-#!/bin/bash -ex
-
-# MUST be executed:
-# - on deleuze
-# - as a user with an /etc/sudoers line
-# - member of wheel unix group
-# - while holding tokens for a user who is:
-# - a member of system:administrator
-# - listed in 'bos listusers deleuze'
-
-USER=$1
-
-if test -z "$USER"; then
- echo "Invoke as create-user <USERNAME>"
- exit 1
-fi
-
-
-#
-# Kerberos principals
-# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
-#
-
-# We use -randkey for user's main principal as well, to make sure that
-# the creation process does not continue without having a main
-# principal. (But you who want to set password for a user, don't
-# worry - we'll invoke cpw later, so that it has the same effect
-# as setting password right now - while it is more error tolerant).
-
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
-
-#
-# Create AFS users corresponding to krb5 principals.
-# (fred/cgi principal == fred.cgi AFS user)
-#
-
-pts cu $USER || true
-ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.mailfilter $ID_MF || true
-ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.cgi || true
-ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-
-
-#
-# Construct various paths for later perusal.
-#
-
-# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
-PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
-HOMEPATH=/afs/hcoop.net/user/$PATHBITS
-MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
-PGDIR=$DBPATH/postgres
-MYSQLDIR=$DBPATH/mysql
-
-
-#
-# Create LDAP entries. (With the whole libnss-ptdb, I kind of
-# lost the idea of what I want to do with LDAP, but we'll
-# see with time how well it integrates...)
-# The ID returned from AFS is important here, we want to make
-# sure those IDs match.
-#
-
-# USER entry
-echo "
-dn: uid=$USER,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER
-uid: $USER
-gidNumber: $ID
-homeDirectory: $HOMEPATH
-sn: $USER
-host: abulafia
-host: mire
-
-dn: cn=$USER,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER
-gidNumber: $ID
-memberUid: $USER
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-# USER.mailfilter entry
-echo "
-dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER.mailfilter
-uid: $USER.mailfilter
-gidNumber: $ID_MF
-homeDirectory: $HOMEPATH
-sn: $USER.mailfilter
-
-dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER.mailfilter
-gidNumber: $ID_MF
-memberUid: $USER.mailfilter
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-# USER.cgi entry
-echo "
-dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER.cgi
-uid: $USER.cgi
-gidNumber: $ID_CGI
-homeDirectory: $HOMEPATH
-sn: $USER.cgi
-
-dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER.cgi
-gidNumber: $ID_CGI
-memberUid: $USER.cgi
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-
-#
-# Export .mailfilter and .cgi keys to a keytab file
-#
-
-# create a mailfilter keytab (used by /etc/exim4/get-token)
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
-
-# create a cgi keytab
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
-
-# Properly chown/mod keytab files (www-data must own the cgi keytab)
-sudo chown www-data:wheel /etc/keytabs/cgi/$USER
-sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
-sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
-
-# rsync keytabs to mire
-rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
-
-#
-# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
-#
-
-# HOME VOLUME
-vos examine user.$USER 2>/dev/null || \
- vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
-mkdir -p `dirname $HOMEPATH`
-fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
-chown $USER $HOMEPATH
-fs sa $HOMEPATH $USER all
-fs sa $HOMEPATH system:anyuser rl
-
-# Apache logs
-mkdir -p $HOMEPATH/logs/apache
-fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
-
-# public_html
-mkdir -p $HOMEPATH/public_html/
-fs sa $HOMEPATH/public_html system:anyuser rl
-mkdir -p $HOMEPATH/.procmail.d/
-fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
-
-# MAIL VOLUME
-vos examine mail.$USER 2>/dev/null || \
- vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
-mkdir -p `dirname $MAILPATH`
-fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
-fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
-fs sa $MAILPATH $USER all
-fs sa $MAILPATH $USER.mailfilter all
-
-# DATABASE VOLUME
-if ! vos examine db.$USER >/dev/null 2>/dev/null; then
- mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
- vos create -server afs -partition a -name db.$USER -maxquota 400000
- fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
- vos release common.databases
- fs sa -dir $DBPATH -acl system:postgres l
- fs sa -dir $DBPATH -acl system:mysql l
- fs sa -dir $DBPATH -acl system:backup rl
-fi
-
-# Create postgres user and tablespace placeholder within volume
-if ! [ -d $PGDIR ]; then
- mkdir -p $PGDIR
- chown postgres:postgres $PGDIR
- fs sa -dir $PGDIR -acl system:postgres write
-
- sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
-fi
-
-# Create mysql user and databases placeholder within volume
-mkdir -p $MYSQLDIR
-chown mysql:mysql $MYSQLDIR
-fs sa -dir $MYSQLDIR -acl system:mysql write
-
-
-#
-# Mount points for backup volumes
-#
-
-mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
-mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
-fs ls /afs/hcoop.net/old/user/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
-fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
-
-# technically this might not be necessary, but for good measure...
