X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/0963ebc5874bb149eb343e4efbf99798f8810524..481c2d5ff16953a69191cdc14f2c5ef54f45be33:/create-user
diff --git a/create-user b/create-user
index d5f5a11..ce6304f 100755
--- a/create-user
+++ b/create-user
@@ -3,18 +3,47 @@
 # MUST be executed:
 # - on deleuze
 # - as a user with an /etc/sudoers line
-# - member of wheel unix group
+# - member of "wheel" unix group on deleuze
+# - while holding tickets for a user who can 'ssh -K' to mire
+# - and is a member of "wheel" on mire
 # - while holding tokens for a user who is:
 # - a member of system:administrator
 # - listed in 'bos listusers deleuze'
+# - and who has been set up with Domtool admin privileges by:
+# - running 'domtool-adduser $USER' while holding AFS admin tokens as
+# someone who is already a Domtool admin
+# - running 'domtool-admin grant $USER priv all' as someone who is already a
+# Domtool admin
+# (To bootstrap yourself into admindom:
+# 1. Run '/etc/init.d/domtool-server stop' on deleuze.
+# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
+# (e.g., mire).
+# 3. Edit ~domtool/acl, following the example of adamc_admin to grant
+# yourself 'priv all'.
+# 4. Run '/etc/init.d/domtool-server start' on deleuze.
+# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
+# machines.
+# 6. Run 'domtool-adduser' as above.)
 USER=$1
+export PATH=$PATH:/afs/hcoop.net/common/bin/
+
 if test -z "$USER"; then
 echo "Invoke as create-user "
 exit 1
 fi
+#
+# Helper functions
+#
+ # Run a command on both mire and deleuze; assumes that no escaping is
+# needed.
+function mire_and_deleuze() {
+ $*
+ ssh mire.hcoop.net $*
+}
 #
 # Kerberos principals
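Review bot: The new `mire_and_deleuze` helper expands `$*` unquoted on both legs, so each argument is re-split and glob-expanded locally and then flattened into one remote command string by ssh; the comment admits no escaping is done, yet the only input check in the script is the `test -z "$USER"` above, and `$USER` (taken from `$1`) reaches this helper as well as the kadmin queries, LDIF and filesystem paths later on. Validating the name once, right after the emptiness check, bounds what reaches all of those sinks, e.g. `[[ "$USER" =~ ^[a-z][a-z0-9]*$ ]] || { echo "create-user: bad username" >&2; exit 1; }` (adjust the pattern to the site's naming rule); inside the helper, `"$@"` for the local leg and `printf '%q '` for the remote leg would make the quoting explicit. Reusing the name `USER` also clobbers the login environment variable that programs run by this script may consult — presumably harmless, but worth a one-line comment. The `export PATH=...` line puts an AFS-hosted directory on a privileged script's PATH; a comment stating that its ACL is administrator-write-only would document the assumption.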
@@ -27,10 +56,9 @@ fi
 # worry - we'll invoke cpw later, so that it has the same effect
 # as setting password right now - while it is more error tolerant).
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
 #
 # Create AFS users corresponding to krb5 principals.
@@ -39,10 +67,8 @@ sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET
 pts cu $USER || true
 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.mailfilter $ID_MF || true
-ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.cgi || true
-ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.daemon || true
+ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
 #
@@ -53,7 +79,7 @@ ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
+DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
 PGDIR=$DBPATH/postgres
 MYSQLDIR=$DBPATH/mysql
@@ -75,7 +101,6 @@ objectClass: posixAccount
 cn: $USER
 uid: $USER
 gidNumber: $ID
-homeDirectory: $HOMEPATH
 sn: $USER
 host: abulafia
 host: mire
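Review bot: The context comment directly above the new `ank` lines, `# worry - we'll invoke cpw later, so that it has the same effect`, is left stale by this commit: the last hunk (@@ -201) deletes the `cpw $USER@HCOOP.NET` step, so after this change the member principal is created with a random key, `+requires_preauth` and a one-day `-maxlife`, and this script never sets a password for it. Whatever now establishes the initial password is not visible in the diff, so either rewrite that comment to name it or add `# NOTE: no password is set here; the member's initial password is set out of band` next to the `ank` line, so the next operator does not assume the random key is a bug.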
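Review bot: `ID_DAEMON` is scraped from `pts examine` output with no check that it is a number, yet it is pasted into the LDIF as `gidNumber:` in hunk @@ -88; if `pts cu` failed (hidden by `|| true`) and `pts examine` then prints an error, the variable is empty or garbage and the `ldapadd ... || true` downstream swallows the resulting failure. A guard right after the assignment, `[[ "$ID_DAEMON" =~ ^[0-9]+$ ]] || { echo "create-user: no pts id for $USER.daemon" >&2; exit 1; }`, stops the run before the directory is half-populated. The pre-existing `ID` line has the same gap and could get the same check.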
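Review bot: Removing `homeDirectory` from an entry whose objectClass is `posixAccount` is likely to make `ldapadd` reject the entry: under the standard RFC 2307 schema `homeDirectory` is a MUST attribute of posixAccount (so is `uidNumber`, which neither side of this diff supplies), and the `|| true` on the `ldapadd` pipeline means an objectClass violation would go unnoticed. If the site's schema really makes it optional, a comment saying so would help; otherwise keep `homeDirectory: $HOMEPATH` and consider replacing `|| true` with an explicit failure check so a rejected add is visible. The same attribute is dropped from the `$USER.daemon` entry in hunk @@ -88.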
@@ -88,44 +113,23 @@ gidNumber: $ID
 memberUid: $USER
 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-# USER.mailfilter entry
+# USER.daemon entry
 echo "
-dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
+dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
 objectClass: top
 objectClass: person
 objectClass: posixAccount
-cn: $USER.mailfilter
-uid: $USER.mailfilter
-gidNumber: $ID_MF
-homeDirectory: $HOMEPATH
-sn: $USER.mailfilter
+cn: $USER.daemon
+uid: $USER.daemon
+gidNumber: $ID_DAEMON
+sn: $USER.daemon
-dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
+dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
 objectClass: top
 objectClass: posixGroup
-cn: $USER.mailfilter
-gidNumber: $ID_MF
-memberUid: $USER.mailfilter
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-# USER.cgi entry
-echo "
-dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER.cgi
-uid: $USER.cgi
-gidNumber: $ID_CGI
-homeDirectory: $HOMEPATH
-sn: $USER.cgi
-
-dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER.cgi
-gidNumber: $ID_CGI
-memberUid: $USER.cgi
+cn: $USER.daemon
+gidNumber: $ID_DAEMON
+memberUid: $USER.daemon
 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
@@ -133,17 +137,19 @@ memberUid: $USER.cgi
 # Export .mailfilter and .cgi keys to a keytab file
 #
-# create a mailfilter keytab (used by /etc/exim4/get-token)
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
-# create a cgi keytab
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
+# create a daemon keytab (used by /etc/exim4/get-token)
+# *only* if it does not exist!
+test -e /etc/keytabs/user.daemon/$USER || \
+ sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
-# Properly chown/mod keytab files (www-data must own the cgi keytab)
-sudo chown www-data:wheel /etc/keytabs/cgi/$USER
-sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
-sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
+# Properly chown/mod keytab files (must be $USER:www-data)
+sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
+sudo chmod 440 /etc/keytabs/user.daemon/$USER
-# FIXME: rsync keytabs to mire?
+# rsync keytabs to mire
+(cd /etc/keytabs
+ sudo tar clpf - user.daemon/$USER | \
+ ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
 #
 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
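Review bot: In the keytab copy, `ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -` runs the remote extract even when the `cd` fails, in which case the keytab is unpacked relative to the login user's home on mire rather than into `/etc/keytabs`; the local `(cd /etc/keytabs` has the same weakness. Chain with `&&` on both sides: `(cd /etc/keytabs && sudo tar clpf - user.daemon/$USER | ssh mire.hcoop.net 'cd /etc/keytabs && sudo tar xlpf -')`. The heading at the top of this hunk, `# Export .mailfilter and .cgi keys to a keytab file`, still names the old principals and should become `# Export the .daemon key to a keytab file`. It would also help to say in the comment above the `test -e` guard why it must stay — `ktadd` generates a fresh key, so an unguarded re-run would invalidate the copy already shipped to mire.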
@@ -153,23 +159,82 @@ sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
 vos examine user.$USER 2>/dev/null || \
 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
 mkdir -p `dirname $HOMEPATH`
-test -e $HOMEPATH || fs mkm $HOMEPATH user.$USER
-chown $USER $HOMEPATH
+fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
+chown $USER:nogroup $HOMEPATH
 fs sa $HOMEPATH $USER all
-fs sa $HOMEPATH system:anyuser rl
+fs sa $HOMEPATH system:anyuser l
 # Apache logs
-mkdir -p $HOMEPATH/logs/apache
-fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
+mkdir -p $HOMEPATH/.logs
+chown $USER:nogroup $HOMEPATH/.logs
+mkdir -p $HOMEPATH/.logs/apache
+chown $USER:nogroup $HOMEPATH/.logs/apache
+fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
+mkdir -p $HOMEPATH/.logs/mail
+fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
+chown $USER:nogroup $HOMEPATH/.logs/mail
+
+# public_html
+mkdir -p $HOMEPATH/public_html
+chown $USER:nogroup $HOMEPATH/public_html
+fs sa $HOMEPATH/public_html system:anyuser rl
+
+# .procmail.d
+mkdir -p $HOMEPATH/.procmail.d
+chown $USER:nogroup $HOMEPATH/.procmail.d
+fs sa $HOMEPATH/.procmail.d system:anyuser rl
+
+# .public
+mkdir -p $HOMEPATH/.public/
+chown $USER:nogroup $HOMEPATH/.public
+fs sa $HOMEPATH/.public system:anyuser rl
+
+# .domtool
+mkdir -p $HOMEPATH/.public/.domtool
+chown $USER:nogroup $HOMEPATH/.public/.domtool
+test -e $HOMEPATH/.domtool || \
+ test -L $HOMEPATH/.domtool || \
+ sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
+
+# Gitweb hosting
+test -L /var/cache/git/$USER || \
+ sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
 # MAIL VOLUME
 vos examine mail.$USER 2>/dev/null || \
 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
 mkdir -p `dirname $MAILPATH`
-test -e $MAILPATH || fs mkm $MAILPATH mail.$USER
-test -e $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
-fs sa $MAILPATH $USER all
-fs sa $MAILPATH $USER.mailfilter all
+fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
+fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
+chown $USER:nogroup $MAILPATH
+chown $USER:nogroup $HOMEPATH/Maildir
+fs sa $MAILPATH $USER all
+fs sa $MAILPATH $USER.daemon all
+if test ! -e $MAILPATH/new; then
+ mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
+ echo -e "This email account is provided as a service for HCoop members." \
+ "\n\nTo learn how to use it, please visit the page" \
+ "\n on our website."| \
+ mail -s "Welcome to your HCoop email store" \
+ -e -a "From: postmaster@hcoop.net" \
+ real-$USER
+fi
+chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
+
+# Set up shared SpamAssassin folder
+if test -f $HOMEPATH/Maildir/shared-maildirs; then
+ # Deal with case where user rsync'd their Maildir from fyodor
+ pattern='^SpamAssassin /home/spamd'
+ file=$HOMEPATH/Maildir/shared-maildirs
+ if grep $pattern $file; then
+ sed -i -r -e \
+ 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
+ $file
+ fi
+else
+ maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
+ $HOMEPATH/Maildir
+fi
 # DATABASE VOLUME
 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
@@ -183,7 +248,7 @@ if ! vos examine db.$USER >/dev/null 2>/dev/null; then
 fi
 # Create postgres user and tablespace placeholder within volume
-if ! [ -d $PGDIR ]; then
+if ! test -d $PGDIR; then
 mkdir -p $PGDIR
 chown postgres:postgres $PGDIR
 fs sa -dir $PGDIR -acl system:postgres write
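Review bot: In the SpamAssassin migration block, `if grep $pattern $file; then` word-splits `pattern='^SpamAssassin /home/spamd'`, so grep gets `^SpamAssassin` as the pattern and `/home/spamd` as an extra file operand: it matches any SpamAssassin line (including ones already rewritten, so the `sed -i` rewrites the file on every run), complains about the stray operand if it is absent on this host, and echoes the matched line to stdout. Quote both expansions and silence the output: `if grep -q -- "$pattern" "$file"; then`. Separately, `fs sa $HOMEPATH/.procmail.d system:anyuser rl` makes each member's procmail rules readable by every AFS client; if only the delivery side needs them, `$USER.daemon rl` is the tighter grant, and either way a comment stating why anyuser read is required would document the decision.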
@@ -201,20 +266,39 @@ fs sa -dir $MYSQLDIR -acl system:mysql write
 # Mount points for backup volumes
 #
-mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
-mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
-test -e /afs/hcoop.net/old/user/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
-test -e /afs/hcoop.net/old/mail/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
+mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
+fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
+fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
+vos release old
+# technically this might not be necessary, but for good measure...
 vos syncserv deleuze
 vos syncvldb deleuze
-fs checkvolumes
+# refresh volume location cache (takes ~2hrs otherwise)
+mire_and_deleuze fs checkvolumes
+
+#
+# Non-AFS files and directories
+#
+
+# Make per-user apache DAV lock directory -- the directory must be
+# both user and group-writable, which is silly.
+mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
+
+#
+# Domtool integration
 #
-# Finally, set password for main user's principal
-# Aborting this operation is harmless. Just re-invoke cpw.
-#
-sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET"
+domtool-adduser $USER
+
+#
+# Subscribe user to our mailing lists.
+#
+echo $USER@hcoop.net | sudo -u list \
+ /var/lib/mailman/bin/add_members -r - hcoop-announce
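Review bot: The mailing-list subscription at the end runs on every invocation, while the rest of the script is written to be re-run for an existing member (the `fs ls ... ||` and `test -e ... ||` guards), so a re-run re-submits `$USER@hcoop.net` to add_members; whether that is harmless depends on add_members' duplicate handling, which is not visible here, so either guard it (e.g. check the list's membership first) or add `# add_members tolerates existing subscribers; safe to re-run` once that has been confirmed. `domtool-adduser $USER` raises the same question and is also the first command that depends on the AFS directory appended to PATH in the first hunk, so a failure there should not be left to the shell's default handling — whether `set -e` is in force is not visible in this diff. The DAV lock directory lines pass `$USER` through the helper's unquoted `$*`, which is only safe if the username has been validated up front.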