create-user

   1 #!/bin/bash -ex
   2
   3 # MUST be executed:
   4 #  - on deleuze
   5 #  - as a user with an /etc/sudoers line
   6 #  - member of "wheel" unix group on deleuze
   7 #  - while holding tickets for a user who can 'ssh -K' to mire
   8 #     - and is a member of "wheel" on mire
   9 #  - while holding tokens for a user who is:
  10 #     - a member of system:administrator
  11 #     - listed in 'bos listusers deleuze'
  12
  13 USER=$1
  14
  15 export PATH=$PATH:/afs/hcoop.net/common/bin/
  16
  17 if test -z "$USER"; then
  18         echo "Invoke as create-user <USERNAME>"
  19         exit 1
  20 fi
  21
  22 #
  23 # Helper functions
  24 #
  25
  26 # Run a command on both mire and deleuze; assumes that no escaping is
  27 # needed.
  28 function mire_and_deleuze() {
  29     $*
  30     ssh mire.hcoop.net $*
  31 }
  32
  33 #
  34 # Kerberos principals
  35 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
  36 #
  37
  38 # We use -randkey for user's main principal as well, to make sure that
  39 # the creation process does not continue without having a main
  40 # principal. (But you who want to set password for a user, don't
  41 # worry - we'll invoke cpw later, so that it has the same effect
  42 # as setting password right now - while it is more error tolerant).
  43
  44 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
  45 sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
  46 sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
  47
  48 #
  49 # Create AFS users corresponding to krb5 principals.
  50 # (fred/cgi principal == fred.cgi AFS user)
  51 #
  52
  53 pts cu $USER || true
  54 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
  55 pts cu $USER.daemon || true
  56 ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
  57
  58
  59 #
  60 # Construct various paths for later perusal.
  61 #
  62
  63 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
  64 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
  65 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
  66 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
  67 DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
  68 PGDIR=$DBPATH/postgres
  69 MYSQLDIR=$DBPATH/mysql
  70
  71
  72 #
  73 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
  74 # lost the idea of what I want to do with LDAP, but we'll
  75 # see with time how well it integrates...)
  76 # The ID returned from AFS is important here, we want to make
  77 # sure those IDs match.
  78 #
  79
  80 # USER entry
  81 echo "
  82 dn: uid=$USER,ou=People,dc=hcoop,dc=net
  83 objectClass: top
  84 objectClass: person
  85 objectClass: posixAccount
  86 cn: $USER
  87 uid: $USER
  88 gidNumber: $ID
  89 sn: $USER
  90 host: abulafia
  91 host: mire
  92
  93 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
  94 objectClass: top
  95 objectClass: posixGroup
  96 cn: $USER
  97 gidNumber: $ID
  98 memberUid: $USER
  99 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
 100
 101 # USER.daemon entry
 102 echo "
 103 dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
 104 objectClass: top
 105 objectClass: person
 106 objectClass: posixAccount
 107 cn: $USER.daemon
 108 uid: $USER.daemon
 109 gidNumber: $ID_DAEMON
 110 sn: $USER.daemon
 111
 112 dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
 113 objectClass: top
 114 objectClass: posixGroup
 115 cn: $USER.daemon
 116 gidNumber: $ID_DAEMON
 117 memberUid: $USER.daemon
 118 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
 119
 120
 121 #
 122 # Export .mailfilter and .cgi keys to a keytab file
 123 #
 124
 125 # create a daemon keytab (used by /etc/exim4/get-token)
 126 # *only* if it does not exist!
