system: Add script to fix users and permissions for a site.

[matthijs/servers/drsnuggles.git] / usr / local / bin / addsite

#!/bin/sh

if [ "$1" = "-h" -o "$1" = "--help" -o $# -ne 1 ]; then
        echo "Usage $0 <dirname>"
        echo "<dirname> is the full path to the site, such as /var/www/example.nl"
        echo "which is created if it does not exist yet. If it exists, it's"
        echo "permissions are reset".
        exit 0
fi

HTTPD_USER=www-data
# The primary group of the created user
HTTPD_USERS_GID=1002
# The template to copy
TEMPLATE_DIR=/data/www/template
# The bases to create users under
USERBASE=ou=Users,dc=drsnuggles,dc=stderr,dc=nl
GROUPBASE=ou=Groups,dc=drsnuggles,dc=stderr,dc=nl
# PHP config to change the error_log setting in
PHP_CONFIG=conf/php.ini.override
# PHP error logfile to set error_log to
PHP_ERRORLOG=logs/php.log

DIR=$1

if [ -e "$DIR" -a ! -d "$DIR" ]; then
        echo "$DIR" must be a directory, or not exist yet.
        exit 1;
fi

# Strip prefix
SITE=`basename $DIR`

# replace . with -
GROUP=`echo $SITE | sed s/\\\\./-/g`
SCRIPT_USER="httpd-$GROUP"

if getent passwd | grep $SCRIPT_USER &> /dev/null && getent group | grep $GROUP &> /dev/null; then
        echo "$SCRIPT_USER and/or $GROUP already exists, skipping account creation"
else
        # find a uid
        ID=2000
        while getent passwd | cut -f 3 -d: | grep "^$ID\$" &>/dev/null && getent group | cut -f 3 -d: | grep "^$ID\$" &> /dev/null; do
                ((ID++))
        done;

        echo Found uid/gid $ID for $SCRIPT_USER/$GROUP

        # Create a user for scripts to run as, and a group to give write permissions to
        # files.
        ldapvi --profile bind --add --in --ldapvi <<EOF || exit
add cn=$GROUP,$GROUPBASE
cn: $GROUP
gidNumber: $ID
objectClass: posixGroup
objectClass: top

add cn=$SITE,$USERBASE
cn: $SITE
uidNumber: $ID
gidNumber: $HTTPD_USERS_GID
homeDirectory: $DIR
objectClass: posixAccount
objectClass: account
objectClass: top
uid: $SCRIPT_USER
EOF
fi

if getent passwd | grep $SCRIPT_USER &> /dev/null && getent group | grep $GROUP &> /dev/null; then
        echo "$SCRIPT_USER and $GROUP created succesfully"
else
        echo "User or group creation failed"
        exit 1
fi

if [ -e "$DIR" ]; then
        echo "Skipping creation of $DIR, it already exists";
else
        # Create $DIR from $TEMPLATE_DIR, if it does not exist yet
        echo "Creating $DIR from $TEMPLATE_DIR"
        cp -R "$TEMPLATE_DIR" "$DIR"
fi

echo "Setting up permissions"
# Set up permissions
sudo chown -R 0:$GROUP "$DIR"

# By default, let the owner have write access, the group have read access
sudo setfacl -R --set d:u::rwX,d:g::rX,d:o::-,u::rwX,g::rX,o::- "$DIR"

# Give the group write access to htdocs and conf
sudo setfacl -R -m g::rwX "$DIR/htdocs" "$DIR/conf"

# Give lighttpd read access to the dir itself
sudo setfacl -R -m u:$HTTPD_USER:rx "$DIR"

# Allow lighttpd to read anything in htdocs
sudo setfacl -m d:u:$HTTPD_USER:rX,u:$HTTPD_USER:rX "$DIR/htdocs"

# Allow lighttpd to write new files in logs (but not touch existing!)
sudo setfacl -m u:$HTTPD_USER:rwX "$DIR/logs"

# Allow scripts to read anything in applications, htdocs and conf
sudo setfacl -R -m d:u:$SCRIPT_USER:rX,u:$SCRIPT_USER:rX "$DIR/applications" "$DIR/htdocs" "$DIR/conf"

# Allow scripts to create new files in logs and data (but not touch existing!)
sudo setfacl -R -m d:u:$SCRIPT_USER:rwX,u:$SCRIPT_USER:rwX "$DIR/logs" "$DIR/data"

# Temp, chown existing log files
sudo sh -c "chown -R $SCRIPT_USER \"$DIR\"/logs/php.log* \"$DIR\"/logs/wipi.log*"
sudo sh -c "chown -R $HTTPD_USER \"$DIR\"/logs/access.log*"

# Now, set the error_log setting in php.ini

echo Updating `basename $PHP_CONFIG`

sudo sed -i "s#^error_log *=.*#error_log = $DIR/$PHP_ERRORLOG#" "$DIR/$PHP_CONFIG"


# Done!
echo "Done!"
echo "Now add human users to $GROUP."
echo "Also add this site to /usr/local/sbin/spawn-fcgi.sh and enable"
echo "fcgi in lighttpd if dynamic content is required."