freedombone/src/freedombone-adduser

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#

# Adds an user to the system

# License
# =======
#
# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

MY_USERNAME=$1
SSH_PUBLIC_KEY="$2"
GPG_KEYSERVER='hkp://keys.gnupg.net'
SSH_PORT=2222
COMPLETION_FILE=$HOME/freedombone-completed.txt

if [ ! $MY_USERNAME ]; then
    echo 'No username was given'
    exit 1
fi

if [ -d /home/$MY_USERNAME ]; then
    echo "The user $MY_USERNAME already exists"
    exit 2
fi

if [ ! -f $COMPLETION_FILE ]; then
    echo "$COMPLETION_FILE not found"
    userdel -r $MY_USERNAME
    exit 3
fi

NEW_USER_PASSWORD="$(openssl rand -base64 10 | cut -c1-8)"
useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $MY_USERNAME
adduser $MY_USERNAME sasl

if [ ! -d /home/$MY_USERNAME ]; then
    echo 'Home directory was not created'
    exit 4
fi

if [ "$SSH_PUBLIC_KEY" ]; then
    if [ ${#SSH_PUBLIC_KEY} -gt 5 ]; then
        if [ -f "$SSH_PUBLIC_KEY" ]; then
            mkdir /home/$MY_USERNAME/.ssh
            cp $SSH_PUBLIC_KEY /home/$MY_USERNAME/.ssh/authorized_keys
            chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
            echo 'ssh public key installed'
        else
            if [[ "$SSH_PUBLIC_KEY" == "ssh-"* ]]; then
                mkdir /home/$MY_USERNAME/.ssh
                echo "$SSH_PUBLIC_KEY" > /home/$MY_USERNAME/.ssh/authorized_keys
                chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
                echo 'ssh public key installed'
            else
                echo 'The second parameter does not look like an ssh key'
                exit 5
            fi
        fi
    fi
fi

if [ ! -d /home/$MY_USERNAME/Maildir ]; then
    echo 'Email directory was not created'
    userdel -r $MY_USERNAME
    exit 6
fi

if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then
    sed -i "s|set from=.*|set from='$MY_USERNAME <$MY_USERNAME@$HOSTNAME>'|g" /home/$MY_USERNAME/.muttrc
else
    echo "set from='$MY_USERNAME <$MY_USERNAME@$HOSTNAME>'" >> /home/$MY_USERNAME/.muttrc
fi

USERN='$USER@'
sed -i "s|$USERN|$MY_USERNAME@|g" /home/$MY_USERNAME/.procmailrc

# generate a gpg key
echo "Making a GPG key for $MY_USERNAME@$HOSTNAME"
mkdir /home/$MY_USERNAME/.gnupg
echo "keyserver $GPG_KEYSERVER" >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'keyserver-options auto-key-retrieve' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo '' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo '# default preferences' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'personal-digest-preferences SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'cert-digest-algo SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$MY_USERNAME/.gnupg/gpg.conf

chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
chmod 700 /home/$MY_USERNAME/.gnupg
chmod 600 /home/$MY_USERNAME/.gnupg/*

# Generate a GPG key
echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Real:  $MY_USERNAME" >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Email: $MY_USERNAME@$HOSTNAME" >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
shred -zu /home/$MY_USERNAME/gpg-genkey.conf
MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$HOSTNAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
MY_GPG_PUBLIC_KEY=/home/$MY_USERNAME/public_key.gpg
su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME

if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
    echo "GPG public key was not generated for $MY_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID"
    userdel -r $MY_USERNAME
    exit 7
fi

# encrypt outgoing mail to the "sent" folder
if ! grep -q "pgp_encrypt_only_command" /home/$MY_USERNAME/.muttrc; then
    echo '' >> /home/$MY_USERNAME/.muttrc
    echo '# Encrypt items in the Sent folder' >> /home/$MY_USERNAME/.muttrc
    echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc
else
    sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc
fi

if ! grep -q "pgp_encrypt_sign_command" /home/$MY_USERNAME/.muttrc; then
    echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc
else
    sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc
fi

if ! grep -q "Change your GPG password" /home/$MY_USERNAME/README; then
    echo '' >> /home/$MY_USERNAME/README
    echo '' >> /home/$MY_USERNAME/README
    echo 'Change your GPG password' >> /home/$MY_USERNAME/README
    echo '========================' >> /home/$MY_USERNAME/README
    echo "It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README
    echo "if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README
    echo 'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README
    echo 'You can change the it with:' >> /home/$MY_USERNAME/README
    echo '' >> /home/$MY_USERNAME/README
    echo "  gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
    echo '  passwd' >> /home/$MY_USERNAME/README
    echo '  save' >> /home/$MY_USERNAME/README
    echo '  quit' >> /home/$MY_USERNAME/README
fi

if ! grep -q "Publish your GPG public key" /home/$MY_USERNAME/README; then
    echo '' >> /home/$MY_USERNAME/README
    echo '' >> /home/$MY_USERNAME/README
    echo 'Publish your GPG public key' >> /home/$MY_USERNAME/README
    echo '===========================' >> /home/$MY_USERNAME/README
    echo 'So that others can send emails to you securely you should' >> /home/$MY_USERNAME/README
    echo 'publish your GPG public key with the command:' >> /home/$MY_USERNAME/README
    echo '' >> /home/$MY_USERNAME/README
    echo "  gpg --send-keys $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
fi

chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME $MY_GPG_PUBLIC_KEY
chmod 600 /home/$MY_USERNAME/README

echo "Adding an XMPP account for $MY_USERNAME"
freedombone-addxmpp -e "$MY_USERNAME@$HOSTNAME" -p "$NEW_USER_PASSWORD"
if [ ! "$?" = "0" ]; then
    echo "XMPP account not created"
    userdel -r $MY_USERNAME
    exit 8
fi

if grep -q "Blog domain" $COMPLETION_FILE; then
    FULLBLOG_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Blog domain" | awk -F ':' '{print $2}')
    if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users ]; then
        echo 'Blog users directory not found'
        userdel -r $MY_USERNAME
        exit 9
    fi
    echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
    echo "password = '$NEW_USER_PASSWORD'" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
    echo 'encryption = clear' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
    echo ';Role' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
    echo 'role = admin' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
    echo "$MY_USERNAME added as a blog user"
fi

clear
echo "New user $MY_USERNAME was created"
echo "Their login password is $NEW_USER_PASSWORD"
echo ''
echo 'IMPORTANT: Make a note of the password, because it will not be saved'
echo 'anywhere else. Preferably give it to them in person on paper or via'
echo 'a secure channel, not in an unencrypted email.'
echo ''
echo "They can download their GPG keys with:"
echo ''
echo "    scp -P $SSH_PORT -r $MY_USERNAME@$HOSTNAME:/home/$MY_USERNAME/.gnupg ~/"
echo ''
echo 'They should also run freedombone-client on their system to ensure'
echo 'the best security.'

exit 0