 127 test -e /etc/keytabs/user.daemon/$USER || \
 128   sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
 129
 130 # Properly chown/mod keytab files (must be $USER:www-data)
 131 sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
 132 sudo chmod 440            /etc/keytabs/user.daemon/$USER
 133
 134 # rsync keytabs to mire
 135 (cd /etc/keytabs
 136    sudo tar clpf - user.daemon/$USER | \
 137      ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
 138
 139 #
 140 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
 141 #
 142
 143 # HOME VOLUME
 144 vos examine user.$USER 2>/dev/null || \
 145   vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
 146 mkdir -p `dirname $HOMEPATH`
 147 fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
 148 chown $USER:nogroup $HOMEPATH
 149 fs sa $HOMEPATH $USER            all
 150 fs sa $HOMEPATH system:anyuser   l
 151
 152 # Apache logs
 153 mkdir -p $HOMEPATH/.logs
 154 chown $USER:nogroup $HOMEPATH/.logs
 155 mkdir -p $HOMEPATH/.logs/apache
 156 chown $USER:nogroup $HOMEPATH/.logs/apache
 157 fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
 158 mkdir -p $HOMEPATH/.logs/mail
 159 fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
 160 chown $USER:nogroup $HOMEPATH/.logs/mail
 161
 162 # public_html
 163 mkdir -p $HOMEPATH/public_html
 164 chown $USER:nogroup $HOMEPATH/public_html
 165 fs sa $HOMEPATH/public_html system:anyuser rl
 166
 167 # .procmail.d
 168 mkdir -p $HOMEPATH/.procmail.d
 169 chown $USER:nogroup $HOMEPATH/.procmail.d
 170 fs sa $HOMEPATH/.procmail.d system:anyuser rl
 171
 172 # .public
 173 mkdir -p $HOMEPATH/.public/
 174 chown $USER:nogroup $HOMEPATH/.public
 175 fs sa $HOMEPATH/.public system:anyuser rl
 176
 177 # .domtool
 178 mkdir -p $HOMEPATH/.public/.domtool
 179 chown $USER:nogroup $HOMEPATH/.public/.domtool
 180 test -e $HOMEPATH/.domtool || \
 181     test -L $HOMEPATH/.domtool || \
 182         ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
 183
 184 # MAIL VOLUME
 185 vos examine mail.$USER 2>/dev/null || \
 186   vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
 187 mkdir -p `dirname $MAILPATH`
 188 fs ls $MAILPATH || fs mkm $MAILPATH         mail.$USER
 189 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
 190 chown $USER:nogroup $MAILPATH
 191 chown $USER:nogroup $HOMEPATH/Maildir
 192 fs sa $MAILPATH $USER        all
 193 fs sa $MAILPATH $USER.daemon all
 194
 195 # Set up shared SpamAssassin folder
 196 if test -f $HOMEPATH/Maildir/shared-maildirs; then
 197     # Deal with case where user rsync'd their Maildir from fyodor
 198     pattern='^SpamAssassin      /home/spamd'
 199     file=$HOMEPATH/Maildir/shared-maildirs
 200     if grep $pattern $file; then
 201         sed -i -r -e \
 202             's!^(SpamAssassin   )/home/spamd!\1/var/local/lib/spamd!1' \
 203             $file
 204     fi
 205
 206 # This does not yet seem to be needed, and it triggers an AFS issue,
 207 # so I've commented it out --mwolson.
 208 #
 209 #     NOTIFY=no
 210 #     for dir in $HOMEPATH/Maildir/shared-folders/SpamAssassin/*; do
 211 #         if ! test -d $dir; then
 212 #             NOTIFY=yes
 213 #         else
 214 #             dest=/var/local/lib/spamd/Maildir/.$(basename $dir)
 215 #             if test "$(readlink $dir/shared)" != "$dest"; then
 216 #                 ln -sf $dest $dir/shared
 217 #             fi
 218 #         fi
 219 #     done
 220 #     if test $NOTIFY = yes; then
 221 #         # This is probably going overboard, but oh well
 222 #         echo "$USER needs assistance on their shared spam dir" | \
 223 #             mail -s "[create-user] $USER needs assistance" \
 224 #               -e -a "From: admins@deleuze.hcoop.net" mwolson_admin
 225 #     fi
 226
 227 else
 228     maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
 229         $HOMEPATH/Maildir
 230 fi
 231
 232 # DATABASE VOLUME
 233 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
 234   mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
 235   vos create -server afs -partition a -name db.$USER -maxquota 400000
 236   fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
 237   vos release common.databases
 238   fs sa -dir $DBPATH -acl system:postgres l
 239   fs sa -dir $DBPATH -acl system:mysql    l
 240   fs sa -dir $DBPATH -acl system:backup   rl
 241 fi
 242
 243 # Create postgres user and tablespace placeholder within volume
 244 if ! test -d $PGDIR; then
 245   mkdir -p $PGDIR
 246   chown postgres:postgres $PGDIR
 247   fs sa -dir $PGDIR -acl system:postgres write
 248
 249  sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
 250 fi
 251
 252 # Create mysql user and databases placeholder within volume
 253 mkdir -p $MYSQLDIR
 254 chown mysql:mysql $MYSQLDIR
 255 fs sa -dir $MYSQLDIR -acl system:mysql  write
 256
 257
 258 #
 259 # Mount points for backup volumes
 260 #
 261
 262 mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
 263 mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
 264 fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
 265   fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
 266 fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
 267   fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
 268 vos release old
 269
 270 # technically this might not be necessary, but for good measure...
 271 vos syncserv deleuze
 272 vos syncvldb deleuze
 273
 274 # refresh volume location cache (takes ~2hrs otherwise)
 275 mire_and_deleuze fs checkvolumes
 276
 277 #
 278 # Non-AFS files and directories
 279 #
 280
 281 # Make per-user apache DAV lock directory -- the directory must be
 282 # both user and group-writable, which is silly.
 283 mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
 284 mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
 285 mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
 286
 287 #
 288 # Domtool integration
 289 #
 290
 291 domtool-adduser $USER