5 # - as a user with an /etc/sudoers line
6 # - member of "wheel" unix group on deleuze
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - and is a member of "wheel" on mire
9 # - while holding tokens for a user who is:
10 # - a member of system:administrator
11 # - listed in 'bos listusers deleuze'
12 # - and who has been set up with Domtool admin privileges by:
13 # - running 'domtool-adduser $USER' while holding AFS admin tokens as
14 # someone who is already a Domtool admin
15 # - running 'domtool-admin grant $USER priv all' as someone who is already a
17 # (To bootstrap yourself into admindom:
18 # 1. Run '/etc/init.d/domtool-server stop' on deleuze.
19 # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
21 # 3. Edit ~domtool/acl, following the example of adamc_admin to grant
22 # yourself 'priv all'.
23 # 4. Run '/etc/init.d/domtool-server start' on deleuze.
24 # 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
26 # 6. Run 'domtool-adduser' as above.)
30 export PATH
=$PATH:/afs
/hcoop.net
/common
/bin
/
32 if test -z "$USER"; then
33 echo "Invoke as create-user <USERNAME>"
41 # Run a command on both mire and deleuze; assumes that no escaping is
43 function mire_and_deleuze
() {
45 ssh -K mire.hcoop.net $
*
48 function execute_on_fritz
() {
49 ssh -K fritz.hcoop.net $
*
52 function execute_on_all_machines
() {
54 ssh -K mire.hcoop.net $
*
55 ssh -K hopper.hcoop.net $
*
56 ssh -K fritz.hcoop.net $
*
61 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
64 # We use -randkey for user's main principal as well, to make sure that
65 # the creation process does not continue without having a main
66 # principal. (But you who want to set password for a user, don't
67 # worry - we'll invoke cpw later, so that it has the same effect
68 # as setting password right now - while it is more error tolerant).
70 sudo kadmin.
local -p root
/admin
-q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
71 sudo kadmin.
local -p root
/admin
-q "modprinc -maxlife 1day $USER@HCOOP.NET"
72 sudo kadmin.
local -p root
/admin
-q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
75 # Create AFS users corresponding to krb5 principals.
76 # (fred/cgi principal == fred.cgi AFS user)
80 ID
=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
81 pts cu
$USER.daemon || true
82 ID_DAEMON
=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
86 # Construct various paths for later perusal.
89 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
90 PATHBITS
=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
91 HOMEPATH
=/afs
/hcoop.net
/user
/$PATHBITS
92 MAILPATH
=/afs
/hcoop.net
/common
/email
/$PATHBITS
95 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
96 # lost the idea of what I want to do with LDAP, but we'll
97 # see with time how well it integrates...)
98 # The ID returned from AFS is important here, we want to make
99 # sure those IDs match.
104 dn: uid=$USER,ou=People,dc=hcoop,dc=net
107 objectClass: posixAccount
115 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
117 objectClass: posixGroup
121 " | sudo ldapadd
-x -D cn
=admin
,dc=hcoop
,dc=net
-y /etc
/ldap.secret || true
125 dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
128 objectClass: posixAccount
131 gidNumber: $ID_DAEMON
134 dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
136 objectClass: posixGroup
138 gidNumber: $ID_DAEMON
139 memberUid: $USER.daemon
140 " | sudo ldapadd
-x -D cn
=admin
,dc=hcoop
,dc=net
-y /etc
/ldap.secret || true
144 # Export .mailfilter and .cgi keys to a keytab file
147 # create a daemon keytab (used by /etc/exim4/get-token)
148 # *only* if it does not exist!
149 test -e /etc
/keytabs
/user.daemon
/$USER || \
150 sudo kadmin.
local -p root
/admin
-q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
152 # Properly chown/mod keytab files (must be $USER:www-data)
153 sudo chown
$USER:www-data
/etc
/keytabs
/user.daemon
/$USER
154 sudo
chmod 440 /etc
/keytabs
/user.daemon
/$USER
158 sudo
tar clpf
- user.daemon
/$USER | \
159 ssh mire.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
161 sudo
tar clpf
- user.daemon
/$USER | \
162 ssh hopper.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
164 sudo
tar clpf
- user.daemon
/$USER | \
165 ssh fritz.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
168 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
172 if vos examine user.
$USER.d
2>/dev
/null
; then
173 echo "Reactivating old volume (user.$USER.d)"
174 vos rename user.
$USER.d user.
$USER
176 vos examine user.
$USER 2>/dev
/null || \
177 vos create fritz.hcoop.net
/vicepa user.
$USER -maxquota 400000
179 mkdir
-p `dirname $HOMEPATH`
180 fs
ls $HOMEPATH ||
test -L $HOMEPATH || fs mkm
$HOMEPATH user.
