| 1 | # -*- sh-mode -*- |
| 2 | |
| 3 | # Library functions for create-user scripts |
| 4 | # Export the $NEWUSER variable before sourcing! |
| 5 | |
| 6 | # Functionality is split so that the scripts for creating real users, |
| 7 | # service users, and web service users can share as much code as |
| 8 | # possible. |
| 9 | |
| 10 | # This has probably grown to the point where it shouldn't be a shell |
| 11 | # script any more. |
| 12 | |
| 13 | # ALWAYS REMEMBER: THIS MUST BE IDEMPOTENT! re creating a user is |
| 14 | # something that should be perfectly permissible, and is something |
| 15 | # that we do somewhat regularly (to bring old accounts up to date). |
| 16 | |
| 17 | export PATH=$PATH:/afs/hcoop.net/common/bin/ |
| 18 | |
| 19 | if test -z "$NEWUSER"; then |
| 20 | echo "NEWUSER not set before sourcing create user library" |
| 21 | exit 1 |
| 22 | fi |
| 23 | |
| 24 | # |
| 25 | # Construct various paths for later perusal. |
| 26 | # |
| 27 | |
| 28 | # (If it's not clear, for user fred, PATHBITS = f/fr/fred) |
| 29 | PATHBITS=`echo $NEWUSER | head -c 1`/`echo $NEWUSER | head -c 2`/$NEWUSER |
| 30 | HOMEPATH=/afs/hcoop.net/user/$PATHBITS |
| 31 | MAILPATH=/afs/hcoop.net/common/email/$PATHBITS |
| 32 | |
| 33 | # |
| 34 | # Helper functions |
| 35 | # |
| 36 | |
| 37 | function execute_on_web_nodes () { |
| 38 | ssh -K deleuze $* |
| 39 | ssh -K navajos $* |
| 40 | } |
| 41 | |
| 42 | function execute_on_domtool_server () { |
| 43 | ssh -K deleuze.hcoop.net $* |
| 44 | } |
| 45 | |
| 46 | |
| 47 | function execute_on_all_machines () { |
| 48 | $* |
| 49 | ssh -K hopper.hcoop.net $* |
| 50 | ssh -K deleuze.hcoop.net $* |
| 51 | ssh -K navajos.hcoop.net $* |
| 52 | ssh -K bog.hcoop.net $* |
| 53 | } |
| 54 | |
| 55 | # |
| 56 | # User credentials |
| 57 | # |
| 58 | |
| 59 | function create_pts_user () { |
| 60 | # Create primary user kerberos principle and afs pts user |
| 61 | |
| 62 | # We use -randkey for user's main principal as well, to make sure |
| 63 | # that the creation process does not continue without having a |
| 64 | # main principal. (But you who want to set password for a user, |
| 65 | # don't worry - we'll invoke cpw later, so that it has the same |
| 66 | # effect as setting password right now - while it is more error |
| 67 | # tolerant). |
| 68 | |
| 69 | sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $NEWUSER@HCOOP.NET" |
| 70 | sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $NEWUSER@HCOOP.NET" |
| 71 | |
| 72 | pts cu $NEWUSER || true |
| 73 | } |
| 74 | |
| 75 | function create_pts_user_daemon () { |
| 76 | |
| 77 | # Create additional kerberos principles ($user.daemon for now, in |
| 78 | # theory also $user.mail, $user.cgi) and pts users for any used to |
| 79 | # gain afs access ($user.daemon only) |
| 80 | sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $NEWUSER/daemon@HCOOP.NET" |
| 81 | pts cu $NEWUSER.daemon || true |
| 82 | } |
| 83 | |
| 84 | function export_user_keytabs () { |
| 85 | |
| 86 | # Export .mailfilter and .cgi keys to a keytab file |
| 87 | |
| 88 | # This is suboptimal, we need to generate keytabs for |
| 89 | # cgi/mail/etc. separately, and only sync to the nodes that |
| 90 | # perform the services in question |
| 91 | |
| 92 | # create a daemon keytab (used by /etc/exim4/get-token) |
| 93 | # *only* if it does not exist! |
| 94 | test -e /etc/keytabs/user.daemon/$NEWUSER || \ |
| 95 | sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$NEWUSER $NEWUSER/daemon@HCOOP.NET" |
| 96 | |
| 97 | # Properly chown/mod keytab files (must be $NEWUSER:www-data) |
| 98 | sudo chown $NEWUSER:www-data /etc/keytabs/user.daemon/$NEWUSER |
| 99 | sudo chmod 440 /etc/keytabs/user.daemon/$NEWUSER |
| 100 | |
| 101 | # rsync keytabs |
| 102 | (cd /etc/keytabs |
| 103 | sudo tar clpf - user.daemon/$NEWUSER | \ |
