1 | # -*- sh-mode -*- |
2 | ||
3 | # Library functions for create-user scripts | |
4 | # Export the $NEWUSER variable before sourcing! | |
5 | ||
6 | # Functionality is split so that the scripts for creating real users, | |
7 | # service users, and web service users can share as much code as | |
8 | # possible. | |
9 | ||
10 | # This has probably grown to the point where it shouldn't be a shell | |
11 | # script any more. | |
12 | ||
13 | # ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! Re-creating a user is | |
14 | # something that should be perfectly permissible, and is something | |
15 | # that we do somewhat regularly (to bring old accounts up to date). | |
16 | ||
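export PATH=$PATH:/afs/hcoop.net/common/bin/

# The caller must export NEWUSER before sourcing this library; every
# path, volume name and principal below is derived from it.
if test -z "$NEWUSER"; then
    echo "NEWUSER not set before sourcing create user library"
    exit 1
fi

# NEWUSER is spliced into AFS paths, Kerberos principal names and remote
# command lines, so refuse values that cannot form a single path
# component or that pts/kadmin would parse as an option.
case $NEWUSER in
    */*|*[[:space:]]*|-*|.*)
        echo "NEWUSER '$NEWUSER' contains a slash, whitespace or a leading '-'/'.'; refusing to continue"
        exit 1
        ;;
esac

#
# Construct various paths for later perusal.
#

# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
# printf rather than echo so a name is never mistaken for an echo option.
PATHBITS=$(printf '%s' "$NEWUSER" | head -c 1)/$(printf '%s' "$NEWUSER" | head -c 2)/$NEWUSER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS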
32 | ||
33 | # | |
34 | # Helper functions | |
35 | # | |
36 | ||
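function execute_on_web_nodes () {
    # Run the given command on the web node.  "$@" passes each argument
    # through intact; an unquoted $* would let the local shell glob and
    # re-split them before ssh ever sees them.
    ssh -K shelob.hcoop.net "$@"
}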
40 | ||
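function execute_on_domtool_server () {
    # Run the given command on the domtool server.  "$@" keeps the
    # arguments intact instead of re-splitting them locally as $* would.
    ssh -K gibran.hcoop.net "$@"
}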
44 | ||
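function execute_on_mail_nodes () {
    # Run the given command on the mail node.  "$@" keeps the arguments
    # intact instead of re-splitting them locally as $* would.
    ssh -K minsky.hcoop.net "$@"
}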
48 | |
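function execute_on_all_machines () {
    # Run the given command locally and then on every node, in the same
    # order as before.  "$@" keeps each argument intact; the remote shell
    # still re-parses the joined command line as it always did.
    "$@"
    local host
    for host in marsh minsky shelob lovelace outpost; do
        ssh -K "$host.hcoop.net" "$@"
    done
}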
57 | ||
58 | # | |
59 | # User credentials | |
60 | # | |
61 | ||
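function create_pts_user () {
    # Create primary user kerberos principal and afs pts user

    # We use -randkey for user's main principal as well, to make sure
    # that the creation process does not continue without having a
    # main principal. (But you who want to set password for a user,
    # don't worry - we'll invoke cpw later, so that it has the same
    # effect as setting password right now - while it is more error
    # tolerant).

    sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
    sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"

    # pts cu fails when the entry already exists; that is the normal
    # re-run case, so it is not treated as an error.
    pts cu "$NEWUSER" || true
}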
77 | ||
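function create_pts_user_daemon () {

    # Create additional kerberos principals ($user.daemon for now, in
    # theory also $user.mail, $user.cgi) and pts users for any used to
    # gain afs access ($user.daemon only)
    sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
    # An existing pts entry makes pts cu fail; that is the re-run case.
    pts cu "$NEWUSER.daemon" || true
}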
86 | ||
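function export_user_keytabs () {

    # Export the user's daemon key to a keytab file and copy it to the
    # nodes that run code on the member's behalf.

    # This is suboptimal, we need to generate keytabs for
    # cgi/mail/etc. separately, and only sync to the nodes that
    # perform the services in question
    local keytab="/etc/keytabs/user.daemon/$NEWUSER"

    # create a daemon keytab (used by /etc/exim4/get-token)
    # *only* if it does not exist!  ktadd re-randomizes the key, which
    # would invalidate every copy already distributed to the nodes.
    test -e "$keytab" || \
        sudo kadmin.local -p root/admin -q "ktadd -k $keytab $NEWUSER/daemon@HCOOP.NET"

    # Properly chown/mod keytab files (must be $NEWUSER:www-data);
    # 440 keeps the key readable only by the member and the web server group.
    sudo chown "$NEWUSER:www-data" "$keytab"
    sudo chmod 440 "$keytab"

    # rsync keytabs
    # only needed on nodes that will run code on behalf of members
    # One host list replaces the three copies of the same pipeline; the
    # cd is chained with && so tar never runs from the wrong directory.
    local host
    for host in marsh minsky shelob; do
        (cd /etc/keytabs && \
            sudo tar clpf - "user.daemon/$NEWUSER" | \
            ssh "$host.hcoop.net" "cd /etc/keytabs; sudo tar xlpf -")
    done
}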
117 | ||
118 | ||
119 | # | |
120 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) | |
121 | # | |
122 | ||
123 | # Each function that creates an afs volume should ensure that the | |
124 | # backup volume is created and mounted for users. | |
125 | ||
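function create_home_volume () {

    # Create (or reactivate) the user's home volume, mount it at
    # $HOMEPATH and add the .old mount point for its backup volume.

    # A user.<name>.d volume is presumably what deactivation leaves
    # behind; bring it back rather than creating an empty one.
    if vos examine "user.$NEWUSER.d" 2>/dev/null; then
        echo "Reactivating old volume (user.$NEWUSER.d)"
        vos rename "user.$NEWUSER.d" "user.$NEWUSER"
    fi
    vos examine "user.$NEWUSER" 2>/dev/null || \
        vos create gibran.hcoop.net /vicepa "user.$NEWUSER" -maxquota 10000000

    mkdir -p "$(dirname "$HOMEPATH")"
    # Mount only if neither a mount point nor a symlink is already there.
    fs ls "$HOMEPATH" || test -L "$HOMEPATH" || fs mkm "$HOMEPATH" "user.$NEWUSER"
    chown "$NEWUSER:nogroup" "$HOMEPATH"
    fs sa "$HOMEPATH" "$NEWUSER" all
    fs sa "$HOMEPATH" system:anyuser l
    # cleanliness / needed to keep suphp happy
    chown root:root "$HOMEPATH/../../"
    chown root:root "$HOMEPATH/../"

    # backup volume
    # NOTE(review): only the mount point is created here; the
    # user.<name>.backup volume itself is assumed to exist already.
    local backup_mount="/afs/hcoop.net/.old/user/$PATHBITS"
    mkdir -p "$(dirname "$backup_mount")"
    fs ls "$backup_mount" || \
        fs mkm "$backup_mount" "user.$NEWUSER.backup"
}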
149 | ||
150 | ||
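function create_mail_volume () {

    # Create (or reactivate) the user's mail volume, mount it at both
    # $MAILPATH and $HOMEPATH/Maildir, seed the Maildir on first creation
    # and wire up the shared SpamAssassin folder.

    if vos examine "mail.$NEWUSER.d" 2>/dev/null; then
        echo "Reactivating old volume (mail.$NEWUSER.d)"
        vos rename "mail.$NEWUSER.d" "mail.$NEWUSER"
    fi
    vos examine "mail.$NEWUSER" 2>/dev/null || \
        vos create gibran.hcoop.net /vicepa "mail.$NEWUSER" -maxquota 10000000

    mkdir -p "$(dirname "$MAILPATH")"
    fs ls "$MAILPATH" || fs mkm "$MAILPATH" "mail.$NEWUSER"
    fs ls "$HOMEPATH/Maildir" || fs mkm "$HOMEPATH/Maildir" "mail.$NEWUSER"
    chown "$NEWUSER:nogroup" "$MAILPATH"
    chown "$NEWUSER:nogroup" "$HOMEPATH/Maildir"
    fs sa "$MAILPATH" "$NEWUSER" all
    # presumably so delivery running as the daemon principal can write here
    fs sa "$MAILPATH" "$NEWUSER.daemon" all

    # Seed the Maildir and send the welcome message only on first creation,
    # so a re-run does not mail the member again.
    if test ! -e "$MAILPATH/new"; then
        mkdir -p "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"
        echo -e "This email account is provided as a service for HCoop members." \
            "\n\nTo learn how to use it, please visit the page" \
            "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
            mail -s "Welcome to your HCoop email store" \
                -e -a "From: postmaster@hcoop.net" \
                "real-$NEWUSER@hcoop.net"
    fi

    chown "$NEWUSER:nogroup" "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"

    # Set up shared SpamAssassin folder
    if test -f "$HOMEPATH/Maildir/shared-maildirs"; then
        # Deal with case where user rsync'd their Maildir from fyodor
        # Not an issue now, but harmless and can be adapted when we
        # move the spamd dirs into afs where they belong later.
        local pattern='^SpamAssassin /home/spamd'
        local file="$HOMEPATH/Maildir/shared-maildirs"
        # $pattern contains a space: unquoted it split into the pattern
        # '^SpamAssassin' plus a bogus extra operand /home/spamd, so the
        # check matched too broadly and grep complained about a directory.
        if grep "$pattern" "$file"; then
            sed -i -r -e \
                's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
                "$file"
        fi
    else
        maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
            "$HOMEPATH/Maildir"
    fi

    # backup volume mount point (the mail.<name>.backup volume itself is
    # assumed to exist already)
    local backup_mount="/afs/hcoop.net/.old/mail/$PATHBITS"
    mkdir -p "$(dirname "$backup_mount")"
    fs ls "$backup_mount" || \
        fs mkm "$backup_mount" "mail.$NEWUSER.backup"
    vos release old
}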
202 | ||
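function seed_user_hcoop_directories () {
    # Additional standard directories. Some of these should probably
    # be on their own volumes, and access via a canonical path instead
    # to give users more control over their home dir without risking
    # breaking system services.

    # Apache logs: the daemon principal writes them, webalizer reads them.
    mkdir -p "$HOMEPATH/.logs"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.logs"
    mkdir -p "$HOMEPATH/.logs/apache"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.logs/apache"
    fs sa "$HOMEPATH/.logs/apache" "$NEWUSER.daemon" rlwidk
    fs sa "$HOMEPATH/.logs/apache" webalizer read
    mkdir -p "$HOMEPATH/.logs/mail"
    fs sa "$HOMEPATH/.logs/mail" "$NEWUSER.daemon" rlwidk
    chown "$NEWUSER:nogroup" "$HOMEPATH/.logs/mail"

    # public_html -- created once only, so the member's own ACL changes
    # survive a re-run; system:anyuser gets nothing, the daemon gets rl.
    test -e "$HOMEPATH/public_html" || \
        (mkdir -p "$HOMEPATH/public_html"; \
         chown "$NEWUSER:nogroup" "$HOMEPATH/public_html"; \
         fs sa "$HOMEPATH/public_html" system:anyuser none; \
         fs sa "$HOMEPATH/public_html" "$NEWUSER.daemon" rl)

    # .procmail.d
    mkdir -p "$HOMEPATH/.procmail.d"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.procmail.d"
    fs sa "$HOMEPATH/.procmail.d" system:anyuser rl

    # .public
    mkdir -p "$HOMEPATH/.public/"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.public"
    fs sa "$HOMEPATH/.public" system:anyuser rl

    # .domtool -- lives under .public, reached via a symlink made on the
    # domtool server; skip the link if anything is already at that path.
    mkdir -p "$HOMEPATH/.public/.domtool"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.public/.domtool"
    test -e "$HOMEPATH/.domtool" || \
        test -L "$HOMEPATH/.domtool" || \
        execute_on_domtool_server ln -s "$HOMEPATH/.public/.domtool" "$HOMEPATH/.domtool"
    execute_on_domtool_server chown "$NEWUSER" "$HOMEPATH/.domtool"
    # ^^ work around sudo env_reset crap without having to
    # actually figure out how to make it work cleanly -- clinton,
    # 2011-11-30
}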
248 | ||
249 | # | |
250 | # Non-AFS files and directories | |
251 | # | |
252 | ||
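function create_dav_locks () {
    # Make per-user apache DAV lock directory -- the directory must be
    # both user and group-writable, which is silly.
    local lock_dir="/var/local/domtool/apache2/dav/$NEWUSER"
    execute_on_web_nodes sudo mkdir -p "$lock_dir"
    execute_on_web_nodes sudo chown "$NEWUSER:www-data" "$lock_dir"
    # ug=rwx,o= : nothing for "other", so only the member and the web
    # server group can touch the lock files.
    execute_on_web_nodes sudo chmod ug=rwx,o= "$lock_dir"
}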
260 | ||
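function setup_user_databases () {
    # Database setup is delegated entirely to the create-user-database
    # script; this library only passes the user name through.
    sudo /afs/hcoop.net/common/etc/scripts/create-user-database "$NEWUSER"
}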
264 | ||
265 | # | |
266 | # etc | |
267 | # | |
268 | ||
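function enable_domtool () {
    # Register the user with domtool on the domtool server.
    execute_on_domtool_server domtool-adduser "$NEWUSER"
}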
272 | ||
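function subscribe_to_lists () {
    # Subscribe user to our mailing lists.

    # add_members reads the addresses from stdin (-r -); the list user
    # on the mailman host does the actual subscription.
    # NOTE(review): this uses the short name "minsky" rather than the
    # FQDN the other helpers use -- left as is.
    echo "$NEWUSER@hcoop.net" | ssh -K minsky sudo -u list \
        /var/lib/mailman/bin/add_members -r - hcoop-announce
}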
279 | ||
function ensure_afs_servers_synced () {
    # Push the .old volume, make the fileservers and the VLDB agree, then
    # flush the volume-location cache on every node.
    vos release old

    # technically this might not be necessary, but for good measure...
    local server
    for server in gibran lovelace; do
        vos syncserv "$server"
        vos syncvldb "$server"
    done

    # refresh volume location cache (takes ~2hrs otherwise)
    execute_on_all_machines fs checkvolumes
}
293 | ||
294 | # | |
295 | # webserver | |
296 | # | |
297 | ||
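function create_fcgi_wrapper () {
    # note: might want to move this to domtool-adduser

    # Write the per-user FastCGI wrapper: it runs k5start against the
    # user.daemon keytab and then execs whatever it was given.
    local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
    local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
    mkdir -p "$wrapper_dir"
    # "\$@" is escaped here so the generated script contains a literal
    # "$@" and hands its arguments on intact; the old bare \$@ let the
    # generated script re-split any argument containing whitespace.
    cat > "$wrapper" <<EOF
#!/bin/bash

exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- "\$@"
EOF

    chmod +x "$wrapper"
    chown "$NEWUSER:nogroup" "$wrapper"
    chown "$NEWUSER:nogroup" "$wrapper_dir"
}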