From 977e1d756632439277b49363df5dd3ff00c17de5 Mon Sep 17 00:00:00 2001 From: boksbc Date: Mon, 27 Oct 2025 01:43:29 +0100 Subject: [PATCH] Dovecot Systax Problem --- scripts/80-app.sh | 2 +- scripts/88-update-wrapper.sh | 1 - scripts/95-woltguard.bak.sh | 491 ++++++++++++++++++++++++++++++++++ scripts/95-woltguard.sh | 492 ++++++++--------------------------- scripts/bootstrap.sh | 3 + 5 files changed, 606 insertions(+), 383 deletions(-) create mode 100644 scripts/95-woltguard.bak.sh diff --git a/scripts/80-app.sh b/scripts/80-app.sh index 5b6f655..0e1ad33 100644 --- a/scripts/80-app.sh +++ b/scripts/80-app.sh @@ -183,7 +183,7 @@ upsert_env SESSION_SAMESITE "lax" upsert_env REDIS_CLIENT "phpredis" upsert_env REDIS_HOST "127.0.0.1" upsert_env REDIS_PORT "6379" -upsert_env REDIS_PASSWORD "${REDIS_PASS}" +upsert_env REDIS_PASS "${REDIS_PASS}" upsert_env REDIS_DB "0" upsert_env REDIS_CACHE_DB "1" upsert_env REDIS_CACHE_CONNECTION "cache" diff --git a/scripts/88-update-wrapper.sh b/scripts/88-update-wrapper.sh index 4a2b1f2..19db17b 100644 --- a/scripts/88-update-wrapper.sh +++ b/scripts/88-update-wrapper.sh @@ -129,7 +129,6 @@ Defaults!/usr/bin/systemctl !requiretty Cmnd_Alias MW_SERVICES = \ /usr/bin/systemctl reload nginx.service, \ /usr/bin/systemctl try-reload-or-restart nginx.service, \ - /usr/bin/systemctl restart php8.3-fpm.service, \ /usr/bin/systemctl try-reload-or-restart postfix.service, \ /usr/bin/systemctl try-reload-or-restart dovecot.service, \ /usr/bin/systemctl try-reload-or-restart rspamd.service, \ diff --git a/scripts/95-woltguard.bak.sh b/scripts/95-woltguard.bak.sh new file mode 100644 index 0000000..d727918 --- /dev/null +++ b/scripts/95-woltguard.bak.sh @@ -0,0 +1,491 @@ +#!/usr/bin/env bash +set -euo pipefail +source ./lib.sh + +log "WoltGuard (Monit + Self-Heal) einrichten …" + +# ───────────────────────────────────────────────────────────── +# Env nur nachladen, wenn Flags nicht bereits exportiert sind +# ───────────────────────────────────────────────────────────── +INSTALLER_ENV="/etc/mailwolt/installer.env" +: "${CLAMAV_ENABLE:=}" ; : "${OPENDMARC_ENABLE:=}" ; : "${FAIL2BAN_ENABLE:=}" +if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then + # shellcheck disable=SC1090 + . "$INSTALLER_ENV" +fi +CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}" +OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}" +FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" + +# ───────────────────────────────────────────────────────────── +# Monit installieren & aktivieren +# ───────────────────────────────────────────────────────────── +command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; } +systemctl enable --now monit + +# ───────────────────────────────────────────────────────────── +# Helper-Skripte (laufen später eigenständig → Env selbst laden) +# ───────────────────────────────────────────────────────────── +install -d -m 0755 /usr/local/sbin + +# Redis-Ping (nimmt REDIS_PASSWORD aus installer.env oder .env) +cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH' +#!/usr/bin/env bash +set -euo pipefail + +INSTALLER_ENV="/etc/mailwolt/installer.env" +APP_ENV="/var/www/mailwolt/.env" + +# Defaults +REDIS_HOST="${REDIS_HOST:-127.0.0.1}" +REDIS_PORT="${REDIS_PORT:-6379}" +REDIS_PASSWORD="${REDIS_PASSWORD:-}" +REDIS_PASS="${REDIS_PASS:-}" # Legacy + +# Installer-Env (falls vorhanden) +[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" || true + +# Falls .env existiert: Werte ergänzen, die noch leer sind +if [[ -r "$APP_ENV" ]]; then + [[ -z "${REDIS_HOST}" ]] && REDIS_HOST="$(grep -m1 -E '^REDIS_HOST=' "$APP_ENV" | cut -d= -f2- || true)" + [[ -z "${REDIS_PORT}" ]] && REDIS_PORT="$(grep -m1 -E '^REDIS_PORT=' "$APP_ENV" | cut -d= -f2- || true)" + [[ -z "${REDIS_PASSWORD}" ]] && REDIS_PASSWORD="$(grep -m1 -E '^REDIS_PASSWORD=' "$APP_ENV" | cut -d= -f2- || true)" +fi + +# Legacy-Fallback: wenn PASSWORD leer, aber PASS gesetzt → übernehmen +[[ -z "${REDIS_PASSWORD}" && -n "${REDIS_PASS}" ]] && REDIS_PASSWORD="$REDIS_PASS" + +# Quotes strippen +strip(){ printf '%s' "$1" | sed -E 's/^"(.*)"$/\1/; s/^'\''(.*)'\''$/\1/'; } +REDIS_HOST="$(strip "${REDIS_HOST:-}")" +REDIS_PORT="$(strip "${REDIS_PORT:-}")" +REDIS_PASSWORD="$(strip "${REDIS_PASSWORD:-}")" + +# redis-cli muss vorhanden sein +command -v redis-cli >/dev/null 2>&1 || exit 1 + +BASE=(timeout 2 redis-cli --no-auth-warning --raw -h "$REDIS_HOST" -p "$REDIS_PORT") +if [[ -n "$REDIS_PASSWORD" ]]; then + CMD=("${BASE[@]}" -a "$REDIS_PASSWORD" ping) +else + CMD=("${BASE[@]}" ping) +fi + +# Erfolgreich nur bei exakt "PONG" +[[ "$("${CMD[@]}" 2>/dev/null || true)" == "PONG" ]] +EOSH +chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh + +# Rspamd-Heal (setzt Laufzeitverzeichnis, leert alte Socke, restarts rspamd) +cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH' +#!