--- /dev/null
+#!/bin/sh
+
+if [ "$1" = "-h" -o "$1" = "--help" -o $# -ne 1 ]; then
+ echo "Usage $0 <dirname>"
+ echo "<dirname> is the full path to the site, such as /var/www/example.nl"
+ echo "which is created if it does not exist yet. If it exists, it's"
+ echo "permissions are reset".
+ exit 0
+fi
+
+HTTPD_USER=www-data
+# The primary group of the created user
+HTTPD_USERS_GID=1002
+# The template to copy
+TEMPLATE_DIR=/data/www/template
+# The bases to create users under
+USERBASE=ou=Users,dc=drsnuggles,dc=stderr,dc=nl
+GROUPBASE=ou=Groups,dc=drsnuggles,dc=stderr,dc=nl
+# PHP config to change the error_log setting in
+PHP_CONFIG=conf/php.ini.override
+# PHP error logfile to set error_log to
+PHP_ERRORLOG=logs/php.log
+
+DIR=$1
+
+if [ -e "$DIR" -a ! -d "$DIR" ]; then
+ echo "$DIR" must be a directory, or not exist yet.
+ exit 1;
+fi
+
+# Strip prefix
+SITE=`basename $DIR`
+
+# replace . with -
+GROUP=`echo $SITE | sed s/\\\\./-/g`
+SCRIPT_USER="httpd-$GROUP"
+
+if getent passwd | grep $SCRIPT_USER &> /dev/null && getent group | grep $GROUP &> /dev/null; then
+ echo "$SCRIPT_USER and/or $GROUP already exists, skipping account creation"
+else
+ # find a uid
+ ID=2000
+ while getent passwd | cut -f 3 -d: | grep "^$ID\$" &>/dev/null && getent group | cut -f 3 -d: | grep "^$ID\$" &> /dev/null; do
+ ((ID++))
+ done;
+
+ echo Found uid/gid $ID for $SCRIPT_USER/$GROUP
+
+ # Create a user for scripts to run as, and a group to give write permissions to
+ # files.
+ ldapvi --profile bind --add --in --ldapvi <<EOF || exit
+add cn=$GROUP,$GROUPBASE
+cn: $GROUP
+gidNumber: $ID
+objectClass: posixGroup
+objectClass: top
+
+add cn=$SITE,$USERBASE
+cn: $SITE
+uidNumber: $ID
+gidNumber: $HTTPD_USERS_GID
+homeDirectory: $DIR
+objectClass: posixAccount
+objectClass: account
+objectClass: top
+uid: $SCRIPT_USER
+EOF
+fi
+
+if getent passwd | grep $SCRIPT_USER &> /dev/null && getent group | grep $GROUP &> /dev/null; then
+ echo "$SCRIPT_USER and $GROUP created succesfully"
+else
+ echo "User or group creation failed"
+ exit 1
+fi
+
+if [ -e "$DIR" ]; then
+ echo "Skipping creation of $DIR, it already exists";
+else
+ # Create $DIR from $TEMPLATE_DIR, if it does not exist yet
+ echo "Creating $DIR from $TEMPLATE_DIR"
+ cp -R "$TEMPLATE_DIR" "$DIR"
+fi
+
+echo "Setting up permissions"
+# Set up permissions
+sudo chown -R 0:$GROUP "$DIR"
+
+# By default, let the owner have write access, the group have read access
+sudo setfacl -R --set d:u::rwX,d:g::rX,d:o::-,u::rwX,g::rX,o::- "$DIR"
+
+# Give the group write access to htdocs and conf
+sudo setfacl -R -m g::rwX "$DIR/htdocs" "$DIR/conf"
+
+# Give lighttpd read access to the dir itself
+sudo setfacl -R -m u:$HTTPD_USER:rx "$DIR"
+
+# Allow lighttpd to read anything in htdocs
+sudo setfacl -m d:u:$HTTPD_USER:rX,u:$HTTPD_USER:rX "$DIR/htdocs"
+
+# Allow lighttpd to write new files in logs (but not touch existing!)
+sudo setfacl -m u:$HTTPD_USER:rwX "$DIR/logs"
+
+# Allow scripts to read anything in applications, htdocs and conf
+sudo setfacl -R -m d:u:$SCRIPT_USER:rX,u:$SCRIPT_USER:rX "$DIR/applications" "$DIR/htdocs" "$DIR/conf"
+
+# Allow scripts to create new files in logs and data (but not touch existing!)
+sudo setfacl -R -m d:u:$SCRIPT_USER:rwX,u:$SCRIPT_USER:rwX "$DIR/logs" "$DIR/data"
+
+# Temp, chown existing log files
+sudo sh -c "chown -R $SCRIPT_USER \"$DIR\"/logs/php.log* \"$DIR\"/logs/wipi.log*"
+sudo sh -c "chown -R $HTTPD_USER \"$DIR\"/logs/access.log*"
+
+# Now, set the error_log setting in php.ini
+
+echo Updating `basename $PHP_CONFIG`
+
+sudo sed -i "s#^error_log *=.*#error_log = $DIR/$PHP_ERRORLOG#" "$DIR/$PHP_CONFIG"
+
+
+# Done!
+echo "Done!"
+echo "Now add human users to $GROUP."
+echo "Also add this site to /usr/local/sbin/spawn-fcgi.sh and enable"
+echo "fcgi in lighttpd if dynamic content is required."
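Review bot: The uid search loop at `while getent passwd | cut -f 3 -d: | grep "^$ID\$" &>/dev/null && getent group | ...` only advances while the candidate ID is taken in both passwd and group, so an ID already used as a uid (but free as a gid, or vice versa) is accepted and the new `httpd-*` account is created in LDAP with an existing user's uidNumber, making the two the same identity to the kernel. The conditions should be joined with `||`, and the lookups can be done by key instead of grepping the whole database: `while getent passwd "$ID" >/dev/null 2>&1 || getent group "$ID" >/dev/null 2>&1; do ID=$((ID + 1)); done`. Note also that `&>` and `((ID++))` are bash-only while the shebang is `#!/bin/sh`; if `/bin/sh` is dash, `cmd &> /dev/null` parses as `cmd &` followed by an empty redirection, which backgrounds the check and makes the `if getent passwd | grep $SCRIPT_USER ...` conditions always true, so either use `#!/bin/bash` or `>/dev/null 2>&1` throughout. The same unquoted `grep $SCRIPT_USER` is a substring match over every field, so `httpd-example` is also satisfied by an existing `httpd-example-old`; `cut -d: -f1 | grep -qx -- "$SCRIPT_USER"` would be exact.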