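# -*- sh-mode -*-

# Library functions for create-user scripts
# Export the $NEWUSER variable before sourcing!

# Functionality is split so that the scripts for creating real users,
# service users, and web service users can share as much code as
# possible.

# This has probably grown to the point where it shouldn't be a shell
# script any more.

# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! Re-creating a user is
# something that should be perfectly permissible, and is something
# that we do somewhat regularly (to bring old accounts up to date).

# Appended rather than prepended, so that binaries from the AFS-hosted
# common/bin never shadow the system ones this library runs with
# elevated privileges (kadmin.local, vos, fs, pts, tar, ...).
export PATH=$PATH:/afs/hcoop.net/common/bin/

if test -z "$NEWUSER"; then
    echo "NEWUSER not set before sourcing create user library" >&2
    exit 1
fi

# $NEWUSER is spliced into AFS paths, kadmin -q query strings and
# remote ssh command lines below, in several places without quotes.
# Refuse anything that is not a plain account name, so that a stray
# '/', whitespace or shell/kadmin metacharacter can never reach those
# tools.  A leading '-' is rejected because pts/vos/chown would parse
# it as an option; a leading '.' because PATHBITS and the home
# directory would become hidden entries.  Loosen the character class
# if a legitimate naming scheme needs it, but keep those exclusions.
case "$NEWUSER" in
    -*|.*|*[!A-Za-z0-9._-]*)
        echo "NEWUSER '$NEWUSER' is not a plain account name; refusing to continue" >&2
        exit 1
        ;;
esac

#
# Construct various paths for later perusal.
#

# (If it's not clear, for user fred, PATHBITS = f/fr/fred.)  For a
# one-character name both prefixes collapse to that single character.
PATHBITS=${NEWUSER:0:1}/${NEWUSER:0:2}/$NEWUSER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS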
32 | ||
33 | # | |
34 | # Helper functions | |
35 | # | |
36 | ||
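# Run a command on the web node(s).  "$@" keeps the arguments intact
# locally, but ssh joins them into one string that the remote login
# shell re-parses, so callers must pre-quote anything containing
# spaces or shell metacharacters.  -K forwards our GSSAPI (Kerberos)
# credentials to the remote side, presumably so it can obtain AFS
# tokens on our behalf.
function execute_on_web_nodes () {
    ssh -K shelob.hcoop.net "$@"
}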
40 | ||
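# Run a command on the domtool server (gibran).  Same caveats as
# execute_on_web_nodes: the remote login shell re-parses the joined
# arguments, and -K delegates our Kerberos credentials to it.
function execute_on_domtool_server () {
    ssh -K gibran.hcoop.net "$@"
}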
44 | ||
45 | ||
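# Run a command locally and then on each host in the list below.
# Note that gibran/lovelace (the AFS servers named in
# ensure_afs_servers_synced) are not in this list, and that
# export_user_keytabs carries its own, shorter copy of it.  Remote
# arguments are re-parsed by the remote login shell (see
# execute_on_web_nodes).
function execute_on_all_machines () {
    local host
    "$@"
    for host in marsh minsky shelob outpost; do
        ssh -K "$host.hcoop.net" "$@"
    done
}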
53 | ||
54 | # | |
55 | # User credentials | |
56 | # | |
57 | ||
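function create_pts_user () {
    # Create the primary user Kerberos principal and the AFS pts user.
    #
    # $NEWUSER is interpolated straight into the kadmin query string,
    # so it must already have been checked to be a plain principal
    # name (no whitespace, quotes or '/') by whatever sourced this
    # library.

    # We use -randkey for user's main principal as well, to make sure
    # that the creation process does not continue without having a
    # main principal. (But you who want to set password for a user,
    # don't worry - we'll invoke cpw later, so that it has the same
    # effect as setting password right now - while it is more error
    # tolerant).
    #
    # Re-running ank for an existing principal presumably just fails
    # (nothing here stops on error), which is what keeps this
    # idempotent; modprinc is applied on every run, so older accounts
    # pick up the current -maxlife when they are re-created.
    sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
    sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"

    # pts cu fails if the entry already exists; that is fine.
    pts cu "$NEWUSER" || true
}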
73 | ||
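function create_pts_user_daemon () {
    # Create additional Kerberos principals ($user/daemon for now, in
    # theory also $user/mail, $user/cgi) and pts users for any used to
    # gain AFS access ($user.daemon only).  The principal is
    # $user/daemon while the pts entry -- and the keytab file name in
    # export_user_keytabs -- is $user.daemon (the usual AFS mapping of
    # '/' to '.').
    #
    # $NEWUSER goes unquoted into the kadmin query; it is assumed to
    # have been validated as a plain name before this library was
    # sourced.
    sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
    pts cu "$NEWUSER.daemon" || true
}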
82 | ||
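function export_user_keytabs () {
    # Export the user's daemon key to a keytab file and copy it to the
    # nodes that run code on the member's behalf.

    # This is suboptimal, we need to generate keytabs for
    # cgi/mail/etc. separately, and only sync to the nodes that
    # perform the services in question.

    local keytab="/etc/keytabs/user.daemon/$NEWUSER"
    local node

    # create a daemon keytab (used by /etc/exim4/get-token) *only* if
    # it does not exist!  ktadd generates a fresh random key (bumping
    # the kvno), so re-running it would silently invalidate every copy
    # already deployed on the nodes below.
    test -e "$keytab" || \
        sudo kadmin.local -p root/admin -q "ktadd -k $keytab $NEWUSER/daemon@HCOOP.NET"

    # Properly chown/mod keytab files (must be $NEWUSER:www-data).
    # NOTE(review): mode 440 with group www-data means any process
    # running in the web server's group can read every member's daemon
    # key.  That is the current design (the fastcgi wrapper runs
    # k5start on it); keep it in mind when changing web-server
    # privileges.
    sudo chown "$NEWUSER:www-data" "$keytab"
    sudo chmod 440 "$keytab"

    # rsync keytabs -- only needed on nodes that will run code on
    # behalf of members.  fixme: this is a second copy of the host
    # list in execute_on_all_machines (minus outpost).
    # tar -p preserves the 440 mode on the far side; the remote sudo
    # is what lets us write into its /etc/keytabs.  The cd is guarded
    # so a missing /etc/keytabs does not make tar archive whatever
    # happens to be in the current directory.
    for node in marsh minsky shelob; do
        (cd /etc/keytabs || exit 1
         sudo tar clpf - "user.daemon/$NEWUSER" | \
             ssh "$node.hcoop.net" 'cd /etc/keytabs; sudo tar xlpf -')
    done
}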
113 | ||
114 | ||
115 | # | |
116 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) | |
117 | # | |
118 | ||
# Each function that creates an afs volume should ensure that the
# backup volume is created and mounted for users.  (As written, the
# functions below only create the `.backup` mount points with `fs mkm`;
# no `vos backup` is run anywhere in this file, so the backup volumes
# themselves are presumably produced by a separate job.)
121 | ||
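function create_home_volume () {
    # Create (or reactivate) the user's home volume, mount it at
    # $HOMEPATH with the standard ACLs, and mount its backup volume.
    local vol="user.$NEWUSER"

    # A deactivated account's volume is kept around as user.$NEWUSER.d;
    # bring it back instead of creating an empty one.
    if vos examine "$vol.d" 2>/dev/null; then
        echo "Reactivating old volume ($vol.d)"
        vos rename "$vol.d" "$vol"
    fi
    vos examine "$vol" 2>/dev/null || \
        vos create gibran.hcoop.net /vicepa "$vol" -maxquota 10000000

    mkdir -p "$(dirname "$HOMEPATH")"
    # Skip the mount if it is already there, or if $HOMEPATH is a
    # symlink (older layouts).
    fs ls "$HOMEPATH" || test -L "$HOMEPATH" || fs mkm "$HOMEPATH" "$vol"
    chown "$NEWUSER:nogroup" "$HOMEPATH"
    fs sa "$HOMEPATH" "$NEWUSER" all
    # 'l' (lookup only) for anyuser: unauthenticated clients may
    # traverse the home directory to reach the sub-directories that
    # grant them more (e.g. .public), but cannot list or read it.
    fs sa "$HOMEPATH" system:anyuser l
    # cleanliness / needed to keep suphp happy
    chown root:root "$HOMEPATH/../../"
    chown root:root "$HOMEPATH/../"

    # backup volume: only the mount point is created here; nothing in
    # this file runs `vos backup`, so user.$NEWUSER.backup is presumably
    # produced by a separate job -- until it exists this mount point
    # dangles.
    mkdir -p "$(dirname "/afs/hcoop.net/.old/user/$PATHBITS")"
    fs ls "/afs/hcoop.net/.old/user/$PATHBITS" || \
        fs mkm "/afs/hcoop.net/.old/user/$PATHBITS" "$vol.backup"
}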
145 | ||
146 | ||
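function create_mail_volume () {
    # Create (or reactivate) the user's mail volume, mount it both at
    # $MAILPATH and as $HOMEPATH/Maildir, seed the Maildir layout and
    # welcome message, and mount its backup volume.
    local vol="mail.$NEWUSER"
    local pattern file

    if vos examine "$vol.d" 2>/dev/null; then
        echo "Reactivating old volume ($vol.d)"
        vos rename "$vol.d" "$vol"
    fi
    vos examine "$vol" 2>/dev/null || \
        vos create gibran.hcoop.net /vicepa "$vol" -maxquota 10000000

    # The same volume is mounted twice: the canonical delivery path
    # under common/email and the user-visible ~/Maildir.
    mkdir -p "$(dirname "$MAILPATH")"
    fs ls "$MAILPATH" || fs mkm "$MAILPATH" "$vol"
    fs ls "$HOMEPATH/Maildir" || fs mkm "$HOMEPATH/Maildir" "$vol"
    chown "$NEWUSER:nogroup" "$MAILPATH"
    chown "$NEWUSER:nogroup" "$HOMEPATH/Maildir"
    fs sa "$MAILPATH" "$NEWUSER" all
    # $NEWUSER.daemon gets full rights so the delivery side, running
    # with the daemon keytab, can write into the store.
    fs sa "$MAILPATH" "$NEWUSER.daemon" all

    # First-time setup only: lay out the Maildir and send the welcome
    # mail.  Guarded on new/ so re-creating an account does not mail
    # the member again.
    if test ! -e "$MAILPATH/new"; then
        mkdir -p "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"
        echo -e "This email account is provided as a service for HCoop members." \
             "\n\nTo learn how to use it, please visit the page" \
             "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
            mail -s "Welcome to your HCoop email store" \
                 -e -a "From: postmaster@hcoop.net" \
                 "real-$NEWUSER@hcoop.net"
    fi

    chown "$NEWUSER:nogroup" "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"

    # Set up shared SpamAssassin folder
    if test -f "$HOMEPATH/Maildir/shared-maildirs"; then
        # Deal with case where user rsync'd their Maildir from fyodor
        # Not an issue now, but harmless and can be adapted when we
        # move the spamd dirs into afs where they belong later.
        pattern='^SpamAssassin /home/spamd'
        file=$HOMEPATH/Maildir/shared-maildirs
        # The pattern contains a space, so it MUST be quoted here.
        # Unquoted, grep took '^SpamAssassin' as the pattern and
        # '/home/spamd' as an extra file to search, and so matched any
        # SpamAssassin line regardless of its path.
        if grep -q "$pattern" "$file"; then
            sed -i -r -e \
                's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
                "$file"
        fi
    else
        maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
            "$HOMEPATH/Maildir"
    fi

    # backup volume: mount point only -- no `vos backup` is run here,
    # so mail.$NEWUSER.backup is presumably produced elsewhere.
    mkdir -p "$(dirname "/afs/hcoop.net/.old/mail/$PATHBITS")"
    fs ls "/afs/hcoop.net/.old/mail/$PATHBITS" || \
        fs mkm "/afs/hcoop.net/.old/mail/$PATHBITS" "$vol.backup"
    # Publish the new mount point via the replicated 'old' volume.
    vos release old
}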
198 | ||
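function seed_user_hcoop_directories () {
    # Additional standard directories. Some of these should probably
    # be on their own volumes, and access via a canonical path instead
    # to give users more control over their home dir without risking
    # breaking system services.
    #
    # Everything except public_html is re-applied on every run, so
    # tightening an ACL here propagates to existing members the next
    # time they are re-created.

    # Apache logs: the daemon principal writes them, webalizer reads.
    mkdir -p "$HOMEPATH/.logs"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.logs"
    mkdir -p "$HOMEPATH/.logs/apache"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.logs/apache"
    fs sa "$HOMEPATH/.logs/apache" "$NEWUSER.daemon" rlwidk
    fs sa "$HOMEPATH/.logs/apache" webalizer read
    mkdir -p "$HOMEPATH/.logs/mail"
    fs sa "$HOMEPATH/.logs/mail" "$NEWUSER.daemon" rlwidk
    chown "$NEWUSER:nogroup" "$HOMEPATH/.logs/mail"

    # public_html: created once and then left alone, so members may
    # manage its ACL themselves.  anyuser is explicitly set to 'none'
    # (the home dir grants it 'l'); only the daemon principal reads.
    test -e "$HOMEPATH/public_html" || \
        (mkdir -p "$HOMEPATH/public_html"; \
         chown "$NEWUSER:nogroup" "$HOMEPATH/public_html"; \
         fs sa "$HOMEPATH/public_html" system:anyuser none; \
         fs sa "$HOMEPATH/public_html" "$NEWUSER.daemon" rl)

    # .procmail.d
    # NOTE(review): system:anyuser rl makes a member's filter rules
    # readable by every AFS client, authenticated or not.  The mail
    # store itself is opened to $NEWUSER.daemon (create_mail_volume)
    # rather than to anyuser; confirm the delivery path still needs
    # anonymous read here, and grant $NEWUSER.daemon rl instead if not.
    mkdir -p "$HOMEPATH/.procmail.d"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.procmail.d"
    fs sa "$HOMEPATH/.procmail.d" system:anyuser rl

    # .public: intentionally world-readable.
    mkdir -p "$HOMEPATH/.public/"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.public"
    fs sa "$HOMEPATH/.public" system:anyuser rl

    # .domtool lives inside .public (a new AFS directory copies its
    # parent's ACL, so it is world-readable too) and is reached through
    # a symlink from the home dir.  Both the symlink and its chown are
    # done from the domtool server -- the chown there is a work around
    # for sudo env_reset crap without having to actually figure out
    # how to make it work cleanly -- clinton, 2011-11-30.  Remember
    # that execute_on_domtool_server's arguments are re-parsed by the
    # remote login shell.
    mkdir -p "$HOMEPATH/.public/.domtool"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.public/.domtool"
    test -e "$HOMEPATH/.domtool" || \
        test -L "$HOMEPATH/.domtool" || \
        execute_on_domtool_server ln -s "$HOMEPATH/.public/.domtool" "$HOMEPATH/.domtool"
    execute_on_domtool_server chown "$NEWUSER" "$HOMEPATH/.domtool"
}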
244 | ||
245 | # | |
246 | # Non-AFS files and directories | |
247 | # | |
248 | ||
# Make the per-user apache DAV lock directory on the web nodes.  The
# directory must be both user and group-writable (ug=rwx, nothing for
# others), which is silly but is what is required here.  Each step is
# its own remote invocation; mkdir -p keeps a re-run harmless.
function create_dav_locks () {
    local lockdir="/var/lock/apache2/dav/$NEWUSER"
    execute_on_web_nodes sudo mkdir -p "$lockdir"
    execute_on_web_nodes sudo chown "$NEWUSER:www-data" "$lockdir"
    execute_on_web_nodes sudo chmod ug=rwx,o= "$lockdir"
}
256 | ||
# Create the member's database accounts via the helper script.
# NOTE(review): the helper is run as root straight out of AFS, so root
# here trusts everyone with write access to
# /afs/hcoop.net/common/etc/scripts -- keep that directory's ACL
# limited to administrators.
function setup_user_databases () {
    local helper=/afs/hcoop.net/common/etc/scripts/create-user-database
    sudo "$helper" "$NEWUSER"
}
260 | ||
261 | # | |
262 | # etc | |
263 | # | |
264 | ||
# Register the member with domtool on the domtool server.  The remote
# login shell re-parses the arguments, so $NEWUSER must be a plain
# name with no shell metacharacters.
function enable_domtool () {
    execute_on_domtool_server domtool-adduser "$NEWUSER"
}
268 | ||
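function subscribe_to_lists () {
    # Subscribe user to our mailing lists.  add_members -r - reads the
    # regular-member addresses from stdin; mailman presumably rejects
    # an address that is already subscribed, which keeps this
    # idempotent.  The fully-qualified host name is used like every
    # other ssh call in this file, so host-key and GSSAPI lookups
    # resolve the same way.
    echo "$NEWUSER@hcoop.net" | ssh -K minsky.hcoop.net sudo -u list \
        /var/lib/mailman/bin/add_members -r - hcoop-announce
}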
275 | ||
# Make the volume-location database and the file servers agree after
# the volume changes above, then push the new mount points out to the
# clients.
function ensure_afs_servers_synced () {
    local fileserver

    # The .old mount points were added to the replicated 'old' volume;
    # release it so the read-only copies see them.
    vos release old

    # technically this might not be necessary, but for good measure...
    # (This is the AFS file-server list; it is independent of the host
    # list in execute_on_all_machines.)
    for fileserver in gibran lovelace; do
        vos syncserv "$fileserver"
        vos syncvldb "$fileserver"
    done

    # refresh volume location cache (takes ~2hrs otherwise)
    execute_on_all_machines fs checkvolumes
}
289 | ||
290 | # | |
291 | # webserver | |
292 | # | |
293 | ||
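function create_fcgi_wrapper () {
    # Write the per-member fastcgi wrapper: a tiny script that runs
    # whatever the web server hands it under k5start with the member's
    # daemon keytab.  note: might want to move this to domtool-adduser
    local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
    local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"

    mkdir -p "$wrapper_dir"

    # Both the directory and the wrapper end up owned by the member
    # (below), and this function is re-run for existing accounts.  Do
    # not let `cat >` follow a symlink the member may have placed where
    # the wrapper should be -- with our AFS tokens that would overwrite
    # an arbitrary file.  The check-then-write window is small but not
    # zero; keeping wrapper_dir root-owned would close it entirely.
    if test -L "$wrapper"; then
        echo "refusing to write through symlink $wrapper" >&2
        return 1
    fi

    # k5start(1): -q quiet, -t also obtain an AFS token, -U take the
    # principal from the keytab, -f keytab path.  "\$@" is quoted so
    # arguments containing spaces reach the real handler intact; the
    # previous unquoted \$@ re-split them.
    cat > "$wrapper" <<EOF
#!/bin/bash

exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- "\$@"
EOF

    chmod +x "$wrapper"
    chown "$NEWUSER:nogroup" "$wrapper"
    chown "$NEWUSER:nogroup" "$wrapper_dir"
}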