| 1 | #!/bin/bash -ex |
| 2 | |
| 3 | # MUST be executed: |
| 4 | # - on deleuze |
| 5 | # - as a user with an /etc/sudoers line |
| 6 | # - member of "wheel" unix group on deleuze |
| 7 | # - while holding tickets for a user who can 'ssh -K' to mire |
| 8 | # - and is a member of "wheel" on mire |
| 9 | # - while holding tokens for a user who is: |
| 10 | # - a member of system:administrator |
| 11 | # - listed in 'bos listusers deleuze' |
| 12 | # - and who has been set up with Domtool admin privileges by: |
| 13 | # - running 'domtool-adduser $USER' while holding AFS admin tokens as |
| 14 | # someone who is already a Domtool admin |
| 15 | # - running 'domtool-admin grant $USER priv all' as someone who is already a |
| 16 | # Domtool admin |
| 17 | # (To bootstrap yourself into admindom: |
| 18 | # 1. Run '/etc/init.d/domtool-server stop' on deleuze. |
| 19 | # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines |
| 20 | # (e.g., mire). |
| 21 | # 3. Edit ~domtool/acl, following the example of adamc_admin to grant |
| 22 | # yourself 'priv all'. |
| 23 | # 4. Run '/etc/init.d/domtool-server start' on deleuze. |
| 24 | # 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave |
| 25 | # machines. |
| 26 | # 6. Run 'domtool-adduser' as above.) |
| 27 | |
| 28 | USER=$1 |
| 29 | |
| 30 | export PATH=$PATH:/afs/hcoop.net/common/bin/ |
| 31 | |
| 32 | if test -z "$USER"; then |
| 33 | echo "Invoke as create-user <USERNAME>" |
| 34 | exit 1 |
| 35 | fi |
| 36 | |
| 37 | # |
| 38 | # Helper functions |
| 39 | # |
| 40 | |
| 41 | # Run a command on both mire and deleuze; assumes that no escaping is |
| 42 | # needed. |
| 43 | function mire_and_deleuze() { |
| 44 | $* |
| 45 | ssh -K mire.hcoop.net $* |
| 46 | } |
| 47 | |
| 48 | function execute_on_fritz () { |
| 49 | ssh -K fritz.hcoop.net $* |
| 50 | } |
| 51 | |
| 52 | function execute_on_all_machines () { |
| 53 | $* |
| 54 | ssh -K mire.hcoop.net $* |
| 55 | ssh -K hopper.hcoop.net $* |
| 56 | ssh -K fritz.hcoop.net $* |
| 57 | } |
| 58 | |
| 59 | # |
| 60 | # Kerberos principals |
| 61 | # (creat kerberos principals: fred, fred/cgi, fred/mailfilter) |
| 62 | # |
| 63 | |
| 64 | # We use -randkey for user's main principal as well, to make sure that |
| 65 | # the creation process does not continue without having a main |
| 66 | # principal. (But you who want to set password for a user, don't |
| 67 | # worry - we'll invoke cpw later, so that it has the same effect |
| 68 | # as setting password right now - while it is more error tolerant). |
| 69 | |
| 70 | sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET" |
| 71 | sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET" |
| 72 | sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET" |
| 73 | |
| 74 | # |
| 75 | # Create AFS users corresponding to krb5 principals. |
| 76 | # (fred/cgi principal == fred.cgi AFS user) |
| 77 | # |
| 78 | |
| 79 | pts cu $USER || true |
| 80 | ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` |
| 81 | pts cu $USER.daemon || true |
| 82 | ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` |
| 83 | |
| 84 | |
| 85 | # |
| 86 | # Construct various paths for later perusal. |
| 87 | # |
| 88 | |
| 89 | # (If it's not clear, for user fred, PATHBITS = f/fr/fred) |
| 90 | PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER |
| 91 | HOMEPATH=/afs/hcoop.net/user/$PATHBITS |
| 92 | MAILPATH=/afs/hcoop.net/common/email/$PATHBITS |
| 93 | |
| 94 | # |
| 95 | # Create LDAP entries. (With the whole libnss-ptdb, I kind of |
| 96 | # lost the idea of what I want to do with LDAP, but we'll |
| 97 | # see with time how well it integrates...) |
| 98 | # The ID returned from AFS is important here, we want to make |
| 99 | # sure those IDs match. |
| 100 | # |
| 101 | |
| 102 | # USER entry |
