boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Dovecot Systax Problem

main
boksbc 2025-10-27 01:43:29 +01:00
parent 43de9ea724
commit 977e1d7566
5 changed files with 606 additions and 383 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
scripts/80-app.sh
View File

@ -183,7 +183,7 @@ upsert_env SESSION_SAMESITE "lax"
upsert_env REDIS_CLIENT "phpredis" upsert_env REDIS_CLIENT "phpredis"
upsert_env REDIS_HOST "127.0.0.1" upsert_env REDIS_HOST "127.0.0.1"
upsert_env REDIS_PORT "6379" upsert_env REDIS_PORT "6379"
upsert_env REDIS_PASSWORD "${REDIS_PASS}" upsert_env REDIS_PASS "${REDIS_PASS}"
upsert_env REDIS_DB "0" upsert_env REDIS_DB "0"
upsert_env REDIS_CACHE_DB "1" upsert_env REDIS_CACHE_DB "1"
upsert_env REDIS_CACHE_CONNECTION "cache" upsert_env REDIS_CACHE_CONNECTION "cache"

1
scripts/88-update-wrapper.sh
View File

@ -129,7 +129,6 @@ Defaults!/usr/bin/systemctl !requiretty
Cmnd_Alias MW_SERVICES = \ Cmnd_Alias MW_SERVICES = \
/usr/bin/systemctl reload nginx.service, \ /usr/bin/systemctl reload nginx.service, \
/usr/bin/systemctl try-reload-or-restart nginx.service, \ /usr/bin/systemctl try-reload-or-restart nginx.service, \
/usr/bin/systemctl restart php8.3-fpm.service, \
/usr/bin/systemctl try-reload-or-restart postfix.service, \ /usr/bin/systemctl try-reload-or-restart postfix.service, \
/usr/bin/systemctl try-reload-or-restart dovecot.service, \ /usr/bin/systemctl try-reload-or-restart dovecot.service, \
/usr/bin/systemctl try-reload-or-restart rspamd.service, \ /usr/bin/systemctl try-reload-or-restart rspamd.service, \

491
scripts/95-woltguard.bak.sh Normal file
View File

@ -0,0 +1,491 @@
#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
log "WoltGuard (Monit + Self-Heal) einrichten …"
# ─────────────────────────────────────────────────────────────
# Env nur nachladen, wenn Flags nicht bereits exportiert sind
# ─────────────────────────────────────────────────────────────
INSTALLER_ENV="/etc/mailwolt/installer.env"
: "${CLAMAV_ENABLE:=}" ; : "${OPENDMARC_ENABLE:=}" ; : "${FAIL2BAN_ENABLE:=}"
if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then
# shellcheck disable=SC1090
. "$INSTALLER_ENV"
fi
CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}"
OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}"
FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
# ─────────────────────────────────────────────────────────────
# Monit installieren & aktivieren
# ─────────────────────────────────────────────────────────────
command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; }
systemctl enable --now monit
# ─────────────────────────────────────────────────────────────
# Helper-Skripte (laufen später eigenständig → Env selbst laden)
# ─────────────────────────────────────────────────────────────
install -d -m 0755 /usr/local/sbin
# Redis-Ping (nimmt REDIS_PASSWORD aus installer.env oder .env)
cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
#!/usr/bin/env bash
set -euo pipefail
INSTALLER_ENV="/etc/mailwolt/installer.env"
APP_ENV="/var/www/mailwolt/.env"
# Defaults
REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
REDIS_PORT="${REDIS_PORT:-6379}"
REDIS_PASSWORD="${REDIS_PASSWORD:-}"
REDIS_PASS="${REDIS_PASS:-}" # Legacy
# Installer-Env (falls vorhanden)
[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" || true
# Falls .env existiert: Werte ergänzen, die noch leer sind
if [[ -r "$APP_ENV" ]]; then
[[ -z "${REDIS_HOST}" ]] && REDIS_HOST="$(grep -m1 -E '^REDIS_HOST=' "$APP_ENV" | cut -d= -f2- || true)"
[[ -z "${REDIS_PORT}" ]] && REDIS_PORT="$(grep -m1 -E '^REDIS_PORT=' "$APP_ENV" | cut -d= -f2- || true)"
[[ -z "${REDIS_PASSWORD}" ]] && REDIS_PASSWORD="$(grep -m1 -E '^REDIS_PASSWORD=' "$APP_ENV" | cut -d= -f2- || true)"
fi
# Legacy-Fallback: wenn PASSWORD leer, aber PASS gesetzt → übernehmen
[[ -z "${REDIS_PASSWORD}" && -n "${REDIS_PASS}" ]] && REDIS_PASSWORD="$REDIS_PASS"
# Quotes strippen
strip(){ printf '%s' "$1" | sed -E 's/^"(.*)"$/\1/; s/^'\''(.*)'\''$/\1/'; }
REDIS_HOST="$(strip "${REDIS_HOST:-}")"
REDIS_PORT="$(strip "${REDIS_PORT:-}")"
REDIS_PASSWORD="$(strip "${REDIS_PASSWORD:-}")"
# redis-cli muss vorhanden sein
command -v redis-cli >/dev/null 2>&1 || exit 1
BASE=(timeout 2 redis-cli --no-auth-warning --raw -h "$REDIS_HOST" -p "$REDIS_PORT")
if [[ -n "$REDIS_PASSWORD" ]]; then
CMD=("${BASE[@]}" -a "$REDIS_PASSWORD" ping)
else
CMD=("${BASE[@]}" ping)
fi
# Erfolgreich nur bei exakt "PONG"
[[ "$("${CMD[@]}" 2>/dev/null || true)" == "PONG" ]]
EOSH
chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh
# Rspamd-Heal (setzt Laufzeitverzeichnis, leert alte Socke, restarts rspamd)
cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
#!/usr/bin/env bash
set -euo pipefail
INSTALLER_ENV="/etc/mailwolt/installer.env"
APP_ENV="/var/www/mailwolt/.env"
REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
REDIS_PORT="${REDIS_PORT:-6379}"
REDIS_PASSWORD="${REDIS_PASSWORD:-}"
[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV"
if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then
REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
fi
# Rspamd Runtime fixen
install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
[[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true
# Neustart
systemctl restart rspamd
# Mini-Healthcheck
sleep 2
ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar"
exit 0
EOSH
chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
# ─────────────────────────────────────────────────────────────
# WoltGuard Wrapper + Unit
# ─────────────────────────────────────────────────────────────
cat >/usr/local/bin/woltguard <<'EOSH'
#!/usr/bin/env bash
set -euo pipefail
case "${1:-status}" in
start) systemctl enable --now monit ;;
stop) systemctl stop monit ;;
status) monit summary || systemctl status monit || true ;;
heal) monit reload || true; sleep 1; monit restart all || true ;;
monitor) monit monitor all || true ;;
unmonitor) monit unmonitor all || true ;;
*) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;;
esac
EOSH
chmod 0755 /usr/local/bin/woltguard
cat >/etc/systemd/system/woltguard.service <<'EOF'
[Unit]
Description=WoltGuard Self-Healing Monitor for MailWolt
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/woltguard start
ExecStop=/usr/local/bin/woltguard stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now woltguard
# ─────────────────────────────────────────────────────────────
# Monit Basis + includes
# ─────────────────────────────────────────────────────────────
sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
install -d -m 0755 /etc/monit/conf.d
# ─────────────────────────────────────────────────────────────
# Monit Checks
# ─────────────────────────────────────────────────────────────
# 10 Redis zuerst (abhängig für rspamd)
cat >/etc/monit/conf.d/10-redis.conf <<'EOF'
check process redis with pidfile /run/redis/redis-server.pid
start program = "/bin/systemctl start redis-server"
stop program = "/bin/systemctl stop redis-server"
if failed host 127.0.0.1 port 6379 for 2 cycles then restart
if 5 restarts within 5 cycles then alert
check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh"
if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server"
EOF
# 20 Rspamd (hängt von Redis ab), robust über process-matching
cat >/etc/monit/conf.d/20-rspamd.conf <<'EOF'
check process rspamd matching "/usr/bin/rspamd"
start program = "/bin/systemctl start rspamd"
stop program = "/bin/systemctl stop rspamd"
depends on redis
if failed host 127.0.0.1 port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
if failed host 127.0.0.1 port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
if 5 restarts within 5 cycles then alert
EOF
# 30 Maildienste
cat >/etc/monit/conf.d/30-postfix.conf <<'EOF'
check process postfix with pidfile /var/spool/postfix/pid/master.pid
start program = "/bin/systemctl start postfix"
stop program = "/bin/systemctl stop postfix"
if failed port 25 protocol smtp then restart
if failed port 465 type tcpssl then restart
if failed port 587 type tcp then restart
if 5 restarts within 5 cycles then alert
EOF
cat >/etc/monit/conf.d/30-dovecot.conf <<'EOF'
check process dovecot with pidfile /run/dovecot/master.pid
start program = "/bin/systemctl start dovecot"
stop program = "/bin/systemctl stop dovecot"
if failed port 993 type tcpssl for 2 cycles then restart
if failed port 24 protocol lmtp for 2 cycles then restart
if 5 restarts within 5 cycles then alert
EOF
# 40 Web/PHP
cat >/etc/monit/conf.d/40-nginx.conf <<'EOF'
check process nginx with pidfile /run/nginx.pid
start program = "/bin/systemctl start nginx"
stop program = "/bin/systemctl stop nginx"
if failed port 80 type tcp then restart
if failed port 443 type tcpssl then restart
if 5 restarts within 5 cycles then alert
EOF
# 50 DKIM/DMARC
cat >/etc/monit/conf.d/50-opendkim.conf <<'EOF'
check process opendkim with pidfile /run/opendkim/opendkim.pid
start program = "/bin/systemctl start opendkim"
stop program = "/bin/systemctl stop opendkim"
if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart
if 5 restarts within 5 cycles then alert
EOF
# optional: OpenDMARC
if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
cat >/etc/monit/conf.d/55-opendmarc.conf <<'EOF'
check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
start program = "/bin/systemctl start opendmarc"
stop program = "/bin/systemctl stop opendmarc"
if 5 restarts within 5 cycles then alert
EOF
else
rm -f /etc/monit/conf.d/55-opendmarc.conf || true
fi
# 60 optional: ClamAV
if [[ "$CLAMAV_ENABLE" = "1" ]]; then
cat >/etc/monit/conf.d/60-clamav.conf <<'EOF'
check process clamd with pidfile /run/clamav/clamd.pid
start program = "/bin/systemctl start clamav-daemon"
stop program = "/bin/systemctl stop clamav-daemon"
if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart
if 5 restarts within 5 cycles then timeout
EOF
else
rm -f /etc/monit/conf.d/60-clamav.conf || true
fi
# 70 Fail2Ban (optional, standardmäßig aktiv)
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
cat >/etc/monit/conf.d/70-fail2ban.conf <<'EOF'
check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
start program = "/bin/systemctl start fail2ban"
stop program = "/bin/systemctl stop fail2ban"
if 5 restarts within 5 cycles then alert
EOF
else
rm -f /etc/monit/conf.d/70-fail2ban.conf || true
fi
# ─────────────────────────────────────────────────────────────
# Monit neu laden
# ─────────────────────────────────────────────────────────────
monit -t
systemctl reload monit || systemctl restart monit
systemctl status monit --no-pager || true
log "[✓] WoltGuard aktiv."
