Clinton Ebadi [Fri, 28 Feb 2020 01:02:27 +0000 (20:02 -0500)]
create-user: move dav lock db directory
/var/lock clears itself on boot nowadays, move to /var/local.
https://bugzilla.hcoop.net/show_bug.cgi?id=1298
Clinton Ebadi [Thu, 4 Apr 2019 01:35:15 +0000 (21:35 -0400)]
hcoop-all-db-backup: switch cwd to tmpdir
postgres commands complain when they can't cwd to the current
directory.
Clinton Ebadi [Sun, 31 Mar 2019 19:46:51 +0000 (15:46 -0400)]
hcoop-all-db-backup: update backup script
* Use /srv/backup/database instead of /var/backups
* Retain 7 days of backups instead of only 2
* Use pigz for faster compression of mysql backups
* Use --single-transaction to avoid locks during mysql backups
* Use native postgres dump format instead of sql dumps for postgres
* Tidy up commands used to list databases to backup
* Change postgres dir name in preparation for postgres-10 backups
Clinton Ebadi [Sun, 31 Mar 2019 19:45:40 +0000 (15:45 -0400)]
ca-install: allow installing optional intermediate chain
All software nowadays supports storing cert + key + intermediate in
one file, adapt ca-install for this format.
Clinton Ebadi [Sun, 10 Feb 2019 04:38:47 +0000 (23:38 -0500)]
create-user: add lovelace to execute_on_all_machines
and a quick function to execute things on the mail servers
Clinton Ebadi [Sun, 10 Feb 2019 04:37:25 +0000 (23:37 -0500)]
create-user: bump default quota to ~10G
This is what we're listing as the default quota on the website
Clinton Ebadi [Thu, 10 Jan 2019 01:15:08 +0000 (20:15 -0500)]
ca-install: install certs to mailman server
certs need to be available in case members configure list domains with
ssl.
Clinton Ebadi [Sat, 5 Jan 2019 18:15:40 +0000 (13:15 -0500)]
create-user: misc updates for Debian Stretch / server changes
Specify postgres host instead of assuming we are running on the
postgres server.
Use printf instead of "tee -i" to double output when setting initial
password; newer sudo barfs with permission denied on /dev/stdout (and
printf makes it clearer anyway).
Gitweb symlink creation was cruft, a cron on the webserver manages the
symlinks automatically.
And don't check for volume sync from outpost, it is not running
openafs-fileserver (just the afs db servers).
Clinton Ebadi [Tue, 25 Dec 2018 03:12:14 +0000 (22:12 -0500)]
new script to check freespace in afs
trivial script. if this proves annoying when/if we pass 85% used, may
want to use quotacheck as a basis for a more advanced script (and back
off over time if usage stops increasing).
Clinton Ebadi [Sat, 15 Dec 2018 17:42:43 +0000 (12:42 -0500)]
become-hcoop: add to git
Been around for a while but was never committed.
Clinton Ebadi [Sat, 15 Dec 2018 17:37:24 +0000 (12:37 -0500)]
create-user: update for new servers
remove old servers, add new servers.
Clinton Ebadi [Sat, 15 Dec 2018 17:26:36 +0000 (12:26 -0500)]
freeze: use rmdom and revoke instead of rmuser
Just revoke access to domains, no need to totally purge domtool
cert/key for user when freezing.
Clinton Ebadi [Sat, 15 Dec 2018 17:26:20 +0000 (12:26 -0500)]
hcoop-git-maint: don't generate cache page
has been unused for several years now
Clinton Ebadi [Sat, 15 Dec 2018 17:24:59 +0000 (12:24 -0500)]
deploy-domtool: update for new servers and systemd
Some servers now have insufficient memory to handle multiple instances
of mlton, but this isn't as big of a deal now with improved
single-threaded performance.
Clinton Ebadi [Sat, 15 Dec 2018 17:24:10 +0000 (12:24 -0500)]
misc updates
use new hostnames, sudo instead of su, etc.
Clinton Ebadi [Sat, 15 Dec 2018 17:22:57 +0000 (12:22 -0500)]
new-user: use most recent generated password for username
It is possible for the same username to apply multiple times and not
finish the application, make sure to use the most recent one.
