boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Laudende Default seite entfernen

main
boksbc 2025-10-16 19:10:16 +02:00
parent 55f59433a9
commit be85653c89
6 changed files with 436 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
scripts/21-le-deploy-hook.sh Normal file
View File

@ -0,0 +1,92 @@
#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
install -d /etc/letsencrypt/renewal-hooks/deploy
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail
UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"
UI_HOST="${UI_HOST}"
WEBMAIL_HOST="${WEBMAIL_HOST}"
MX_HOST="${MAIL_HOSTNAME}"
UI_LE="/etc/letsencrypt/live/${UI_HOST}"
WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
MX_LE="/etc/letsencrypt/live/${MX_HOST}"
link_if() {
local le_base="$1" target_dir="$2"
local cert="${le_base}/fullchain.pem"
local key="${le_base}/privkey.pem"
if [ -f "$cert" ] && [ -f "$key" ]; then
install -d -m 0755 "$target_dir"
ln -sf "$cert" "${target_dir}/fullchain.pem"
ln -sf "$key" "${target_dir}/privkey.pem"
echo "[+] Linked ${target_dir} -> ${le_base}"
fi
}
link_if "$UI_LE" "$UI_SSL_DIR"
link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
link_if "$MX_LE" "$MAIL_SSL_DIR"
# Dienste neu laden
systemctl reload nginx || true
systemctl reload postfix dovecot || true
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#UI_SSL_DIR="/etc/ssl/ui"
#WEBMAIL_SSL_DIR="/etc/ssl/webmail"
#MAIL_SSL_DIR="/etc/ssl/mail"
#
#UI_HOST="${UI_HOST:-}"
#WEBMAIL_HOST="${WEBMAIL_HOST:-}"
#MX_HOST="${MAIL_HOSTNAME:-}"
#
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#
## Hook-Datei, die Certbot nach jeder Erneuerung ausführt
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
##!/usr/bin/env bash
#set -euo pipefail
#
#UI_SSL_DIR="/etc/ssl/ui"
#WEBMAIL_SSL_DIR="/etc/ssl/webmail"
#MAIL_SSL_DIR="/etc/ssl/mail"
#
#UI_HOST="${UI_HOST}"
#WEBMAIL_HOST="${WEBMAIL_HOST}"
#MX_HOST="${MAIL_HOSTNAME}"
#
#link_if() {
# local host="$1" target_dir="$2"
# [[ -z "$host" ]] && return 0
# local le="/etc/letsencrypt/live/${host}"
# local cert="${le}/fullchain.pem"
# local key="${le}/privkey.pem"
# [[ -f "$cert" && -f "$key" ]] || return 0
# install -d -m 0755 "$target_dir"
# ln -sf "$cert" "${target_dir}/fullchain.pem"
# ln -sf "$key" "${target_dir}/privkey.pem"
# echo "[+] Linked ${target_dir} -> ${le}"
#}
#
#link_if "$UI_HOST" "$UI_SSL_DIR"
#link_if "$WEBMAIL_HOST" "$WEBMAIL_SSL_DIR"
#link_if "$MX_HOST" "$MAIL_SSL_DIR"
#
#systemctl reload nginx || true
#systemctl reload postfix || true
#systemctl reload dovecot || true
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh

