[hcoop/scripts.git] / lib / create-user-lib.sh

# -*- sh-mode -*-

# Library functions for create-user scripts
# Export the $NEWUSER variable before sourcing!

# Functionality is split so that the scripts for creating real users,
# service users, and web service users can share as much code as
# possible.

# This has probably grown to the point where it shouldn't be a shell
# script any more.

# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
# something that should be perfectly permissible, and is something
# that we do somewhat regularly (to bring old accounts up to date).

export PATH=$PATH:/afs/hcoop.net/common/bin/

if test -z "$NEWUSER"; then
	echo "NEWUSER not set before sourcing create user library"
	exit 1
fi

#
# Construct various paths for later perusal.
#

# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
PATHBITS=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS

#
# Helper functions
#

function execute_on_web_nodes () {
    ssh -K shelob.hcoop.net $*
}

function execute_on_domtool_server () {
    ssh -K gibran.hcoop.net $*
}

function execute_on_mail_nodes () {
    ssh -K minsky.hcoop.net $*
}

function execute_on_all_machines () {
    $*
    ssh -K marsh.hcoop.net $*
    ssh -K minsky.hcoop.net $*
    ssh -K shelob.hcoop.net $*
    ssh -K lovelace.hcoop.net $*
    ssh -K outpost.hcoop.net $*
}

#
# User credentials
#

function create_pts_user () {
    # Create primary user kerberos principle and afs pts user

    # We use -randkey for user's main principal as well, to make sure
    # that the creation process does not continue without having a
    # main principal. (But you who want to set password for a user,
    # don't worry - we'll invoke cpw later, so that it has the same
    # effect as setting password right now - while it is more error
    # tolerant).

    sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
    sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"

    pts cu $NEWUSER || true
}

function create_pts_user_daemon () {

    # Create additional kerberos principles ($user.daemon for now, in
    # theory also $user.mail, $user.cgi) and pts users for any used to
    # gain afs access ($user.daemon only)
    sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
    pts cu $NEWUSER.daemon || true
}

function export_user_keytabs () {

    # Export .mailfilter and .cgi keys to a keytab file

    # This is suboptimal, we need to generate keytabs for
    # cgi/mail/etc. separately, and only sync to the nodes that
    # perform the services in question

    # create a daemon keytab (used by /etc/exim4/get-token)
    # *only* if it does not exist!
    test -e /etc/keytabs/user.daemon/$NEWUSER || \
	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"

    # Properly chown/mod keytab files (must be $NEWUSER:www-data)
    sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
    sudo chmod 440            /etc/keytabs/user.daemon/$NEWUSER

    # rsync keytabs
    # only needed on nodes that will run code on behalf of members
    # fixme: duplicates all server list
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh marsh.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh minsky.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh shelob.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
}


#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
#

# Each function that creates an afs volume should ensure that the
# backup volume is created and mounted for users.

function create_home_volume () {

    if vos examine user.$NEWUSER.d 2>/dev/null; then
	echo "Reactivating old volume (user.$NEWUSER.d)"
	vos rename user.$NEWUSER.d user.$NEWUSER
    fi
    vos examine user.$NEWUSER 2>/dev/null || \
	vos create gibran.hcoop.net /vicepa user.$NEWUSER -maxquota 10000000

    mkdir -p `dirname $HOMEPATH`
    fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$NEWUSER
    chown $NEWUSER:nogroup $HOMEPATH
    fs sa $HOMEPATH $NEWUSER            all
    fs sa $HOMEPATH system:anyuser   l
    # cleanliness / needed to keep suphp happy
    chown root:root $HOMEPATH/../../
    chown root:root $HOMEPATH/../
    
    # backup volume
    mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
    fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
	fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
}


function create_mail_volume () {

    if vos examine mail.$NEWUSER.d 2>/dev/null; then
	echo "Reactivating old volume (mail.$NEWUSER.d)"
	vos rename mail.$NEWUSER.d mail.$NEWUSER
    fi
    vos examine mail.$NEWUSER 2>/dev/null || \
	vos create gibran.hcoop.net /vicepa mail.$NEWUSER -maxquota 10000000
    
    mkdir -p `dirname $MAILPATH`
    fs ls $MAILPATH || fs mkm $MAILPATH         mail.$NEWUSER
    fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$NEWUSER
    chown $NEWUSER:nogroup $MAILPATH
    chown $NEWUSER:nogroup $HOMEPATH/Maildir
    fs sa $MAILPATH $NEWUSER        all
    fs sa $MAILPATH $NEWUSER.daemon all

