[hcoop/scripts.git] / lib / create-user-lib.sh

# -*- sh-mode -*-

# Library functions for create-user scripts
# Export the $NEWUSER variable before sourcing!

# Functionality is split so that the scripts for creating real users,
# service users, and web service users can share as much code as
# possible.

# This has probably grown to the point where it shouldn't be a shell
# script any more.

# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
# something that should be perfectly permissible, and is something
# that we do somewhat regularly (to bring old accounts up to date).

export PATH=$PATH:/afs/hcoop.net/common/bin/

if test -z "$NEWUSER"; then
	echo "NEWUSER not set before sourcing create user library"
	exit 1
fi

#
# Construct various paths for later perusal.
#

# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
PATHBITS=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS

#
# Helper functions
#

function execute_on_web_nodes () {
    ssh -K shelob.hcoop.net $*
}

function execute_on_domtool_server () {
    ssh -K gibran.hcoop.net $*
}


function execute_on_all_machines () {
    $*
    ssh -K marsh.hcoop.net $*
    ssh -K minsky.hcoop.net $*
    ssh -K shelob.hcoop.net $*
    ssh -K outpost.hcoop.net $*
}

#
# User credentials
#

function create_pts_user () {
    # Create primary user kerberos principle and afs pts user

    # We use -randkey for user's main principal as well, to make sure
    # that the creation process does not continue without having a
    # main principal. (But you who want to set password for a user,
    # don't worry - we'll invoke cpw later, so that it has the same
    # effect as setting password right now - while it is more error
    # tolerant).

    sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
    sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"

    pts cu $NEWUSER || true
}

function create_pts_user_daemon () {

    # Create additional kerberos principles ($user.daemon for now, in
    # theory also $user.mail, $user.cgi) and pts users for any used to
    # gain afs access ($user.daemon only)
    sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
    pts cu $NEWUSER.daemon || true
}

function export_user_keytabs () {

    # Export .mailfilter and .cgi keys to a keytab file

    # This is suboptimal, we need to generate keytabs for
    # cgi/mail/etc. separately, and only sync to the nodes that
    # perform the services in question

    # create a daemon keytab (used by /etc/exim4/get-token)
    # *only* if it does not exist!
    test -e /etc/keytabs/user.daemon/$NEWUSER || \
	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"

    # Properly chown/mod keytab files (must be $NEWUSER:www-data)
    sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
    sudo chmod 440            /etc/keytabs/user.daemon/$NEWUSER

    # rsync keytabs
    # only needed on nodes that will run code on behalf of members
    # fixme: duplicates all server list
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh marsh.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh minsky.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh shelob.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
}


#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
#

# Each function that creates an afs volume should ensure that the
# backup volume is created and mounted for users.

function create_home_volume () {

    if vos examine user.$NEWUSER.d 2>/dev/null; then
	echo "Reactivating old volume (user.$NEWUSER.d)"
	vos rename user.$NEWUSER.d user.$NEWUSER
    fi
    vos examine user.$NEWUSER 2>/dev/null || \
	vos create gibran.hcoop.net /vicepa user.$NEWUSER -maxquota 10000000

    mkdir -p `dirname $HOMEPATH`
    fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$NEWUSER
    chown $NEWUSER:nogroup $HOMEPATH
    fs sa $HOMEPATH $NEWUSER            all
    fs sa $HOMEPATH system:anyuser   l
    # cleanliness / needed to keep suphp happy
    chown root:root $HOMEPATH/../../
    chown root:root $HOMEPATH/../
    
    # backup volume
    mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
    fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
	fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
}


function create_mail_volume () {

    if vos examine mail.$NEWUSER.d 2>/dev/null; then
	echo "Reactivating old volume (mail.$NEWUSER.d)"
	vos rename mail.$NEWUSER.d mail.$NEWUSER
    fi
    vos examine mail.$NEWUSER 2>/dev/null || \
	vos create gibran.hcoop.net /vicepa mail.$NEWUSER -maxquota 10000000
    
    mkdir -p `dirname $MAILPATH`
    fs ls $MAILPATH || fs mkm $MAILPATH         mail.$NEWUSER
    fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$NEWUSER
    chown $NEWUSER:nogroup $MAILPATH
    chown $NEWUSER:nogroup $HOMEPATH/Maildir
    fs sa $MAILPATH $NEWUSER        all
    fs sa $MAILPATH $NEWUSER.daemon all

