HCoop / hcoop / scripts.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
"Factored" create-user, and script to create shared service users
[hcoop/scripts.git] / create-user
1 #!/bin/bash -ex
2
3 # MUST be executed:
4 # - on fritz
5 # - as a user with an /etc/sudoers line
6 # - member of "wheel" unix group on deleuze (FIXME: TRUE?)
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - and is a member of "wheel" on mire
9 # - while holding tokens for a user who is:
10 # - a member of system:administrator
11 # - listed in 'bos listusers fritz'
12 # - and who has been set up with Domtool admin privileges by:
13 # - running 'domtool-adduser $USER' while holding AFS admin tokens as
14 # someone who is already a Domtool admin
15 # - running 'domtool-admin grant $USER priv all' as someone who is already a
16 # Domtool admin
17 # (To bootstrap yourself into admindom:
18 # 1. Run '/etc/init.d/domtool-server stop' on deleuze.
19 # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
20 # (e.g., mire).
21 # 3. Edit ~domtool/acl, following the example of adamc_admin to grant
22 # yourself 'priv all'.
23 # 4. Run '/etc/init.d/domtool-server start' on deleuze.
24 # 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
25 # machines.
26 # 6. Run 'domtool-adduser' as above.)
27
28 USER=$1
29
30 export PATH=$PATH:/afs/hcoop.net/common/bin/
31
32 if test -z "$USER"; then
33 echo "Invoke as create-user <USERNAME>"
34 exit 1
35 fi
36
37 #
38 # Helper functions
39 #
40
41 # Run a command on both mire and deleuze; assumes that no escaping is
42 # needed.
43
44
45 function execute_on_web_nodes() {
46 ssh -K deleuze $*
47 ssh -K mire $*
48 ssh -K navajos $*
49 }
50
51 # change to execute_on_domtool_server
52 function execute_on_domtool_server () {
53 ssh -K deleuze.hcoop.net $*
54 }
55
56
57 function execute_on_all_machines () {
58 $*
59 ssh -K mire.hcoop.net $*
60 ssh -K hopper.hcoop.net $*
61 ssh -K deleuze.hcoop.net $*
62 ssh -K navajos.hcoop.net $*
63 ssh -K bog.hcoop.net $*
64 }
65
66 #
67 # Kerberos principals
68 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
69 #
70
71 # We use -randkey for user's main principal as well, to make sure that
72 # the creation process does not continue without having a main
73 # principal. (But you who want to set password for a user, don't
74 # worry - we'll invoke cpw later, so that it has the same effect
75 # as setting password right now - while it is more error tolerant).
76
77 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
78 sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
79 sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
80
81 #
82 # Create AFS users corresponding to krb5 principals.
83 # (fred/cgi principal == fred.cgi AFS user)
84 #
85
86 pts cu $USER || true
87 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
88 pts cu $USER.daemon || true
89 ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
90
91
92 #
93 # Construct various paths for later perusal.
94 #
95
96 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
97 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
98 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
99 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
100
101
102 # LDAP bit excised (see git history...)
103
104 #
105 # Export .mailfilter and .cgi keys to a keytab file
106 #
107
108 # create a daemon keytab (used by /etc/exim4/get-token)
109 # *only* if it does not exist!
