+#!/bin/bash -ex
+
+# MUST be executed:
+# - on deleuze
+# - as a user with an /etc/sudoers line
+# - member of wheel unix group
+# - while holding tokens for a user who is:
+# - a member of system:administrator
+# - listed in 'bos listusers deleuze'
+
+USER=$1
+
+if test -z "$USER"; then
+ echo "Invoke as create-user <USERNAME>"
+ exit 1
+fi
+
+
+#
+# Kerberos principals
+# (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
+#
+
+# We use -randkey for user's main principal as well, to make sure that
+# the creation process does not continue without having a main
+# principal. (But you who want to set password for a user, don't
+# worry - we'll invoke cpw later, so that it has the same effect
+# as setting password right now - while it is more error tolerant).
+
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
+
+
+#
+# Create AFS users corresponding to krb5 principals.
+# (fred/cgi principal == fred.cgi AFS user)
+#
+
+pts cu $USER || true
+ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.mailfilter $ID_MF || true
+ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.cgi || true
+ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+
+
+#
+# Construct various paths for later perusal.
+#
+
+# (If it's not clear, for user fred, PATHBITS = f/fr/fred)
+PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
+HOMEPATH=/afs/hcoop.net/user/$PATHBITS
+MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
+DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
+PGDIR=$DBPATH/postgres
+MYSQLDIR=$DBPATH/mysql
+
+
+#
+# Create LDAP entries. (With the whole libnss-ptdb, I kind of
+# lost the idea of what I want to do with LDAP, but we'll
+# see with time how well it integrates...)
+# The ID returned from AFS is important here, we want to make
+# sure those IDs match.
+#
+
+# USER entry
+echo "
+dn: uid=$USER,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER
+uid: $USER
+gidNumber: $ID
+homeDirectory: $HOMEPATH
+sn: $USER
+host: abulafia
+host: mire
+
+dn: cn=$USER,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER
+gidNumber: $ID
+memberUid: $USER
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+
+# USER.mailfilter entry
+echo "
+dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER.mailfilter
+uid: $USER.mailfilter
+gidNumber: $ID_MF
+homeDirectory: $HOMEPATH
+sn: $USER.mailfilter
+
+dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER.mailfilter
+gidNumber: $ID_MF
+memberUid: $USER.mailfilter
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+
+# USER.cgi entry
+echo "
+dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+cn: $USER.cgi
+uid: $USER.cgi
+gidNumber: $ID_CGI
+homeDirectory: $HOMEPATH
+sn: $USER.cgi
+
+dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
+objectClass: top
+objectClass: posixGroup
+cn: $USER.cgi
+gidNumber: $ID_CGI
+memberUid: $USER.cgi
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+
+
+#
+# Export .mailfilter and .cgi keys to a keytab file
+#
+
+# create a mailfilter keytab (used by /etc/exim4/get-token)
+sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
+# create a cgi keytab
+sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
+
+# Properly chown/mod keytab files (www-data must own the cgi keytab)
+sudo chown www-data:wheel /etc/keytabs/cgi/$USER
+sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
+sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
+
+# FIXME: rsync keytabs to mire?
+
+#
+# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
+#
+
+# HOME VOLUME
+vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
+mkdir -p `dirname $HOMEPATH`
+fs mkm $HOMEPATH user.$USER
+chown $USER $HOMEPATH
+fs sa $HOMEPATH $USER all
+fs sa $HOMEPATH system:anyuser rl
+
+# Apache logs
+mkdir -p $HOMEPATH/logs/apache
+fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
+
+# MAIL VOLUME
+vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
+mkdir -p `dirname $MAILPATH`
+fs mkm $MAILPATH mail.$USER
+fs mkm $HOMEPATH/Maildir mail.$USER
+fs sa $MAILPATH $USER all
+fs sa $MAILPATH $USER.mailfilter all
+
+# DATABASE VOLUME
+if ! vos examine db.$USER >/dev/null 2>/dev/null; then
+ mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
+ vos create -server afs -partition a -name db.$USER -maxquota 400000
+ fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw
+ vos release common.databases
+ fs sa -dir $DBPATH -acl system:postgres l
+ fs sa -dir $DBPATH -acl system:mysql l
+ fs sa -dir $DBPATH -acl system:backup rl
+fi
+
+# Create postgres user and tablespace placeholder within volume
+if ! [ -d $PGDIR ]; then
+ mkdir -p $PGDIR
+ chown postgres:postgres $PGDIR
+ fs sa -dir $PGDIR -acl system:postgres write
+
+ sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
+fi
+
+# Create mysql user and databases placeholder within volume
+mkdir -p $MYSQLDIR
+chown mysql:mysql $MYSQLDIR
+fs sa -dir $MYSQLDIR -acl system:mysql write
+
+
+#
+# Mount points for backup volumes
+#
+
+mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
+mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
+fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
+fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+
+vos syncserv deleuze
+vos syncvldb deleuze
+fs checkvolumes
+
+#
+# Finally, set password for main user's principal
+# Aborting this operation is harmless. Just re-invoke cpw.
+#
+sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET"
+