    if test ! -e $MAILPATH/new; then
	mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
	echo -e "This email account is provided as a service for HCoop members." \
            "\n\nTo learn how to use it, please visit the page" \
            "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
            mail -s "Welcome to your HCoop email store" \
            -e -a "From: postmaster@hcoop.net" \
            real-$NEWUSER@hcoop.net
    fi

    chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp

    # Set up shared SpamAssassin folder
    if test -f $HOMEPATH/Maildir/shared-maildirs; then
        # Deal with case where user rsync'd their Maildir from fyodor
        # Not an issue now, but harmless and can be adapted when we
        # move the spamd dirs into afs where they belong later.
	pattern='^SpamAssassin	/home/spamd'
	file=$HOMEPATH/Maildir/shared-maildirs
	if grep $pattern $file; then
            sed -i -r -e \
		's!^(SpamAssassin	)/home/spamd!\1/var/local/lib/spamd!1' \
		$file
	fi
    else
	maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
            $HOMEPATH/Maildir
    fi

    mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
    fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
	fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
    vos release old
}

function seed_user_hcoop_directories () {
    # Additional standard directories. Some of these should probably
    # be on their own volumes, and access via a canonical path instead
    # to give users more control over their home dir without risking
    # breaking system services.

    # Apache logs
    mkdir -p $HOMEPATH/.logs
    chown $NEWUSER:nogroup $HOMEPATH/.logs
    mkdir -p $HOMEPATH/.logs/apache
    chown $NEWUSER:nogroup $HOMEPATH/.logs/apache
    fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk
    fs sa $HOMEPATH/.logs/apache webalizer read
    mkdir -p $HOMEPATH/.logs/mail
    fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk
    chown $NEWUSER:nogroup $HOMEPATH/.logs/mail

    # public_html
    test -e $HOMEPATH/public_html || \
	(mkdir -p $HOMEPATH/public_html; \
	chown $NEWUSER:nogroup $HOMEPATH/public_html; \
	fs sa $HOMEPATH/public_html system:anyuser none; \
	fs sa $HOMEPATH/public_html $NEWUSER.daemon rl)

    # .procmail.d
    mkdir -p $HOMEPATH/.procmail.d
    chown $NEWUSER:nogroup $HOMEPATH/.procmail.d
    fs sa $HOMEPATH/.procmail.d system:anyuser rl

    # .public
    mkdir -p $HOMEPATH/.public/
    chown $NEWUSER:nogroup $HOMEPATH/.public
    fs sa $HOMEPATH/.public system:anyuser rl

    # .domtool
    mkdir -p $HOMEPATH/.public/.domtool
    chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool
    test -e $HOMEPATH/.domtool || \
	test -L $HOMEPATH/.domtool || \
        execute_on_domtool_server ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
        execute_on_domtool_server chown $NEWUSER $HOMEPATH/.domtool 
        # ^^ work around sudo env_reset crap without having to
        # actually figure out how to make it work cleanly -- clinton,
        # 2011-11-30
}

#
# Non-AFS files and directories
#

function create_dav_locks () {
    # Make per-user apache DAV lock directory -- the directory must be
    # both user and group-writable, which is silly.
    execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$NEWUSER
    execute_on_web_nodes sudo chown $NEWUSER:www-data /var/lock/apache2/dav/$NEWUSER
    execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$NEWUSER
}

function setup_user_databases () {
    sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER
}

#
# etc
#

function enable_domtool () {
    execute_on_domtool_server domtool-adduser $NEWUSER
}

function subscribe_to_lists () {
    # Subscribe user to our mailing lists.

    echo $NEWUSER@hcoop.net | ssh -K minsky sudo -u list  \
	/var/lib/mailman/bin/add_members -r - hcoop-announce
}

function ensure_afs_servers_synced () {
    vos release old
    
    # technically this might not be necessary, but for good measure...
    local srv
    for srv in gibran lovelace; do
	vos syncserv $srv
	vos syncvldb $srv
    done
    
