3 # Library functions for create-user scripts
4 # Export the $NEWUSER variable before sourcing!
6 # Functionality is split so that the scripts for creating real users,
7 # service users, and web service users can share as much code as
10 # This has probably grown to the point where it shouldn't be a shell
13 # ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
14 # something that should be perfectly permissible, and is something
15 # that we do somewhat regularly (to bring old accounts up to date).
17 export PATH
=$PATH:/afs
/hcoop.net
/common
/bin
/
19 if test -z "$NEWUSER"; then
20 echo "NEWUSER not set before sourcing create user library"
25 # Construct various paths for later perusal.
28 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
29 PATHBITS
=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER
30 HOMEPATH
=/afs
/hcoop.net
/user
/$PATHBITS
31 MAILPATH
=/afs
/hcoop.net
/common
/email
/$PATHBITS
37 function execute_on_web_nodes
() {
43 function execute_on_domtool_server
() {
44 ssh -K deleuze.hcoop.net $
*
48 function execute_on_all_machines
() {
50 ssh -K mire.hcoop.net $
*
51 ssh -K hopper.hcoop.net $
*
52 ssh -K deleuze.hcoop.net $
*
53 ssh -K navajos.hcoop.net $
*
54 ssh -K bog.hcoop.net $
*
61 function create_pts_user
() {
62 # Create primary user kerberos principle and afs pts user
64 # We use -randkey for user's main principal as well, to make sure
65 # that the creation process does not continue without having a
66 # main principal. (But you who want to set password for a user,
67 # don't worry - we'll invoke cpw later, so that it has the same
68 # effect as setting password right now - while it is more error
71 sudo kadmin.
local -p root
/admin
-q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
72 sudo kadmin.
local -p root
/admin
-q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"
74 pts cu
$NEWUSER || true
77 function create_pts_user_daemon
() {
79 # Create additional kerberos principles ($user.daemon for now, in
80 # theory also $user.mail, $user.cgi) and pts users for any used to
81 # gain afs access ($user.daemon only)
82 sudo kadmin.
local -p root
/admin
-q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
83 pts cu
$NEWUSER.daemon || true
86 function export_user_keytabs
() {
88 # Export .mailfilter and .cgi keys to a keytab file
90 # This is suboptimal, we need to generate keytabs for
91 # cgi/mail/etc. separately, and only sync to the nodes that
92 # perform the services in question
94 # create a daemon keytab (used by /etc/exim4/get-token)
95 # *only* if it does not exist!
96 test -e /etc
/keytabs
/user.daemon
/$NEWUSER || \
97 sudo kadmin.
local -p root
/admin
-q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"
99 # Properly chown/mod keytab files (must be $NEWUSER:www-data)
100 sudo chown
$NEWUSER:www-data
/etc
/keytabs
/user.daemon
/$NEWUSER
101 sudo
chmod 440 /etc
/keytabs
/user.daemon
/$NEWUSER
105 sudo
tar clpf
- user.daemon
/$NEWUSER | \
106 ssh mire.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
108 sudo
tar clpf
- user.daemon
/$NEWUSER | \
109 ssh hopper.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
111 sudo
tar clpf
- user.daemon
/$NEWUSER | \
112 ssh deleuze.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
114 sudo
tar clpf
- user.daemon
/$NEWUSER | \
115 ssh navajos.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
117 sudo
tar clpf
- user.daemon
/$NEWUSER | \
118 ssh bog.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
123 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
126 # Each function that creates an afs volume should ensure that the
127 # backup volume is created and mounted for users.
129 function create_home_volume
() {
131 if vos examine user.
$NEWUSER.d
2>/dev
/null
; then
132 echo "Reactivating old volume (user.$NEWUSER.d)"
133 vos rename user.
$NEWUSER.d user.
$NEWUSER
135 vos examine user.
$NEWUSER 2>/dev
/null || \
136 vos create fritz.hcoop.net
/vicepa user.
$NEWUSER -maxquota 400000
138 mkdir
-p `dirname $HOMEPATH`
139 fs
ls $HOMEPATH ||
test -L $HOMEPATH || fs mkm
$HOMEPATH user.
$NEWUSER
140 chown
$NEWUSER:nogroup
$HOMEPATH
141 fs sa
$HOMEPATH $NEWUSER all
142 fs sa
$HOMEPATH system
:anyuser l
143 # cleanliness / needed to keep suphp happy
144 chown root
:root
$HOMEPATH/..
/..
/
145 chown root
:root
$HOMEPATH/..
/
148 mkdir
-p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
149 fs
ls /afs
/hcoop.net
/.old
/user
/$PATHBITS || \
150 fs mkm
/afs
/hcoop.net
/.old
/user
/$PATHBITS user.
$NEWUSER.backup
154 function create_mail_volume
() {
156 if vos examine
mail.
$NEWUSER.d
2>/dev
/null
; then
157 echo "Reactivating old volume (mail.$NEWUSER.d)"
158 vos rename
mail.
$NEWUSER.d
mail.
$NEWUSER
160 vos examine
mail.
$NEWUSER 2>/dev
/null || \
161 vos create fritz.hcoop.net
/vicepa
mail.
$NEWUSER -maxquota 400000
163 mkdir
-p `dirname $MAILPATH`
164 fs
ls $MAILPATH || fs mkm
$MAILPATH mail.
