[hcoop/scripts.git] / lib / create-user-lib.sh

# -*- sh-mode -*-

# Library functions for create-user scripts
# Export the $NEWUSER variable before sourcing!

# Functionality is split so that the scripts for creating real users,
# service users, and web service users can share as much code as
# possible.

# This has probably grown to the point where it shouldn't be a shell
# script any more.

# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
# something that should be perfectly permissible, and is something
# that we do somewhat regularly (to bring old accounts up to date).

export PATH=$PATH:/afs/hcoop.net/common/bin/

if test -z "$NEWUSER"; then
	echo "NEWUSER not set before sourcing create user library"
	exit 1
fi

#
# Construct various paths for later perusal.
#

# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
PATHBITS=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS

#
# Helper functions
#

function execute_on_web_nodes () {
    ssh -K deleuze $*
    ssh -K mire $*
    ssh -K navajos $*
}

function execute_on_domtool_server () {
    ssh -K deleuze.hcoop.net $*
}


function execute_on_all_machines () {
    $*
    ssh -K mire.hcoop.net $*
    ssh -K hopper.hcoop.net $*
    ssh -K deleuze.hcoop.net $*
    ssh -K navajos.hcoop.net $*
    ssh -K bog.hcoop.net $*
}

#
# User credentials
#

function create_pts_user () {
    # Create primary user kerberos principle and afs pts user

    # We use -randkey for user's main principal as well, to make sure
    # that the creation process does not continue without having a
    # main principal. (But you who want to set password for a user,
    # don't worry - we'll invoke cpw later, so that it has the same
    # effect as setting password right now - while it is more error
    # tolerant).

    sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
    sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"

    pts cu $NEWUSER || true
}

function create_pts_user_daemon () {

    # Create additional kerberos principles ($user.daemon for now, in
    # theory also $user.mail, $user.cgi) and pts users for any used to
    # gain afs access ($user.daemon only)
    sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
    pts cu $NEWUSER.daemon || true
}

function export_user_keytabs () {

    # Export .mailfilter and .cgi keys to a keytab file

    # This is suboptimal, we need to generate keytabs for
    # cgi/mail/etc. separately, and only sync to the nodes that
    # perform the services in question

    # create a daemon keytab (used by /etc/exim4/get-token)
    # *only* if it does not exist!
    test -e /etc/keytabs/user.daemon/$NEWUSER || \
	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"

    # Properly chown/mod keytab files (must be $NEWUSER:www-data)
    sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
    sudo chmod 440            /etc/keytabs/user.daemon/$NEWUSER

    # rsync keytabs
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh deleuze.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh navajos.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
    (cd /etc/keytabs
	sudo tar clpf - user.daemon/$NEWUSER | \
	    ssh bog.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
}


#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
#

# Each function that creates an afs volume should ensure that the
# backup volume is created and mounted for users.

function create_home_volume () {

    if vos examine user.$NEWUSER.d 2>/dev/null; then
	echo "Reactivating old volume (user.$NEWUSER.d)"
	vos rename user.$NEWUSER.d user.$NEWUSER
    fi
    vos examine user.$NEWUSER 2>/dev/null || \
	vos create fritz.hcoop.net /vicepa user.$NEWUSER -maxquota 400000

    mkdir -p `dirname $HOMEPATH`
    fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$NEWUSER
    chown $NEWUSER:nogroup $HOMEPATH
    fs sa $HOMEPATH $NEWUSER            all
    fs sa $HOMEPATH system:anyuser   l
    # cleanliness / needed to keep suphp happy
    chown root:root $HOMEPATH/../../
    chown root:root $HOMEPATH/../
    
    # backup volume
    mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
    fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
	fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
}


function create_mail_volume () {

    if vos examine mail.$NEWUSER.d 2>/dev/null; then
	echo "Reactivating old volume (mail.$NEWUSER.d)"
	vos rename mail.$NEWUSER.d mail.$NEWUSER
    fi
    vos examine mail.$NEWUSER 2>/dev/null || \
	vos create fritz.hcoop.net /vicepa mail.$NEWUSER -maxquota 400000
    
    mkdir -p `dirname $MAILPATH`
    fs ls $MAILPATH || fs mkm $MAILPATH         mail.$NEWUSER
    fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$NEWUSER
    chown $NEWUSER:nogroup $MAILPATH
    chown $NEWUSER:nogroup $HOMEPATH/Maildir
    fs sa $MAILPATH $NEWUSER        all
    fs sa $MAILPATH $NEWUSER.daemon all

    if test ! -e $MAILPATH/new; then
	mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
	echo -e "This email account is provided as a service for HCoop members." \
            "\n\nTo learn how to use it, please visit the page" \
            "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
            mail -s "Welcome to your HCoop email store" \
            -e -a "From: postmaster@hcoop.net" \
            real-$NEWUSER
    fi

    chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp

    # Set up shared SpamAssassin folder
    if test -f $HOMEPATH/Maildir/shared-maildirs; then
        # Deal with case where user rsync'd their Maildir from fyodor
        # Not an issue now, but harmless and can be adapted when we
        # move the spamd dirs into afs where they belong later.
	pattern='^SpamAssassin	/home/spamd'
	file=$HOMEPATH/Maildir/shared-maildirs
	if grep $pattern $file; then
            sed -i -r -e \
		's!^(SpamAssassin	)/home/spamd!\1/var/local/lib/spamd!1' \
		$file
	fi
    else
	maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
            $HOMEPATH/Maildir
    fi

    mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
    fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
	fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
    vos release old
}

function seed_user_hcoop_directories () {
    # Additional standard directories. Some of these should probably
    # be on their own volumes, and access via a canonical path instead
    # to give users more control over their home dir without risking
    # breaking system services.

    # Apache logs
    mkdir -p $HOMEPATH/.logs
    chown $NEWUSER:nogroup $HOMEPATH/.logs
    mkdir -p $HOMEPATH/.logs/apache
    chown $NEWUSER:nogroup $HOMEPATH/.logs/apache
    fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk
    mkdir -p $HOMEPATH/.logs/mail
    fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk
    chown $NEWUSER:nogroup $HOMEPATH/.logs/mail

    # public_html
    test -e $HOMEPATH/public_html || \
	(mkdir -p $HOMEPATH/public_html; \
	chown $NEWUSER:nogroup $HOMEPATH/public_html; \
	fs sa $HOMEPATH/public_html system:anyuser none; \
	fs sa $HOMEPATH/public_html $NEWUSER.daemon rl)

    # .procmail.d
    mkdir -p $HOMEPATH/.procmail.d
    chown $NEWUSER:nogroup $HOMEPATH/.procmail.d
    fs sa $HOMEPATH/.procmail.d system:anyuser rl

    # .public
    mkdir -p $HOMEPATH/.public/
    chown $NEWUSER:nogroup $HOMEPATH/.public
    fs sa $HOMEPATH/.public system:anyuser rl

    # .domtool
    mkdir -p $HOMEPATH/.public/.domtool
    chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool
    test -e $HOMEPATH/.domtool || \
	test -L $HOMEPATH/.domtool || \
        execute_on_domtool_server sudo -u $NEWUSER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
        # ^^ work around sudo env_reset crap without having to
        # actually figure out how to make it work cleanly -- clinton,
        # 2011-11-30

    # Gitweb hosting
    test -L /var/cache/git/$NEWUSER || \
	sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$NEWUSER

}

#
# Non-AFS files and directories
#

function create_dav_locks () {
    # Make per-user apache DAV lock directory -- the directory must be
    # both user and group-writable, which is silly.
    execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$NEWUSER
    execute_on_web_nodes sudo chown $NEWUSER:www-data /var/lock/apache2/dav/$NEWUSER
    execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$NEWUSER
}

function setup_user_databases () {
    sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER
}

#
# etc
#

function enable_domtool () {
    execute_on_domtool_server domtool-adduser $NEWUSER
}

function subscribe_to_lists () {
    # Subscribe user to our mailing lists.

    echo $NEWUSER@hcoop.net | ssh -K deleuze sudo -u list \
	/var/lib/mailman/bin/add_members -r - hcoop-announce
}