    # refresh volume location cache (takes ~2hrs otherwise)
    execute_on_all_machines fs checkvolumes
}

#
# webserver
#

function create_fcgi_wrapper () {
    # note: might want to move this to domtool-adduser
    local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
    local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
    mkdir -p $wrapper_dir
    cat > $wrapper <<EOF
#!/bin/bash

exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- \$@
EOF

    chmod +x $wrapper
    chown $NEWUSER:nogroup $wrapper
    chown $NEWUSER:nogroup $wrapper_dir
}
Commit	Line	Data
abfe84ca CE	1	# -- sh-mode --
	2
	3	# Library functions for create-user scripts
	4	# Export the $NEWUSER variable before sourcing!
	5
	6	# Functionality is split so that the scripts for creating real users,
	7	# service users, and web service users can share as much code as
	8	# possible.
	9
	10	# This has probably grown to the point where it shouldn't be a shell
	11	# script any more.
	12
	13	# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
	14	# something that should be perfectly permissible, and is something
	15	# that we do somewhat regularly (to bring old accounts up to date).
	16
	17	export PATH=$PATH:/afs/hcoop.net/common/bin/
	18
	19	if test -z "$NEWUSER"; then
	20	echo "NEWUSER not set before sourcing create user library"
	21	exit 1
	22	fi
	23
	24	#
	25	# Construct various paths for later perusal.
	26	#
	27
	28	# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
	29	PATHBITS=`echo $NEWUSER \| head -c 1`/`echo $NEWUSER \| head -c 2`/$NEWUSER
	30	HOMEPATH=/afs/hcoop.net/user/$PATHBITS
	31	MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
	32
	33	#
	34	# Helper functions
	35	#
	36
	37	function execute_on_web_nodes () {
6d76f213	38	ssh -K shelob.hcoop.net $*
abfe84ca CE	39	}
	40
	41	function execute_on_domtool_server () {
6d76f213	42	ssh -K gibran.hcoop.net $*
abfe84ca CE	43	}
	44
	45
	46	function execute_on_all_machines () {
	47	$*
6d76f213 CE	48	ssh -K marsh.hcoop.net $*
	49	ssh -K minsky.hcoop.net $*
	50	ssh -K shelob.hcoop.net $*
	51	ssh -K outpost.hcoop.net $*
abfe84ca CE	52	}
	53
	54	#
	55	# User credentials
	56	#
	57
	58	function create_pts_user () {
	59	# Create primary user kerberos principle and afs pts user
	60
	61	# We use -randkey for user's main principal as well, to make sure
	62	# that the creation process does not continue without having a
	63	# main principal. (But you who want to set password for a user,
	64	# don't worry - we'll invoke cpw later, so that it has the same
	65	# effect as setting password right now - while it is more error
	66	# tolerant).
	67
	68	sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
	69	sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"
	70
	71	pts cu $NEWUSER \|\| true
	72	}
	73
	74	function create_pts_user_daemon () {
	75
	76	# Create additional kerberos principles ($user.daemon for now, in
	77	# theory also $user.mail, $user.cgi) and pts users for any used to
	78	# gain afs access ($user.daemon only)
	79	sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
	80	pts cu $NEWUSER.daemon \|\| true
	81	}
	82
	83	function export_user_keytabs () {
	84
	85	# Export .mailfilter and .cgi keys to a keytab file
	86
	87	# This is suboptimal, we need to generate keytabs for
	88	# cgi/mail/etc. separately, and only sync to the nodes that
	89	# perform the services in question
	90
	91	# create a daemon keytab (used by /etc/exim4/get-token)
	92	# only if it does not exist!
	93	test -e /etc/keytabs/user.daemon/$NEWUSER \|\| \
	94	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"
	95
	96	# Properly chown/mod keytab files (must be $NEWUSER:www-data)
	97	sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
	98	sudo chmod 440 /etc/keytabs/user.daemon/$NEWUSER
	99
	100	# rsync keytabs
