From 3c6185e291214ef17a2a4f4b9e9c91deb09a92b6 Mon Sep 17 00:00:00 2001
From: boksbc
Date: Thu, 16 Oct 2025 23:00:39 +0200
Subject: [PATCH] Laudende Default seite entfernen

---
 scripts/21-le-deploy-hook.sh | 75 ++++++++++++++++++++++++++----------
 1 file changed, 55 insertions(+), 20 deletions(-)

diff --git a/scripts/21-le-deploy-hook.sh b/scripts/21-le-deploy-hook.sh
index 4417bc2..a62aaa6 100644
--- a/scripts/21-le-deploy-hook.sh
+++ b/scripts/21-le-deploy-hook.sh
@@ -2,8 +2,29 @@
 set -euo pipefail
 source ./lib.sh
-install -d /etc/letsencrypt/renewal-hooks/deploy
+# -----------------------------------------------------------------------------
+# 21-le-deploy-hook.sh
+# - Legt /etc/mailwolt/installer.env (falls fehlt) an
+# - Erzeugt LE-Deploy-Hooks:
+# * 50-mailwolt-symlinks.sh → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
+# * 60-mailwolt-tlsa.sh → schreibt TLSA (3 1 1) für MX nach jedem Renew
+# -----------------------------------------------------------------------------
+# 1) Sicherstellen, dass die Hosts persistent verfügbar sind
+if [[ ! -f /etc/mailwolt/installer.env ]]; then
+ install -d -m 0755 /etc/mailwolt
+ cat >/etc/mailwolt/installer.env </etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
 #!/usr/bin/env bash
 set -euo pipefail
@@ -30,7 +51,7 @@ link_if() {
 local le_base="$1" target_dir="$2"
 local cert="${le_base}/fullchain.pem"
 local key="${le_base}/privkey.pem"
- if [ -f "$cert" ] && [ -f "$key" ]; then
+ if [[ -f "$cert" && -f "$key" ]]; then
 install -d -m 0755 "$target_dir"
 ln -sf "$cert" "${target_dir}/fullchain.pem"
 ln -sf "$key" "${target_dir}/privkey.pem"
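Review bot: The new `cat >/etc/mailwolt/installer.env` creates the file with whatever mode the root umask happens to yield (commonly 0644), yet the 60-mailwolt-tlsa.sh hook added further down in this patch sources that same file as root on every renewal, so its owner and mode are part of the trust boundary; create it explicitly first with `install -m 0640 -o root -g root /dev/null /etc/mailwolt/installer.env` (or run the heredoc under `umask 027`) so the result does not depend on the caller's umask. The heredoc body and the closing `fi` of the `if [[ ! -f ... ]]` block are not visible here — the extraction dropped the lines between the `cat >` and the `50-mailwolt-symlinks.sh` heredoc — so whether the file carries anything more sensitive than hostnames cannot be judged from this hunk. Because the block only runs when the file is missing, an existing file is presumably never refreshed when the installer's values change; a one-line comment stating that, e.g. `# write-once: edit /etc/mailwolt/installer.env by hand to change the hosts`, would spare the next reader a surprise.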
@@ -39,38 +60,52 @@ link_if() {
 }
 # Nur linken, wenn Hostnamen vorhanden sind
-[ -n "$UI_HOST" ] && link_if "$UI_LE" "$UI_SSL_DIR"
-[ -n "$WEBMAIL_HOST" ] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
-[ -n "$MX_HOST" ] && link_if "$MX_LE" "$MAIL_SSL_DIR"
+[[ -n "$UI_HOST" ]] && link_if "$UI_LE" "$UI_SSL_DIR"
+[[ -n "$WEBMAIL_HOST" ]] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
+[[ -n "$MX_HOST" ]] && link_if "$MX_LE" "$MAIL_SSL_DIR"
-# Dienste neu laden
+# sinnvolle Rechte (Key nur für root lesbar, Chain world-readable)
+chmod 640 "${UI_SSL_DIR}/privkey.pem" 2>/dev/null || true
+chmod 640 "${WEBMAIL_SSL_DIR}/privkey.pem" 2>/dev/null || true
+chmod 640 "${MAIL_SSL_DIR}/privkey.pem" 2>/dev/null || true
+chmod 644 "${UI_SSL_DIR}/fullchain.pem" 2>/dev/null || true
+chmod 644 "${WEBMAIL_SSL_DIR}/fullchain.pem" 2>/dev/null || true
+chmod 644 "${MAIL_SSL_DIR}/fullchain.pem" 2>/dev/null || true
+
+# Nur Nginx neu laden – Postfix/Dovecot startet später im Installer
 systemctl reload nginx || true
-systemctl reload postfix dovecot || true
 HOOK
-
 chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
-# --- 60: TLSA-Hook (bei jedem Renew für MX neu berechnen – falls Key doch rotiert) ---
-cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh </etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
 #!/usr/bin/env bash
 set -euo pipefail
-MX_HOST="${MAIL_HOSTNAME}"
-# Nur reagieren, wenn das MX-Zert erneuert wurde
-case " \${RENEWED_DOMAINS:-} " in
- *" \${MX_HOST} "*) ;;
+# MAIL_HOSTNAME kommt von certbot via Environment nicht automatisch,
+# daher direkt aus installer.env lesen, falls gesetzt.
+set +u
+[ -r /etc/mailwolt/installer.env ] && . 
/etc/mailwolt/installer.env
+set -u
+MX_HOST="${MAIL_HOSTNAME:-}"
+
+[[ -n "$MX_HOST" ]] || exit 0
+
+# Nur reagieren, wenn das MX-Zert in diesem Run drin war
+case " ${RENEWED_DOMAINS:-} " in
+ *" ${MX_HOST} "*) ;; # ok
 *) exit 0 ;;
 esac
-CERT="\${RENEWED_LINEAGE}/fullchain.pem"
-if [[ -s "\$CERT" ]]; then
- HASH="\$(openssl x509 -in "\$CERT" -noout -pubkey \
+CERT="${RENEWED_LINEAGE}/fullchain.pem"
+if [[ -s "$CERT" ]]; then
+ HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
 | openssl pkey -pubin -outform DER \
 | openssl dgst -sha256 | sed 's/^.*= //')"
- TLSA_LINE="_25._tcp.\${MX_HOST}. IN TLSA 3 1 1 \${HASH}"
+ TLSA_LINE="_25._tcp.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
 install -d -m 0755 /etc/mailwolt/dns
- echo "\${TLSA_LINE}" > "/etc/mailwolt/dns/\${MX_HOST}.tlsa.txt"
- echo "[TLSA] \${TLSA_LINE}"
+ echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MX_HOST}.tlsa.txt"
+ echo "[TLSA] ${TLSA_LINE}"
 fi
 HOOK
 chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
\ No newline at end of file
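Review bot: Dropping `systemctl reload postfix dovecot` from 50-mailwolt-symlinks.sh affects every certbot renewal, not just the installer's first run, because this file is a deploy hook: after a renewal the symlinks point at the new key pair but Dovecot (and Postfix, to the extent its running processes hold the previously loaded certificate) keep serving the old one until something else restarts them, and the new comment "startet später im Installer" only describes the first run. If the concern is that the services are not installed yet at that point, make the reload conditional instead of removing it: `for svc in postfix dovecot; do systemctl is-active --quiet "$svc" && systemctl reload "$svc" || true; done`. In 60-mailwolt-tlsa.sh, `. /etc/mailwolt/installer.env` executes that file as root on every renewal, so it is worth either verifying it is root-owned and not group/world-writable before sourcing, or extracting only `MAIL_HOSTNAME` from it rather than sourcing the whole file; the 50-mailwolt-symlinks.sh heredoc these lines belong to opens before this hunk. Note also that `chmod 640 "${UI_SSL_DIR}/privkey.pem"` follows the `ln -sf` symlink and therefore changes the mode of certbot's archived key itself, which may be intended but deserves a comment such as `# chmod follows the symlink: this adjusts the key under /etc/letsencrypt, not a copy`.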