function ensure_afs_servers_synced () {
    vos release old
    
    # technically this might not be necessary, but for good measure...
    vos syncserv fritz
    vos syncvldb fritz
    
    # refresh volume location cache (takes ~2hrs otherwise)
    execute_on_all_machines fs checkvolumes
}
Commit	Line	Data
abfe84ca CE	1	# -- sh-mode --
	2
	3	# Library functions for create-user scripts
	4	# Export the $NEWUSER variable before sourcing!
	5
	6	# Functionality is split so that the scripts for creating real users,
	7	# service users, and web service users can share as much code as
	8	# possible.
	9
	10	# This has probably grown to the point where it shouldn't be a shell
	11	# script any more.
	12
	13	# ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is
	14	# something that should be perfectly permissible, and is something
	15	# that we do somewhat regularly (to bring old accounts up to date).
	16
	17	export PATH=$PATH:/afs/hcoop.net/common/bin/
	18
	19	if test -z "$NEWUSER"; then
	20	echo "NEWUSER not set before sourcing create user library"
	21	exit 1
	22	fi
	23
	24	#
	25	# Construct various paths for later perusal.
	26	#
	27
	28	# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
	29	PATHBITS=`echo $NEWUSER \| head -c 1`/`echo $NEWUSER \| head -c 2`/$NEWUSER
	30	HOMEPATH=/afs/hcoop.net/user/$PATHBITS
	31	MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
	32
	33	#
	34	# Helper functions
	35	#
	36
	37	function execute_on_web_nodes () {
	38	ssh -K deleuze $*
	39	ssh -K mire $*
	40	ssh -K navajos $*
	41	}
	42
	43	function execute_on_domtool_server () {
	44	ssh -K deleuze.hcoop.net $*
	45	}
	46
	47
	48	function execute_on_all_machines () {
	49	$*
	50	ssh -K mire.hcoop.net $*
	51	ssh -K hopper.hcoop.net $*
	52	ssh -K deleuze.hcoop.net $*
	53	ssh -K navajos.hcoop.net $*
	54	ssh -K bog.hcoop.net $*
	55	}
	56
	57	#
	58	# User credentials
	59	#
	60
	61	function create_pts_user () {
	62	# Create primary user kerberos principle and afs pts user
	63
	64	# We use -randkey for user's main principal as well, to make sure
65	# that the creation process does not continue without having a
66	# main principal. (But you who want to set password for a user,
67	# don't worry - we'll invoke cpw later, so that it has the same
68	# effect as setting password right now - while it is more error
69	# tolerant).
70
71	sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET"
72	sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET"
73
74	pts cu $NEWUSER \|\| true
75	}
76
77	function create_pts_user_daemon () {
78
79	# Create additional kerberos principles ($user.daemon for now, in
80	# theory also $user.mail, $user.cgi) and pts users for any used to
81	# gain afs access ($user.daemon only)
82	sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET"
83	pts cu $NEWUSER.daemon \|\| true
84	}
85
86	function export_user_keytabs () {
87
88	# Export .mailfilter and .cgi keys to a keytab file
89
90	# This is suboptimal, we need to generate keytabs for
91	# cgi/mail/etc. separately, and only sync to the nodes that
92	# perform the services in question
93
94	# create a daemon keytab (used by /etc/exim4/get-token)
95	# only if it does not exist!
96	test -e /etc/keytabs/user.daemon/$NEWUSER \|\| \
97	sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET"
98
99	# Properly chown/mod keytab files (must be $NEWUSER:www-data)
100	sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER
101	sudo chmod 440 /etc/keytabs/user.daemon/$NEWUSER
102
103	# rsync keytabs
104	(cd /etc/keytabs
105	sudo tar clpf - user.daemon/$NEWUSER \| \
106	ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
107	(cd /etc/keytabs
108	sudo tar clpf - user.daemon/$NEWUSER \| \
109	ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
110	(cd /etc/keytabs
111	sudo tar clpf - user.daemon/$NEWUSER \| \
112	ssh deleuze.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
113	(cd /etc/keytabs
114	sudo tar clpf - user.daemon/$NEWUSER \| \
115	ssh navajos.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
116	(cd /etc/keytabs
117	sudo tar clpf - user.daemon/$NEWUSER \| \
118	ssh bog.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
119	}
120
121
122	#
123	# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
124	#
125
126	# Each function that creates an afs volume should ensure that the
127	# backup volume is created and mounted for users.
128
129	function create_home_volume () {
130
131	if vos examine user.$NEWUSER.d 2>/dev/null; then
132	echo "Reactivating old volume (user.$NEWUSER.d)"
133	vos rename user.$NEWUSER.d user.$NEWUSER
134	fi
135	vos examine user.$NEWUSER 2>/dev/null \|\| \
136	vos create fritz.hcoop.net /vicepa user.$NEWUSER -maxquota 400000
137
138	mkdir -p `dirname $HOMEPATH`
139	fs ls $HOMEPATH \|\| test -L $HOMEPATH \|\| fs mkm $HOMEPATH user.$NEWUSER
140	chown $NEWUSER:nogroup $HOMEPATH
141	fs sa $HOMEPATH $NEWUSER all
142	fs sa $HOMEPATH system:anyuser l
143	# cleanliness / needed to keep suphp happy
144	chown root:root $HOMEPATH/../../
145	chown root:root $HOMEPATH/../
146
147	# backup volume
148	mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
