-#!/bin/bash -ex
-
-# MUST be executed:
-# - on fritz
-# - as a user with an /etc/sudoers line
-# - member of "wheel" unix group on deleuze (FIXME: TRUE?)
-# - while holding tickets for a user who can 'ssh -K' to mire
-# - and is a member of "wheel" on mire
-# - while holding tokens for a user who is:
-# - a member of system:administrator
-# - listed in 'bos listusers fritz'
-# - and who has been set up with Domtool admin privileges by:
-# - running 'domtool-adduser $USER' while holding AFS admin tokens as
-# someone who is already a Domtool admin
-# - running 'domtool-admin grant $USER priv all' as someone who is already a
-# Domtool admin
-# (To bootstrap yourself into admindom:
-# 1. Run '/etc/init.d/domtool-server stop' on deleuze.
-# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
-# (e.g., mire).
-# 3. Edit ~domtool/acl, following the example of adamc_admin to grant
-# yourself 'priv all'.
-# 4. Run '/etc/init.d/domtool-server start' on deleuze.
-# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
-# machines.
-# 6. Run 'domtool-adduser' as above.)
-
-USER=$1
-
-export PATH=$PATH:/afs/hcoop.net/common/bin/
-
-if test -z "$USER"; then
- echo "Invoke as create-user <USERNAME>"
- exit 1
-fi
-
-#
-# Helper functions
-#
-
-# Run a command on both mire and deleuze; assumes that no escaping is
-# needed.
-
-
-function execute_on_web_nodes() {
- ssh -K deleuze $*
- ssh -K mire $*
- ssh -K navajos $*
-}
-
-# change to execute_on_domtool_server
-function execute_on_domtool_server () {
- ssh -K deleuze.hcoop.net $*
-}
-
-
-function execute_on_all_machines () {
- $*
- ssh -K mire.hcoop.net $*
- ssh -K hopper.hcoop.net $*
- ssh -K deleuze.hcoop.net $*
- ssh -K navajos.hcoop.net $*
- ssh -K bog.hcoop.net $*
-}
-
-#
-# Kerberos principals
-# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
-#
-
-# We use -randkey for user's main principal as well, to make sure that
-# the creation process does not continue without having a main
-# principal. (But you who want to set password for a user, don't
-# worry - we'll invoke cpw later, so that it has the same effect
-# as setting password right now - while it is more error tolerant).
-
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
-
-#
-# Create AFS users corresponding to krb5 principals.
-# (fred/cgi principal == fred.cgi AFS user)
-#
-
-pts cu $USER || true
-ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.daemon || true
-ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-
-
-#
-# Construct various paths for later perusal.
-#
-
-# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
-PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
-HOMEPATH=/afs/hcoop.net/user/$PATHBITS
-MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-
-
-# LDAP bit excised (see git history...)
-
-#
-# Export .mailfilter and .cgi keys to a keytab file
-#
-
-# create a daemon keytab (used by /etc/exim4/get-token)
-# *only* if it does not exist!
-test -e /etc/keytabs/user.daemon/$USER || \
- sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
-
-# Properly chown/mod keytab files (must be $USER:www-data)
-sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
-sudo chmod 440 /etc/keytabs/user.daemon/$USER
-
-# rsync keytabs
-(cd /etc/keytabs
- sudo tar clpf - user.daemon/$USER | \
- ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
-(cd /etc/keytabs
- sudo tar clpf - user.daemon/$USER | \
- ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
-(cd /etc/keytabs
- sudo tar clpf - user.daemon/$USER | \
- ssh deleuze.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
-(cd /etc/keytabs
- sudo tar clpf - user.daemon/$USER | \
- ssh navajos.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
-(cd /etc/keytabs
- sudo tar clpf - user.daemon/$USER | \
- ssh bog.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
-
-#
-# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
-#
-
-# HOME VOLUME
-if vos examine user.$USER.d 2>/dev/null; then
- echo "Reactivating old volume (user.$USER.d)"
- vos rename user.$USER.d user.$USER
-fi
-vos examine user.$USER 2>/dev/null || \
- vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000
-
-mkdir -p `dirname $HOMEPATH`
-fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
-chown $USER:nogroup $HOMEPATH
