diff --git a/scripts/21-le-deploy-hook.sh b/scripts/21-le-deploy-hook.sh
index c3f5702..e750d3b 100644
--- a/scripts/21-le-deploy-hook.sh
+++ b/scripts/21-le-deploy-hook.sh
@@ -142,6 +142,7 @@ exec /usr/local/sbin/mw-deploy.sh HOOK chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-certs.sh + log "[✓] MailWolt Deploy-Hook eingerichtet" ##!/usr/bin/env bash
diff --git a/scripts/88-update-wrapper.sh b/scripts/88-update-wrapper.sh
new file mode 100644
index 0000000..ebd7c07
--- /dev/null
+++ b/scripts/88-update-wrapper.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+source ./lib.sh
+
+log "Update-Wrapper & Sudoers …"
+
+# Pfade
+WRAPPER="/usr/local/sbin/mw-update"
+LOGFILE="/var/log/mailwolt-update.log"
+STATEDIR="/var/lib/mailwolt/update"
+SUDOERS="/etc/sudoers.d/mailwolt-update"
+UPDATE_SCRIPT="/mailwolt-installer/scripts/update.sh"
+
+# State/Log vorbereiten
+install -d -m 0755 "$(dirname "$LOGFILE")"
+install -d -m 0755 "$STATEDIR"
+: > "$LOGFILE" || true
+chmod 0644 "$LOGFILE"
+
+# Wrapper erzeugen
+cat > "$WRAPPER" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+
+LOG="/var/log/mailwolt-update.log"
+STATE_DIR="/var/lib/mailwolt/update"
+SCRIPT="/mailwolt-installer/scripts/update.sh"
+
+install -d -m 0755 "$STATE_DIR"
+echo "running" > "$STATE_DIR/state"
+
+{
+ echo "===== $(date -Is) :: Update gestartet ====="
+ if [[ -x "$SCRIPT" ]]; then
+ "$SCRIPT"
+ rc=$?
+ else
+ echo "[!] $SCRIPT nicht gefunden oder nicht ausführbar"
+ rc=127
+ fi
+ echo "===== $(date -Is) :: Update beendet (rc=$rc) ====="
+ echo "$rc" > "$STATE_DIR/rc"
+ echo "done" > "$STATE_DIR/state"
+ exit "$rc"
+} | tee -a "$LOG"
+EOF
+chmod 0755 "$WRAPPER"
+chown root:root "$WRAPPER"
+
+# Sudoers erlauben, dass www-data & mailwolt den Wrapper ohne PW starten dürfen
+cat > "$SUDOERS" <<'EOF'
+Defaults!/usr/local/sbin/mw-update !requiretty
+www-data ALL=(root) NOPASSWD: /usr/local/sbin/mw-update
+mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mw-update
+EOF
+chown root:root "$SUDOERS"
+chmod 440 "$SUDOERS"
+
+if ! visudo -c -f "$SUDOERS" >/dev/null 2>&1; then
+ echo "[!] Ungültiger sudoers-Eintrag in $SUDOERS – entferne Datei."
+ rm -f "$SUDOERS"
+fi
+
+log "[✓] Update-Wrapper bereit: $WRAPPER"
\ No newline at end of file
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 601477f..1cb9d27 100644
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
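Review bot: The wrapper executes `$SCRIPT` as root for any caller the sudoers block later in the hunk admits (www-data and mailwolt) after checking only `-x`, so anyone who can write `/mailwolt-installer/scripts/update.sh` gets root; nothing in the hunk fixes that path's ownership, so the `if [[ -x "$SCRIPT" ]]` branch should additionally refuse a script that is not root-owned or is group/world-writable. In the same block, `"$SCRIPT"` runs under `set -euo pipefail` inside the `{ … } | tee` subshell, so a non-zero exit aborts the subshell before `rc=$?`, and a failed update never writes `$STATE_DIR/rc` and leaves `state` at `running`; use `rc=0` followed by `"$SCRIPT" || rc=$?`. Separately, the sudoers fragment is dropped into `/etc/sudoers.d` before `visudo -c` validates it, and a parse error there makes sudo refuse to run for every user until the `rm -f` executes; write it to a temp file, validate, then `install -m 0440` it into place. Appending `""` to the command specs (`NOPASSWD: /usr/local/sbin/mw-update ""`) would also reject arguments, which the wrapper ignores today but a later version might not; `UPDATE_SCRIPT` in the installer is assigned and never used, since the quoted heredoc hardcodes the same path.
```shell
# … unchanged: "{" and the "Update gestartet" line …
  rc=0
  # Refuse an updater an unprivileged user could have replaced: it must be a
  # root-owned (uid 0) regular file with no group/other write bit (digits 0/1/4/5).
  owner_mode=$(stat -c '%u %a' "$SCRIPT" 2>/dev/null || true)
  if [[ -f "$SCRIPT" && -x "$SCRIPT" && "$owner_mode" =~ ^0\ [0-7]?[0-7][0145][0145]$ ]]; then
    "$SCRIPT" || rc=$?   # capture the status instead of letting set -e abort the subshell
  else
    echo "[!] $SCRIPT fehlt, ist nicht ausführbar oder nicht root-owned/schreibgeschützt"
    rc=127
  fi
# … unchanged: trailer line, rc/state files, exit "$rc", "} | tee", EOF, chmod/chown of the wrapper …
# Validate the sudoers fragment before it can affect /etc/sudoers.d
tmp_sudoers=$(mktemp)
cat > "$tmp_sudoers" <<'EOF'
Defaults!/usr/local/sbin/mw-update !requiretty
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mw-update ""
mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mw-update ""
EOF
chmod 0440 "$tmp_sudoers"   # some visudo versions also check owner/mode in -c
if visudo -c -q -f "$tmp_sudoers"; then
  install -o root -g root -m 0440 "$tmp_sudoers" "$SUDOERS"
else
  echo "[!] Ungültiger sudoers-Eintrag – $SUDOERS wird nicht installiert." >&2
fi
rm -f "$tmp_sudoers"
```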
@@ -211,7 +211,7 @@ for STEP in \
 20-ssl 21-le-deploy-hook 22-dkim-helper \
 30-db 40-postfix 50-dovecot \
 60-rspamd-opendkim 61-opendmarc 62-clamav 63-fail2ban \
- 70-nginx 75-le-issue 80-app 90-services 95-woltguard 98-motd 99-summary
+ 70-nginx 75-le-issue 80-app 88-update-wrapper 90-services 95-woltguard 98-motd 99-summary
 do
 log ">>> Running ${STEP}.sh"
 bash "./${STEP}.sh"