297
scripts/70-nginx.sh
View File

@ -4,10 +4,16 @@ source ./lib.sh
log "Nginx konfigurieren …"
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
# Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks)
DEV_MODE="${DEV_MODE:-0}" # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
PROXY_MODE="${PROXY_MODE:-0}" # 1 = NPM/Proxy davor
NPM_IP="${NPM_IP:-}" # z.B. 10.10.20.20
# Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR
: "${UI_HOST:?UI_HOST fehlt}"
: "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
: "${APP_DIR:?APP_DIR fehlt}"
NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
ACME_ROOT="/var/www/letsencrypt"
install -d -m 0755 "$ACME_ROOT"
@ -31,79 +37,68 @@ detect_php_fpm_sock(){
}
PHP_FPM_TARGET="$(detect_php_fpm_sock)"
if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" # << keep the unix: prefix!
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
else
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
fi
# Prüfen, ob UI-Zert vorhanden ist
UI_CERT="/etc/ssl/ui/fullchain.pem"
UI_KEY="/etc/ssl/ui/privkey.pem"
SSL_ENABLED=0
[[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SSL_ENABLED=1
# Helper zum Bauen einer Site
# $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile
build_site(){
local host="$1" cert_dir="$2" outfile="$3"
local cert="${cert_dir}/fullchain.pem"
local key="${cert_dir}/privkey.pem"
TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl"
[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL"
render="$(cat "$TPL")"
cat > "$outfile" <<CONF
# --- ${host} : HTTP (ACME + Redirect) ---
server {
listen 80;
listen [::]:80;
server_name ${host};
# --------- Bausteine, die in das Template eingesetzt werden ---------
# (A) HTTP-Body, wenn KEIN SSL → App direkt über Port 80
HTTP_BODY_APP="$(cat <<'HTTP'
root ${APP_DIR}/public;
index index.php index.html;
access_log /var/log/nginx/${APP_USER}_access.log;
error_log /var/log/nginx/${APP_USER}_error.log;
client_max_body_size 25m;
location / { try_files $uri $uri/ /index.php?$query_string; }
location ~ \.php$ {
include snippets/fastcgi-php.conf;
__FASTCGI_PASS__
# ACME HTTP-01
location ^~ /.well-known/acme-challenge/ {
root ${ACME_ROOT};
allow all;
}
location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
HTTP
)"
# (B) HTTP-Body, wenn SSL → nur Redirect auf 443
HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;'
return 301 https://\$host\$request_uri;
}
# (C) kompletter SSL-Serverblock (wird nur eingefügt, wenn SSL aktiv)
SSL_BLOCK="$(cat <<'SSL'
# --- ${host} : HTTPS ---
server {
listen 443 ssl${NGINX_HTTP2_SUFFIX};
listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
server_name _;
server_name ${host};
ssl_certificate ${UI_CERT};
ssl_certificate_key ${UI_KEY};
ssl_certificate ${cert};
ssl_certificate_key ${key};
ssl_protocols TLSv1.2 TLSv1.3;
root ${APP_DIR}/public;
index index.php index.html;
access_log /var/log/nginx/${APP_USER}_ssl_access.log;
error_log /var/log/nginx/${APP_USER}_ssl_error.log;
access_log /var/log/nginx/${host}_ssl_access.log;
error_log /var/log/nginx/${host}_ssl_error.log;
client_max_body_size 25m;
location / { try_files $uri $uri/ /index.php?$query_string; }
location ~ \.php$ {
location / { try_files \$uri \$uri/ /index.php?\$query_string; }
location ~ \.php\$ {
include snippets/fastcgi-php.conf;
__FASTCGI_PASS__
${FASTCGI_PASS}
}
location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
# WebSocket: Laravel Reverb
location /ws/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header Host \$host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/;
@ -112,40 +107,202 @@ server {
# Reverb HTTP API
location /apps/ {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Host \$host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/apps/;
}
CONF
if [[ "$DEV_MODE" = "1" ]]; then
cat >> "$outfile" <<'CONF'
# DEV: Vite-Proxy
location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
location ^~ /resources/ { proxy_pass http://127.0.0.1:5173/resources/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
CONF
fi
echo "}" >> "$outfile"
}
SSL
)"
# --------- Platzhalter ersetzen ---------
if [[ $SSL_ENABLED -eq 1 ]]; then
render="${render/__HTTP_BODY__/$HTTP_BODY_REDIRECT}"
render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}"
# Sites erzeugen
UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
build_site "$UI_HOST" "/etc/ssl/ui" "$UI_SITE"
build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
ln -sf "$UI_SITE" "/etc/nginx/sites-enabled/ui-mailwolt.conf"
ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
# Real-IP nur, wenn Proxy davor
if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then
cat > /etc/nginx/conf.d/realip.conf <<NGX
real_ip_header X-Forwarded-For;
set_real_ip_from ${NPM_IP};
real_ip_recursive on;
NGX
else
render="${render/__HTTP_BODY__/$HTTP_BODY_APP}"
# HTTPS-Block komplett entfernen
render="${render/__SSL_SERVER_BLOCK__/}"
rm -f /etc/nginx/conf.d/realip.conf || true
fi
