Initial version of backup-manager.

[clinton/scripts.git] / create-user

#!/bin/bash -ex

# MUST be executed:
#  - on deleuze
#  - as a user with an /etc/sudoers line
#  - member of "wheel" unix group on deleuze
#  - while holding tickets for a user who can 'ssh -K' to mire
#     - and is a member of "wheel" on mire
#  - while holding tokens for a user who is:
#     - a member of system:administrator
#     - listed in 'bos listusers deleuze'
#  - and who has been set up with Domtool admin privileges by:
#     - running 'domtool-adduser $USER' while holding AFS admin tokens as
#       someone who is already a Domtool admin
#     - running 'domtool-admin grant $USER priv all' as someone who is already a
#       Domtool admin
#       (To bootstrap yourself into admindom:
#         1. Run '/etc/init.d/domtool-server stop' on deleuze.
#         2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
#            (e.g., mire).
#         3. Edit ~domtool/acl, following the example of adamc_admin to grant
#             yourself 'priv all'.
#         4. Run '/etc/init.d/domtool-server start' on deleuze.
#         5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
#            machines.
#         6. Run 'domtool-adduser' as above.)

USER=$1

export PATH=$PATH:/afs/hcoop.net/common/bin/

if test -z "$USER"; then
	echo "Invoke as create-user <USERNAME>"
	exit 1
fi

#
# Helper functions
#

# Run a command on both mire and deleuze; assumes that no escaping is
# needed.
function mire_and_deleuze() {
    $*
    ssh mire.hcoop.net $*
}

#
# Kerberos principals
# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
#

# We use -randkey for user's main principal as well, to make sure that
# the creation process does not continue without having a main 
# principal. (But you who want to set password for a user, don't 
# worry - we'll invoke cpw later, so that it has the same effect
# as setting password right now - while it is more error tolerant).

sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"

#
# Create AFS users corresponding to krb5 principals.
# (fred/cgi principal == fred.cgi AFS user)
#

pts cu $USER || true
ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
pts cu $USER.daemon || true
ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`


#
# Construct various paths for later perusal.
#

# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
PGDIR=$DBPATH/postgres
MYSQLDIR=$DBPATH/mysql


#
# Create LDAP entries. (With the whole libnss-ptdb, I kind of
# lost the idea of what I want to do with LDAP, but we'll 
# see with time how well it integrates...)
# The ID returned from AFS is important here, we want to make
# sure those IDs match.
#

# USER entry
echo "
dn: uid=$USER,ou=People,dc=hcoop,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: $USER
uid: $USER
gidNumber: $ID
sn: $USER
host: abulafia
host: mire

dn: cn=$USER,ou=Group,dc=hcoop,dc=net
objectClass: top
objectClass: posixGroup
cn: $USER
gidNumber: $ID
memberUid: $USER
" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true

# USER.daemon entry
echo "
dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: $USER.daemon
uid: $USER.daemon
gidNumber: $ID_DAEMON
sn: $USER.daemon

dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
objectClass: top
objectClass: posixGroup
cn: $USER.daemon
gidNumber: $ID_DAEMON
memberUid: $USER.daemon
" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true


#
# Export .mailfilter and .cgi keys to a keytab file
#

# create a daemon keytab (used by /etc/exim4/get-token)
# *only* if it does not exist!
test -e /etc/keytabs/user.daemon/$USER || \
  sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"

# Properly chown/mod keytab files (must be $USER:www-data)
sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
sudo chmod 440            /etc/keytabs/user.daemon/$USER

# rsync keytabs to mire
(cd /etc/keytabs
   sudo tar clpf - user.daemon/$USER | \
     ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)

#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
#

# HOME VOLUME
vos examine user.$USER 2>/dev/null || \
  vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
mkdir -p `dirname $HOMEPATH`
fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
chown $USER:nogroup $HOMEPATH
fs sa $HOMEPATH $USER            all
fs sa $HOMEPATH system:anyuser   l

# Apache logs
mkdir -p $HOMEPATH/.logs
chown $USER:nogroup $HOMEPATH/.logs
mkdir -p $HOMEPATH/.logs/apache
chown $USER:nogroup $HOMEPATH/.logs/apache
fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
mkdir -p $HOMEPATH/.logs/mail
fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
chown $USER:nogroup $HOMEPATH/.logs/mail

# public_html
mkdir -p $HOMEPATH/public_html
chown $USER:nogroup $HOMEPATH/public_html
# Support privatization of home dirs
#fs sa $HOMEPATH/public_html system:anyuser rl
fs sa $HOMEPATH/public_html $USER.daemon rl

# .procmail.d
mkdir -p $HOMEPATH/.procmail.d
chown $USER:nogroup $HOMEPATH/.procmail.d
fs sa $HOMEPATH/.procmail.d system:anyuser rl

# .public
mkdir -p $HOMEPATH/.public/
chown $USER:nogroup $HOMEPATH/.public
fs sa $HOMEPATH/.public system:anyuser rl

# .domtool
mkdir -p $HOMEPATH/.public/.domtool
chown $USER:nogroup $HOMEPATH/.public/.domtool
test -e $HOMEPATH/.domtool || \
    test -L $HOMEPATH/.domtool || \
        sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool

# Gitweb hosting
test -L /var/cache/git/$USER || \
    sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER

# MAIL VOLUME
vos examine mail.$USER 2>/dev/null || \
  vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
mkdir -p `dirname $MAILPATH`
fs ls $MAILPATH || fs mkm $MAILPATH         mail.$USER
fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
chown $USER:nogroup $MAILPATH
chown $USER:nogroup $HOMEPATH/Maildir
fs sa $MAILPATH $USER        all
fs sa $MAILPATH $USER.daemon all
if test ! -e $MAILPATH/new; then
    mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
    echo -e "This email account is provided as a service for HCoop members." \
        "\n\nTo learn how to use it, please visit the page" \
        "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
        mail -s "Welcome to your HCoop email store" \
            -e -a "From: postmaster@hcoop.net" \
            real-$USER
fi
chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp

# Set up shared SpamAssassin folder
if test -f $HOMEPATH/Maildir/shared-maildirs; then
    # Deal with case where user rsync'd their Maildir from fyodor
    pattern='^SpamAssassin	/home/spamd'
    file=$HOMEPATH/Maildir/shared-maildirs
    if grep $pattern $file; then
        sed -i -r -e \
            's!^(SpamAssassin	)/home/spamd!\1/var/local/lib/spamd!1' \
            $file
    fi
else
    maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
        $HOMEPATH/Maildir
fi

# DATABASE VOLUME
if ! vos examine db.$USER >/dev/null 2>/dev/null; then
  mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
  vos create -server afs -partition a -name db.$USER -maxquota 400000
  fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
  fs sa -dir $DBPATH -acl system:postgres l
  fs sa -dir $DBPATH -acl system:mysql    l
  fs sa -dir $DBPATH -acl system:backup   rl
fi

# Create postgres user and tablespace placeholder within volume
if ! test -d $PGDIR; then
  mkdir -p $PGDIR
  chown postgres:postgres $PGDIR
  fs sa -dir $PGDIR -acl system:postgres write

 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
fi

# Create mysql user and databases placeholder within volume
mkdir -p $MYSQLDIR
chown mysql:mysql $MYSQLDIR
fs sa -dir $MYSQLDIR -acl system:mysql  write

vos release common.databases

#
# Mount points for backup volumes
#

mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
  fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
  fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
vos release old

# technically this might not be necessary, but for good measure...
vos syncserv deleuze
vos syncvldb deleuze

# refresh volume location cache (takes ~2hrs otherwise)
mire_and_deleuze fs checkvolumes

#
# Non-AFS files and directories
#

# Make per-user apache DAV lock directory -- the directory must be
# both user and group-writable, which is silly.
mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER

#
# Domtool integration
#

domtool-adduser $USER

#
# Subscribe user to our mailing lists.
#
echo $USER@hcoop.net | sudo -u list \
    /var/lib/mailman/bin/add_members -r - hcoop-announce