    if test ! -e $MAILPATH/new; then
	mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
	echo -e "This email account is provided as a service for HCoop members." \
            "\n\nTo learn how to use it, please visit the page" \
            "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
            mail -s "Welcome to your HCoop email store" \
            -e -a "From: postmaster@hcoop.net" \
            real-$NEWUSER@hcoop.net
    fi

    chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp

    # Set up shared SpamAssassin folder
    if test -f $HOMEPATH/Maildir/shared-maildirs; then
        # Deal with case where user rsync'd their Maildir from fyodor
        # Not an issue now, but harmless and can be adapted when we
        # move the spamd dirs into afs where they belong later.
	pattern='^SpamAssassin	/home/spamd'
	file=$HOMEPATH/Maildir/shared-maildirs
	if grep $pattern $file; then
            sed -i -r -e \
		's!^(SpamAssassin	)/home/spamd!\1/var/local/lib/spamd!1' \
		$file
	fi
    else
	maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
            $HOMEPATH/Maildir
    fi

    mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
    fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
	fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
    vos release old
}

function seed_user_hcoop_directories () {
    # Additional standard directories. Some of these should probably
    # be on their own volumes, and access via a canonical path instead
    # to give users more control over their home dir without risking
    # breaking system services.

    # Apache logs
    mkdir -p $HOMEPATH/.logs
    chown $NEWUSER:nogroup $HOMEPATH/.logs
    mkdir -p $HOMEPATH/.logs/apache
    chown $NEWUSER:nogroup $HOMEPATH/.logs/apache
    fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk
    fs sa $HOMEPATH/.logs/apache webalizer read
    mkdir -p $HOMEPATH/.logs/mail
    fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk
    chown $NEWUSER:nogroup $HOMEPATH/.logs/mail

    # public_html
    test -e $HOMEPATH/public_html || \
	(mkdir -p $HOMEPATH/public_html; \
	chown $NEWUSER:nogroup $HOMEPATH/public_html; \
	fs sa $HOMEPATH/public_html system:anyuser none; \
	fs sa $HOMEPATH/public_html $NEWUSER.daemon rl)

    # .procmail.d
    mkdir -p $HOMEPATH/.procmail.d
    chown $NEWUSER:nogroup $HOMEPATH/.procmail.d
    fs sa $HOMEPATH/.procmail.d system:anyuser rl

    # .public
    mkdir -p $HOMEPATH/.public/
    chown $NEWUSER:nogroup $HOMEPATH/.public
    fs sa $HOMEPATH/.public system:anyuser rl

    # .domtool
    mkdir -p $HOMEPATH/.public/.domtool
    chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool
    test -e $HOMEPATH/.domtool || \
	test -L $HOMEPATH/.domtool || \
        execute_on_domtool_server ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
        execute_on_domtool_server chown $NEWUSER $HOMEPATH/.domtool 
        # ^^ work around sudo env_reset crap without having to
        # actually figure out how to make it work cleanly -- clinton,
        # 2011-11-30
}

#
# Non-AFS files and directories
#

function create_dav_locks () {
    # Make per-user apache DAV lock directory -- the directory must be
    # both user and group-writable, which is silly.
    execute_on_web_nodes sudo mkdir -p /var/local/domtool/apache2/dav/$NEWUSER
    execute_on_web_nodes sudo chown $NEWUSER:www-data /var/local/domtool/apache2/dav/$NEWUSER
    execute_on_web_nodes sudo chmod ug=rwx,o= /var/local/domtool/apache2/dav/$NEWUSER
}

function setup_user_databases () {
    sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER
}

#
# etc
#

function enable_domtool () {
    execute_on_domtool_server domtool-adduser $NEWUSER
}

function subscribe_to_lists () {
    # Subscribe user to our mailing lists.

    echo $NEWUSER@hcoop.net | ssh -K minsky sudo -u list  \
	/var/lib/mailman/bin/add_members -r - hcoop-announce
}

function ensure_afs_servers_synced () {
    vos release old
    
    # technically this might not be necessary, but for good measure...
    local srv
    for srv in gibran lovelace; do
	vos syncserv $srv
	vos syncvldb $srv
    done
    