# Variablen & __FASTCGI_PASS__ im fertigen Render ersetzen
render="$(echo "$render" \
| sed "s|\${APP_DIR}|${APP_DIR}|g; s|\${APP_USER}|${APP_USER}|g; \
s|\${UI_CERT}|${UI_CERT}|g; s|\${UI_KEY}|${UI_KEY}|g; \
s|\${NGINX_HTTP2_SUFFIX}|${NGINX_HTTP2_SUFFIX}|g; \
s|__FASTCGI_PASS__|${FASTCGI_PASS}|g")"
# Schreiben/aktivieren
echo "$render" > "$NGINX_SITE"
ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK"
# Test & reload
if nginx -t; then
systemctl enable --now nginx >/dev/null 2>&1 || true
systemctl reload nginx || true
else
die "nginx -t fehlgeschlagen siehe /var/log/nginx/*.log"
fi
fi
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Nginx konfigurieren …"
#
#ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
#
#NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
#NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
#ACME_ROOT="/var/www/letsencrypt"
#install -d -m 0755 "$ACME_ROOT"
#
## Default-Sites konsequent entfernen (verhindert doppelten default_server)
#rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
#
## HTTP/2 prüfen
#NGINX_HTTP2_SUFFIX=""
#if nginx -V 2>&1 | grep -q http_v2; then
# NGINX_HTTP2_SUFFIX=" http2"
#fi
#
## PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
#detect_php_fpm_sock(){
# for v in 8.3 8.2 8.1 8.0 7.4; do
# s="/run/php/php${v}-fpm.sock"
# [[ -S "$s" ]] && { echo "unix:${s}"; return; }
# done
# [[ -S "/run/php/php-fpm.sock" ]] && { echo "unix:/run/php/php-fpm.sock"; return; }
# echo "127.0.0.1:9000"
#}
#PHP_FPM_TARGET="$(detect_php_fpm_sock)"
#if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" # << keep the unix: prefix!
#else
# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
#fi
#
## Prüfen, ob UI-Zert vorhanden ist
#UI_CERT="/etc/ssl/ui/fullchain.pem"
#UI_KEY="/etc/ssl/ui/privkey.pem"
#SSL_ENABLED=0
#[[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SSL_ENABLED=1
#
#TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl"
#[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL"
#render="$(cat "$TPL")"
#
## --------- Bausteine, die in das Template eingesetzt werden ---------
#
## (A) HTTP-Body, wenn KEIN SSL → App direkt über Port 80
#HTTP_BODY_APP="$(cat <<'HTTP'
# root ${APP_DIR}/public;
# index index.php index.html;
#
# access_log /var/log/nginx/${APP_USER}_access.log;
# error_log /var/log/nginx/${APP_USER}_error.log;
#
# client_max_body_size 25m;
#
# location / { try_files $uri $uri/ /index.php?$query_string; }
# location ~ \.php$ {
# include snippets/fastcgi-php.conf;
# __FASTCGI_PASS__
# }
# location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
# location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
#HTTP
#)"
#
## (B) HTTP-Body, wenn SSL → nur Redirect auf 443
#HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;'
#
## (C) kompletter SSL-Serverblock (wird nur eingefügt, wenn SSL aktiv)
#SSL_BLOCK="$(cat <<'SSL'
#server {
# listen 443 ssl${NGINX_HTTP2_SUFFIX};
# listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
# server_name _;
#
# ssl_certificate ${UI_CERT};
# ssl_certificate_key ${UI_KEY};
# ssl_protocols TLSv1.2 TLSv1.3;
#
# root ${APP_DIR}/public;
# index index.php index.html;
#
# access_log /var/log/nginx/${APP_USER}_ssl_access.log;
# error_log /var/log/nginx/${APP_USER}_ssl_error.log;
#
# client_max_body_size 25m;
#
# location / { try_files $uri $uri/ /index.php?$query_string; }
# location ~ \.php$ {
# include snippets/fastcgi-php.conf;
# __FASTCGI_PASS__
# }
# location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
# location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
#
# # WebSocket: Laravel Reverb
# location /ws/ {
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# proxy_set_header Host $host;
# proxy_read_timeout 60s;
# proxy_send_timeout 60s;
# proxy_pass http://127.0.0.1:8080/;
# }
#
# # Reverb HTTP API
# location /apps/ {
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_read_timeout 60s;
# proxy_send_timeout 60s;
# proxy_pass http://127.0.0.1:8080/apps/;
# }
#}
#SSL
#)"
#
## --------- Platzhalter ersetzen ---------
#if [[ $SSL_ENABLED -eq 1 ]]; then
# render="${render/__HTTP_BODY__/$HTTP_BODY_REDIRECT}"
# render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}"
#else
# render="${render/__HTTP_BODY__/$HTTP_BODY_APP}"
# # HTTPS-Block komplett entfernen
# render="${render/__SSL_SERVER_BLOCK__/}"
#fi
#
## Variablen & __FASTCGI_PASS__ im fertigen Render ersetzen
#render="$(echo "$render" \
# | sed "s|\${APP_DIR}|${APP_DIR}|g; s|\${APP_USER}|${APP_USER}|g; \
# s|\${UI_CERT}|${UI_CERT}|g; s|\${UI_KEY}|${UI_KEY}|g; \
# s|\${NGINX_HTTP2_SUFFIX}|${NGINX_HTTP2_SUFFIX}|g; \
# s|__FASTCGI_PASS__|${FASTCGI_PASS}|g")"
#
## Schreiben/aktivieren
#echo "$render" > "$NGINX_SITE"
#ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK"
#
## Test & reload
#if nginx -t; then
# systemctl enable --now nginx >/dev/null 2>&1 || true
# systemctl reload nginx || true
#else
# die "nginx -t fehlgeschlagen siehe /var/log/nginx/*.log"
#fi

