1 | # -*- sh-mode -*- |
2 | ||
3 | # Library functions for create-user scripts | |
4 | # Export the $NEWUSER variable before sourcing! | |
5 | ||
6 | # Functionality is split so that the scripts for creating real users, | |
7 | # service users, and web service users can share as much code as | |
8 | # possible. | |
9 | ||
10 | # This has probably grown to the point where it shouldn't be a shell | |
11 | # script any more. | |
12 | ||
13 | # ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT!  Re-creating a user is | |
14 | # something that should be perfectly permissible, and is something | |
15 | # that we do somewhat regularly (to bring old accounts up to date). | |
16 | ||
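# Appended (not prepended), so system binaries still win over anything
# in the AFS common bin directory.
export PATH=$PATH:/afs/hcoop.net/common/bin/

# $NEWUSER is interpolated below into kadmin queries, AFS volume names,
# filesystem paths and -- via the execute_on_* helpers -- into command
# lines that a remote login shell re-parses.  Refuse an empty value, and
# refuse anything that is not a plain lowercase account name, so that a
# stray space, quote or glob character can never become a second command
# on a remote host or an option to pts/vos/chown.  (Loosen the character
# class deliberately if legacy account names need it.)
# Note: `exit` in a sourced library terminates the calling script, which
# is the intent -- nothing below is safe to run without a valid name.
if test -z "$NEWUSER"; then
    echo "NEWUSER not set before sourcing create user library"
    exit 1
fi
case "$NEWUSER" in
    *[!a-z0-9_-]* | -*)
        echo "NEWUSER '$NEWUSER' is not a valid account name (expected [a-z0-9_][a-z0-9_-]*)"
        exit 1
        ;;
esac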
23 | ||
24 | # | |
25 | # Construct various paths for later perusal. | |
26 | # | |
27 | ||
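# (If it's not clear, for user fred, PATHBITS = f/fr/fred.)
# Bash substring expansion replaces the two `echo | head -c` subshells;
# it counts characters rather than bytes, which is the same thing for
# ASCII names, and it is not confused by names that look like echo
# options.  For a one-character name both forms yield x/x/x.
PATHBITS=${NEWUSER:0:1}/${NEWUSER:0:2}/$NEWUSER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS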
32 | ||
33 | # | |
34 | # Helper functions | |
35 | # | |
36 | ||
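# Run a command on each web-serving node in turn (deleuze, then navajos;
# short hostnames, as in the original).  Each node is attempted even if
# an earlier one failed; the exit status is that of the last ssh.
#
# Arguments are forwarded with "$@" -- the original unquoted $* was
# subject to local glob expansion and IFS splitting.  Be aware that ssh
# itself joins the words with spaces and hands the result to the remote
# login shell, so anything containing shell metacharacters must already
# be escaped by the caller.  -K requests GSSAPI (Kerberos) authentication
# and delegation of the invoking user's credentials.
function execute_on_web_nodes () {
    local node
    for node in deleuze navajos; do
        ssh -K "$node" "$@"
    done
}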
41 | ||
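# Run a command on the domtool server (deleuze.hcoop.net).  Arguments are
# forwarded with "$@" instead of the original unquoted $* so they are not
# glob-expanded or re-split locally; ssh still concatenates them for the
# remote login shell, so callers must pre-escape shell metacharacters.
function execute_on_domtool_server () {
    ssh -K deleuze.hcoop.net "$@"
}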
45 | ||
46 | ||
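# Run a command locally and then on every other machine (hopper,
# deleuze, navajos, bog, by FQDN).  A failure on one machine does not
# stop the others; the exit status is that of the last ssh.
#
# "$@" replaces the original unquoted $*: the local invocation now gets
# the caller's arguments exactly, and nothing is glob-expanded on this
# side.  The remote side is still one string re-parsed by the login
# shell, so callers must pre-escape shell metacharacters.
function execute_on_all_machines () {
    "$@"
    local node
    for node in hopper deleuze navajos bog; do
        ssh -K "$node.hcoop.net" "$@"
    done
}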
54 | ||
55 | # | |
56 | # User credentials | |
57 | # | |
58 | ||
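function create_pts_user () {
    # Create the member's primary Kerberos principal and AFS PTS user.
    local princ="$NEWUSER@HCOOP.NET"

    # -randkey is used for the main principal as well, so that creation
    # never stalls waiting for a password: the real password is set
    # later with cpw, which has the same end effect but is more error
    # tolerant.  The principal is created under the "user" policy with
    # +requires_preauth.
    sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $princ"
    # Cap ticket lifetime for this principal at one day.
    sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $princ"

    # NOTE(review): neither kadmin.local call is error-checked.  On
    # re-creation (see the idempotency note at the top of the file) the
    # ank is expected to fail because the principal already exists; any
    # other failure is equally silent -- check the output when in doubt.
    #
    # pts cu fails if the user already exists, so tolerate that.
    pts cu "$NEWUSER" || true
}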
74 | ||
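function create_pts_user_daemon () {
    # Create the additional Kerberos principal for the member's daemons
    # ($user.daemon for now; in theory also $user.mail, $user.cgi) and a
    # PTS user for the one that is used to gain AFS access
    # ($user.daemon only).
    #
    # Mind the two spellings: the Kerberos principal is $NEWUSER/daemon
    # (instance syntax), while the PTS entry is $NEWUSER.daemon -- the
    # latter is the name used in every `fs sa` ACL in this file.
    sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
    # pts cu fails if the entry already exists, so tolerate that.
    pts cu "$NEWUSER.daemon" || true
}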
83 | ||
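function export_user_keytabs () {
    # Export the $NEWUSER/daemon key to a keytab file and copy it to
    # every other node.
    #
    # This is suboptimal: ideally separate keytabs would be generated
    # for cgi/mail/etc. and each synced only to the nodes that perform
    # the service in question, rather than shipping the one daemon key
    # everywhere.

    local keytab="user.daemon/$NEWUSER"
    local node

    # Create the daemon keytab (used by /etc/exim4/get-token) *only* if
    # it does not already exist: ktadd rotates the key to a new kvno, so
    # re-running it would silently invalidate every copy already
    # distributed to the other nodes.  (The -e test runs as the invoking
    # user, so it relies on /etc/keytabs/user.daemon being searchable by
    # that user -- otherwise it always looks "missing".)
    test -e "/etc/keytabs/$keytab" || \
        sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/$keytab $NEWUSER/daemon@HCOOP.NET"

    # Keytab must be readable by the member and by www-data only.
    sudo chown "$NEWUSER:www-data" "/etc/keytabs/$keytab"
    sudo chmod 440 "/etc/keytabs/$keytab"

    # Copy the keytab to the other nodes with ownership and mode
    # preserved (tar -p on both ends), one node per iteration instead of
    # four hand-copied pipelines.  The remote command is a single string
    # re-parsed by the login shell there, hence the escaped ';', and the
    # remote tar runs under sudo so the root-owned /etc/keytabs tree can
    # be written.  If the local cd fails nothing is sent (the original
    # would have run tar from the wrong directory).  Each node is
    # attempted regardless of earlier failures, as before.  Note that
    # these ssh calls do not pass -K, unlike the execute_on_* helpers.
    for node in hopper deleuze navajos bog; do
        (cd /etc/keytabs && sudo tar clpf - "$keytab" | \
            ssh "$node.hcoop.net" cd /etc/keytabs\; sudo tar xlpf -)
    done
}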
115 | ||
116 | ||
117 | # | |
118 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) | |
119 | # | |
120 | ||
121 | # Each function that creates an afs volume should ensure that the | |
122 | # backup volume is created and mounted for users. | |
123 | ||
function create_home_volume () {
    # Create (or reactivate) the member's home volume, mount it at
    # $HOMEPATH owned by the member, and mount the .backup volume under
    # /afs/hcoop.net/.old.  Safe to re-run.
    local vol="user.$NEWUSER"
    local oldmount="/afs/hcoop.net/.old/user/$PATHBITS"

    # A volume parked under a ".d" suffix (apparently a retired account)
    # is renamed back rather than replaced by a fresh, empty one.
    if vos examine "$vol.d" 2>/dev/null; then
        echo "Reactivating old volume ($vol.d)"
        vos rename "$vol.d" "$vol"
    fi
    if ! vos examine "$vol" 2>/dev/null; then
        vos create fritz.hcoop.net /vicepa "$vol" -maxquota 400000
    fi

    # Mount point, skipped if it already exists as a mount or a symlink.
    mkdir -p "$(dirname "$HOMEPATH")"
    if ! fs ls "$HOMEPATH" && ! test -L "$HOMEPATH"; then
        fs mkm "$HOMEPATH" "$vol"
    fi
    chown "$NEWUSER:nogroup" "$HOMEPATH"
    # Member gets every right; everyone else only lookup (l), enough to
    # resolve paths below it but not to list or read.
    fs sa "$HOMEPATH" "$NEWUSER" all
    fs sa "$HOMEPATH" system:anyuser l
    # cleanliness / needed to keep suphp happy: the f/ and f/fr/ parent
    # directories must be root-owned.
    chown root:root "$HOMEPATH/../../"
    chown root:root "$HOMEPATH/../"

    # Backup volume mount.  NOTE(review): only the mount point is made
    # here; nothing in this file runs `vos backup`, so $vol.backup is
    # presumably produced elsewhere (a scheduled backup job) -- confirm.
    mkdir -p "$(dirname "$oldmount")"
    fs ls "$oldmount" || fs mkm "$oldmount" "$vol.backup"
}
147 | ||
148 | ||
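function create_mail_volume () {
    # Create (or reactivate) the mail volume, mount it both at $MAILPATH
    # and as $HOMEPATH/Maildir, seed the Maildir and send the welcome
    # message on first creation, set up the shared SpamAssassin folder,
    # and mount the backup volume.  Safe to re-run.
    local vol="mail.$NEWUSER"
    local oldmount="/afs/hcoop.net/.old/mail/$PATHBITS"
    local shared="$HOMEPATH/Maildir/shared-maildirs"

    # A volume parked under ".d" is renamed back rather than replaced.
    if vos examine "$vol.d" 2>/dev/null; then
        echo "Reactivating old volume ($vol.d)"
        vos rename "$vol.d" "$vol"
    fi
    vos examine "$vol" 2>/dev/null || \
        vos create fritz.hcoop.net /vicepa "$vol" -maxquota 400000

    # Two mount points for the same volume: the delivery path and the
    # member's own Maildir.
    mkdir -p "$(dirname "$MAILPATH")"
    fs ls "$MAILPATH" || fs mkm "$MAILPATH" "$vol"
    fs ls "$HOMEPATH/Maildir" || fs mkm "$HOMEPATH/Maildir" "$vol"
    chown "$NEWUSER:nogroup" "$MAILPATH"
    chown "$NEWUSER:nogroup" "$HOMEPATH/Maildir"
    fs sa "$MAILPATH" "$NEWUSER" all
    # NOTE(review): the daemon principal is granted "all", which includes
    # administer (a) -- it could rewrite this ACL.  Delivery alone needs
    # only rlidwk; left as is because other tooling may depend on it.
    fs sa "$MAILPATH" "$NEWUSER.daemon" all

    # First-time setup only: seed the Maildir and send the welcome
    # message.  The "new" directory doubles as the already-done marker.
    if test ! -e "$MAILPATH/new"; then
        mkdir -p "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"
        echo -e "This email account is provided as a service for HCoop members." \
            "\n\nTo learn how to use it, please visit the page" \
            "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
            mail -s "Welcome to your HCoop email store" \
                -e -a "From: postmaster@hcoop.net" \
                "real-$NEWUSER"
    fi

    chown "$NEWUSER:nogroup" "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"

    # Set up shared SpamAssassin folder
    if test -f "$shared"; then
        # Deal with the case where the user rsync'd their Maildir from
        # fyodor.  Not an issue now, but harmless and can be adapted when
        # we move the spamd dirs into afs where they belong later.
        #
        # Fix: the pattern contains a space and the original unquoted
        # `grep $pattern $file` word-split it into
        # `grep ^SpamAssassin /home/spamd $file`, i.e. it searched for
        # the wrong pattern, in the wrong files, and errored on the
        # /home/spamd directory.  Quote the pattern and use -q, since
        # only the exit status is of interest.
        if grep -q '^SpamAssassin /home/spamd' "$shared"; then
            sed -i -r -e \
                's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
                "$shared"
        fi
    else
        maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
            "$HOMEPATH/Maildir"
    fi

    # Backup volume mount (the .backup volume itself is not created here).
    mkdir -p "$(dirname "$oldmount")"
    fs ls "$oldmount" || fs mkm "$oldmount" "$vol.backup"
    # Push the changed "old" volume out to its read-only copies.
    vos release old
}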
200 | ||
function seed_user_hcoop_directories () {
    # Additional standard directories.  Some of these should probably
    # live on their own volumes and be reached through a canonical path,
    # so members could control their home dir more freely without
    # risking breakage of system services.
    local logs="$HOMEPATH/.logs"
    local pub="$HOMEPATH/.public"

    # Apache and mail logs: the member owns them; the daemon principal
    # gets rlwidk (everything except administer) so services running as
    # $NEWUSER.daemon can write logs but not change the ACL.
    mkdir -p "$logs"
    chown "$NEWUSER:nogroup" "$logs"
    mkdir -p "$logs/apache"
    chown "$NEWUSER:nogroup" "$logs/apache"
    fs sa "$logs/apache" "$NEWUSER.daemon" rlwidk
    mkdir -p "$logs/mail"
    chown "$NEWUSER:nogroup" "$logs/mail"
    fs sa "$logs/mail" "$NEWUSER.daemon" rlwidk

    # public_html is created once; its ACL is only set at creation, so a
    # member's later ACL changes survive re-running this script.  Closed
    # to anyuser; the daemon principal gets read/lookup.
    if ! test -e "$HOMEPATH/public_html"; then
        mkdir -p "$HOMEPATH/public_html"
        chown "$NEWUSER:nogroup" "$HOMEPATH/public_html"
        fs sa "$HOMEPATH/public_html" system:anyuser none
        fs sa "$HOMEPATH/public_html" "$NEWUSER.daemon" rl
    fi

    # .procmail.d
    # NOTE(review): this grants read+lookup to system:anyuser, so a
    # member's mail-filter rules are readable by any AFS client,
    # authenticated or not.  Presumably required for delivery-time
    # access; if delivery runs as $NEWUSER.daemon an ACL for that
    # principal would be tighter -- verify before changing.
    mkdir -p "$HOMEPATH/.procmail.d"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.procmail.d"
    fs sa "$HOMEPATH/.procmail.d" system:anyuser rl

    # .public: world-readable by design.
    mkdir -p "$pub/"
    chown "$NEWUSER:nogroup" "$pub"
    fs sa "$pub" system:anyuser rl

    # .domtool lives inside .public and is reached through a symlink in
    # the home dir.  The symlink is made on the domtool server as the
    # member (sudo -u) -- a work-around for sudo's env_reset rather than
    # a clean solution (clinton, 2011-11-30).
    mkdir -p "$pub/.domtool"
    chown "$NEWUSER:nogroup" "$pub/.domtool"
    if ! test -e "$HOMEPATH/.domtool" && ! test -L "$HOMEPATH/.domtool"; then
        execute_on_domtool_server sudo -u "$NEWUSER" ln -s "$pub/.domtool" "$HOMEPATH/.domtool"
    fi

    # Gitweb hosting: expose $HOMEPATH/.hcoop-git under /var/cache/git.
    if ! test -L "/var/cache/git/$NEWUSER"; then
        sudo ln -s "$HOMEPATH/.hcoop-git" "/var/cache/git/$NEWUSER"
    fi
}
249 | ||
250 | # | |
251 | # Non-AFS files and directories | |
252 | # | |
253 | ||
function create_dav_locks () {
    # Per-user Apache DAV lock directory on each web node.  It must be
    # writable by both the member and the www-data group, which is
    # silly.  Three separate round trips per node, as before.
    local lockdir="/var/lock/apache2/dav/$NEWUSER"
    execute_on_web_nodes sudo mkdir -p "$lockdir"
    execute_on_web_nodes sudo chown "$NEWUSER:www-data" "$lockdir"
    execute_on_web_nodes sudo chmod ug=rwx,o= "$lockdir"
}
261 | ||
function setup_user_databases () {
    # Database creation is delegated to a dedicated script, run as root.
    local script=/afs/hcoop.net/common/etc/scripts/create-user-database
    sudo "$script" "$NEWUSER"
}
265 | ||
266 | # | |
267 | # etc | |
268 | # | |
269 | ||
function enable_domtool () {
    # Register the member with domtool, on the domtool server.
    execute_on_domtool_server domtool-adduser "$NEWUSER"
}
273 | ||
function subscribe_to_lists () {
    # Subscribe the member's hcoop.net address to hcoop-announce by
    # feeding it on stdin to Mailman's add_members, run as the list user
    # on deleuze.  Uses ssh -K with the short hostname directly rather
    # than one of the execute_on_* helpers.
    printf '%s\n' "$NEWUSER@hcoop.net" | ssh -K deleuze sudo -u list \
        /var/lib/mailman/bin/add_members -r - hcoop-announce
}
280 | ||
function ensure_afs_servers_synced () {
    # Release the "old" volume (create_mail_volume does this too), then
    # make the VLDB and the fritz file server agree with each other.
    vos release old

    # Technically this might not be necessary, but for good measure...
    vos syncserv fritz
    vos syncvldb fritz

    # Refresh the volume-location cache on every machine so the new
    # mounts resolve right away (takes ~2hrs otherwise).
    execute_on_all_machines fs checkvolumes
}