| 1 | #!/bin/bash -ex |
| 2 | |
| 3 | # MUST be executed: |
| 4 | # - on deleuze |
| 5 | # - as a user with an /etc/sudoers line |
| 6 | # - member of "wheel" unix group on deleuze |
| 7 | # - while holding tickets for a user who can 'ssh -K' to mire |
| 8 | # - and is a member of "wheel" on mire |
| 9 | # - while holding tokens for a user who is: |
| 10 | # - a member of system:administrator |
| 11 | # - listed in 'bos listusers deleuze' |
| 12 | |
| 13 | USER=$1 |
| 14 | |
| 15 | export PATH=$PATH:/afs/hcoop.net/common/bin/ |
| 16 | |
| 17 | if test -z "$USER"; then |
| 18 | echo "Invoke as create-user <USERNAME>" |
| 19 | exit 1 |
| 20 | fi |
| 21 | |
| 22 | # |
| 23 | # Helper functions |
| 24 | # |
| 25 | |
| 26 | # Run a command on both mire and deleuze; assumes that no escaping is |
| 27 | # needed. |
| 28 | function mire_and_deleuze() { |
| 29 | $* |
| 30 | ssh mire.hcoop.net $* |
| 31 | } |
| 32 | |
| 33 | # |
| 34 | # Kerberos principals |
| 35 | # (creat kerberos principals: fred, fred/cgi, fred/mailfilter) |
| 36 | # |
| 37 | |
| 38 | # We use -randkey for user's main principal as well, to make sure that |
| 39 | # the creation process does not continue without having a main |
| 40 | # principal. (But you who want to set password for a user, don't |
| 41 | # worry - we'll invoke cpw later, so that it has the same effect |
| 42 | # as setting password right now - while it is more error tolerant). |
| 43 | |
| 44 | sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET" |
| 45 | sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET" |
| 46 | sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET" |
| 47 | |
| 48 | # |
| 49 | # Create AFS users corresponding to krb5 principals. |
| 50 | # (fred/cgi principal == fred.cgi AFS user) |
| 51 | # |
| 52 | |
| 53 | pts cu $USER || true |
| 54 | ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` |
| 55 | pts cu $USER.daemon || true |
| 56 | ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` |
| 57 | |
| 58 | |
| 59 | # |
| 60 | # Construct various paths for later perusal. |
| 61 | # |
| 62 | |
| 63 | # (If it's not clear, for user fred, PATHBITS = f/fr/fred) |
| 64 | PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER |
| 65 | HOMEPATH=/afs/hcoop.net/user/$PATHBITS |
| 66 | MAILPATH=/afs/hcoop.net/common/email/$PATHBITS |
| 67 | DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS |
| 68 | PGDIR=$DBPATH/postgres |
| 69 | MYSQLDIR=$DBPATH/mysql |
| 70 | |
| 71 | |
| 72 | # |
| 73 | # Create LDAP entries. (With the whole libnss-ptdb, I kind of |
| 74 | # lost the idea of what I want to do with LDAP, but we'll |
| 75 | # see with time how well it integrates...) |
| 76 | # The ID returned from AFS is important here, we want to make |
| 77 | # sure those IDs match. |
| 78 | # |
| 79 | |
| 80 | # USER entry |
| 81 | echo " |
| 82 | dn: uid=$USER,ou=People,dc=hcoop,dc=net |
| 83 | objectClass: top |
| 84 | objectClass: person |
| 85 | objectClass: posixAccount |
| 86 | cn: $USER |
| 87 | uid: $USER |
| 88 | gidNumber: $ID |
| 89 | sn: $USER |
| 90 | host: abulafia |
| 91 | host: mire |
| 92 | |
| 93 | dn: cn=$USER,ou=Group,dc=hcoop,dc=net |
| 94 | objectClass: top |
| 95 | objectClass: posixGroup |
| 96 | cn: $USER |
| 97 | gidNumber: $ID |
| 98 | memberUid: $USER |
| 99 | " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true |
| 100 | |
| 101 | # USER.daemon entry |
| 102 | echo " |
| 103 | dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net |
| 104 | objectClass: top |
| 105 | objectClass: person |
| 106 | objectClass: posixAccount |