-vos syncserv deleuze
-vos syncvldb deleuze
-
-# refresh volume location cache (takes ~2hrs otherwise)
-fs checkvolumes
-ssh mire.hcoop.net fs checkvolumes
-
-#
-# Finally, set password for main user's principal
-# Aborting this operation is harmless. Just re-invoke cpw.
-#
-# kadmin.local doesn't report errors properly, so we have to
-# check manually
-#
-sudo rm -f /tmp/kadmin.out
-sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \
- 2>&1 | tee /tmp/kadmin.out
-cat /tmp/kadmin.out | grep 'Password for .* changed'
-sudo rm -f /tmp/kadmin.out
-
+#!/bin/bash -ex
+
+# MUST be executed:
+# - on deleuze
+# - as a user with an /etc/sudoers line
+# - member of "wheel" unix group on deleuze
+# - while holding tickets for a user who can 'ssh -K' to mire
+# - and is a member of "wheel" on mire
+# - while holding tokens for a user who is:
+# - a member of system:administrator
+# - listed in 'bos listusers deleuze'
+# - and who has been set up with Domtool admin privileges by:
+# - running 'domtool-adduser $USER' while holding AFS admin tokens as
+# someone who is already a Domtool admin
+# - running 'domtool-admin grant $USER priv all' as someone who is already a
+# Domtool admin
+# (To bootstrap yourself into admindom:
+# 1. Run '/etc/init.d/domtool-server stop' on deleuze.
+# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
+# (e.g., mire).
+# 3. Edit ~domtool/acl, following the example of adamc_admin to grant
+# yourself 'priv all'.
+# 4. Run '/etc/init.d/domtool-server start' on deleuze.
+# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
+# machines.
+# 6. Run 'domtool-adduser' as above.)
+
+USER=$1
+
+export PATH=$PATH:/afs/hcoop.net/common/bin/
+
+if test -z "$USER"; then
+ echo "Invoke as create-user <USERNAME>"
+ exit 1
+fi
+
+#
+# Helper functions
+#
+
+# Run a command on both mire and deleuze; assumes that no escaping is
+# needed.
+function mire_and_deleuze() {
+ $*
+ ssh -K mire.hcoop.net $*
+}
+
+function execute_on_fritz () {
+ ssh -K fritz.hcoop.net $*
+}
+
+function execute_on_all_machines () {
+ $*
+ ssh -K mire.hcoop.net $*
+ ssh -K hopper.hcoop.net $*
+ ssh -K fritz.hcoop.net $*
+}
+
+#
+# Kerberos principals
+# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
+#
+
+# We use -randkey for user's main principal as well, to make sure that
+# the creation process does not continue without having a main
+# principal. (But you who want to set password for a user, don't
+# worry - we'll invoke cpw later, so that it has the same effect
+# as setting password right now - while it is more error tolerant).
+
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
+
+#
+# Create AFS users corresponding to krb5 principals.
+# (fred/cgi principal == fred.cgi AFS user)
+#
+
+pts cu $USER || true
+ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.daemon || true
+ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+
+
+#
+# Construct various paths for later perusal.
+#
+
+# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
+PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
+HOMEPATH=/afs/hcoop.net/user/$PATHBITS
+MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
+
+#
+# Create LDAP entries. (With the whole libnss-ptdb, I kind of
+# lost the idea of what I want to do with LDAP, but we'll
+# see with time how well it integrates...)
+# The ID returned from AFS is important here, we want to make
+# sure those IDs match.
+#
+
+# USER entry
+echo "
+dn: uid=$USER,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER
+uid: $USER
+gidNumber: $ID
+sn: $USER
+host: abulafia
+host: mire
+
+dn: cn=$USER,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER
+gidNumber: $ID
+memberUid: $USER
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
+
+# USER.daemon entry
+echo "
+dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER.daemon
+uid: $USER.daemon
+gidNumber: $ID_DAEMON
+sn: $USER.daemon
+
+dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER.daemon
+gidNumber: $ID_DAEMON
+memberUid: $USER.daemon
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
+
+
+#
+# Export .mailfilter and .cgi keys to a keytab file
+#
+
+# create a daemon keytab (used by /etc/exim4/get-token)
+# *only* if it does not exist!
