Laudende Default seite entfernen

main
boksbc 2025-10-16 20:28:11 +02:00
parent be85653c89
commit 0fd7252048
5 changed files with 265 additions and 25 deletions


@ -35,14 +35,16 @@ mkdir -p /etc/mysql/mariadb.conf.d
[[ -f /etc/mysql/mariadb.cnf ]] || echo '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf [[ -f /etc/mysql/mariadb.cnf ]] || echo '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf
log "Redis absichern …" log "Redis absichern …"
if [[ -z "${REDIS_PASS:-}" || "${REDIS_PASS}" == "changeme" ]]; then
REDIS_PASS="$(openssl rand -hex 16)"
export REDIS_PASS
log "Neues Redis-Passwort generiert."
fi
# Aktiven Redis-Config-Pfad aus systemd holen (Fallback: Standard) # Aktiven Redis-Config-Pfad aus systemd holen (Fallback: Standard)
REDIS_CONF="$(systemctl show -p ExecStart redis-server \ REDIS_CONF="$(systemctl show -p ExecStart redis-server \
| sed -n 's/^ExecStart=.*redis-server[[:space:]]\+\([^[:space:]]\+\).*/\1/p')" | sed -n 's/^ExecStart=.*redis-server[[:space:]]\+\([^[:space:]]\+\).*/\1/p')"
REDIS_CONF="${REDIS_CONF:-/etc/redis/redis.conf}" REDIS_CONF="${REDIS_CONF:-/etc/redis/redis.conf}"
# Einmaliges, zufälliges Passwort (falls nicht von außen gesetzt)
REDIS_PASS="${REDIS_PASS:-$(openssl rand -hex 16)}"
# Bind + protected-mode hart setzen # Bind + protected-mode hart setzen
sed -i 's/^[[:space:]]*#\?[[:space:]]*bind .*/bind 127.0.0.1/' "$REDIS_CONF" sed -i 's/^[[:space:]]*#\?[[:space:]]*bind .*/bind 127.0.0.1/' "$REDIS_CONF"
sed -i 's/^[[:space:]]*#\?[[:space:]]*protected-mode .*/protected-mode yes/' "$REDIS_CONF" sed -i 's/^[[:space:]]*#\?[[:space:]]*protected-mode .*/protected-mode yes/' "$REDIS_CONF"
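Review bot: The password generated at `REDIS_PASS="$(openssl rand -hex 16)"` exists only in this script's process; `export REDIS_PASS` reaches child processes, but not the bootstrap that runs this step nor the later step that writes the application's `.env`, unless this file is sourced rather than executed, which is not visible here. Since the bootstrap in this same commit already generates and exports REDIS_PASS before the steps run, an empty value at this point indicates a wiring problem rather than a first install, and silently generating a new one risks redis.conf and `.env` ending up with different secrets. Consider replacing the generation with `: "${REDIS_PASS:?REDIS_PASS fehlt}"`, matching the `:?` checks used in the nginx script, and keeping the `changeme` comparison only if installs with that placeholder are still expected. The enclosing script continues outside the hunk.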


@ -4,12 +4,12 @@ source ./lib.sh
log "Nginx konfigurieren …" log "Nginx konfigurieren …"
# Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks) # ── Flags/Umgebung (vom Bootstrap gesetzt; hier Fallbacks) ────────────────
DEV_MODE="${DEV_MODE:-0}" # 1 = DEV (Vite-Proxy aktiv), 0 = PROD DEV_MODE="${DEV_MODE:-0}" # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
PROXY_MODE="${PROXY_MODE:-0}" # 1 = NPM/Proxy davor PROXY_MODE="${PROXY_MODE:-0}" # 1 = NPM/Proxy davor, Backend spricht nur HTTP:80
NPM_IP="${NPM_IP:-}" # z.B. 10.10.20.20 NPM_IP="${NPM_IP:-}" # z.B. 10.10.20.20
# Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR # Erwartet vom Bootstrap/Installer exportiert:
: "${UI_HOST:?UI_HOST fehlt}" : "${UI_HOST:?UI_HOST fehlt}"
: "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}" : "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
: "${APP_DIR:?APP_DIR fehlt}" : "${APP_DIR:?APP_DIR fehlt}"
@ -17,16 +17,16 @@ NPM_IP="${NPM_IP:-}" # z.B. 10.10.20.20
ACME_ROOT="/var/www/letsencrypt" ACME_ROOT="/var/www/letsencrypt"
install -d -m 0755 "$ACME_ROOT" install -d -m 0755 "$ACME_ROOT"
# Default-Sites konsequent entfernen (verhindert doppelten default_server) # Default-Sites entfernen (verhindert doppelten default_server)
rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
# HTTP/2 prüfen # HTTP/2-Unterstützung erkennen
NGINX_HTTP2_SUFFIX="" NGINX_HTTP2_SUFFIX=""
if nginx -V 2>&1 | grep -q http_v2; then if nginx -V 2>&1 | grep -q http_v2; then
NGINX_HTTP2_SUFFIX=" http2" NGINX_HTTP2_SUFFIX=" http2"
fi fi
# PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen # PHP-FPM Socket/TCP finden → fastcgi_pass bauen
detect_php_fpm_sock(){ detect_php_fpm_sock(){
for v in 8.3 8.2 8.1 8.0 7.4; do for v in 8.3 8.2 8.1 8.0 7.4; do
s="/run/php/php${v}-fpm.sock" s="/run/php/php${v}-fpm.sock"
@ -42,9 +42,78 @@ else
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
fi fi
# Helper zum Bauen einer Site # ── Builder 1: HTTP-only (Proxy-Mode: TLS endet im NPM) ───────────────────
# $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile # $1=host, $2=outfile
build_site(){ build_site_http_only(){
local host="$1" outfile="$2"
cat > "$outfile" <<CONF
# --- ${host} : HTTP (kein Redirect, kein TLS; läuft hinter Reverse-Proxy) ---
server {
listen 80;
listen [::]:80;
server_name ${host};
# ACME HTTP-01 (optional; meist übernimmt das der Proxy)
location ^~ /.well-known/acme-challenge/ {
root ${ACME_ROOT};
allow all;
}
root ${APP_DIR}/public;
index index.php index.html;
access_log /var/log/nginx/${host}_access.log;
error_log /var/log/nginx/${host}_error.log;
client_max_body_size 25m;
location / { try_files \$uri \$uri/ /index.php?\$query_string; }
location ~ \.php\$ {
include snippets/fastcgi-php.conf;
${FASTCGI_PASS}
}
location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
# WebSocket: Laravel Reverb (Backend intern HTTP)
location /ws/ {
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/;
}
# Reverb HTTP API
location /apps/ {
proxy_http_version 1.1;
proxy_set_header Host \$host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/apps/;
}
CONF
if [[ "${DEV_MODE}" = "1" ]]; then
cat >> "$outfile" <<'CONF'
# DEV: Vite-Proxy (HMR)
location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; }
location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; }
location ^~ /resources/ { proxy_pass http://127.0.0.1:5173/resources/; proxy_set_header Host $host; }
CONF
fi
echo "}" >> "$outfile"
}
# ── Builder 2: 80→443 Redirect + 443/TLS (Live-Server) ────────────────────
# $1=host, $2=cert_dir (/etc/ssl/ui | /etc/ssl/webmail), $3=outfile
build_site_tls(){
local host="$1" cert_dir="$2" outfile="$3" local host="$1" cert_dir="$2" outfile="$3"
local cert="${cert_dir}/fullchain.pem" local cert="${cert_dir}/fullchain.pem"
local key="${cert_dir}/privkey.pem" local key="${cert_dir}/privkey.pem"
@ -56,7 +125,6 @@ server {
listen [::]:80; listen [::]:80;
server_name ${host}; server_name ${host};
# ACME HTTP-01
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {
root ${ACME_ROOT}; root ${ACME_ROOT};
allow all; allow all;
@ -114,7 +182,7 @@ server {
} }
CONF CONF
if [[ "$DEV_MODE" = "1" ]]; then if [[ "${DEV_MODE}" = "1" ]]; then
cat >> "$outfile" <<'CONF' cat >> "$outfile" <<'CONF'
# DEV: Vite-Proxy # DEV: Vite-Proxy
location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; } location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
@ -126,18 +194,25 @@ CONF
echo "}" >> "$outfile" echo "}" >> "$outfile"
} }
# Sites erzeugen # ── Sites erzeugen ─────────────────────────────────────────────────────────
UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf" UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf" WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
build_site "$UI_HOST" "/etc/ssl/ui" "$UI_SITE" if [[ "${PROXY_MODE}" -eq 1 ]]; then
build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE" # Hinter NPM/Proxy: Backend nur HTTP:80 (keine Redirects, kein 443)
build_site_http_only "$UI_HOST" "$UI_SITE"
build_site_http_only "$WEBMAIL_HOST" "$WEBMAIL_SITE"
else
# Live-Server: 80→443 + TLS vHosts
build_site_tls "$UI_HOST" "/etc/ssl/ui" "$UI_SITE"
build_site_tls "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
fi
ln -sf "$UI_SITE" "/etc/nginx/sites-enabled/ui-mailwolt.conf" ln -sf "$UI_SITE" "/etc/nginx/sites-enabled/ui-mailwolt.conf"
ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf" ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
# Real-IP nur, wenn Proxy davor # ── Real-IP nur, wenn Proxy davor ──────────────────────────────────────────
if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then if [[ "${PROXY_MODE}" -eq 1 && -n "${NPM_IP}" ]]; then
cat > /etc/nginx/conf.d/realip.conf <<NGX cat > /etc/nginx/conf.d/realip.conf <<NGX
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
set_real_ip_from ${NPM_IP}; set_real_ip_from ${NPM_IP};
@ -147,7 +222,7 @@ else
rm -f /etc/nginx/conf.d/realip.conf || true rm -f /etc/nginx/conf.d/realip.conf || true
fi fi
# Test & reload # ── Test & reload ──────────────────────────────────────────────────────────
if nginx -t; then if nginx -t; then
systemctl enable --now nginx >/dev/null 2>&1 || true systemctl enable --now nginx >/dev/null 2>&1 || true
systemctl reload nginx || true systemctl reload nginx || true
@ -155,6 +230,167 @@ else
die "nginx -t fehlgeschlagen siehe /var/log/nginx/*.log" die "nginx -t fehlgeschlagen siehe /var/log/nginx/*.log"
fi fi
#---
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Nginx konfigurieren …"
#
## Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks)
#DEV_MODE="${DEV_MODE:-0}" # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
#PROXY_MODE="${PROXY_MODE:-0}" # 1 = NPM/Proxy davor
#NPM_IP="${NPM_IP:-}" # z.B. 10.10.20.20
#
## Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR
#: "${UI_HOST:?UI_HOST fehlt}"
#: "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
#: "${APP_DIR:?APP_DIR fehlt}"
#
#ACME_ROOT="/var/www/letsencrypt"
#install -d -m 0755 "$ACME_ROOT"
#
## Default-Sites konsequent entfernen (verhindert doppelten default_server)
#rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
#
## HTTP/2 prüfen
#NGINX_HTTP2_SUFFIX=""
#if nginx -V 2>&1 | grep -q http_v2; then
# NGINX_HTTP2_SUFFIX=" http2"
#fi
#
## PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
#detect_php_fpm_sock(){
# for v in 8.3 8.2 8.1 8.0 7.4; do
# s="/run/php/php${v}-fpm.sock"
# [[ -S "$s" ]] && { echo "unix:${s}"; return; }
# done
# [[ -S "/run/php/php-fpm.sock" ]] && { echo "unix:/run/php/php-fpm.sock"; return; }
# echo "127.0.0.1:9000"
#}
#PHP_FPM_TARGET="$(detect_php_fpm_sock)"
#if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
#else
# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
#fi
#
## Helper zum Bauen einer Site
## $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile
#build_site(){
# local host="$1" cert_dir="$2" outfile="$3"
# local cert="${cert_dir}/fullchain.pem"
# local key="${cert_dir}/privkey.pem"
#
# cat > "$outfile" <<CONF
## --- ${host} : HTTP (ACME + Redirect) ---
#server {
# listen 80;
# listen [::]:80;
# server_name ${host};
#
# # ACME HTTP-01
# location ^~ /.well-known/acme-challenge/ {
# root ${ACME_ROOT};
# allow all;
# }
#
# return 301 https://\$host\$request_uri;
#}
#
## --- ${host} : HTTPS ---
#server {
# listen 443 ssl${NGINX_HTTP2_SUFFIX};
# listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
# server_name ${host};
#
# ssl_certificate ${cert};
# ssl_certificate_key ${key};
# ssl_protocols TLSv1.2 TLSv1.3;
#
# root ${APP_DIR}/public;
# index index.php index.html;
#
# access_log /var/log/nginx/${host}_ssl_access.log;
# error_log /var/log/nginx/${host}_ssl_error.log;
#
# client_max_body_size 25m;
#
# location / { try_files \$uri \$uri/ /index.php?\$query_string; }
#
# location ~ \.php\$ {
# include snippets/fastcgi-php.conf;
# ${FASTCGI_PASS}
# }
#
# location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
# location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
#
# # WebSocket: Laravel Reverb
# location /ws/ {
# proxy_http_version 1.1;
# proxy_set_header Upgrade \$http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header Host \$host;
# proxy_read_timeout 60s;
# proxy_send_timeout 60s;
# proxy_pass http://127.0.0.1:8080/;
# }
#
# # Reverb HTTP API
# location /apps/ {
# proxy_http_version 1.1;
# proxy_set_header Host \$host;
# proxy_read_timeout 60s;
# proxy_send_timeout 60s;
# proxy_pass http://127.0.0.1:8080/apps/;
# }
#CONF
#
# if [[ "$DEV_MODE" = "1" ]]; then
# cat >> "$outfile" <<'CONF'
# # DEV: Vite-Proxy
# location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
# location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
# location ^~ /resources/ { proxy_pass http://127.0.0.1:5173/resources/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
#CONF
# fi
#
# echo "}" >> "$outfile"
#}
#
## Sites erzeugen
#UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
#WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
#
#build_site "$UI_HOST" "/etc/ssl/ui" "$UI_SITE"
#build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
#
#ln -sf "$UI_SITE" "/etc/nginx/sites-enabled/ui-mailwolt.conf"
#ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
#
## Real-IP nur, wenn Proxy davor
#if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then
# cat > /etc/nginx/conf.d/realip.conf <<NGX
#real_ip_header X-Forwarded-For;
#set_real_ip_from ${NPM_IP};
#real_ip_recursive on;
#NGX
#else
# rm -f /etc/nginx/conf.d/realip.conf || true
#fi
#
## Test & reload
#if nginx -t; then
# systemctl enable --now nginx >/dev/null 2>&1 || true
# systemctl reload nginx || true
#else
# die "nginx -t fehlgeschlagen siehe /var/log/nginx/*.log"
#fi
#---
##!/usr/bin/env bash ##!/usr/bin/env bash
#set -euo pipefail #set -euo pipefail
#source ./lib.sh #source ./lib.sh
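Review bot: In proxy mode `build_site_http_only` serves the application in plaintext on `listen 80;` / `listen [::]:80;` on every interface, so if the host is reachable by any path other than the proxy, the TLS termination and whatever the proxy enforces can be bypassed by connecting directly; the later `set_real_ip_from ${NPM_IP}` block only changes which client address nginx believes, not who is allowed to connect. When NPM_IP is set, restricting the vhost with `allow ${NPM_IP}; deny all;` (or binding the listen directives to an internal address) would close that gap. The DEV block of this builder also omits the `proxy_set_header X-Forwarded-Proto https;` that the TLS builder sets on its Vite locations; this may be deliberate because the backend speaks HTTP only, but it is worth a comment. Separately, the last hunk appends the entire previous version of the script as roughly 160 commented-out lines below an already existing commented copy; git history keeps that version, so the block should be dropped.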


@ -53,8 +53,6 @@ else
APP_URL_VAL="${SCHEME}://${SERVER_PUBLIC_IPV4}" APP_URL_VAL="${SCHEME}://${SERVER_PUBLIC_IPV4}"
fi fi
[ -z "${REDIS_PASS:-}" ] && REDIS_PASS="$(awk '/^[[:space:]]*requirepass[[:space:]]+/ {print $2}' /etc/redis/redis.conf | tail -n1 || true)"
# --- .env schreiben (vollständig wie vorher) -------------------------------- # --- .env schreiben (vollständig wie vorher) --------------------------------
upsert_env APP_URL "${APP_URL_VAL}" upsert_env APP_URL "${APP_URL_VAL}"


@ -18,6 +18,11 @@ APP_ENV="${APP_ENV:-$([[ $DEV_MODE -eq 1 ]] && echo local || echo production)}"
APP_DEBUG="${APP_DEBUG:-$([[ $DEV_MODE -eq 1 ]] && echo true || echo false)}" APP_DEBUG="${APP_DEBUG:-$([[ $DEV_MODE -eq 1 ]] && echo true || echo false)}"
export DEV_MODE PROXY_MODE NPM_IP APP_ENV APP_DEBUG export DEV_MODE PROXY_MODE NPM_IP APP_ENV APP_DEBUG
DB_PASS="${DB_PASS:-$(openssl rand -hex 16)}"
REDIS_PASS="${REDIS_PASS:-$(openssl rand -hex 16)}"
export DB_PASS REDIS_PASS
cd "$(dirname "$0")" cd "$(dirname "$0")"
source ./lib.sh source ./lib.sh
require_root require_root
@ -37,7 +42,6 @@ MTA_SUB="${MTA_SUB:-mx}"
DB_NAME="${DB_NAME:-${APP_USER}}" DB_NAME="${DB_NAME:-${APP_USER}}"
DB_USER="${DB_USER:-${APP_USER}}" DB_USER="${DB_USER:-${APP_USER}}"
DB_PASS="${DB_PASS:-$(openssl rand -hex 16)}"
SERVER_PUBLIC_IPV4="$(detect_ip)" SERVER_PUBLIC_IPV4="$(detect_ip)"
SERVER_PUBLIC_IPV6="$(detect_ipv6)" SERVER_PUBLIC_IPV6="$(detect_ipv6)"
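Review bot: `DB_PASS="${DB_PASS:-$(openssl rand -hex 16)}"` and the REDIS_PASS line below it generate fresh secrets whenever the variables are absent from the environment, which is also the case on every re-run of the bootstrap on an already installed host; unless a later step reads the existing `.env` back (not visible here), a re-run would rotate the passwords in one place and not the other. Reading previously written values before generating, or refusing to proceed when an existing install is detected, would make this step idempotent. Note also that `export DB_PASS REDIS_PASS` places both secrets in the environment of every child process the installer starts and in any `set -x` trace, so tracing should stay off around these lines. The surrounding script continues outside both hunks.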


@ -32,8 +32,8 @@ require_root(){ [[ "$(id -u)" -eq 0 ]] || die "Bitte als root ausführen."; }
# DB / Redis (werden später durch .env überschrieben) # DB / Redis (werden später durch .env überschrieben)
: "${DB_NAME:=${APP_USER}}" : "${DB_NAME:=${APP_USER}}"
: "${DB_USER:=${APP_USER}}" : "${DB_USER:=${APP_USER}}"
: "${DB_PASS:=changeme}" : "${DB_PASS:=}"
: "${REDIS_PASS:=changeme}" : "${REDIS_PASS:=}"
# Stabile Zert-Pfade (UI/WEBMAIL/MX → symlinked via 20-ssl.sh) # Stabile Zert-Pfade (UI/WEBMAIL/MX → symlinked via 20-ssl.sh)
: "${MAIL_SSL_DIR:=/etc/ssl/mail}" : "${MAIL_SSL_DIR:=/etc/ssl/mail}"