| 107 | cn: $USER.daemon |
| 108 | uid: $USER.daemon |
| 109 | gidNumber: $ID_DAEMON |
| 110 | sn: $USER.daemon |
| 111 | |
| 112 | dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net |
| 113 | objectClass: top |
| 114 | objectClass: posixGroup |
| 115 | cn: $USER.daemon |
| 116 | gidNumber: $ID_DAEMON |
| 117 | memberUid: $USER.daemon |
| 118 | " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true |
| 119 | |
| 120 | |
| 121 | # |
| 122 | # Export .mailfilter and .cgi keys to a keytab file |
| 123 | # |
| 124 | |
| 125 | # create a daemon keytab (used by /etc/exim4/get-token) |
| 126 | # *only* if it does not exist! |
| 127 | test -e /etc/keytabs/user.daemon/$USER || \ |
| 128 | sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET" |
| 129 | |
| 130 | # Properly chown/mod keytab files (must be $USER:www-data) |
| 131 | sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER |
| 132 | sudo chmod 440 /etc/keytabs/user.daemon/$USER |
| 133 | |
| 134 | # rsync keytabs to mire |
| 135 | (cd /etc/keytabs |
| 136 | sudo tar clpf - user.daemon/$USER | \ |
| 137 | ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) |
| 138 | |
| 139 | # |
| 140 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) |
| 141 | # |
| 142 | |
| 143 | # HOME VOLUME |
| 144 | vos examine user.$USER 2>/dev/null || \ |
| 145 | vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000 |
| 146 | mkdir -p `dirname $HOMEPATH` |
| 147 | fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER |
| 148 | chown $USER:nogroup $HOMEPATH |
| 149 | fs sa $HOMEPATH $USER all |
| 150 | fs sa $HOMEPATH system:anyuser l |
| 151 | |
| 152 | # Apache logs |
| 153 | mkdir -p $HOMEPATH/.logs |
| 154 | chown $USER:nogroup $HOMEPATH/.logs |
| 155 | mkdir -p $HOMEPATH/.logs/apache |
| 156 | chown $USER:nogroup $HOMEPATH/.logs/apache |
| 157 | fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk |
| 158 | mkdir -p $HOMEPATH/.logs/mail |
| 159 | fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk |
| 160 | chown $USER:nogroup $HOMEPATH/.logs/mail |
| 161 | |
| 162 | # public_html |
| 163 | mkdir -p $HOMEPATH/public_html |
| 164 | chown $USER:nogroup $HOMEPATH/public_html |
| 165 | fs sa $HOMEPATH/public_html system:anyuser rl |
| 166 | |
| 167 | # .procmail.d |
| 168 | mkdir -p $HOMEPATH/.procmail.d |
| 169 | chown $USER:nogroup $HOMEPATH/.procmail.d |
| 170 | fs sa $HOMEPATH/.procmail.d system:anyuser rl |
| 171 | |
| 172 | # .public |
| 173 | mkdir -p $HOMEPATH/.public/ |
| 174 | chown $USER:nogroup $HOMEPATH/.public |
| 175 | fs sa $HOMEPATH/.public system:anyuser rl |
| 176 | |
| 177 | # .domtool |
| 178 | mkdir -p $HOMEPATH/.public/.domtool |
| 179 | chown $USER:nogroup $HOMEPATH/.public/.domtool |
| 180 | test -e $HOMEPATH/.domtool || \ |
| 181 | test -L $HOMEPATH/.domtool || \ |
| 182 | ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool |
| 183 | |
| 184 | # MAIL VOLUME |
| 185 | vos examine mail.$USER 2>/dev/null || \ |
| 186 | vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000 |
| 187 | mkdir -p `dirname $MAILPATH` |
| 188 | fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER |
| 189 | fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER |
| 190 | chown $USER:nogroup $MAILPATH |
| 191 | chown $USER:nogroup $HOMEPATH/Maildir |
| 192 | fs sa $MAILPATH $USER all |
| 193 | fs sa $MAILPATH $USER.daemon all |
| 194 | |
| 195 | # Set up shared SpamAssassin folder |
| 196 | if test -f $HOMEPATH/Maildir/shared-maildirs; then |
| 197 | # Deal with case where user rsync'd their Maildir from fyodor |
