Diffstat (limited to 'bin/makeuser.sh')
-rwxr-xr-x | bin/makeuser.sh | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/bin/makeuser.sh b/bin/makeuser.sh
new file mode 100755
index 0000000..b349459
--- /dev/null
+++ b/bin/makeuser.sh
@@ -0,0 +1,110 @@
+#!/usr/local/bin/bash
+# ---------------------------------------------------------------------------
+# makeuser - tilde.institute new user creation
+# Usage: makeuser [-h|--help] <username> <email> "<pubkey>"
+# ---------------------------------------------------------------------------
+
+PROGNAME=${0##*/}
+
+error_exit() {
+ echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
+ exit 1
+}
+
+usage() {
+ echo -e "usage: $PROGNAME [-h|--help] <username> <email> \"<pubkey>\""
+}
+
+[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."
+
+USERLIST=$(cut </etc/passwd -d ":" -f1)
+if [[ $USERLIST == $1* ]]; then
+ error_exit "User already exists!"
+fi
+
+case $1 in
+-h | --help)
+ usage
+ exit
+ ;;
+-*)
+ usage
+ error_exit "unknown option $1"
+ ;;
+*)
+ [[ $# -ne 3 ]] && error_exit "not enough args"
+
+ # generate a random 20 digit password
+ # encrypt the password and pass it to
+ # useradd, set ksh as default shell
+ echo "adding new user $1"
+ newpw=$(pwgen -1B 20)
+ pwcrypt=$(encrypt ${newpw})
+ useradd -m -g 1001 -p $pwcrypt -s /bin/ksh -k /etc/skel $1
+
+ # make the public_html directory for the users
+ mkdir /var/www/users/$1
+ chown $1:tilde /var/www/users/$1
+ doas -u $1 ln -s /var/www/users/$1 /home/$1/public_html
+
+ # make the public_repos directory
+ mkdir /var/www/cgit_repos/$1
+ chown $1:tilde /var/www/cgit_repos/$1
+ doas -u $1 ln -s /var/www/cgit_repos/$1 /home/$1/public_repos
+
+ # set up the httpd configuration for
+ # individual users. this config forces tls
+ # for all subdomains
+ echo "server \"$1.tilde.institute\" {
+ listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
+ }
+ server \"$1.tilde.institute\" {
+ listen on \$ext_addr tls port 443
+ root \"/users/$1\"
+ tls {
+ key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
+ certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
+ }
+ directory index index.html
+ directory auto index
+ location \"/*.cgi\" {
+ fastcgi
+ }
+ location \"/*.php\" {
+ fastcgi socket \"/run/php-fpm.sock\"
+ }
+ }" >/etc/httpd/$1.conf
+
+ # add the user's vhost config to the bridged vhost config, which
+ # is loaded by /etc/httpd.conf. This is necessary because httpd(8)
+ # does not support globbing on includes
+ echo "include \"/etc/httpd/$1.conf\"" >>/etc/httpd-vusers.conf
+
+ # Sort and deduplicate entries in the bridged vhost config file
+ # Duplicate entries cause weird behavior. Subdomains after the
+ # duplicated entry won't resolve properly and instead resolve
+ # to the main site
+ sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted
+ cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
+ #pkill -HUP httpd
+ #rcctl restart httpd
+
+ # send welcome email
+ sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2
+
+ # subscribe to mailing list
+ #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org
+
+ # lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
+ doas -u "$1" touch /home/$1/.history
+ doas -u "$1" touch /home/$1/.bash_history
+ chflags uappnd /home/$1/.history
+ chflags uappnd /home/$1/.bash_history
+
+ # announce the new user's creation on mastodon
+ # then copy their ssh key to their home directory
+ /admin/bin/toot.py "Welcome new user ~$1!"
+ cut </etc/passwd -d ":" -f1 >/var/www/htdocs/userlist
+ echo "$3" | tee /home/$1/.ssh/authorized_keys
+ ;;
+esac |
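Review bot: The existing-user check at `if [[ $USERLIST == $1* ]]` does not do what its message implies: `$USERLIST` is the whole newline-joined first column of /etc/passwd, so the glob only matches when the very first entry begins with `$1`, and an account anywhere else in the file passes the check. Nothing afterwards stops on failure (no `set -e`, `useradd` unchecked), so a re-run or a typo with an existing name falls through to `echo "$3" | tee /home/$1/.ssh/authorized_keys` and replaces that user's SSH key with the one on the command line; `if id -u "$1" >/dev/null 2>&1; then error_exit "User already exists!"; fi` tests the actual account instead. `$1` is also never validated and is interpolated unquoted into filesystem paths, the `sed` replacement expression and the generated httpd config, so it should be matched against the site's username pattern before any of that runs. The authorized_keys write itself runs as root with the default umask and does not create `.ssh` unless /etc/skel happens to provide it; sshd's StrictModes rejects the file unless it and its directory are owned by the user and not group/world-writable, so the directory and file should be created with explicit owner and mode as below. Separately, the `chflags uappnd` "lock down" on the history files is a user flag that the file owner can clear again, so the comment overstates what it guarantees.
```shell
[[ $1 =~ ^[a-z_][a-z0-9_-]*$ ]] || error_exit "invalid username"   # adjust to the site's username policy
if id -u "$1" >/dev/null 2>&1; then
  error_exit "User already exists!"
fi
# … unchanged: option handling, useradd, web directories, httpd config, mail, history files …
install -d -m 700 -o "$1" -g tilde "/home/$1/.ssh"
printf '%s\n' "$3" >"/home/$1/.ssh/authorized_keys"
chown "$1:tilde" "/home/$1/.ssh/authorized_keys"
chmod 600 "/home/$1/.ssh/authorized_keys"
```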