1 | # -*- sh-mode -*- |
2 | ||
3 | # Library functions for create-user scripts | |
4 | # Export the $NEWUSER variable before sourcing! | |
5 | ||
6 | # Functionality is split so that the scripts for creating real users, | |
7 | # service users, and web service users can share as much code as | |
8 | # possible. | |
9 | ||
10 | # This has probably grown to the point where it shouldn't be a shell | |
11 | # script any more. | |
12 | ||
13 | # ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! Re-creating a user is | |
14 | # something that should be perfectly permissible, and is something | |
15 | # that we do somewhat regularly (to bring old accounts up to date). | |
16 | ||
17 | export PATH=$PATH:/afs/hcoop.net/common/bin/ | |
18 | ||
19 | if test -z "$NEWUSER"; then | |
20 | echo "NEWUSER not set before sourcing create user library" | |
21 | exit 1 | |
22 | fi | |
23 | ||
24 | # | |
25 | # Construct various paths for later perusal. | |
26 | # | |
27 | ||
28 | # (If it's not clear, for user fred, PATHBITS = f/fr/fred) | |
29 | PATHBITS=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER | |
30 | HOMEPATH=/afs/hcoop.net/user/$PATHBITS | |
31 | MAILPATH=/afs/hcoop.net/common/email/$PATHBITS | |
32 | ||
33 | # | |
34 | # Helper functions | |
35 | # | |
36 | ||
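# Run the given command on each web node in turn.  Arguments are handed
# to ssh as separate words ("$@") rather than the unquoted $* the original
# used, so they are not re-split or glob-expanded locally; ssh still joins
# them with spaces for the remote shell, so quote anything meant for the
# remote side.  -K forwards the caller's Kerberos credentials.  Returns
# the status of the last ssh.
function execute_on_web_nodes () {
    local node
    for node in deleuze mire navajos; do
        ssh -K "$node" "$@"
    done
}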
42 | ||
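# Run the given command on the domtool server with Kerberos forwarding.
# "$@" keeps the argument boundaries intact locally (unquoted $* would
# word-split and glob-expand them); ssh joins them for the remote shell.
function execute_on_domtool_server () {
    ssh -K deleuze.hcoop.net "$@"
}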
46 | ||
47 | ||
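# Run the given command locally and then on every other machine.  The
# local invocation in particular needs "$@": with the unquoted $* the
# original used, an argument containing whitespace or a glob would be
# re-split before execution.  Returns the status of the last ssh.
function execute_on_all_machines () {
    "$@"
    local host
    for host in mire hopper deleuze navajos bog; do
        ssh -K "$host.hcoop.net" "$@"
    done
}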
56 | ||
57 | # | |
58 | # User credentials | |
59 | # | |
60 | ||
function create_pts_user () {
    # Create the member's primary Kerberos principal and the matching
    # AFS pts user.
    local principal="$NEWUSER@HCOOP.NET"

    # -randkey is used for the main principal too, so that creation
    # never proceeds without a principal existing.  Whoever wants to
    # set the member's password need not worry: cpw is invoked later,
    # which has the same end result while tolerating failures along
    # the way.
    sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $principal"
    sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $principal"

    # pts cu fails when the user already exists; ignore that so the
    # function stays idempotent.
    pts cu "$NEWUSER" || true
}
76 | ||
function create_pts_user_daemon () {
    # Create the additional Kerberos principal ($user/daemon for now; in
    # theory also $user/mail and $user/cgi) and a pts user for each one
    # that is used to gain AFS access (only $user.daemon so far).
    local principal="$NEWUSER/daemon@HCOOP.NET"
    local ptsname="$NEWUSER.daemon"

    sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $principal"
    # An existing pts user makes pts cu fail; ignore it for idempotency.
    pts cu "$ptsname" || true
}
85 | ||
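function export_user_keytabs () {
    # Export the member's daemon key to a keytab file and copy it to the
    # other machines.
    #
    # This is suboptimal: keytabs for cgi/mail/etc. should be generated
    # separately and synced only to the nodes that perform the service
    # in question.
    local keytab_dir=/etc/keytabs
    local keytab=user.daemon/$NEWUSER
    local host

    # Create the daemon keytab (used by /etc/exim4/get-token) *only* if
    # it does not exist yet: ktadd issues a fresh key, which would
    # invalidate the copies already distributed to the other nodes.
    test -e "$keytab_dir/$keytab" || \
        sudo kadmin.local -p root/admin -q "ktadd -k $keytab_dir/$keytab $NEWUSER/daemon@HCOOP.NET"

    # Keytab files must be $NEWUSER:www-data and readable by owner and
    # group only.
    sudo chown "$NEWUSER:www-data" "$keytab_dir/$keytab"
    sudo chmod 440 "$keytab_dir/$keytab"

    # Copy the keytab to every node, preserving ownership and mode.  The
    # five hand-unrolled copies are now one loop, and cd is checked so a
    # missing $keytab_dir cannot make tar archive the wrong tree.
    for host in mire hopper deleuze navajos bog; do
        (cd "$keytab_dir" && sudo tar clpf - "$keytab" | \
            ssh "$host.hcoop.net" "cd $keytab_dir; sudo tar xlpf -")
    done
}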
120 | ||
121 | ||
122 | # | |
123 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) | |
124 | # | |
125 | ||
126 | # Each function that creates an afs volume should ensure that the | |
127 | # backup volume is created and mounted for users. | |
128 | ||
function create_home_volume () {
    # Create (or reactivate) the member's home volume, mount it at
    # $HOMEPATH with the standard ACLs, and mount its backup volume
    # under /afs/hcoop.net/.old.
    local volume=user.$NEWUSER
    local backup_mount=/afs/hcoop.net/.old/user/$PATHBITS

    # A volume renamed to <vol>.d (presumably by account deactivation)
    # is brought back instead of creating a fresh one.
    if vos examine "$volume.d" 2>/dev/null; then
        echo "Reactivating old volume ($volume.d)"
        vos rename "$volume.d" "$volume"
    fi
    vos examine "$volume" 2>/dev/null || \
        vos create fritz.hcoop.net /vicepa "$volume" -maxquota 400000

    # Mount point and ACLs: the member gets everything, system:anyuser
    # may only list.
    mkdir -p "$(dirname "$HOMEPATH")"
    fs ls "$HOMEPATH" || test -L "$HOMEPATH" || fs mkm "$HOMEPATH" "$volume"
    chown "$NEWUSER:nogroup" "$HOMEPATH"
    fs sa "$HOMEPATH" "$NEWUSER" all
    fs sa "$HOMEPATH" system:anyuser l
    # The two parent directories are root-owned for cleanliness and to
    # keep suphp happy.
    chown root:root "$HOMEPATH/../../"
    chown root:root "$HOMEPATH/../"

    # Backup volume mount point.
    mkdir -p "$(dirname "$backup_mount")"
    fs ls "$backup_mount" || fs mkm "$backup_mount" "$volume.backup"
}
152 | ||
153 | ||
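function create_mail_volume () {
    # Create (or reactivate) the member's mail volume, mount it at both
    # $MAILPATH and $HOMEPATH/Maildir, seed the Maildir with a welcome
    # message on first creation, wire up the shared SpamAssassin folder,
    # and mount the backup volume under /afs/hcoop.net/.old.
    local volume=mail.$NEWUSER
    local backup_mount=/afs/hcoop.net/.old/mail/$PATHBITS
    local shared_maildirs=$HOMEPATH/Maildir/shared-maildirs

    # A volume renamed to <vol>.d (presumably by account deactivation)
    # is brought back instead of creating a fresh one.
    if vos examine "$volume.d" 2>/dev/null; then
        echo "Reactivating old volume ($volume.d)"
        vos rename "$volume.d" "$volume"
    fi
    vos examine "$volume" 2>/dev/null || \
        vos create fritz.hcoop.net /vicepa "$volume" -maxquota 400000

    mkdir -p "$(dirname "$MAILPATH")"
    fs ls "$MAILPATH" || fs mkm "$MAILPATH" "$volume"
    fs ls "$HOMEPATH/Maildir" || fs mkm "$HOMEPATH/Maildir" "$volume"
    chown "$NEWUSER:nogroup" "$MAILPATH"
    chown "$NEWUSER:nogroup" "$HOMEPATH/Maildir"
    fs sa "$MAILPATH" "$NEWUSER" all
    # The daemon principal gets full access as well -- presumably for
    # delivery via the keytab from export_user_keytabs; confirm.
    fs sa "$MAILPATH" "$NEWUSER.daemon" all

    # First-time setup only: the welcome message must not be re-sent
    # when the script is re-run against an existing account.
    if test ! -e "$MAILPATH/new"; then
        mkdir -p "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"
        echo -e "This email account is provided as a service for HCoop members." \
            "\n\nTo learn how to use it, please visit the page" \
            "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
            mail -s "Welcome to your HCoop email store" \
            -e -a "From: postmaster@hcoop.net" \
            "real-$NEWUSER"
    fi

    chown "$NEWUSER:nogroup" "$MAILPATH/cur" "$MAILPATH/new" "$MAILPATH/tmp"

    # Set up the shared SpamAssassin folder.
    if test -f "$shared_maildirs"; then
        # Deal with the case where the member rsync'd their Maildir from
        # fyodor.  Not an issue now, but harmless, and can be adapted
        # when the spamd dirs move into afs where they belong.
        #
        # The pattern is passed as one quoted word.  The original stored
        # it unquoted in a variable, so the space split it into two
        # arguments and grep looked for "^SpamAssassin" in the files
        # /home/spamd and shared-maildirs -- matching far more than the
        # intended "SpamAssassin /home/spamd" line.  -q: only the exit
        # status is wanted.
        if grep -q '^SpamAssassin /home/spamd' "$shared_maildirs"; then
            sed -i -r -e \
                's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
                "$shared_maildirs"
        fi
    else
        maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
            "$HOMEPATH/Maildir"
    fi

    # Backup volume mount point, then push the "old" volume out.
    mkdir -p "$(dirname "$backup_mount")"
    fs ls "$backup_mount" || fs mkm "$backup_mount" "$volume.backup"
    vos release old
}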
205 | ||
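function seed_user_hcoop_directories () {
    # Create the additional standard directories inside the member's
    # home.  Some of these should probably be on their own volumes and
    # accessed via a canonical path instead, to give members more
    # control over their home dir without risking breaking system
    # services.
    local logs=$HOMEPATH/.logs

    # Apache and mail logs: owned by the member, writable by the daemon
    # principal.  Both subdirectories now follow the same
    # mkdir/chown/fs sa order (the mail one used to chown last).
    mkdir -p "$logs"
    chown "$NEWUSER:nogroup" "$logs"
    mkdir -p "$logs/apache"
    chown "$NEWUSER:nogroup" "$logs/apache"
    fs sa "$logs/apache" "$NEWUSER.daemon" rlwidk
    mkdir -p "$logs/mail"
    chown "$NEWUSER:nogroup" "$logs/mail"
    fs sa "$logs/mail" "$NEWUSER.daemon" rlwidk

    # public_html is only created when absent -- presumably so that a
    # member's own ACL changes survive re-runs.  Default ACL: nothing
    # for anonymous AFS clients, read for the daemon principal.  The
    # steps are chained with && so that a failed mkdir does not go on to
    # chown/ACL a missing directory (the original used ';').
    test -e "$HOMEPATH/public_html" || \
        (mkdir -p "$HOMEPATH/public_html" && \
         chown "$NEWUSER:nogroup" "$HOMEPATH/public_html" && \
         fs sa "$HOMEPATH/public_html" system:anyuser none && \
         fs sa "$HOMEPATH/public_html" "$NEWUSER.daemon" rl)

    # .procmail.d: world-readable.
    mkdir -p "$HOMEPATH/.procmail.d"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.procmail.d"
    fs sa "$HOMEPATH/.procmail.d" system:anyuser rl

    # .public: world-readable.
    mkdir -p "$HOMEPATH/.public/"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.public"
    fs sa "$HOMEPATH/.public" system:anyuser rl

    # .domtool lives under .public and is reached through a symlink in
    # the home dir.  The link is made on the domtool server as the
    # member, to work around sudo env_reset crap without having to
    # actually figure out how to make it work cleanly -- clinton,
    # 2011-11-30.
    mkdir -p "$HOMEPATH/.public/.domtool"
    chown "$NEWUSER:nogroup" "$HOMEPATH/.public/.domtool"
    test -e "$HOMEPATH/.domtool" || \
        test -L "$HOMEPATH/.domtool" || \
        execute_on_domtool_server sudo -u "$NEWUSER" ln -s "$HOMEPATH/.public/.domtool" "$HOMEPATH/.domtool"

    # Gitweb hosting: expose the member's .hcoop-git under /var/cache/git.
    test -L "/var/cache/git/$NEWUSER" || \
        sudo ln -s "$HOMEPATH/.hcoop-git" "/var/cache/git/$NEWUSER"
}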
254 | ||
255 | # | |
256 | # Non-AFS files and directories | |
257 | # | |
258 | ||
function create_dav_locks () {
    # Make the per-user apache DAV lock directory on every web node.  It
    # must be both user- and group-writable, which is silly.
    local lockdir=/var/lock/apache2/dav/$NEWUSER

    execute_on_web_nodes sudo mkdir -p "$lockdir"
    execute_on_web_nodes sudo chown "$NEWUSER:www-data" "$lockdir"
    execute_on_web_nodes sudo chmod ug=rwx,o= "$lockdir"
}
266 | ||
function setup_user_databases () {
    # Database setup is delegated entirely to the create-user-database
    # script in common/etc/scripts, run as root.
    local script=/afs/hcoop.net/common/etc/scripts/create-user-database

    sudo "$script" "$NEWUSER"
}
270 | ||
271 | # | |
272 | # etc | |
273 | # | |
274 | ||
function enable_domtool () {
    # Register the member with domtool; domtool-adduser is run on the
    # domtool server.
    execute_on_domtool_server domtool-adduser "$NEWUSER"
}
278 | ||
function subscribe_to_lists () {
    # Subscribe the member to our mailing lists (hcoop-announce only so
    # far).  add_members reads the addresses from stdin (-r -), so the
    # address is piped through ssh to the list user on deleuze.
    local address=$NEWUSER@hcoop.net
    local add_members=/var/lib/mailman/bin/add_members

    echo "$address" | \
        ssh -K deleuze sudo -u list "$add_members" -r - hcoop-announce
}
285 | ||
function ensure_afs_servers_synced () {
    # Push the "old" volume out and make sure every machine sees the
    # volumes created above.
    local fileserver=fritz

    vos release old

    # Technically this might not be necessary, but for good measure...
    vos syncserv "$fileserver"
    vos syncvldb "$fileserver"

    # Refresh the volume location cache everywhere (it takes ~2hrs to
    # catch up otherwise).
    execute_on_all_machines fs checkvolumes
}