
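#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# Adds a user to the system.
#
# Usage: freedombone-adduser USERNAME [SSH_PUBLIC_KEY]
#
#   USERNAME        login name of the account to create (lowercase letters,
#                   digits, '_' and '-', as accepted by useradd)
#   SSH_PUBLIC_KEY  optional; either the path of a file holding the user's
#                   public key, or the key text itself. It becomes
#                   ~/.ssh/authorized_keys.
#
# Must be run as root after the main freedombone install has finished:
# $HOME/freedombone-completed.txt is consulted to find out which optional
# services (XMPP, blog, SIP) need an account for the new user.
#
# The generated login password is printed at the end and is not stored
# anywhere else. Every failure after useradd has run removes the
# half-created account again so a failed run leaves nothing behind.
#
# Exit codes:
#   1 no/invalid username, or no password could be generated
#   2 user already exists           7 GPG public key not generated
#   3 completion file missing       8 XMPP account not created
#   4 account/home/password setup   9 blog users directory missing
#     failed                       10 SIP user not added
#   5 second parameter is not an ssh key
#   6 Maildir missing
#
# License
# =======
#
# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Unset variables are bugs here: most of them end up inside paths, sed
# patterns or "su -c" command strings.
set -u

MY_USERNAME=${1:-}
SSH_PUBLIC_KEY=${2:-}
GPG_KEYSERVER='hkp://keys.gnupg.net'
SSH_PORT=2222
COMPLETION_FILE=$HOME/freedombone-completed.txt
SIP_EXTENSION=
# Flipped to 1 once useradd has run, so fail() knows whether to roll back.
USER_CREATED=0

#######################################
# Print an error and exit. If the account has already been created the
# account and its home directory are removed first, so that a failed run
# never leaves a partially configured user behind.
# Globals:   USER_CREATED, MY_USERNAME (read)
# Arguments: $1 - exit code, $2 - message (written to stderr)
#######################################
fail() {
  printf '%s\n' "$2" >&2
  if [ "$USER_CREATED" = 1 ]; then
    userdel -r "$MY_USERNAME"
  fi
  exit "$1"
}

if [ -z "$MY_USERNAME" ]; then
  fail 1 'No username was given'
fi
# The name is interpolated into file paths, sed expressions and "su -c"
# command strings below, so reject anything outside the conservative
# portable useradd character set before it is used anywhere.
if ! [[ "$MY_USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
  fail 1 "Invalid username '$MY_USERNAME': use lowercase letters, digits, '_' or '-'"
fi
HOME_DIR=/home/$MY_USERNAME
MAIL_ADDRESS=$MY_USERNAME@$HOSTNAME

if [ -d "$HOME_DIR" ]; then
  fail 2 "The user $MY_USERNAME already exists"
fi
# Nothing has been created at this point, so there is nothing to delete;
# in particular do not run userdel on a name that may belong to an
# existing account without a home directory.
if [ ! -f "$COMPLETION_FILE" ]; then
  fail 3 "$COMPLETION_FILE not found"
fi

# 8 characters of base64 from the OS random source.
NEW_USER_PASSWORD="$(openssl rand -base64 10 | cut -c1-8)"
if [ -z "$NEW_USER_PASSWORD" ]; then
  # An empty value here would otherwise become an empty password field.
  fail 1 'Could not generate a password'
fi

# useradd -p expects an already hashed password (crypt(3) output); giving
# it the plain text stored an unusable hash. Create the account locked and
# set the password through chpasswd on stdin, which also keeps the secret
# out of the process list.
if ! useradd -m -s /bin/bash "$MY_USERNAME"; then
  fail 4 "useradd failed for $MY_USERNAME"
fi
USER_CREATED=1
if ! printf '%s:%s\n' "$MY_USERNAME" "$NEW_USER_PASSWORD" | chpasswd; then
  fail 4 'Could not set the login password'
fi
adduser "$MY_USERNAME" sasl
if [ ! -d "$HOME_DIR" ]; then
  fail 4 'Home directory was not created'
fi

# Optional ssh key: a file path, or the key text itself. The prefixes cover
# the OpenSSH key types (ssh-rsa, ssh-ed25519, ecdsa-sha2-*, sk-*).
if [ "${#SSH_PUBLIC_KEY}" -gt 5 ]; then
  install -d -m 700 -o "$MY_USERNAME" -g "$MY_USERNAME" "$HOME_DIR/.ssh"
  if [ -f "$SSH_PUBLIC_KEY" ]; then
    cp -- "$SSH_PUBLIC_KEY" "$HOME_DIR/.ssh/authorized_keys"
  elif [[ "$SSH_PUBLIC_KEY" == ssh-* || "$SSH_PUBLIC_KEY" == ecdsa-* || "$SSH_PUBLIC_KEY" == sk-* ]]; then
    printf '%s\n' "$SSH_PUBLIC_KEY" > "$HOME_DIR/.ssh/authorized_keys"
  else
    fail 5 'The second parameter does not look like an ssh key'
  fi
  chown -R "$MY_USERNAME:$MY_USERNAME" "$HOME_DIR/.ssh"
  # sshd ignores authorized_keys that are readable by others
  chmod 600 "$HOME_DIR/.ssh/authorized_keys"
  echo 'ssh public key installed'
fi

if [ ! -d "$HOME_DIR/Maildir" ]; then
  fail 6 'Email directory was not created'
fi

# Mutt sender address
MUTTRC=$HOME_DIR/.muttrc
if grep -q "set from=" "$MUTTRC"; then
  sed -i "s|set from=.*|set from='$MY_USERNAME <$MAIL_ADDRESS>'|g" "$MUTTRC"
else
  echo "set from='$MY_USERNAME <$MAIL_ADDRESS>'" >> "$MUTTRC"
fi

# The skeleton .procmailrc carries a literal "$USER@" placeholder
USERN='$USER@'
sed -i "s|$USERN|$MY_USERNAME@|g" "$HOME_DIR/.procmailrc"

# gpg configuration
GNUPG_DIR=$HOME_DIR/.gnupg
GPG_CONF=$GNUPG_DIR/gpg.conf
echo "Making a GPG key for $MAIL_ADDRESS"
mkdir -p "$GNUPG_DIR"
{
  echo "keyserver $GPG_KEYSERVER"
  echo 'keyserver-options auto-key-retrieve'
  echo ''
  echo '# default preferences'
  echo 'personal-digest-preferences SHA256'
  echo 'cert-digest-algo SHA256'
  echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed'
} >> "$GPG_CONF"
chown -R "$MY_USERNAME:$MY_USERNAME" "$GNUPG_DIR"
chmod 700 "$GNUPG_DIR"
chmod 600 "$GNUPG_DIR"/*

# Unattended key generation, run as the user. No Passphrase line is given:
# the README written below tells the user to set one with "gpg --edit-key".
GENKEY_CONF=$HOME_DIR/gpg-genkey.conf
{
  echo 'Key-Type: 1'
  echo 'Key-Length: 4096'
  echo 'Subkey-Type: 1'
  echo 'Subkey-Length: 4096'
  echo "Name-Real: $MY_USERNAME"
  echo "Name-Email: $MAIL_ADDRESS"
  echo 'Expire-Date: 0'
} > "$GENKEY_CONF"
chown "$MY_USERNAME:$MY_USERNAME" "$GENKEY_CONF"
chmod 600 "$GENKEY_CONF"
su -c "gpg --batch --gen-key $GENKEY_CONF" - "$MY_USERNAME"
shred -zu "$GENKEY_CONF"

# Machine-readable listing: field 5 of the "pub" record is the 16 hex digit
# long key id, which is the same across gpg 1.4 and 2.x (the old
# "pub 4096R/XXXXXXXX" text parsing yielded only the 8 digit short id,
# which is cheap to collide).
MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys --with-colons $MAIL_ADDRESS" - "$MY_USERNAME" \
  | awk -F: '$1 == "pub" { print $5; exit }')
MY_GPG_PUBLIC_KEY=$HOME_DIR/public_key.gpg
# With an empty id "gpg --export" would dump the whole keyring instead of
# failing, so only export when a key was actually found.
if [ -n "$MY_GPG_PUBLIC_KEY_ID" ]; then
  su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - "$MY_USERNAME"
fi
if [ ! -f "$MY_GPG_PUBLIC_KEY" ]; then
  fail 7 "GPG public key was not generated for $MAIL_ADDRESS $MY_GPG_PUBLIC_KEY_ID"
fi

# encrypt outgoing mail to the "sent" folder
ENCRYPT_ONLY_CMD="set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\""
if ! grep -q "pgp_encrypt_only_command" "$MUTTRC"; then
  echo '' >> "$MUTTRC"
  echo '# Encrypt items in the Sent folder' >> "$MUTTRC"
  echo "$ENCRYPT_ONLY_CMD" >> "$MUTTRC"
else
  sed -i "s|set pgp_encrypt_only_command.*|$ENCRYPT_ONLY_CMD|g" "$MUTTRC"
fi
ENCRYPT_SIGN_CMD="set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\""
if ! grep -q "pgp_encrypt_sign_command" "$MUTTRC"; then
  echo "$ENCRYPT_SIGN_CMD" >> "$MUTTRC"
else
  sed -i "s|set pgp_encrypt_sign_command.*|$ENCRYPT_SIGN_CMD|g" "$MUTTRC"
fi

# User-facing notes in the home directory
README=$HOME_DIR/README
if ! grep -q "Change your GPG password" "$README"; then
  {
    echo ''
    echo ''
    echo 'Change your GPG password'
    echo '========================'
    echo "It's very important to add a password to your GPG key so that"
    echo "if anyone does get access to your email they still won't be able"
    echo 'to read them without knowing the GPG password.'
    echo 'You can change it with:'
    echo ''
    echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID"
    echo ' passwd'
    echo ' save'
    echo ' quit'
  } >> "$README"
fi
if ! grep -q "Publish your GPG public key" "$README"; then
  {
    echo ''
    echo ''
    echo 'Publish your GPG public key'
    echo '==========================='
    echo 'So that others can send emails to you securely you should'
    echo 'publish your GPG public key with the command:'
    echo ''
    echo " gpg --send-keys $MY_GPG_PUBLIC_KEY_ID"
  } >> "$README"
fi
chown "$MY_USERNAME:$MY_USERNAME" "$README"
chown "$MY_USERNAME:$MY_USERNAME" "$MY_GPG_PUBLIC_KEY"
chmod 600 "$README"

# Optional services, enabled according to the completion file.
# NOTE(review): freedombone-addxmpp and freedombone-addsipuser take the
# password on their command line; that is their interface, not ours.
if grep -q "install_xmpp" "$COMPLETION_FILE"; then
  echo "Adding an XMPP account for $MY_USERNAME"
  if ! freedombone-addxmpp -e "$MAIL_ADDRESS" -p "$NEW_USER_PASSWORD"; then
    fail 8 'XMPP account not created'
  fi
fi

if grep -q "Blog domain" "$COMPLETION_FILE"; then
  # First "Blog domain:<name>" entry, surrounding whitespace stripped
  FULLBLOG_DOMAIN_NAME=$(awk -F ':' '/Blog domain/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$COMPLETION_FILE")
  BLOG_USERS_DIR=/var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users
  if [ ! -d "$BLOG_USERS_DIR" ]; then
    fail 9 'Blog users directory not found'
  fi
  # NOTE(review): the blog's user file format stores the password in clear
  # text ("encryption = clear") under the web root; confirm whether the
  # installed blog accepts a hashed form and what ownership it expects.
  {
    echo ';Password'
    echo "password = '$NEW_USER_PASSWORD'"
    echo 'encryption = clear'
    echo ';Role'
    echo 'role = admin'
  } > "$BLOG_USERS_DIR/$MY_USERNAME.ini"
  echo "$MY_USERNAME added as a blog user"
fi

if grep -q "install_sip" "$COMPLETION_FILE"; then
  SIP_EXTENSION=$(freedombone-sipfreeext)
  if [ -z "$SIP_EXTENSION" ]; then
    fail 10 'No free SIP extension was found'
  fi
  if ! freedombone-addsipuser -u "$MY_USERNAME" -e "$SIP_EXTENSION" -p "$NEW_USER_PASSWORD"; then
    fail 10 'SIP user could not be added. Ensure that extension numbers are in order and do not exceed 299'
  fi
fi

clear
echo "New user $MY_USERNAME was created"
if [ -n "$SIP_EXTENSION" ]; then
  echo "Their SIP phone extension is $SIP_EXTENSION"
fi
echo "Their login password is $NEW_USER_PASSWORD"
echo ''
echo 'IMPORTANT: Make a note of the password, because it will not be saved'
echo 'anywhere else. Preferably give it to them in person on paper or via'
echo 'a secure channel, not in an unencrypted email.'
echo ''
echo "They can download their GPG keys with:"
echo ''
echo " scp -P $SSH_PORT -r $MAIL_ADDRESS:$HOME_DIR/.gnupg ~/"
echo ''
echo 'They should also run freedombone-client on their system to ensure'
echo 'the best security.'
exit 0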