| 103 | echo " |
| 104 | dn: uid=$USER,ou=People,dc=hcoop,dc=net |
| 105 | objectClass: top |
| 106 | objectClass: person |
| 107 | objectClass: posixAccount |
| 108 | cn: $USER |
| 109 | uid: $USER |
| 110 | gidNumber: $ID |
| 111 | sn: $USER |
| 112 | host: abulafia |
| 113 | host: mire |
| 114 | |
| 115 | dn: cn=$USER,ou=Group,dc=hcoop,dc=net |
| 116 | objectClass: top |
| 117 | objectClass: posixGroup |
| 118 | cn: $USER |
| 119 | gidNumber: $ID |
| 120 | memberUid: $USER |
| 121 | " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true |
| 122 | |
| 123 | # USER.daemon entry |
| 124 | echo " |
| 125 | dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net |
| 126 | objectClass: top |
| 127 | objectClass: person |
| 128 | objectClass: posixAccount |
| 129 | cn: $USER.daemon |
| 130 | uid: $USER.daemon |
| 131 | gidNumber: $ID_DAEMON |
| 132 | sn: $USER.daemon |
| 133 | |
| 134 | dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net |
| 135 | objectClass: top |
| 136 | objectClass: posixGroup |
| 137 | cn: $USER.daemon |
| 138 | gidNumber: $ID_DAEMON |
| 139 | memberUid: $USER.daemon |
| 140 | " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true |
| 141 | |
| 142 | |
| 143 | # |
| 144 | # Export .mailfilter and .cgi keys to a keytab file |
| 145 | # |
| 146 | |
| 147 | # create a daemon keytab (used by /etc/exim4/get-token) |
| 148 | # *only* if it does not exist! |
| 149 | test -e /etc/keytabs/user.daemon/$USER || \ |
| 150 | sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET" |
| 151 | |
| 152 | # Properly chown/mod keytab files (must be $USER:www-data) |
| 153 | sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER |
| 154 | sudo chmod 440 /etc/keytabs/user.daemon/$USER |
| 155 | |
| 156 | # rsync keytabs |
| 157 | (cd /etc/keytabs |
| 158 | sudo tar clpf - user.daemon/$USER | \ |
| 159 | ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) |
| 160 | (cd /etc/keytabs |
| 161 | sudo tar clpf - user.daemon/$USER | \ |
| 162 | ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) |
| 163 | |
| 164 | # |
| 165 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) |
| 166 | # |
| 167 | |
| 168 | # HOME VOLUME |
| 169 | if vos examine user.$USER.d 2>/dev/null; then |
| 170 | echo "Reactivating old volume (user.$USER.d)" |
| 171 | vos rename user.$USER.d user.$USER |
| 172 | fi |
| 173 | vos examine user.$USER 2>/dev/null || \ |
| 174 | vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000 |
| 175 | |
| 176 | mkdir -p `dirname $HOMEPATH` |
| 177 | fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER |
| 178 | chown $USER:nogroup $HOMEPATH |
| 179 | fs sa $HOMEPATH $USER all |
| 180 | fs sa $HOMEPATH system:anyuser l |
| 181 | |
| 182 | # Apache logs |
| 183 | mkdir -p $HOMEPATH/.logs |
| 184 | chown $USER:nogroup $HOMEPATH/.logs |
| 185 | mkdir -p $HOMEPATH/.logs/apache |
| 186 | chown $USER:nogroup $HOMEPATH/.logs/apache |
| 187 | fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk |
| 188 | mkdir -p $HOMEPATH/.logs/mail |
| 189 | fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk |
| 190 | chown $USER:nogroup $HOMEPATH/.logs/mail |
| 191 | |
| 192 | # public_html |
| 193 | test -e $HOMEPATH/public_html || \ |
| 194 | (mkdir -p $HOMEPATH/public_html; \ |
| 195 | chown $USER:nogroup $HOMEPATH/public_html; \ |
| 196 | fs sa $HOMEPATH/public_html system:anyuser none; \ |
| 197 | fs sa $HOMEPATH/public_html $USER.daemon rl) |
| 198 | |
| 199 | # .procmail.d |
| 200 | mkdir -p $HOMEPATH/.procmail.d |
| 201 | chown $USER:nogroup $HOMEPATH/.procmail.d |
| 202 | fs sa $HOMEPATH/.procmail.d system:anyuser rl |
| 203 | |
| 204 | # .public |
| 205 | mkdir -p $HOMEPATH/.public/ |
| 206 | chown $USER:nogroup $HOMEPATH/.public |
| 207 | fs sa $HOMEPATH/.public system:anyuser rl |
| 208 | |
| 209 | # .domtool |