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "WoltGuard (Monit + Self-Heal) einrichten …"
#
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}"
#OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}"
#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
#
## Pakete sicherstellen
#command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; }
#systemctl enable --now monit
#
## Helper-Skripte
#install -d -m 0755 /usr/local/sbin
#cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#PASS=""
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true
#if command -v redis-cli >/dev/null 2>&1; then
# [[ -n "${REDIS_PASS:-}" ]] \
# && redis-cli -h 127.0.0.1 -p 6379 -a "$REDIS_PASS" ping | grep -q PONG \
# || redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG
#else
# exit 1
#fi
#EOSH
#chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh
#
#cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#
#REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
#REDIS_PORT="${REDIS_PORT:-6379}"
#REDIS_PASSWORD="${REDIS_PASSWORD:-}"
#
#INSTALLER_ENV="/etc/mailwolt/installer.env"
#APP_ENV="/var/www/mailwolt/.env"
#REDIS_CLI="$(command -v redis-cli || true)"
#SYSTEMCTL="$(command -v systemctl || true)"
#RSPAMD_SERVICE="rspamd"
#
#if [ -r "$INSTALLER_ENV" ]; then . "$INSTALLER_ENV"; fi
#if [ -z "${REDIS_PASSWORD}" ] && [ -r "$APP_ENV" ]; then
# REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
#fi
#
#if [ -n "$REDIS_CLI" ]; then
# echo "[INFO] Prüfe Redis Verbindung..."
# if [ -n "${REDIS_PASSWORD}" ]; then
# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$'; then
# echo "[WARN] Redis antwortet nicht oder Passwort falsch!"
# else
# echo "[OK] Redis antwortet (auth ok)."
# fi
# else
# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$'; then
# echo "[WARN] Redis antwortet nicht (ohne Passwort)."
# else
# echo "[OK] Redis antwortet (kein Passwort)."
# fi
# fi
#else
# echo "[WARN] redis-cli nicht gefunden überspringe Test."
#fi
#
#echo "[INFO] Prüfe Rspamd Socket & Verzeichnis..."
#install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
#[ -S /var/lib/rspamd/rspamd.sock ] && rm -f /var/lib/rspamd/rspamd.sock || true
#
#echo "[INFO] Starte Rspamd neu..."
#if [ -n "$SYSTEMCTL" ]; then
# "$SYSTEMCTL" restart "$RSPAMD_SERVICE"
# echo "[OK] Rspamd erfolgreich neu gestartet."
#else
# echo "[ERROR] systemctl nicht gefunden kein Neustart möglich."
# exit 1
#fi
#
#echo "[INFO] Healthcheck (Port 11334)..."
#sleep 3
#if ss -tln | grep -q ':11334'; then
# echo "[OK] Rspamd Controller läuft auf Port 11334."
#else
# echo "[WARN] Rspamd Controller Port 11334 nicht erreichbar."
#fi
#
#echo "[DONE] Mailwolt Rspamd-Heal abgeschlossen."
