#!/bin/bash MY_USERNAME=$1 SSH_PUBLIC_KEY=$2 GPG_KEYSERVER='hkp://keys.gnupg.net' SSH_PORT=2222 COMPLETION_FILE=$HOME/freedombone-completed.txt if [ ! $MY_USERNAME ]; then echo 'No username was given' exit 1 fi if [ -d /home/$MY_USERNAME ]; then echo "The user $MY_USERNAME already exists" exit 2 fi if [ ! -f $COMPLETION_FILE ]; then echo "$COMPLETION_FILE not found" userdel -r $MY_USERNAME exit 3 fi NEW_USER_PASSWORD="$(openssl rand -base64 10 | cut -c1-8)" useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $MY_USERNAME adduser $MY_USERNAME sasl if [ ! -d /home/$MY_USERNAME ]; then echo 'Home directory was not created' exit 4 fi if [ $2 ]; then if [ -f $SSH_PUBLIC_KEY ]; then mkdir /home/$MY_USERNAME/.ssh cp $SSH_PUBLIC_KEY /home/$MY_USERNAME/.ssh/authorized_keys echo 'ssh public key installed' else if [[ $SSH_PUBLIC_KEY == "ssh-"* ]]; then mkdir /home/$MY_USERNAME/.ssh echo $SSH_PUBLIC_KEY > /home/$MY_USERNAME/.ssh/authorized_keys echo 'ssh public key installed' else echo 'The second parameter does not look like an ssh key' exit 5 fi fi fi if [ ! -d /home/$MY_USERNAME/Maildir ]; then echo 'Email directory was not created' userdel -r $MY_USERNAME exit 6 fi if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then sed -i "s|set from=.*|set from='$MY_USERNAME <$MY_USERNAME@$HOSTNAME>'|g" /home/$MY_USERNAME/.muttrc else echo "set from='$MY_USERNAME <$MY_USERNAME@$HOSTNAME>'" >> /home/$MY_USERNAME/.muttrc fi USERN='$USER@' sed -i "s|$USERN|$MY_USERNAME@|g" /home/$MY_USERNAME/.procmailrc # generate a gpg key echo "Making a GPG key for $MY_USERNAME@$HOSTNAME" mkdir /home/$MY_USERNAME/.gnupg echo "keyserver $GPG_KEYSERVER" >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'keyserver-options auto-key-retrieve' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo '' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo '# default preferences' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'personal-digest-preferences SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'cert-digest-algo SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$MY_USERNAME/.gnupg/gpg.conf chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg chmod 700 /home/$MY_USERNAME/.gnupg chmod 600 /home/$MY_USERNAME/.gnupg/* # Generate a GPG key echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Real: $MY_USERNAME" >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Email: $MY_USERNAME@$HOSTNAME" >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME shred -zu /home/$MY_USERNAME/gpg-genkey.conf MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$HOSTNAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') MY_GPG_PUBLIC_KEY=/home/$MY_USERNAME/public_key.gpg su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME if [ ! -f $MY_GPG_PUBLIC_KEY ]; then echo "GPG public key was not generated for $MY_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID" userdel -r $MY_USERNAME exit 7 fi # encrypt outgoing mail to the "sent" folder if ! grep -q "pgp_encrypt_only_command" /home/$MY_USERNAME/.muttrc; then echo '' >> /home/$MY_USERNAME/.muttrc echo '# Encrypt items in the Sent folder' >> /home/$MY_USERNAME/.muttrc echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc else sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc fi if ! grep -q "pgp_encrypt_sign_command" /home/$MY_USERNAME/.muttrc; then echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc else sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc fi if ! grep -q "Change your GPG password" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Change your GPG password' >> /home/$MY_USERNAME/README echo '========================' >> /home/$MY_USERNAME/README echo "It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README echo "if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README echo 'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README echo 'You can change the it with:' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README echo ' passwd' >> /home/$MY_USERNAME/README echo ' save' >> /home/$MY_USERNAME/README echo ' quit' >> /home/$MY_USERNAME/README fi if ! grep -q "Publish your GPG public key" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Publish your GPG public key' >> /home/$MY_USERNAME/README echo '===========================' >> /home/$MY_USERNAME/README echo 'So that others can send emails to you securely you should' >> /home/$MY_USERNAME/README echo 'publish your GPG public key with the command:' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo " gpg --send-keys $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README fi chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME $MY_GPG_PUBLIC_KEY chmod 600 /home/$MY_USERNAME/README echo "Adding an XMPP account for $MY_USERNAME" freedombone-addxmpp -e "$MY_USERNAME@$HOSTNAME" -p "$NEW_USER_PASSWORD" if [ ! "$?" = "0" ]; then echo "XMPP account not created" userdel -r $MY_USERNAME exit 8 fi if grep -q "Blog domain" $COMPLETION_FILE; then FULLBLOG_DOMAIN_NAME=$(cat $COMPLETION_FILE | grep "Blog domain" | awk -F ':' '{print $2}') if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users ]; then echo 'Blog users directory not found' userdel -r $MY_USERNAME exit 9 fi echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini echo "password = '$NEW_USER_PASSWORD'" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini echo 'encryption = clear' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini echo ';Role' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini echo 'role = admin' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini echo "$MY_USERNAME added as a blog user" fi clear echo "New user $MY_USERNAME was created" echo "Their login password is $NEW_USER_PASSWORD" echo '' echo 'IMPORTANT: Make a note of the password, because it will not be saved' echo 'anywhere else. Preferably give it to them in person on paper or via' echo 'a secure channel, not in an unencrypted email.' echo '' echo "They can download their GPG keys with:" echo '' echo " scp -P $SSH_PORT -r $MY_USERNAME@$HOSTNAME:/home/$MY_USERNAME/.gnupg ~/" echo '' echo 'They should also run freedombone-client on their system to ensure' echo 'the best security.' exit 0