$USER
181 chown
$USER:nogroup
$HOMEPATH
182 fs sa
$HOMEPATH $USER all
183 fs sa
$HOMEPATH system
:anyuser l
186 mkdir
-p $HOMEPATH/.logs
187 chown
$USER:nogroup
$HOMEPATH/.logs
188 mkdir
-p $HOMEPATH/.logs
/apache
189 chown
$USER:nogroup
$HOMEPATH/.logs
/apache
190 fs sa
$HOMEPATH/.logs
/apache
$USER.daemon rlwidk
191 mkdir
-p $HOMEPATH/.logs
/mail
192 fs sa
$HOMEPATH/.logs
/mail $USER.daemon rlwidk
193 chown
$USER:nogroup
$HOMEPATH/.logs
/mail
196 test -e $HOMEPATH/public_html || \
197 (mkdir
-p $HOMEPATH/public_html
; \
198 chown
$USER:nogroup
$HOMEPATH/public_html
; \
199 fs sa
$HOMEPATH/public_html system
:anyuser none
; \
200 fs sa
$HOMEPATH/public_html
$USER.daemon rl
)
203 mkdir
-p $HOMEPATH/.procmail.d
204 chown
$USER:nogroup
$HOMEPATH/.procmail.d
205 fs sa
$HOMEPATH/.procmail.d system
:anyuser rl
208 mkdir
-p $HOMEPATH/.public
/
209 chown
$USER:nogroup
$HOMEPATH/.public
210 fs sa
$HOMEPATH/.public system
:anyuser rl
213 mkdir
-p $HOMEPATH/.public
/.domtool
214 chown
$USER:nogroup
$HOMEPATH/.public
/.domtool
215 test -e $HOMEPATH/.domtool || \
216 test -L $HOMEPATH/.domtool || \
217 sudo
-u $USER ln -s $HOMEPATH/.public
/.domtool
$HOMEPATH/.domtool
220 test -L /var
/cache
/git
/$USER || \
221 sudo
ln -s $HOMEPATH/.hcoop-git
/var
/cache
/git
/$USER
224 if vos examine
mail.
$USER.d
2>/dev
/null
; then
225 echo "Reactivating old volume (mail.$USER.d)"
226 vos rename
mail.
$USER.d
mail.
$USER
228 vos examine
mail.
$USER 2>/dev
/null || \
229 vos create fritz.hcoop.net
/vicepa
mail.
$USER -maxquota 400000
231 mkdir
-p `dirname $MAILPATH`
232 fs
ls $MAILPATH || fs mkm
$MAILPATH mail.
$USER
233 fs
ls $HOMEPATH/Maildir || fs mkm
$HOMEPATH/Maildir
mail.
$USER
234 chown
$USER:nogroup
$MAILPATH
235 chown
$USER:nogroup
$HOMEPATH/Maildir
236 fs sa
$MAILPATH $USER all
237 fs sa
$MAILPATH $USER.daemon all
238 if test ! -e $MAILPATH/new
; then
239 mkdir
-p $MAILPATH/cur
$MAILPATH/new
$MAILPATH/tmp
240 echo -e "This email account is provided as a service for HCoop members." \
241 "\n\nTo learn how to use it, please visit the page" \
242 "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
243 mail -s "Welcome to your HCoop email store" \
244 -e -a "From: postmaster@hcoop.net" \
247 chown
$USER:nogroup
$MAILPATH/cur
$MAILPATH/new
$MAILPATH/tmp
249 # Set up shared SpamAssassin folder
250 if test -f $HOMEPATH/Maildir
/shared-maildirs
; then
251 # Deal with case where user rsync'd their Maildir from fyodor
252 pattern
='^SpamAssassin /home/spamd'
253 file=$HOMEPATH/Maildir
/shared-maildirs
254 if grep $pattern $file; then
256 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
260 maildirmake
--add SpamAssassin
=/var
/local
/lib
/spamd
/Maildir \
264 # Create database tablespaces
265 execute_on_fritz
/afs
/hcoop.net
/common
/etc
/scripts
/create-user-database
$USER
268 # Mount points for backup volumes
271 mkdir
-p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
272 mkdir
-p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
273 fs
ls /afs
/hcoop.net
/.old
/user
/$PATHBITS || \
274 fs mkm
/afs
/hcoop.net
/.old
/user
/$PATHBITS user.
$USER.backup
275 fs
ls /afs
/hcoop.net
/.old
/mail
/$PATHBITS || \
276 fs mkm
/afs
/hcoop.net
/.old
/mail
/$PATHBITS mail.
$USER.backup
279 # technically this might not be necessary, but for good measure...
283 # refresh volume location cache (takes ~2hrs otherwise)
284 execute_on_all_machines fs checkvolumes
287 # Non-AFS files and directories
290 # Make per-user apache DAV lock directory -- the directory must be
291 # both user and group-writable, which is silly.
292 mire_and_deleuze sudo mkdir
-p /var
/lock
/apache
2/dav
/$USER
293 mire_and_deleuze sudo chown
$USER:www-data
/var
/lock
/apache
2/dav
/$USER
294 mire_and_deleuze sudo
chmod ug
=rwx
,o
= /var
/lock
/apache
2/dav
/$USER
297 # Domtool integration
300 domtool-adduser
$USER
303 # Subscribe user to our mailing lists.
305 echo $USER@hcoop.net | sudo
-u list \
306 /var
/lib
/mailman
/bin
/add_members
-r - hcoop-announce