+test -e /etc/keytabs/user.daemon/$USER || \
+ sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
+
+# Properly chown/mod keytab files (must be $USER:www-data)
+sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
+sudo chmod 440 /etc/keytabs/user.daemon/$USER
+
+# rsync keytabs
+(cd /etc/keytabs
+ sudo tar clpf - user.daemon/$USER | \
+ ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
+(cd /etc/keytabs
+ sudo tar clpf - user.daemon/$USER | \
+ ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
+
+#
+# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
+#
+
+# HOME VOLUME
+if vos examine user.$USER.d 2>/dev/null; then
+ echo "Reactivating old volume (user.$USER.d)"
+ vos rename user.$USER.d user.$USER
+fi
+vos examine user.$USER 2>/dev/null || \
+ vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000
+
+mkdir -p `dirname $HOMEPATH`
+fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
+chown $USER:nogroup $HOMEPATH
+fs sa $HOMEPATH $USER all
+fs sa $HOMEPATH system:anyuser l
+
+# Apache logs
+mkdir -p $HOMEPATH/.logs
+chown $USER:nogroup $HOMEPATH/.logs
+mkdir -p $HOMEPATH/.logs/apache
+chown $USER:nogroup $HOMEPATH/.logs/apache
+fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
+mkdir -p $HOMEPATH/.logs/mail
+fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
+chown $USER:nogroup $HOMEPATH/.logs/mail
+
+# public_html
+test -e $HOMEPATH/public_html || \
+ (mkdir -p $HOMEPATH/public_html; \
+ chown $USER:nogroup $HOMEPATH/public_html; \
+ fs sa $HOMEPATH/public_html system:anyuser none; \
+ fs sa $HOMEPATH/public_html $USER.daemon rl)
+
+# .procmail.d
+mkdir -p $HOMEPATH/.procmail.d
+chown $USER:nogroup $HOMEPATH/.procmail.d
+fs sa $HOMEPATH/.procmail.d system:anyuser rl
+
+# .public
+mkdir -p $HOMEPATH/.public/
+chown $USER:nogroup $HOMEPATH/.public
+fs sa $HOMEPATH/.public system:anyuser rl
+
+# .domtool
+mkdir -p $HOMEPATH/.public/.domtool
+chown $USER:nogroup $HOMEPATH/.public/.domtool
+test -e $HOMEPATH/.domtool || \
+ test -L $HOMEPATH/.domtool || \
+ sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
+
+# Gitweb hosting
+test -L /var/cache/git/$USER || \
+ sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
+
+# MAIL VOLUME
+if vos examine mail.$USER.d 2>/dev/null; then
+ echo "Reactivating old volume (mail.$USER.d)"
+ vos rename mail.$USER.d mail.$USER
+fi
+vos examine mail.$USER 2>/dev/null || \
+ vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000
+
+mkdir -p `dirname $MAILPATH`
+fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
+fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
+chown $USER:nogroup $MAILPATH
+chown $USER:nogroup $HOMEPATH/Maildir
+fs sa $MAILPATH $USER all
+fs sa $MAILPATH $USER.daemon all
+if test ! -e $MAILPATH/new; then
+ mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
+ echo -e "This email account is provided as a service for HCoop members." \
+ "\n\nTo learn how to use it, please visit the page" \
+ "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
+ mail -s "Welcome to your HCoop email store" \
+ -e -a "From: postmaster@hcoop.net" \
+ real-$USER
+fi
+chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
+
+# Set up shared SpamAssassin folder
+if test -f $HOMEPATH/Maildir/shared-maildirs; then
+ # Deal with case where user rsync'd their Maildir from fyodor
+ pattern='^SpamAssassin /home/spamd'
+ file=$HOMEPATH/Maildir/shared-maildirs
+ if grep $pattern $file; then
+ sed -i -r -e \
+ 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
+ $file
+ fi
+else
+ maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
+ $HOMEPATH/Maildir
+fi
+
+# Create database tablespaces
+execute_on_fritz /afs/hcoop.net/common/etc/scripts/create-user-database $USER
+
+#
+# Mount points for backup volumes
+#
+
+mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
+mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
+fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
+fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
+vos release old
+
+# technically this might not be necessary, but for good measure...
+vos syncserv fritz
+vos syncvldb fritz
+
+# refresh volume location cache (takes ~2hrs otherwise)
+execute_on_all_machines fs checkvolumes
+
+#
+# Non-AFS files and directories
+#
+
+# Make per-user apache DAV lock directory -- the directory must be
+# both user and group-writable, which is silly.
+mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
+
+#
+# Domtool integration
+#
+
+domtool-adduser $USER
+
+#
+# Subscribe user to our mailing lists.
+#
+echo $USER@hcoop.net | sudo -u list \
+ /var/lib/mailman/bin/add_members -r - hcoop-announce
HCoop / clinton / scripts.git / blobdiff