Laudende Default seite entfernen

2025-10-16 20:28:11 +02:00 · 2025-10-16 20:28:11 +02:00 · 0fd7252048
parent be85653c89
commit 0fd7252048
5 changed files with 265 additions and 25 deletions
--- a/scripts/10-provision.sh
+++ b/scripts/10-provision.sh
@ -35,14 +35,16 @@ mkdir -p /etc/mysql/mariadb.conf.d
 [[ -f /etc/mysql/mariadb.cnf ]] || echo '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf

 log "Redis absichern …"
+if [[ -z "${REDIS_PASS:-}" || "${REDIS_PASS}" == "changeme" ]]; then
+  REDIS_PASS="$(openssl rand -hex 16)"
+  export REDIS_PASS
+  log "Neues Redis-Passwort generiert."
+fi
 # Aktiven Redis-Config-Pfad aus systemd holen (Fallback: Standard)
 REDIS_CONF="$(systemctl show -p ExecStart redis-server \
  | sed -n 's/^ExecStart=.*redis-server[[:space:]]\+\([^[:space:]]\+\).*/\1/p')"
 REDIS_CONF="${REDIS_CONF:-/etc/redis/redis.conf}"

-# Einmaliges, zufälliges Passwort (falls nicht von außen gesetzt)
-REDIS_PASS="${REDIS_PASS:-$(openssl rand -hex 16)}"
-
 # Bind + protected-mode hart setzen
 sed -i 's/^[[:space:]]*#\?[[:space:]]*bind .*/bind 127.0.0.1/' "$REDIS_CONF"
 sed -i 's/^[[:space:]]*#\?[[:space:]]*protected-mode .*/protected-mode yes/' "$REDIS_CONF"
--- a/scripts/70-nginx.sh
+++ b/scripts/70-nginx.sh
@ -4,12 +4,12 @@ source ./lib.sh

 log "Nginx konfigurieren …"

-# Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks)
+# ── Flags/Umgebung (vom Bootstrap gesetzt; hier Fallbacks) ────────────────
 DEV_MODE="${DEV_MODE:-0}"           # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
-PROXY_MODE="${PROXY_MODE:-0}"       # 1 = NPM/Proxy davor
+PROXY_MODE="${PROXY_MODE:-0}"       # 1 = NPM/Proxy davor, Backend spricht nur HTTP:80
 NPM_IP="${NPM_IP:-}"                # z.B. 10.10.20.20

-# Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR
+# Erwartet vom Bootstrap/Installer exportiert:
 : "${UI_HOST:?UI_HOST fehlt}"
 : "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
 : "${APP_DIR:?APP_DIR fehlt}"
@ -17,16 +17,16 @@ NPM_IP="${NPM_IP:-}"                # z.B. 10.10.20.20
 ACME_ROOT="/var/www/letsencrypt"
 install -d -m 0755 "$ACME_ROOT"

-# Default-Sites konsequent entfernen (verhindert doppelten default_server)
+# Default-Sites entfernen (verhindert doppelten default_server)
 rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true

-# HTTP/2 prüfen
+# HTTP/2-Unterstützung erkennen
 NGINX_HTTP2_SUFFIX=""
 if nginx -V 2>&1 | grep -q http_v2; then
  NGINX_HTTP2_SUFFIX=" http2"
 fi

-# PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
+# PHP-FPM Socket/TCP finden → fastcgi_pass bauen
 detect_php_fpm_sock(){
  for v in 8.3 8.2 8.1 8.0 7.4; do
    s="/run/php/php${v}-fpm.sock"
@ -42,9 +42,78 @@ else
  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
 fi