    # refresh volume location cache (takes ~2hrs otherwise)
    execute_on_all_machines fs checkvolumes
}

#
# webserver
#

function create_fcgi_wrapper () {
    # note: might want to move this to domtool-adduser
    local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
    local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
    mkdir -p $wrapper_dir
    cat > $wrapper <<EOF
#!/bin/bash

exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- \$@
EOF

    chmod +x $wrapper
    chown $NEWUSER:nogroup $wrapper
    chown $NEWUSER:nogroup $wrapper_dir
}
Commit	Line	Data
abfe84ca CE	1	# -- sh-mode --
	2
	3	# Library functions for create-user scripts
	4	# Export the $NEWUSER variable before sourcing!
	5
	6	# Functionality is split so that the scripts for creating real users,
	7	# service users, and web service users can share as much code as
	8	# possible.
	9
	10	# This has probably grown to the point where it shouldn't be a shell
	11	# script any more.
	12
	13	# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
	14	# something that should be perfectly permissible, and is something
	15	# that we do somewhat regularly (to bring old accounts up to date).
	16
	17	export PATH=$PATH:/afs/hcoop.net/common/bin/
	18
	19	if test -z "$NEWUSER"; then
	20	echo "NEWUSER not set before sourcing create user library"
	21	exit 1
	22	fi
	23
	24	#
	25	# Construct various paths for later perusal.
	26	#
	27
	28	# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
	29	PATHBITS=`echo $NEWUSER \| head -c 1`/`echo $NEWUSER \| head -c 2`/$NEWUSER
	30	HOMEPATH=/afs/hcoop.net/user/$PATHBITS
	31	MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
	32
	33	#
	34	# Helper functions
	35	#
	36
	37	function execute_on_web_nodes () {
6d76f213	38	ssh -K shelob.hcoop.net $*
abfe84ca CE	39	}
	40
	41	function execute_on_domtool_server () {
6d76f213	42	ssh -K gibran.hcoop.net $*
abfe84ca CE	43	}
abfe84ca CE	44
8b3e03c4 CE	45	function execute_on_mail_nodes () {
	46	ssh -K minsky.hcoop.net $*
	47	}
abfe84ca CE	48
	49	function execute_on_all_machines () {
	50	$*
6d76f213 CE	51	ssh -K marsh.hcoop.net $*
	52	ssh -K minsky.hcoop.net $*
	53	ssh -K shelob.hcoop.net $*
8b3e03c4	54	ssh -K lovelace.hcoop.net $*
6d76f213	55	ssh -K outpost.hcoop.net $*
abfe84ca CE	56	}
	57
	58	#
	59	# User credentials
	60	#
	61
	62	function create_pts_user () {
	63	# Create primary user kerberos principle and afs pts user
	64
	65	# We use -randkey for user's main principal as well, to make sure
	66	# that the creation process does not continue without having a
	67	# main principal. (But you who want to set password for a user,
	68	# don't worry - we'll invoke cpw later, so that it has the same
	69	# effect as setting password right now - while it is more error
	70	# tolerant).
	71
	72	sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
	73	sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"
	74
	75	pts cu $NEWUSER \|\| true
	76	}
	77
	78	function create_pts_user_daemon () {
	79
	80	# Create additional kerberos principles ($user.daemon for now, in
	81	# theory also $user.mail, $user.cgi) and pts users for any used to
	82	# gain afs access ($user.daemon only)
	83	sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
	84	pts cu $NEWUSER.daemon \|\| true
	85	}
	86
	87	function export_user_keytabs () {
	88
	89	# Export .mailfilter and .cgi keys to a keytab file
	90
	91	# This is suboptimal, we need to generate keytabs for
	92	# cgi/mail/etc. separately, and only sync to the nodes that
	93	# perform the services in question
	94
	95	# create a daemon keytab (used by /etc/exim4/get-token)
	96	# only if it does not exist!
	97	test -e /etc/keytabs/user.daemon/$NEWUSER \|\| \
	98	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"
	99
	100	# Properly chown/mod keytab files (must be $NEWUSER:www-data)
	101	sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
	102	sudo chmod 440 /etc/keytabs/user.daemon/$NEWUSER
