X-Git-Url: https://git.hcoop.net/hcoop/scripts.git/blobdiff_plain/7fe272afdb2a2fad62983753a3bb8cd3f10331ba..0f3e692beb17c497104e03c7b41c6e3624554317:/create-user
diff --git a/create-user b/create-user
dissimilarity index 60%
index 2e009f4..39fa7ab 100755
--- a/create-user
+++ b/create-user
@@ -1,239 +1,306 @@
-#!/bin/bash -ex
-
-# MUST be executed:
-# - on deleuze
-# - as a user with an /etc/sudoers line
-# - member of wheel unix group
-# - while holding tokens for a user who is:
-# - a member of system:administrator
-# - listed in 'bos listusers deleuze'
-
-USER=$1
-
-if test -z "$USER"; then
- echo "Invoke as create-user "
- exit 1
-fi
-
-
-#
-# Kerberos principals
-# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
-#
-
-# We use -randkey for user's main principal as well, to make sure that
-# the creation process does not continue without having a main
-# principal. (But you who want to set password for a user, don't
-# worry - we'll invoke cpw later, so that it has the same effect
-# as setting password right now - while it is more error tolerant).
-
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
-
-#
-# Create AFS users corresponding to krb5 principals.
-# (fred/cgi principal == fred.cgi AFS user)
-#
-
-pts cu $USER || true
-ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.mailfilter $ID_MF || true
-ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.cgi || true
-ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-
-
-#
-# Construct various paths for later perusal.
-#
-
-# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
-PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
-HOMEPATH=/afs/hcoop.net/user/$PATHBITS
-MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
-PGDIR=$DBPATH/postgres
-MYSQLDIR=$DBPATH/mysql
-
-
-#
-# Create LDAP entries. (With the whole libnss-ptdb, I kind of
-# lost the idea of what I want to do with LDAP, but we'll
-# see with time how well it integrates...)
-# The ID returned from AFS is important here, we want to make
-# sure those IDs match.
-#
-
-# USER entry
-echo "
-dn: uid=$USER,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER
-uid: $USER
-gidNumber: $ID
-homeDirectory: $HOMEPATH
-sn: $USER
-host: abulafia
-host: mire
-
-dn: cn=$USER,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER
-gidNumber: $ID
-memberUid: $USER
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-# USER.mailfilter entry
-echo "
-dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER.mailfilter
-uid: $USER.mailfilter
-gidNumber: $ID_MF
-homeDirectory: $HOMEPATH
-sn: $USER.mailfilter
-
-dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER.mailfilter
-gidNumber: $ID_MF
-memberUid: $USER.mailfilter
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-# USER.cgi entry
-echo "
-dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER.cgi
-uid: $USER.cgi
-gidNumber: $ID_CGI
-homeDirectory: $HOMEPATH
-sn: $USER.cgi
-
-dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER.cgi
-gidNumber: $ID_CGI
-memberUid: $USER.cgi
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-
-#
-# Export .mailfilter and .cgi keys to a keytab file
-#
-
-# create a mailfilter keytab (used by /etc/exim4/get-token)
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
-
-# create a cgi keytab
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
-
-# Properly chown/mod keytab files (www-data must own the cgi keytab)
-sudo chown www-data:wheel /etc/keytabs/cgi/$USER
-sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
-sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
-
-# rsync keytabs to mire
-rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
-
-#
-# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
-#
-
-# HOME VOLUME
-vos examine user.$USER 2>/dev/null || \
- vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
-mkdir -p `dirname $HOMEPATH`
-fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
-chown $USER $HOMEPATH
-fs sa $HOMEPATH $USER all
-fs sa $HOMEPATH system:anyuser rl
-
-# Apache logs
-mkdir -p $HOMEPATH/logs/apache
-fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
-
-# public_html
-mkdir -p $HOMEPATH/public_html/
-fs sa $HOMEPATH/public_html system:anyuser rl
-mkdir -p $HOMEPATH/.procmail.d/
-fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
-
-# MAIL VOLUME
-vos examine mail.$USER 2>/dev/null || \
- vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
-mkdir -p `dirname $MAILPATH`
-fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
-fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
-fs sa $MAILPATH $USER all
-fs sa $MAILPATH $USER.mailfilter all
-
-# DATABASE VOLUME
-if ! vos examine db.$USER >/dev/null 2>/dev/null; then
- mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
- vos create -server afs -partition a -name db.$USER -maxquota 400000
- fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
- vos release common.databases
- fs sa -dir $DBPATH -acl system:postgres l
- fs sa -dir $DBPATH -acl system:mysql l
- fs sa -dir $DBPATH -acl system:backup rl
-fi
-
-# Create postgres user and tablespace placeholder within volume
-if ! [ -d $PGDIR ]; then
- mkdir -p $PGDIR
- chown postgres:postgres $PGDIR
- fs sa -dir $PGDIR -acl system:postgres write
-
- sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
-fi
-
-# Create mysql user and databases placeholder within volume
-mkdir -p $MYSQLDIR
-chown mysql:mysql $MYSQLDIR
-fs sa -dir $MYSQLDIR -acl system:mysql write
-
-
-#
-# Mount points for backup volumes
-#
-
-mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
-mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
-fs ls /afs/hcoop.net/old/user/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
-fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
-
-# technically this might not be necessary, but for good measure...
-vos syncserv deleuze
-vos syncvldb deleuze
-
-# refresh volume location cache (takes ~2hrs otherwise)
-fs checkvolumes
-ssh mire.hcoop.net fs checkvolumes
-
-#
-# Finally, set password for main user's principal
-# Aborting this operation is harmless. Just re-invoke cpw.
-#
-# kadmin.local doesn't report errors properly, so we have to
-# check manually
-#
-sudo rm -f /tmp/kadmin.out
-sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \
- 2>&1 | tee /tmp/kadmin.out
-cat /tmp/kadmin.out | grep 'Password for .* changed'
-sudo rm -f /tmp/kadmin.out
-
+#!/bin/bash -ex
+
+# MUST be executed:
+# - on deleuze
+# - as a user with an /etc/sudoers line
+# - member of "wheel" unix group on deleuze
+# - while holding tickets for a user who can 'ssh -K' to mire
+# - and is a member of "wheel" on mire
+# - while holding tokens for a user who is:
+# - a member of system:administrator
+# - listed in 'bos listusers deleuze'
+# - and who has been set up with Domtool admin privileges by:
+# - running 'domtool-adduser $USER' while holding AFS admin tokens as
+# someone who is already a Domtool admin
+# - running 'domtool-admin grant $USER priv all' as someone who is already a
+# Domtool admin
+# (To bootstrap yourself into admindom:
+# 1. Run '/etc/init.d/domtool-server stop' on deleuze.
+# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
+# (e.g., mire).
+# 3. Edit ~domtool/acl, following the example of adamc_admin to grant
+# yourself 'priv all'.
+# 4. Run '/etc/init.d/domtool-server start' on deleuze.
+# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
+# machines.
+# 6. Run 'domtool-adduser' as above.)
+
+USER=$1
+
+export PATH=$PATH:/afs/hcoop.net/common/bin/
+
+if test -z "$USER"; then
+ echo "Invoke as create-user "
+ exit 1
+fi
+
+#
+# Helper functions
+#
+
+# Run a command on both mire and deleuze; assumes that no escaping is
+# needed.
+function mire_and_deleuze() {
+ $*
+ ssh -K mire.hcoop.net $*
+}
+
+function execute_on_fritz () {
+ ssh -K fritz.hcoop.net $*
+}
+
+function execute_on_all_machines () {
+ $*
+ ssh -K mire.hcoop.net $*
+ ssh -K hopper.hcoop.net $*
+ ssh -K fritz.hcoop.net $*
+}
+
+#
+# Kerberos principals
+# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
+#
+
+# We use -randkey for user's main principal as well, to make sure that
+# the creation process does not continue without having a main
+# principal. (But you who want to set password for a user, don't
+# worry - we'll invoke cpw later, so that it has the same effect
+# as setting password right now - while it is more error tolerant).
+
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
+
+#
+# Create AFS users corresponding to krb5 principals.
+# (fred/cgi principal == fred.cgi AFS user)
+#
+
+pts cu $USER || true
+ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.daemon || true
+ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+
+
+#
+# Construct various paths for later perusal.
+#
+
+# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
+PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
+HOMEPATH=/afs/hcoop.net/user/$PATHBITS
+MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
+
+#
+# Create LDAP entries. (With the whole libnss-ptdb, I kind of
+# lost the idea of what I want to do with LDAP, but we'll
+# see with time how well it integrates...)
+# The ID returned from AFS is important here, we want to make
+# sure those IDs match.
+#
+
+# USER entry
+echo "
+dn: uid=$USER,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER
+uid: $USER
+gidNumber: $ID
+sn: $USER
+host: abulafia
+host: mire
+
+dn: cn=$USER,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER
+gidNumber: $ID
+memberUid: $USER
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
+
+# USER.daemon entry
+echo "
+dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER.daemon
+uid: $USER.daemon
+gidNumber: $ID_DAEMON
+sn: $USER.daemon
+
+dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER.daemon
+gidNumber: $ID_DAEMON
+memberUid: $USER.daemon
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
+
+
+#
+# Export .mailfilter and .cgi keys to a keytab file
+#
+
+# create a daemon keytab (used by /etc/exim4/get-token)
+# *only* if it does not exist!
+test -e /etc/keytabs/user.daemon/$USER || \
+ sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
+
+# Properly chown/mod keytab files (must be $USER:www-data)
+sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
+sudo chmod 440 /etc/keytabs/user.daemon/$USER
+
+# rsync keytabs
+(cd /etc/keytabs
+ sudo tar clpf - user.daemon/$USER | \
+ ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
+(cd /etc/keytabs
+ sudo tar clpf - user.daemon/$USER | \
+ ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
+(cd /etc/keytabs
+ sudo tar clpf - user.daemon/$USER | \
+ ssh fritz.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
+
+#
+# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
+#
+
+# HOME VOLUME
+if vos examine user.$USER.d 2>/dev/null; then
+ echo "Reactivating old volume (user.$USER.d)"
+ vos rename user.$USER.d user.$USER
+fi
+vos examine user.$USER 2>/dev/null || \
+ vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000
+
+mkdir -p `dirname $HOMEPATH`
+fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
+chown $USER:nogroup $HOMEPATH
+fs sa $HOMEPATH $USER all
+fs sa $HOMEPATH system:anyuser l
+
+# Apache logs
+mkdir -p $HOMEPATH/.logs
+chown $USER:nogroup $HOMEPATH/.logs
+mkdir -p $HOMEPATH/.logs/apache
+chown $USER:nogroup $HOMEPATH/.logs/apache
+fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
+mkdir -p $HOMEPATH/.logs/mail
+fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
+chown $USER:nogroup $HOMEPATH/.logs/mail
+
+# public_html
+test -e $HOMEPATH/public_html || \
+ (mkdir -p $HOMEPATH/public_html; \
+ chown $USER:nogroup $HOMEPATH/public_html; \
+ fs sa $HOMEPATH/public_html system:anyuser none; \
+ fs sa $HOMEPATH/public_html $USER.daemon rl)
+
+# .procmail.d
+mkdir -p $HOMEPATH/.procmail.d
+chown $USER:nogroup $HOMEPATH/.procmail.d
+fs sa $HOMEPATH/.procmail.d system:anyuser rl
+
+# .public
+mkdir -p $HOMEPATH/.public/
+chown $USER:nogroup $HOMEPATH/.public
+fs sa $HOMEPATH/.public system:anyuser rl
+
+# .domtool
+mkdir -p $HOMEPATH/.public/.domtool
+chown $USER:nogroup $HOMEPATH/.public/.domtool
+test -e $HOMEPATH/.domtool || \
+ test -L $HOMEPATH/.domtool || \
+ sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
+
+# Gitweb hosting
+test -L /var/cache/git/$USER || \
+ sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
+
+# MAIL VOLUME
+if vos examine mail.$USER.d 2>/dev/null; then
+ echo "Reactivating old volume (mail.$USER.d)"
+ vos rename mail.$USER.d mail.$USER
+fi
+vos examine mail.$USER 2>/dev/null || \
+ vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000
+
+mkdir -p `dirname $MAILPATH`
+fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
+fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
+chown $USER:nogroup $MAILPATH
+chown $USER:nogroup $HOMEPATH/Maildir
+fs sa $MAILPATH $USER all
+fs sa $MAILPATH $USER.daemon all
+if test ! -e $MAILPATH/new; then
+ mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
+ echo -e "This email account is provided as a service for HCoop members." \
+ "\n\nTo learn how to use it, please visit the page" \
+ "\n on our website."| \
+ mail -s "Welcome to your HCoop email store" \
+ -e -a "From: postmaster@hcoop.net" \
+ real-$USER
+fi
+chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
+
+# Set up shared SpamAssassin folder
+if test -f $HOMEPATH/Maildir/shared-maildirs; then
+ # Deal with case where user rsync'd their Maildir from fyodor
+ pattern='^SpamAssassin /home/spamd'
+ file=$HOMEPATH/Maildir/shared-maildirs
+ if grep $pattern $file; then
+ sed -i -r -e \
+ 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
+ $file
+ fi
+else
+ maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
+ $HOMEPATH/Maildir
+fi
+
+# Create database tablespaces
+execute_on_fritz /afs/hcoop.net/common/etc/scripts/create-user-database $USER
+
+#
+# Mount points for backup volumes
+#
+
+mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
+mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
+fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
+fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
+vos release old
+
+# technically this might not be necessary, but for good measure...
+vos syncserv fritz
+vos syncvldb fritz
+
+# refresh volume location cache (takes ~2hrs otherwise)
+execute_on_all_machines fs checkvolumes
+
+#
+# Non-AFS files and directories
+#
+
+# Make per-user apache DAV lock directory -- the directory must be
+# both user and group-writable, which is silly.
+mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
+mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
+
+#
+# Domtool integration
+#
+
+domtool-adduser $USER
+
+#
+# Subscribe user to our mailing lists.
+#
+echo $USER@hcoop.net | sudo -u list \
+ /var/lib/mailman/bin/add_members -r - hcoop-announce
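Review bot: The username taken from `$1` is checked only for emptiness (`test -z "$USER"`) before being interpolated unquoted into the kadmin `ank`/`ktadd` queries, the LDIF piped to ldapadd, the AFS paths derived from `PATHBITS`, `sudo -u $USER ln -s`, and the `tar | ssh` keytab copies, so a value containing whitespace, `/`, `..` or shell metacharacters produces principals, paths and remote commands other than the intended ones. A format check beside the existing emptiness test, e.g. `[[ $USER =~ ^[a-z][a-z0-9]*$ ]] || { echo "create-user: invalid username" >&2; exit 1; }` (character class adjusted to the site's naming rule), bounds every downstream use in one place. The new `mire_and_deleuze` and `execute_on_all_machines` helpers pass `$*` unquoted both locally and to ssh, as their comment admits, so that guard is also what keeps the remote invocations well-formed. Separately, in the SpamAssassin block `grep $pattern $file` word-splits `pattern='^SpamAssassin /home/spamd'`, so grep searches for `^SpamAssassin` in `/home/spamd` and `$file` rather than matching the intended line; it should read `if grep -q -- "$pattern" "$file"; then`. Reassigning `USER=$1` also changes the exported `USER` seen by every child process (sudo, ssh, mail), which may be intended but deserves a comment or a differently named variable.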