#exit 0
#EOSH
#chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
#
## WoltGuard Wrapper + Unit
#cat >/usr/local/bin/woltguard <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#case "${1:-status}" in
# start) systemctl enable --now monit ;;
# stop) systemctl stop monit ;;
# status) monit summary || systemctl status monit || true ;;
# heal) monit reload || true; sleep 1; monit restart all || true ;;
# monitor) monit monitor all || true ;;
# unmonitor) monit unmonitor all || true ;;
# *) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;;
#esac
#EOSH
#chmod 0755 /usr/local/bin/woltguard
#
#cat >/etc/systemd/system/woltguard.service <<'EOF'
#[Unit]
#Description=WoltGuard Self-Healing Monitor for MailWolt
#After=network.target
#[Service]
#Type=oneshot
#ExecStart=/usr/local/bin/woltguard start
#ExecStop=/usr/local/bin/woltguard stop
#RemainAfterExit=yes
#[Install]
#WantedBy=multi-user.target
#EOF
#systemctl daemon-reload
#systemctl enable --now woltguard
#
## Monit Basis + include
#sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
#grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
#install -d -m 0755 /etc/monit/conf.d
#
## Checks
#cat >/etc/monit/conf.d/postfix.conf <<'EOF'
#check process postfix with pidfile /var/spool/postfix/pid/master.pid
# start program = "/bin/systemctl start postfix"
# stop program = "/bin/systemctl stop postfix"
# if failed port 25 protocol smtp then restart
# if failed port 465 type tcpssl then restart
# if failed port 587 type tcp then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/dovecot.conf <<'EOF'
#check process dovecot with pidfile /run/dovecot/master.pid
# start program = "/bin/systemctl start dovecot"
# stop program = "/bin/systemctl stop dovecot"
# if failed port 993 type tcpssl for 2 cycles then restart
# if failed port 24 protocol lmtp for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/nginx.conf <<'EOF'
#check process nginx with pidfile /run/nginx.pid
# start program = "/bin/systemctl start nginx"
# stop program = "/bin/systemctl stop nginx"
# if failed port 80 type tcp then restart
# if failed port 443 type tcpssl then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/redis.conf <<'EOF'
#check process redis with pidfile /run/redis/redis-server.pid
# start program = "/bin/systemctl start redis-server"
# stop program = "/bin/systemctl stop redis-server"
# if failed host 127.0.0.1 port 6379 for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#
#check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh"
# if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server"
#EOF
#
#cat >/etc/monit/conf.d/rspamd.conf <<'EOF'
#check process rspamd with pidfile /run/rspamd/rspamd.pid
# start program = "/bin/systemctl start rspamd"
# stop program = "/bin/systemctl stop rspamd"
# if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
# if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/opendkim.conf <<'EOF'
#check process opendkim with pidfile /run/opendkim/opendkim.pid
# start program = "/bin/systemctl start opendkim"
# stop program = "/bin/systemctl stop opendkim"
# if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
## optional: OpenDMARC
#if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
# cat >/etc/monit/conf.d/opendmarc.conf <<'EOF'
#check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
# start program = "/bin/systemctl start opendmarc"
# stop program = "/bin/systemctl stop opendmarc"
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/conf.d/opendmarc.conf || true
#fi
#
## optional: ClamAV
#if [[ "$CLAMAV_ENABLE" = "1" ]]; then
# cat >/etc/monit/conf.d/clamav.conf <<'EOF'
#check process clamd with pidfile /run/clamav/clamd.pid
# start program = "/bin/systemctl start clamav-daemon"
# stop program = "/bin/systemctl stop clamav-daemon"
# if failed unixsocket /run/clamav/clamd.ctl then restart
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/conf.d/clamav.conf || true
#fi
#
## optional: Fail2Ban
#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
# cat >/etc/monit/conf.d/fail2ban.conf <<'EOF'
#check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
# start program = "/bin/systemctl start fail2ban"
# stop program = "/bin/systemctl stop fail2ban"
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/conf.d/fail2ban.conf || true
#fi
#
#monit -t
#systemctl reload monit || systemctl restart monit
#systemctl status monit --no-pager || true
#log "[✓] WoltGuard aktiv."

492
scripts/95-woltguard.sh
View File

@ -1,167 +1,84 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
source ./lib.sh
log "WoltGuard (Monit + Self-Heal) einrichten …" # Flags laden (falls vorhanden)
# ─────────────────────────────────────────────────────────────
# Env nur nachladen, wenn Flags nicht bereits exportiert sind
# ─────────────────────────────────────────────────────────────
INSTALLER_ENV="/etc/mailwolt/installer.env" INSTALLER_ENV="/etc/mailwolt/installer.env"
: "${CLAMAV_ENABLE:=}" ; : "${OPENDMARC_ENABLE:=}" ; : "${FAIL2BAN_ENABLE:=}" : "${CLAMAV_ENABLE:=}"; : "${OPENDMARC_ENABLE:=}"; : "${FAIL2BAN_ENABLE:=}"; : "${MONIT_HTTP:=}"
if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then
