boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Laudende Default seite entfernen

main
boksbc 2025-10-17 02:35:54 +02:00
parent ce31a51b18
commit 26c01be12a
4 changed files with 303 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

279
scripts/21-le-deploy-hook.sh
View File

@ -2,133 +2,182 @@
set -euo pipefail set -euo pipefail
source ./lib.sh source ./lib.sh
# ──────────────────────────────────────────────────────────────────────────── log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
# 21-le-deploy-hook.sh
# • legt /etc/mailwolt/installer.env an (falls fehlt)
# • erzeugt Deploy-Hooks:
# - 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
# - 60-mailwolt-tlsa.sh → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
# • KEIN Reload von Postfix/Dovecot (kommt später im Installer)
# ────────────────────────────────────────────────────────────────────────────
# 0) Hostnamen persistent speichern (für spätere Deploys) # 1) Wrapper-Skript, das Symlinks setzt und Nginx reloaded
install -d -m 0755 /etc/mailwolt cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
if [[ ! -f /etc/mailwolt/installer.env ]]; then
cat >/etc/mailwolt/installer.env <<EOF
UI_HOST=${UI_HOST}
WEBMAIL_HOST=${WEBMAIL_HOST}
MAIL_HOSTNAME=${MAIL_HOSTNAME}
EOF
echo "[+] /etc/mailwolt/installer.env erstellt."
fi
# 1) Deploy-Hooks-Verzeichnis anlegen
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
# ────────────────────────────────────────────────────────────────────────────
# 2) 50-mailwolt-symlinks.sh
# ────────────────────────────────────────────────────────────────────────────
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
UI_LE="/etc/letsencrypt/live/${UI_HOST}"
WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"
# Zielverzeichnisse anlegen (einmalig)
install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
link_if() { link_if() {
local le_base="\$1" target_dir="\$2" local le_base="$1" target_dir="$2"
local cert="\${le_base}/fullchain.pem" local cert="${le_base}/fullchain.pem"
local key="\${le_base}/privkey.pem" local key="${le_base}/privkey.pem"
[[ -s "\$cert" && -s "\$key" ]] || return 0 [[ -s "$cert" && -s "$key" ]] || return 0
ln -sf "\$cert" "\${target_dir}/fullchain.pem" install -d -m 0755 "$target_dir"
ln -sf "\$key" "\${target_dir}/privkey.pem" ln -sf "$cert" "${target_dir}/fullchain.pem"
chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true ln -sf "$key" "${target_dir}/privkey.pem"
chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
echo "[+] Linked \${target_dir} -> \${le_base}" chmod 600 "${target_dir}/privkey.pem" 2>/dev/null || true
echo "[+] Linked ${target_dir} -> ${le_base}"
} }
# Verlinken (nur wenn Host konfiguriert) UI_HOST="${UI_HOST:-}"
[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR" WEBMAIL_HOST="${WEBMAIL_HOST:-}"
[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR" MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR"
[[ -n "$UI_HOST" ]] && link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
[[ -n "$WEBMAIL_HOST" ]] && link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
[[ -n "$MAIL_HOSTNAME" ]] && link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
# Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
if systemctl is-active --quiet nginx; then if systemctl is-active --quiet nginx; then
systemctl reload nginx || true systemctl reload nginx || true
fi fi
WRAP
chmod +x /usr/local/sbin/mw-deploy.sh
# 2) Certbot Deploy-Hook-Verzeichnis + Symlink für Renewals
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash
exec /usr/local/sbin/mw-deploy.sh
HOOK HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
# ──────────────────────────────────────────────────────────────────────────── log "[✓] MailWolt Deploy-Hook eingerichtet"
# 3) 60-mailwolt-tlsa.sh
# → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL.
# → schreibt nur, wenn sich der Hash geändert hat (idempotent)
# ────────────────────────────────────────────────────────────────────────────
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
# installer.env lesen ##!/usr/bin/env bash
set +u #set -euo pipefail
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env #source ./lib.sh
set -u #
## ────────────────────────────────────────────────────────────────────────────
APP_ENV_VAL="${APP_ENV:-production}" ## 21-le-deploy-hook.sh
BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}" ## • legt /etc/mailwolt/installer.env an (falls fehlt)
## • erzeugt Deploy-Hooks:
case "$APP_ENV_VAL" in ## - 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
local|dev|development) exit 0 ;; ## - 60-mailwolt-tlsa.sh → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
esac ## • KEIN Reload von Postfix/Dovecot (kommt später im Installer)
[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0 ## ────────────────────────────────────────────────────────────────────────────
#
MX_HOST="${MAIL_HOSTNAME:-}" ## 0) Hostnamen persistent speichern (für spätere Deploys)