-# Helper zum Bauen einer Site
-# $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile
-build_site(){
+# ── Builder 1: HTTP-only (Proxy-Mode: TLS endet im NPM) ───────────────────
+# $1=host, $2=outfile
+build_site_http_only(){
+  local host="$1" outfile="$2"
+
+  cat > "$outfile" <<CONF
+# --- ${host} : HTTP (kein Redirect, kein TLS; läuft hinter Reverse-Proxy) ---
+server {
+  listen 80;
+  listen [::]:80;
+  server_name ${host};
+
+  # ACME HTTP-01 (optional; meist übernimmt das der Proxy)
+  location ^~ /.well-known/acme-challenge/ {
+    root ${ACME_ROOT};
+    allow all;
+  }
+
+  root ${APP_DIR}/public;
+  index index.php index.html;
+
+  access_log /var/log/nginx/${host}_access.log;
+  error_log  /var/log/nginx/${host}_error.log;
+
+  client_max_body_size 25m;
+
+  location / { try_files \$uri \$uri/ /index.php?\$query_string; }
+
+  location ~ \.php\$ {
+    include snippets/fastcgi-php.conf;
+    ${FASTCGI_PASS}
+  }
+
+  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
+  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
+
+  # WebSocket: Laravel Reverb (Backend intern HTTP)
+  location /ws/ {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host \$host;
+    proxy_read_timeout 60s;
+    proxy_send_timeout 60s;
+    proxy_pass http://127.0.0.1:8080/;
+  }
+
+  # Reverb HTTP API
+  location /apps/ {
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host;
+    proxy_read_timeout 60s;
+    proxy_send_timeout 60s;
+    proxy_pass http://127.0.0.1:8080/apps/;
+  }
+CONF
+
+  if [[ "${DEV_MODE}" = "1" ]]; then
+    cat >> "$outfile" <<'CONF'
+  # DEV: Vite-Proxy (HMR)
+  location ^~ /@vite/        { proxy_pass http://127.0.0.1:5173/@vite/;        proxy_set_header Host $host; }
+  location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; }
+  location ^~ /resources/    { proxy_pass http://127.0.0.1:5173/resources/;    proxy_set_header Host $host; }
+CONF
+  fi
+
+  echo "}" >> "$outfile"
+}
+
+# ── Builder 2: 80→443 Redirect + 443/TLS (Live-Server) ────────────────────
+# $1=host, $2=cert_dir (/etc/ssl/ui | /etc/ssl/webmail), $3=outfile
+build_site_tls(){
  local host="$1" cert_dir="$2" outfile="$3"
  local cert="${cert_dir}/fullchain.pem"
  local key="${cert_dir}/privkey.pem"
@ -56,7 +125,6 @@ server {
  listen [::]:80;
  server_name ${host};

-  # ACME HTTP-01
  location ^~ /.well-known/acme-challenge/ {
    root ${ACME_ROOT};
    allow all;
@ -114,7 +182,7 @@ server {
  }
 CONF

-  if [[ "$DEV_MODE" = "1" ]]; then
+  if [[ "${DEV_MODE}" = "1" ]]; then
    cat >> "$outfile" <<'CONF'
  # DEV: Vite-Proxy
  location ^~ /@vite/        { proxy_pass http://127.0.0.1:5173/@vite/;        proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
@ -126,18 +194,25 @@ CONF
  echo "}" >> "$outfile"
 }

-# Sites erzeugen
+# ── Sites erzeugen ─────────────────────────────────────────────────────────
 UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
 WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"

-build_site "$UI_HOST"      "/etc/ssl/ui"      "$UI_SITE"
-build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
+if [[ "${PROXY_MODE}" -eq 1 ]]; then
+  # Hinter NPM/Proxy: Backend nur HTTP:80 (keine Redirects, kein 443)
+  build_site_http_only "$UI_HOST"      "$UI_SITE"
+  build_site_http_only "$WEBMAIL_HOST" "$WEBMAIL_SITE"
+else
+  # Live-Server: 80→443 + TLS vHosts
+  build_site_tls "$UI_HOST"      "/etc/ssl/ui"      "$UI_SITE"
+  build_site_tls "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
+fi

 ln -sf "$UI_SITE"      "/etc/nginx/sites-enabled/ui-mailwolt.conf"
 ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"

-# Real-IP nur, wenn Proxy davor
-if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then
+# ── Real-IP nur, wenn Proxy davor ──────────────────────────────────────────
+if [[ "${PROXY_MODE}" -eq 1 && -n "${NPM_IP}" ]]; then
  cat > /etc/nginx/conf.d/realip.conf <<NGX
 real_ip_header X-Forwarded-For;
 set_real_ip_from ${NPM_IP};
@ -147,7 +222,7 @@ else
  rm -f /etc/nginx/conf.d/realip.conf || true
 fi

