From 087a0d3706919507af1b3084497877145d9685be Mon Sep 17 00:00:00 2001 From: boksbc Date: Fri, 24 Oct 2025 06:31:19 +0200 Subject: [PATCH] Dovecot Systax Problem --- scripts/70-nginx.sh | 91 ++++++++++++++++++++++++++++--- scripts/80-app.sh | 3 +- scripts/bootstrap.sh | 125 ++++++++++++++++++++++++++++++++++--------- 3 files changed, 185 insertions(+), 34 deletions(-) diff --git a/scripts/70-nginx.sh b/scripts/70-nginx.sh index 5805522..f71110d 100644 --- a/scripts/70-nginx.sh +++ b/scripts/70-nginx.sh 
@@ -43,19 +43,94 @@ else fi # ── Builder 1: HTTP-only (Proxy-Mode: TLS endet im NPM) ─────────────────── -# $1=host, $2=outfile +## $1=host, $2=outfile +#build_site_http_only(){ +# local host="$1" outfile="$2" +# +# local def="" +# [[ "${DEV_MODE}" = "1" ]] && def=" default_server" +# [[ -z "${host}" || "${host}" = "_" ]] && host="_" +# +# cat > "$outfile" <> "$outfile" <<'CONF' +# # DEV: Vite-Proxy (HMR) +# location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; } +# location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; } +# location ^~ /resources/ { proxy_pass http://127.0.0.1:5173/resources/; proxy_set_header Host $host; } +#CONF +# fi +# +# echo "}" >> "$outfile" +#} + build_site_http_only(){ local host="$1" outfile="$2" + # DEV: IP-Zugriff ohne Hostname → default_server + server_name _ local def="" - [[ "${DEV_MODE}" = "1" ]] && def=" default_server" + if [[ "${DEV_MODE}" = "1" ]]; then + def=" default_server" + host="_" + fi [[ -z "${host}" || "${host}" = "_" ]] && host="_" cat > "$outfile" </dev/null 2>&1; } -valid_fqdn(){ - [[ "$1" =~ ^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)+[a-z]{2,}$ ]] + +#valid_fqdn(){ +# [[ "$1" =~ ^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)+[a-z]{2,}$ ]] +#} + +# ── Host-Validierung & DEV-Erkennung ──────────────────────────────────────── +valid_fqdn_prod(){ [[ "$1" =~ ^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)+[a-z]{2,}$ ]]; } +valid_host_dev(){ + # erlaubt: single-label (ui, webmail), FQDNs, IPv4 + [[ "$1" =~ ^([a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9-]+)*$ ]] || [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] } +is_local_like(){ + local h="$(echo "$1" | tr '[:upper:]' '[:lower:]')" + [[ "$h" =~ \.local$ || "$h" =~ \.loc$ || "$h" =~ \.dev$ || "$h" =~ \.test$ || "$h" = "localhost" ]] && return 0 + [[ "$h" =~ ^10\. || "$h" =~ ^192\.168\. || "$h" =~ ^172\.(1[6-9]|2[0-9]|3[0-1])\. || "$h" =~ ^127\. 
]] && return 0 + return 1 +} +normalize_host(){ + # $1=input $2=default (nutzt DEV_MODE für die passende Prüflogik) + local inp="$1" def="$2" + if [[ "${DEV_MODE}" = "1" ]]; then + valid_host_dev "$inp" && { echo "$inp"; return; } + else + valid_fqdn_prod "$inp" && { echo "$inp"; return; } + fi + echo "$def" +} + ask_tty_domain(){ local label="$1" example="$2" def="$3" outvar="$4" inp echo -e "${CYAN}${label}${NC}" 
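Review bot: `is_local_like` lowercases its argument, but `normalize_host` matches the raw input against lowercase-only patterns, so an entry such as `UI.Local` can force DEV mode and then fail validation and be replaced by the default without any message. Lowercasing once in `normalize_host` (`inp="${inp,,}"`) and printing a warning to stderr before `echo "$def"` would make the two checks agree and make the fallback visible. In `valid_host_dev` the first pattern already accepts any dotted digit string, so the IPv4 alternative adds nothing and octets such as `999` pass; the later labels (`\.[a-z0-9-]+`) also admit leading or trailing hyphens. The commented-out `valid_fqdn` can be deleted rather than kept, since the history preserves it. The hunk header for this part of scripts/bootstrap.sh is missing from the extracted patch, so the surrounding context may differ.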
@@ -95,50 +120,100 @@ CLAMAV_ENABLE=1 OPENDMARC_ENABLE=1 FAIL2BAN_ENABLE=1 -if have_whiptail; then +if command -v whiptail >/dev/null 2>&1; then TITLE="MailWolt Setup" - MTA_FQDN="$(whiptail --title "$TITLE" --inputbox "Mailserver-FQDN (MX)\nBeispiel: mx.domain.tld" 11 70 "$MTA_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 - valid_fqdn "$MTA_FQDN" || MTA_FQDN="$MTA_DEFAULT" + # Hinweise zu erlaubten DEV-Hosts + MSG_SUFFIX="\n\nHinweis: Im DEV-Modus sind auch single-label Hosts (z.B. ui, webmail), *.local/*.dev und IPs erlaubt." - UI_FQDN="$(whiptail --title "$TITLE" --inputbox "UI / Admin-Panel FQDN\nBeispiel: ui.domain.tld" 11 70 "$UI_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 - valid_fqdn "$UI_FQDN" || UI_FQDN="$UI_DEFAULT" + _mta_in="$(whiptail --title "$TITLE" --inputbox "Mailserver-Host (MX)\nBeispiele: mx.domain.tld | mx.local | 10.0.0.10${MSG_SUFFIX}" 13 70 "$MTA_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 + _ui_in="$(whiptail --title "$TITLE" --inputbox "UI / Admin-Panel Host\nBeispiele: ui.domain.tld | ui.local | 10.0.0.10${MSG_SUFFIX}" 13 70 "$UI_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 + _wm_in="$(whiptail --title "$TITLE" --inputbox "Webmail Host\nBeispiele: webmail.domain.tld | web.local | 10.0.0.10${MSG_SUFFIX}" 13 70 "$WEBMAIL_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 - WEBMAIL_FQDN="$(whiptail --title "$TITLE" --inputbox "Webmail FQDN\nBeispiel: webmail.domain.tld" 11 70 "$WEBMAIL_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 - valid_fqdn "$WEBMAIL_FQDN" || WEBMAIL_FQDN="$WEBMAIL_DEFAULT" + # ZUERST provisorisch prüfen, ob „lokal“ → DEV erzwingen + if is_local_like "$_mta_in" || is_local_like "$_ui_in" || is_local_like "$_wm_in"; then + DEV_MODE=1; APP_ENV="local"; APP_DEBUG="true" + fi + export DEV_MODE APP_ENV APP_DEBUG + + # Jetzt mit passender Logik normalisieren + MTA_FQDN="$(normalize_host "$_mta_in" "$MTA_DEFAULT")" + UI_FQDN="$(normalize_host "$_ui_in" "$UI_DEFAULT")" + WEBMAIL_FQDN="$(normalize_host "$_wm_in" "$WEBMAIL_DEFAULT")" CHOICES="$(whiptail --title "$TITLE" --checklist 
"Optionale Dienste aktivieren" 15 70 6 \ "ClamAV" "Virenscan (clamd/clamav-daemon)" ON \ "OpenDMARC" "DMARC-Auswertung" ON \ "Fail2Ban" "Brute-Force-Schutz" ON \ 3>&1 1>&2 2>&3)" || true - CLAMAV_ENABLE=0; [[ "$CHOICES" == *"ClamAV"* ]] && CLAMAV_ENABLE=1 OPENDMARC_ENABLE=0; [[ "$CHOICES" == *"OpenDMARC"* ]] && OPENDMARC_ENABLE=1 FAIL2BAN_ENABLE=0; [[ "$CHOICES" == *"Fail2Ban"* ]] && FAIL2BAN_ENABLE=1 - whiptail --title "$TITLE" --msgbox "Zusammenfassung: - -MX : $MTA_FQDN -UI : $UI_FQDN -Webmail : $WEBMAIL_FQDN - -ClamAV : $([[ $CLAMAV_ENABLE -eq 1 ]] && echo Aktiv || echo Deaktiv) -OpenDMARC : $([[ $OPENDMARC_ENABLE -eq 1 ]] && echo Aktiv || echo Deaktiv) -Fail2Ban : $([[ $FAIL2BAN_ENABLE -eq 1 ]] && echo Aktiv || echo Deaktiv) -" 16 70 - else - echo -e "${GREY}[i] whiptail nicht gefunden – nutze TTY-Prompts.${NC}\n" - ask_tty_domain "Mailserver-FQDN (MX)" "mx.domain.tld" "$MTA_DEFAULT" MTA_FQDN - ask_tty_domain "UI / Admin-Panel FQDN" "ui.domain.tld" "$UI_DEFAULT" UI_FQDN - ask_tty_domain "Webmail FQDN" "webmail.domain.tld" "$WEBMAIL_DEFAULT" WEBMAIL_FQDN + echo -e "${GREY}[i] whiptail nicht gefunden – TTY-Fallback.${NC}\n" + read -r -p "Mailserver-Host (MX) [${MTA_DEFAULT}]: " _mta_in; _mta_in="${_mta_in:-$MTA_DEFAULT}" + read -r -p "UI / Admin-Panel Host [${UI_DEFAULT}]: " _ui_in; _ui_in="${_ui_in:-$UI_DEFAULT}" + read -r -p "Webmail Host [${WEBMAIL_DEFAULT}]: " _wm_in; _wm_in="${_wm_in:-$WEBMAIL_DEFAULT}" + + if is_local_like "$_mta_in" || is_local_like "$_ui_in" || is_local_like "$_wm_in"; then + DEV_MODE=1; APP_ENV="local"; APP_DEBUG="true" + fi + export DEV_MODE APP_ENV APP_DEBUG + + MTA_FQDN="$(normalize_host "$_mta_in" "$MTA_DEFAULT")" + UI_FQDN="$(normalize_host "$_ui_in" "$UI_DEFAULT")" + WEBMAIL_FQDN="$(normalize_host "$_wm_in" "$WEBMAIL_DEFAULT")" read -r -p "ClamAV aktivieren? (1/0, Enter=1): " CLAMAV_ENABLE; CLAMAV_ENABLE="${CLAMAV_ENABLE:-1}" read -r -p "OpenDMARC aktivieren? 
(1/0, Enter=1): " OPENDMARC_ENABLE; OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-1}" read -r -p "Fail2Ban aktivieren? (1/0, Enter=1): " FAIL2BAN_ENABLE; FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" fi +#if have_whiptail; then +# TITLE="MailWolt Setup" +# +# MTA_FQDN="$(whiptail --title "$TITLE" --inputbox "Mailserver-FQDN (MX)\nBeispiel: mx.domain.tld" 11 70 "$MTA_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 +# valid_fqdn "$MTA_FQDN" || MTA_FQDN="$MTA_DEFAULT" +# +# UI_FQDN="$(whiptail --title "$TITLE" --inputbox "UI / Admin-Panel FQDN\nBeispiel: ui.domain.tld" 11 70 "$UI_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 +# valid_fqdn "$UI_FQDN" || UI_FQDN="$UI_DEFAULT" +# +# WEBMAIL_FQDN="$(whiptail --title "$TITLE" --inputbox "Webmail FQDN\nBeispiel: webmail.domain.tld" 11 70 "$WEBMAIL_DEFAULT" 3>&1 1>&2 2>&3)" || exit 1 +# valid_fqdn "$WEBMAIL_FQDN" || WEBMAIL_FQDN="$WEBMAIL_DEFAULT" +# +# CHOICES="$(whiptail --title "$TITLE" --checklist "Optionale Dienste aktivieren" 15 70 6 \ +# "ClamAV" "Virenscan (clamd/clamav-daemon)" ON \ +# "OpenDMARC" "DMARC-Auswertung" ON \ +# "Fail2Ban" "Brute-Force-Schutz" ON \ +# 3>&1 1>&2 2>&3)" || true +# +# CLAMAV_ENABLE=0; [[ "$CHOICES" == *"ClamAV"* ]] && CLAMAV_ENABLE=1 +# OPENDMARC_ENABLE=0; [[ "$CHOICES" == *"OpenDMARC"* ]] && OPENDMARC_ENABLE=1 +# FAIL2BAN_ENABLE=0; [[ "$CHOICES" == *"Fail2Ban"* ]] && FAIL2BAN_ENABLE=1 +# +# whiptail --title "$TITLE" --msgbox "Zusammenfassung: +# +#MX : $MTA_FQDN +#UI : $UI_FQDN +#Webmail : $WEBMAIL_FQDN +# +#ClamAV : $([[ $CLAMAV_ENABLE -eq 1 ]] && echo Aktiv || echo Deaktiv) +#OpenDMARC : $([[ $OPENDMARC_ENABLE -eq 1 ]] && echo Aktiv || echo Deaktiv) +#Fail2Ban : $([[ $FAIL2BAN_ENABLE -eq 1 ]] && echo Aktiv || echo Deaktiv) +#" 16 70 +# +#else +# echo -e "${GREY}[i] whiptail nicht gefunden – nutze TTY-Prompts.${NC}\n" +# ask_tty_domain "Mailserver-FQDN (MX)" "mx.domain.tld" "$MTA_DEFAULT" MTA_FQDN +# ask_tty_domain "UI / Admin-Panel FQDN" "ui.domain.tld" "$UI_DEFAULT" UI_FQDN +# ask_tty_domain "Webmail FQDN" 
"webmail.domain.tld" "$WEBMAIL_DEFAULT" WEBMAIL_FQDN +# +# read -r -p "ClamAV aktivieren? (1/0, Enter=1): " CLAMAV_ENABLE; CLAMAV_ENABLE="${CLAMAV_ENABLE:-1}" +# read -r -p "OpenDMARC aktivieren? (1/0, Enter=1): " OPENDMARC_ENABLE; OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-1}" +# read -r -p "Fail2Ban aktivieren? (1/0, Enter=1): " FAIL2BAN_ENABLE; FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" +#fi + # ── Defaults/Kompatibilität ────────────────────────────────── MTA_FQDN="${MTA_FQDN:-${MTA_DEFAULT}}" UI_FQDN="${UI_FQDN:-${UI_DEFAULT}}"
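Review bot: Both branches set `DEV_MODE=1; APP_ENV="local"; APP_DEBUG="true"` as soon as any one of the three hosts matches `is_local_like`, which presumably switches on the application's debug mode for installs that are not development machines, for example a mail host on an RFC 1918 address behind the reverse proxy, or a public name under `.dev`, which is a delegated TLD. With DEV_MODE set, `build_site_http_only` in scripts/70-nginx.sh also registers the site as `default_server` with `server_name _`, so it answers requests for any Host header. I would keep host-format acceptance separate from the debug switch: relax validation for local-looking hosts here, but leave `APP_DEBUG="${APP_DEBUG:-false}"` unless the operator confirms DEV mode explicitly. The removed summary dialog was the only place the operator saw the accepted values, so together with the silent fallback in `normalize_host` a rejected entry now goes unnoticed. The block duplicated across the two branches could move into one helper, and the large commented-out copy of the old code could be dropped.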