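#!/bin/bash
#
# Post-install bootstrap for a newly created HCoop node.
#
# Usage: $0 [node]
#   node   short hostname of this node (default: mccarthy); Kerberos
#          principals are built as <service>/<node>.hcoop.net@HCOOP.NET
#
# Run on the newly created node as a kerberos/afs admin with local sudo
# rights. Unfortunately has to be run after the first reboot by an admin
# user. Every privileged step goes through sudo; kadmin prompts for the
# admin password itself, so nothing secret appears on the traced command
# lines.
#
# FIXME BEFORE REINSTALLING Override /etc/adduser.conf to set
# min_system_uid/gid to 110 to skip over domtool. We are going to kill
# the domtool identity for domtool2 eventually, but...
#
# Overriding in hcoop-common-config is sufficient, as long as fewer
# than 8 packages requesting dynamically allocated system uids are
# installed by d-i

set -eu -o pipefail
set -v
set -x

readonly REALM=HCOOP.NET
readonly KEYTAB_SOURCE=fritz.hcoop.net
readonly TLS_SOURCE=navajos.hcoop.net

# The admin principal is derived from $USER; fail early rather than
# building "@HCOOP.NET" from an empty name.
: "${USER:?must be set to the admin principal's local user name}"

#######################################
# Install the adduser.conf override.
# Domtool was created in pts with id #108, so we skip to 110 for
# dynamically allocated UID/GIDs to avoid conflict until the domtool
# pts user can be replaced.
# Globals:   none
# Arguments: none
# Returns:   0 on success, non-zero (via set -e) on any failure
#######################################
override_adduser_conf() {
  # sed runs unprivileged on the world-readable file; only the write
  # needs root, so no root shell is spawned for a command string.
  sed -e 's/^FIRST_SYSTEM_UID=.*/FIRST_SYSTEM_UID=110/' \
      -e 's/^FIRST_SYSTEM_GID=.*/FIRST_SYSTEM_GID=110/' /etc/adduser.conf \
    | sudo tee /etc/adduser.conf.hcoop >/dev/null
  # Move the pristine file aside only on the first run: on a re-run
  # /etc/adduser.conf is already the symlink, and moving it would
  # overwrite the .hcoop-orig backup with a dangling link.
  if [[ ! -L /etc/adduser.conf ]]; then
    sudo mv /etc/adduser.conf /etc/adduser.conf.hcoop-orig
    sudo ln -s /etc/adduser.conf.hcoop /etc/adduser.conf
  fi
}

#######################################
# Extract the host keytab into /etc/krb5.keytab and lock it down.
# Globals:   USER, REALM (read)
# Arguments: $1 - fully qualified hostname of this node
#######################################
fetch_host_keytab() {
  local fqdn=$1
  # ktadd creates the file before the chown/chmod below apply; keep the
  # three lines adjacent so that window stays as short as possible.
  sudo kadmin -p "${USER}@${REALM}" -r "${REALM}" \
    -q "ktadd -k /etc/krb5.keytab host/${fqdn}@${REALM}"
  sudo chown root:root /etc/krb5.keytab
  sudo chmod go-rwx /etc/krb5.keytab
}

#######################################
# Sync the initial set of keytabs (domtool, hcoop) from KEYTAB_SOURCE.
# Globals:   KEYTAB_SOURCE (read)
# Arguments: none
#######################################
sync_keytabs() {
  sudo mkdir -p /etc/keytabs /etc/keytabs/service
  # '&&' on both sides: if either cd fails, tar must not archive or
  # unpack relative to whatever the current directory happens to be.
  ssh "${KEYTAB_SOURCE}" 'cd /etc/keytabs && sudo tar clpf - domtool hcoop' \
    | (cd /etc/keytabs && sudo tar xlpf -)
}

#######################################
# Web Server: extract the apache2 service keytab, readable by www-data only.
# Globals:   USER, REALM (read)
# Arguments: $1 - fully qualified hostname of this node
#######################################
fetch_apache_keytab() {
  local fqdn=$1
  sudo kadmin -p "${USER}@${REALM}" -r "${REALM}" \
    -q "ktadd -k /etc/keytabs/service/apache apache2/${fqdn}@${REALM}"
  sudo chown www-data:root /etc/keytabs/service/apache
  sudo chmod 400 /etc/keytabs/service/apache
}

#######################################
# Copy the TLS certificate/key bundle from TLS_SOURCE and restrict it
# to the hcoop-tlscert group.
# Globals:   TLS_SOURCE (read)
# Arguments: none
#######################################
install_tls_cert() {
  # Idempotent: addgroup exits non-zero if the group already exists,
  # which would abort the whole script under set -e on a re-run.
  getent group hcoop-tlscert >/dev/null || sudo addgroup hcoop-tlscert

  ssh "${TLS_SOURCE}" sudo tar clpf - /etc/hcoop-ssl/hcoop.pem \
    | (cd / && sudo tar xlpf -)

  # Just in case: tar -p keeps whatever mode the file was archived with,
  # so pin owner/group and mode locally regardless of what arrived.
  sudo chown root:hcoop-tlscert /etc/hcoop-ssl /etc/hcoop-ssl/hcoop.pem
  sudo chmod 750 /etc/hcoop-ssl
  sudo chmod 440 /etc/hcoop-ssl/hcoop.pem
}

#######################################
# Deploy domtool locally and regenerate the firewall for this node.
# Globals:   none
# Arguments: $1 - short hostname of this node (as fwtool expects it)
#######################################
deploy_domtool() {
  local node=$1

  sudo touch /var/log/domtool.log
  sudo chown domtool:nogroup /var/log/domtool.log
  sudo chmod 600 /var/log/domtool.log

  sudo mkdir -p /var/domtool
  sudo chown domtool:nogroup /var/domtool
  sudo chmod 755 /var/domtool

  sudo -u domtool mkdir -p /var/domtool/vhosts /var/domtool/firewall

  /afs/hcoop.net/common/etc/scripts/deploy-domtool-on-host --slave --bootstrap

  fwtool regen "${node}"
}

#######################################
# Misc postinst stuff, in the order the original one-shot script ran it.
# Arguments: $1 - optional short hostname (default: mccarthy)
#######################################
main() {
  local node=${1:-mccarthy}
  local fqdn="${node}.hcoop.net"

  override_adduser_conf
  sudo apt-get install hcoop-admin-common-config
  fetch_host_keytab "${fqdn}"
  sync_keytabs
  fetch_apache_keytab "${fqdn}"
  install_tls_cert
  deploy_domtool "${node}"

  printf '%s\n' "Manually run 'domtool-admin regen' if needed"
}

main "$@"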