/usr/bin/env bash +set -euo pipefail + +INSTALLER_ENV="/etc/mailwolt/installer.env" +APP_ENV="/var/www/mailwolt/.env" + +REDIS_HOST="${REDIS_HOST:-127.0.0.1}" +REDIS_PORT="${REDIS_PORT:-6379}" +REDIS_PASSWORD="${REDIS_PASSWORD:-}" + +[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" +if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then + REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)" +fi + +# Rspamd Runtime fixen +install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true +[[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true + +# Neustart +systemctl restart rspamd + +# Mini-Healthcheck +sleep 2 +ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar" + +exit 0 +EOSH +chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh + +# ───────────────────────────────────────────────────────────── +# WoltGuard Wrapper + Unit +# ───────────────────────────────────────────────────────────── +cat >/usr/local/bin/woltguard <<'EOSH' +#!/usr/bin/env bash +set -euo pipefail +case "${1:-status}" in + start) systemctl enable --now monit ;; + stop) systemctl stop monit ;; + status) monit summary || systemctl status monit || true ;; + heal) monit reload || true; sleep 1; monit restart all || true ;; + monitor) monit monitor all || true ;; + unmonitor) monit unmonitor all || true ;; + *) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;; +esac +EOSH +chmod 0755 /usr/local/bin/woltguard + +cat >/etc/systemd/system/woltguard.service <<'EOF' +[Unit] +Description=WoltGuard – Self-Healing Monitor for MailWolt +After=network.target +[Service] +Type=oneshot +ExecStart=/usr/local/bin/woltguard start +ExecStop=/usr/local/bin/woltguard stop +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target +EOF +systemctl daemon-reload +systemctl enable --now woltguard + +# ───────────────────────────────────────────────────────────── +# Monit Basis + includes +# ───────────────────────────────────────────────────────────── +sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true +grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc +install -d -m 0755 /etc/monit/conf.d + +# ───────────────────────────────────────────────────────────── +# Monit Checks +# ───────────────────────────────────────────────────────────── +# 10 – Redis zuerst (abhängig für rspamd) +cat >/etc/monit/conf.d/10-redis.conf <<'EOF' +check process redis with pidfile /run/redis/redis-server.pid + start program = "/bin/systemctl start redis-server" + stop program = "/bin/systemctl stop redis-server" + if failed host 127.0.0.1 port 6379 for 2 cycles then restart + if 5 restarts within 5 cycles then alert + +check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh" + if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server" +EOF + +# 20 – Rspamd (hängt von Redis ab), robust über process-matching +cat >/etc/monit/conf.d/20-rspamd.conf <<'EOF' +check process rspamd matching "/usr/bin/rspamd" + start program = "/bin/systemctl start rspamd" + stop program = "/bin/systemctl stop rspamd" + depends on redis + if failed host 127.0.0.1 port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" + if failed host 127.0.0.1 port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" + if 5 restarts within 5 cycles then alert +EOF + +# 30 – Maildienste +cat >/etc/monit/conf.d/30-postfix.conf <<'EOF' +check process postfix with pidfile /var/spool/postfix/pid/master.pid + start program = "/bin/systemctl start postfix" + stop program = "/bin/systemctl stop postfix" + if failed port 25 protocol smtp then restart + if failed port 465 type tcpssl then restart + if failed port 587 type tcp then restart + if 5 restarts within 5 cycles then alert +EOF + +cat >/etc/monit/conf.d/30-dovecot.conf <<'EOF' +check process dovecot with pidfile /run/dovecot/master.pid + start program = "/bin/systemctl start dovecot" + stop program = "/bin/systemctl stop dovecot" + if failed port 993 type tcpssl for 2 cycles then restart + if failed port 24 protocol lmtp for 2 cycles then restart + if 5 restarts within 5 cycles then alert +EOF + +# 40 – Web/PHP +cat >/etc/monit/conf.d/40-nginx.conf <<'EOF' +check process nginx with pidfile /run/nginx.pid + start program = "/bin/systemctl start nginx" + stop program = "/bin/systemctl stop nginx" + if failed port 80 type tcp then restart + if failed port 443 type tcpssl then restart + if 5 restarts within 5 cycles then alert +EOF + +# 50 – DKIM/DMARC +cat >/etc/monit/conf.d/50-opendkim.conf <<'EOF' +check process opendkim with pidfile /run/opendkim/opendkim.pid + start program = "/bin/systemctl start opendkim" + stop program = "/bin/systemctl stop opendkim" + if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart + if 5 restarts within 5 cycles then alert +EOF + +# optional: OpenDMARC +if [[ "$OPENDMARC_ENABLE" = "1" ]]; then + cat >/etc/monit/conf.d/55-opendmarc.conf <<'EOF' +check process opendmarc with pidfile /run/opendmarc/opendmarc.pid + start program = "/bin/systemctl start opendmarc" + stop program = "/bin/systemctl stop opendmarc" + if 5 restarts within 5 cycles then alert +EOF +else + rm -f /etc/monit/conf.d/55-opendmarc.conf || true +fi + +# 60 – optional: ClamAV +if [[ "$CLAMAV_ENABLE" = "1" ]]; then + cat >/etc/monit/conf.d/60-clamav.conf <<'EOF' +check process clamd with pidfile /run/clamav/clamd.pid + start program = "/bin/systemctl start clamav-daemon" + stop program = "/bin/systemctl stop clamav-daemon" + if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart + if 5 restarts within 5 cycles then timeout +EOF +else + rm -f /etc/monit/conf.d/60-clamav.conf || true +fi + +# 70 – Fail2Ban (optional, standardmäßig aktiv) +if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then + cat >/etc/monit/conf.d/70-fail2ban.conf <<'EOF' +check process fail2ban with pidfile /run/fail2ban/fail2ban.pid + start program = "/bin/systemctl start fail2ban" + stop program = "/bin/systemctl stop fail2ban" + if 5 restarts within 5 cycles then alert +EOF +else + rm -f /etc/monit/conf.d/70-fail2ban.conf || true +fi +# ───────────────────────────────────────────────────────────── +# Monit neu laden +# ───────────────────────────────────────────────────────────── +monit -t +systemctl reload monit || systemctl restart monit +systemctl status monit --no-pager || true +log "[✓] WoltGuard aktiv." + +##!/usr/bin/env bash +#set -euo pipefail +#source ./lib.sh +# +#log "WoltGuard (Monit + Self-Heal) einrichten …" +# +#set +u +#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env +#set -u +#CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}" +#OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}" +#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" +# +## Pakete sicherstellen +#command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; } +#systemctl enable --now monit +# +## Helper-Skripte +#install -d -m 0755 /usr/local/sbin +#cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH' +##!/usr/bin/env bash +#set -euo pipefail +#PASS="" +#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true +#if command -v redis-cli >/dev/null 2>&1; then +# [[ -n "${REDIS_PASS:-}" ]] \ +# && redis-cli -h 127.0.0.1 -p 6379 -a "$REDIS_PASS" ping | grep -q PONG \ +# || redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG +#else +# exit 1 +#fi +#EOSH +#chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh +# +#cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH' +##!/usr/bin/env bash +#set -euo pipefail +# +#REDIS_HOST="${REDIS_HOST:-127.0.0.1}" +#REDIS_PORT="${REDIS_PORT:-6379}" +#REDIS_PASSWORD="${REDIS_PASSWORD:-}" +# +#INSTALLER_ENV="/etc/mailwolt/installer.env" +#APP_ENV="/var/www/mailwolt/.env" +#REDIS_CLI="$(command -v redis-cli || true)" +#SYSTEMCTL="$(command -v systemctl || true)" +#RSPAMD_SERVICE="rspamd" +# +#if [ -r "$INSTALLER_ENV" ]; then . "$INSTALLER_ENV"; fi +#if [ -z "${REDIS_PASSWORD}" ] && [ -r "$APP_ENV" ]; then +# REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)" +#fi +# +#if [ -n "$REDIS_CLI" ]; then +# echo "[INFO] Prüfe Redis Verbindung..." +# if [ -n "${REDIS_PASSWORD}" ]; then +# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$'; then +# echo "[WARN] Redis antwortet nicht oder Passwort falsch!" +# else +# echo "[OK] Redis antwortet (auth ok)." +# fi +# else +# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$'; then +# echo "[WARN] Redis antwortet nicht (ohne Passwort)." +# else +# echo "[OK] Redis antwortet (kein Passwort)." +# fi +# fi +#else +# echo "[WARN] redis-cli nicht gefunden – überspringe Test." +#fi +# +#echo "[INFO] Prüfe Rspamd Socket & Verzeichnis..." +#install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true +#[ -S /var/lib/rspamd/rspamd.sock ] && rm -f /var/lib/rspamd/rspamd.sock || true +# +#echo "[INFO] Starte Rspamd neu..." +#if [ -n "$SYSTEMCTL" ]; then +# "$SYSTEMCTL" restart "$RSPAMD_SERVICE" +# echo "[OK] Rspamd erfolgreich neu gestartet." +#else +# echo "[ERROR] systemctl nicht gefunden – kein Neustart möglich." +# exit 1 +#fi +# +#echo "[INFO] Healthcheck (Port 11334)..." +#sleep 3 +#if ss -tln | grep -q ':11334'; then +# echo "[OK] Rspamd Controller läuft auf Port 11334." +#else +# echo "[WARN] Rspamd Controller Port 11334 nicht erreichbar." +#fi +# +#echo "[DONE] Mailwolt Rspamd-Heal abgeschlossen." +#exit 0 +#EOSH +#chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh +# +## WoltGuard Wrapper + Unit +#cat >/usr/local/bin/woltguard <<'EOSH' +##!/usr/bin/env bash +#set -euo pipefail +#case "${1:-status}" in +# start) systemctl enable --now monit ;; +# stop) systemctl stop monit ;; +# status) monit summary || systemctl status monit || true ;; +# heal) monit reload || true; sleep 1; monit restart all || true ;; +# monitor) monit monitor all || true ;; +# unmonitor) monit unmonitor all || true ;; +# *) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;; +#esac +#EOSH +#chmod 0755 /usr/local/bin/woltguard +# +#cat >/etc/systemd/system/woltguard.service <<'EOF' +#[Unit] +#Description=WoltGuard – Self-Healing Monitor for MailWolt +#After=network.target +#[Service] +#Type=oneshot +#ExecStart=/usr/local/bin/woltguard start +#ExecStop=/usr/local/bin/woltguard stop +#RemainAfterExit=yes +#[Install] +#WantedBy=multi-user.target +#EOF +#systemctl daemon-reload +#systemctl enable --now woltguard +# +## Monit Basis + include +#sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true +#grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc +#install -d -m 0755 /etc/monit/conf.d +# +## Checks +#cat >/etc/monit/conf.d/postfix.conf <<'EOF' +#check process postfix with pidfile /var/spool/postfix/pid/master.pid +# start program = "/bin/systemctl start postfix" +# stop program = "/bin/systemctl stop postfix" +# if failed port 25 protocol smtp then restart +# if failed port 465 type tcpssl then restart +# if failed port 587 type tcp then restart +# if 5 restarts within 5 cycles then alert +#EOF +# +#cat >/etc/monit/conf.d/dovecot.conf <<'EOF' +#check process dovecot with pidfile /run/dovecot/master.pid +# start program = "/bin/systemctl start dovecot" +# stop program = "/bin/systemctl stop dovecot" +# if failed port 993 type tcpssl for 2 cycles then restart +# if failed port 24 protocol lmtp for 2 cycles then restart +# if 5 restarts within 5 cycles then alert +#EOF +# +#cat >/etc/monit/conf.d/nginx.conf <<'EOF' +#check process nginx with pidfile /run/nginx.pid +# start program = "/bin/systemctl start nginx" +# stop program = "/bin/systemctl stop nginx" +# if failed port 80 type tcp then restart +# if failed port 443 type tcpssl then restart +# if 5 restarts within 5 cycles then alert +#EOF +# +#cat >/etc/monit/conf.d/redis.conf <<'EOF' +#check process redis with pidfile /run/redis/redis-server.pid +# start program = "/bin/systemctl start redis-server" +# stop program = "/bin/systemctl stop redis-server" +# if failed host 127.0.0.1 port 6379 for 2 cycles then restart +# if 5 restarts within 5 cycles then alert +# +#check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh" +# if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server" +#EOF +# +#cat >/etc/monit/conf.d/rspamd.conf <<'EOF' +#check process rspamd with pidfile /run/rspamd/rspamd.pid +# start program = "/bin/systemctl start rspamd" +# stop program = "/bin/systemctl stop rspamd" +# if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" +# if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" +# if 5 restarts within 5 cycles then alert +#EOF +# +#cat >/etc/monit/conf.d/opendkim.conf <<'EOF' +#check process opendkim with pidfile /run/opendkim/opendkim.pid +# start program = "/bin/systemctl start opendkim" +# stop program = "/bin/systemctl stop opendkim" +# if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart +# if 5 restarts within 5 cycles then alert +#EOF +# +## optional: OpenDMARC +#if [[ "$OPENDMARC_ENABLE" = "1" ]]; then +# cat >/etc/monit/conf.d/opendmarc.conf <<'EOF' +#check process opendmarc with pidfile /run/opendmarc/opendmarc.pid +# start program = "/bin/systemctl start opendmarc" +# stop program = "/bin/systemctl stop opendmarc" +# if 5 restarts within 5 cycles then alert +#EOF +#else +# rm -f /etc/monit/conf.d/opendmarc.conf || true +#fi +# +## optional: ClamAV +#if [[ "$CLAMAV_ENABLE" = "1" ]]; then +# cat >/etc/monit/conf.d/clamav.conf <<'EOF' +#check process clamd with pidfile /run/clamav/clamd.pid +# start program = "/bin/systemctl start clamav-daemon" +# stop program = "/bin/systemctl stop clamav-daemon" +# if failed unixsocket /run/clamav/clamd.ctl then restart +# if 5 restarts within 5 cycles then alert +#EOF +#else +# rm -f /etc/monit/conf.d/clamav.conf || true +#fi +# +## optional: Fail2Ban +#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then +# cat >/etc/monit/conf.d/fail2ban.conf <<'EOF' +#check process fail2ban with pidfile /run/fail2ban/fail2ban.pid +# start program = "/bin/systemctl start fail2ban" +# stop program = "/bin/systemctl stop fail2ban" +# if 5 restarts within 5 cycles then alert +#EOF +#else +# rm -f /etc/monit/conf.d/fail2ban.conf || true +#fi +# +#monit -t +#systemctl reload monit || systemctl restart monit +#systemctl status monit --no-pager || true +#log "[✓] WoltGuard aktiv." \ No newline at end of file diff --git a/scripts/95-woltguard.sh b/scripts/95-woltguard.sh index faffe39..1985517 100644 --- a/scripts/95-woltguard.sh +++ b/scripts/95-woltguard.sh @@ -1,167 +1,84 @@ #!/usr/bin/env bash set -euo pipefail -source ./lib.sh -log "WoltGuard (Monit + Self-Heal) einrichten …" - -# ───────────────────────────────────────────────────────────── -# Env nur nachladen, wenn Flags nicht bereits exportiert sind -# ───────────────────────────────────────────────────────────── +# Flags laden (falls vorhanden) INSTALLER_ENV="/etc/mailwolt/installer.env" -: "${CLAMAV_ENABLE:=}" ; : "${OPENDMARC_ENABLE:=}" ; : "${FAIL2BAN_ENABLE:=}" +: "${CLAMAV_ENABLE:=}"; : "${OPENDMARC_ENABLE:=}"; : "${FAIL2BAN_ENABLE:=}"; : "${MONIT_HTTP:=}" if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then - # shellcheck disable=SC1090 . "$INSTALLER_ENV" fi -CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}" -OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}" +CLAMAV_ENABLE="${CLAMAV_ENABLE:-1}" +OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-1}" FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" +MONIT_HTTP="${MONIT_HTTP:-1}" -# ───────────────────────────────────────────────────────────── -# Monit installieren & aktivieren -# ───────────────────────────────────────────────────────────── -command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; } -systemctl enable --now monit +# ── Monit so konfigurieren, dass NUR monitrc.d/* geladen wird ──────────────── +install -d -m 0755 /etc/monit/monitrc.d +# Poll-Intervall (30s) +sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true +# alle alten include-Zeilen raus und monitrc.d setzen +sed -i 's|^#\?