about summary refs log tree commit diff stats
path: root/bin/makeuser
blob: 91e3b567bfe12a159b9579df260645c402370b80 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/local/bin/bash
# ---------------------------------------------------------------------------
# makeuser - tilde.institute new user creation
# Usage: makeuser [-h|--help] <username> <email> "<pubkey>"
# <gbmor> ben@gbmor.dev
# ---------------------------------------------------------------------------

PROGNAME=${0##*/}
VERSION="0.1"

error_exit() {
  echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
  exit 1
}

usage() {
  echo -e "usage: $PROGNAME [-h|--help] <username> <email> \"<pubkey>\""
}

[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."

USERLIST=$(</etc/passwd cut -d ":" -f1)
if [[ $USERLIST == $1* ]]; then
    error_exit "User already exists!"
fi

case $1 in
  -h | --help)
    usage; exit ;;
  -* | --*)
    usage; error_exit "unknown option $1" ;;
  *)
    [[ $# -ne 3 ]] && error_exit "not enough args"

# generate a random 20 digit password
# encrypt the password and pass it to
# useradd, set ksh as default shell
    echo "adding new user $1"
    newpw=$(pwgen -1B 20)
    pwcrypt=$(encrypt ${newpw})
    useradd -m -g 1001 -p $pwcrypt -s /bin/ksh -k /etc/skel $1

# make the public_html directory for the users
	mkdir /var/www/users/$1
	chown $1:tilde /var/www/users/$1
    doas -u $1 ln -s /var/www/users/$1 /home/$1/public_html

# make the public_repos directory
    mkdir /var/www/cgit_repos/$1
    chown $1:tilde /var/www/cgit_repos/$1
    doas -u $1 ln -s /var/www/cgit_repos/$1 /home/$1/public_repos

# set up the httpd configuration for
# individual users. this config forces tls
# for all subdomains
    echo "server \"$1.tilde.institute\" {
        listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
    }
    server \"$1.tilde.institute\" {
		listen on \$ext_addr tls port 443
		root \"/users/$1\"
        tls {
            key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
            certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
        }
		directory index index.html
		directory auto index
		location \"/*.cgi\" {
			fastcgi
		}
		location \"/*.php\" {
			fastcgi socket \"/run/php-fpm.sock\"
		}
	}" > /etc/httpd/$1.conf

# add the user's vhost config to the bridged vhost config, which
# is loaded by /etc/httpd.conf. This is necessary because httpd(8)
# does not support globbing on includes
	echo "include \"/etc/httpd/$1.conf\"" >> /etc/httpd-vusers.conf

# Sort and deduplicate entries in the bridged vhost config file
# Duplicate entries cause weird behavior. Subdomains after the
# duplicated entry won't resolve properly and instead resolve
# to the main site
    sort -u /etc/httpd-vusers.conf > /etc/httpd-vusers.conf.sorted
    cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
    pkill -HUP httpd

# send welcome email
        sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2

# subscribe to mailing list
    echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org

# announce the new user's creation on mastodon
# then copy their ssh key to their home directory
    /admin/bin/toot.py "Welcome new user ~$1!"
    </etc/passwd cut -d ":" -f1 > /var/www/htdocs/userlist
    echo "$3" | tee /home/$1/.ssh/authorized_keys
esac