-fs sa $HOMEPATH $USER all
-fs sa $HOMEPATH system:anyuser l
-# cleanliness / needed to keep suphp happy
-chown root:root $HOMEPATH/../../
-chown root:root $HOMEPATH/../
-
-# Apache logs
-mkdir -p $HOMEPATH/.logs
-chown $USER:nogroup $HOMEPATH/.logs
-mkdir -p $HOMEPATH/.logs/apache
-chown $USER:nogroup $HOMEPATH/.logs/apache
-fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
-mkdir -p $HOMEPATH/.logs/mail
-fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
-chown $USER:nogroup $HOMEPATH/.logs/mail
-
-# public_html
-test -e $HOMEPATH/public_html || \
- (mkdir -p $HOMEPATH/public_html; \
- chown $USER:nogroup $HOMEPATH/public_html; \
- fs sa $HOMEPATH/public_html system:anyuser none; \
- fs sa $HOMEPATH/public_html $USER.daemon rl)
-
-# .procmail.d
-mkdir -p $HOMEPATH/.procmail.d
-chown $USER:nogroup $HOMEPATH/.procmail.d
-fs sa $HOMEPATH/.procmail.d system:anyuser rl
-
-# .public
-mkdir -p $HOMEPATH/.public/
-chown $USER:nogroup $HOMEPATH/.public
-fs sa $HOMEPATH/.public system:anyuser rl
-
-# .domtool
-mkdir -p $HOMEPATH/.public/.domtool
-chown $USER:nogroup $HOMEPATH/.public/.domtool
-test -e $HOMEPATH/.domtool || \
- test -L $HOMEPATH/.domtool || \
- execute_on_domtool_server sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
- # ^^ work around sudo env_reset crap without having to
- # actually figure out how to make it work cleanly -- clinton,
- # 2011-11-30
-
-# Gitweb hosting
-test -L /var/cache/git/$USER || \
- sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
-
-# MAIL VOLUME
-if vos examine mail.$USER.d 2>/dev/null; then
- echo "Reactivating old volume (mail.$USER.d)"
- vos rename mail.$USER.d mail.$USER
-fi
-vos examine mail.$USER 2>/dev/null || \
- vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000
-
-mkdir -p `dirname $MAILPATH`
-fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
-fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
-chown $USER:nogroup $MAILPATH
-chown $USER:nogroup $HOMEPATH/Maildir
-fs sa $MAILPATH $USER all
-fs sa $MAILPATH $USER.daemon all
-if test ! -e $MAILPATH/new; then
- mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
- echo -e "This email account is provided as a service for HCoop members." \
- "\n\nTo learn how to use it, please visit the page" \
- "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
- mail -s "Welcome to your HCoop email store" \
- -e -a "From: postmaster@hcoop.net" \
- real-$USER
-fi
-chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
-
-# Set up shared SpamAssassin folder
-if test -f $HOMEPATH/Maildir/shared-maildirs; then
- # Deal with case where user rsync'd their Maildir from fyodor
- pattern='^SpamAssassin /home/spamd'
- file=$HOMEPATH/Maildir/shared-maildirs
- if grep $pattern $file; then
- sed -i -r -e \
- 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
- $file
- fi
-else
- maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
- $HOMEPATH/Maildir
-fi
-
-# Create database tablespaces
-sudo /afs/hcoop.net/common/etc/scripts/create-user-database $USER
-
-#
-# Mount points for backup volumes
-#
-
-mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
-mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
-fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
- fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
-fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
- fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
-vos release old
-
-# technically this might not be necessary, but for good measure...
-vos syncserv fritz
-vos syncvldb fritz
-
-# refresh volume location cache (takes ~2hrs otherwise)
-execute_on_all_machines fs checkvolumes
-
-#
-# Non-AFS files and directories
-#
-
-# Make per-user apache DAV lock directory -- the directory must be
-# both user and group-writable, which is silly.
-execute_on_web_nodes sudo mkdir -p /var/lock/apache2/dav/$USER
-execute_on_web_nodes sudo chown $USER:www-data /var/lock/apache2/dav/$USER
-execute_on_web_nodes sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
-
-#
-# Domtool integration
-#
-
-execute_on_domtool_server domtool-adduser $USER
-
-#
-# Subscribe user to our mailing lists.
-#
-echo $USER@hcoop.net | ssh -K deleuze sudo -u list \
- /var/lib/mailman/bin/add_members -r - hcoop-announce
HCoop / hcoop / scripts.git / commitdiff