\s*include .*$||g' /etc/monit/monitrc +grep -q '^include /etc/monit/monitrc.d/\*' /etc/monit/monitrc \ + || echo 'include /etc/monit/monitrc.d/*' >> /etc/monit/monitrc -# ───────────────────────────────────────────────────────────── -# Helper-Skripte (laufen später eigenständig → Env selbst laden) -# ───────────────────────────────────────────────────────────── +# Optional: HTTP-UI nur einschalten, wenn explizit gewünscht +if [[ "$MONIT_HTTP" = "1" ]]; then + grep -q '^set httpd port 2812' /etc/monit/monitrc || cat >>/etc/monit/monitrc <<'HTTP' +set httpd port 2812 and + use address localhost + allow localhost +HTTP +fi + +# ── Helper-Skripte ────────────────────────────────────────────────────────── install -d -m 0755 /usr/local/sbin -# Redis-Ping (nimmt REDIS_PASSWORD aus installer.env oder .env) +# Redis-Ping (Password: REDIS_PASSWORD aus installer.env oder .env) cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH' #!/usr/bin/env bash set -euo pipefail - INSTALLER_ENV="/etc/mailwolt/installer.env" APP_ENV="/var/www/mailwolt/.env" - REDIS_HOST="${REDIS_HOST:-127.0.0.1}" REDIS_PORT="${REDIS_PORT:-6379}" REDIS_PASSWORD="${REDIS_PASSWORD:-}" +REDIS_PASS="${REDIS_PASS:-}" -# Env-Fallbacks -[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" -if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then - REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)" +[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" || true +if [[ -r "$APP_ENV" ]]; then + [[ -z "${REDIS_HOST}" ]] && REDIS_HOST="$(grep -m1 '^REDIS_HOST=' "$APP_ENV" | cut -d= -f2- || true)" + [[ -z "${REDIS_PORT}" ]] && REDIS_PORT="$(grep -m1 '^REDIS_PORT=' "$APP_ENV" | cut -d= -f2- || true)" + [[ -z "${REDIS_PASSWORD}" ]] && REDIS_PASSWORD="$(grep -m1 '^REDIS_PASSWORD=' "$APP_ENV" | cut -d= -f2- || true)" fi +[[ -z "${REDIS_PASSWORD}" && -n "${REDIS_PASS}" ]] && REDIS_PASSWORD="$REDIS_PASS" -if ! command -v redis-cli >/dev/null 2>&1; then - exit 1 -fi +strip(){ printf '%s' "$1" | sed -E 's/^"(.*)"$/\1/; s/^'"'"'(.*)'"'"'$/\1/'; } +REDIS_HOST="$(strip "${REDIS_HOST:-}")" +REDIS_PORT="$(strip "${REDIS_PORT:-}")" +REDIS_PASSWORD="$(strip "${REDIS_PASSWORD:-}")" -if [[ -n "${REDIS_PASSWORD}" ]]; then - redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$' -else - redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$' -fi +command -v redis-cli >/dev/null 2>&1 || exit 1 +BASE=(timeout 2 redis-cli --no-auth-warning --raw -h "$REDIS_HOST" -p "$REDIS_PORT") +[[ -n "$REDIS_PASSWORD" ]] && CMD=("${BASE[@]}" -a "$REDIS_PASSWORD" ping) || CMD=("${BASE[@]}" ping) +[[ "$("${CMD[@]}" 2>/dev/null || true)" == "PONG" ]] EOSH chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh -# Rspamd-Heal (setzt Laufzeitverzeichnis, leert alte Socke, restarts rspamd) +# Rspamd-Heal (Socke aufräumen, restart, Mini-Port-Check) cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH' #!/usr/bin/env bash set -euo pipefail - -INSTALLER_ENV="/etc/mailwolt/installer.env" -APP_ENV="/var/www/mailwolt/.env" - -REDIS_HOST="${REDIS_HOST:-127.0.0.1}" -REDIS_PORT="${REDIS_PORT:-6379}" -REDIS_PASSWORD="${REDIS_PASSWORD:-}" - -[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" -if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then - REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)" -fi - -# Rspamd Runtime fixen install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true [[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true - -# Neustart systemctl restart rspamd - -# Mini-Healthcheck sleep 2 ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar" - -exit 0 EOSH chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh -# ───────────────────────────────────────────────────────────── -# WoltGuard Wrapper + Unit -# ───────────────────────────────────────────────────────────── -cat >/usr/local/bin/woltguard <<'EOSH' -#!