HCoop / hcoop / scripts.git / blob
? search:


2e009f4cdad88947ede2268682e9a35451a9e22e
[hcoop/scripts.git] / create-user
1 #!/bin/bash -ex
2
3 # MUST be executed:
4 # - on deleuze
5 # - as a user with an /etc/sudoers line
6 # - member of wheel unix group
7 # - while holding tokens for a user who is:
8 # - a member of system:administrator
9 # - listed in 'bos listusers deleuze'
10
11 USER=$1
12
13 if test -z "$USER"; then
14 echo "Invoke as create-user <USERNAME>"
15 exit 1
16 fi
17
18
19 #
20 # Kerberos principals
21 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
22 #
23
24 # We use -randkey for user's main principal as well, to make sure that
25 # the creation process does not continue without having a main
26 # principal. (But you who want to set password for a user, don't
27 # worry - we'll invoke cpw later, so that it has the same effect
28 # as setting password right now - while it is more error tolerant).
29
30 sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
31 sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
32 sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
33
34
35 #
36 # Create AFS users corresponding to krb5 principals.
37 # (fred/cgi principal == fred.cgi AFS user)
38 #
39
40 pts cu $USER || true
41 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
42 pts cu $USER.mailfilter $ID_MF || true
43 ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
44 pts cu $USER.cgi || true
45 ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
46
47
48 #
49 # Construct various paths for later perusal.
50 #
51
52 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
53 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
54 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
55 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
56 DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
57 PGDIR=$DBPATH/postgres
58 MYSQLDIR=$DBPATH/mysql
59
60
61 #
62 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
63 # lost the idea of what I want to do with LDAP, but we'll
64 # see with time how well it integrates...)
65 # The ID returned from AFS is important here, we want to make
66 # sure those IDs match.
67 #
68
69 # USER entry
70 echo "
71 dn: uid=$USER,ou=People,dc=hcoop,dc=net
72 objectClass: top
73 objectClass: person
74 objectClass: posixAccount
75 cn: $USER
76 uid: $USER
77 gidNumber: $ID
78 homeDirectory: $HOMEPATH
79 sn: $USER
80 host: abulafia
81 host: mire
82
83 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
84 objectClass: top
85 objectClass: posixGroup
86 cn: $USER
87 gidNumber: $ID
88 memberUid: $USER
89 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
90
91 # USER.mailfilter entry
92 echo "
93 dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
94 objectClass: top
95 objectClass: person
96 objectClass: posixAccount
97 cn: $USER.mailfilter
98 uid: $USER.mailfilter
99 gidNumber: $ID_MF
100 homeDirectory: $HOMEPATH
101 sn: $USER.mailfilter
102
103 dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
104 objectClass: top
105 objectClass: posixGroup
106 cn: $USER.mailfilter
107 gidNumber: $ID_MF
108 memberUid: $USER.mailfilter
109 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
110
111 # USER.cgi entry
112 echo "
113 dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
114 objectClass: top
115 objectClass: person
116 objectClass: posixAccount
117 cn: $USER.cgi
118 uid: $USER.cgi
119 gidNumber: $ID_CGI
120 homeDirectory: $HOMEPATH
121 sn: $USER.cgi
122
123 dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
124 objectClass: top
125 objectClass: posixGroup
126 cn: $USER.cgi
127 gidNumber: $ID_CGI
128 memberUid: $USER.cgi
129 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
130
131
132 #
133 # Export .mailfilter and .cgi keys to a keytab file
134 #
135
136 # create a mailfilter keytab (used by /etc/exim4/get-token)
137 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
138
139 # create a cgi keytab
140 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
141
142 # Properly chown/mod keytab files (www-data must own the cgi keytab)
143 sudo chown www-data:wheel /etc/keytabs/cgi/$USER
144 sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
145 sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
146
147 # rsync keytabs to mire
148 rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
149
150 #
151 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
152 #
153
154 # HOME VOLUME
155 vos examine user.$USER 2>/dev/null || \
156 vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
157 mkdir -p `dirname $HOMEPATH`
158 fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
159 chown $USER $HOMEPATH
160 fs sa $HOMEPATH $USER all
161 fs sa $HOMEPATH system:anyuser rl
162
163 # Apache logs
164 mkdir -p $HOMEPATH/logs/apache
165 fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
166
167 # public_html
168 mkdir -p $HOMEPATH/public_html/
169 fs sa $HOMEPATH/public_html system:anyuser rl
170 mkdir -p $HOMEPATH/.procmail.d/
171 fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
172
173 # MAIL VOLUME
174 vos examine mail.$USER 2>/dev/null || \
175 vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
176 mkdir -p `dirname $MAILPATH`
177 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
178 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
179 fs sa $MAILPATH $USER all
180 fs sa $MAILPATH $USER.mailfilter all
181
182 # DATABASE VOLUME
183 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
184 mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
185 vos create -server afs -partition a -name db.$USER -maxquota 400000
186 fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
187 vos release common.databases
188 fs sa -dir $DBPATH -acl system:postgres l
189 fs sa -dir $DBPATH -acl system:mysql l
190 fs sa -dir $DBPATH -acl system:backup rl
191 fi
192
193 # Create postgres user and tablespace placeholder within volume
194 if ! [ -d $PGDIR ]; then
195 mkdir -p $PGDIR
196 chown postgres:postgres $PGDIR
197 fs sa -dir $PGDIR -acl system:postgres write
198
199 sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
200 fi
201
202 # Create mysql user and databases placeholder within volume
203 mkdir -p $MYSQLDIR
204 chown mysql:mysql $MYSQLDIR
205 fs sa -dir $MYSQLDIR -acl system:mysql write
206
207
208 #
209 # Mount points for backup volumes
210 #
211
212 mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
213 mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
214 fs ls /afs/hcoop.net/old/user/$PATHBITS || \
215 fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
216 fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
217 fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
218
219 # technically this might not be necessary, but for good measure...
220 vos syncserv deleuze
221 vos syncvldb deleuze
222
223 # refresh volume location cache (takes ~2hrs otherwise)
224 fs checkvolumes
225 ssh mire.hcoop.net fs checkvolumes
226
227 #
228 # Finally, set password for main user's principal
229 # Aborting this operation is harmless. Just re-invoke cpw.
230 #
231 # kadmin.local doesn't report errors properly, so we have to
232 # check manually
233 #
234 sudo rm -f /tmp/kadmin.out
235 sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \
236 2>&1 | tee /tmp/kadmin.out
237 cat /tmp/kadmin.out | grep 'Password for .* changed'
238 sudo rm -f /tmp/kadmin.out
239
Unnamed repository; edit this file 'description' to name the repository.