Check in new re-create-all-users script
[clinton/scripts.git] / create-user
CommitLineData
d2462e94 1#!/bin/bash -ex
2
3# MUST be executed:
4# - on deleuze
5# - as a user with an /etc/sudoers line
64f69c08 6# - member of "wheel" unix group on deleuze
78725790 7# - while holding tickets for a user who can 'ssh -K' to mire
64f69c08 8# - and is a member of "wheel" on mire
d2462e94 9# - while holding tokens for a user who is:
10# - a member of system:administrator
11# - listed in 'bos listusers deleuze'
12
13USER=$1
14
15if test -z "$USER"; then
16 echo "Invoke as create-user <USERNAME>"
17 exit 1
18fi
19
20
21#
22# Kerberos principals
23# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
24#
25
26# We use -randkey for user's main principal as well, to make sure that
27# the creation process does not continue without having a main
28# principal. (But you who want to set password for a user, don't
29# worry - we'll invoke cpw later, so that it has the same effect
30# as setting password right now - while it is more error tolerant).
31
52e2a5b3 32sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
33sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET"
34sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET"
d2462e94 35
36#
37# Create AFS users corresponding to krb5 principals.
38# (fred/cgi principal == fred.cgi AFS user)
39#
40
41pts cu $USER || true
42ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
43pts cu $USER.mailfilter $ID_MF || true
44ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
45pts cu $USER.cgi || true
46ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
47
48
49#
50# Construct various paths for later perusal.
51#
52
53# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
54PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
55HOMEPATH=/afs/hcoop.net/user/$PATHBITS
56MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
64f69c08 57DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
d2462e94 58PGDIR=$DBPATH/postgres
59MYSQLDIR=$DBPATH/mysql
60
61
62#
63# Create LDAP entries. (With the whole libnss-ptdb, I kind of
64# lost the idea of what I want to do with LDAP, but we'll
65# see with time how well it integrates...)
66# The ID returned from AFS is important here, we want to make
67# sure those IDs match.
68#
69
70# USER entry
71echo "
72dn: uid=$USER,ou=People,dc=hcoop,dc=net
73objectClass: top
74objectClass: person
75objectClass: posixAccount
76cn: $USER
77uid: $USER
78gidNumber: $ID
d2462e94 79sn: $USER
80host: abulafia
81host: mire
82
83dn: cn=$USER,ou=Group,dc=hcoop,dc=net
84objectClass: top
85objectClass: posixGroup
86cn: $USER
87gidNumber: $ID
88memberUid: $USER
0963ebc5 89" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
d2462e94 90
91# USER.mailfilter entry
92echo "
93dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
94objectClass: top
95objectClass: person
96objectClass: posixAccount
97cn: $USER.mailfilter
98uid: $USER.mailfilter
99gidNumber: $ID_MF
d2462e94 100sn: $USER.mailfilter
101
102dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
103objectClass: top
104objectClass: posixGroup
105cn: $USER.mailfilter
106gidNumber: $ID_MF
107memberUid: $USER.mailfilter
0963ebc5 108" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
d2462e94 109
110# USER.cgi entry
111echo "
112dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
113objectClass: top
114objectClass: person
115objectClass: posixAccount
116cn: $USER.cgi
117uid: $USER.cgi
118gidNumber: $ID_CGI
d2462e94 119sn: $USER.cgi
120
121dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
122objectClass: top
123objectClass: posixGroup
124cn: $USER.cgi
125gidNumber: $ID_CGI
126memberUid: $USER.cgi
0963ebc5 127" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
d2462e94 128
129
130#
131# Export .mailfilter and .cgi keys to a keytab file
132#
133
134# create a mailfilter keytab (used by /etc/exim4/get-token)
135sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
7a7e31c9 136
d2462e94 137# create a cgi keytab
138sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
139
140# Properly chown/mod keytab files (www-data must own the cgi keytab)
141sudo chown www-data:wheel /etc/keytabs/cgi/$USER
142sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
143sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
144
7a7e31c9 145# rsync keytabs to mire
146rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
d2462e94 147
148#
149# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
150#
151
152# HOME VOLUME
0963ebc5 153vos examine user.$USER 2>/dev/null || \
154 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
d2462e94 155mkdir -p `dirname $HOMEPATH`
ef64fd5f 156fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
d2462e94 157chown $USER $HOMEPATH
158fs sa $HOMEPATH $USER all
159fs sa $HOMEPATH system:anyuser rl
160
161# Apache logs
162mkdir -p $HOMEPATH/logs/apache
163fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
164
7a7e31c9 165# public_html
05033b52 166mkdir -p $HOMEPATH/public_html/
7a7e31c9 167fs sa $HOMEPATH/public_html system:anyuser rl
05033b52 168mkdir -p $HOMEPATH/.procmail.d/
169fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
7a7e31c9 170
d2462e94 171# MAIL VOLUME
0963ebc5 172vos examine mail.$USER 2>/dev/null || \
173 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
d2462e94 174mkdir -p `dirname $MAILPATH`
ef64fd5f 175fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
176fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
d2462e94 177fs sa $MAILPATH $USER all
178fs sa $MAILPATH $USER.mailfilter all
179
180# DATABASE VOLUME
181if ! vos examine db.$USER >/dev/null 2>/dev/null; then
182 mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
183 vos create -server afs -partition a -name db.$USER -maxquota 400000
184 fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
185 vos release common.databases
186 fs sa -dir $DBPATH -acl system:postgres l
187 fs sa -dir $DBPATH -acl system:mysql l
188 fs sa -dir $DBPATH -acl system:backup rl
189fi
190
191# Create postgres user and tablespace placeholder within volume
192if ! [ -d $PGDIR ]; then
193 mkdir -p $PGDIR
194 chown postgres:postgres $PGDIR
195 fs sa -dir $PGDIR -acl system:postgres write
196
197 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
198fi
199
200# Create mysql user and databases placeholder within volume
201mkdir -p $MYSQLDIR
202chown mysql:mysql $MYSQLDIR
203fs sa -dir $MYSQLDIR -acl system:mysql write
204
205
206#
207# Mount points for backup volumes
208#
209
210mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
211mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
ef64fd5f 212fs ls /afs/hcoop.net/old/user/$PATHBITS || \
0963ebc5 213 fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
ef64fd5f 214fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
0963ebc5 215 fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
d2462e94 216
7fe272af 217# technically this might not be necessary, but for good measure...
d2462e94 218vos syncserv deleuze
219vos syncvldb deleuze
7fe272af 220
221# refresh volume location cache (takes ~2hrs otherwise)
d2462e94 222fs checkvolumes
7fe272af 223ssh mire.hcoop.net fs checkvolumes
d2462e94 224
e8f64a1b 225# Technically this is not idempotent. This is not *too* bad because
226# of the fact that in AFS non-system:administrators users can't change
227# the group/owner of a file anyways. However, users still might want
228# to know which other users created certain files (in, say, a dropbox
229# or something like that). FIMXE.
230chown -R $USER:nogroup $HOMEPATH
231chown -R $USER:nogroup $MAILPATH