create-user

   1 #!/bin/bash -ex
   2
   3 # MUST be executed:
   4 #  - on deleuze
   5 #  - as a user with an /etc/sudoers line
   6 #  - member of "wheel" unix group on deleuze
   7 #  - while holding tickets for a user who can 'ssh -K' to mire
   8 #     - and is a member of "wheel" on mire
   9 #  - while holding tokens for a user who is:
  10 #     - a member of system:administrator
  11 #     - listed in 'bos listusers deleuze'
  12
  13 USER=$1
  14
  15 export PATH=$PATH:/afs/hcoop.net/common/bin/
  16
  17 if test -z "$USER"; then
  18         echo "Invoke as create-user <USERNAME>"
  19         exit 1
  20 fi
  21
  22 #
  23 # Helper functions
  24 #
  25
  26 # Run a command on both mire and deleuze; assumes that no escaping is
  27 # needed.
  28 function mire_and_deleuze() {
  29     $*
  30     ssh mire.hcoop.net $*
  31 }
  32
  33 #
  34 # Kerberos principals
  35 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
  36 #
  37
  38 # We use -randkey for user's main principal as well, to make sure that
  39 # the creation process does not continue without having a main
  40 # principal. (But you who want to set password for a user, don't
  41 # worry - we'll invoke cpw later, so that it has the same effect
  42 # as setting password right now - while it is more error tolerant).
  43
  44 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
  45 sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
  46 sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
  47
  48 #
  49 # Create AFS users corresponding to krb5 principals.
  50 # (fred/cgi principal == fred.cgi AFS user)
  51 #
  52
  53 pts cu $USER || true
  54 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
  55 pts cu $USER.daemon || true
  56 ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
  57
  58
  59 #
  60 # Construct various paths for later perusal.
  61 #
  62
  63 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
  64 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
  65 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
  66 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
  67 DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
  68 PGDIR=$DBPATH/postgres
  69 MYSQLDIR=$DBPATH/mysql
  70
  71
  72 #
  73 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
  74 # lost the idea of what I want to do with LDAP, but we'll
  75 # see with time how well it integrates...)
  76 # The ID returned from AFS is important here, we want to make
  77 # sure those IDs match.
  78 #
  79
  80 # USER entry
  81 echo "
  82 dn: uid=$USER,ou=People,dc=hcoop,dc=net
  83 objectClass: top
  84 objectClass: person
  85 objectClass: posixAccount
  86 cn: $USER
  87 uid: $USER
  88 gidNumber: $ID
  89 sn: $USER
  90 host: abulafia
  91 host: mire
  92
  93 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
  94 objectClass: top
  95 objectClass: posixGroup
  96 cn: $USER
  97 gidNumber: $ID
  98 memberUid: $USER
  99 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
 100
 101 # USER.daemon entry
 102 echo "
 103 dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
 104 objectClass: top
 105 objectClass: person
 106 objectClass: posixAccount
 107 cn: $USER.daemon
 108 uid: $USER.daemon
 109 gidNumber: $ID_DAEMON
 110 sn: $USER.daemon
 111
 112 dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
 113 objectClass: top
 114 objectClass: posixGroup
 115 cn: $USER.daemon
 116 gidNumber: $ID_DAEMON
 117 memberUid: $USER.daemon
 118 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
 119
 120
 121 #
 122 # Export .mailfilter and .cgi keys to a keytab file
 123 #
 124
 125 # create a daemon keytab (used by /etc/exim4/get-token)
 126 # *only* if it does not exist!