-# Test & reload
+# ── Test & reload ──────────────────────────────────────────────────────────
 if nginx -t; then
  systemctl enable --now nginx >/dev/null 2>&1 || true
  systemctl reload nginx || true
@ -155,6 +230,167 @@ else
  die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log"
 fi

+#---
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#log "Nginx konfigurieren …"
+#
+## Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks)
+#DEV_MODE="${DEV_MODE:-0}"           # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
+#PROXY_MODE="${PROXY_MODE:-0}"       # 1 = NPM/Proxy davor
+#NPM_IP="${NPM_IP:-}"                # z.B. 10.10.20.20
+#
+## Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR
+#: "${UI_HOST:?UI_HOST fehlt}"
+#: "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
+#: "${APP_DIR:?APP_DIR fehlt}"
+#
+#ACME_ROOT="/var/www/letsencrypt"
+#install -d -m 0755 "$ACME_ROOT"
+#
+## Default-Sites konsequent entfernen (verhindert doppelten default_server)
+#rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
+#
+## HTTP/2 prüfen
+#NGINX_HTTP2_SUFFIX=""
+#if nginx -V 2>&1 | grep -q http_v2; then
+#  NGINX_HTTP2_SUFFIX=" http2"
+#fi
+#
+## PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
+#detect_php_fpm_sock(){
+#  for v in 8.3 8.2 8.1 8.0 7.4; do
+#    s="/run/php/php${v}-fpm.sock"
+#    [[ -S "$s" ]] && { echo "unix:${s}"; return; }
+#  done
+#  [[ -S "/run/php/php-fpm.sock" ]] && { echo "unix:/run/php/php-fpm.sock"; return; }
+#  echo "127.0.0.1:9000"
+#}
+#PHP_FPM_TARGET="$(detect_php_fpm_sock)"
+#if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
+#  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
+#else
+#  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
+#fi
+#
+## Helper zum Bauen einer Site
+## $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile
+#build_site(){
+#  local host="$1" cert_dir="$2" outfile="$3"
+#  local cert="${cert_dir}/fullchain.pem"
+#  local key="${cert_dir}/privkey.pem"
+#
+#  cat > "$outfile" <<CONF
+## --- ${host} : HTTP (ACME + Redirect) ---
+#server {
+#  listen 80;
+#  listen [::]:80;
+#  server_name ${host};
+#
+#  # ACME HTTP-01
+#  location ^~ /.well-known/acme-challenge/ {
+#    root ${ACME_ROOT};
+#    allow all;
+#  }
+#
+#  return 301 https://\$host\$request_uri;
+#}
+#
+## --- ${host} : HTTPS ---
+#server {
+#  listen 443 ssl${NGINX_HTTP2_SUFFIX};
+#  listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
+#  server_name ${host};
+#
+#  ssl_certificate     ${cert};
+#  ssl_certificate_key ${key};
+#  ssl_protocols       TLSv1.2 TLSv1.3;
+#
+#  root ${APP_DIR}/public;
+#  index index.php index.html;
+#
+#  access_log /var/log/nginx/${host}_ssl_access.log;
+#  error_log  /var/log/nginx/${host}_ssl_error.log;
+#
+#  client_max_body_size 25m;
+#
+#  location / { try_files \$uri \$uri/ /index.php?\$query_string; }
+#
+#  location ~ \.php\$ {
+#    include snippets/fastcgi-php.conf;
+#    ${FASTCGI_PASS}
+#  }
+#
+#  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
+#  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
+#
+#  # WebSocket: Laravel Reverb
+#  location /ws/ {
+#    proxy_http_version 1.1;
+#    proxy_set_header Upgrade \$http_upgrade;
+#    proxy_set_header Connection "Upgrade";
+#    proxy_set_header Host \$host;
+#    proxy_read_timeout 60s;
+#    proxy_send_timeout 60s;
+#    proxy_pass http://127.0.0.1:8080/;
+#  }
+#
+#  # Reverb HTTP API
+#  location /apps/ {
+#    proxy_http_version 1.1;
+#    proxy_set_header Host \$host;
+#    proxy_read_timeout 60s;
+#    proxy_send_timeout 60s;
+#    proxy_pass http://127.0.0.1:8080/apps/;
+#  }
+#CONF
+#
+#  if [[ "$DEV_MODE" = "1" ]]; then
+#    cat >> "$outfile" <<'CONF'
+#  # DEV: Vite-Proxy
+#  location ^~ /@vite/        { proxy_pass http://127.0.0.1:5173/@vite/;        proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
+#  location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
+#  location ^~ /resources/    { proxy_pass http://127.0.0.1:5173/resources/;    proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
+#CONF
+#  fi
+#
+#  echo "}" >> "$outfile"
+#}
+#
+## Sites erzeugen
+#UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
+#WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
+#
+#build_site "$UI_HOST"      "/etc/ssl/ui"      "$UI_SITE"
+#build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
+#
+#ln -sf "$UI_SITE"      "/etc/nginx/sites-enabled/ui-mailwolt.conf"
+#ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
+#
+## Real-IP nur, wenn Proxy davor
+#if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then
+#  cat > /etc/nginx/conf.d/realip.conf <<NGX
+#real_ip_header X-Forwarded-For;
+#set_real_ip_from ${NPM_IP};
+#real_ip_recursive on;
+#NGX
+#else
+#  rm -f /etc/nginx/conf.d/realip.conf || true
+#fi
+#
+## Test & reload
+#if nginx -t; then
+#  systemctl enable --now nginx >/dev/null 2>&1 || true
+#  systemctl reload nginx || true
+#else
+#  die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log"
+#fi
+
+#---
+
 ##!/usr/bin/env bash
 #set -euo pipefail
 #source ./lib.sh
--- a/scripts/80-app.sh
+++ b/scripts/80-app.sh
@ -53,8 +53,6 @@ else
  APP_URL_VAL="${SCHEME}://${SERVER_PUBLIC_IPV4}"
 fi