# shellcheck disable=SC1090
. "$INSTALLER_ENV" . "$INSTALLER_ENV"
fi fi
CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}" CLAMAV_ENABLE="${CLAMAV_ENABLE:-1}"
OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}" OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-1}"
FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
MONIT_HTTP="${MONIT_HTTP:-1}"
# ───────────────────────────────────────────────────────────── # ── Monit so konfigurieren, dass NUR monitrc.d/* geladen wird ────────────────
# Monit installieren & aktivieren install -d -m 0755 /etc/monit/monitrc.d
# ───────────────────────────────────────────────────────────── # Poll-Intervall (30s)
command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; } sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
systemctl enable --now monit # alle alten include-Zeilen raus und monitrc.d setzen
sed -i 's|^#\?\s*include .*$||g' /etc/monit/monitrc
grep -q '^include /etc/monit/monitrc.d/\*' /etc/monit/monitrc \
|| echo 'include /etc/monit/monitrc.d/*' >> /etc/monit/monitrc
# ───────────────────────────────────────────────────────────── # Optional: HTTP-UI nur einschalten, wenn explizit gewünscht
# Helper-Skripte (laufen später eigenständig → Env selbst laden) if [[ "$MONIT_HTTP" = "1" ]]; then
# ───────────────────────────────────────────────────────────── grep -q '^set httpd port 2812' /etc/monit/monitrc || cat >>/etc/monit/monitrc <<'HTTP'
set httpd port 2812 and
use address localhost
allow localhost
HTTP
fi
# ── Helper-Skripte ──────────────────────────────────────────────────────────
install -d -m 0755 /usr/local/sbin install -d -m 0755 /usr/local/sbin
# Redis-Ping (nimmt REDIS_PASSWORD aus installer.env oder .env) # Redis-Ping (Password: REDIS_PASSWORD aus installer.env oder .env)
cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH' cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
INSTALLER_ENV="/etc/mailwolt/installer.env" INSTALLER_ENV="/etc/mailwolt/installer.env"
APP_ENV="/var/www/mailwolt/.env" APP_ENV="/var/www/mailwolt/.env"
REDIS_HOST="${REDIS_HOST:-127.0.0.1}" REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
REDIS_PORT="${REDIS_PORT:-6379}" REDIS_PORT="${REDIS_PORT:-6379}"
REDIS_PASSWORD="${REDIS_PASSWORD:-}" REDIS_PASSWORD="${REDIS_PASSWORD:-}"
REDIS_PASS="${REDIS_PASS:-}"
# Env-Fallbacks [[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" || true
[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" if [[ -r "$APP_ENV" ]]; then
if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then [[ -z "${REDIS_HOST}" ]] && REDIS_HOST="$(grep -m1 '^REDIS_HOST=' "$APP_ENV" | cut -d= -f2- || true)"
REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)" [[ -z "${REDIS_PORT}" ]] && REDIS_PORT="$(grep -m1 '^REDIS_PORT=' "$APP_ENV" | cut -d= -f2- || true)"
[[ -z "${REDIS_PASSWORD}" ]] && REDIS_PASSWORD="$(grep -m1 '^REDIS_PASSWORD=' "$APP_ENV" | cut -d= -f2- || true)"
fi fi
[[ -z "${REDIS_PASSWORD}" && -n "${REDIS_PASS}" ]] && REDIS_PASSWORD="$REDIS_PASS"
if ! command -v redis-cli >/dev/null 2>&1; then strip(){ printf '%s' "$1" | sed -E 's/^"(.*)"$/\1/; s/^'"'"'(.*)'"'"'$/\1/'; }
exit 1 REDIS_HOST="$(strip "${REDIS_HOST:-}")"
fi REDIS_PORT="$(strip "${REDIS_PORT:-}")"
REDIS_PASSWORD="$(strip "${REDIS_PASSWORD:-}")"
if [[ -n "${REDIS_PASSWORD}" ]]; then command -v redis-cli >/dev/null 2>&1 || exit 1
redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$' BASE=(timeout 2 redis-cli --no-auth-warning --raw -h "$REDIS_HOST" -p "$REDIS_PORT")
else [[ -n "$REDIS_PASSWORD" ]] && CMD=("${BASE[@]}" -a "$REDIS_PASSWORD" ping) || CMD=("${BASE[@]}" ping)
redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$' [[ "$("${CMD[@]}" 2>/dev/null || true)" == "PONG" ]]
fi
EOSH EOSH
chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh
# Rspamd-Heal (setzt Laufzeitverzeichnis, leert alte Socke, restarts rspamd) # Rspamd-Heal (Socke aufräumen, restart, Mini-Port-Check)
cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH' cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
INSTALLER_ENV="/etc/mailwolt/installer.env"
APP_ENV="/var/www/mailwolt/.env"
REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
REDIS_PORT="${REDIS_PORT:-6379}"
REDIS_PASSWORD="${REDIS_PASSWORD:-}"
[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV"
if [[ -z "${REDIS_PASSWORD}" && -r "$APP_ENV" ]]; then
REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
fi
# Rspamd Runtime fixen
install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
[[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true [[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true
# Neustart
systemctl restart rspamd systemctl restart rspamd
# Mini-Healthcheck
sleep 2 sleep 2
ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar" ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar"
exit 0
EOSH EOSH
chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
# ───────────────────────────────────────────────────────────── # ── Monit-Checks (nummeriert) ───────────────────────────────────────────────
# WoltGuard Wrapper + Unit # 10 Redis
# ───────────────────────────────────────────────────────────── cat >/etc/monit/monitrc.d/10-redis.conf <<'EOF'
cat >/usr/local/bin/woltguard <<'EOSH'