Clinton Ebadi [Sat, 15 Dec 2018 17:21:38 +0000 (12:21 -0500)]
hcoop-kprop: remove
This is handled by Puppet now, which generates individual crontab
entries for each kdc replica.
Clinton Ebadi [Sat, 15 Dec 2018 17:19:41 +0000 (12:19 -0500)]
create-user-database: new postgres dir, nuke 8.1, ensure permissions
Explicitly chmod dirs to avoid leaving them at 755.
Clinton Ebadi [Sat, 15 Dec 2018 17:19:07 +0000 (12:19 -0500)]
ca-install: support multiple webservers, update for new servers
Clinton Ebadi [Wed, 5 Dec 2018 04:59:24 +0000 (23:59 -0500)]
import hcoop-webalizer cron as script
Clinton Ebadi [Wed, 7 Nov 2018 16:31:36 +0000 (11:31 -0500)]
quotacheck: check volumes on gibran
Clinton Ebadi [Sat, 28 Jan 2017 22:26:10 +0000 (17:26 -0500)]
create-user: create fastcgi wrapper script
mod_fcgid is annoying and has no way to integrate with
mod_waklog. Generate wrapper scripts that grab tokens as a workaround.
clinton_admin [Thu, 22 Oct 2015 02:24:54 +0000 (22:24 -0400)]
hcoop-git-maint: speed up and avoid blocking forever if apache is slow
Previous `find' incantation was actually scanning all the way down
objects/ and refs/. Invert the regex and actually prune. The script
runs in a few seconds rather than a good minute or two now.
Also add a wget timeout so that an unresponsive apache doesn't block
the cron job forever. The cache page isn't really used any more
anyway.
clinton_admin [Tue, 12 May 2015 22:34:05 +0000 (18:34 -0400)]
deploy-domtool: add mccarthy.hcoop.net
clinton_admin [Sat, 25 Apr 2015 22:29:16 +0000 (18:29 -0400)]
mysql-grant-table-drop: quote database and table names
Tables with '-' in their name broke the script.
clinton_admin [Sat, 25 Apr 2015 22:28:35 +0000 (18:28 -0400)]
mysql-grant-drop: exclude `performance_schema' database, consolidate conditionals
clinton_admin [Tue, 24 Mar 2015 20:46:31 +0000 (16:46 -0400)]
hcoop-kprop: invert grep exit status to shut cron up
We want to eat the success message while allowing any error output to
be displayed, but we also want to return success.
clinton_admin [Tue, 24 Mar 2015 20:25:45 +0000 (16:25 -0400)]
apache-sync-logs: allow setting VERBOSE from the environment
Makes one-shot testing way less of a pain
clinton_admin [Tue, 24 Mar 2015 20:25:13 +0000 (16:25 -0400)]
ca-install: permissions were only fixed in combined pem case
Move chmod outside of the if so separate key/cert files are chmoded
instead.
Clinton Ebadi [Sat, 27 Dec 2014 23:39:37 +0000 (18:39 -0500)]
ca-install: use openssl instead of grepping for private key
The check was never reliable, do it the Right Way (tm) instead.
clinton_admin [Fri, 17 Oct 2014 17:25:36 +0000 (13:25 -0400)]
create-user: create ~/.domtool link as admin and chown
Some security update appears to have changed sudo behavior slightly and tokens are lost.
clinton_admin [Fri, 17 Oct 2014 17:24:15 +0000 (13:24 -0400)]
domtool: make -j2 because we finally have enough ram
May as well crank up all of the cpu power we have. Better than halves
deploy time!
clinton_admin [Fri, 17 Oct 2014 17:23:30 +0000 (13:23 -0400)]
domtool: deploy server and slave simultaneously on fritz
Was previously quietly failing during install because
/usr/local/bin/domtool-slave cannot be overwritten while it is
running.
