Dovecot Systax Problem

scripts/80-app.sh

@@ -2,6 +2,50 @@
 set -euo pipefail
 source ./lib.sh
 
+# --- Helper: sicherer Frontend-Build als APP_USER ---------------------------
+safe_frontend_build() {
+  echo "[i] Frontend build …"
+
+  # Verzeichnisse & Rechte vorbereiten (Gruppen-sticky & ACL)
+  install -d -m 2775 -o "$APP_USER" -g "$APP_GROUP" \
+    "${APP_DIR}/public/build" "${APP_DIR}/node_modules" "${APP_DIR}/.npm-cache"
+
+  chown -R "$APP_USER":"$APP_GROUP" "${APP_DIR}"
+  find "${APP_DIR}" -type d -exec chmod 2775 {} \;
+  find "${APP_DIR}" -type f -exec chmod 664 {} \;
+  setfacl -R  -m g:"$APP_GROUP":rwX -m d:g:"$APP_GROUP":rwX "${APP_DIR}" || true
+
+  # Vite-/Build-Reste bereinigen (falls mal root dort gebaut hat)
+  rm -rf "${APP_DIR}/node_modules/.vite" "${APP_DIR}/public/build/"* 2>/dev/null || true
+
+  # npm auf projektlokales Cache konfigurieren
+  sudo -u "$APP_USER" -H bash -lc "cat > ~/.npmrc <<'RC'
+fund=false
+audit=false
+prefer-offline=true
+cache=${APP_DIR}/.npm-cache
+RC"
+
+  # Node ggf. installieren
+  if ! command -v node >/dev/null 2>&1; then
+    curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
+    apt-get install -y nodejs
+  fi
+
+  # Dependencies + Build (als App-User)
+  if sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install --no-audit --no-fund) && npm run build"; then
+    return 0
+  fi
+
+  echo "[!] Build fehlgeschlagen – Rechtefix + Clean + Retry …"
+  rm -rf "${APP_DIR}/node_modules/.vite" "${APP_DIR}/public/build/"* 2>/dev/null || true
+  chown -R "$APP_USER":"$APP_GROUP" "${APP_DIR}"
+  find "${APP_DIR}" -type d -exec chmod 2775 {} \;
+  find "${APP_DIR}" -type f -exec chmod 664 {} \;
+
+  sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && npm run build"
+}
+
 relink_and_reload() {
   if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
     run-parts /etc/letsencrypt/renewal-hooks/deploy || true
@@ -247,20 +291,22 @@ sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan dns:tlsa:refresh |
 
 # --- Build Frontend (nur wenn nötig) ----------------------------------------
 if [[ -f "${APP_DIR}/package.json" && ! -f "${APP_DIR}/public/build/manifest.json" ]]; then
-  if ! command -v node >/dev/null 2>&1; then
+  safe_frontend_build
-    curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
-    apt-get install -y nodejs
-  fi
-  sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install)"
-  sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm run build || npx --yes vite build)"
 fi
 
 # --- Abschluss: Caches + Rechte + Reloads -----------------------------------
-sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache  && php artisan optimize:clear"
+sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache && php artisan optimize:clear"
 
+# Konsistente Rechte/ACL für das gesamte App-Verzeichnis
 chown -R "$APP_USER":"$APP_GROUP" "$APP_DIR"
-chmod -R u=rwX,g=rwX,o=rX "$APP_DIR"
+find "$APP_DIR" -type d -exec chmod 2775 {} \;
-install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/bootstrap/cache"
+find "$APP_DIR" -type f -exec chmod 664 {} \;
+setfacl -R  -m g:"$APP_GROUP":rwX -m d:g:"$APP_GROUP":rwX "$APP_DIR" || true
 
-#relink_and_reload
+# Laravel-Write-Dirs sicherstellen (mit setgid & ACL)
-#systemctl restart php*-fpm || true
+install -d -m 2775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/bootstrap/cache"
+chgrp -R www-data "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" || true
+find "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" -type d -exec chmod 2775 {} \; || true
+find "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" -type f -exec chmod 0664 {} \; || true
+setfacl -R  -m u:www-data:rwx,u:${APP_USER}:rwx "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" || true
+setfacl -dR -m u:www-data:rwx,u:${APP_USER}:rwx "$APP_DIR/storage" "$APP_DIR/bootstrap/cache" || true

scripts/update.sh

@@ -7,6 +7,9 @@ APP_DIR="${APP_DIR:-/var/www/mailwolt}"
 BRANCH="${BRANCH:-main}"             # nur relevant bei UPDATE_MODE=branch
 MODE="${UPDATE_MODE:-tags}"          # tags | branch
 ALLOW_DIRTY="${ALLOW_DIRTY:-0}"      # 1 = Dirty-Working-Tree zulassen
+export CI=1
+export NPM_CONFIG_FUND=false
+export NPM_CONFIG_AUDIT=false
 
 # -------- Helper --------
 as_app(){ sudo -u "$APP_USER" -H bash -lc "$*"; }
@@ -137,10 +140,30 @@ if [[ $NEED_PHP_RESTART -eq 1 || $NEED_COMPOSER -eq 1 || $NEED_MIGRATIONS -eq 1
   as_app "cd ${APP_DIR} && php artisan optimize:clear || true"
 fi
 
+#if [[ $NEED_FRONTEND -eq 1 ]]; then
+#  echo "[i] Frontend build …"
+#  as_app "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install)"
+#  as_app "cd ${APP_DIR} && npm run build"
+#fi
+
+# -------- Frontend build (hardened) --------
 if [[ $NEED_FRONTEND -eq 1 ]]; then
-  echo "[i] Frontend build …"
+  echo "[i] Frontend build (vite) …"
-  as_app "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install)"
+
-  as_app "cd ${APP_DIR} && npm run build"
+  # Preflight: Schreibrechte sicherstellen
+  as_app "mkdir -p ${APP_DIR}/public/build ${APP_DIR}/node_modules ${APP_DIR}/.vite"
+  chown -R "$APP_USER":"$APP_GROUP" "${APP_DIR}/public/build" "${APP_DIR}/node_modules" "${APP_DIR}/.vite" || true
+  chmod -R g+rwX "${APP_DIR}/public/build" "${APP_DIR}/node_modules" "${APP_DIR}/.vite" || true
+
+  # Nicht-interaktive / leise npm-Runs
+  NPM_ENV="CI=1 NPM_CONFIG_FUND=false NPM_CONFIG_AUDIT=false npm_config_loglevel=warn"
+
+  echo "[i] npm ci …"
+  as_app "cd ${APP_DIR} && ${NPM_ENV} npm ci --no-audit --no-fund --loglevel=warn --no-progress || \
+                          ${NPM_ENV} npm install --no-audit --no-fund --loglevel=warn --no-progress"
+
+  echo "[i] npm run build …"
+  as_app "cd ${APP_DIR} && ${NPM_ENV} npm run build --silent --loglevel=warn"
 fi
 
 # -------- Dienste nur wenn nötig --------