7ad5114d48eccbe3a73d5a5c6acbf6302c6c1ccf
[clinton/scripts.git] / create-user
1 #!/bin/bash -ex
2
3 # MUST be executed:
4 # - on deleuze
5 # - as a user with an /etc/sudoers line
6 # - member of "wheel" unix group on deleuze
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - and is a member of "wheel" on mire
9 # - while holding tokens for a user who is:
10 # - a member of system:administrator
11 # - listed in 'bos listusers deleuze'
12 # - and who has been set up with Domtool admin privileges by:
13 # - running 'domtool-adduser $USER' while holding AFS admin tokens as
14 # someone who is already a Domtool admin
15 # - running 'domtool-admin grant $USER priv all' as someone who is already a
16 # Domtool admin
17 # (To bootstrap yourself into admindom:
18 # 1. Run '/etc/init.d/domtool-server stop' on deleuze.
19 # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
20 # (e.g., mire).
21 # 3. Edit ~domtool/acl, following the example of adamc_admin to grant
22 # yourself 'priv all'.
23 # 4. Run '/etc/init.d/domtool-server start' on deleuze.
24 # 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
25 # machines.
26 # 6. Run 'domtool-adduser' as above.)
27
28 USER=$1
29
30 export PATH=$PATH:/afs/hcoop.net/common/bin/
31
32 if test -z "$USER"; then
33 echo "Invoke as create-user <USERNAME>"
34 exit 1
35 fi
36
37 #
38 # Helper functions
39 #
40
41 # Run a command on both mire and deleuze; assumes that no escaping is
42 # needed.
43 function mire_and_deleuze() {
44 $*
45 ssh mire.hcoop.net $*
46 }
47
48 #
49 # Kerberos principals
50 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
51 #
52
53 # We use -randkey for user's main principal as well, to make sure that
54 # the creation process does not continue without having a main
55 # principal. (But you who want to set password for a user, don't
56 # worry - we'll invoke cpw later, so that it has the same effect
57 # as setting password right now - while it is more error tolerant).
58
59 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
60 sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
61 sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
62
63 #
64 # Create AFS users corresponding to krb5 principals.
65 # (fred/cgi principal == fred.cgi AFS user)
66 #
67
68 pts cu $USER || true
69 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
70 pts cu $USER.daemon || true
71 ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
72
73
74 #
75 # Construct various paths for later perusal.
76 #
77
78 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
79 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
80 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
81 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
82 DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
83 PGDIR=$DBPATH/postgres
84 MYSQLDIR=$DBPATH/mysql
85
86
87 #
88 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
89 # lost the idea of what I want to do with LDAP, but we'll
90 # see with time how well it integrates...)
91 # The ID returned from AFS is important here, we want to make
92 # sure those IDs match.
93 #
94
95 # USER entry
96 echo "
97 dn: uid=$USER,ou=People,dc=hcoop,dc=net
98 objectClass: top
99 objectClass: person
100 objectClass: posixAccount
101 cn: $USER
102 uid: $USER
103 gidNumber: $ID
104 sn: $USER
105 host: abulafia
106 host: mire
107
108 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
109 objectClass: top
110 objectClass: posixGroup
111 cn: $USER
112 gidNumber: $ID
113 memberUid: $USER
114 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
115
116 # USER.daemon entry
117 echo "
118 dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
119 objectClass: top
120 objectClass: person
121 objectClass: posixAccount
122 cn: $USER.daemon
123 uid: $USER.daemon
124 gidNumber: $ID_DAEMON
125 sn: $USER.daemon
126
127 dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
128 objectClass: top
129 objectClass: posixGroup
130 cn: $USER.daemon
131 gidNumber: $ID_DAEMON
132 memberUid: $USER.daemon
133 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
134
135
136 #
137 # Export .mailfilter and .cgi keys to a keytab file
138 #
139
140 # create a daemon keytab (used by /etc/exim4/get-token)
141 # *only* if it does not exist!
