108 lines
3.5 KiB
Bash
Executable File
108 lines
3.5 KiB
Bash
Executable File
#!/usr/local/bin/bash
|
|
# ---------------------------------------------------------------------------
|
|
# makeuser - tilde.institute new user creation
|
|
# Usage: makeuser [-h|--help] <username> <email> "<pubkey>"
|
|
# <gbmor> ben@gbmor.dev
|
|
# ---------------------------------------------------------------------------
|
|
|
|
PROGNAME=${0##*/}
|
|
VERSION="0.1"
|
|
|
|
error_exit() {
|
|
echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
|
|
exit 1
|
|
}
|
|
|
|
usage() {
|
|
echo -e "usage: $PROGNAME [-h|--help] <username> <email> \"<pubkey>\""
|
|
}
|
|
|
|
[[ $(id -u) != 0 ]] && error_exit "you must be the superuser to run this script."
|
|
|
|
USERLIST=$(</etc/passwd cut -d ":" -f1)
|
|
if [[ $USERLIST == $1* ]]; then
|
|
error_exit "User already exists!"
|
|
fi
|
|
|
|
case $1 in
|
|
-h | --help)
|
|
usage; exit ;;
|
|
-* | --*)
|
|
usage; error_exit "unknown option $1" ;;
|
|
*)
|
|
[[ $# -ne 3 ]] && error_exit "not enough args"
|
|
|
|
# generate a random 20 digit password
|
|
# encrypt the password and pass it to
|
|
# useradd, set ksh as default shell
|
|
echo "adding new user $1"
|
|
newpw=$(pwgen -1B 20)
|
|
pwcrypt=$(encrypt ${newpw})
|
|
useradd -m -g 1001 -p $pwcrypt -s /bin/ksh -k /etc/skel $1
|
|
|
|
# make the public_html directory for the users
|
|
mkdir /var/www/users/$1
|
|
chown $1:tilde /var/www/users/$1
|
|
doas -u $1 ln -s /var/www/users/$1 /home/$1/public_html
|
|
|
|
# make the public_repos directory
|
|
mkdir /var/www/cgit_repos/$1
|
|
chown $1:tilde /var/www/cgit_repos/$1
|
|
doas -u $1 ln -s /var/www/cgit_repos/$1 /home/$1/public_repos
|
|
|
|
# set up the httpd configuration for
|
|
# individual users. this config forces tls
|
|
# for all subdomains
|
|
echo "server \"$1.tilde.institute\" {
|
|
listen on \$ext_addr port 80 block return 301 \"https://\$SERVER_NAME\$REQUEST_URI\"
|
|
}
|
|
server \"$1.tilde.institute\" {
|
|
listen on \$ext_addr tls port 443
|
|
root \"/users/$1\"
|
|
tls {
|
|
key \"/etc/letsencrypt/live/tilde.institute-0001/privkey.pem\"
|
|
certificate \"/etc/letsencrypt/live/tilde.institute-0001/fullchain.pem\"
|
|
}
|
|
directory index index.html
|
|
directory auto index
|
|
location \"/*.cgi\" {
|
|
fastcgi
|
|
}
|
|
location \"/*.php\" {
|
|
fastcgi socket \"/run/php-fpm.sock\"
|
|
}
|
|
}" > /etc/httpd/$1.conf
|
|
|
|
# add the user's vhost config to the bridged vhost config, which
|
|
# is loaded by /etc/httpd.conf. This is necessary because httpd(8)
|
|
# does not support globbing on includes
|
|
echo "include \"/etc/httpd/$1.conf\"" >> /etc/httpd-vusers.conf
|
|
|
|
# Sort and deduplicate entries in the bridged vhost config file
|
|
# Duplicate entries cause weird behavior. Subdomains after the
|
|
# duplicated entry won't resolve properly and instead resolve
|
|
# to the main site
|
|
sort -u /etc/httpd-vusers.conf > /etc/httpd-vusers.conf.sorted
|
|
cp /etc/httpd-vusers.conf.sorted /etc/httpd-vusers.conf
|
|
#pkill -HUP httpd
|
|
rcctl restart httpd
|
|
|
|
# send welcome email
|
|
sed -e "s/newusername/$1/g" /admin/misc/email.tmpl | mail -r admins@tilde.institute -s "welcome to tilde.institute!" $2
|
|
|
|
# subscribe to mailing list
|
|
#echo " " | doas -u $1 mail -s "subscribe" institute-join@lists.tildeverse.org
|
|
|
|
# lock down the users' history files so they can't be deleted or truncated (bash and ksh only)
|
|
doas -u "$1" touch /home/$1/.history
|
|
doas -u "$1" touch /home/$1/.bash_history
|
|
chflags uappnd /home/$1/.history
|
|
chflags uappnd /home/$1/.bash_history
|
|
|
|
# announce the new user's creation on mastodon
|
|
# then copy their ssh key to their home directory
|
|
/admin/bin/toot.py "Welcome new user ~$1!"
|
|
</etc/passwd cut -d ":" -f1 > /var/www/htdocs/userlist
|
|
echo "$3" | tee /home/$1/.ssh/authorized_keys
|
|
esac
|