| 198 | pattern='^SpamAssassin /home/spamd' |
| 199 | file=$HOMEPATH/Maildir/shared-maildirs |
| 200 | if grep $pattern $file; then |
| 201 | sed -i -r -e \ |
| 202 | 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \ |
| 203 | $file |
| 204 | fi |
| 205 | |
| 206 | # This does not yet seem to be needed, and it triggers an AFS issue, |
| 207 | # so I've commented it out --mwolson. |
| 208 | # |
| 209 | NOTIFY=no |
| 210 | for dir in $HOMEPATH/Maildir/shared-folders/SpamAssassin/*; do |
| 211 | if ! test -d $dir; then |
| 212 | NOTIFY=yes |
| 213 | else |
| 214 | dest=/var/local/lib/spamd/Maildir/.$(basename $dir) |
| 215 | if test "$(readlink $dir/shared)" != "$dest"; then |
| 216 | ln -sf $dest $dir/shared |
| 217 | fi |
| 218 | fi |
| 219 | done |
| 220 | if test $NOTIFY = yes; then |
| 221 | # This is probably going overboard, but oh well |
| 222 | echo "$USER needs assistance on their shared spam dir" | \ |
| 223 | pagsh -c mail -s "[create-user] $USER needs assistance" \ |
| 224 | -e -a "From: admins@deleuze.hcoop.net" mwolson_admin |
| 225 | fi |
| 226 | |
| 227 | else |
| 228 | maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \ |
| 229 | $HOMEPATH/Maildir |
| 230 | fi |
| 231 | |
| 232 | # DATABASE VOLUME |
| 233 | if ! vos examine db.$USER >/dev/null 2>/dev/null; then |
| 234 | mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS` |
| 235 | vos create -server afs -partition a -name db.$USER -maxquota 400000 |
| 236 | fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw |
| 237 | vos release common.databases |
| 238 | fs sa -dir $DBPATH -acl system:postgres l |
| 239 | fs sa -dir $DBPATH -acl system:mysql l |
| 240 | fs sa -dir $DBPATH -acl system:backup rl |
| 241 | fi |
| 242 | |
| 243 | # Create postgres user and tablespace placeholder within volume |
| 244 | if ! test -d $PGDIR; then |
| 245 | mkdir -p $PGDIR |
| 246 | chown postgres:postgres $PGDIR |
| 247 | fs sa -dir $PGDIR -acl system:postgres write |
| 248 | |
| 249 | sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1 |
| 250 | fi |
| 251 | |
| 252 | # Create mysql user and databases placeholder within volume |
| 253 | mkdir -p $MYSQLDIR |
| 254 | chown mysql:mysql $MYSQLDIR |
| 255 | fs sa -dir $MYSQLDIR -acl system:mysql write |
| 256 | |
| 257 | |
| 258 | # |
| 259 | # Mount points for backup volumes |
| 260 | # |
| 261 | |
| 262 | mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS` |
| 263 | mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS` |
| 264 | fs ls /afs/hcoop.net/.old/user/$PATHBITS || \ |
| 265 | fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup |
| 266 | fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \ |
| 267 | fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup |
| 268 | vos release old |
| 269 | |
| 270 | # technically this might not be necessary, but for good measure... |
| 271 | vos syncserv deleuze |
| 272 | vos syncvldb deleuze |
| 273 | |
| 274 | # refresh volume location cache (takes ~2hrs otherwise) |
| 275 | mire_and_deleuze fs checkvolumes |
| 276 | |
| 277 | # |
| 278 | # Non-AFS files and directories |
| 279 | # |
| 280 | |
| 281 | # Make per-user apache DAV lock directory -- the directory must be |
| 282 | # both user and group-writable, which is silly. |
| 283 | mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER |
| 284 | mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER |
| 285 | mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER |
| 286 | |
| 287 | # |
| 288 | # Domtool integration |
| 289 | # |
| 290 | |
| 291 | domtool-adduser $USER |