#!/bin/sh
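# Roster of accounts to create, one "<name> <email> <ssh public key>" per
# line (see add_user below).  Required, and checked for readability up
# front so the script fails before touching the system instead of at the
# redirection of the read loop at the bottom.
new_users_file="$1"
if [ -z "${new_users_file}" ]; then
  # Diagnostics go to stderr so they are not mistaken for the user list
  # this script prints on stdout.
  printf 'Please specify a new users file: ./%s new_users.txt\n' "$0" >&2
  exit 1
fi
if [ ! -r "${new_users_file}" ]; then
  printf 'Cannot read new users file %s\n' "${new_users_file}" >&2
  exit 1
fi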
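#######################################
# Create one tilde.institute account and everything that hangs off it:
# the Unix user, public_html and public_repos directories, a per-user
# httpd(8) server block, the welcome mail, append-only history files,
# the mastodon announcement, the public user list and the ssh key.
# Globals:   user_name, user_email, user_pubkey, new_pw, pw_crypt, rv,
#            ssh_dir (all written; POSIX sh has no `local`).  new_pw and
#            pw_crypt are unset as soon as useradd(8) has consumed them.
# Arguments: $1   - user name; also the subdomain and a path component
#            $2   - e-mail address that receives the welcome mail
#            $3.. - the user's ssh public key.  The caller passes the
#                   roster line unquoted, so "ssh-ed25519 AAAA... comment"
#                   arrives as several words; they are re-joined here.
# Outputs:   progress on stdout; tee echoes the installed key to stdout
# Returns:   0 on success; 1 on a malformed argument list, an unsafe user
#            name, or a useradd(8) failure (nothing else is touched then)
#######################################
add_user() {
  if [ "$#" -lt 3 ]; then
    printf 'add_user: expected <name> <email> <ssh public key>, got %d field(s)\n' "$#" >&2
    return 1
  fi
  user_name="$1"
  user_email="$2"
  shift 2
  # "$*" joins the remaining words with a single space (default IFS), so the
  # whole key line survives instead of only the key type that was in $3.
  user_pubkey="$*"

  # The name is spliced into file system paths, an httpd(8) server block
  # and a sed(1) replacement below.  Refuse anything outside [A-Za-z0-9_-]
  # or starting with '-' before the system is touched; the caller treats a
  # non-zero return as "skip this line".
  case "${user_name}" in
    '' | -* | *[!A-Za-z0-9_-]*)
      printf 'add_user: refusing unsafe user name %s\n' "${user_name}" >&2
      return 1
      ;;
  esac

  printf 'Adding new user %s\n' "${user_name}"
  # Random 20-character password so the account is created unlocked; this
  # script never hands it to anybody, logins are expected over the ssh key.
  new_pw="$(pwgen -1B 20)"
  # Hand the plaintext to encrypt(1) on stdin (it reads there when no
  # string argument is given) instead of argv, where ps(1) would show it to
  # every user on the host.  The hash still travels on useradd's argv; that
  # is unavoidable with -p.
  pw_crypt="$(printf '%s\n' "${new_pw}" | encrypt)"
  # NOTE(review): -g 1001 here and ":tilde" in the chowns below are assumed
  # to be the same group -- confirm against /etc/group.
  useradd -m -g 1001 -p "${pw_crypt}" -s /bin/ksh -k /etc/skel "${user_name}"
  rv=$?
  unset new_pw pw_crypt
  if [ "${rv}" -ne 0 ]; then
    # Without the account the chowns/doas calls below would all fail or,
    # worse, act on an unrelated pre-existing user; bail out here.
    printf 'add_user: useradd failed for %s (status %d), skipping\n' "${user_name}" "${rv}" >&2
    return 1
  fi

  # public_html: a directory under the vhost docroot, symlinked into $HOME.
  mkdir "/var/www/users/${user_name}"
  chown "${user_name}:tilde" "/var/www/users/${user_name}"
  doas -u "${user_name}" ln -s "/var/www/users/${user_name}" "/home/${user_name}/public_html"
  # public_repos: same layout for the user's git repositories.
  mkdir "/var/www/cgit_repos/${user_name}"
  chown "${user_name}:tilde" "/var/www/cgit_repos/${user_name}"
  doas -u "${user_name}" ln -s "/var/www/cgit_repos/${user_name}" "/home/${user_name}/public_repos"

  # Per-user httpd(8) configuration: plain http on port 80 is redirected to
  # https, the tls server serves /users/<name> from the chrooted docroot.
  # The \$-escaped names are httpd(8) macros/variables, not shell variables.
  # The heredoc is left unindented on purpose so the generated file is
  # byte-for-byte what the previous echo produced.
  cat >"/etc/httpd/${user_name}.conf" <<EOF
server "${user_name}.tilde.institute" {
listen on \$ext_addr port 80 block return 301 "https://\$SERVER_NAME\$REQUEST_URI"
}
server "${user_name}.tilde.institute" {
listen on \$ext_addr tls port 443
root "/users/${user_name}"
tls {
key "/etc/letsencrypt/live/tilde.institute-0001/privkey.pem"
certificate "/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem"
}
directory index index.html
directory auto index
location "/*.cgi" {
fastcgi
}
location "/*.php" {
fastcgi socket "/run/php-fpm.sock"
}
}
EOF
  # httpd(8) does not support globbing on includes, so every per-user file
  # is listed in one include file to keep the main config cleaner.
  printf 'include "/etc/httpd/%s.conf"\n' "${user_name}" >>/etc/httpd-vusers.conf
  # Sort and deduplicate entries in the bridged vhost config file.
  # Duplicate entries cause weird behavior: subdomains after the duplicated
  # entry won't resolve properly and instead resolve to the main site.
  sort -u /etc/httpd-vusers.conf >/etc/httpd-vusers.conf.sorted
  cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf

  # Welcome mail from the template.  The name passed the [A-Za-z0-9_-]
  # check above, so it cannot contain '/', '&' or '\' and is safe inside
  # the sed replacement.
  sed -e "s/newusername/${user_name}/g" /admin/misc/email.tmpl \
    | mail -r admins@tilde.institute -s "welcome to tilde.institute!" "${user_email}"
  # subscribe to mailing list
  #echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org

  # Make the shell history files append-only so they cannot be deleted or
  # truncated (bash and ksh only).
  # NOTE(review): uappnd is a *user* flag, which the file's owner can clear
  # again with chflags(1); sappnd would resist that but can only be cleared
  # by root at securelevel 0 -- confirm which policy is intended.
  doas -u "${user_name}" touch "/home/${user_name}/.history"
  doas -u "${user_name}" touch "/home/${user_name}/.bash_history"
  chflags uappnd "/home/${user_name}/.history" "/home/${user_name}/.bash_history"

  # Announce the new user on mastodon and refresh the public user list.
  /admin/bin/toot.py "Welcome new user ~${user_name}!"
  # NOTE(review): this publishes every account name in /etc/passwd,
  # system accounts included, at /userlist -- confirm that is intended.
  cut </etc/passwd -d ":" -f1 >/var/www/htdocs/userlist

  # Install the ssh key.  ~/.ssh may not come from /etc/skel, so create it
  # with the mode sshd(8) expects; printf (not echo) so a key starting
  # with '-' is never read as options; and hand the directory to the user
  # afterwards so they can manage their own keys (tee runs as root and
  # would otherwise leave a root-owned file).  tee still echoes the
  # installed key to stdout.
  ssh_dir="/home/${user_name}/.ssh"
  mkdir -p "${ssh_dir}"
  chmod 700 "${ssh_dir}"
  printf '%s\n' "${user_pubkey}" | tee "${ssh_dir}/authorized_keys"
  chown -R "${user_name}:tilde" "${ssh_dir}"
}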
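# Addresses of the accounts that were actually created, one per line,
# printed at the end so an admin can subscribe them to the mailing list by
# hand (the automatic subscribe in add_user is commented out).  A real
# newline is used because printf's %s does not interpret a literal "\n".
nl='
'
mailing_list_users=""
# One account per roster line: <name> <email> <ssh public key>, separated
# by whitespace.  `|| [ -n "$line" ]` keeps a last line that has no
# trailing newline; IFS="" applies to read only, so the default IFS is in
# effect for the field splitting below.
while IFS="" read -r line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  # Split the line into fields the same way add_user receives them,
  # instead of `cut -d -f1`, where "-f1" was consumed as the -d delimiter
  # argument and no field selection was left.  The script's own $1 was
  # saved in new_users_file above, so reusing the positional parameters
  # here is safe.
  # shellcheck disable=SC2086
  set -- $line
  # A whitespace-only line splits into nothing.
  [ "$#" -eq 0 ] && continue
  this_user_name="$1"
  # add_user returns non-zero for a rejected or failed account; such a
  # user must not end up on the mailing-list summary.
  add_user "$@" || continue
  mailing_list_users="${this_user_name}@tilde.institute${nl}${mailing_list_users}"
done <"${new_users_file}"
printf '\nRestarting httpd(8)\n'
# Pick up the new per-user server blocks included via /etc/httpd-vusers.conf.
rcctl restart httpd
printf 'Users to add to mailing list:\n\n%s\n' "${mailing_list_users}"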