clinton_admin [Tue, 29 Apr 2014 01:28:24 +0000 (21:28 -0400)]
Increase default quota from 400M to 4G
clinton_admin [Tue, 29 Apr 2014 01:27:36 +0000 (21:27 -0400)]
Domtool server moved to fritz
clinton_admin [Tue, 29 Apr 2014 01:27:16 +0000 (21:27 -0400)]
Remove non-existent db volume from quotadisplay
clinton_admin [Tue, 29 Apr 2014 01:26:57 +0000 (21:26 -0400)]
ca-install fixes
* Scan for correct string in key file
* Ensure no one but apache can read the pem on the webserver
* Reload apache after install so the user can actually use it
clinton_admin [Tue, 4 Mar 2014 07:47:04 +0000 (02:47 -0500)]
Grant webalizer read permissions to new user logs
clinton_admin [Sun, 18 Aug 2013 20:06:18 +0000 (16:06 -0400)]
Avoid deleting log files for removed vhosts
* Not entirely certain this is the best behavior, but seems sensible
so members don't accidentally lose their webalizer stats when
reconfiguring a domain
Clinton Ebadi [Tue, 23 Jul 2013 01:39:11 +0000 (21:39 -0400)]
new-user fixes
* Only use latest application password for new member apps, in case
someone applied and was not accepted using the same username previously
* Call `create-user-new' rather than `create-user'
Clinton Ebadi [Tue, 23 Jul 2013 01:37:46 +0000 (21:37 -0400)]
Update domtool library manual when installing server
Clinton Ebadi [Tue, 23 Jul 2013 01:36:39 +0000 (21:36 -0400)]
Remove mire from admin scripts
* `freeze' will now work with bog
* Install ssl certs to navajos
* Do not copy keytabs etc. to mire
* Do not deploy domtool-slave to mire
clinton_admin [Tue, 23 Jul 2013 01:20:06 +0000 (21:20 -0400)]
Silence apache-sync-logs
Clinton Ebadi [Sun, 14 Jul 2013 05:58:53 +0000 (01:58 -0400)]
Remove stale log files and speed up apache log sync
* Major speedup: The apache log directory was pointlessly being copied
for each user on each sync so that it could be chowned and
transferred. But there is no need: afs ignores the owner/group and
unix permissions and root can read the keytabs. Eliminating the
redundant copy sped the script up from ~9 minutes to ~2 minutes.
* Limit scope of each transfer to the per-host apache log
directory. This could result in less stat()ing, but more importantly
allows us to...
* Pass --delete to rsync to clean up stale log files. It turns out
that for a very long time we've just been leaving the uncompressed
logrotated apache logs behind, and never removing old log files. Fix
that.
Clinton Ebadi [Fri, 11 Jan 2013 08:06:18 +0000 (03:06 -0500)]
"Factored" create-user, and script to create shared service users
Converted create-user script into a set of procedures, grouped by
logical step in the user creation process. Things were regrouped only
as much as was needed to get `create-service-user' script for creating
principals for non-humans and `create-user` working with minimal
duplication. This still needs a lot of work (and destroy-user even
more).
Clinton Ebadi [Sun, 6 Jan 2013 08:57:23 +0000 (03:57 -0500)]
Scripts to deploy domtool across all hosts
These have existed for a while, but in my homedir. Builds domtool in
parallel across all hosts. Possible improvements include only building
one copy of domtool per machine architecture.
Clinton Ebadi [Sun, 6 Jan 2013 08:53:13 +0000 (03:53 -0500)]
Update create-user for new nodes
Extract keytabs, change names of a few functions to indicate their
intended functionality, clean up $PATHBITS permissions after creating
so that they aren't owned by whoever ran the script.
Clinton Ebadi [Sun, 6 Jan 2013 08:51:29 +0000 (03:51 -0500)]
Set initial user password from MemberApp in database
The portal password files are not being created for whatever reason,
and the data is there in the database so there's no real point not
using it anyway.
Clinton Ebadi [Sun, 6 Jan 2013 08:50:25 +0000 (03:50 -0500)]
Run remove from lists on deleuze
So that it actually works and all
clinton_admin [Thu, 20 Dec 2012 08:30:22 +0000 (03:30 -0500)]
Fix restoring shell on unfreeze when member did not have a shell preference
clinton_admin [Thu, 20 Dec 2012 08:29:55 +0000 (03:29 -0500)]
Move frozen database into afs, run on fritz
clinton_admin [Thu, 20 Dec 2012 08:29:17 +0000 (03:29 -0500)]
Sync keytabs to navajos
clinton_admin [Thu, 20 Dec 2012 08:26:46 +0000 (03:26 -0500)]
Create postgresql 9.1 tablespaces for users
clinton_admin [Thu, 20 Dec 2012 08:26:26 +0000 (03:26 -0500)]
Escape @ in mail address for quotacheck
* This caused an error on newer perl
clinton_admin [Thu, 20 Dec 2012 08:25:58 +0000 (03:25 -0500)]
Correct order of sudo in apache sync logs
* Modern sudo clears the environment, so we have to run k5start within sudo not outside
clinton_admin [Mon, 6 Aug 2012 17:50:27 +0000 (13:50 -0400)]
Work around portal storing passwords in local fs space on deleuze
* Really need to move these to afs
clinton_admin [Wed, 4 Jul 2012 02:37:17 +0000 (22:37 -0400)]
Update destroy-user
* Run on fritz
* Don't do anything with ldap since Clinton doesn't care about it,
and Davor isn't maintaining it.