	103
	104	# rsync keytabs
6d76f213 CE	105	# only needed on nodes that will run code on behalf of members
6d76f213 CE	106	# fixme: duplicates all server list
abfe84ca CE	107	(cd /etc/keytabs
abfe84ca CE	108	sudo tar clpf - user.daemon/$NEWUSER \| \
6d76f213	109	ssh marsh.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
abfe84ca CE	110	(cd /etc/keytabs
abfe84ca CE	111	sudo tar clpf - user.daemon/$NEWUSER \| \
6d76f213	112	ssh minsky.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
abfe84ca CE	113	(cd /etc/keytabs
abfe84ca CE	114	sudo tar clpf - user.daemon/$NEWUSER \| \
6d76f213	115	ssh shelob.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
abfe84ca CE	116	}
	117
	118
	119	#
	120	# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
	121	#
	122
	123	# Each function that creates an afs volume should ensure that the
	124	# backup volume is created and mounted for users.
	125
	126	function create_home_volume () {
	127
	128	if vos examine user.$NEWUSER.d 2>/dev/null; then
	129	echo "Reactivating old volume (user.$NEWUSER.d)"
	130	vos rename user.$NEWUSER.d user.$NEWUSER
	131	fi
	132	vos examine user.$NEWUSER 2>/dev/null \|\| \
9aa22d85	133	vos create gibran.hcoop.net /vicepa user.$NEWUSER -maxquota 10000000
abfe84ca CE	134
	135	mkdir -p `dirname $HOMEPATH`
	136	fs ls $HOMEPATH \|\| test -L $HOMEPATH \|\| fs mkm $HOMEPATH user.$NEWUSER
	137	chown $NEWUSER:nogroup $HOMEPATH
	138	fs sa $HOMEPATH $NEWUSER all
	139	fs sa $HOMEPATH system:anyuser l
	140	# cleanliness / needed to keep suphp happy
	141	chown root:root $HOMEPATH/../../
	142	chown root:root $HOMEPATH/../
	143
	144	# backup volume
	145	mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
	146	fs ls /afs/hcoop.net/.old/user/$PATHBITS \|\| \
	147	fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
	148	}
	149
	150
	151	function create_mail_volume () {
	152
	153	if vos examine mail.$NEWUSER.d 2>/dev/null; then
	154	echo "Reactivating old volume (mail.$NEWUSER.d)"
	155	vos rename mail.$NEWUSER.d mail.$NEWUSER
	156	fi
	157	vos examine mail.$NEWUSER 2>/dev/null \|\| \
9aa22d85	158	vos create gibran.hcoop.net /vicepa mail.$NEWUSER -maxquota 10000000
abfe84ca CE	159
	160	mkdir -p `dirname $MAILPATH`
	161	fs ls $MAILPATH \|\| fs mkm $MAILPATH mail.$NEWUSER
	162	fs ls $HOMEPATH/Maildir \|\| fs mkm $HOMEPATH/Maildir mail.$NEWUSER
	163	chown $NEWUSER:nogroup $MAILPATH
	164	chown $NEWUSER:nogroup $HOMEPATH/Maildir
	165	fs sa $MAILPATH $NEWUSER all
	166	fs sa $MAILPATH $NEWUSER.daemon all
	167
	168	if test ! -e $MAILPATH/new; then
	169	mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
	170	echo -e "This email account is provided as a service for HCoop members." \
	171	"\n\nTo learn how to use it, please visit the page" \
	172	"\n<http://wiki.hcoop.net/MemberManual/Email> on our website."\| \
	173	mail -s "Welcome to your HCoop email store" \
	174	-e -a "From: postmaster@hcoop.net" \
6d76f213	175	real-$NEWUSER@hcoop.net
abfe84ca CE	176	fi
	177
	178	chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
	179
	180	# Set up shared SpamAssassin folder
	181	if test -f $HOMEPATH/Maildir/shared-maildirs; then
	182	# Deal with case where user rsync'd their Maildir from fyodor
	183	# Not an issue now, but harmless and can be adapted when we
	184	# move the spamd dirs into afs where they belong later.
	185	pattern='^SpamAssassin /home/spamd'
	186	file=$HOMEPATH/Maildir/shared-maildirs
	187	if grep $pattern $file; then
	188	sed -i -r -e \
	189	's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
	190	$file
	191	fi
	192	else
6d76f213	193	maildirmake --add SpamAssassin=/afs/hcoop.net/user/s/sp/spamd/Maildir \
abfe84ca CE	194	$HOMEPATH/Maildir
	195	fi
	196
	197	mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
	198	fs ls /afs/hcoop.net/.old/mail/$PATHBITS \|\| \
	199	fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
	200	vos release old
	201	}
	202