/usr/bin/env bash -set -euo pipefail -case "${1:-status}" in - start) systemctl enable --now monit ;; - stop) systemctl stop monit ;; - status) monit summary || systemctl status monit || true ;; - heal) monit reload || true; sleep 1; monit restart all || true ;; - monitor) monit monitor all || true ;; - unmonitor) monit unmonitor all || true ;; - *) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;; -esac -EOSH -chmod 0755 /usr/local/bin/woltguard - -cat >/etc/systemd/system/woltguard.service <<'EOF' -[Unit] -Description=WoltGuard – Self-Healing Monitor for MailWolt -After=network.target -[Service] -Type=oneshot -ExecStart=/usr/local/bin/woltguard start -ExecStop=/usr/local/bin/woltguard stop -RemainAfterExit=yes -[Install] -WantedBy=multi-user.target -EOF -systemctl daemon-reload -systemctl enable --now woltguard - -# ───────────────────────────────────────────────────────────── -# Monit Basis + includes -# ───────────────────────────────────────────────────────────── -sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true -grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc -install -d -m 0755 /etc/monit/conf.d - -# ───────────────────────────────────────────────────────────── -# Monit Checks -# ───────────────────────────────────────────────────────────── -cat >/etc/monit/conf.d/postfix.conf <<'EOF' -check process postfix with pidfile /var/spool/postfix/pid/master.pid - start program = "/bin/systemctl start postfix" - stop program = "/bin/systemctl stop postfix" - if failed port 25 protocol smtp then restart - if failed port 465 type tcpssl then restart - if failed port 587 type tcp then restart - if 5 restarts within 5 cycles then alert -EOF - -cat >/etc/monit/conf.d/dovecot.conf <<'EOF' -check process dovecot with pidfile /run/dovecot/master.pid - start program = "/bin/systemctl start dovecot" - stop program = "/bin/systemctl stop dovecot" - if failed port 993 type tcpssl for 2 cycles then restart - if failed port 24 protocol lmtp for 2 cycles then restart - if 5 restarts within 5 cycles then alert -EOF - -cat >/etc/monit/conf.d/nginx.conf <<'EOF' -check process nginx with pidfile /run/nginx.pid - start program = "/bin/systemctl start nginx" - stop program = "/bin/systemctl stop nginx" - if failed port 80 type tcp then restart - if failed port 443 type tcpssl then restart - if 5 restarts within 5 cycles then alert -EOF - -cat >/etc/monit/conf.d/redis.conf <<'EOF' +# ── Monit-Checks (nummeriert) ─────────────────────────────────────────────── +# 10 – Redis +cat >/etc/monit/monitrc.d/10-redis.conf <<'EOF' check process redis with pidfile /run/redis/redis-server.pid start program = "/bin/systemctl start redis-server" stop program = "/bin/systemctl stop redis-server" @@ -172,285 +89,98 @@ check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh" if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server" EOF -cat >/etc/monit/conf.d/rspamd.conf <<'EOF' -check process rspamd with pidfile /run/rspamd/rspamd.pid - start program = "/bin/systemctl start rspamd" - stop program = "/bin/systemctl stop rspamd" - if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" - if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" +# 20 – Rspamd (robust via process-matching + Heal) +cat >/etc/monit/monitrc.d/20-rspamd.conf <<'EOF' +check process rspamd matching "/usr/bin/rspamd" + start program = "/bin/systemctl start rspamd" with timeout 120 seconds + stop program = "/bin/systemctl stop rspamd" + depends on redis + if failed host 127.0.0.1 port 11333 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" + if failed host 127.0.0.1 port 11334 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" + if does not exist for 2 cycles then restart + if 5 restarts within 10 cycles then unmonitor +EOF + +# 30 – Postfix +cat >/etc/monit/monitrc.d/30-postfix.conf <<'EOF' +check process postfix with pidfile /var/spool/postfix/pid/master.pid + start program = "/bin/systemctl start postfix" + stop program = "/bin/systemctl stop postfix" + if failed port 25 protocol smtp then restart + if failed port 465 type tcpssl then restart + if failed port 587 type tcp then restart if 5 restarts within 5 cycles then alert EOF -cat >/etc/monit/conf.d/opendkim.conf <<'EOF' +# 30 – Dovecot (IMAPS; LMTP oft Unix-Socket → kein TCP-Fehlalarm) +cat >/etc/monit/monitrc.d/30-dovecot.conf <<'EOF' +check process dovecot with pidfile /run/dovecot/master.pid + start program = "/bin/systemctl start dovecot" + stop program = "/bin/systemctl stop dovecot" + if failed port 993 type tcpssl for 3 cycles then restart + if 5 restarts within 10 cycles then alert +EOF + +# 40 – Nginx +cat >/etc/monit/monitrc.d/40-nginx.conf <<'EOF' +check process nginx with pidfile /run/nginx.pid + start program = "/bin/systemctl start nginx" + stop program = "/bin/systemctl stop nginx" + if failed port 80 type tcp then restart + if failed port 443 type tcpssl then restart + if 5 restarts within 5 cycles then alert +EOF + +# 50 – OpenDKIM +cat >/etc/monit/monitrc.d/50-opendkim.conf <<'EOF' check process opendkim with pidfile /run/opendkim/opendkim.pid start program = "/bin/systemctl start opendkim" - stop program = "/bin/systemctl stop opendkim" + stop program = "/bin/systemctl stop opendkim" if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart if 5 restarts within 5 cycles then alert EOF -# optional: OpenDMARC +# 55 – OpenDMARC (optional) if [[ "$OPENDMARC_ENABLE" = "1" ]]; then - cat >/etc/monit/conf.d/opendmarc.conf <<'EOF' + cat >/etc/monit/monitrc.d/55-opendmarc.conf <<'EOF' check process opendmarc with pidfile /run/opendmarc/opendmarc.pid start program = "/bin/systemctl start