HCoop / clinton / scripts.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
create-user: Make .domtool symlink with correct ownership
[clinton/scripts.git] / create-user
... / ...
CommitLineData
1#!/bin/bash -ex
2
3# MUST be executed:
4# - on deleuze
5# - as a user with an /etc/sudoers line
6# - member of "wheel" unix group on deleuze
7# - while holding tickets for a user who can 'ssh -K' to mire
8# - and is a member of "wheel" on mire
9# - while holding tokens for a user who is:
10# - a member of system:administrator
11# - listed in 'bos listusers deleuze'
12# - and who has been set up with Domtool admin privileges by:
13# - running 'domtool-adduser $USER' while holding AFS admin tokens as
14# someone who is already a Domtool admin
15# - running 'domtool-admin grant $USER priv all' as someone who is already a
16# Domtool admin
17# (To bootstrap yourself into admindom:
18# 1. Run '/etc/init.d/domtool-server stop' on deleuze.
19# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
20# (e.g., mire).
21# 3. Edit ~domtool/acl, following the example of adamc_admin to grant
22# yourself 'priv all'.
23# 4. Run '/etc/init.d/domtool-server start' on deleuze.
24# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
25# machines.
26# 6. Run 'domtool-adduser' as above.)
27
28USER=$1
29
30export PATH=$PATH:/afs/hcoop.net/common/bin/
31
32if test -z "$USER"; then
33 echo "Invoke as create-user <USERNAME>"
34 exit 1
35fi
36
37#
38# Helper functions
39#
40
41# Run a command on both mire and deleuze; assumes that no escaping is
42# needed.
43function mire_and_deleuze() {
44 $*
45 ssh mire.hcoop.net $*
46}
47
48#
49# Kerberos principals
50# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
51#
52
53# We use -randkey for user's main principal as well, to make sure that
54# the creation process does not continue without having a main
55# principal. (But you who want to set password for a user, don't
56# worry - we'll invoke cpw later, so that it has the same effect
57# as setting password right now - while it is more error tolerant).
58
59sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
60sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
61sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
62
63#
64# Create AFS users corresponding to krb5 principals.
65# (fred/cgi principal == fred.cgi AFS user)
66#
67
68pts cu $USER || true
69ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
70pts cu $USER.daemon || true
71ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
72
73
74#
75# Construct various paths for later perusal.
76#
77
78# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
79PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
80HOMEPATH=/afs/hcoop.net/user/$PATHBITS
81MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
82DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
83PGDIR=$DBPATH/postgres
84MYSQLDIR=$DBPATH/mysql
85
86
87#
88# Create LDAP entries. (With the whole libnss-ptdb, I kind of
89# lost the idea of what I want to do with LDAP, but we'll
90# see with time how well it integrates...)
91# The ID returned from AFS is important here, we want to make
92# sure those IDs match.
93#
94
95# USER entry
96echo "
97dn: uid=$USER,ou=People,dc=hcoop,dc=net
98objectClass: top
99objectClass: person
100objectClass: posixAccount
101cn: $USER
102uid: $USER
103gidNumber: $ID
104sn: $USER
105host: abulafia
106host: mire
107
108dn: cn=$USER,ou=Group,dc=hcoop,dc=net
109objectClass: top
110objectClass: posixGroup
111cn: $USER
112gidNumber: $ID
113memberUid: $USER
114" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
115
116# USER.daemon entry
117echo "
118dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
119objectClass: top
120objectClass: person
121objectClass: posixAccount
122cn: $USER.daemon
123uid: $USER.daemon
124gidNumber: $ID_DAEMON
125sn: $USER.daemon
126
127dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
128objectClass: top
129objectClass: posixGroup
130cn: $USER.daemon
131gidNumber: $ID_DAEMON
132memberUid: $USER.daemon
133" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
134
135
136#
137# Export .mailfilter and .cgi keys to a keytab file
138#
139
140# create a daemon keytab (used by /etc/exim4/get-token)
141# *only* if it does not exist!
