author | Benjamin Morrison <ben@gbmor.org> | 2023-06-12 22:40:57 -0400 |
---|---|---|
committer | Benjamin Morrison <ben@gbmor.org> | 2023-06-12 22:48:29 -0400 |
commit | 127e786b70911bed54c1189e394e6744907395c1 (patch) | |
tree | 6c9c3538214765c07a564bcba9e09b7f16d99d59 /bin | |
parent | 36edcab02c713b46a52db3a0dd0271459d57b9e8 (diff) | |
download | admin-127e786b70911bed54c1189e394e6744907395c1.tar.gz |
Diffstat (limited to 'bin')
-rwxr-xr-x | bin/badprocs.py | 2 | ||||
-rwxr-xr-x | bin/connusers.py | 1 | ||||
-rwxr-xr-x | bin/makeuser | 107 | ||||
-rwxr-xr-x | bin/makeuser.sh | 110 | ||||
-rw-r--r-- | bin/makeuser_all.sh | 97 | ||||
-rwxr-xr-x | bin/motdrotate.py | 2 | ||||
-rwxr-xr-x | bin/regusers.py | 1 | ||||
-rwxr-xr-x | bin/rmuser | 7 | ||||
-rwxr-xr-x | bin/showwhoison | 9 | ||||
-rwxr-xr-x | bin/weekconns.py | 1 |
10 files changed, 221 insertions, 116 deletions
diff --git a/bin/badprocs.py b/bin/badprocs.py
index ae41702..515e366 100755
--- a/bin/badprocs.py
+++ b/bin/badprocs.py
@@ -2,7 +2,6 @@
 # Checks the process list for anything that could be potentially worrisome.
 # If something is found, emails the admins@tilde.institute account.
-# gbmor <ben@gbmor.dev>
 from shlex import quote
 import subprocess
@@ -47,6 +46,7 @@ if __name__ == "__main__":
 "transmission",
 "tshark",
 "xmr", # lots of monero miners have this in the name
+ "znc",
 ]
 procsFound = getBadProcs(procsList)
diff --git a/bin/connusers.py b/bin/connusers.py
index ebdde7f..0a1cafd 100755
--- a/bin/connusers.py
+++ b/bin/connusers.py
@@ -1,7 +1,6 @@
 #!/usr/local/bin/python3 -I
 # Lists currently connected users for https://tilde.institute/stats
-# gbmor <ben@gbmor.dev>
 # 'ps' truncates usernames at 8 characters (called by 'showwhoison' to find mosh users)
 # so I'm matching the potentially-partial username to a home directory to retrieve
diff --git a/bin/makeuser b/bin/makeuser
deleted file mode 100755
index e9a4c1f..0000000
--- a/bin/makeuser
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/usr/local/bin/bash
-# ---------------------------------------------------------------------------
-# makeuser - tilde.institute new user creation
-# Usage: makeuser [-h|--help] <username> <email> "<pubkey>"
-# <gbmor> ben@gbmor.dev
-# ---------------------------------------------------------------------------
-
-PROGNAME=${0##*/}
-VERSION="0.1"
-
-error_exit() {
- echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
- exit 1
-}
-
-usage() {
- echo -e "usage: $PROGNAME [-h|--help] <username> <email> \"<pubkey>\""
-}
-
-[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."
-
-USERLIST=$(</etc/passwd cut -d ":" -f1)
-if [[ $USERLIST == $1* ]]; then
- error_exit "User already exists!"
-fi
-
-case $1 in
- -h | --help)
- usage; exit ;;
- -* | --*)
- usage; error_exit "unknown option $1" ;;
- *)
- [[ $# -ne 3 ]] && error_exit "not enough args"
-
-# generate a random 20 digit password
-# encrypt the password and pass it to
-# useradd, set ksh as default shell
- echo "adding new user $1"
- newpw=$(pwgen -1B 20)
- pwcrypt=$(encrypt ${newpw})
- useradd -m -g 1001 -p $pwcrypt -s /bin/ksh -k /etc/skel $1
-
-# make the public_html directory for the users
- mkdir /var/www/users/$1
- chown $1:tilde /var/www/users/$1
- doas -u $1 ln -s /var/www/users/$1 /home/$1/public_html
-
-# make the public_repos directory
- mkdir /var/www/cgit_repos/$1
- chown $1:tilde /var/www/cgit_repos/$1
- doas -u $1 ln -s /var/www/cgit_repos/$1 /home/$1/public_repos
-
-# set up the httpd configuration for
-# individual users. this config forces tls
-# for all subdomains
- echo "server \"$1.tilde.institute\" {
- listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
- }
- server \"$1.tilde.institute\" {
- listen on \$ext_addr tls port 443
- root \"/users/$1\"
- tls {
- key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
- certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
- }
- directory index index.html
- directory auto index
- location \"/*.cgi\" {
- fastcgi
- }
- location \"/*.php\" {
- fastcgi socket \"/run/php-fpm.sock\"
- }
- }" > /etc/httpd/$1.conf
-
-# add the user's vhost config to the bridged vhost config, which
-# is loaded by /etc/httpd.conf. This is necessary because httpd(8)
-# does not support globbing on includes
- echo "include \"/etc/httpd/$1.conf\"" >> /etc/httpd-vusers.conf
-
-# Sort and deduplicate entries in the bridged vhost config file
-# Duplicate entries cause weird behavior. Subdomains after the
-# duplicated entry won't resolve properly and instead resolve
-# to the main site
- sort -u /etc/httpd-vusers.conf > /etc/httpd-vusers.conf.sorted
- cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
- #pkill -HUP httpd
- rcctl restart httpd
-
-# send welcome email
- sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2
-
-# subscribe to mailing list
- #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org
-
-# lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
- doas -u "$1" touch /home/$1/.history
- doas -u "$1" touch /home/$1/.bash_history
- chflags uappnd /home/$1/.history
- chflags uappnd /home/$1/.bash_history
-
-# announce the new user's creation on mastodon
-# then copy their ssh key to their home directory
- /admin/bin/toot.py "Welcome new user ~$1!"
- </etc/passwd cut -d ":" -f1 > /var/www/htdocs/userlist
- echo "$3" | tee /home/$1/.ssh/authorized_keys
-esac
diff --git a/bin/makeuser.sh b/bin/makeuser.sh
new file mode 100755
index 0000000..b349459
--- /dev/null
+++ b/bin/makeuser.sh
@@ -0,0 +1,110 @@
+#!/usr/local/bin/bash
+# ---------------------------------------------------------------------------
+# makeuser - tilde.institute new user creation
+# Usage: makeuser [-h|--help] <username> <email> "<pubkey>"
+# ---------------------------------------------------------------------------
+
+PROGNAME=${0##*/}
+
+error_exit() {
+ echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
+ exit 1
+}
+
+usage() {
+ echo -e "usage: $PROGNAME [-h|--help] <username> <email> \"<pubkey>\""
+}
+
+[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."
+
+USERLIST=$(cut </etc/passwd -d ":" -f1)
+if [[ $USERLIST == $1* ]]; then
+ error_exit "User already exists!"
+fi
+
+case $1 in
+-h | --help)
+ usage
+ exit
+ ;;
+-*)
+ usage
+ error_exit "unknown option $1"
+ ;;
+*)
+ [[ $# -ne 3 ]] && error_exit "not enough args"
+
+ # generate a random 20 digit password
+ # encrypt the password and pass it to
+ # useradd, set ksh as default shell
+ echo "adding new user $1"
+ newpw=$(pwgen -1B 20)
+ pwcrypt=$(encrypt ${newpw})
+ useradd -m -g 1001 -p $pwcrypt -s /bin/ksh -k /etc/skel $1
+
+ # make the public_html directory for the users
+ mkdir /var/www/users/$1
+ chown $1:tilde /var/www/users/$1
+ doas -u $1 ln -s /var/www/users/$1 /home/$1/public_html
+
+ # make the public_repos directory
+ mkdir /var/www/cgit_repos/$1
+ chown $1:tilde /var/www/cgit_repos/$1
+ doas -u $1 ln -s /var/www/cgit_repos/$1 /home/$1/public_repos
+
+ # set up the httpd configuration for
+ # individual users. this config forces tls
+ # for all subdomains
+ echo "server \"$1.tilde.institute\" {
+ listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
+ }
+ server \"$1.tilde.institute\" {
+ listen on \$ext_addr tls port 443
+ root \"/users/$1\"
+ tls {
+ key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
+ certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
+ }
+ directory index index.html
+ directory auto index
+ location \"/*.cgi\" {
+ fastcgi
+ }
+ location \"/*.php\" {
+ fastcgi socket \"/run/php-fpm.sock\"
+ }
+ }" >/etc/httpd/$1.conf
+
+ # add the user's vhost config to the bridged vhost config, which
+ # is loaded by /etc/httpd.conf. This is necessary because httpd(8)
+ # does not support globbing on includes
+ echo "include \"/etc/httpd/$1.conf\"" >>/etc/httpd-vusers.conf
+
+ # Sort and deduplicate entries in the bridged vhost config file
+ # Duplicate entries cause weird behavior. Subdomains after the
+ # duplicated entry won't resolve properly and instead resolve
+ # to the main site
+ sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted
+ cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
+ #pkill -HUP httpd
+ #rcctl restart httpd
+
+ # send welcome email
+ sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2
+
+ # subscribe to mailing list
+ #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org
+
+ # lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
+ doas -u "$1" touch /home/$1/.history
+ doas -u "$1" touch /home/$1/.bash_history
+ chflags uappnd /home/$1/.history
+ chflags uappnd /home/$1/.bash_history
+
+ # announce the new user's creation on mastodon
+ # then copy their ssh key to their home directory
+ /admin/bin/toot.py "Welcome new user ~$1!"
+ cut </etc/passwd -d ":" -f1 >/var/www/htdocs/userlist
+ echo "$3" | tee /home/$1/.ssh/authorized_keys
+ ;;
+esac
diff --git a/bin/makeuser_all.sh b/bin/makeuser_all.sh
new file mode 100644
index 0000000..7fdad76
--- /dev/null
+++ b/bin/makeuser_all.sh
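Review bot: In makeuser.sh the existing-user guard `if [[ $USERLIST == $1* ]]` is a glob match of the whole newline-joined passwd list against `$1*`, so it only fires when the very first passwd entry starts with the new name; an existing account anywhere else is missed and `useradd` runs anyway. A per-name test is what is wanted, e.g. `if id -- "$1" >/dev/null 2>&1; then error_exit "User already exists!"; fi`. Because `$1` is also used unquoted and unvalidated in every root-run path (`mkdir /var/www/users/$1`, `useradd ... $1`, `tee /home/$1/.ssh/authorized_keys`), it is worth rejecting anything but a plain account name before the `case`, e.g. `[[ $1 =~ ^[a-z_][a-z0-9_-]*$ ]] || error_exit "invalid username: $1"`. The `rcctl restart httpd` line is now commented out, presumably because makeuser_all.sh restarts once per batch, so a comment such as `# httpd is not restarted here; run 'rcctl restart httpd' after adding users` would save the next operator from a vhost that never goes live.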
@@ -0,0 +1,97 @@
+#!/bin/sh
+
+new_users_file="$1"
+if [ -z "${new_users_file}" ]; then
+ printf 'Please specify a new users file: ./%s new_users.txt\n' "$0"
+ exit 1
+fi
+
+add_user() {
+ user_name="$1"
+ user_email="$2"
+ user_pubkey="$3"
+
+ # generate a random 20 digit password
+ # encrypt the password and pass it to
+ # useradd, set ksh as default shell
+ printf 'Adding new user %s\n' "$1"
+ new_pw="$(pwgen -1B 20)"
+ pw_crypt="$(encrypt "${new_pw}")"
+ useradd -m -g 1001 -p "$pw_crypt" -s /bin/ksh -k /etc/skel "${user_name}"
+
+ # make the public_html directory for the users
+ mkdir "/var/www/users/$1"
+ chown "${user_name}:tilde" "/var/www/users/${user_name}"
+ doas -u "${user_name}" ln -s "/var/www/users/${user_name}" "/home/${user_name}/public_html"
+
+ # make the public_repos directory
+ mkdir "/var/www/cgit_repos/${user_name}"
+ chown "${user_name}:tilde" "/var/www/cgit_repos/${user_name}"
+ doas -u "${user_name}" ln -s "/var/www/cgit_repos/${user_name}" "/home/${user_name}/public_repos"
+
+ # set up the httpd configuration for
+ # individual users. this config forces tls
+ # for all subdomains
+ echo "server \"${user_name}.tilde.institute\" {
+ listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
+ }
+ server \"${user_name}.tilde.institute\" {
+ listen on \$ext_addr tls port 443
+ root \"/users/${user_name}\"
+ tls {
+ key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
+ certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
+ }
+ directory index index.html
+ directory auto index
+ location \"/*.cgi\" {
+ fastcgi
+ }
+ location \"/*.php\" {
+ fastcgi socket \"/run/php-fpm.sock\"
+ }
+ }" >"/etc/httpd/${user_name}.conf"
+
+ # httpd(8) does not support globbing on includes.
+ # we need to add the includes to a larger include file to keep the main config cleaner.
+ echo "include \"/etc/httpd/${user_name}.conf\"" >>/etc/httpd-vusers.conf
+
+ # Sort and deduplicate entries in the bridged vhost config file
+ # Duplicate entries cause weird behavior. Subdomains after the
+ # duplicated entry won't resolve properly and instead resolve
+ # to the main site
+ sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted
+ cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
+
+ # send welcome email
+ sed -e "s/newusername/${user_name}/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" "${user_email}"
+
+ # subscribe to mailing list
+ #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org
+
+ # lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
+ doas -u "${user_name}" touch "/home/${user_name}/.history"
+ doas -u "${user_name}" touch "/home/${user_name}/.bash_history"
+ chflags uappnd "/home/${user_name}/.history"
+ chflags uappnd "/home/${user_name}/.bash_history"
+
+ # announce the new user's creation on mastodon
+ # then copy their ssh key to their home directory
+ /admin/bin/toot.py "Welcome new user ~${user_name}!"
+ cut </etc/passwd -d ":" -f1 >/var/www/htdocs/userlist
+ echo "${user_pubkey}" | tee "/home/${user_name}/.ssh/authorized_keys"
+}
+
+mailing_list_users=""
+while IFS="" read -r line || [ -n "$line" ]; do
+ [ -z "$line" ] && continue
+ this_user_name="$(echo "$line" | cut -d -f1)"
+ # shellcheck disable=SC2086
+ add_user $line || continue
+ mailing_list_users="${this_user_name}@tilde.institute\n${mailing_list_users}"
+done <"${new_users_file}"
+
+printf '\nRestarting httpd(8)\n'
+rcctl restart httpd
+
+printf 'Users to add to mailing list:\n\n%s\n' "${mailing_list_users}"
diff --git a/bin/motdrotate.py b/bin/motdrotate.py
index 15593f0..cad8688 100755
--- a/bin/motdrotate.py
+++ b/bin/motdrotate.py
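Review bot: In makeuser_all.sh's read loop, `cut -d -f1` hands `-f1` to `-d` as the delimiter and leaves cut with no field list, so as far as the collapsed text shows `this_user_name` can never hold the username; `cut -d ' ' -f1` looks intended. The unquoted `add_user $line` also word-splits the whole line, so if the pubkey field has the usual `type base64 [comment]` form, `user_pubkey="$3"` receives only the key type and the key material never reaches authorized_keys. Reading the three fields with `read -r` keeps the remainder of the line in the last variable and removes the need for the SC2086 exception; the `\n` in the `mailing_list_users` assignment is also literal under `%s`, so a real newline is needed. Note too that `add_user`'s exit status is that of its last command (`tee`), so `|| continue` does not skip the mailing-list entry when `useradd` itself fails, and unlike makeuser.sh there is no existing-user check before `useradd`.
```shell
mailing_list_users=""
while IFS=' ' read -r this_user_name this_user_email this_user_pubkey || [ -n "$this_user_name" ]; do
    [ -z "$this_user_name" ] && continue
    add_user "$this_user_name" "$this_user_email" "$this_user_pubkey" || continue
    mailing_list_users="$(printf '%s@tilde.institute\n%s' "$this_user_name" "$mailing_list_users")"
done <"${new_users_file}"
# … unchanged: httpd restart and final printf …
```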
@@ -6,8 +6,6 @@ import random
 ##############################################
 ## Uses a skeleton motd plus a random quote ##
 ## to produce a motd with a nifty quote. ##
-##------------------------------------------##
-## <gbmor> ben@gbmor.dev ##
 ##############################################
 def pullfile(filename):
diff --git a/bin/regusers.py b/bin/regusers.py
index 53997da..d240b9e 100755
--- a/bin/regusers.py
+++ b/bin/regusers.py
@@ -2,7 +2,6 @@
 # Lists all the currently registered users extant on the system
 # for the stats page at https://tilde.institute/stats
-# gbmor <ben@gbmor.dev>
 import os
 import sys
diff --git a/bin/rmuser b/bin/rmuser
index 98c697a..b7f5932 100755
--- a/bin/rmuser
+++ b/bin/rmuser
@@ -1,5 +1,4 @@
 #!/bin/sh
-set -eu
 if [ -z "$1" ]; then
 printf 'Please pass a user as the first argument.\n'
@@ -7,6 +6,12 @@ if [ -z "$1" ]; then
 fi
 printf 'Removing user %s from the system\n' "$1"
+
+chflags nouappnd "/home/$1/.history"
+chflags nouappnd "/home/$1/.bash_history"
+
+set -e
+
 userdel -r -v "$1"
 printf 'Cleaning /var/www/users/%s\n' "$1"
 rm -rf "/var/www/users/$1"
diff --git a/bin/showwhoison b/bin/showwhoison
index 6c36584..5247282 100755
--- a/bin/showwhoison
+++ b/bin/showwhoison
@@ -4,8 +4,13 @@
 # Shows connected users, including those
 # connected via mosh
-x=$(who | cut -d' ' -f1 )
+x=$(who | cut -d' ' -f1)
 y=$(ps aux | grep mosh | cut -d' ' -f1)
+z=$(ps aux | grep notty | cut -d' ' -f1)
 echo "Currently logged in users, including MOSH: "
-echo "$x" |sort | uniq
+echo "$x" | sort | uniq
 echo "$y" | sort | uniq
+
+echo ""
+echo "NO TTY:"
+echo "$z" | sort | uniq
diff --git a/bin/weekconns.py b/bin/weekconns.py
index ed9d375..0c62263 100755
--- a/bin/weekconns.py
+++ b/bin/weekconns.py
@@ -3,7 +3,6 @@
 # Lists the users who have connected in
 # the last week for the stats page at
 # https://tilde.institute/stats
-# <gbmor> ben@gbmor.dev
 from sys import exit
 import subprocess |
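Review bot: In rmuser, dropping `set -eu` at the top and re-enabling only `-e` after the two `chflags nouappnd` calls is presumably deliberate (the history files may be absent and a failing chflags would otherwise abort the removal), but nothing in the hunk records that; a line such as `# best-effort: clear the append-only flag set by makeuser so 'userdel -r' can delete the history files; a missing file must not abort` above the first `chflags` would make the ordering self-explanatory. `set -u` is not restored anywhere in the hunk, so unset-variable protection is lost for the rest of the script, which is worth either restoring with `set -eu` or noting in the same comment.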
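Review bot: In showwhoison, the new `ps aux | grep notty` (like the existing `grep mosh`) also matches the `grep` process itself, so the account running the script is always printed under "NO TTY:" even when no such session exists; bracketing the first character avoids the self-match: `z=$(ps aux | grep '[n]otty' | cut -d' ' -f1)`, and `grep '[m]osh'` for `y` for the same reason. The `cut -d' ' -f1` part is fine here since the USER column is first in `ps aux` output.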