 127 test -e /etc/keytabs/user.daemon/$USER || \
 128   sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
 129
 130 # Properly chown/mod keytab files (must be $USER:www-data)
 131 sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
 132 sudo chmod 440            /etc/keytabs/user.daemon/$USER
 133
 134 # rsync keytabs to mire
 135 (cd /etc/keytabs
 136    sudo tar clpf - user.daemon/$USER | \
 137      ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
 138
 139 #
 140 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
 141 #
 142
 143 # HOME VOLUME
 144 vos examine user.$USER 2>/dev/null || \
 145   vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
 146 mkdir -p `dirname $HOMEPATH`
 147 fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
 148 chown $USER:nogroup $HOMEPATH
 149 fs sa $HOMEPATH $USER            all
 150 fs sa $HOMEPATH system:anyuser   l
 151
 152 # Apache logs
 153 mkdir -p $HOMEPATH/logs/apache
 154 chown $USER:nogroup $HOMEPATH/logs/apache
 155 fs sa $HOMEPATH/logs/apache $USER.daemon rlwidk
 156
 157 # public_html
 158 mkdir -p $HOMEPATH/public_html
 159 chown $USER:nogroup $HOMEPATH/public_html
 160 fs sa $HOMEPATH/public_html system:anyuser rl
 161
 162 # .procmail.d
 163 mkdir -p $HOMEPATH/.procmail.d
 164 chown $USER:nogroup $HOMEPATH/.procmail.d
 165 fs sa $HOMEPATH/.procmail.d system:anyuser rl
 166
 167 # .public
 168 mkdir -p $HOMEPATH/.public/
 169 chown $USER:nogroup $HOMEPATH/.public
 170 fs sa $HOMEPATH/.public system:anyuser rl
 171
 172 # .domtool
 173 mkdir -p $HOMEPATH/.public/.domtool
 174 chown $USER:nogroup $HOMEPATH/.public/.domtool
 175 test -e $HOMEPATH/.domtool || \
 176     test -L $HOMEPATH/.domtool || \
 177         ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
 178
 179 # MAIL VOLUME
 180 vos examine mail.$USER 2>/dev/null || \
 181   vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
 182 mkdir -p `dirname $MAILPATH`
 183 fs ls $MAILPATH || fs mkm $MAILPATH         mail.$USER
 184 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
 185 chown $USER:nogroup $MAILPATH
 186 chown $USER:nogroup $HOMEPATH/Maildir
 187 fs sa $MAILPATH $USER        all
 188 fs sa $MAILPATH $USER.daemon all
 189
 190 # Set up shared SpamAssassin folder
 191 if test -f $HOMEPATH/Maildir/shared-maildirs; then
 192     # Deal with case where user rsync'd their Maildir from fyodor
 193     pattern='^SpamAssassin      /home/spamd'
 194     file=$HOMEPATH/Maildir/shared-maildirs
 195     if grep $pattern $file; then
 196         sed -i -r -e \
 197             's!^(SpamAssassin   )/home/spamd!\1/var/local/lib/spamd!1' \
 198             $file
 199     fi
 200     NOTIFY=no
 201     for dir in $HOMEPATH/Maildir/shared-folders/SpamAssassin/*; do
 202         if ! test -d $dir; then
 203             NOTIFY=yes
 204         else
 205             dest=/var/local/lib/spamd/Maildir/.$(basename $dir)
 206             if test "$(readlink $dir/shared)" != "$dest"; then
 207                 ln -sf $dest $dir/shared
 208             fi
 209         fi
 210     done
 211     if test $NOTIFY = yes; then
 212         # This is probably going overboard, but oh well
 213         echo "$USER needs assistance on their shared spam dir" | \
 214             mail -s "[create-user] $USER needs assistance" \
 215               -e -a "From: admins@deleuze.hcoop.net" mwolson_admin
 216     fi
 217 else
 218     maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
 219         $HOMEPATH/Maildir
 220 fi
 221
 222 # DATABASE VOLUME
 223 if ! vos examine db.$USER >/dev/null 2>/dev/null; then
 224   mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
 225   vos create -server afs -partition a -name db.$USER -maxquota 400000
 226   fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
 227   vos release common.databases
 228   fs sa -dir $DBPATH -acl system:postgres l
 229   fs sa -dir $DBPATH -acl system:mysql    l
 230   fs sa -dir $DBPATH -acl system:backup   rl
 231 fi
 232
 233 # Create postgres user and tablespace placeholder within volume
 234 if ! test -d $PGDIR; then
 235   mkdir -p $PGDIR
 236   chown postgres:postgres $PGDIR
 237   fs sa -dir $PGDIR -acl system:postgres write
 238
 239  sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
 240 fi
 241
 242 # Create mysql user and databases placeholder within volume
 243 mkdir -p $MYSQLDIR
 244 chown mysql:mysql $MYSQLDIR
 245 fs sa -dir $MYSQLDIR -acl system:mysql  write
 246
 247
 248 #
 249 # Mount points for backup volumes
 250 #
 251
 252 mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
 253 mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
 254 fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
 255   fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
 256 fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
 257   fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
 258 vos release old
 259
 260 # technically this might not be necessary, but for good measure...
 261 vos syncserv deleuze
 262 vos syncvldb deleuze
 263
 264 # refresh volume location cache (takes ~2hrs otherwise)
 265 mire_and_deleuze fs checkvolumes
 266
 267 #
 268 # Non-AFS files and directories
 269 #
 270
 271 # Make per-user apache DAV lock directory -- the directory must be
 272 # both user and group-writable, which is silly.
 273 mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
 274 mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
 275 mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER