create-user: Run domtool-adduser
[clinton/scripts.git] / create-user
1 #!/bin/bash -ex
2
3 # MUST be executed:
4 # - on deleuze
5 # - as a user with an /etc/sudoers line
6 # - member of "wheel" unix group on deleuze
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - and is a member of "wheel" on mire
9 # - while holding tokens for a user who is:
10 # - a member of system:administrator
11 # - listed in 'bos listusers deleuze'
12
13 USER=$1
14
15 export PATH=$PATH:/afs/hcoop.net/common/bin/
16
17 if test -z "$USER"; then
18 echo "Invoke as create-user <USERNAME>"
19 exit 1
20 fi
21
22 #
23 # Helper functions
24 #
25
26 # Run a command on both mire and deleuze; assumes that no escaping is
27 # needed.
28 function mire_and_deleuze() {
29 $*
30 ssh mire.hcoop.net $*
31 }
32
33 #
34 # Kerberos principals
35 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
36 #
37
38 # We use -randkey for user's main principal as well, to make sure that
39 # the creation process does not continue without having a main
40 # principal. (But you who want to set password for a user, don't
41 # worry - we'll invoke cpw later, so that it has the same effect
42 # as setting password right now - while it is more error tolerant).
43
44 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
45 sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
46 sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
47
48 #
49 # Create AFS users corresponding to krb5 principals.
50 # (fred/cgi principal == fred.cgi AFS user)
51 #
52
53 pts cu $USER || true
54 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
55 pts cu $USER.daemon || true
56 ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
57
58
59 #
60 # Construct various paths for later perusal.
61 #
62
63 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
64 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
65 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
66 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
67 DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
68 PGDIR=$DBPATH/postgres
69 MYSQLDIR=$DBPATH/mysql
70
71
72 #
73 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
74 # lost the idea of what I want to do with LDAP, but we'll
75 # see with time how well it integrates...)
76 # The ID returned from AFS is important here, we want to make
77 # sure those IDs match.
78 #
79
80 # USER entry
81 echo "
82 dn: uid=$USER,ou=People,dc=hcoop,dc=net
83 objectClass: top
84 objectClass: person
85 objectClass: posixAccount
86 cn: $USER
87 uid: $USER
88 gidNumber: $ID
89 sn: $USER
90 host: abulafia
91 host: mire
92
93 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
94 objectClass: top
95 objectClass: posixGroup
96 cn: $USER
97 gidNumber: $ID
98 memberUid: $USER
99 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
100
101 # USER.daemon entry
102 echo "
103 dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
104 objectClass: top
105 objectClass: person
106 objectClass: posixAccount
107 cn: $USER.daemon
108 uid: $USER.daemon
109 gidNumber: $ID_DAEMON
110 sn: $USER.daemon
111
112 dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
113 objectClass: top
114 objectClass: posixGroup
115 cn: $USER.daemon
116 gidNumber: $ID_DAEMON
117 memberUid: $USER.daemon
118 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
119
120
121 #
122 # Export .mailfilter and .cgi keys to a keytab file
123 #
124
125 # create a daemon keytab (used by /etc/exim4/get-token)
126 # *only* if it does not exist!