SERVICE="_25._tcp" #install -d -m 0755 /etc/mailwolt
DNS_DIR="/etc/mailwolt/dns" #if [[ ! -f /etc/mailwolt/installer.env ]]; then
OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt" # cat >/etc/mailwolt/installer.env <<EOF
#UI_HOST=${UI_HOST}
# Nur reagieren, wenn MX-Zertifikat betroffen war #WEBMAIL_HOST=${WEBMAIL_HOST}
case " ${RENEWED_DOMAINS:-} " in #MAIL_HOSTNAME=${MAIL_HOSTNAME}
*" ${MX_HOST} "*) ;; #EOF
*) exit 0 ;; # echo "[+] /etc/mailwolt/installer.env erstellt."
esac #fi
#
CERT="${RENEWED_LINEAGE}/fullchain.pem" ## 1) Deploy-Hooks-Verzeichnis anlegen
[ -s "$CERT" ] || exit 0 #install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#
# Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent) ## ────────────────────────────────────────────────────────────────────────────
if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then ## 2) 50-mailwolt-symlinks.sh
cd /var/www/mailwolt || exit 0 ## ────────────────────────────────────────────────────────────────────────────
php artisan dns:tlsa:refresh || true #cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
exit 0 ##!/usr/bin/env bash
fi #set -euo pipefail
#
# Fallback: nur Datei aktualisieren, wenn Hash sich ändert #UI_LE="/etc/letsencrypt/live/${UI_HOST}"
HASH="$(openssl x509 -in "$CERT" -noout -pubkey \ #WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
| openssl pkey -pubin -outform DER \ #MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
| openssl dgst -sha256 | sed 's/^.*= //')" #
NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}" #UI_SSL_DIR="/etc/ssl/ui"
#WEBMAIL_SSL_DIR="/etc/ssl/webmail"
mkdir -p "$DNS_DIR" #MAIL_SSL_DIR="/etc/ssl/mail"
#
if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then ## Zielverzeichnisse anlegen (einmalig)
if grep -q "$HASH" "$OUT_FILE"; then #install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
echo "[TLSA] Unverändert kein Update nötig." #
exit 0 #link_if() {
fi # local le_base="\$1" target_dir="\$2"
fi # local cert="\${le_base}/fullchain.pem"
# local key="\${le_base}/privkey.pem"
echo "$NEW_LINE" > "$OUT_FILE" # [[ -s "\$cert" && -s "\$key" ]] || return 0
echo "[TLSA] Aktualisiert: $NEW_LINE" # ln -sf "\$cert" "\${target_dir}/fullchain.pem"
HOOK # ln -sf "\$key" "\${target_dir}/privkey.pem"
chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh # chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true
# chmod 600 "\${target_dir}/privkey.pem" 2>/dev/null || true
# ──────────────────────────────────────────────────────────────────────────── # echo "[+] Linked \${target_dir} -> \${le_base}"
echo "[✓] Deploy-Hooks installiert." #}
#
## Verlinken (nur wenn Host konfiguriert)
#[[ -n "${UI_HOST}" ]] && link_if "\$UI_LE" "\$UI_SSL_DIR"
#[[ -n "${WEBMAIL_HOST}" ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR"
#[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE" "\$MAIL_SSL_DIR"
#
## Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
#if systemctl is-active --quiet nginx; then
# systemctl reload nginx || true
#fi
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
#
## ────────────────────────────────────────────────────────────────────────────
## 3) 60-mailwolt-tlsa.sh
## → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL.
## → schreibt nur, wenn sich der Hash geändert hat (idempotent)
## ────────────────────────────────────────────────────────────────────────────
#cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
##!/usr/bin/env bash
#set -euo pipefail
#
## installer.env lesen
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#
#APP_ENV_VAL="${APP_ENV:-production}"
#BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}"
#
#case "$APP_ENV_VAL" in
# local|dev|development) exit 0 ;;
#esac
#[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0
#
#MX_HOST="${MAIL_HOSTNAME:-}"
#SERVICE="_25._tcp"
#DNS_DIR="/etc/mailwolt/dns"
#OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt"
#
## Nur reagieren, wenn MX-Zertifikat betroffen war
#case " ${RENEWED_DOMAINS:-} " in
# *" ${MX_HOST} "*) ;;
# *) exit 0 ;;
#esac
#
#CERT="${RENEWED_LINEAGE}/fullchain.pem"
#[ -s "$CERT" ] || exit 0
#
## Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent)
#if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
# cd /var/www/mailwolt || exit 0
# php artisan dns:tlsa:refresh || true
# exit 0
#fi
#
## Fallback: nur Datei aktualisieren, wenn Hash sich ändert
#HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
# | openssl pkey -pubin -outform DER \
# | openssl dgst -sha256 | sed 's/^.*= //')"
#NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
#
#mkdir -p "$DNS_DIR"
#
#if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then
# if grep -q "$HASH" "$OUT_FILE"; then
# echo "[TLSA] Unverändert kein Update nötig."
# exit 0
# fi
#fi
#
#echo "$NEW_LINE" > "$OUT_FILE"
#echo "[TLSA] Aktualisiert: $NEW_LINE"
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
#
## ────────────────────────────────────────────────────────────────────────────
#echo "[✓] Deploy-Hooks installiert."