clinton_admin [Sun, 25 Mar 2012 07:13:23 +0000 (03:13 -0400)]
Escape tablespace name when creating postgresql tablespace
* Previously, a name with a '-' would break things
* Usernames containing '"' are invalid anyway so we should be bulletproof
clinton_admin [Mon, 12 Dec 2011 19:52:55 +0000 (14:52 -0500)]
Make `new-user' half-work again
* (Non-Working) LDAP stuff disabled
* Run `create-user' on fritz
* Disable setting password (has to be done manually for now)
* Portal has to move to either storing passwords in afs or running on
fritz (or both)
Clinton Ebadi [Wed, 30 Nov 2011 05:44:27 +0000 (00:44 -0500)]
Don't create LDAP entries for new users
* LDAP does not work on fritz.
* I have no interest in making LDAP work on fritz.
Clinton Ebadi [Wed, 30 Nov 2011 05:42:56 +0000 (00:42 -0500)]
Update `create-user' to operate on fritz properly
* It /appeared/ to succeed before for `mb0' but actually failed to do
things like create his homedir so...
* Tweak to where things work, there is still some needless reliance
upon deleuze unfortunately
clinton_admin [Wed, 19 Oct 2011 05:19:40 +0000 (01:19 -0400)]
Only propagate kerberos db to hopper
* fritz is now the master
* deleuze's KDC is too old (dump format 5 vs 6) to load dumps from fritz's kdc, disable
clinton_admin [Fri, 11 Mar 2011 00:42:18 +0000 (19:42 -0500)]
create-user: Database creation fixes
* Invoke `create-user-database' as root
* Do not attempt to create directories or tablespaces if they already
exist
clinton_admin [Fri, 11 Mar 2011 00:41:41 +0000 (19:41 -0500)]
create-user: Sync keytabs to fritz
clinton_admin [Sat, 26 Feb 2011 06:15:26 +0000 (01:15 -0500)]
BCC: admins@hcoop.net instead of just admins in quotacheck
clinton_admin [Sat, 26 Feb 2011 05:01:24 +0000 (00:01 -0500)]
...and pass the new db arguments to the commands to actually dump things
clinton_admin [Sat, 26 Feb 2011 04:39:40 +0000 (23:39 -0500)]
Remove obsolete database volume information from quotacheck email
Clinton Ebadi [Sat, 26 Feb 2011 04:21:28 +0000 (23:21 -0500)]
Update database backup script to connect to fritz
* Mysql has to use a special my.cnf stored in /root
Clinton Ebadi [Sat, 26 Feb 2011 04:10:15 +0000 (23:10 -0500)]
BCC admins@ instead of docelic@ in quota check
Clinton Ebadi [Sat, 26 Feb 2011 04:10:01 +0000 (23:10 -0500)]
Check quotas on fritz instead of deleuze
* Remove $USER.db volume check
Clinton Ebadi [Sat, 26 Feb 2011 04:08:28 +0000 (23:08 -0500)]
You need domtool-admin rights to destroy a user
* Otherwise very bad things happen very quickly
Clinton Ebadi [Sat, 26 Feb 2011 04:08:06 +0000 (23:08 -0500)]
Typo fix in create-user
Clinton Ebadi [Sat, 26 Feb 2011 04:07:55 +0000 (23:07 -0500)]
Explicitly forward kerberos tokens in create-user
Clinton Ebadi [Wed, 23 Feb 2011 12:51:08 +0000 (07:51 -0500)]
Call `create-user-database' with $USER and not $PATHBITS
Clinton Ebadi [Mon, 21 Feb 2011 11:53:50 +0000 (06:53 -0500)]
Set +x on create-user-database script
Clinton Ebadi [Mon, 21 Feb 2011 11:51:32 +0000 (06:51 -0500)]
Create user volumes on fritz instead of deleuze
Clinton Ebadi [Mon, 21 Feb 2011 11:50:40 +0000 (06:50 -0500)]
Create database tablespace stubs on fritz
Clinton Ebadi [Mon, 21 Feb 2011 10:29:36 +0000 (05:29 -0500)]
Sync changes in current working tree
Richard Darst [Mon, 29 Mar 2010 01:57:03 +0000 (21:57 -0400)]
hcoop-kprop: update for fritz
(not actually done by me)
Richard Darst [Mon, 29 Mar 2010 01:42:43 +0000 (21:42 -0400)]
hcoop-backup{,-wrapper}: temporarily disable backups
mwolson_admin [Sat, 4 Apr 2009 19:30:41 +0000 (15:30 -0400)]
hcoop-git-maint: Send output to /dev/null.