6d76f213 CE	101	# only needed on nodes that will run code on behalf of members
6d76f213 CE	102	# fixme: duplicates all server list
abfe84ca CE	103	(cd /etc/keytabs
abfe84ca CE	104	sudo tar clpf - user.daemon/$NEWUSER \| \
6d76f213	105	ssh marsh.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
abfe84ca CE	106	(cd /etc/keytabs
abfe84ca CE	107	sudo tar clpf - user.daemon/$NEWUSER \| \
6d76f213	108	ssh minsky.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
abfe84ca CE	109	(cd /etc/keytabs
abfe84ca CE	110	sudo tar clpf - user.daemon/$NEWUSER \| \
6d76f213	111	ssh shelob.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
abfe84ca CE	112	}
	113
	114
	115	#
	116	# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
	117	#
	118
	119	# Each function that creates an afs volume should ensure that the
	120	# backup volume is created and mounted for users.
	121
	122	function create_home_volume () {
	123
	124	if vos examine user.$NEWUSER.d 2>/dev/null; then
	125	echo "Reactivating old volume (user.$NEWUSER.d)"
	126	vos rename user.$NEWUSER.d user.$NEWUSER
	127	fi
	128	vos examine user.$NEWUSER 2>/dev/null \|\| \
9aa22d85	129	vos create gibran.hcoop.net /vicepa user.$NEWUSER -maxquota 10000000
abfe84ca CE	130
	131	mkdir -p `dirname $HOMEPATH`
	132	fs ls $HOMEPATH \|\| test -L $HOMEPATH \|\| fs mkm $HOMEPATH user.$NEWUSER
	133	chown $NEWUSER:nogroup $HOMEPATH
	134	fs sa $HOMEPATH $NEWUSER all
	135	fs sa $HOMEPATH system:anyuser l
	136	# cleanliness / needed to keep suphp happy
	137	chown root:root $HOMEPATH/../../
	138	chown root:root $HOMEPATH/../
	139
	140	# backup volume
	141	mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
	142	fs ls /afs/hcoop.net/.old/user/$PATHBITS \|\| \
	143	fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
	144	}
	145
	146
	147	function create_mail_volume () {
	148
	149	if vos examine mail.$NEWUSER.d 2>/dev/null; then
	150	echo "Reactivating old volume (mail.$NEWUSER.d)"
	151	vos rename mail.$NEWUSER.d mail.$NEWUSER
	152	fi
	153	vos examine mail.$NEWUSER 2>/dev/null \|\| \
9aa22d85	154	vos create gibran.hcoop.net /vicepa mail.$NEWUSER -maxquota 10000000
abfe84ca CE	155
	156	mkdir -p `dirname $MAILPATH`
	157	fs ls $MAILPATH \|\| fs mkm $MAILPATH mail.$NEWUSER
	158	fs ls $HOMEPATH/Maildir \|\| fs mkm $HOMEPATH/Maildir mail.$NEWUSER
	159	chown $NEWUSER:nogroup $MAILPATH
	160	chown $NEWUSER:nogroup $HOMEPATH/Maildir
	161	fs sa $MAILPATH $NEWUSER all
	162	fs sa $MAILPATH $NEWUSER.daemon all
	163
	164	if test ! -e $MAILPATH/new; then
	165	mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
	166	echo -e "This email account is provided as a service for HCoop members." \
	167	"\n\nTo learn how to use it, please visit the page" \
	168	"\n<http://wiki.hcoop.net/MemberManual/Email> on our website."\| \
	169	mail -s "Welcome to your HCoop email store" \
	170	-e -a "From: postmaster@hcoop.net" \
6d76f213	171	real-$NEWUSER@hcoop.net
abfe84ca CE	172	fi
	173
	174	chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
	175
	176	# Set up shared SpamAssassin folder
	177	if test -f $HOMEPATH/Maildir/shared-maildirs; then
	178	# Deal with case where user rsync'd their Maildir from fyodor
	179	# Not an issue now, but harmless and can be adapted when we
	180	# move the spamd dirs into afs where they belong later.
	181	pattern='^SpamAssassin /home/spamd'
	182	file=$HOMEPATH/Maildir/shared-maildirs
	183	if grep $pattern $file; then
	184	sed -i -r -e \
	185	's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
	186	$file
	187	fi
	188	else
6d76f213	189	maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
abfe84ca CE	190	$HOMEPATH/Maildir
	191	fi
	192
	193	mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
	194	fs ls /afs/hcoop.net/.old/mail/$PATHBITS \|\| \
	195	fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
	196	vos release old
	197	}
	198