138
scripts/75-le-issue.sh
View File

@ -5,21 +5,26 @@ source ./lib.sh
ACME_WEBROOT="/var/www/letsencrypt" ACME_WEBROOT="/var/www/letsencrypt"
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge" install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
# Let's Encrypt: Staging optional aktivieren (keine echten Zertifikate)
CERTBOT_EXTRA=() CERTBOT_EXTRA=()
LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren LE_STAGING="${LE_STAGING:-0}" # 1 = Staging
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert) [[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
# Einheitliche LE-E-Mail mit Fallback
LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
# DNS-Auflösung gegen unsere bekannte(n) IP(s) prüfen (nur als Warnsignal)
resolve_ok() { resolve_ok() {
local host="$1" local host="$1"
local pats=() local pats=()
[[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}") [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
[[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}") [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
# Wenn gar nichts bekannt ist, lieber nicht blockieren:
[[ ${#pats[@]} -eq 0 ]] && return 0 [[ ${#pats[@]} -eq 0 ]] && return 0
getent ahosts "$host" | awk '{print $1}' | sort -u \ getent ahosts "$host" | awk '{print $1}' | sort -u \
| grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$" | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
} }
# HTTP-01 Erreichbarkeit schnell antesten (IPv4/IPv6)
probe_http() { probe_http() {
local host="$1" local host="$1"
echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe" echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
@ -27,43 +32,124 @@ probe_http() {
|| curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
} }
# Ein Zertifikat für einen Host ausstellen
issue() { issue() {
local host="$1" local host="$1"
[[ -z "$host" ]] && return 0
echo "[i] Versuche LE für ${host}" echo "[i] Versuche LE für ${host}"
resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher skip ${host}"; return 0; }
if ! resolve_ok "$host"; then
echo "[!] DNS zeigt (noch) nicht hierher überspringe: ${host}"
return 0
fi
if ! probe_http "$host"; then if ! probe_http "$host"; then
echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)." echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
# wir versuchen es trotzdem Certbot meldet sich, falls es scheitert
fi fi
# MX: Key beibehalten (TLSA 3 1 1 bleibt stabil) # Für MX den Key wiederverwenden (stabiler TLSA-Hash 3 1 1)
EXTRA_ARGS=() EXTRA_ARGS=()
[[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key) [[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \ certbot certonly \
--non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \ --agree-tos -m "${LE_MAIL}" --non-interactive \
--webroot -w "${ACME_WEBROOT}" -d "${host}" \
--deploy-hook /usr/local/sbin/mw-deploy.sh \
"${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
} }
if [[ "$BASE_DOMAIN" != "example.com" ]]; then # -----------------------------------------------------------------------------
issue "$UI_HOST" # Hauptlauf
issue "$WEBMAIL_HOST" # -----------------------------------------------------------------------------
issue "$MAIL_HOSTNAME" if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
issue "${UI_HOST:-}"
issue "${WEBMAIL_HOST:-}"
issue "${MAIL_HOSTNAME:-}"