| 210 | mkdir -p $HOMEPATH/.public/.domtool |
| 211 | chown $USER:nogroup $HOMEPATH/.public/.domtool |
| 212 | test -e $HOMEPATH/.domtool || \ |
| 213 | test -L $HOMEPATH/.domtool || \ |
| 214 | sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool |
| 215 | |
| 216 | # Gitweb hosting |
| 217 | test -L /var/cache/git/$USER || \ |
| 218 | sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER |
| 219 | |
| 220 | # MAIL VOLUME |
| 221 | if vos examine mail.$USER.d 2>/dev/null; then |
| 222 | echo "Reactivating old volume (mail.$USER.d)" |
| 223 | vos rename mail.$USER.d mail.$USER |
| 224 | fi |
| 225 | vos examine mail.$USER 2>/dev/null || \ |
| 226 | vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000 |
| 227 | |
| 228 | mkdir -p `dirname $MAILPATH` |
| 229 | fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER |
| 230 | fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER |
| 231 | chown $USER:nogroup $MAILPATH |
| 232 | chown $USER:nogroup $HOMEPATH/Maildir |
| 233 | fs sa $MAILPATH $USER all |
| 234 | fs sa $MAILPATH $USER.daemon all |
| 235 | if test ! -e $MAILPATH/new; then |
| 236 | mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp |
| 237 | echo -e "This email account is provided as a service for HCoop members." \ |
| 238 | "\n\nTo learn how to use it, please visit the page" \ |
| 239 | "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \ |
| 240 | mail -s "Welcome to your HCoop email store" \ |
| 241 | -e -a "From: postmaster@hcoop.net" \ |
| 242 | real-$USER |
| 243 | fi |
| 244 | chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp |
| 245 | |
| 246 | # Set up shared SpamAssassin folder |
| 247 | if test -f $HOMEPATH/Maildir/shared-maildirs; then |
| 248 | # Deal with case where user rsync'd their Maildir from fyodor |
| 249 | pattern='^SpamAssassin /home/spamd' |
| 250 | file=$HOMEPATH/Maildir/shared-maildirs |
| 251 | if grep $pattern $file; then |
| 252 | sed -i -r -e \ |
| 253 | 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \ |
| 254 | $file |
| 255 | fi |
| 256 | else |
| 257 | maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \ |
| 258 | $HOMEPATH/Maildir |
| 259 | fi |
| 260 | |
| 261 | # Create database tablespaces |
| 262 | execute_on_fritz /afs/hcoop.net/common/etc/scripts/create-user-database $USER |
| 263 | |
| 264 | # |
| 265 | # Mount points for backup volumes |
| 266 | # |
| 267 | |
| 268 | mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS` |
| 269 | mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS` |
| 270 | fs ls /afs/hcoop.net/.old/user/$PATHBITS || \ |
| 271 | fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup |
| 272 | fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \ |
| 273 | fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup |
| 274 | vos release old |
| 275 | |
| 276 | # technically this might not be necessary, but for good measure... |
| 277 | vos syncserv fritz |
| 278 | vos syncvldb fritz |
| 279 | |
| 280 | # refresh volume location cache (takes ~2hrs otherwise) |
| 281 | execute_on_all_machines fs checkvolumes |
| 282 | |
| 283 | # |
| 284 | # Non-AFS files and directories |
| 285 | # |
| 286 | |
| 287 | # Make per-user apache DAV lock directory -- the directory must be |
| 288 | # both user and group-writable, which is silly. |
| 289 | mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER |
| 290 | mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER |
| 291 | mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER |
| 292 | |
| 293 | # |
| 294 | # Domtool integration |
| 295 | # |
| 296 | |
| 297 | domtool-adduser $USER |
| 298 | |
| 299 | # |
| 300 | # Subscribe user to our mailing lists. |
| 301 | # |
| 302 | echo $USER@hcoop.net | sudo -u list \ |
| 303 | /var/lib/mailman/bin/add_members -r - hcoop-announce |