HCoop Git - clinton/scripts.git/blame_incremental

... / ...

Commit	Line	Data
	1	#!/bin/bash -ex
	2
	3	# MUST be executed:
	4	# - on deleuze
	5	# - as a user with an /etc/sudoers line
	6	# - member of "wheel" unix group on deleuze
	7	# - while holding tickets for a user who can 'ssh -K' to mire
	8	# - and is a member of "wheel" on mire
	9	# - while holding tokens for a user who is:
	10	# - a member of system:administrator
	11	# - listed in 'bos listusers deleuze'
	12
	13	USER=$1
	14
	15	if test -z "$USER"; then
	16	echo "Invoke as create-user <USERNAME>"
	17	exit 1
	18	fi
	19
	20
	21	#
	22	# Kerberos principals
	23	# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
	24	#
	25
	26	# We use -randkey for user's main principal as well, to make sure that
	27	# the creation process does not continue without having a main
	28	# principal. (But you who want to set password for a user, don't
	29	# worry - we'll invoke cpw later, so that it has the same effect
	30	# as setting password right now - while it is more error tolerant).
	31
	32	sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
	33	sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET"
	34	sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET"
	35
	36	#
	37	# Create AFS users corresponding to krb5 principals.
	38	# (fred/cgi principal == fred.cgi AFS user)
	39	#
	40
	41	pts cu $USER \|\| true
	42	ID=`pts examine $USER \| head -n1 \| sed 's_., id: __' \| sed 's_,.*__'`
	43	pts cu $USER.mailfilter $ID_MF \|\| true
	44	ID_MF=`pts examine $USER.mailfilter \| head -n1 \| sed 's_., id: __' \| sed 's_,.*__'`
	45	pts cu $USER.cgi \|\| true
	46	ID_CGI=`pts examine $USER.cgi \| head -n1 \| sed 's_., id: __' \| sed 's_,.*__'`
	47
	48
	49	#
	50	# Construct various paths for later perusal.
	51	#
	52
	53	# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
	54	PATHBITS=`echo $USER \| head -c 1`/`echo $USER \| head -c 2`/$USER
	55	HOMEPATH=/afs/hcoop.net/user/$PATHBITS
	56	MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
	57	DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
	58	PGDIR=$DBPATH/postgres
	59	MYSQLDIR=$DBPATH/mysql
	60
	61
	62	#
	63	# Create LDAP entries. (With the whole libnss-ptdb, I kind of
	64	# lost the idea of what I want to do with LDAP, but we'll
	65	# see with time how well it integrates...)
	66	# The ID returned from AFS is important here, we want to make
	67	# sure those IDs match.
	68	#
	69
	70	# USER entry
	71	echo "
	72	dn: uid=$USER,ou=People,dc=hcoop,dc=net
	73	objectClass: top
	74	objectClass: person
	75	objectClass: posixAccount
	76	cn: $USER
	77	uid: $USER
	78	gidNumber: $ID
	79	sn: $USER
	80	host: abulafia
	81	host: mire
	82
	83	dn: cn=$USER,ou=Group,dc=hcoop,dc=net
	84	objectClass: top
	85	objectClass: posixGroup
	86	cn: $USER
	87	gidNumber: $ID
	88	memberUid: $USER
	89	" \| sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \|\| true
	90
	91	# USER.mailfilter entry
	92	echo "
	93	dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
	94	objectClass: top
	95	objectClass: person
	96	objectClass: posixAccount
	97	cn: $USER.mailfilter
	98	uid: $USER.mailfilter
	99	gidNumber: $ID_MF
	100	sn: $USER.mailfilter
	101
	102	dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
	103	objectClass: top
	104	objectClass: posixGroup
	105	cn: $USER.mailfilter
	106	gidNumber: $ID_MF
	107	memberUid: $USER.mailfilter
	108	" \| sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \|\| true
	109
	110	# USER.cgi entry
	111	echo "
	112	dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
	113	objectClass: top
	114	objectClass: person
	115	objectClass: posixAccount
	116	cn: $USER.cgi
	117	uid: $USER.cgi
	118	gidNumber: $ID_CGI
	119	sn: $USER.cgi
	120
	121	dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
	122	objectClass: top
	123	objectClass: posixGroup
	124	cn: $USER.cgi
	125	gidNumber: $ID_CGI