run-parts /etc/letsencrypt/renewal-hooks/deploy || true # Der Deploy-Hook hat Symlinks bereits gesetzt und nginx ggf. neu geladen.
systemctl reload nginx || true # Optional trotzdem manuell ausführen (harmlos, hilft bei exotischen Setups):
if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
# TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso) run-parts /etc/letsencrypt/renewal-hooks/deploy || true
MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem" fi
if [[ -s "$MX_CERT" ]]; then if systemctl is-active --quiet nginx; then
HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \ systemctl reload nginx || true
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 | sed 's/^.*= //')"
TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
install -d -m 0755 /etc/mailwolt/dns
echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
echo "[TLSA] ${TLSA_LINE}"
fi fi
else else
echo "[i] BASE_DOMAIN=example.com LE wird übersprungen." echo "[i] BASE_DOMAIN=example.com LE-Ausstellung wird übersprungen."
fi fi
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#ACME_WEBROOT="/var/www/letsencrypt"
#install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
#
#CERTBOT_EXTRA=()
#LE_STAGING="${LE_STAGING:-0}" # 1 = Let's Encrypt Staging aktivieren
#[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
#
#resolve_ok() {
# local host="$1"
# local pats=()
# [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
# [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
# # Wenn gar nichts bekannt ist, lieber nicht blockieren:
# [[ ${#pats[@]} -eq 0 ]] && return 0
# getent ahosts "$host" | awk '{print $1}' | sort -u \
# | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
#}
#
#probe_http() {
# local host="$1"
# echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
# curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
# || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
#}
#
#issue() {
# local host="$1"
# echo "[i] Versuche LE für ${host} …"
# resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher skip ${host}"; return 0; }
#
# if ! probe_http "$host"; then
# echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
# fi
#
# # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
# EXTRA_ARGS=()
# [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
#
# certbot certonly --agree-tos -m "$LE_EMAIL" --non-interactive \
# --webroot -w "$ACME_WEBROOT" -d "$UI_HOST" \
# --deploy-hook /usr/local/sbin/mw-deploy.sh
#
# certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
# --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
# "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
#}
#
#if [[ "$BASE_DOMAIN" != "example.com" ]]; then
# issue "$UI_HOST"
# issue "$WEBMAIL_HOST"
# issue "$MAIL_HOSTNAME"
#
#run-parts /etc/letsencrypt/renewal-hooks/deploy || true
#systemctl reload nginx || true
#
# # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
# MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
# if [[ -s "$MX_CERT" ]]; then
# HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
# | openssl pkey -pubin -outform DER \
# | openssl dgst -sha256 | sed 's/^.*= //')"
# TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
# install -d -m 0755 /etc/mailwolt/dns
# echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
# echo "[TLSA] ${TLSA_LINE}"
# fi
#else
# echo "[i] BASE_DOMAIN=example.com LE wird übersprungen."
#fi