opendmarc" - stop program = "/bin/systemctl stop opendmarc" + stop program = "/bin/systemctl stop opendmarc" if 5 restarts within 5 cycles then alert EOF else - rm -f /etc/monit/conf.d/opendmarc.conf || true + rm -f /etc/monit/monitrc.d/55-opendmarc.conf || true fi -# optional: ClamAV +# 60 – ClamAV (über Socket) if [[ "$CLAMAV_ENABLE" = "1" ]]; then - cat >/etc/monit/conf.d/clamav.conf <<'EOF' -check process clamd with pidfile /run/clamav/clamd.pid + cat >/etc/monit/monitrc.d/60-clamav.conf <<'EOF' +check process clamd matching "clamd" start program = "/bin/systemctl start clamav-daemon" - stop program = "/bin/systemctl stop clamav-daemon" - if failed unixsocket /run/clamav/clamd.ctl then restart + stop program = "/bin/systemctl stop clamav-daemon" + if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart + if 5 restarts within 10 cycles then unmonitor +EOF +else + rm -f /etc/monit/monitrc.d/60-clamav.conf || true +fi + +# 70 – Fail2Ban (optional) +if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then + cat >/etc/monit/monitrc.d/70-fail2ban.conf <<'EOF' +check process fail2ban with pidfile /run/fail2ban/fail2ban.pid + start program = "/bin/systemctl start fail2ban" + stop program = "/bin/systemctl stop fail2ban" if 5 restarts within 5 cycles then alert EOF else - rm -f /etc/monit/conf.d/clamav.conf || true + rm -f /etc/monit/monitrc.d/70-fail2ban.conf || true fi -# ───────────────────────────────────────────────────────────── -# Monit neu laden -# ───────────────────────────────────────────────────────────── +# ── Monit neu laden ───────────────────────────────────────────────────────── monit -t systemctl reload monit || systemctl restart monit -systemctl status monit --no-pager || true -log "[✓] WoltGuard aktiv." -##!/usr/bin/env bash -#set -euo pipefail -#source ./lib.sh -# -#log "WoltGuard (Monit + Self-Heal) einrichten …" -# -#set +u -#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env -#set -u -#CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}" -#OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}" -#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" -# -## Pakete sicherstellen -#command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; } -#systemctl enable --now monit -# -## Helper-Skripte -#install -d -m 0755 /usr/local/sbin -#cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH' -##!/usr/bin/env bash -#set -euo pipefail -#PASS="" -#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true -#if command -v redis-cli >/dev/null 2>&1; then -# [[ -n "${REDIS_PASS:-}" ]] \ -# && redis-cli -h 127.0.0.1 -p 6379 -a "$REDIS_PASS" ping | grep -q PONG \ -# || redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG -#else -# exit 1 -#fi -#EOSH -#chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh -# -#cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH' -##!/usr/bin/env bash -#set -euo pipefail -# -#REDIS_HOST="${REDIS_HOST:-127.0.0.1}" -#REDIS_PORT="${REDIS_PORT:-6379}" -#REDIS_PASSWORD="${REDIS_PASSWORD:-}" -# -#INSTALLER_ENV="/etc/mailwolt/installer.env" -#APP_ENV="/var/www/mailwolt/.env" -#REDIS_CLI="$(command -v redis-cli || true)" -#SYSTEMCTL="$(command -v systemctl || true)" -#RSPAMD_SERVICE="rspamd" -# -#if [ -r "$INSTALLER_ENV" ]; then . "$INSTALLER_ENV"; fi -#if [ -z "${REDIS_PASSWORD}" ] && [ -r "$APP_ENV" ]; then -# REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)" -#fi -# -#if [ -n "$REDIS_CLI" ]; then -# echo "[INFO] Prüfe Redis Verbindung..." -# if [ -n "${REDIS_PASSWORD}" ]; then -# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$'; then -# echo "[WARN] Redis antwortet nicht oder Passwort falsch!" -# else -# echo "[OK] Redis antwortet (auth ok)." -# fi -# else -# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$'; then -# echo "[WARN] Redis antwortet nicht (ohne Passwort)." -# else -# echo "[OK] Redis antwortet (kein Passwort)." -# fi -# fi -#else -# echo "[WARN] redis-cli nicht gefunden – überspringe Test." -#fi -# -#echo "[INFO] Prüfe Rspamd Socket & Verzeichnis..." -#install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true -#[ -S /var/lib/rspamd/rspamd.sock ] && rm -f /var/lib/rspamd/rspamd.sock || true -# -#echo "[INFO] Starte Rspamd neu..." -#if [ -n "$SYSTEMCTL" ]; then -# "$SYSTEMCTL" restart "$RSPAMD_SERVICE" -# echo "[OK] Rspamd erfolgreich neu gestartet." -#else -# echo "[ERROR] systemctl nicht gefunden – kein Neustart möglich." -# exit 1 -#fi -# -#echo "[INFO] Healthcheck (Port 11334)..." -#sleep 3 -#if ss -tln | grep -q ':11334'; then -# echo "[OK] Rspamd Controller läuft auf Port 11334." -#else -# echo "[WARN] Rspamd Controller Port 11334 nicht erreichbar." -#fi -# -#echo "[DONE] Mailwolt Rspamd-Heal abgeschlossen." -#exit 0 -#EOSH -#chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh -# -## WoltGuard Wrapper + Unit -#cat >/usr/local/bin/woltguard <<'EOSH' -##!