mwolson_admin [Sat, 4 Apr 2009 19:24:07 +0000 (15:24 -0400)]
New stuff.
mwolson_admin [Sat, 4 Apr 2009 19:23:50 +0000 (15:23 -0400)]
Various improvements.
mwolson_admin [Wed, 1 Apr 2009 04:07:40 +0000 (00:07 -0400)]
hcoop-git-maint: Improve detection of bad permissions.
- Fix bug where bogus symlink loop would be created.
- Iterate through /var/cache/git on the second run, not everyone's
homedir regardless of whether they're using git.
- Check AFS permissions at a deeper level. Skip object and refs
directories because they might take a while.
mwolson_admin [Tue, 24 Feb 2009 05:10:35 +0000 (00:10 -0500)]
create-user: Only change public_html acls if dir does not exist.
mwolson_admin [Sun, 8 Feb 2009 15:55:40 +0000 (10:55 -0500)]
hcoop-backup: Ignore ghc's autogenerated conf files.
mwolson_admin [Sun, 8 Feb 2009 15:52:31 +0000 (10:52 -0500)]
Changes by docelic.
mwolson_admin [Mon, 24 Nov 2008 04:11:16 +0000 (23:11 -0500)]
Make several scripts STFU.
mwolson_admin [Tue, 11 Nov 2008 03:41:09 +0000 (22:41 -0500)]
backup-manager: Add help command.
mwolson_admin [Tue, 11 Nov 2008 03:24:50 +0000 (22:24 -0500)]
Initial version of backup-manager.
mwolson_admin [Fri, 17 Oct 2008 04:43:59 +0000 (00:43 -0400)]
hcoop-git-maint: Quick hack to deal with bad user permissions.
mwolson_admin [Thu, 16 Oct 2008 15:30:05 +0000 (11:30 -0400)]
Misc create-user fixes from docelic.
mwolson_admin [Wed, 17 Sep 2008 04:20:12 +0000 (00:20 -0400)]
hcoop-git-maint: Only update page if new content is nonempty.
mwolson_admin [Mon, 8 Sep 2008 21:15:27 +0000 (17:15 -0400)]
hcoop-backup: More permissions twiddling.
mwolson_admin [Thu, 4 Sep 2008 02:38:03 +0000 (22:38 -0400)]
hcoop-backups: Further tweak permissions.
mwolson_admin [Wed, 3 Sep 2008 08:09:52 +0000 (04:09 -0400)]
hcoop-backup: Be sure that only root can read in-progress backups.
mwolson_admin [Wed, 3 Sep 2008 08:04:06 +0000 (04:04 -0400)]
rsync-shell: Enforce bandwidth limit of 325 KB/s.
mwolson_admin [Wed, 3 Sep 2008 07:55:11 +0000 (03:55 -0400)]
Initial implementation of rsync-shell functionality.
mwolson_admin [Wed, 3 Sep 2008 07:54:13 +0000 (03:54 -0400)]
hcoop-backup: Directory itself must be owner-writable.
Otherwise it can't be deleted.
mwolson_admin [Tue, 2 Sep 2008 14:39:39 +0000 (10:39 -0400)]
hcoop-backup: Update file permissions after run.