-[ -z "${REDIS_PASS:-}" ] && REDIS_PASS="$(awk '/^[[:space:]]*requirepass[[:space:]]+/ {print $2}' /etc/redis/redis.conf | tail -n1 || true)"
-
 # --- .env schreiben (vollständig wie vorher) --------------------------------
 upsert_env APP_URL             "${APP_URL_VAL}"

--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -18,6 +18,11 @@ APP_ENV="${APP_ENV:-$([[ $DEV_MODE -eq 1 ]] && echo local || echo production)}"
 APP_DEBUG="${APP_DEBUG:-$([[ $DEV_MODE -eq 1 ]] && echo true  || echo false)}"
 export DEV_MODE PROXY_MODE NPM_IP APP_ENV APP_DEBUG

+DB_PASS="${DB_PASS:-$(openssl rand -hex 16)}"
+REDIS_PASS="${REDIS_PASS:-$(openssl rand -hex 16)}"
+
+export DB_PASS REDIS_PASS
+
 cd "$(dirname "$0")"
 source ./lib.sh
 require_root
@ -37,7 +42,6 @@ MTA_SUB="${MTA_SUB:-mx}"

 DB_NAME="${DB_NAME:-${APP_USER}}"
 DB_USER="${DB_USER:-${APP_USER}}"
-DB_PASS="${DB_PASS:-$(openssl rand -hex 16)}"

 SERVER_PUBLIC_IPV4="$(detect_ip)"
 SERVER_PUBLIC_IPV6="$(detect_ipv6)"
--- a/scripts/lib.sh
+++ b/scripts/lib.sh
@ -32,8 +32,8 @@ require_root(){ [[ "$(id -u)" -eq 0 ]] || die "Bitte als root ausführen."; }
 # DB / Redis (werden später durch .env überschrieben)
 : "${DB_NAME:=${APP_USER}}"
 : "${DB_USER:=${APP_USER}}"
-: "${DB_PASS:=changeme}"
-: "${REDIS_PASS:=changeme}"
+: "${DB_PASS:=}"
+: "${REDIS_PASS:=}"

 # Stabile Zert-Pfade (UI/WEBMAIL/MX → symlinked via 20-ssl.sh)
 : "${MAIL_SSL_DIR:=/etc/ssl/mail}"