149	fs ls /afs/hcoop.net/.old/user/$PATHBITS \|\| \
150	fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup
151	}
152
153
154	function create_mail_volume () {
155
156	if vos examine mail.$NEWUSER.d 2>/dev/null; then
157	echo "Reactivating old volume (mail.$NEWUSER.d)"
158	vos rename mail.$NEWUSER.d mail.$NEWUSER
159	fi
160	vos examine mail.$NEWUSER 2>/dev/null \|\| \
161	vos create fritz.hcoop.net /vicepa mail.$NEWUSER -maxquota 400000
162
163	mkdir -p `dirname $MAILPATH`
164	fs ls $MAILPATH \|\| fs mkm $MAILPATH mail.$NEWUSER
165	fs ls $HOMEPATH/Maildir \|\| fs mkm $HOMEPATH/Maildir mail.$NEWUSER
166	chown $NEWUSER:nogroup $MAILPATH
167	chown $NEWUSER:nogroup $HOMEPATH/Maildir
168	fs sa $MAILPATH $NEWUSER all
169	fs sa $MAILPATH $NEWUSER.daemon all
170
171	if test ! -e $MAILPATH/new; then
172	mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
173	echo -e "This email account is provided as a service for HCoop members." \
174	"\n\nTo learn how to use it, please visit the page" \
175	"\n<http://wiki.hcoop.net/MemberManual/Email> on our website."\| \
176	mail -s "Welcome to your HCoop email store" \
177	-e -a "From: postmaster@hcoop.net" \
178	real-$NEWUSER
179	fi
180
181	chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
182
183	# Set up shared SpamAssassin folder
184	if test -f $HOMEPATH/Maildir/shared-maildirs; then
185	# Deal with case where user rsync'd their Maildir from fyodor
186	# Not an issue now, but harmless and can be adapted when we
187	# move the spamd dirs into afs where they belong later.
188	pattern='^SpamAssassin /home/spamd'
189	file=$HOMEPATH/Maildir/shared-maildirs
190	if grep $pattern $file; then
191	sed -i -r -e \
192	's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
193	$file
194	fi
195	else
196	maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
197	$HOMEPATH/Maildir
198	fi
199
200	mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
201	fs ls /afs/hcoop.net/.old/mail/$PATHBITS \|\| \
202	fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup
203	vos release old
204	}
205
206	function seed_user_hcoop_directories () {
207	# Additional standard directories. Some of these should probably
208	# be on their own volumes, and access via a canonical path instead
209	# to give users more control over their home dir without risking
210	# breaking system services.
211
212	# Apache logs
213	mkdir -p $HOMEPATH/.logs
214	chown $NEWUSER:nogroup $HOMEPATH/.logs
215	mkdir -p $HOMEPATH/.logs/apache
216	chown $NEWUSER:nogroup $HOMEPATH/.logs/apache
217	fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk
218	mkdir -p $HOMEPATH/.logs/mail
219	fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk
220	chown $NEWUSER:nogroup $HOMEPATH/.logs/mail
221
222	# public_html
223	test -e $HOMEPATH/public_html \|\| \
224	(mkdir -p $HOMEPATH/public_html; \
225	chown $NEWUSER:nogroup $HOMEPATH/public_html; \
226	fs sa $HOMEPATH/public_html system:anyuser none; \
227	fs sa $HOMEPATH/public_html $NEWUSER.daemon rl)
228
229	# .procmail.d
230	mkdir -p $HOMEPATH/.procmail.d
231	chown $NEWUSER:nogroup $HOMEPATH/.procmail.d
232	fs sa $HOMEPATH/.procmail.d system:anyuser rl
233
234	# .public
235	mkdir -p $HOMEPATH/.public/
236	chown $NEWUSER:nogroup $HOMEPATH/.public
237	fs sa $HOMEPATH/.public system:anyuser rl
238
239	# .domtool
240	mkdir -p $HOMEPATH/.public/.domtool
241	chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool
242	test -e $HOMEPATH/.domtool \|\| \
243	test -L $HOMEPATH/.domtool \|\| \
244	execute_on_domtool_server sudo -u $NEWUSER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
245	# ^^ work around sudo env_reset crap without having to
246	# actually figure out how to make it work cleanly -- clinton,
247	# 2011-11-30
248
249	# Gitweb hosting
250	test -L /var/cache/git/$NEWUSER \|\| \
251	sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$NEWUSER
252
253	}
254
255	#
256	# Non-AFS files and directories
257	#
258
259	function create_dav_locks () {
260	# Make per-user apache DAV lock directory -- the directory must be
261	# both user and group-writable, which is silly.
262	execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$NEWUSER
263	execute_on_web_nodes sudo chown $NEWUSER:www-data /var/lock/apache2/dav/$NEWUSER
264	execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$NEWUSER
265	}
266
267	function setup_user_databases () {
268	sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER
269	}
270
271	#
272	# etc
273	#
274
275	function enable_domtool () {
276	execute_on_domtool_server domtool-adduser $NEWUSER
277	}
278
279	function subscribe_to_lists () {
280	# Subscribe user to our mailing lists.
281
282	echo $NEWUSER@hcoop.net \| ssh -K deleuze sudo -u list \
283	/var/lib/mailman/bin/add_members -r - hcoop-announce
284	}
285
286	function ensure_afs_servers_synced () {
287	vos release old
288
289	# technically this might not be necessary, but for good measure...
290	vos syncserv fritz
291	vos syncvldb fritz
292
293	# refresh volume location cache (takes ~2hrs otherwise)
294	execute_on_all_machines fs checkvolumes
295	}