1)

locus313 · Copilot · web-flow · commit f879bb229032 · 2025-06-22T01:52:21.000-07:00
* Add initial version of sync script

* add per user temp file

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* remove tmp file inside loop

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* add log message function

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* add trap to always clean up temp file

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* check if auth key exists

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* use getent to get user home dir

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* use log_message function

* remove temp file clean as trap is already set

* replace echo with log_message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* Update use of trap

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* replace echo with log_message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* replace echo with log_message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* replace echo with log_message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* replace echo with log_message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* replace echo with log_message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* move user id check

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* remove redundant check

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* set temp file as local variable

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* add brackets

* remove brackets

* remove local

* remove comment

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -0,0 +1,19 @@
+# SSH Key Sync Script
+
+This Bash script pulls `authorized_keys` files from remote URLs and updates SSH access for multiple local users.
+
+## Features
+
+- Pull-based, no Git required
+- Supports multiple users
+- Designed for use with cron or systemd
+
+## Usage
+
+1. Edit the `USER_KEYS` array in `sync-ssh-keys.sh` to define users and their key URLs.
+2. Add to root's crontab:
+
+```cron
+*/15 * * * * /usr/local/bin/sync-ssh-keys.sh >> /var/log/ssh-key-sync.log 2>&1
+```
+
diff --git a/sync-ssh-keys.sh b/sync-ssh-keys.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -euo pipefail
+
+# === Configuration: user -> remote key file URL ===
+declare -A USER_KEYS=(
+  ["ubuntu"]="https://example.com/ssh-keys/ubuntu.authorized_keys"
+  ["devuser"]="https://example.com/ssh-keys/devuser.authorized_keys"
+  ["admin"]="https://example.com/ssh-keys/admin.authorized_keys"
+)
+
+log_message() {
+  local TIMESTAMP
+  TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"
+  echo "$TIMESTAMP: $1"
+}
+
+TMP_FILES=()
+trap 'rm -f "${TMP_FILES[@]}"' EXIT
+for USER in "${!USER_KEYS[@]}"; do
+  TMP_FILE=$(mktemp)
+  TMP_FILES+=("$TMP_FILE")
+  URL="${USER_KEYS[$USER]}"
+  # Ensure user exists
+  if ! id "$USER" &>/dev/null; then
+    log_message "User '$USER' does not exist. Skipping."
+    continue
+  fi
+  USER_HOME=$(getent passwd "$USER" | cut -d: -f6)
+  if [ -z "$USER_HOME" ]; then
+    log_message "Failed to determine home directory for user '$USER'. Skipping."
+    continue
+  fi
+  AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
+  SSH_DIR="$(dirname "$AUTH_KEYS")"
+
+  # Create .ssh directory if it doesn't exist
+  if [ ! -d "$SSH_DIR" ]; then
+    mkdir -p "$SSH_DIR"
+    chown "$USER:$USER" "$SSH_DIR"
+    chmod 700 "$SSH_DIR"
+    log_message "Created .ssh directory for user '$USER'"
+  fi
+
+  # Fetch remote key file
+  if curl -fsSL "$URL" -o "$TMP_FILE"; then
+    if [ ! -f "$AUTH_KEYS" ] || ! cmp -s "$TMP_FILE" "$AUTH_KEYS"; then
+      cp "$TMP_FILE" "$AUTH_KEYS"
+      chown "$USER:$USER" "$AUTH_KEYS"
+      chmod 600 "$AUTH_KEYS"
+      log_message "Updated authorized_keys for user '$USER'"
+    else
+      log_message "No changes for user '$USER'"
+    fi
+  else
+    log_message "Failed to download keys for '$USER' from $URL"
+  fi
+done