17
scripts/80-app.sh
View File

@ -2,6 +2,16 @@
set -euo pipefail set -euo pipefail
source ./lib.sh source ./lib.sh
relink_and_reload() {
if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
run-parts /etc/letsencrypt/renewal-hooks/deploy || true
fi
# Nur reloaden, wenn nginx läuft (während Erstinstallation evtl. noch nicht aktiv)
if systemctl is-active --quiet nginx; then
systemctl reload nginx || true
fi
}
log "App bereitstellen …" log "App bereitstellen …"
mkdir -p "$(dirname "$APP_DIR")" mkdir -p "$(dirname "$APP_DIR")"
chown -R "$APP_USER":"$APP_GROUP" "$(dirname "$APP_DIR")" chown -R "$APP_USER":"$APP_GROUP" "$(dirname "$APP_DIR")"
@ -163,6 +173,9 @@ VITE_DEV_ORIGIN=$(grep '^APP_URL=' "${ENV_FILE}" | cut -d= -f2-)
CONF CONF
fi fi
# --- LE-Symlinks & Nginx (vor Seeder), damit UI/Webmail schon LE-Zert nutzen ---
relink_and_reload
# Laravel Caches säubern und migrieren # Laravel Caches säubern und migrieren
sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear" sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear"
@ -193,10 +206,14 @@ fi
sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache" sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache"
# Rechte & Laravel Cache # Rechte & Laravel Cache
chown -R "$APP_USER":"$APP_GROUP" "$APP_DIR" chown -R "$APP_USER":"$APP_GROUP" "$APP_DIR"
chmod -R u=rwX,g=rwX,o=rX "$APP_DIR" chmod -R u=rwX,g=rwX,o=rX "$APP_DIR"
install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/bootstrap/cache"
sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache" sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache"
relink_and_reload
sudo systemctl restart php*-fpm || true sudo systemctl restart php*-fpm || true

11
scripts/99-summary.sh
View File

@ -67,6 +67,7 @@ UI_LE=$([[ -n "$UI_CERT_TARGET" ]] && is_le "$UI_CERT_TARGET" && echo "LE" || ec
WEBMAIL_LE=$([[ -n "$WEBMAIL_CERT_TARGET" ]] && is_le "$WEBMAIL_CERT_TARGET" && echo "LE" || echo "self-signed/none") WEBMAIL_LE=$([[ -n "$WEBMAIL_CERT_TARGET" ]] && is_le "$WEBMAIL_CERT_TARGET" && echo "LE" || echo "self-signed/none")
MAIL_LE=$([[ -n "$MAIL_CERT_TARGET" ]] && is_le "$MAIL_CERT_TARGET" && echo "LE" || echo "self-signed/none") MAIL_LE=$([[ -n "$MAIL_CERT_TARGET" ]] && is_le "$MAIL_CERT_TARGET" && echo "LE" || echo "self-signed/none")
echo echo
bar bar
printf " %s %s\n" "✔ MailWolt Bootstrap fertig" "" printf " %s %s\n" "✔ MailWolt Bootstrap fertig" ""
@ -80,7 +81,15 @@ printf " %-14s %s\n" "Mail-FQDN:" "${MAIL_HOSTNAME:-$SERVER_PUBLIC_IPV4}"
printf " %-14s %s\n" "BASE_DOMAIN:" "${BASE_DOMAIN}" printf " %-14s %s\n" "BASE_DOMAIN:" "${BASE_DOMAIN}"
printf " %-14s %s\n" "LE-Email:" "${LE_EMAIL}" printf " %-14s %s\n" "LE-Email:" "${LE_EMAIL}"
printf " %-14s %s\n" "APP_ENV:" "${APP_ENV}" printf " %-14s %s\n" "APP_ENV:" "${APP_ENV}"
[[ -v PROXY_MODE ]] && printf " %-14s %s\n" "Proxy-Mode:" "$([[ "$PROXY_MODE" = "1" ]] && echo "ja (NPM: ${NPM_IP:-unbekannt})" || echo "nein")"printf " %-14s %s\n" "Server IPv4:" "${SERVER_PUBLIC_IPV4}" if [[ -n "${PROXY_MODE:-}" ]]; then
if [[ "$PROXY_MODE" = "1" ]]; then
printf " %-14s %s\n" "Proxy-Mode:" "ja (NPM: ${NPM_IP:-unbekannt})"
elif [[ "$PROXY_MODE" = "dev" ]]; then
printf " %-14s %s\n" "Proxy-Mode:" "Entwicklungsmodus"
else
printf " %-14s %s\n" "Proxy-Mode:" "nein"
fi
fi
printf " %-14s %s\n" "Server IPv6:" "${SERVER_PUBLIC_IPV6:-}" printf " %-14s %s\n" "Server IPv6:" "${SERVER_PUBLIC_IPV6:-}"
printf " %-14s %s\n" "ACME Webroot:" "${ACME_WEBROOT}" printf " %-14s %s\n" "ACME Webroot:" "${ACME_WEBROOT}"