# - while holding tokens for a user who is:
# - a member of system:administrator
# - listed in 'bos listusers deleuze'
+# - and who has been set up with Domtool admin privileges by:
+# - running 'domtool-adduser $USER' while holding AFS admin tokens as
+# someone who is already a Domtool admin
+# - running 'domtool-admin grant $USER priv all' as someone who is already a
+# Domtool admin
+# (To bootstrap yourself into admindom:
+# 1. Run '/etc/init.d/domtool-server stop' on deleuze.
+# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
+# (e.g., mire).
+# 3. Edit ~domtool/acl, following the example of adamc_admin to grant
+# yourself 'priv all'.
+# 4. Run '/etc/init.d/domtool-server start' on deleuze.
+# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
+# machines.
+# 6. Run 'domtool-adduser' as above.)
USER=$1
exit 1
fi
+#
+# Helper functions
+#
+
+# Run a command on both mire and deleuze; assumes that no escaping is
+# needed.
+function mire_and_deleuze() {
+ $*
+ ssh mire.hcoop.net $*
+}
#
# Kerberos principals
vos examine user.$USER 2>/dev/null || \
vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
mkdir -p `dirname $HOMEPATH`
-fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
-chown $USER $HOMEPATH
+fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
+chown $USER:nogroup $HOMEPATH
fs sa $HOMEPATH $USER all
fs sa $HOMEPATH system:anyuser l
# Apache logs
-mkdir -p $HOMEPATH/logs/apache
-fs sa $HOMEPATH/logs/apache $USER.daemon rlwidk
+mkdir -p $HOMEPATH/.logs
+chown $USER:nogroup $HOMEPATH/.logs
+mkdir -p $HOMEPATH/.logs/apache
+chown $USER:nogroup $HOMEPATH/.logs/apache
+fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
+mkdir -p $HOMEPATH/.logs/mail
+fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
+chown $USER:nogroup $HOMEPATH/.logs/mail
# public_html
-mkdir -p $HOMEPATH/public_html/
+mkdir -p $HOMEPATH/public_html
+chown $USER:nogroup $HOMEPATH/public_html
fs sa $HOMEPATH/public_html system:anyuser rl
-mkdir -p $HOMEPATH/.procmail.d/
-fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
+
+# .procmail.d
+mkdir -p $HOMEPATH/.procmail.d
+chown $USER:nogroup $HOMEPATH/.procmail.d
+fs sa $HOMEPATH/.procmail.d system:anyuser rl
+
+# .public
mkdir -p $HOMEPATH/.public/
-fs sa $HOMEPATH/.public/ system:anyuser rl
-test -e $HOMEPATH/.forward || \
- test -L $HOMEPATH/.forward || \
- ln -s $HOMEPATH/.public/.forward $HOMEPATH/.forward
-mkdir -p $HOMEPATH/.public/.domtool/
+chown $USER:nogroup $HOMEPATH/.public
+fs sa $HOMEPATH/.public system:anyuser rl
+
+# .domtool
+mkdir -p $HOMEPATH/.public/.domtool
+chown $USER:nogroup $HOMEPATH/.public/.domtool
test -e $HOMEPATH/.domtool || \
test -L $HOMEPATH/.domtool || \
ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
+# Gitweb hosting
+#test -L /var/cache/git/$USER || \
+# ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
+
+
# MAIL VOLUME
vos examine mail.$USER 2>/dev/null || \
vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
mkdir -p `dirname $MAILPATH`
fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
+chown $USER:nogroup $MAILPATH
+chown $USER:nogroup $HOMEPATH/Maildir
fs sa $MAILPATH $USER all
fs sa $MAILPATH $USER.daemon all
+# Set up shared SpamAssassin folder
+if test -f $HOMEPATH/Maildir/shared-maildirs; then
+ # Deal with case where user rsync'd their Maildir from fyodor
+ pattern='^SpamAssassin /home/spamd'
+ file=$HOMEPATH/Maildir/shared-maildirs
+ if grep $pattern $file; then
+ sed -i -r -e \
+ 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
+ $file
+ fi
+
+# This does not yet seem to be needed, and it triggers an AFS issue,
+# so I've commented it out --mwolson.
+#
+# NOTIFY=no
+# for dir in $HOMEPATH/Maildir/shared-folders/SpamAssassin/*; do
+# if ! test -d $dir; then
+# NOTIFY=yes
+# else
+# dest=/var/local/lib/spamd/Maildir/.$(basename $dir)
+# if test "$(readlink $dir/shared)" != "$dest"; then
+# ln -sf $dest $dir/shared
+# fi
+# fi
+# done
+# if test $NOTIFY = yes; then
+# # This is probably going overboard, but oh well
+# echo "$USER needs assistance on their shared spam dir" | \
+# pagsh -c mail -s "[create-user] $USER needs assistance" \
+# -e -a "From: admins@deleuze.hcoop.net" mwolson_admin
+# fi
+
+else
+ maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
+ $HOMEPATH/Maildir
+fi
+
# DATABASE VOLUME
if ! vos examine db.$USER >/dev/null 2>/dev/null; then
mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
fi
# Create postgres user and tablespace placeholder within volume
-if ! [ -d $PGDIR ]; then
+if ! test -d $PGDIR; then
mkdir -p $PGDIR
chown postgres:postgres $PGDIR
fs sa -dir $PGDIR -acl system:postgres write
vos syncvldb deleuze
# refresh volume location cache (takes ~2hrs otherwise)
-fs checkvolumes
-ssh mire.hcoop.net fs checkvolumes
-
-# Technically this is not idempotent. This is not *too* bad because
-# of the fact that in AFS non-system:administrators users can't change
-# the group/owner of a file anyways. However, users still might want
-# to know which other users created certain files (in, say, a dropbox
-# or something like that). FIMXE.
-chown -R $USER:nogroup $HOMEPATH
-chown -R $USER:nogroup $MAILPATH
+mire_and_deleuze fs checkvolumes
+
+#
+# Non-AFS files and directories
+#
+
+# Make per-user apache DAV lock directory -- the directory must be
+# both user and group-writable, which is silly.
+mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
+
+#
+# Domtool integration
+#
+
+domtool-adduser $USER