142test -e /etc/keytabs/user.daemon/$USER || \
143 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
144
145# Properly chown/mod keytab files (must be $USER:www-data)
146sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
147sudo chmod 440 /etc/keytabs/user.daemon/$USER
148
149# rsync keytabs to mire
150(cd /etc/keytabs
151 sudo tar clpf - user.daemon/$USER | \
152 ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
153
154#
155# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
156#
157
158# HOME VOLUME
159vos examine user.$USER 2>/dev/null || \
160 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
161mkdir -p `dirname $HOMEPATH`
162fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
163chown $USER:nogroup $HOMEPATH
164fs sa $HOMEPATH $USER all
165fs sa $HOMEPATH system:anyuser l
166
167# Apache logs
168mkdir -p $HOMEPATH/.logs
169chown $USER:nogroup $HOMEPATH/.logs
170mkdir -p $HOMEPATH/.logs/apache
171chown $USER:nogroup $HOMEPATH/.logs/apache
172fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
173mkdir -p $HOMEPATH/.logs/mail
174fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
175chown $USER:nogroup $HOMEPATH/.logs/mail
176
177# public_html
178mkdir -p $HOMEPATH/public_html
179chown $USER:nogroup $HOMEPATH/public_html
180fs sa $HOMEPATH/public_html system:anyuser rl
181
182# .procmail.d
183mkdir -p $HOMEPATH/.procmail.d
184chown $USER:nogroup $HOMEPATH/.procmail.d
185fs sa $HOMEPATH/.procmail.d system:anyuser rl
186
187# .public
188mkdir -p $HOMEPATH/.public/
189chown $USER:nogroup $HOMEPATH/.public
190fs sa $HOMEPATH/.public system:anyuser rl
191
192# .domtool
193mkdir -p $HOMEPATH/.public/.domtool
194chown $USER:nogroup $HOMEPATH/.public/.domtool
195test -e $HOMEPATH/.domtool || \
196 test -L $HOMEPATH/.domtool || \
197 sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
198
199# Gitweb hosting
200test -L /var/cache/git/$USER || \
201 sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
202
203# MAIL VOLUME
204vos examine mail.$USER 2>/dev/null || \
205 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
206mkdir -p `dirname $MAILPATH`
207fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
208fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
209chown $USER:nogroup $MAILPATH
210chown $USER:nogroup $HOMEPATH/Maildir
211fs sa $MAILPATH $USER all
212fs sa $MAILPATH $USER.daemon all
213if test ! -e $MAILPATH/new; then
214 mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
215 echo -e "This email account is provided as a service for HCoop members." \
216 "\n\nTo learn how to use it, please visit the page" \
217 "\n<http://wiki2.hcoop.net/MemberManual/Email> on our website."| \
218 mail -s "Welcome to your HCoop email store" \
219 -e -a "From: postmaster@hcoop.net" \
220 real-$USER
221fi
222chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
223
224# Set up shared SpamAssassin folder
225if test -f $HOMEPATH/Maildir/shared-maildirs; then
226 # Deal with case where user rsync'd their Maildir from fyodor
227 pattern='^SpamAssassin /home/spamd'
228 file=$HOMEPATH/Maildir/shared-maildirs
229 if grep $pattern $file; then
230 sed -i -r -e \
231 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
232 $file
233 fi
234else
235 maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
236 $HOMEPATH/Maildir
237fi
238
239# DATABASE VOLUME
240if ! vos examine db.$USER >/dev/null 2>/dev/null; then
241 mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
242 vos create -server afs -partition a -name db.$USER -maxquota 400000
243 fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
244 vos release common.databases
245 fs sa -dir $DBPATH -acl system:postgres l
246 fs sa -dir $DBPATH -acl system:mysql l
247 fs sa -dir $DBPATH -acl system:backup rl
248fi
249
250# Create postgres user and tablespace placeholder within volume
251if ! test -d $PGDIR; then
252 mkdir -p $PGDIR
253 chown postgres:postgres $PGDIR
254 fs sa -dir $PGDIR -acl system:postgres write
255
256 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
257fi
258
259# Create mysql user and databases placeholder within volume
260mkdir -p $MYSQLDIR
261chown mysql:mysql $MYSQLDIR
262fs sa -dir $MYSQLDIR -acl system:mysql write
263
264
265#
266# Mount points for backup volumes
267#
268
269mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
270mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
271fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
272 fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
273fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
274 fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
275vos release old
276
277# technically this might not be necessary, but for good measure...
278vos syncserv deleuze
279vos syncvldb deleuze
280
281# refresh volume location cache (takes ~2hrs otherwise)
282mire_and_deleuze fs checkvolumes
283
284#
285# Non-AFS files and directories
286#
287
288# Make per-user apache DAV lock directory -- the directory must be
289# both user and group-writable, which is silly.
290mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
291mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
292mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
293
294#
295# Domtool integration
296#
297
298domtool-adduser $USER
299
300#
301# Subscribe user to our mailing lists.
302#
303echo $USER@hcoop.net | sudo -u list \
304 /var/lib/mailman/bin/add_members -r - hcoop-announce
Unnamed repository; edit this file to name it for gitweb.