76
scripts/75-le-issue.sh Normal file
View File

@ -0,0 +1,76 @@
#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
ACME_WEBROOT="/var/www/letsencrypt"
resolve_ok() {
local host="$1"
getent ahosts "$host" | awk '{print $1}' | sort -u | grep -q -F "$SERVER_PUBLIC_IPV4"
}
issue() {
local host="$1"
echo "[i] Versuche LE für ${host}"
if ! resolve_ok "$host"; then
echo "[!] DNS zeigt (noch) nicht auf diese IP überspringe: ${host}"
return 0
fi
certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
--non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" || true
}
if [[ "$BASE_DOMAIN" != "example.com" ]]; then
issue "$UI_HOST"
issue "$WEBMAIL_HOST"
issue "$MAIL_HOSTNAME"
# Hook verlinkt automatisch; reload nginx:
systemctl reload nginx || true
else
echo "[i] BASE_DOMAIN=example.com LE-Ausstellung wird übersprungen."
fi
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
## Falls du auch UI/Webmail am Backend ausstellen willst, setz diese Flags vor dem Installer:
## ISSUE_UI_CERT=1 ISSUE_WEBMAIL_CERT=1 ./install.sh
#ISSUE_UI_CERT="${ISSUE_UI_CERT:-0}"
#ISSUE_WEBMAIL_CERT="${ISSUE_WEBMAIL_CERT:-0}"
#
#ACME_WEBROOT="/var/www/letsencrypt"
#install -d -m 0755 "$ACME_WEBROOT"
#
## nginx muss bereits laufen (Step 70), und die Location für /.well-known muss existieren.
#
#issue_if_points_here() {
# local host="$1"
# [[ -z "$host" ]] && return 0
# # prüfe, ob A/AAAA auf unsere erkannte Public IP zeigen
# local want_ip="${SERVER_PUBLIC_IPV4:-$(hostname -I | awk '{print $1}')}"
# local has_ip; has_ip="$(getent ahosts "$host" | awk '{print $1}' | sort -u | head -n1 || true)"
# if [[ "$has_ip" != "$want_ip" ]]; then
# log "DNS von $host zeigt auf $has_ip (nicht $want_ip) überspringe HTTP-01 hier."
# return 0
# fi
#
# log "Fordere LE-Zertifikat an für ${host} …"
# certbot certonly --agree-tos \
# -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
# --non-interactive \
# --webroot -w "$ACME_WEBROOT" \
# -d "$host" || true
#}
#
## In deiner Topologie holt NPM die UI/Webmail-Zerts → hier nur MX
#if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
# issue_if_points_here "${MAIL_HOSTNAME:-}"
#
# # Optional nur wenn explizit freigegeben:
# [[ "$ISSUE_UI_CERT" = "1" ]] && issue_if_points_here "${UI_HOST:-}"
# [[ "$ISSUE_WEBMAIL_CERT" = "1" ]] && issue_if_points_here "${WEBMAIL_HOST:-}"
#fi
#
## Nach erfolgreicher Ausstellung sofort die stabilen Pfade verlinken (Deploy-Hook nutzen)
#bash /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh || true

