Check in new hcoop-all-db-backup script
[clinton/scripts.git] / create-user
1 #!/bin/bash -ex
2
3 # MUST be executed:
4 # - on deleuze
5 # - as a user with an /etc/sudoers line
6 # - member of "wheel" unix group on deleuze
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - and is a member of "wheel" on mire
9 # - while holding tokens for a user who is:
10 # - a member of system:administrator
11 # - listed in 'bos listusers deleuze'
12
13 USER=$1
14
15 if test -z "$USER"; then
16 echo "Invoke as create-user <USERNAME>"
17 exit 1
18 fi
19
20
21 #
22 # Kerberos principals
23 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
24 #
25
26 # We use -randkey for user's main principal as well, to make sure that
27 # the creation process does not continue without having a main
28 # principal. (But you who want to set password for a user, don't
29 # worry - we'll invoke cpw later, so that it has the same effect
30 # as setting password right now - while it is more error tolerant).
31
32 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
33 sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET"
34 sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET"
35
36 #
37 # Create AFS users corresponding to krb5 principals.
38 # (fred/cgi principal == fred.cgi AFS user)
39 #
40
41 pts cu $USER || true
42 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
43 pts cu $USER.mailfilter $ID_MF || true
44 ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
45 pts cu $USER.cgi || true
46 ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
47
48
49 #
50 # Construct various paths for later perusal.
51 #
52
53 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
54 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
55 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
56 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
57 DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
58 PGDIR=$DBPATH/postgres
59 MYSQLDIR=$DBPATH/mysql
60
61
62 #
63 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
64 # lost the idea of what I want to do with LDAP, but we'll
65 # see with time how well it integrates...)
66 # The ID returned from AFS is important here, we want to make
67 # sure those IDs match.
68 #
69
70 # USER entry
71 echo "
72 dn: uid=$USER,ou=People,dc=hcoop,dc=net
73 objectClass: top
74 objectClass: person
75 objectClass: posixAccount
76 cn: $USER
77 uid: $USER
78 gidNumber: $ID
79 sn: $USER
80 host: abulafia
81 host: mire
82
83 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
84 objectClass: top
85 objectClass: posixGroup
86 cn: $USER
87 gidNumber: $ID
88 memberUid: $USER
89 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
90
91 # USER.mailfilter entry
92 echo "
93 dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
94 objectClass: top
95 objectClass: person
96 objectClass: posixAccount
97 cn: $USER.mailfilter
98 uid: $USER.mailfilter
99 gidNumber: $ID_MF
100 sn: $USER.mailfilter
101
102 dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
103 objectClass: top
104 objectClass: posixGroup
105 cn: $USER.mailfilter
106 gidNumber: $ID_MF
107 memberUid: $USER.mailfilter
108 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
109
110 # USER.cgi entry
111 echo "
112 dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
113 objectClass: top
114 objectClass: person
115 objectClass: posixAccount
116 cn: $USER.cgi
117 uid: $USER.cgi
118 gidNumber: $ID_CGI
119 sn: $USER.cgi
120
121 dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
122 objectClass: top
123 objectClass: posixGroup
124 cn: $USER.cgi
125 gidNumber: $ID_CGI
126 memberUid: $USER.cgi
127 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
128
129
130 #
131 # Export .mailfilter and .cgi keys to a keytab file
132 #
133
134 # create a mailfilter keytab (used by /etc/exim4/get-token)
135 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
136
137 # create a cgi keytab
138 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
139
140 # Properly chown/mod keytab files (www-data must own the cgi keytab)
141 sudo chown www-data:wheel /etc/keytabs/cgi/$USER
142 sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
143 sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
144
145 # rsync keytabs to mire
146 rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
147
148 #
149 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
150 #
151
152 # HOME VOLUME
153 vos examine user.$USER 2>/dev/null || \
154 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
155 mkdir -p `dirname $HOMEPATH`
156 fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
157 chown $USER $HOMEPATH
158 fs sa $HOMEPATH $USER all
159 fs sa $HOMEPATH system:anyuser rl
160
161 # Apache logs
162 mkdir -p $HOMEPATH/logs/apache
163 fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
164
165 # public_html
166 mkdir -p $HOMEPATH/public_html/
167 fs sa $HOMEPATH/public_html system:anyuser rl
168 mkdir -p $HOMEPATH/.procmail.d/
169 fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
170
171 # MAIL VOLUME
172 vos examine mail.$USER 2>/dev/null || \
173 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
174 mkdir -p `dirname $MAILPATH`
175 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
176 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
177 fs sa $MAILPATH $USER all
178 fs sa $MAILPATH $USER.mailfilter all
179
180 # DATABASE VOLUME
181 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
182 mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
183 vos create -server afs -partition a -name db.$USER -maxquota 400000
184 fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
185 vos release common.databases
186 fs sa -dir $DBPATH -acl system:postgres l
187 fs sa -dir $DBPATH -acl system:mysql l
188 fs sa -dir $DBPATH -acl system:backup rl
189 fi
190
191 # Create postgres user and tablespace placeholder within volume
192 if ! [ -d $PGDIR ]; then
193 mkdir -p $PGDIR
194 chown postgres:postgres $PGDIR
195 fs sa -dir $PGDIR -acl system:postgres write
196
197 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
198 fi
199
200 # Create mysql user and databases placeholder within volume
201 mkdir -p $MYSQLDIR
202 chown mysql:mysql $MYSQLDIR
203 fs sa -dir $MYSQLDIR -acl system:mysql write
204
205
206 #
207 # Mount points for backup volumes
208 #
209
210 mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
211 mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
212 fs ls /afs/hcoop.net/old/user/$PATHBITS || \
213 fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
214 fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
215 fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
216
217 # technically this might not be necessary, but for good measure...
218 vos syncserv deleuze
219 vos syncvldb deleuze
220
221 # refresh volume location cache (takes ~2hrs otherwise)
222 fs checkvolumes
223 ssh mire.hcoop.net fs checkvolumes
224
225 # Technically this is not idempotent. This is not *too* bad because
226 # of the fact that in AFS non-system:administrators users can't change
227 # the group/owner of a file anyways. However, users still might want
228 # to know which other users created certain files (in, say, a dropbox
229 # or something like that). FIMXE.
230 chown -R $USER:nogroup $HOMEPATH
231 chown -R $USER:nogroup $MAILPATH