	126	memberUid: $USER.cgi
	127	" \| sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret \|\| true
	128
	129
	130	#
	131	# Export .mailfilter and .cgi keys to a keytab file
	132	#
	133
	134	# create a mailfilter keytab (used by /etc/exim4/get-token)
	135	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
	136
	137	# create a cgi keytab
	138	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
	139
	140	# Properly chown/mod keytab files (www-data must own the cgi keytab)
	141	sudo chown www-data:wheel /etc/keytabs/cgi/$USER
	142	sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
	143	sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
	144
	145	# rsync keytabs to mire
	146	rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
	147
	148	#
	149	# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
	150	#
	151
	152	# HOME VOLUME
	153	vos examine user.$USER 2>/dev/null \|\| \
	154	vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
	155	mkdir -p `dirname $HOMEPATH`
	156	fs ls $HOMEPATH \|\| fs mkm $HOMEPATH user.$USER
	157	chown $USER $HOMEPATH
	158	fs sa $HOMEPATH $USER all
	159	fs sa $HOMEPATH system:anyuser rl
	160
	161	# Apache logs
	162	mkdir -p $HOMEPATH/logs/apache
	163	fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
	164
	165	# public_html
	166	mkdir -p $HOMEPATH/public_html/
	167	fs sa $HOMEPATH/public_html system:anyuser rl
	168	mkdir -p $HOMEPATH/.procmail.d/
	169	fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
	170
	171	# MAIL VOLUME
	172	vos examine mail.$USER 2>/dev/null \|\| \
	173	vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
	174	mkdir -p `dirname $MAILPATH`
	175	fs ls $MAILPATH \|\| fs mkm $MAILPATH mail.$USER
	176	fs ls $HOMEPATH/Maildir \|\| fs mkm $HOMEPATH/Maildir mail.$USER
	177	fs sa $MAILPATH $USER all
	178	fs sa $MAILPATH $USER.mailfilter all
	179
	180	# DATABASE VOLUME
	181	if ! vos examine db.$USER >/dev/null 2>/dev/null; then
	182	mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
	183	vos create -server afs -partition a -name db.$USER -maxquota 400000
	184	fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
	185	vos release common.databases
	186	fs sa -dir $DBPATH -acl system:postgres l
	187	fs sa -dir $DBPATH -acl system:mysql l
	188	fs sa -dir $DBPATH -acl system:backup rl
	189	fi
	190
	191	# Create postgres user and tablespace placeholder within volume
	192	if ! [ -d $PGDIR ]; then
	193	mkdir -p $PGDIR
	194	chown postgres:postgres $PGDIR
	195	fs sa -dir $PGDIR -acl system:postgres write
	196
	197	sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
	198	fi
	199
	200	# Create mysql user and databases placeholder within volume
	201	mkdir -p $MYSQLDIR
	202	chown mysql:mysql $MYSQLDIR
	203	fs sa -dir $MYSQLDIR -acl system:mysql write
	204
	205
	206	#
	207	# Mount points for backup volumes
	208	#
	209
	210	mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
	211	mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
	212	fs ls /afs/hcoop.net/old/user/$PATHBITS \|\| \
	213	fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
	214	fs ls /afs/hcoop.net/old/mail/$PATHBITS \|\| \
	215	fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
	216
	217	# technically this might not be necessary, but for good measure...
	218	vos syncserv deleuze
	219	vos syncvldb deleuze
	220
	221	# refresh volume location cache (takes ~2hrs otherwise)
	222	fs checkvolumes
	223	ssh mire.hcoop.net fs checkvolumes
	224
	225	# Technically this is not idempotent. This is not too bad because
	226	# of the fact that in AFS non-system:administrators users can't change
	227	# the group/owner of a file anyways. However, users still might want
	228	# to know which other users created certain files (in, say, a dropbox
	229	# or something like that). FIMXE.
	230	chown -R $USER:nogroup $HOMEPATH
	231	chown -R $USER:nogroup $MAILPATH