	203	function seed_user_hcoop_directories () {
	204	# Additional standard directories. Some of these should probably
	205	# be on their own volumes, and access via a canonical path instead
	206	# to give users more control over their home dir without risking
	207	# breaking system services.
	208
	209	# Apache logs
	210	mkdir -p $HOMEPATH/.logs
	211	chown $NEWUSER:nogroup $HOMEPATH/.logs
	212	mkdir -p $HOMEPATH/.logs/apache
	213	chown $NEWUSER:nogroup $HOMEPATH/.logs/apache
	214	fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk
e26d1812	215	fs sa $HOMEPATH/.logs/apache webalizer read
abfe84ca CE	216	mkdir -p $HOMEPATH/.logs/mail
	217	fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk
	218	chown $NEWUSER:nogroup $HOMEPATH/.logs/mail
	219
	220	# public_html
	221	test -e $HOMEPATH/public_html \|\| \
	222	(mkdir -p $HOMEPATH/public_html; \
	223	chown $NEWUSER:nogroup $HOMEPATH/public_html; \
	224	fs sa $HOMEPATH/public_html system:anyuser none; \
	225	fs sa $HOMEPATH/public_html $NEWUSER.daemon rl)
	226
	227	# .procmail.d
	228	mkdir -p $HOMEPATH/.procmail.d
	229	chown $NEWUSER:nogroup $HOMEPATH/.procmail.d
	230	fs sa $HOMEPATH/.procmail.d system:anyuser rl
	231
	232	# .public
	233	mkdir -p $HOMEPATH/.public/
	234	chown $NEWUSER:nogroup $HOMEPATH/.public
	235	fs sa $HOMEPATH/.public system:anyuser rl
	236
	237	# .domtool
	238	mkdir -p $HOMEPATH/.public/.domtool
	239	chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool
	240	test -e $HOMEPATH/.domtool \|\| \
	241	test -L $HOMEPATH/.domtool \|\| \
39aa6e0c	242	execute_on_domtool_server ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
39aa6e0c	243	execute_on_domtool_server chown $NEWUSER $HOMEPATH/.domtool
abfe84ca CE	244	# ^^ work around sudo env_reset crap without having to
	245	# actually figure out how to make it work cleanly -- clinton,
	246	# 2011-11-30
abfe84ca CE	247	}
	248
	249	#
	250	# Non-AFS files and directories
	251	#
	252
	253	function create_dav_locks () {
	254	# Make per-user apache DAV lock directory -- the directory must be
	255	# both user and group-writable, which is silly.
c74ee81a	256	execute_on_web_nodes sudo mkdir -p /var/local/domtool/apache2/dav/$NEWUSER
22ff5a6b CE	257	execute_on_web_nodes sudo chown $NEWUSER:www-data /var/local/domtool/apache2/dav/$NEWUSER
22ff5a6b CE	258	execute_on_web_nodes sudo chmod ug=rwx,o= /var/local/domtool/apache2/dav/$NEWUSER
abfe84ca CE	259	}
	260
	261	function setup_user_databases () {
	262	sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER
	263	}
	264
	265	#
	266	# etc
	267	#
	268
	269	function enable_domtool () {
	270	execute_on_domtool_server domtool-adduser $NEWUSER
	271	}
	272
	273	function subscribe_to_lists () {
	274	# Subscribe user to our mailing lists.
	275
6d76f213	276	echo $NEWUSER@hcoop.net \| ssh -K minsky sudo -u list \
abfe84ca CE	277	/var/lib/mailman/bin/add_members -r - hcoop-announce
	278	}
	279
	280	function ensure_afs_servers_synced () {
	281	vos release old
	282
	283	# technically this might not be necessary, but for good measure...
6d76f213	284	local srv
6c8ee94d	285	for srv in gibran lovelace; do
6d76f213 CE	286	vos syncserv $srv
	287	vos syncvldb $srv
	288	done
abfe84ca CE	289
	290	# refresh volume location cache (takes ~2hrs otherwise)
	291	execute_on_all_machines fs checkvolumes
447125c3 CE	292	}
	293
	294	#
	295	# webserver
	296	#
	297
	298	function create_fcgi_wrapper () {
	299	# note: might want to move this to domtool-adduser
6d76f213 CE	300	local wrapper_dir="/afs/hcoop.net/common/etc/domtool/httpd/fastcgi/${PATHBITS}"
	301	local wrapper="${wrapper_dir}/${NEWUSER}-wrapper-wrapper"
	302	mkdir -p $wrapper_dir
447125c3 CE	303	cat > $wrapper <<EOF
	304	#!/bin/bash
	305
6d76f213	306	exec k5start -qtUf /etc/keytabs/user.daemon/${NEWUSER} -- \$@
447125c3 CE	307	EOF
	308
	309	chmod +x $wrapper
	310	chown $NEWUSER:nogroup $wrapper
6d76f213	311	chown $NEWUSER:nogroup $wrapper_dir
447125c3	312	}