$NEWUSER
165 fs
ls $HOMEPATH/Maildir || fs mkm
$HOMEPATH/Maildir
mail.
$NEWUSER
166 chown
$NEWUSER:nogroup
$MAILPATH
167 chown
$NEWUSER:nogroup
$HOMEPATH/Maildir
168 fs sa
$MAILPATH $NEWUSER all
169 fs sa
$MAILPATH $NEWUSER.daemon all
171 if test ! -e $MAILPATH/new
; then
172 mkdir
-p $MAILPATH/cur
$MAILPATH/new
$MAILPATH/tmp
173 echo -e "This email account is provided as a service for HCoop members." \
174 "\n\nTo learn how to use it, please visit the page" \
175 "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
176 mail -s "Welcome to your HCoop email store" \
177 -e -a "From: postmaster@hcoop.net" \
181 chown
$NEWUSER:nogroup
$MAILPATH/cur
$MAILPATH/new
$MAILPATH/tmp
183 # Set up shared SpamAssassin folder
184 if test -f $HOMEPATH/Maildir
/shared-maildirs
; then
185 # Deal with case where user rsync'd their Maildir from fyodor
186 # Not an issue now, but harmless and can be adapted when we
187 # move the spamd dirs into afs where they belong later.
188 pattern
='^SpamAssassin /home/spamd'
189 file=$HOMEPATH/Maildir
/shared-maildirs
190 if grep $pattern $file; then
192 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
196 maildirmake
--add SpamAssassin
=/var
/local
/lib
/spamd
/Maildir \
200 mkdir
-p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
201 fs
ls /afs
/hcoop.net
/.old
/mail
/$PATHBITS || \
202 fs mkm
/afs
/hcoop.net
/.old
/mail
/$PATHBITS mail.
$NEWUSER.backup
206 function seed_user_hcoop_directories
() {
207 # Additional standard directories. Some of these should probably
208 # be on their own volumes, and access via a canonical path instead
209 # to give users more control over their home dir without risking
210 # breaking system services.
213 mkdir
-p $HOMEPATH/.logs
214 chown
$NEWUSER:nogroup
$HOMEPATH/.logs
215 mkdir
-p $HOMEPATH/.logs
/apache
216 chown
$NEWUSER:nogroup
$HOMEPATH/.logs
/apache
217 fs sa
$HOMEPATH/.logs
/apache
$NEWUSER.daemon rlwidk
218 mkdir
-p $HOMEPATH/.logs
/mail
219 fs sa
$HOMEPATH/.logs
/mail $NEWUSER.daemon rlwidk
220 chown
$NEWUSER:nogroup
$HOMEPATH/.logs
/mail
223 test -e $HOMEPATH/public_html || \
224 (mkdir
-p $HOMEPATH/public_html
; \
225 chown
$NEWUSER:nogroup
$HOMEPATH/public_html
; \
226 fs sa
$HOMEPATH/public_html system
:anyuser none
; \
227 fs sa
$HOMEPATH/public_html
$NEWUSER.daemon rl
)
230 mkdir
-p $HOMEPATH/.procmail.d
231 chown
$NEWUSER:nogroup
$HOMEPATH/.procmail.d
232 fs sa
$HOMEPATH/.procmail.d system
:anyuser rl
235 mkdir
-p $HOMEPATH/.public
/
236 chown
$NEWUSER:nogroup
$HOMEPATH/.public
237 fs sa
$HOMEPATH/.public system
:anyuser rl
240 mkdir
-p $HOMEPATH/.public
/.domtool
241 chown
$NEWUSER:nogroup
$HOMEPATH/.public
/.domtool
242 test -e $HOMEPATH/.domtool || \
243 test -L $HOMEPATH/.domtool || \
244 execute_on_domtool_server sudo
-u $NEWUSER ln -s $HOMEPATH/.public
/.domtool
$HOMEPATH/.domtool
245 # ^^ work around sudo env_reset crap without having to
246 # actually figure out how to make it work cleanly -- clinton,
250 test -L /var
/cache
/git
/$NEWUSER || \
251 sudo
ln -s $HOMEPATH/.hcoop-git
/var
/cache
/git
/$NEWUSER
256 # Non-AFS files and directories
259 function create_dav_locks
() {
260 # Make per-user apache DAV lock directory -- the directory must be
261 # both user and group-writable, which is silly.
262 execute_on_web_nodes sudo mkdir
-p /var
/lock
/apache
2/dav
/$NEWUSER
263 execute_on_web_nodes sudo chown
$NEWUSER:www-data
/var
/lock
/apache
2/dav
/$NEWUSER
264 execute_on_web_nodes sudo
chmod ug
=rwx
,o
= /var
/lock
/apache
2/dav
/$NEWUSER
267 function setup_user_databases
() {
268 sudo
/afs
/hcoop.net
/common
/etc
/scripts
/create-user-database
$NEWUSER
275 function enable_domtool
() {
276 execute_on_domtool_server domtool-adduser
$NEWUSER
279 function subscribe_to_lists
() {
280 # Subscribe user to our mailing lists.
282 echo $NEWUSER@hcoop.net |
ssh -K deleuze sudo
-u list \
283 /var
/lib
/mailman
/bin
/add_members
-r - hcoop-announce
286 function ensure_afs_servers_synced
() {
289 # technically this might not be necessary, but for good measure...
293 # refresh volume location cache (takes ~2hrs otherwise)
294 execute_on_all_machines fs checkvolumes