	199	function seed_user_hcoop_directories () {
	200	# Additional standard directories. Some of these should probably
	201	# be on their own volumes, and access via a canonical path instead
	202	# to give users more control over their home dir without risking
	203	# breaking system services.
	204
	205	# Apache logs
	206	mkdir -p $HOMEPATH/.logs
	207	chown $NEWUSER:nogroup $HOMEPATH/.logs
	208	mkdir -p $HOMEPATH/.logs/apache
	209	chown $NEWUSER:nogroup $HOMEPATH/.logs/apache
	210	fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk
e26d1812	211	fs sa $HOMEPATH/.logs/apache webalizer read
abfe84ca CE	212	mkdir -p $HOMEPATH/.logs/mail
	213	fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk
	214	chown $NEWUSER:nogroup $HOMEPATH/.logs/mail
	215
	216	# public_html
	217	test -e $HOMEPATH/public_html \|\| \
	218	(mkdir -p $HOMEPATH/public_html; \
	219	chown $NEWUSER:nogroup $HOMEPATH/public_html; \
	220	fs sa $HOMEPATH/public_html system:anyuser none; \
	221	fs sa $HOMEPATH/public_html $NEWUSER.daemon rl)
	222
	223	# .procmail.d
	224	mkdir -p $HOMEPATH/.procmail.d
	225	chown $NEWUSER:nogroup $HOMEPATH/.procmail.d
	226	fs sa $HOMEPATH/.procmail.d system:anyuser rl
	227
	228	# .public
	229	mkdir -p $HOMEPATH/.public/
	230	chown $NEWUSER:nogroup $HOMEPATH/.public
	231	fs sa $HOMEPATH/.public system:anyuser rl
	232
	233	# .domtool
	234	mkdir -p $HOMEPATH/.public/.domtool
	235	chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool
	236	test -e $HOMEPATH/.domtool \|\| \
	237	test -L $HOMEPATH/.domtool \|\| \
39aa6e0c	238	execute_on_domtool_server ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
39aa6e0c	239	execute_on_domtool_server chown $NEWUSER $HOMEPATH/.domtool
abfe84ca CE	240	# ^^ work around sudo env_reset crap without having to
	241	# actually figure out how to make it work cleanly -- clinton,
	242	# 2011-11-30
abfe84ca CE	243	}
	244
	245	#
	246	# Non-AFS files and directories
	247	#
	248
	249	function create_dav_locks () {
	250	# Make per-user apache DAV lock directory -- the directory must be
	251	# both user and group-writable, which is silly.
	252	execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$NEWUSER
	253	execute_on_web_nodes sudo chown $NEWUSER:www-data /var/lock/apache2/dav/$NEWUSER
	254	execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$NEWUSER
	255	}
	256
	257	function setup_user_databases () {
	258	sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER
	259	}
	260
	261	#
	262	# etc
	263	#
	264
	265	function enable_domtool () {
	266	execute_on_domtool_server domtool-adduser $NEWUSER
	267	}
	268
	269	function subscribe_to_lists () {
	270	# Subscribe user to our mailing lists.
	271
6d76f213	272	echo $NEWUSER@hcoop.net \| ssh -K minsky sudo -u list \
abfe84ca CE	273	/var/lib/mailman/bin/add_members -r - hcoop-announce
	274	}
	275
	276	function ensure_afs_servers_synced () {
	277	vos release old
	278
	279	# technically this might not be necessary, but for good measure...
6d76f213	280	local srv
6c8ee94d	281	for srv in gibran lovelace; do
6d76f213 CE	282	vos syncserv $srv
	283	vos syncvldb $srv
	284	done
abfe84ca CE	285
	286	# refresh volume location cache (takes ~2hrs otherwise)
	287	execute_on_all_machines fs checkvolumes
447125c3 CE	288	}
	289
	290	#
	291	# webserver
	292	#
	293
	294	function create_fcgi_wrapper () {
	295	# note: might want to move this to domtool-adduser
6d76f213 CE	296	local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
	297	local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
	298	mkdir -p $wrapper_dir
447125c3 CE	299	cat > $wrapper <<EOF
	300	#!/bin/bash
	301
6d76f213	302	exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- \$@
447125c3 CE	303	EOF
	304
	305	chmod +x $wrapper
	306	chown $NEWUSER:nogroup $wrapper
6d76f213	307	chown $NEWUSER:nogroup $wrapper_dir
447125c3	308	}