| 104 | ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) |
| 105 | (cd /etc/keytabs |
| 106 | sudo tar clpf - user.daemon/$NEWUSER | \ |
| 107 | ssh deleuze.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) |
| 108 | (cd /etc/keytabs |
| 109 | sudo tar clpf - user.daemon/$NEWUSER | \ |
| 110 | ssh navajos.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) |
| 111 | (cd /etc/keytabs |
| 112 | sudo tar clpf - user.daemon/$NEWUSER | \ |
| 113 | ssh bog.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) |
| 114 | } |
| 115 | |
| 116 | |
| 117 | # |
| 118 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) |
| 119 | # |
| 120 | |
| 121 | # Each function that creates an afs volume should ensure that the |
| 122 | # backup volume is created and mounted for users. |
| 123 | |
| 124 | function create_home_volume () { |
| 125 | |
| 126 | if vos examine user.$NEWUSER.d 2>/dev/null; then |
| 127 | echo "Reactivating old volume (user.$NEWUSER.d)" |
| 128 | vos rename user.$NEWUSER.d user.$NEWUSER |
| 129 | fi |
| 130 | vos examine user.$NEWUSER 2>/dev/null || \ |
| 131 | vos create fritz.hcoop.net /vicepa user.$NEWUSER -maxquota 400000 |
| 132 | |
| 133 | mkdir -p `dirname $HOMEPATH` |
| 134 | fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$NEWUSER |
| 135 | chown $NEWUSER:nogroup $HOMEPATH |
| 136 | fs sa $HOMEPATH $NEWUSER all |
| 137 | fs sa $HOMEPATH system:anyuser l |
| 138 | # cleanliness / needed to keep suphp happy |
| 139 | chown root:root $HOMEPATH/../../ |
| 140 | chown root:root $HOMEPATH/../ |
| 141 | |
| 142 | # backup volume |
| 143 | mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS` |
| 144 | fs ls /afs/hcoop.net/.old/user/$PATHBITS || \ |
| 145 | fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$NEWUSER.backup |
| 146 | } |
| 147 | |
| 148 | |
| 149 | function create_mail_volume () { |
| 150 | |
| 151 | if vos examine mail.$NEWUSER.d 2>/dev/null; then |
| 152 | echo "Reactivating old volume (mail.$NEWUSER.d)" |
| 153 | vos rename mail.$NEWUSER.d mail.$NEWUSER |
| 154 | fi |
| 155 | vos examine mail.$NEWUSER 2>/dev/null || \ |
| 156 | vos create fritz.hcoop.net /vicepa mail.$NEWUSER -maxquota 400000 |
| 157 | |
| 158 | mkdir -p `dirname $MAILPATH` |
| 159 | fs ls $MAILPATH || fs mkm $MAILPATH mail.$NEWUSER |
| 160 | fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$NEWUSER |
| 161 | chown $NEWUSER:nogroup $MAILPATH |
| 162 | chown $NEWUSER:nogroup $HOMEPATH/Maildir |
| 163 | fs sa $MAILPATH $NEWUSER all |
| 164 | fs sa $MAILPATH $NEWUSER.daemon all |
| 165 | |
| 166 | if test ! -e $MAILPATH/new; then |
| 167 | mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp |
| 168 | echo -e "This email account is provided as a service for HCoop members." \ |
| 169 | "\n\nTo learn how to use it, please visit the page" \ |
| 170 | "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \ |
| 171 | mail -s "Welcome to your HCoop email store" \ |
| 172 | -e -a "From: postmaster@hcoop.net" \ |
| 173 | real-$NEWUSER |
| 174 | fi |
| 175 | |
| 176 | chown $NEWUSER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp |
| 177 | |
| 178 | # Set up shared SpamAssassin folder |
| 179 | if test -f $HOMEPATH/Maildir/shared-maildirs; then |
| 180 | # Deal with case where user rsync'd their Maildir from fyodor |
| 181 | # Not an issue now, but harmless and can be adapted when we |
| 182 | # move the spamd dirs into afs where they belong later. |
| 183 | pattern='^SpamAssassin /home/spamd' |
| 184 | file=$HOMEPATH/Maildir/shared-maildirs |
| 185 | if grep $pattern $file; then |
| 186 | sed -i -r -e \ |
| 187 | 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \ |
| 188 | $file |
| 189 | fi |
| 190 | else |
| 191 | maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \ |
| 192 | $HOMEPATH/Maildir |
