|
3 | 3 | [](https://github.com/locus313/ssh-key-sync/actions) |
4 | 4 | [](LICENSE) |
5 | 5 | [](https://www.gnu.org/software/bash/) |
6 | | -[](https://github.com/locus313/ssh-key-sync/releases) |
| 6 | +[](https://github.com/locus313/ssh-key-sync/releases) |
7 | 7 |
|
8 | 8 | *Synchronize SSH authorized_keys for multiple users from various sources* |
9 | 9 |
|
@@ -244,6 +244,9 @@ For accessing private repositories, you'll need a GitHub Personal Access Token: |
244 | 244 |
|
245 | 245 | ## Automation |
246 | 246 |
|
| 247 | +> [!NOTE] |
| 248 | +> The script loads `users.conf` from the same directory as `sync-ssh-keys.sh`. When deploying to a path like `/opt/ssh-key-sync/`, ensure `users.conf` is placed in that same directory. |
| 249 | +
|
247 | 250 | ### Production Deployment with Cron |
248 | 251 |
|
249 | 252 | Set up automated synchronization for production environments: |
@@ -282,8 +285,8 @@ Create a robust systemd service with automatic restart and monitoring: |
282 | 285 | # Security settings |
283 | 286 | NoNewPrivileges=true |
284 | 287 | ProtectSystem=strict |
285 | | - ProtectHome=true |
286 | | - ReadWritePaths=/home /root |
| 288 | + ProtectHome=true # Makes home directories inaccessible by default |
| 289 | + ReadWritePaths=/home /root # Re-opens /home and /root so the script can write authorized_keys |
287 | 290 |
|
288 | 291 | [Install] |
289 | 292 | WantedBy=multi-user.target |
@@ -340,9 +343,12 @@ jobs: |
340 | 343 |
|
341 | 344 | - name: Sync SSH keys on target servers |
342 | 345 | run: | |
| 346 | + # Add the server's host key to known_hosts before connecting |
| 347 | + mkdir -p ~/.ssh |
| 348 | + ssh-keyscan -H "${{ secrets.SERVER_HOST }}" >> ~/.ssh/known_hosts |
343 | 349 | # Download and run ssh-key-sync |
344 | 350 | curl -fsSL https://raw.githubusercontent.com/locus313/ssh-key-sync/main/sync-ssh-keys.sh | \ |
345 | | - ssh -o StrictHostKeyChecking=no deploy@${{ secrets.SERVER_HOST }} 'cat > sync-ssh-keys.sh && chmod +x sync-ssh-keys.sh && sudo ./sync-ssh-keys.sh' |
| 351 | + ssh deploy@${{ secrets.SERVER_HOST }} 'cat > sync-ssh-keys.sh && chmod +x sync-ssh-keys.sh && sudo ./sync-ssh-keys.sh' |
346 | 352 | env: |
347 | 353 | GITHUB_TOKEN: ${{ secrets.SSH_SYNC_TOKEN }} |
348 | 354 | ``` |
@@ -544,9 +550,6 @@ bash -n sync-ssh-keys.sh |
544 | 550 |
|
545 | 551 | # With ShellCheck (recommended) |
546 | 552 | shellcheck sync-ssh-keys.sh |
547 | | - |
548 | | -# Test with dry-run mode (if implemented) |
549 | | -./sync-ssh-keys.sh --dry-run |
550 | 553 | ``` |
551 | 554 |
|
552 | 555 | ### Test Coverage |
|
0 commit comments