110 test -e /etc/keytabs/user.daemon/$USER || \
111 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
112
113 # Properly chown/mod keytab files (must be $USER:www-data)
114 sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
115 sudo chmod 440 /etc/keytabs/user.daemon/$USER
116
117 # rsync keytabs
118 (cd /etc/keytabs
119 sudo tar clpf - user.daemon/$USER | \
120 ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
121 (cd /etc/keytabs
122 sudo tar clpf - user.daemon/$USER | \
123 ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
124 (cd /etc/keytabs
125 sudo tar clpf - user.daemon/$USER | \
126 ssh deleuze.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
127 (cd /etc/keytabs
128 sudo tar clpf - user.daemon/$USER | \
129 ssh navajos.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
130 (cd /etc/keytabs
131 sudo tar clpf - user.daemon/$USER | \
132 ssh bog.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
133
134 #
135 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
136 #
137
138 # HOME VOLUME
139 if vos examine user.$USER.d 2>/dev/null; then
140 echo "Reactivating old volume (user.$USER.d)"
141 vos rename user.$USER.d user.$USER
142 fi
143 vos examine user.$USER 2>/dev/null || \
144 vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000
145
146 mkdir -p `dirname $HOMEPATH`
147 fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
148 chown $USER:nogroup $HOMEPATH
149 fs sa $HOMEPATH $USER all
150 fs sa $HOMEPATH system:anyuser l
151 # cleanliness / needed to keep suphp happy
152 chown root:root $HOMEPATH/../../
153 chown root:root $HOMEPATH/../
154
155 # Apache logs
156 mkdir -p $HOMEPATH/.logs
157 chown $USER:nogroup $HOMEPATH/.logs
158 mkdir -p $HOMEPATH/.logs/apache
159 chown $USER:nogroup $HOMEPATH/.logs/apache
160 fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
161 mkdir -p $HOMEPATH/.logs/mail
162 fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
163 chown $USER:nogroup $HOMEPATH/.logs/mail
164
165 # public_html
166 test -e $HOMEPATH/public_html || \
167 (mkdir -p $HOMEPATH/public_html; \
168 chown $USER:nogroup $HOMEPATH/public_html; \
169 fs sa $HOMEPATH/public_html system:anyuser none; \
170 fs sa $HOMEPATH/public_html $USER.daemon rl)
171
172 # .procmail.d
173 mkdir -p $HOMEPATH/.procmail.d
174 chown $USER:nogroup $HOMEPATH/.procmail.d
175 fs sa $HOMEPATH/.procmail.d system:anyuser rl
176
177 # .public
178 mkdir -p $HOMEPATH/.public/
179 chown $USER:nogroup $HOMEPATH/.public
180 fs sa $HOMEPATH/.public system:anyuser rl
181
182 # .domtool
183 mkdir -p $HOMEPATH/.public/.domtool
184 chown $USER:nogroup $HOMEPATH/.public/.domtool
185 test -e $HOMEPATH/.domtool || \
186 test -L $HOMEPATH/.domtool || \
187 execute_on_domtool_server sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
188 # ^^ work around sudo env_reset crap without having to
189 # actually figure out how to make it work cleanly -- clinton,
190 # 2011-11-30
191
192 # Gitweb hosting
193 test -L /var/cache/git/$USER || \
194 sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
195
196 # MAIL VOLUME
197 if vos examine mail.$USER.d 2>/dev/null; then
198 echo "Reactivating old volume (mail.$USER.d)"
199 vos rename mail.$USER.d mail.$USER
200 fi
201 vos examine mail.$USER 2>/dev/null || \
202 vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000
203
204 mkdir -p `dirname $MAILPATH`
205 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
206 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
207 chown $USER:nogroup $MAILPATH
208 chown $USER:nogroup $HOMEPATH/Maildir
209 fs sa $MAILPATH $USER all
210 fs sa $MAILPATH $USER.daemon all
211 if test ! -e $MAILPATH/new; then
212 mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
213 echo -e "This email account is provided as a service for HCoop members." \
214 "\n\nTo learn how to use it, please visit the page" \
215 "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
216 mail -s "Welcome to your HCoop email store" \
217 -e -a "From: postmaster@hcoop.net" \
218 real-$USER
219 fi
220 chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
221
222 # Set up shared SpamAssassin folder
223 if test -f $HOMEPATH/Maildir/shared-maildirs; then
224 # Deal with case where user rsync'd their Maildir from fyodor
225 pattern='^SpamAssassin /home/spamd'
226 file=$HOMEPATH/Maildir/shared-maildirs
227 if grep $pattern $file; then
228 sed -i -r -e \
229 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
230 $file
231 fi
232 else
233 maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
234 $HOMEPATH/Maildir
235 fi
236
237 # Create database tablespaces
238 sudo /afs/hcoop.net/common/etc/scripts/create-user-database $USER
239
240 #
241 # Mount points for backup volumes
242 #
243
244 mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
245 mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
246 fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
247 fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
248 fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
249 fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
250 vos release old
251
252 # technically this might not be necessary, but for good measure...
253 vos syncserv fritz
254 vos syncvldb fritz
255
256 # refresh volume location cache (takes ~2hrs otherwise)
257 execute_on_all_machines fs checkvolumes
258
259 #
260 # Non-AFS files and directories
261 #
262
263 # Make per-user apache DAV lock directory -- the directory must be
264 # both user and group-writable, which is silly.
265 execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$USER
266 execute_on_web_nodes sudo chown $USER:www-data /var/lock/apache2/dav/$USER
267 execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
268
269 #
270 # Domtool integration
271 #
272
273 execute_on_domtool_server domtool-adduser $USER
274
275 #
276 # Subscribe user to our mailing lists.
277 #
278 echo $USER@hcoop.net | ssh -K deleuze sudo -u list \
279 /var/lib/mailman/bin/add_members -r - hcoop-announce
Unnamed repository; edit this file 'description' to name the repository.