| 193 | fi |
| 194 | |
| 195 | mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS` |
| 196 | fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \ |
| 197 | fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$NEWUSER.backup |
| 198 | vos release old |
| 199 | } |
| 200 | |
| 201 | function seed_user_hcoop_directories () { |
| 202 | # Additional standard directories. Some of these should probably |
| 203 | # be on their own volumes, and access via a canonical path instead |
| 204 | # to give users more control over their home dir without risking |
| 205 | # breaking system services. |
| 206 | |
| 207 | # Apache logs |
| 208 | mkdir -p $HOMEPATH/.logs |
| 209 | chown $NEWUSER:nogroup $HOMEPATH/.logs |
| 210 | mkdir -p $HOMEPATH/.logs/apache |
| 211 | chown $NEWUSER:nogroup $HOMEPATH/.logs/apache |
| 212 | fs sa $HOMEPATH/.logs/apache $NEWUSER.daemon rlwidk |
| 213 | mkdir -p $HOMEPATH/.logs/mail |
| 214 | fs sa $HOMEPATH/.logs/mail $NEWUSER.daemon rlwidk |
| 215 | chown $NEWUSER:nogroup $HOMEPATH/.logs/mail |
| 216 | |
| 217 | # public_html |
| 218 | test -e $HOMEPATH/public_html || \ |
| 219 | (mkdir -p $HOMEPATH/public_html; \ |
| 220 | chown $NEWUSER:nogroup $HOMEPATH/public_html; \ |
| 221 | fs sa $HOMEPATH/public_html system:anyuser none; \ |
| 222 | fs sa $HOMEPATH/public_html $NEWUSER.daemon rl) |
| 223 | |
| 224 | # .procmail.d |
| 225 | mkdir -p $HOMEPATH/.procmail.d |
| 226 | chown $NEWUSER:nogroup $HOMEPATH/.procmail.d |
| 227 | fs sa $HOMEPATH/.procmail.d system:anyuser rl |
| 228 | |
| 229 | # .public |
| 230 | mkdir -p $HOMEPATH/.public/ |
| 231 | chown $NEWUSER:nogroup $HOMEPATH/.public |
| 232 | fs sa $HOMEPATH/.public system:anyuser rl |
| 233 | |
| 234 | # .domtool |
| 235 | mkdir -p $HOMEPATH/.public/.domtool |
| 236 | chown $NEWUSER:nogroup $HOMEPATH/.public/.domtool |
| 237 | test -e $HOMEPATH/.domtool || \ |
| 238 | test -L $HOMEPATH/.domtool || \ |
| 239 | execute_on_domtool_server sudo -u $NEWUSER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool |
| 240 | # ^^ work around sudo env_reset crap without having to |
| 241 | # actually figure out how to make it work cleanly -- clinton, |
| 242 | # 2011-11-30 |
| 243 | |
| 244 | # Gitweb hosting |
| 245 | test -L /var/cache/git/$NEWUSER || \ |
| 246 | sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$NEWUSER |
| 247 | |
| 248 | } |
| 249 | |
| 250 | # |
| 251 | # Non-AFS files and directories |
| 252 | # |
| 253 | |
| 254 | function create_dav_locks () { |
| 255 | # Make per-user apache DAV lock directory -- the directory must be |
| 256 | # both user and group-writable, which is silly. |
| 257 | execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$NEWUSER |
| 258 | execute_on_web_nodes sudo chown $NEWUSER:www-data /var/lock/apache2/dav/$NEWUSER |
| 259 | execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$NEWUSER |
| 260 | } |
| 261 | |
| 262 | function setup_user_databases () { |
| 263 | sudo /afs/hcoop.net/common/etc/scripts/create-user-database $NEWUSER |
| 264 | } |
| 265 | |
| 266 | # |
| 267 | # etc |
| 268 | # |
| 269 | |
| 270 | function enable_domtool () { |
| 271 | execute_on_domtool_server domtool-adduser $NEWUSER |
| 272 | } |
| 273 | |
| 274 | function subscribe_to_lists () { |
| 275 | # Subscribe user to our mailing lists. |
| 276 | |
| 277 | echo $NEWUSER@hcoop.net | ssh -K deleuze sudo -u list \ |
| 278 | /var/lib/mailman/bin/add_members -r - hcoop-announce |
| 279 | } |
| 280 | |
| 281 | function ensure_afs_servers_synced () { |
| 282 | vos release old |
| 283 | |
| 284 | # technically this might not be necessary, but for good measure... |
| 285 | vos syncserv fritz |
| 286 | vos syncvldb fritz |
| 287 | |
| 288 | # refresh volume location cache (takes ~2hrs otherwise) |
| 289 | execute_on_all_machines fs checkvolumes |
| 290 | } |