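#!/bin/sh
#
# Batch-create tilde.institute accounts from a new-users file.
#
# Usage: ./new_users.sh new_users.txt
#
# Each non-empty line of the file is "username email ssh-public-key".
# The key is everything after the email, so it may contain spaces
# (key type, base64 blob, comment) - read(1) assigns the rest of the
# line to its last variable.
#
# Must run as root: uses useradd(8), chown(8), chflags(1), doas(1),
# rcctl(8) and writes under /etc/httpd.

new_users_file="$1"
if [ -z "${new_users_file}" ]; then
  printf 'Please specify a new users file: ./%s new_users.txt\n' "$0"
  exit 1
fi
if [ ! -r "${new_users_file}" ]; then
  printf 'Cannot read new users file: %s\n' "${new_users_file}" >&2
  exit 1
fi
if [ "$(id -u)" -ne 0 ]; then
  printf 'This script must be run as root\n' >&2
  exit 1
fi

# A literal newline, for building the multi-line mailing list summary
# (printf %s does not interpret a "\n" embedded in an argument).
nl='
'

#######################################
# Accept only user names that are safe to interpolate into file paths,
# the sed(1) welcome-mail substitution and the httpd(8) config:
# lowercase letters, digits, '_' and '-', starting with a letter or '_'.
# This also rules out empty names and things like "..".
# Arguments: $1 - candidate user name
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_user_name() {
  case "$1" in
    "" | *[!a-z0-9_-]*) return 1 ;;
    [a-z_]*) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# Create a directory for the user under /var/www and link it into their
# home. The link is created as the user so it is owned by them.
# Globals:   user_name (read)
# Arguments: $1 - directory to create
#            $2 - symlink to create in the user's home
#######################################
make_user_dir() {
  mkdir "$1"
  chown "${user_name}:tilde" "$1"
  doas -u "${user_name}" ln -s "$1" "$2"
}

#######################################
# Write the per-user httpd(8) vhost (plain http redirects to https, all
# subdomains are forced to tls) and register it in the bridged include
# file.
# Arguments: $1 - user name
# Outputs:   /etc/httpd/<user>.conf, /etc/httpd-vusers.conf
#######################################
write_httpd_vhost() {
  vhost="$1.tilde.institute"
  # $ext_addr, $SERVER_NAME and $REQUEST_URI are httpd(8) macros and must
  # land in the file literally, hence the backslash escapes.
  cat >"/etc/httpd/$1.conf" <<EOF
server "${vhost}" {
  listen on \$ext_addr port 80
  block return 301 "https://\$SERVER_NAME\$REQUEST_URI"
}
server "${vhost}" {
  listen on \$ext_addr tls port 443
  root "/users/$1"
  tls {
    key "/etc/letsencrypt/live/tilde.institute-0001/privkey.pem"
    certificate "/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem"
  }
  directory index index.html
  directory auto index
  location "/*.cgi" {
    fastcgi
  }
  location "/*.php" {
    fastcgi socket "/run/php-fpm.sock"
  }
}
EOF

  # httpd(8) does not support globbing on includes, so every vhost is
  # listed in one include file to keep the main config cleaner.
  printf 'include "/etc/httpd/%s.conf"\n' "$1" >>/etc/httpd-vusers.conf

  # Sort and deduplicate the bridged vhost config: a duplicated entry
  # makes the subdomains after it resolve to the main site instead.
  # Only copy the sorted file back if sort(1) succeeded, so a failed
  # sort cannot replace the include file with an empty one.
  sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted &&
    cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
}

#######################################
# Create one account: unix user, web and cgit directories, httpd vhost,
# welcome mail, append-only history files, mastodon announcement and
# SSH key.
# Globals:   user_name, user_email, user_pubkey, home_dir (written)
# Arguments: $1 - user name
#            $2 - email address
#            $3 - ssh public key line
# Outputs:   progress on stdout, errors on stderr
# Returns:   1 if the name is invalid or the account cannot be created;
#            otherwise the status of the last step (later steps are
#            best-effort and report their own errors)
#######################################
add_user() {
  user_name="$1"
  user_email="$2"
  user_pubkey="$3"
  home_dir="/home/${user_name}"

  if ! valid_user_name "${user_name}"; then
    printf 'Skipping invalid user name: %s\n' "${user_name}" >&2
    return 1
  fi
  printf 'Adding new user %s\n' "${user_name}"

  # generate a random 20 character password, hash it with encrypt(1)
  # and hand the hash to useradd; ksh is the default shell.
  # The cleartext is fed to encrypt(1) on stdin rather than argv so it
  # is not visible in ps(1) output.
  new_pw="$(pwgen -1B 20)" || return 1
  pw_crypt="$(printf '%s\n' "${new_pw}" | encrypt)" || return 1
  useradd -m -g 1001 -p "${pw_crypt}" -s /bin/ksh -k /etc/skel "${user_name}" || {
    printf 'useradd failed for %s\n' "${user_name}" >&2
    return 1
  }

  # per-user web root, reachable as ~/public_html
  make_user_dir "/var/www/users/${user_name}" "${home_dir}/public_html"
  # per-user cgit repository root, reachable as ~/public_repos
  make_user_dir "/var/www/cgit_repos/${user_name}" "${home_dir}/public_repos"

  write_httpd_vhost "${user_name}"

  # send welcome email; the template carries the placeholder "newusername".
  # user_name passed valid_user_name, so it contains no sed(1) metacharacters.
  sed -e "s/newusername/${user_name}/g" /admin/misc/email.tmpl |
    mail -r admins@tilde.institute -s "welcome to tilde.institute!" "${user_email}"

  # subscribe to mailing list
  #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org

  # lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
  for hist in .history .bash_history; do
    doas -u "${user_name}" touch "${home_dir}/${hist}"
    chflags uappnd "${home_dir}/${hist}"
  done

  # announce the new user's creation on mastodon
  /admin/bin/toot.py "Welcome new user ~${user_name}!"
  # TODO(review): cut(1) without -b/-c/-f is a usage error; the intended
  # command could not be recovered from the original, so it is kept as is.
  cut /var/www/htdocs/userlist

  # install their ssh key. ~/.ssh may be missing from /etc/skel, so
  # create it first; the key file is left owned by the user so they can
  # manage their own keys later.
  doas -u "${user_name}" mkdir -p "${home_dir}/.ssh"
  chmod 700 "${home_dir}/.ssh"
  printf '%s\n' "${user_pubkey}" >"${home_dir}/.ssh/authorized_keys"
  chown "${user_name}:tilde" "${home_dir}/.ssh/authorized_keys"
  chmod 600 "${home_dir}/.ssh/authorized_keys"
}

mailing_list_users=""
# Fields are whitespace separated; everything after the email is the key.
# add_user's stdin is /dev/null so that nothing it runs can read from
# (and consume) the user list the loop is iterating over.
while read -r name email pubkey || [ -n "${name}" ]; do
  [ -z "${name}" ] && continue
  if add_user "${name}" "${email}" "${pubkey}" </dev/null; then
    mailing_list_users="${mailing_list_users}${name}@tilde.institute${nl}"
  fi
done <"${new_users_file}"

printf '\nRestarting httpd(8)\n'
rcctl restart httpd
printf 'Users to add to mailing list:\n\n%s' "${mailing_list_users}"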