#!/usr/local/bin/bash
# ---------------------------------------------------------------------------
# makeuser - tilde.institute new user creation
# Usage: makeuser [-h|--help] <username> <email> "<pubkey>"
# ---------------------------------------------------------------------------

PROGNAME=${0##*/}

error_exit() {
  echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
  exit 1
}

usage() {
  echo -e "usage: $PROGNAME [-h|--help] <username> <email> \"<pubkey>\""
}

[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."

USERLIST=$(cut </etc/passwd -d ":" -f1)
if [[ $USERLIST == $1* ]]; then
  error_exit "User already exists!"
fi

case $1 in
-h | --help)
  usage
  exit
  ;;
-*)
  usage
  error_exit "unknown option $1"
  ;;
*)
  [[ $# -ne 3 ]] && error_exit "not enough args"

  # generate a random 20 digit password
  # encrypt the password and pass it to
  # useradd, set ksh as default shell
  echo "adding new user $1"
  newpw=$(pwgen -1B 20)
  pwcrypt=$(encrypt ${newpw})
  useradd -m -g 1001 -p $pwcrypt -s /bin/ksh -k /etc/skel $1

  # make the public_html directory for the users
  mkdir /var/www/users/$1
  chown $1:tilde /var/www/users/$1
  doas -u $1 ln -s /var/www/users/$1 /home/$1/public_html

  # make the public_repos directory
  mkdir /var/www/cgit_repos/$1
  chown $1:tilde /var/www/cgit_repos/$1
  doas -u $1 ln -s /var/www/cgit_repos/$1 /home/$1/public_repos

  # set up the httpd configuration for
  # individual users. this config forces tls
  # for all subdomains
  echo "server \"$1.tilde.institute\" {
        listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
    }
    server \"$1.tilde.institute\" {
		listen on \$ext_addr tls port 443
		root \"/users/$1\"
        tls {
            key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
            certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
        }
		directory index index.html
		directory auto index
		location \"/*.cgi\" {
			fastcgi
		}
		location \"/*.php\" {
			fastcgi socket \"/run/php-fpm.sock\"
		}
	}" >/etc/httpd/$1.conf

  # add the user's vhost config to the bridged vhost config, which
  # is loaded by /etc/httpd.conf. This is necessary because httpd(8)
  # does not support globbing on includes
  echo "include \"/etc/httpd/$1.conf\"" >>/etc/httpd-vusers.conf

  # Sort and deduplicate entries in the bridged vhost config file
  # Duplicate entries cause weird behavior. Subdomains after the
  # duplicated entry won't resolve properly and instead resolve
  # to the main site
  sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted
  cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
  #pkill -HUP httpd
  #rcctl restart httpd

  # send welcome email
  sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2

  # subscribe to mailing list
  #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org

  # lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
  doas -u "$1" touch /home/$1/.history
  doas -u "$1" touch /home/$1/.bash_history
  chflags uappnd /home/$1/.history
  chflags uappnd /home/$1/.bash_history

  # announce the new user's creation on mastodon
  # then copy their ssh key to their home directory
  /admin/bin/toot.py "Welcome new user ~$1!"
  cut </etc/passwd -d ":" -f1 >/var/www/htdocs/userlist
  echo "$3" | tee /home/$1/.ssh/authorized_keys
  ;;
esac