142 test -e /etc/keytabs/user.daemon/$USER || \
143 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
144
145 # Properly chown/mod keytab files (must be $USER:www-data)
146 sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
147 sudo chmod 440 /etc/keytabs/user.daemon/$USER
148
149 # rsync keytabs
150 (cd /etc/keytabs
151 sudo tar clpf - user.daemon/$USER | \
152 ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
153 (cd /etc/keytabs
154 sudo tar clpf - user.daemon/$USER | \
155 ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
156
157 #
158 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
159 #
160
161 # HOME VOLUME
162 if vos examine user.$USER.d 2>/dev/null; then
163 echo "Reactivating old volume (user.$USER.d)"
164 vos rename user.$USER.d user.$USER
165 fi
166 vos examine user.$USER 2>/dev/null || \
167 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
168
169 mkdir -p `dirname $HOMEPATH`
170 fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
171 chown $USER:nogroup $HOMEPATH
172 fs sa $HOMEPATH $USER all
173 fs sa $HOMEPATH system:anyuser l
174
175 # Apache logs
176 mkdir -p $HOMEPATH/.logs
177 chown $USER:nogroup $HOMEPATH/.logs
178 mkdir -p $HOMEPATH/.logs/apache
179 chown $USER:nogroup $HOMEPATH/.logs/apache
180 fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
181 mkdir -p $HOMEPATH/.logs/mail
182 fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
183 chown $USER:nogroup $HOMEPATH/.logs/mail
184
185 # public_html
186 test -e $HOMEPATH/public_html || \
187 (mkdir -p $HOMEPATH/public_html; \
188 chown $USER:nogroup $HOMEPATH/public_html; \
189 fs sa $HOMEPATH/public_html system:anyuser none; \
190 fs sa $HOMEPATH/public_html $USER.daemon rl)
191
192 # .procmail.d
193 mkdir -p $HOMEPATH/.procmail.d
194 chown $USER:nogroup $HOMEPATH/.procmail.d
195 fs sa $HOMEPATH/.procmail.d system:anyuser rl
196
197 # .public
198 mkdir -p $HOMEPATH/.public/
199 chown $USER:nogroup $HOMEPATH/.public
200 fs sa $HOMEPATH/.public system:anyuser rl
201
202 # .domtool
203 mkdir -p $HOMEPATH/.public/.domtool
204 chown $USER:nogroup $HOMEPATH/.public/.domtool
205 test -e $HOMEPATH/.domtool || \
206 test -L $HOMEPATH/.domtool || \
207 sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
208
209 # Gitweb hosting
210 test -L /var/cache/git/$USER || \
211 sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
212
213 # MAIL VOLUME
214 if vos examine mail.$USER.d 2>/dev/null; then
215 echo "Reactivating old volume (mail.$USER.d)"
216 vos rename mail.$USER.d mail.$USER
217 fi
218 vos examine mail.$USER 2>/dev/null || \
219 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
220
221 mkdir -p `dirname $MAILPATH`
222 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
223 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
224 chown $USER:nogroup $MAILPATH
225 chown $USER:nogroup $HOMEPATH/Maildir
226 fs sa $MAILPATH $USER all
227 fs sa $MAILPATH $USER.daemon all
228 if test ! -e $MAILPATH/new; then
229 mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
230 echo -e "This email account is provided as a service for HCoop members." \
231 "\n\nTo learn how to use it, please visit the page" \
232 "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
233 mail -s "Welcome to your HCoop email store" \
234 -e -a "From: postmaster@hcoop.net" \
235 real-$USER
236 fi
237 chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
238
239 # Set up shared SpamAssassin folder
240 if test -f $HOMEPATH/Maildir/shared-maildirs; then
241 # Deal with case where user rsync'd their Maildir from fyodor
242 pattern='^SpamAssassin /home/spamd'
243 file=$HOMEPATH/Maildir/shared-maildirs
244 if grep $pattern $file; then
245 sed -i -r -e \
246 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
247 $file
248 fi
249 else
250 maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
251 $HOMEPATH/Maildir
252 fi
253
254 # DATABASE VOLUME
255 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
256 mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
257 vos create -server afs -partition a -name db.$USER -maxquota 400000
258 fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
259 fs sa -dir $DBPATH -acl system:postgres l
260 fs sa -dir $DBPATH -acl system:mysql l
261 fs sa -dir $DBPATH -acl system:backup rl
262 fs sa -dir $DBPATH -acl $USER rl
263 fi
264
265 # Create postgres user and tablespace placeholder within volume
266 if ! test -d $PGDIR; then
267 mkdir -p $PGDIR
268 chown postgres:postgres $PGDIR
269 fs sa -dir $PGDIR -acl system:postgres write
270 fs sa -dir $PGDIR -acl $USER none
271
272 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
273 fi
274
275 # Create mysql user and databases placeholder within volume
276 mkdir -p $MYSQLDIR
277 chown mysql:mysql $MYSQLDIR
278 fs sa -dir $MYSQLDIR -acl system:mysql write
279 fs sa -dir $MYSQLDIR -acl $USER none
280
281 vos release common.databases
282
283 #
284 # Mount points for backup volumes
285 #
286
287 mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
288 mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
289 fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
290 fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
291 fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
292 fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
293 vos release old
294
295 # technically this might not be necessary, but for good measure...
296 vos syncserv deleuze
297 vos syncvldb deleuze
298
299 # refresh volume location cache (takes ~2hrs otherwise)
300 mire_and_deleuze fs checkvolumes
301
302 #
303 # Non-AFS files and directories
304 #
305
306 # Make per-user apache DAV lock directory -- the directory must be
307 # both user and group-writable, which is silly.
308 mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
309 mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
310 mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
311
312 #
313 # Domtool integration
314 #
315
316 domtool-adduser $USER
317
318 #
319 # Subscribe user to our mailing lists.
320 #
321 echo $USER@hcoop.net | sudo -u list \
322 /var/lib/mailman/bin/add_members -r - hcoop-announce