15
scripts/80-app.sh
View File

@ -57,10 +57,18 @@ fi
# --- .env schreiben (vollständig wie vorher) --------------------------------
upsert_env APP_URL "${APP_URL_VAL}"
if [[ "$PROXY_MODE" -eq 1 ]]; then
TP_LIST="127.0.0.1,::1"
[[ -n "$NPM_IP" ]] && TP_LIST="${TP_LIST},${NPM_IP}"
upsert_env TRUSTED_PROXIES "$TP_LIST"
upsert_env TRUSTED_HEADERS "x-forwarded-all"
else
upsert_env TRUSTED_PROXIES ""
upsert_env TRUSTED_HEADERS "x-forwarded-all"
fi
upsert_env APP_HOST "${APP_HOST_VAL}"
upsert_env APP_ADMIN_USER "${ADMIN_USER}"
upsert_env APP_ADMIN_EMAIL "${ADMIN_EMAIL}"
upsert_env APP_ADMIN_PASS "${ADMIN_PASS}"
upsert_env APP_NAME "${APP_NAME}"
upsert_env APP_ENV "${APP_ENV:-production}"
upsert_env APP_DEBUG "${APP_DEBUG:-false}"
@ -81,7 +89,6 @@ fi
upsert_env BASE_DOMAIN "${BASE_DOMAIN}"
upsert_env UI_SUB "${UI_SUB}"
upsert_env WEBMAIL_SUB "${WEBMAIL_SUB}"
upsert_env SYSTEM_SUB "${SYSTEM_SUB}"
upsert_env MTA_SUB "${MTA_SUB}"
upsert_env LE_EMAIL "${LE_EMAIL:-admin@${BASE_DOMAIN}}"