127 test -e /etc/keytabs/user.daemon/$USER || \
128 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
129
130 # Properly chown/mod keytab files (must be $USER:www-data)
131 sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
132 sudo chmod 440 /etc/keytabs/user.daemon/$USER
133
134 # rsync keytabs to mire
135 (cd /etc/keytabs
136 sudo tar clpf - user.daemon/$USER | \
137 ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
138
139 #
140 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
141 #
142
143 # HOME VOLUME
144 vos examine user.$USER 2>/dev/null || \
145 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
146 mkdir -p `dirname $HOMEPATH`
147 fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
148 chown $USER:nogroup $HOMEPATH
149 fs sa $HOMEPATH $USER all
150 fs sa $HOMEPATH system:anyuser l
151
152 # Apache logs
153 mkdir -p $HOMEPATH/.logs
154 chown $USER:nogroup $HOMEPATH/.logs
155 mkdir -p $HOMEPATH/.logs/apache
156 chown $USER:nogroup $HOMEPATH/.logs/apache
157 fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
158 mkdir -p $HOMEPATH/.logs/mail
159 fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
160 chown $USER:nogroup $HOMEPATH/.logs/mail
161
162 # public_html
163 mkdir -p $HOMEPATH/public_html
164 chown $USER:nogroup $HOMEPATH/public_html
165 fs sa $HOMEPATH/public_html system:anyuser rl
166
167 # .procmail.d
168 mkdir -p $HOMEPATH/.procmail.d
169 chown $USER:nogroup $HOMEPATH/.procmail.d
170 fs sa $HOMEPATH/.procmail.d system:anyuser rl
171
172 # .public
173 mkdir -p $HOMEPATH/.public/
174 chown $USER:nogroup $HOMEPATH/.public
175 fs sa $HOMEPATH/.public system:anyuser rl
176
177 # .domtool
178 mkdir -p $HOMEPATH/.public/.domtool
179 chown $USER:nogroup $HOMEPATH/.public/.domtool
180 test -e $HOMEPATH/.domtool || \
181 test -L $HOMEPATH/.domtool || \
182 ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
183
184 # MAIL VOLUME
185 vos examine mail.$USER 2>/dev/null || \
186 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
187 mkdir -p `dirname $MAILPATH`
188 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
189 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
190 chown $USER:nogroup $MAILPATH
191 chown $USER:nogroup $HOMEPATH/Maildir
192 fs sa $MAILPATH $USER all
193 fs sa $MAILPATH $USER.daemon all
194
195 # Set up shared SpamAssassin folder
196 if test -f $HOMEPATH/Maildir/shared-maildirs; then
197 # Deal with case where user rsync'd their Maildir from fyodor
198 pattern='^SpamAssassin /home/spamd'
199 file=$HOMEPATH/Maildir/shared-maildirs
200 if grep $pattern $file; then
201 sed -i -r -e \
202 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
203 $file
204 fi
205 NOTIFY=no
206 for dir in $HOMEPATH/Maildir/shared-folders/SpamAssassin/*; do
207 if ! test -d $dir; then
208 NOTIFY=yes
209 else
210 dest=/var/local/lib/spamd/Maildir/.$(basename $dir)
211 if test "$(readlink $dir/shared)" != "$dest"; then
212 ln -sf $dest $dir/shared
213 fi
214 fi
215 done
216 if test $NOTIFY = yes; then
217 # This is probably going overboard, but oh well
218 echo "$USER needs assistance on their shared spam dir" | \
219 mail -s "[create-user] $USER needs assistance" \
220 -e -a "From: admins@deleuze.hcoop.net" mwolson_admin
221 fi
222 else
223 maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
224 $HOMEPATH/Maildir
225 fi
226
227 # DATABASE VOLUME
228 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
229 mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
230 vos create -server afs -partition a -name db.$USER -maxquota 400000
231 fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
232 vos release common.databases
233 fs sa -dir $DBPATH -acl system:postgres l
234 fs sa -dir $DBPATH -acl system:mysql l
235 fs sa -dir $DBPATH -acl system:backup rl
236 fi
237
238 # Create postgres user and tablespace placeholder within volume
239 if ! test -d $PGDIR; then
240 mkdir -p $PGDIR
241 chown postgres:postgres $PGDIR
242 fs sa -dir $PGDIR -acl system:postgres write
243
244 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
245 fi
246
247 # Create mysql user and databases placeholder within volume
248 mkdir -p $MYSQLDIR
249 chown mysql:mysql $MYSQLDIR
250 fs sa -dir $MYSQLDIR -acl system:mysql write
251
252
253 #
254 # Mount points for backup volumes
255 #
256
257 mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
258 mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
259 fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
260 fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
261 fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
262 fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
263 vos release old
264
265 # technically this might not be necessary, but for good measure...
266 vos syncserv deleuze
267 vos syncvldb deleuze
268
269 # refresh volume location cache (takes ~2hrs otherwise)
270 mire_and_deleuze fs checkvolumes
271
272 #
273 # Non-AFS files and directories
274 #
275
276 # Make per-user apache DAV lock directory -- the directory must be
277 # both user and group-writable, which is silly.
278 mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
279 mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
280 mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
281
282 #
283 # Domtool integration
284 #
285
286 domtool-adduser $USER