/usr/bin/env bash -#set -euo pipefail -#case "${1:-status}" in -# start) systemctl enable --now monit ;; -# stop) systemctl stop monit ;; -# status) monit summary || systemctl status monit || true ;; -# heal) monit reload || true; sleep 1; monit restart all || true ;; -# monitor) monit monitor all || true ;; -# unmonitor) monit unmonitor all || true ;; -# *) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;; -#esac -#EOSH -#chmod 0755 /usr/local/bin/woltguard -# -#cat >/etc/systemd/system/woltguard.service <<'EOF' -#[Unit] -#Description=WoltGuard – Self-Healing Monitor for MailWolt -#After=network.target -#[Service] -#Type=oneshot -#ExecStart=/usr/local/bin/woltguard start -#ExecStop=/usr/local/bin/woltguard stop -#RemainAfterExit=yes -#[Install] -#WantedBy=multi-user.target -#EOF -#systemctl daemon-reload -#systemctl enable --now woltguard -# -## Monit Basis + include -#sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true -#grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc -#install -d -m 0755 /etc/monit/conf.d -# -## Checks -#cat >/etc/monit/conf.d/postfix.conf <<'EOF' -#check process postfix with pidfile /var/spool/postfix/pid/master.pid -# start program = "/bin/systemctl start postfix" -# stop program = "/bin/systemctl stop postfix" -# if failed port 25 protocol smtp then restart -# if failed port 465 type tcpssl then restart -# if failed port 587 type tcp then restart -# if 5 restarts within 5 cycles then alert -#EOF -# -#cat >/etc/monit/conf.d/dovecot.conf <<'EOF' -#check process dovecot with pidfile /run/dovecot/master.pid -# start program = "/bin/systemctl start dovecot" -# stop program = "/bin/systemctl stop dovecot" -# if failed port 993 type tcpssl for 2 cycles then restart -# if failed port 24 protocol lmtp for 2 cycles then restart -# if 5 restarts within 5 cycles then alert -#EOF -# -#cat >/etc/monit/conf.d/nginx.conf <<'EOF' -#check process nginx with pidfile /run/nginx.pid -# start program = "/bin/systemctl start nginx" -# stop program = "/bin/systemctl stop nginx" -# if failed port 80 type tcp then restart -# if failed port 443 type tcpssl then restart -# if 5 restarts within 5 cycles then alert -#EOF -# -#cat >/etc/monit/conf.d/redis.conf <<'EOF' -#check process redis with pidfile /run/redis/redis-server.pid -# start program = "/bin/systemctl start redis-server" -# stop program = "/bin/systemctl stop redis-server" -# if failed host 127.0.0.1 port 6379 for 2 cycles then restart -# if 5 restarts within 5 cycles then alert -# -#check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh" -# if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server" -#EOF -# -#cat >/etc/monit/conf.d/rspamd.conf <<'EOF' -#check process rspamd with pidfile /run/rspamd/rspamd.pid -# start program = "/bin/systemctl start rspamd" -# stop program = "/bin/systemctl stop rspamd" -# if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" -# if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" -# if 5 restarts within 5 cycles then alert -#EOF -# -#cat >/etc/monit/conf.d/opendkim.conf <<'EOF' -#check process opendkim with pidfile /run/opendkim/opendkim.pid -# start program = "/bin/systemctl start opendkim" -# stop program = "/bin/systemctl stop opendkim" -# if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart -# if 5 restarts within 5 cycles then alert -#EOF -# -## optional: OpenDMARC -#if [[ "$OPENDMARC_ENABLE" = "1" ]]; then -# cat >/etc/monit/conf.d/opendmarc.conf <<'EOF' -#check process opendmarc with pidfile /run/opendmarc/opendmarc.pid -# start program = "/bin/systemctl start opendmarc" -# stop program = "/bin/systemctl stop opendmarc" -# if 5 restarts within 5 cycles then alert -#EOF -#else -# rm -f /etc/monit/conf.d/opendmarc.conf || true -#fi -# -## optional: ClamAV -#if [[ "$CLAMAV_ENABLE" = "1" ]]; then -# cat >/etc/monit/conf.d/clamav.conf <<'EOF' -#check process clamd with pidfile /run/clamav/clamd.pid -# start program = "/bin/systemctl start clamav-daemon" -# stop program = "/bin/systemctl stop clamav-daemon" -# if failed unixsocket /run/clamav/clamd.ctl then restart -# if 5 restarts within 5 cycles then alert -#EOF -#else -# rm -f /etc/monit/conf.d/clamav.conf || true -#fi -# -## optional: Fail2Ban -#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then -# cat >/etc/monit/conf.d/fail2ban.conf <<'EOF' -#check process fail2ban with pidfile /run/fail2ban/fail2ban.pid -# start program = "/bin/systemctl start fail2ban" -# stop program = "/bin/systemctl stop fail2ban" -# if 5 restarts within 5 cycles then alert -#EOF -#else -# rm -f /etc/monit/conf.d/fail2ban.conf || true -#fi -# -#monit -t -#systemctl reload monit || systemctl restart monit -#systemctl status monit --no-pager || true -#log "[✓] WoltGuard aktiv." \ No newline at end of file +# Optionaler Sichttest (CLI funktioniert auch ohne HTTP-UI) +sleep 2 +monit summary || true \ No newline at end of file diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 4909b2a..f9dcdec 100644 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -270,6 +270,9 @@ DB_HOST=127.0.0.1 DB_NAME=${DB_NAME} DB_USER=${DB_USER} DB_PASS=${DB_PASS} + +REDIS_HOST=127.0.0.1 +REDIS_PORT=6379 REDIS_PASS=${REDIS_PASS} SERVER_PUBLIC_IPV4=${SERVER_PUBLIC_IPV4}