49
scripts/bootstrap.sh
View File

@ -1,5 +1,23 @@
#!/usr/bin/env bash
set -euo pipefail
# --- Flags / Modi ---
DEV_MODE=0
PROXY_MODE=0
NPM_IP=""
while [[ $# -gt 0 ]]; do
case "$1" in
-dev) DEV_MODE=1 ;;
-proxy) PROXY_MODE=1; NPM_IP="${2:-}"; shift ;;
esac
shift
done
APP_ENV="${APP_ENV:-$([[ $DEV_MODE -eq 1 ]] && echo local || echo production)}"
APP_DEBUG="${APP_DEBUG:-$([[ $DEV_MODE -eq 1 ]] && echo true || echo false)}"
export DEV_MODE PROXY_MODE NPM_IP APP_ENV APP_DEBUG
cd "$(dirname "$0")"
source ./lib.sh
require_root
@ -16,11 +34,6 @@ BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
UI_SUB="${UI_SUB:-ui}"
WEBMAIL_SUB="${WEBMAIL_SUB:-webmail}"
MTA_SUB="${MTA_SUB:-mx}"
SYSTEM_SUB="${SYSTEM_SUB:-system}"
ADMIN_USER="${ADMIN_USER:-${APP_USER}}"
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@localhost}"
ADMIN_PASS="${ADMIN_PASS:-ChangeMe}"
DB_NAME="${DB_NAME:-${APP_USER}}"
DB_USER="${DB_USER:-${APP_USER}}"
@ -33,28 +46,26 @@ DEFAULT_LOCALE="$(guess_locale_from_tz "$DEFAULT_TZ")"
echo -e "${GREY}Erkannte IP (v4): ${SERVER_PUBLIC_IPV4} v6: ${SERVER_PUBLIC_IPV6:-}${NC}"
read -r -p "Basisdomain (Enter=${BASE_DOMAIN}): " INP; BASE_DOMAIN="${INP:-$BASE_DOMAIN}"
read -r -p "UI Subdomain (Enter=${UI_SUB}): " INP; UI_SUB="${INP:-$UI_SUB}"
read -r -p "Webmail Subdomain (Enter=${WEBMAIL_SUB}): " INP; WEBMAIL_SUB="${INP:-$WEBMAIL_SUB}"
read -r -p "Mailserver Subdomain (Enter=${MTA_SUB}): " INP; MTA_SUB="${INP:-$MTA_SUB}"
read -r -p "Mailserver FQDN (z.B. mx.domain.tld) [Enter=${MTA_SUB}.${BASE_DOMAIN}]: " MAIL_FQDN
MAIL_FQDN="${MAIL_FQDN:-${MTA_SUB}.${BASE_DOMAIN}}"
read -r -p "Zeitzone (Enter=${DEFAULT_TZ}): " INP; APP_TZ="${INP:-$DEFAULT_TZ}"
read -r -p "Sprache [de/en] (Enter=${DEFAULT_LOCALE}): " INP; APP_LOCALE="${INP:-$DEFAULT_LOCALE}"
if [[ "$MAIL_FQDN" =~ ^([^.]+)\.(.+)$ ]]; then
MTA_SUB="${BASH_REMATCH[1]}"
BASE_DOMAIN="${BASH_REMATCH[2]}"
fi
UI_HOST="$(join_host "$UI_SUB" "$BASE_DOMAIN")"
WEBMAIL_HOST="$(join_host "$WEBMAIL_SUB" "$BASE_DOMAIN")"
MAIL_HOSTNAME="$(join_host "$MTA_SUB" "$BASE_DOMAIN")"
SYSTEM_HOSTNAME="$(join_host "$SYSTEM_SUB" "$BASE_DOMAIN")"
UI_HOST="${UI_SUB}.${BASE_DOMAIN}"
WEBMAIL_HOST="${WEBMAIL_SUB}.${BASE_DOMAIN}"
MAIL_HOSTNAME="${MAIL_FQDN}"
export APP_NAME APP_USER APP_GROUP APP_USER_PREFIX APP_DIR
export BASE_DOMAIN UI_SUB WEBMAIL_SUB MTA_SUB SYSTEM_SUB
export UI_HOST WEBMAIL_HOST MAIL_HOSTNAME SYSTEM_HOSTNAME
export ADMIN_USER ADMIN_EMAIL ADMIN_PASS
export BASE_DOMAIN UI_SUB WEBMAIL_SUB MTA_SUB
export UI_HOST WEBMAIL_HOST MAIL_HOSTNAME
export DB_NAME DB_USER DB_PASS
export SERVER_PUBLIC_IPV4 SERVER_PUBLIC_IPV6 APP_TZ APP_LOCALE
# ── Sequenz ────────────────────────────────────────────────────────────────
for STEP in 10-provision 20-ssl 30-db 40-postfix 50-dovecot 60-rspamd-opendkim 70-nginx 80-app 90-services 95-monit 98-motd 99-summary
for STEP in 10-provision 20-ssl 21-le-deploy-hook 30-db 40-postfix 50-dovecot 60-rspamd-opendkim 70-nginx 75-le-issue 80-app 90-services 95-monit 98-motd 99-summary
do
log ">>> Running ${STEP}.sh"
bash "./${STEP}.sh"

1
scripts/lib.sh
View File

@ -28,7 +28,6 @@ require_root(){ [[ "$(id -u)" -eq 0 ]] || die "Bitte als root ausführen."; }
: "${UI_SUB:=ui}"
: "${WEBMAIL_SUB:=webmail}"
: "${MTA_SUB:=mx}"
: "${SYSTEM_SUB:=system}"
# DB / Redis (werden später durch .env überschrieben)
: "${DB_NAME:=${APP_USER}}"