#!/usr/local/bin/bash
# ---------------------------------------------------------------------------
# makeuser - tilde.institute new user creation
# Usage: makeuser [-h|--help] <username> <email> "<pubkey>"
# ---------------------------------------------------------------------------

# Script name without its directory; used as the prefix in diagnostics.
PROGNAME="${0##*/}"

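#######################################
# Print "<progname>: <message>" on stderr and exit with status 1.
# Globals:   PROGNAME (read)
# Arguments: $1 - message; defaults to "Unknown Error" when empty/unset
# Outputs:   one line on stderr
# Returns:   never returns (exit 1)
#######################################
error_exit() {
  # printf '%s' keeps the message literal; echo -e would interpret
  # backslash escapes in caller-supplied text such as usernames.
  printf '%s: %s\n' "$PROGNAME" "${1:-Unknown Error}" >&2
  exit 1
}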

#######################################
# Print the one-line synopsis on stdout.
# Globals:   PROGNAME (read)
# Outputs:   usage line on stdout
#######################################
usage() {
  printf 'usage: %s [-h|--help] <username> <email> "<pubkey>"\n' "$PROGNAME"
}

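# Account creation and the edits under /etc and /var/www need root.
[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."

# Refuse to re-create an existing login. This must be an exact line
# match against the passwd login names: a glob prefix test such as
# `[[ $USERLIST == $1* ]]` only ever sees the first entry of the joined
# list and matches everything when $1 is empty.
USERLIST=$(cut </etc/passwd -d ":" -f1)
if [[ -n ${1-} ]] && grep -qxF -- "$1" <<<"$USERLIST"; then
  error_exit "User already exists!"
fi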

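case $1 in
-h | --help)
  usage
  exit
  ;;
-*)
  usage
  error_exit "unknown option $1"
  ;;
*)
  # Exactly <username> <email> <pubkey> are required.
  (( $# != 3 )) && error_exit "expected 3 arguments, got $#"

  # The login name is spliced into filesystem paths, an httpd(8) server
  # name, a sed(1) replacement and several command lines below, so reject
  # anything outside a conservative login-name alphabet before touching
  # the system. NOTE(review): widen the pattern if the site allows other
  # characters in usernames.
  [[ $1 =~ ^[a-z_][a-z0-9_-]*$ ]] || error_exit "invalid username: $1"
  # The address is handed to mail(1) as a positional argument; refuse
  # values that would be parsed as an option or lack an '@'.
  [[ $2 != -* && $2 == *@* ]] || error_exit "invalid email address: $2"

  home="/home/$1"

  # Generate a random 20 character password, hash it with encrypt(1) and
  # hand the hash to useradd; ksh is the default shell. The plaintext is
  # piped on stdin rather than passed as an argument so it never appears
  # in the process list. Nothing else can proceed if useradd fails.
  echo "adding new user $1"
  newpw=$(pwgen -1B 20) || error_exit "pwgen failed"
  pwcrypt=$(printf '%s\n' "$newpw" | encrypt) || error_exit "encrypt failed"
  useradd -m -g 1001 -p "$pwcrypt" -s /bin/ksh -k /etc/skel "$1" \
    || error_exit "useradd failed for $1"

  # public_html: the user's web root, reachable from the home directory
  mkdir -p "/var/www/users/$1"
  chown "$1:tilde" "/var/www/users/$1"
  doas -u "$1" ln -s "/var/www/users/$1" "$home/public_html"

  # public_repos: the user's cgit repository directory
  mkdir -p "/var/www/cgit_repos/$1"
  chown "$1:tilde" "/var/www/cgit_repos/$1"
  doas -u "$1" ln -s "/var/www/cgit_repos/$1" "$home/public_repos"

  # Per-user httpd(8) vhost: plain http is redirected to https and tls is
  # forced on 443. The \$ escapes keep the httpd macros ($ext_addr,
  # $SERVER_NAME, $REQUEST_URI) literal in the generated file.
  cat >"/etc/httpd/$1.conf" <<EOF
server "$1.tilde.institute" {
        listen on \$ext_addr port 80 block return 301 "https://\$SERVER_NAME\$REQUEST_URI"
    }
    server "$1.tilde.institute" {
		listen on \$ext_addr tls port 443
		root "/users/$1"
        tls {
            key "/etc/letsencrypt/live/tilde.institute-0001/privkey.pem"
            certificate "/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem"
        }
		directory index index.html
		directory auto index
		location "/*.cgi" {
			fastcgi
		}
		location "/*.php" {
			fastcgi socket "/run/php-fpm.sock"
		}
	}
EOF

  # Register the vhost in the bridged config that /etc/httpd.conf
  # includes. httpd(8) does not glob on include, so this list has to be
  # maintained explicitly.
  printf 'include "/etc/httpd/%s.conf"\n' "$1" >>/etc/httpd-vusers.conf

  # Sort and deduplicate the bridged config. Duplicate entries make every
  # subdomain after the duplicate resolve to the main site instead.
  sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted \
    && cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
  #pkill -HUP httpd
  #rcctl restart httpd

  # Welcome mail. Splicing the username into the sed replacement is safe
  # only because the alphabet check above excludes '/', '&' and '\'.
  sed -e "s/newusername/$1/g" /admin/misc/email.tmpl \
    | mail -r admins@tilde.institute -s "welcome to tilde.institute!" "$2"

  # subscribe to mailing list
  #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org

  # Make the shell history files append-only so the user cannot delete or
  # truncate them (bash and ksh only).
  doas -u "$1" touch "$home/.history" "$home/.bash_history"
  chflags uappnd "$home/.history" "$home/.bash_history"

  # Announce the account on mastodon and refresh the public user list.
  /admin/bin/toot.py "Welcome new user ~$1!"
  cut </etc/passwd -d ":" -f1 >/var/www/htdocs/userlist

  # Install the ssh public key. ~/.ssh and authorized_keys are created
  # explicitly so this does not depend on /etc/skel providing them, and
  # are given to the user with private permissions as sshd(8) expects.
  # tee keeps echoing the installed key to stdout for confirmation.
  mkdir -p "$home/.ssh"
  chown "$1" "$home/.ssh"
  chmod 700 "$home/.ssh"
  printf '%s\n' "$3" | tee "$home/.ssh/authorized_keys"
  chown "$1" "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  ;;
esac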