diff --git a/scripts/10-provision.sh b/scripts/10-provision.sh
index d58aea6..4928e1e 100644
--- a/scripts/10-provision.sh
+++ b/scripts/10-provision.sh
@@ -15,7 +15,7 @@ apt-get -y -o Dpkg::Options::="--force-confdef" \
 mariadb-server mariadb-client redis-server rspamd opendkim opendkim-tools opendmarc clamav \
 clamav-daemon nginx php php-fpm php-cli php-mbstring php-xml php-curl php-zip php-mysql \
 php-redis php-gd unzip curl composer git certbot python3-certbot-nginx fail2ban ca-certificates \
- rsyslog sudo openssl monit acl netcat-openbsd
+ rsyslog sudo openssl monit acl netcat-openbsd jq
 
 # <<< Apache konsequent entfernen >>>
 systemctl disable --now apache2 >/dev/null 2>&1 || true
diff --git a/scripts/60-rspamd-opendkim.sh b/scripts/60-rspamd-opendkim.sh
index e375c2c..9d7166a 100644
--- a/scripts/60-rspamd-opendkim.sh
+++ b/scripts/60-rspamd-opendkim.sh
@@ -36,30 +36,52 @@ worker "controller" {
 }
 CONF
 
-#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
-#worker "normal" {
-# bind_socket = "127.0.0.1:11333";
-#}
-#CONF
+cat >/etc/rspamd/local.d/statistic.conf </etc/rspamd/local.d/worker-proxy.inc <<'CONF'
 worker "proxy" {
- bind_socket = "127.0.0.1:11333";
+ bind_socket = "127.0.0.1:11332";
 milter = yes; timeout = 120s;
- upstream "local" {
+
+ upstream "scan" {
 default = yes; self_scan = yes;
+ servers = "127.0.0.1:11333";
 } }
 CONF
+cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
+worker "normal" {
+ bind_socket = "127.0.0.1:11333";
+}
+CONF
 cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
 use = ["authentication-results"]; header = "Authentication-Results";
 CONF
+cat >/etc/rspamd/local.d/options.inc <<'CONF'
+dns {
+ servers = ["9.9.9.9:53", "1.1.1.1:53"];
+ timeout = 5s;
+ retransmits = 2;
+}
+CONF
 # ──────────────────────────────────────────────────────────────
 # Rspamd Redis-Konfiguration
 # ──────────────────────────────────────────────────────────────
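Review bot: The new options.inc pins rspamd's resolver to the public 9.9.9.9/1.1.1.1 servers, and the major DNSBL/URIBL operators refuse or rate-limit queries that arrive from public resolvers, so the RBL and URL reputation checks rspamd depends on would quietly return errors or empty answers. Rspamd should use a local caching resolver; if the `dns {}` block stays, point `servers` at that local resolver instead of the public ones and document why in a comment above the heredoc. The proxy worker now sets both `self_scan = yes` and `servers = "127.0.0.1:11333"`; as far as I know rspamd ignores `servers` when it scans itself, so one of the two should go to make the intended path (proxy scans vs. forwards to the normal worker) explicit. The statistic.conf heredoc in this hunk is garbled on the page, so the note covers only the visible lines.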
@@ -105,8 +127,8 @@ if [[ "${DKIM_ENABLE}" != "1" ]]; then
 log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
 /usr/sbin/postconf -e "milter_default_action = accept"
 /usr/sbin/postconf -e "milter_protocol = 6"
- /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11333"
- /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11333"
+ /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
+ /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
 exit 0
 fi
 
diff --git a/scripts/95-woltguard.sh b/scripts/95-woltguard.sh
index dc7cacb..faffe39 100644
--- a/scripts/95-woltguard.sh
+++ b/scripts/95-woltguard.sh
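Review bot: The milter port is now the literal `inet:127.0.0.1:11332` in both postconf lines, while the matching `bind_socket` sits in a quoted heredoc in the earlier hunk and the monit rspamd check in 95-woltguard.sh (outside these hunks; the commented copy there still probes 11333 and 11334) does not watch 11332 at all, so the port Postfix actually depends on is the one nothing monitors. Define the port once (e.g. `RSPAMD_PROXY_PORT="11332"` near the top of the script) and use it in both postconf lines, and add a monit line for it that runs the heal script like the 11333/11334 ones. The unchanged `milter_default_action = accept` means mail is accepted unscanned whenever the proxy is down; if that fail-open is intended, a one-line comment saying so would spare the next reader the question. The enclosing `if` starts before this hunk.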
@@ -4,44 +4,95 @@ source ./lib.sh
 
 log "WoltGuard (Monit + Self-Heal) einrichten …"
 
-set +u
-[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
-set -u
+# ─────────────────────────────────────────────────────────────
+# Env nur nachladen, wenn Flags nicht bereits exportiert sind
+# ─────────────────────────────────────────────────────────────
+INSTALLER_ENV="/etc/mailwolt/installer.env"
+: "${CLAMAV_ENABLE:=}" ; : "${OPENDMARC_ENABLE:=}" ; : "${FAIL2BAN_ENABLE:=}"
+if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then
+ # shellcheck disable=SC1090
+ . "$INSTALLER_ENV"
+fi
 CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}"
 OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}"
 FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
 
-# Pakete sicherstellen
+# ─────────────────────────────────────────────────────────────
+# Monit installieren & aktivieren
+# ─────────────────────────────────────────────────────────────
 command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; }
 systemctl enable --now monit
 
-# Helper-Skripte
+# ─────────────────────────────────────────────────────────────
+# Helper-Skripte (laufen später eigenständig → Env selbst laden)
+# ─────────────────────────────────────────────────────────────
 install -d -m 0755 /usr/local/sbin
+
+# Redis-Ping (nimmt REDIS_PASSWORD aus installer.env oder .env)
 cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
 #!/usr/bin/env bash
 set -euo pipefail
-PASS=""
-[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true
-if command -v redis-cli >/dev/null 2>&1; then
- [[ -n "${REDIS_PASS:-}" ]] \
- && redis-cli -h 127.0.0.1 -p 6379 -a "$REDIS_PASS" ping | grep -q PONG \
- || redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG
-else
+
+INSTALLER_ENV="/etc/mailwolt/installer.env"
+APP_ENV="/var/www/mailwolt/.env"
+
+REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
+REDIS_PORT="${REDIS_PORT:-6379}"
+REDIS_PASSWORD="${REDIS_PASSWORD:-}"
+
+# Env-Fallbacks
+[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV"
+if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then
+ REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
+fi
+
+if ! command -v redis-cli >/dev/null 2>&1; then
 exit 1
 fi
+
+if [[ -n "${REDIS_PASSWORD}" ]]; then
+ redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$'
+else
+ redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$'
+fi
 EOSH
 chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh
 
+# Rspamd-Heal (setzt Laufzeitverzeichnis, leert alte Socke, restarts rspamd)
 cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
 #!/usr/bin/env bash
 set -euo pipefail
+
+INSTALLER_ENV="/etc/mailwolt/installer.env"
+APP_ENV="/var/www/mailwolt/.env"
+
+REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
+REDIS_PORT="${REDIS_PORT:-6379}"
+REDIS_PASSWORD="${REDIS_PASSWORD:-}"
+
+[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV"
+if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then
+ REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
+fi
+
+# Rspamd Runtime fixen
 install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
-[ -S /var/lib/rspamd/rspamd.sock ] && rm -f /var/lib/rspamd/rspamd.sock || true
+[[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true
+
+# Neustart
 systemctl restart rspamd
+
+# Mini-Healthcheck
+sleep 2
+ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar"
+
+exit 0
 EOSH
 chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
 
+# ─────────────────────────────────────────────────────────────
 # WoltGuard Wrapper + Unit
+# ─────────────────────────────────────────────────────────────
 cat >/usr/local/bin/woltguard <<'EOSH'
 #!/usr/bin/env bash
 set -euo pipefail
@@ -72,12 +123,16 @@ EOF
 systemctl daemon-reload
 systemctl enable --now woltguard
 
-# Monit Basis + include
+# ─────────────────────────────────────────────────────────────
+# Monit Basis + includes
+# ─────────────────────────────────────────────────────────────
 sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
 grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
 install -d -m 0755 /etc/monit/conf.d
 
-# Checks
+# ─────────────────────────────────────────────────────────────
+# Monit Checks
+# ─────────────────────────────────────────────────────────────
 cat >/etc/monit/conf.d/postfix.conf <<'EOF'
 check process postfix with pidfile /var/spool/postfix/pid/master.pid
 start program = "/bin/systemctl start postfix"
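Review bot: mailwolt-redis-ping.sh hands the Redis password to redis-cli on the command line (`-a "$REDIS_PASSWORD"`), which makes it readable by every local user through `ps`/`/proc` for the lifetime of the process, and Monit runs this probe every cycle; redis-cli reads the password from the `REDISCLI_AUTH` environment variable, so the authenticated branch can become `REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$'`. The `.env` fallback keeps whatever follows the first `=` verbatim, so a quoted value in that file would be sent with its quotes; either strip surrounding quotes or comment that the file is assumed unquoted. In mailwolt-rspamd-heal.sh the REDIS_HOST/REDIS_PORT/REDIS_PASSWORD block and the `.env` grep are dead code in this version: nothing after them in the heredoc uses them, so they only make the heal script read a secret it never needs — drop them, or restore the Redis probe they were written for.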
@@ -159,19 +214,243 @@ else
 rm -f /etc/monit/conf.d/clamav.conf || true
 fi
 
-# optional: Fail2Ban
-if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
- cat >/etc/monit/conf.d/fail2ban.conf <<'EOF'
-check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
- start program = "/bin/systemctl start fail2ban"
- stop program = "/bin/systemctl stop fail2ban"
- if 5 restarts within 5 cycles then alert
-EOF
-else
- rm -f /etc/monit/conf.d/fail2ban.conf || true
-fi
-
+# ─────────────────────────────────────────────────────────────
+# Monit neu laden
+# ─────────────────────────────────────────────────────────────
 monit -t
 systemctl reload monit || systemctl restart monit
 systemctl status monit --no-pager || true
-log "[✓] WoltGuard aktiv."
\ No newline at end of file
+log "[✓] WoltGuard aktiv."
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#log "WoltGuard (Monit + Self-Heal) einrichten …"
+#
+#set +u
+#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
+#set -u
+#CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}"
+#OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}"
+#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
+#
+## Pakete sicherstellen
+#command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; }
+#systemctl enable --now monit
+#
+## Helper-Skripte
+#install -d -m 0755 /usr/local/sbin
+#cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
+##!/usr/bin/env bash
+#set -euo pipefail
+#PASS=""
+#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true
+#if command -v redis-cli >/dev/null 2>&1; then
+# [[ -n "${REDIS_PASS:-}" ]] \
+# && redis-cli -h 127.0.0.1 -p 6379 -a "$REDIS_PASS" ping | grep -q PONG \
+# || redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG
+#else
+# exit 1
+#fi
+#EOSH
+#chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh
+#
+#cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
+##!/usr/bin/env bash
+#set -euo pipefail
+#
+#REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
+#REDIS_PORT="${REDIS_PORT:-6379}"
+#REDIS_PASSWORD="${REDIS_PASSWORD:-}"
+#
+#INSTALLER_ENV="/etc/mailwolt/installer.env"
+#APP_ENV="/var/www/mailwolt/.env"
+#REDIS_CLI="$(command -v redis-cli || true)"
+#SYSTEMCTL="$(command -v systemctl || true)"
+#RSPAMD_SERVICE="rspamd"
+#
+#if [ -r "$INSTALLER_ENV" ]; then . "$INSTALLER_ENV"; fi
+#if [ -z "${REDIS_PASSWORD}" ] && [ -r "$APP_ENV" ]; then
+# REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
+#fi
+#
+#if [ -n "$REDIS_CLI" ]; then
+# echo "[INFO] Prüfe Redis Verbindung..."
+# if [ -n "${REDIS_PASSWORD}" ]; then
+# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$'; then
+# echo "[WARN] Redis antwortet nicht oder Passwort falsch!"
+# else
+# echo "[OK] Redis antwortet (auth ok)."
+# fi
+# else
+# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$'; then
+# echo "[WARN] Redis antwortet nicht (ohne Passwort)."
+# else
+# echo "[OK] Redis antwortet (kein Passwort)."
+# fi
+# fi
+#else
+# echo "[WARN] redis-cli nicht gefunden – überspringe Test."
+#fi
+#
+#echo "[INFO] Prüfe Rspamd Socket & Verzeichnis..."
+#install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
+#[ -S /var/lib/rspamd/rspamd.sock ] && rm -f /var/lib/rspamd/rspamd.sock || true
+#
+#echo "[INFO] Starte Rspamd neu..."
+#if [ -n "$SYSTEMCTL" ]; then
+# "$SYSTEMCTL" restart "$RSPAMD_SERVICE"
+# echo "[OK] Rspamd erfolgreich neu gestartet."
+#else
+# echo "[ERROR] systemctl nicht gefunden – kein Neustart möglich."
+# exit 1
+#fi
+#
+#echo "[INFO] Healthcheck (Port 11334)..."
+#sleep 3
+#if ss -tln | grep -q ':11334'; then
+# echo "[OK] Rspamd Controller läuft auf Port 11334."
+#else
+# echo "[WARN] Rspamd Controller Port 11334 nicht erreichbar."
+#fi
+#
+#echo "[DONE] Mailwolt Rspamd-Heal abgeschlossen."
+#exit 0
+#EOSH
+#chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
+#
+## WoltGuard Wrapper + Unit
+#cat >/usr/local/bin/woltguard <<'EOSH'
+##!/usr/bin/env bash
+#set -euo pipefail
+#case "${1:-status}" in
+# start) systemctl enable --now monit ;;
+# stop) systemctl stop monit ;;
+# status) monit summary || systemctl status monit || true ;;
+# heal) monit reload || true; sleep 1; monit restart all || true ;;
+# monitor) monit monitor all || true ;;
+# unmonitor) monit unmonitor all || true ;;
+# *) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;;
+#esac
+#EOSH
+#chmod 0755 /usr/local/bin/woltguard
+#
+#cat >/etc/systemd/system/woltguard.service <<'EOF'
+#[Unit]
+#Description=WoltGuard – Self-Healing Monitor for MailWolt
+#After=network.target
+#[Service]
+#Type=oneshot
+#ExecStart=/usr/local/bin/woltguard start
+#ExecStop=/usr/local/bin/woltguard stop
+#RemainAfterExit=yes
+#[Install]
+#WantedBy=multi-user.target
+#EOF
+#systemctl daemon-reload
+#systemctl enable --now woltguard
+#
+## Monit Basis + include
+#sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
+#grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
+#install -d -m 0755 /etc/monit/conf.d
+#
+## Checks
+#cat >/etc/monit/conf.d/postfix.conf <<'EOF'
+#check process postfix with pidfile /var/spool/postfix/pid/master.pid
+# start program = "/bin/systemctl start postfix"
+# stop program = "/bin/systemctl stop postfix"
+# if failed port 25 protocol smtp then restart
+# if failed port 465 type tcpssl then restart
+# if failed port 587 type tcp then restart
+# if 5 restarts within 5 cycles then alert
+#EOF
+#
+#cat >/etc/monit/conf.d/dovecot.conf <<'EOF'
+#check process dovecot with pidfile /run/dovecot/master.pid
+# start program = "/bin/systemctl start dovecot"
+# stop program = "/bin/systemctl stop dovecot"
+# if failed port 993 type tcpssl for 2 cycles then restart
+# if failed port 24 protocol lmtp for 2 cycles then restart
+# if 5 restarts within 5 cycles then alert
+#EOF
+#
+#cat >/etc/monit/conf.d/nginx.conf <<'EOF'
+#check process nginx with pidfile /run/nginx.pid
+# start program = "/bin/systemctl start nginx"
+# stop program = "/bin/systemctl stop nginx"
+# if failed port 80 type tcp then restart
+# if failed port 443 type tcpssl then restart
+# if 5 restarts within 5 cycles then alert
+#EOF
+#
+#cat >/etc/monit/conf.d/redis.conf <<'EOF'
+#check process redis with pidfile /run/redis/redis-server.pid
+# start program = "/bin/systemctl start redis-server"
+# stop program = "/bin/systemctl stop redis-server"
+# if failed host 127.0.0.1 port 6379 for 2 cycles then restart
+# if 5 restarts within 5 cycles then alert
+#
+#check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh"
+# if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server"
+#EOF
+#
+#cat >/etc/monit/conf.d/rspamd.conf <<'EOF'
+#check process rspamd with pidfile /run/rspamd/rspamd.pid
+# start program = "/bin/systemctl start rspamd"
+# stop program = "/bin/systemctl stop rspamd"
+# if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
+# if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
+# if 5 restarts within 5 cycles then alert
+#EOF
+#
+#cat >/etc/monit/conf.d/opendkim.conf <<'EOF'
+#check process opendkim with pidfile /run/opendkim/opendkim.pid
+# start program = "/bin/systemctl start opendkim"
+# stop program = "/bin/systemctl stop opendkim"
+# if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart
+# if 5 restarts within 5 cycles then alert
+#EOF
+#
+## optional: OpenDMARC
+#if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
+# cat >/etc/monit/conf.d/opendmarc.conf <<'EOF'
+#check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
+# start program = "/bin/systemctl start opendmarc"
+# stop program = "/bin/systemctl stop opendmarc"
+# if 5 restarts within 5 cycles then alert
+#EOF
+#else
+# rm -f /etc/monit/conf.d/opendmarc.conf || true
+#fi
+#
+## optional: ClamAV
+#if [[ "$CLAMAV_ENABLE" = "1" ]]; then
+# cat >/etc/monit/conf.d/clamav.conf <<'EOF'
+#check process clamd with pidfile /run/clamav/clamd.pid
+# start program = "/bin/systemctl start clamav-daemon"
+# stop program = "/bin/systemctl stop clamav-daemon"
+# if failed unixsocket /run/clamav/clamd.ctl then restart
+# if 5 restarts within 5 cycles then alert
+#EOF
+#else
+# rm -f /etc/monit/conf.d/clamav.conf || true
+#fi
+#
+## optional: Fail2Ban
+#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
+# cat >/etc/monit/conf.d/fail2ban.conf <<'EOF'
+#check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
+# start program = "/bin/systemctl start fail2ban"
+# stop program = "/bin/systemctl stop fail2ban"
+# if 5 restarts within 5 cycles then alert
+#EOF
+#else
+# rm -f /etc/monit/conf.d/fail2ban.conf || true
+#fi
+#
+#monit -t
+#systemctl reload monit || systemctl restart monit
+#systemctl status monit --no-pager || true
+#log "[✓] WoltGuard aktiv."
\ No newline at end of file
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 39d80f7..4909b2a 100644
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -248,6 +248,8 @@ export CLAMAV_ENABLE OPENDMARC_ENABLE FAIL2BAN_ENABLE
 install -d -m 0755 /etc/mailwolt
 cat >/etc/mailwolt/installer.env <
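Review bot: Removing the Fail2Ban block drops not only the monit check but also the `rm -f /etc/monit/conf.d/fail2ban.conf || true` cleanup in its `else` branch, so a fail2ban.conf written by an earlier run survives re-provisioning and keeps acting on a service this script no longer manages; keep that `rm -f` line unconditionally, or add a comment naming the script that now owns the file. With the block gone, `FAIL2BAN_ENABLE` (still defaulted to 1 in the first hunk of this file) has no consumer in the visible hunks. The roughly 230 `+#` lines appended after `log "[✓] WoltGuard aktiv."` are a commented-out copy of an earlier version of this script, including a longer rspamd-heal that differs from the one the first hunk installs; git history already holds that version, and carrying it in the file doubles its length and invites the two to drift, so delete it.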