X-Git-Url: https://git.hcoop.net/hcoop/scripts.git/blobdiff_plain/2c556c0c801c8b81a44931b05fd03782f74e8600..24222a38e29a6beb9423c53fed6c5ee51ba5aa01:/create-user
diff --git a/create-user b/create-user
index 87d56ec..f71edfa 100755
--- a/create-user
+++ b/create-user
@@ -1,14 +1,29 @@
 #!/bin/bash -ex # MUST be executed: -# - on deleuze +# - on fritz # - as a user with an /etc/sudoers line -# - member of "wheel" unix group on deleuze +# - member of "wheel" unix group on deleuze (FIXME: TRUE?) # - while holding tickets for a user who can 'ssh -K' to mire # - and is a member of "wheel" on mire # - while holding tokens for a user who is: # - a member of system:administrator -# - listed in 'bos listusers deleuze' +# - listed in 'bos listusers fritz' +# - and who has been set up with Domtool admin privileges by: +# - running 'domtool-adduser $USER' while holding AFS admin tokens as +# someone who is already a Domtool admin +# - running 'domtool-admin grant $USER priv all' as someone who is already a +# Domtool admin +# (To bootstrap yourself into admindom: +# 1. Run '/etc/init.d/domtool-server stop' on deleuze. +# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines +# (e.g., mire). +# 3. Edit ~domtool/acl, following the example of adamc_admin to grant +# yourself 'priv all'. +# 4. Run '/etc/init.d/domtool-server start' on deleuze. +# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave +# machines. +# 6. Run 'domtool-adduser' as above.) USER=$1 
@@ -19,6 +34,34 @@ if test -z "$USER"; then exit 1 fi +# +# Helper functions +# + +# Run a command on both mire and deleuze; assumes that no escaping is +# needed. + + +function execute_on_web_nodes() { + ssh -K deleuze $* + ssh -K mire $* + ssh -K navajos $* +} + +# change to execute_on_domtool_server +function execute_on_domtool_server () { + ssh -K deleuze.hcoop.net $* +} + + +function execute_on_all_machines () { + $* + ssh -K mire.hcoop.net $* + ssh -K hopper.hcoop.net $* + ssh -K deleuze.hcoop.net $* + ssh -K navajos.hcoop.net $* + ssh -K bog.hcoop.net $* +} # # Kerberos principals 
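Review bot: The comment above `execute_on_web_nodes` is stale — it says the command runs on "both mire and deleuze" while the body also runs it on navajos, and the `# change to execute_on_domtool_server` line above the second helper reads like a leftover TODO that has already been done; suggested header for the first helper: `# Run a command on each web node (deleuze, mire, navajos). Arguments are re-parsed by the remote shell, so callers must only pass values that need no quoting.` Relatedly, all three helpers expand `$*` unquoted, including the local `$*` call at the top of `execute_on_all_machines`; `"$@"` preserves the caller's argument boundaries for that local run, and `ssh -K host "$@"` behaves as before for the remote ones since ssh joins its remaining arguments with spaces anyway. `execute_on_web_nodes` also addresses hosts by bare name where every other ssh in this file uses the `.hcoop.net` form, so it depends on the caller's resolver search list; aligning the spellings would be consistent.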
@@ -54,60 +97,10 @@ ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,. PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER HOMEPATH=/afs/hcoop.net/user/$PATHBITS MAILPATH=/afs/hcoop.net/common/email/$PATHBITS -DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS -PGDIR=$DBPATH/postgres -MYSQLDIR=$DBPATH/mysql - - -# -# Create LDAP entries. (With the whole libnss-ptdb, I kind of -# lost the idea of what I want to do with LDAP, but we'll -# see with time how well it integrates...) -# The ID returned from AFS is important here, we want to make -# sure those IDs match. -# - -# USER entry -echo " -dn: uid=$USER,ou=People,dc=hcoop,dc=net -objectClass: top -objectClass: person -objectClass: posixAccount -cn: $USER -uid: $USER -gidNumber: $ID -sn: $USER -host: abulafia -host: mire - -dn: cn=$USER,ou=Group,dc=hcoop,dc=net -objectClass: top -objectClass: posixGroup -cn: $USER -gidNumber: $ID -memberUid: $USER -" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true - -# USER.daemon entry -echo " -dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net -objectClass: top -objectClass: person -objectClass: posixAccount -cn: $USER.daemon -uid: $USER.daemon -gidNumber: $ID_DAEMON -sn: $USER.daemon - -dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net -objectClass: top -objectClass: posixGroup -cn: $USER.daemon -gidNumber: $ID_DAEMON -memberUid: $USER.daemon -" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true +# LDAP bit excised (see git history...) + # # Export .mailfilter and .cgi keys to a keytab file # 
@@ -121,33 +114,60 @@ test -e /etc/keytabs/user.daemon/$USER || \ sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER sudo chmod 440 /etc/keytabs/user.daemon/$USER -# rsync keytabs to mire +# rsync keytabs (cd /etc/keytabs sudo tar clpf - user.daemon/$USER | \ ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) +(cd /etc/keytabs + sudo tar clpf - user.daemon/$USER | \ + ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) +(cd /etc/keytabs + sudo tar clpf - user.daemon/$USER | \ + ssh deleuze.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) +(cd /etc/keytabs + sudo tar clpf - user.daemon/$USER | \ + ssh navajos.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) +(cd /etc/keytabs + sudo tar clpf - user.daemon/$USER | \ + ssh bog.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) # # Create/mount/set-perms on user's volumes (home, mail, databases, logs) # # HOME VOLUME +if vos examine user.$USER.d 2>/dev/null; then + echo "Reactivating old volume (user.$USER.d)" + vos rename user.$USER.d user.$USER +fi vos examine user.$USER 2>/dev/null || \ - vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000 + vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000 + mkdir -p `dirname $HOMEPATH` -fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER +fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER chown $USER:nogroup $HOMEPATH fs sa $HOMEPATH $USER all fs sa $HOMEPATH system:anyuser l +# cleanliness / needed to keep suphp happy +chown root:root $HOMEPATH/../../ +chown root:root $HOMEPATH/../ # Apache logs -mkdir -p $HOMEPATH/logs/apache -chown $USER:nogroup $HOMEPATH/logs/apache -fs sa $HOMEPATH/logs/apache $USER.daemon rlwidk +mkdir -p $HOMEPATH/.logs +chown $USER:nogroup $HOMEPATH/.logs +mkdir -p $HOMEPATH/.logs/apache +chown $USER:nogroup $HOMEPATH/.logs/apache +fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk +mkdir -p $HOMEPATH/.logs/mail +fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk +chown $USER:nogroup $HOMEPATH/.logs/mail # public_html -mkdir 
-p $HOMEPATH/public_html -chown $USER:nogroup $HOMEPATH/public_html -fs sa $HOMEPATH/public_html system:anyuser rl +test -e $HOMEPATH/public_html || \ + (mkdir -p $HOMEPATH/public_html; \ + chown $USER:nogroup $HOMEPATH/public_html; \ + fs sa $HOMEPATH/public_html system:anyuser none; \ + fs sa $HOMEPATH/public_html $USER.daemon rl) # .procmail.d mkdir -p $HOMEPATH/.procmail.d 
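Review bot: The keytab copy is now the same three-line `(cd /etc/keytabs; sudo tar clpf - ... | ssh HOST ...)` block pasted five times with only the host name changed; a loop over the host list keeps the targets in one place and matches the host set used by `execute_on_all_machines`. With `-e` but no `pipefail`, each pipeline only reports the `ssh`/remote `tar` status, so a failing local `tar` (for example an unreadable keytab) goes unnoticed — `set -o pipefail` before the loop, or a check of `${PIPESTATUS[0]}`, would surface it. The new `chown root:root $HOMEPATH/../../` / `$HOMEPATH/../` lines rely on `$HOMEPATH` being `/afs/hcoop.net/user/<a>/<ab>/<user>` as built from `PATHBITS` earlier in the file; a comment naming that layout next to them, e.g. `# $HOMEPATH is /afs/hcoop.net/user/<a>/<ab>/<user>; both parents must be root-owned for suphp`, would help the next reader.
```shell
# Copy the user's daemon keytab to each node that needs it
for host in mire hopper deleuze navajos bog; do
  (cd /etc/keytabs
   sudo tar clpf - user.daemon/$USER | \
     ssh "$host.hcoop.net" cd /etc/keytabs\; sudo tar xlpf -)
done
# … unchanged: volume creation / mount / ACL setup below …
```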
@@ -164,43 +184,58 @@ mkdir -p $HOMEPATH/.public/.domtool chown $USER:nogroup $HOMEPATH/.public/.domtool test -e $HOMEPATH/.domtool || \ test -L $HOMEPATH/.domtool || \ - ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool + execute_on_domtool_server sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool + # ^^ work around sudo env_reset crap without having to + # actually figure out how to make it work cleanly -- clinton, + # 2011-11-30 + +# Gitweb hosting +test -L /var/cache/git/$USER || \ + sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER # MAIL VOLUME +if vos examine mail.$USER.d 2>/dev/null; then + echo "Reactivating old volume (mail.$USER.d)" + vos rename mail.$USER.d mail.$USER +fi vos examine mail.$USER 2>/dev/null || \ - vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000 + vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000 + mkdir -p `dirname $MAILPATH` -chown $USER:nogroup $MAILPATH fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER +chown $USER:nogroup $MAILPATH +chown $USER:nogroup $HOMEPATH/Maildir fs sa $MAILPATH $USER all fs sa $MAILPATH $USER.daemon all - -# DATABASE VOLUME -if ! vos examine db.$USER >/dev/null 2>/dev/null; then - mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS` - vos create -server afs -partition a -name db.$USER -maxquota 400000 - fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw - vos release common.databases - fs sa -dir $DBPATH -acl system:postgres l - fs sa -dir $DBPATH -acl system:mysql l - fs sa -dir $DBPATH -acl system:backup rl +if test ! -e $MAILPATH/new; then + mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp + echo -e "This email account is provided as a service for HCoop members." 
\ + "\n\nTo learn how to use it, please visit the page" \ + "\n on our website."| \ + mail -s "Welcome to your HCoop email store" \ + -e -a "From: postmaster@hcoop.net" \ + real-$USER fi - -# Create postgres user and tablespace placeholder within volume -if ! [ -d $PGDIR ]; then - mkdir -p $PGDIR - chown postgres:postgres $PGDIR - fs sa -dir $PGDIR -acl system:postgres write - - sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1 +chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp + +# Set up shared SpamAssassin folder +if test -f $HOMEPATH/Maildir/shared-maildirs; then + # Deal with case where user rsync'd their Maildir from fyodor + pattern='^SpamAssassin /home/spamd' + file=$HOMEPATH/Maildir/shared-maildirs + if grep $pattern $file; then + sed -i -r -e \ + 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \ + $file + fi +else + maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \ + $HOMEPATH/Maildir fi -# Create mysql user and databases placeholder within volume -mkdir -p $MYSQLDIR -chown mysql:mysql $MYSQLDIR -fs sa -dir $MYSQLDIR -acl system:mysql write - +# Create database tablespaces +sudo /afs/hcoop.net/common/etc/scripts/create-user-database $USER # # Mount points for backup volumes 
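Review bot: `grep $pattern $file` in the shared-maildirs block is broken by word splitting: `pattern` contains a space, so grep receives `^SpamAssassin` as the pattern and `/home/spamd` as an unintended first file argument, which drops the `/home/spamd` part of the match and makes grep report an error for that path, so the condition is false and the `sed` rewrite never runs. Quote both expansions: `if grep -q -- "$pattern" "$file"; then` and `"$file"` on the `sed -i` line. The rest of the hunk keeps the script's existing unquoted-`$USER`/`$HOMEPATH` convention, so that is not raised here, but the reactivation branch `vos rename mail.$USER.d mail.$USER` would benefit from a one-line note saying where `.d` volumes come from (presumably the delete-user path), since nothing in this file creates them.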
@@ -215,18 +250,30 @@ fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \ vos release old # technically this might not be necessary, but for good measure... -vos syncserv deleuze -vos syncvldb deleuze +vos syncserv fritz +vos syncvldb fritz # refresh volume location cache (takes ~2hrs otherwise) -fs checkvolumes -ssh mire.hcoop.net fs checkvolumes +execute_on_all_machines fs checkvolumes + +# +# Non-AFS files and directories +# + +# Make per-user apache DAV lock directory -- the directory must be +# both user and group-writable, which is silly. +execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$USER +execute_on_web_nodes sudo chown $USER:www-data /var/lock/apache2/dav/$USER +execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER # -# Files and directories on deleuze +# Domtool integration # -# make per-user apache DAV lock directory -sudo mkdir -p /var/lock/apache2/dav/$USER -sudo chown $USER:nogroup /var/lock/apache2/dav/$USER -sudo chmod u=rwx,go= /var/lock/apache2/dav/$USER +execute_on_domtool_server domtool-adduser $USER + +# +# Subscribe user to our mailing lists. +# +echo $USER@hcoop.net | ssh -K deleuze sudo -u list \ + /var/lib/mailman/bin/add_members -r - hcoop-announce
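Review bot: `execute_on_all_machines fs checkvolumes` silently assumes the script is running on fritz, as the header requires: the helper (defined earlier in the file) runs the command locally and then on mire, hopper, deleuze, navajos and bog, so fritz is only reached as the local host, and running the script from one of the listed hosts would skip fritz and hit that host twice. A comment at the call site would make the dependency explicit, e.g. `# local host must be fritz; the helper covers the other five nodes`. The mailing-list step builds the address with an unquoted `echo $USER@hcoop.net` and uses the bare host name `deleuze` where the rest of the file uses `deleuze.hcoop.net`; `printf '%s\n' "$USER@hcoop.net" | ssh -K deleuze.hcoop.net sudo -u list \` is the robust and consistent form.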