#!/usr/bin/env bash
set -euo pipefail
case "${1:-status}" in
start) systemctl enable --now monit ;;
stop) systemctl stop monit ;;
status) monit summary || systemctl status monit || true ;;
heal) monit reload || true; sleep 1; monit restart all || true ;;
monitor) monit monitor all || true ;;
unmonitor) monit unmonitor all || true ;;
*) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;;
esac
EOSH
chmod 0755 /usr/local/bin/woltguard
cat >/etc/systemd/system/woltguard.service <<'EOF'
[Unit]
Description=WoltGuard Self-Healing Monitor for MailWolt
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/woltguard start
ExecStop=/usr/local/bin/woltguard stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now woltguard
# ─────────────────────────────────────────────────────────────
# Monit Basis + includes
# ─────────────────────────────────────────────────────────────
sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
install -d -m 0755 /etc/monit/conf.d
# ─────────────────────────────────────────────────────────────
# Monit Checks
# ─────────────────────────────────────────────────────────────
cat >/etc/monit/conf.d/postfix.conf <<'EOF'
check process postfix with pidfile /var/spool/postfix/pid/master.pid
start program = "/bin/systemctl start postfix"
stop program = "/bin/systemctl stop postfix"
if failed port 25 protocol smtp then restart
if failed port 465 type tcpssl then restart
if failed port 587 type tcp then restart
if 5 restarts within 5 cycles then alert
EOF
cat >/etc/monit/conf.d/dovecot.conf <<'EOF'
check process dovecot with pidfile /run/dovecot/master.pid
start program = "/bin/systemctl start dovecot"
stop program = "/bin/systemctl stop dovecot"
if failed port 993 type tcpssl for 2 cycles then restart
if failed port 24 protocol lmtp for 2 cycles then restart
if 5 restarts within 5 cycles then alert
EOF
cat >/etc/monit/conf.d/nginx.conf <<'EOF'
check process nginx with pidfile /run/nginx.pid
start program = "/bin/systemctl start nginx"
stop program = "/bin/systemctl stop nginx"
if failed port 80 type tcp then restart
if failed port 443 type tcpssl then restart
if 5 restarts within 5 cycles then alert
EOF
cat >/etc/monit/conf.d/redis.conf <<'EOF'
check process redis with pidfile /run/redis/redis-server.pid check process redis with pidfile /run/redis/redis-server.pid
start program = "/bin/systemctl start redis-server" start program = "/bin/systemctl start redis-server"
stop program = "/bin/systemctl stop redis-server" stop program = "/bin/systemctl stop redis-server"
@ -172,285 +89,98 @@ check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh"
if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server" if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server"
EOF EOF
cat >/etc/monit/conf.d/rspamd.conf <<'EOF' # 20 Rspamd (robust via process-matching + Heal)
check process rspamd with pidfile /run/rspamd/rspamd.pid cat >/etc/monit/monitrc.d/20-rspamd.conf <<'EOF'
start program = "/bin/systemctl start rspamd" check process rspamd matching "/usr/bin/rspamd"
stop program = "/bin/systemctl stop rspamd" start program = "/bin/systemctl start rspamd" with timeout 120 seconds
if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" stop program = "/bin/systemctl stop rspamd"
if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" depends on redis
if failed host 127.0.0.1 port 11333 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
if failed host 127.0.0.1 port 11334 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
if does not exist for 2 cycles then restart
if 5 restarts within 10 cycles then unmonitor
EOF
# 30 Postfix
cat >/etc/monit/monitrc.d/30-postfix.conf <<'EOF'
check process postfix with pidfile /var/spool/postfix/pid/master.pid
start program = "/bin/systemctl start postfix"
stop program = "/bin/systemctl stop postfix"
if failed port 25 protocol smtp then restart
if failed port 465 type tcpssl then restart
if failed port 587 type tcp then restart
if 5 restarts within 5 cycles then alert if 5 restarts within 5 cycles then alert
EOF EOF
cat >/etc/monit/conf.d/opendkim.conf <<'EOF' # 30 Dovecot (IMAPS; LMTP oft Unix-Socket → kein TCP-Fehlalarm)
cat >/etc/monit/monitrc.d/30-dovecot.conf <<'EOF'
check process dovecot with pidfile /run/dovecot/master.pid
start program = "/bin/systemctl start dovecot"
stop program = "/bin/systemctl stop dovecot"
if failed port 993 type tcpssl for 3 cycles then restart
if 5 restarts within 10 cycles then alert
EOF
# 40 Nginx
cat >/etc/monit/monitrc.d/40-nginx.conf <<'EOF'
check process nginx with pidfile /run/nginx.pid
start program = "/bin/systemctl start nginx"
stop program = "/bin/systemctl stop nginx"
if failed port 80 type tcp then restart
if failed port 443 type tcpssl then restart
if 5 restarts within 5 cycles then alert
EOF
# 50 OpenDKIM
cat >/etc/monit/monitrc.d/50-opendkim.conf <<'EOF'
check process opendkim with pidfile /run/opendkim/opendkim.pid check process opendkim with pidfile /run/opendkim/opendkim.pid
start program = "/bin/systemctl start opendkim" start program = "/bin/systemctl start opendkim"
stop program = "/bin/systemctl stop opendkim" stop program = "/bin/systemctl stop opendkim"
if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart
if 5 restarts within 5 cycles then alert if 5 restarts within 5 cycles then alert
EOF EOF
# optional: OpenDMARC # 55 OpenDMARC (optional)
if [[ "$OPENDMARC_ENABLE" = "1" ]]; then if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
cat >/etc/monit/conf.d/opendmarc.conf <<'EOF' cat >/etc/monit/monitrc.d/55-opendmarc.conf <<'EOF'
check process opendmarc with pidfile /run/opendmarc/opendmarc.pid check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
start program = "/bin/systemctl start opendmarc" start program = "/bin/systemctl start opendmarc"
stop program = "/bin/systemctl stop opendmarc" stop program = "/bin/systemctl stop opendmarc"
if 5 restarts within 5 cycles then alert if 5 restarts within 5 cycles then alert
EOF EOF
else else
rm -f /etc/monit/conf.d/opendmarc.conf || true rm -f /etc/monit/monitrc.d/55-opendmarc.conf || true
fi fi
# optional: ClamAV # 60 ClamAV (über Socket)
if [[ "$CLAMAV_ENABLE" = "1" ]]; then if [[ "$CLAMAV_ENABLE" = "1" ]]; then
cat >/etc/monit/conf.d/clamav.conf <<'EOF' cat >/etc/monit/monitrc.d/60-clamav.conf <<'EOF'
check process clamd with pidfile /run/clamav/clamd.pid check process clamd matching "clamd"
start program = "/bin/systemctl start clamav-daemon" start program = "/bin/systemctl start clamav-daemon"
stop program = "/bin/systemctl stop clamav-daemon" stop program = "/bin/systemctl stop clamav-daemon"
if failed unixsocket /run/clamav/clamd.ctl then restart if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart
if 5 restarts within 10 cycles then unmonitor
EOF
else
rm -f /etc/monit/monitrc.d/60-clamav.conf || true
fi
# 70 Fail2Ban (optional)
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
cat >/etc/monit/monitrc.d/70-fail2ban.conf <<'EOF'
check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
start program = "/bin/systemctl start fail2ban"
stop program = "/bin/systemctl stop fail2ban"
if 5 restarts within 5 cycles then alert if 5 restarts within 5 cycles then alert
EOF EOF
else else
rm -f /etc/monit/conf.d/clamav.conf || true rm -f /etc/monit/monitrc.d/70-fail2ban.conf || true
fi fi
# ───────────────────────────────────────────────────────────── # ── Monit neu laden ─────────────────────────────────────────────────────────
# Monit neu laden
# ─────────────────────────────────────────────────────────────
monit -t monit -t
systemctl reload monit || systemctl restart monit systemctl reload monit || systemctl restart monit
systemctl status monit --no-pager || true
log "[✓] WoltGuard aktiv."
##!/usr/bin/env bash # Optionaler Sichttest (CLI funktioniert auch ohne HTTP-UI)
#set -euo pipefail sleep 2
#source ./lib.sh monit summary || true
#
#log "WoltGuard (Monit + Self-Heal) einrichten …"
#
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}"
#OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}"
#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
#
## Pakete sicherstellen
#command -v monit >/dev/null || { apt-get update -qq; apt-get install -y monit; }
#systemctl enable --now monit
#
## Helper-Skripte
#install -d -m 0755 /usr/local/sbin
#cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#PASS=""
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true
#if command -v redis-cli >/dev/null 2>&1; then
# [[ -n "${REDIS_PASS:-}" ]] \
# && redis-cli -h 127.0.0.1 -p 6379 -a "$REDIS_PASS" ping | grep -q PONG \
# || redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG
#else
# exit 1
#fi
#EOSH
#chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh
#
#cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#
#REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
#REDIS_PORT="${REDIS_PORT:-6379}"
#REDIS_PASSWORD="${REDIS_PASSWORD:-}"
#
#INSTALLER_ENV="/etc/mailwolt/installer.env"
#APP_ENV="/var/www/mailwolt/.env"
#REDIS_CLI="$(command -v redis-cli || true)"
#SYSTEMCTL="$(command -v systemctl || true)"
#RSPAMD_SERVICE="rspamd"
#
#if [ -r "$INSTALLER_ENV" ]; then . "$INSTALLER_ENV"; fi
#if [ -z "${REDIS_PASSWORD}" ] && [ -r "$APP_ENV" ]; then
# REDIS_PASSWORD="$(grep -E '^REDIS_PASSWORD=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
#fi
#
#if [ -n "$REDIS_CLI" ]; then
# echo "[INFO] Prüfe Redis Verbindung..."
# if [ -n "${REDIS_PASSWORD}" ]; then
# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" -a "$REDIS_PASSWORD" ping | grep -q '^PONG$'; then
# echo "[WARN] Redis antwortet nicht oder Passwort falsch!"
# else
# echo "[OK] Redis antwortet (auth ok)."
# fi
# else
# if ! "$REDIS_CLI" -h "$REDIS_HOST" -p "$REDIS_PORT" ping | grep -q '^PONG$'; then
# echo "[WARN] Redis antwortet nicht (ohne Passwort)."
# else
# echo "[OK] Redis antwortet (kein Passwort)."
# fi
# fi
#else
# echo "[WARN] redis-cli nicht gefunden überspringe Test."
#fi
#
#echo "[INFO] Prüfe Rspamd Socket & Verzeichnis..."
#install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
#[ -S /var/lib/rspamd/rspamd.sock ] && rm -f /var/lib/rspamd/rspamd.sock || true
#
#echo "[INFO] Starte Rspamd neu..."
#if [ -n "$SYSTEMCTL" ]; then
# "$SYSTEMCTL" restart "$RSPAMD_SERVICE"
# echo "[OK] Rspamd erfolgreich neu gestartet."
#else
# echo "[ERROR] systemctl nicht gefunden kein Neustart möglich."
# exit 1
#fi
#
#echo "[INFO] Healthcheck (Port 11334)..."
#sleep 3
#if ss -tln | grep -q ':11334'; then
# echo "[OK] Rspamd Controller läuft auf Port 11334."
#else
# echo "[WARN] Rspamd Controller Port 11334 nicht erreichbar."
#fi
#
#echo "[DONE] Mailwolt Rspamd-Heal abgeschlossen."
#exit 0
#EOSH
#chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
#
## WoltGuard Wrapper + Unit
#cat >/usr/local/bin/woltguard <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#case "${1:-status}" in
# start) systemctl enable --now monit ;;
# stop) systemctl stop monit ;;
# status) monit summary || systemctl status monit || true ;;
# heal) monit reload || true; sleep 1; monit restart all || true ;;
# monitor) monit monitor all || true ;;
# unmonitor) monit unmonitor all || true ;;
# *) echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"; exit 2;;
#esac
#EOSH
#chmod 0755 /usr/local/bin/woltguard
#
#cat >/etc/systemd/system/woltguard.service <<'EOF'
#[Unit]
#Description=WoltGuard Self-Healing Monitor for MailWolt
#After=network.target
#[Service]
#Type=oneshot
#ExecStart=/usr/local/bin/woltguard start
#ExecStop=/usr/local/bin/woltguard stop
#RemainAfterExit=yes
#[Install]
#WantedBy=multi-user.target
#EOF
#systemctl daemon-reload
#systemctl enable --now woltguard
#
## Monit Basis + include
#sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
#grep -q 'include /etc/monit/conf.d/*' /etc/monit/monitrc || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
#install -d -m 0755 /etc/monit/conf.d
#
## Checks
#cat >/etc/monit/conf.d/postfix.conf <<'EOF'
#check process postfix with pidfile /var/spool/postfix/pid/master.pid
# start program = "/bin/systemctl start postfix"
# stop program = "/bin/systemctl stop postfix"
# if failed port 25 protocol smtp then restart
# if failed port 465 type tcpssl then restart
# if failed port 587 type tcp then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/dovecot.conf <<'EOF'
#check process dovecot with pidfile /run/dovecot/master.pid
# start program = "/bin/systemctl start dovecot"
# stop program = "/bin/systemctl stop dovecot"
# if failed port 993 type tcpssl for 2 cycles then restart
# if failed port 24 protocol lmtp for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/nginx.conf <<'EOF'
#check process nginx with pidfile /run/nginx.pid
# start program = "/bin/systemctl start nginx"
# stop program = "/bin/systemctl stop nginx"
# if failed port 80 type tcp then restart
# if failed port 443 type tcpssl then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/redis.conf <<'EOF'
#check process redis with pidfile /run/redis/redis-server.pid
# start program = "/bin/systemctl start redis-server"
# stop program = "/bin/systemctl stop redis-server"
# if failed host 127.0.0.1 port 6379 for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#
#check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh"
# if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server"
#EOF
#
#cat >/etc/monit/conf.d/rspamd.conf <<'EOF'
#check process rspamd with pidfile /run/rspamd/rspamd.pid
# start program = "/bin/systemctl start rspamd"
# stop program = "/bin/systemctl stop rspamd"
# if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
# if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
# if 5 restarts within 5 cycles then alert
#EOF
#
#cat >/etc/monit/conf.d/opendkim.conf <<'EOF'
#check process opendkim with pidfile /run/opendkim/opendkim.pid
# start program = "/bin/systemctl start opendkim"
# stop program = "/bin/systemctl stop opendkim"
# if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
## optional: OpenDMARC
#if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
# cat >/etc/monit/conf.d/opendmarc.conf <<'EOF'
#check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
# start program = "/bin/systemctl start opendmarc"
# stop program = "/bin/systemctl stop opendmarc"
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/conf.d/opendmarc.conf || true
#fi
#
## optional: ClamAV
#if [[ "$CLAMAV_ENABLE" = "1" ]]; then
# cat >/etc/monit/conf.d/clamav.conf <<'EOF'
#check process clamd with pidfile /run/clamav/clamd.pid
# start program = "/bin/systemctl start clamav-daemon"
# stop program = "/bin/systemctl stop clamav-daemon"
# if failed unixsocket /run/clamav/clamd.ctl then restart
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/conf.d/clamav.conf || true
#fi
#
## optional: Fail2Ban
#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
# cat >/etc/monit/conf.d/fail2ban.conf <<'EOF'
#check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
# start program = "/bin/systemctl start fail2ban"
# stop program = "/bin/systemctl stop fail2ban"
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/conf.d/fail2ban.conf || true
#fi
#
#monit -t
#systemctl reload monit || systemctl restart monit
#systemctl status monit --no-pager || true
#log "[✓] WoltGuard aktiv."

3
scripts/bootstrap.sh
View File

@ -270,6 +270,9 @@ DB_HOST=127.0.0.1
DB_NAME=${DB_NAME} DB_NAME=${DB_NAME}
DB_USER=${DB_USER} DB_USER=${DB_USER}
DB_PASS=${DB_PASS} DB_PASS=${DB_PASS}
REDIS_HOST=127.0.0.1
REDIS_PORT=6379
REDIS_PASS=${REDIS_PASS} REDIS_PASS=${REDIS_PASS}
SERVER_PUBLIC_IPV4=${SERVER_PUBLIC_IPV4} SERVER_PUBLIC_IPV4=${SERVER_PUBLIC_IPV4}