diff --git a/scripts/21-le-deploy-hook.sh b/scripts/21-le-deploy-hook.sh
new file mode 100644
index 0000000..013f2b9
--- /dev/null
+++ b/scripts/21-le-deploy-hook.sh
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+set -euo pipefail
+source ./lib.sh
+
+install -d /etc/letsencrypt/renewal-hooks/deploy
+
+cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
+#!/usr/bin/env bash
+set -euo pipefail
+UI_SSL_DIR="/etc/ssl/ui"
+WEBMAIL_SSL_DIR="/etc/ssl/webmail"
+MAIL_SSL_DIR="/etc/ssl/mail"
+
+UI_HOST="${UI_HOST}"
+WEBMAIL_HOST="${WEBMAIL_HOST}"
+MX_HOST="${MAIL_HOSTNAME}"
+
+UI_LE="/etc/letsencrypt/live/${UI_HOST}"
+WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
+MX_LE="/etc/letsencrypt/live/${MX_HOST}"
+
+link_if() {
+ local le_base="$1" target_dir="$2"
+ local cert="${le_base}/fullchain.pem"
+ local key="${le_base}/privkey.pem"
+ if [ -f "$cert" ] && [ -f "$key" ]; then
+ install -d -m 0755 "$target_dir"
+ ln -sf "$cert" "${target_dir}/fullchain.pem"
+ ln -sf "$key" "${target_dir}/privkey.pem"
+ echo "[+] Linked ${target_dir} -> ${le_base}"
+ fi
+}
+link_if "$UI_LE" "$UI_SSL_DIR"
+link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
+link_if "$MX_LE" "$MAIL_SSL_DIR"
+
+# Dienste neu laden
+systemctl reload nginx || true
+systemctl reload postfix dovecot || true
+HOOK
+
+chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#UI_SSL_DIR="/etc/ssl/ui"
+#WEBMAIL_SSL_DIR="/etc/ssl/webmail"
+#MAIL_SSL_DIR="/etc/ssl/mail"
+#
+#UI_HOST="${UI_HOST:-}"
+#WEBMAIL_HOST="${WEBMAIL_HOST:-}"
+#MX_HOST="${MAIL_HOSTNAME:-}"
+#
+#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
+#
+## Hook-Datei, die Certbot nach jeder Erneuerung ausführt
+#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
+##!/usr/bin/env bash
+#set -euo pipefail
+#
+#UI_SSL_DIR="/etc/ssl/ui"
+#WEBMAIL_SSL_DIR="/etc/ssl/webmail"
+#MAIL_SSL_DIR="/etc/ssl/mail"
+#
+#UI_HOST="${UI_HOST}"
+#WEBMAIL_HOST="${WEBMAIL_HOST}"
+#MX_HOST="${MAIL_HOSTNAME}"
+#
+#link_if() {
+# local host="$1" target_dir="$2"
+# [[ -z "$host" ]] && return 0
+# local le="/etc/letsencrypt/live/${host}"
+# local cert="${le}/fullchain.pem"
+# local key="${le}/privkey.pem"
+# [[ -f "$cert" && -f "$key" ]] || return 0
+# install -d -m 0755 "$target_dir"
+# ln -sf "$cert" "${target_dir}/fullchain.pem"
+# ln -sf "$key" "${target_dir}/privkey.pem"
+# echo "[+] Linked ${target_dir} -> ${le}"
+#}
+#
+#link_if "$UI_HOST" "$UI_SSL_DIR"
+#link_if "$WEBMAIL_HOST" "$WEBMAIL_SSL_DIR"
+#link_if "$MX_HOST" "$MAIL_SSL_DIR"
+#
+#systemctl reload nginx || true
+#systemctl reload postfix || true
+#systemctl reload dovecot || true
+#HOOK
+#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
\ No newline at end of file
diff --git a/scripts/70-nginx.sh b/scripts/70-nginx.sh
index fe271ec..736ad94 100644
--- a/scripts/70-nginx.sh
+++ b/scripts/70-nginx.sh
@@ -4,10 +4,16 @@ source ./lib.sh
 log "Nginx konfigurieren …"
-ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+# Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks)
+DEV_MODE="${DEV_MODE:-0}" # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
+PROXY_MODE="${PROXY_MODE:-0}" # 1 = NPM/Proxy davor
+NPM_IP="${NPM_IP:-}" # z.B. 10.10.20.20
+
+# Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR
+: "${UI_HOST:?UI_HOST fehlt}"
+: "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
+: "${APP_DIR:?APP_DIR fehlt}"
-NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
-NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
 ACME_ROOT="/var/www/letsencrypt"
 install -d -m 0755 "$ACME_ROOT"
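Review bot: The hook body is written through a quoted heredoc (`<<'HOOK'`), so `UI_HOST="${UI_HOST}"`, `WEBMAIL_HOST="${WEBMAIL_HOST}"` and `MX_HOST="${MAIL_HOSTNAME}"` are not expanded at install time but when certbot runs the hook from its timer, where the installer's variables are not in the environment; with the hook's own `set -euo pipefail` that is an unbound-variable abort on every renewal, so the `/etc/ssl/*` links are never refreshed and `nginx`/`postfix`/`dovecot` are never reloaded. Bake the three values into the file at install time instead, for example by emitting them with `printf '%q'` ahead of the literal heredoc body as below. The hook is also run by certbot for every renewed lineage; since `ln -sf` is idempotent that is harmless, but a `[[ -n "${RENEWED_LINEAGE:-}" ]]` check would let it skip unrelated certificates. The roughly fifty lines of the previous implementation kept as `#`-comments at the end of the file should be deleted rather than shipped, since they duplicate the same expansion mistake.
```shell
HOOK_FILE=/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
{
  printf '#!/usr/bin/env bash\nset -euo pipefail\n'
  # expanded here, at install time: certbot's timer does not carry the installer's variables
  printf 'UI_HOST=%q\nWEBMAIL_HOST=%q\nMX_HOST=%q\n' "$UI_HOST" "$WEBMAIL_HOST" "$MAIL_HOSTNAME"
  cat <<'HOOK'
# … unchanged: *_SSL_DIR and *_LE assignments, link_if, the three link_if calls, service reloads …
HOOK
} > "$HOOK_FILE"
chmod 0755 "$HOOK_FILE"
```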
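Review bot: Removing `NGINX_SITE`/`NGINX_SITE_LINK` drops the only reference to `/etc/nginx/sites-enabled/${APP_USER}.conf`, but nothing in the patch deletes that file, so on a host installed with the previous version the old vhost (a catch-all `server_name _;` site, judging by the commented copy further down the file) stays enabled next to the new per-host sites and keeps answering for unmatched names with the UI certificate and PHP root. Add `rm -f "/etc/nginx/sites-enabled/${APP_USER}.conf" "/etc/nginx/sites-available/${APP_USER}.conf"` right after the `install -d -m 0755 "$ACME_ROOT"` context line. The `NPM_IP` fallback is accepted as an arbitrary string here and later interpolated into nginx configuration; a guard such as `[[ -z "$NPM_IP" || "$NPM_IP" =~ ^[0-9a-fA-F.:]+(/[0-9]{1,3})?$ ]] || die "NPM_IP ungültig: $NPM_IP"` at this point would stop a typo from producing an invalid or overly broad trusted-proxy entry.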
@@ -31,79 +37,68 @@ detect_php_fpm_sock(){ } PHP_FPM_TARGET="$(detect_php_fpm_sock)" if [[ "$PHP_FPM_TARGET" == unix:* ]]; then - FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" # << keep the unix: prefix! + FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" else FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" fi -# Prüfen, ob UI-Zert vorhanden ist -UI_CERT="/etc/ssl/ui/fullchain.pem" -UI_KEY="/etc/ssl/ui/privkey.pem" -SSL_ENABLED=0 -[[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SSL_ENABLED=1 +# Helper zum Bauen einer Site +# $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile +build_site(){ + local host="$1" cert_dir="$2" outfile="$3" + local cert="${cert_dir}/fullchain.pem" + local key="${cert_dir}/privkey.pem" -TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl" -[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL" -render="$(cat "$TPL")" + cat > "$outfile" <> "$outfile" <<'CONF' + # DEV: Vite-Proxy + location ^~ /@vite/ { proxy_pass http://127.0.0.1:5173/@vite/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; } + location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; } + location ^~ /resources/ { proxy_pass http://127.0.0.1:5173/resources/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; } +CONF + fi + + echo "}" >> "$outfile" } -SSL -)" -# --------- Platzhalter ersetzen --------- -if [[ $SSL_ENABLED -eq 1 ]]; then - render="${render/__HTTP_BODY__/$HTTP_BODY_REDIRECT}" - render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}" +# Sites erzeugen +UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf" +WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf" + +build_site "$UI_HOST" "/etc/ssl/ui" "$UI_SITE" +build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE" + +ln -sf "$UI_SITE" "/etc/nginx/sites-enabled/ui-mailwolt.conf" +ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf" + +# Real-IP nur, wenn 
Proxy davor +if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then + cat > /etc/nginx/conf.d/realip.conf < "$NGINX_SITE" -ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK" - # Test & reload if nginx -t; then systemctl enable --now nginx >/dev/null 2>&1 || true systemctl reload nginx || true else die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log" -fi \ No newline at end of file +fi + +##!/usr/bin/env bash +#set -euo pipefail +#source ./lib.sh +# +#log "Nginx konfigurieren …" +# +#ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +# +#NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf" +#NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf" +#ACME_ROOT="/var/www/letsencrypt" +#install -d -m 0755 "$ACME_ROOT" +# +## Default-Sites konsequent entfernen (verhindert doppelten default_server) +#rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true +# +## HTTP/2 prüfen +#NGINX_HTTP2_SUFFIX="" +#if nginx -V 2>&1 | grep -q http_v2; then +# NGINX_HTTP2_SUFFIX=" http2" +#fi +# +## PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen +#detect_php_fpm_sock(){ +# for v in 8.3 8.2 8.1 8.0 7.4; do +# s="/run/php/php${v}-fpm.sock" +# [[ -S "$s" ]] && { echo "unix:${s}"; return; } +# done +# [[ -S "/run/php/php-fpm.sock" ]] && { echo "unix:/run/php/php-fpm.sock"; return; } +# echo "127.0.0.1:9000" +#} +#PHP_FPM_TARGET="$(detect_php_fpm_sock)" +#if [[ "$PHP_FPM_TARGET" == unix:* ]]; then +# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" # << keep the unix: prefix! 
+#else +# FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};" +#fi +# +## Prüfen, ob UI-Zert vorhanden ist +#UI_CERT="/etc/ssl/ui/fullchain.pem" +#UI_KEY="/etc/ssl/ui/privkey.pem" +#SSL_ENABLED=0 +#[[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SSL_ENABLED=1 +# +#TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl" +#[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL" +#render="$(cat "$TPL")" +# +## --------- Bausteine, die in das Template eingesetzt werden --------- +# +## (A) HTTP-Body, wenn KEIN SSL → App direkt über Port 80 +#HTTP_BODY_APP="$(cat <<'HTTP' +# root ${APP_DIR}/public; +# index index.php index.html; +# +# access_log /var/log/nginx/${APP_USER}_access.log; +# error_log /var/log/nginx/${APP_USER}_error.log; +# +# client_max_body_size 25m; +# +# location / { try_files $uri $uri/ /index.php?$query_string; } +# location ~ \.php$ { +# include snippets/fastcgi-php.conf; +# __FASTCGI_PASS__ +# } +# location ^~ /livewire/ { try_files $uri /index.php?$query_string; } +# location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; } +#HTTP +#)" +# +## (B) HTTP-Body, wenn SSL → nur Redirect auf 443 +#HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;' +# +## (C) kompletter SSL-Serverblock (wird nur eingefügt, wenn SSL aktiv) +#SSL_BLOCK="$(cat <<'SSL' +#server { +# listen 443 ssl${NGINX_HTTP2_SUFFIX}; +# listen [::]:443 ssl${NGINX_HTTP2_SUFFIX}; +# server_name _; +# +# ssl_certificate ${UI_CERT}; +# ssl_certificate_key ${UI_KEY}; +# ssl_protocols TLSv1.2 TLSv1.3; +# +# root ${APP_DIR}/public; +# index index.php index.html; +# +# access_log /var/log/nginx/${APP_USER}_ssl_access.log; +# error_log /var/log/nginx/${APP_USER}_ssl_error.log; +# +# client_max_body_size 25m; +# +# location / { try_files $uri $uri/ /index.php?$query_string; } +# location ~ \.php$ { +# include snippets/fastcgi-php.conf; +# __FASTCGI_PASS__ +# } +# location ^~ /livewire/ { try_files $uri /index.php?$query_string; } +# location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; 
access_log off; } +# +# # WebSocket: Laravel Reverb +# location /ws/ { +# proxy_http_version 1.1; +# proxy_set_header Upgrade $http_upgrade; +# proxy_set_header Connection "Upgrade"; +# proxy_set_header Host $host; +# proxy_read_timeout 60s; +# proxy_send_timeout 60s; +# proxy_pass http://127.0.0.1:8080/; +# } +# +# # Reverb HTTP API +# location /apps/ { +# proxy_http_version 1.1; +# proxy_set_header Host $host; +# proxy_read_timeout 60s; +# proxy_send_timeout 60s; +# proxy_pass http://127.0.0.1:8080/apps/; +# } +#} +#SSL +#)" +# +## --------- Platzhalter ersetzen --------- +#if [[ $SSL_ENABLED -eq 1 ]]; then +# render="${render/__HTTP_BODY__/$HTTP_BODY_REDIRECT}" +# render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}" +#else +# render="${render/__HTTP_BODY__/$HTTP_BODY_APP}" +# # HTTPS-Block komplett entfernen +# render="${render/__SSL_SERVER_BLOCK__/}" +#fi +# +## Variablen & __FASTCGI_PASS__ im fertigen Render ersetzen +#render="$(echo "$render" \ +# | sed "s|\${APP_DIR}|${APP_DIR}|g; s|\${APP_USER}|${APP_USER}|g; \ +# s|\${UI_CERT}|${UI_CERT}|g; s|\${UI_KEY}|${UI_KEY}|g; \ +# s|\${NGINX_HTTP2_SUFFIX}|${NGINX_HTTP2_SUFFIX}|g; \ +# s|__FASTCGI_PASS__|${FASTCGI_PASS}|g")" +# +## Schreiben/aktivieren +#echo "$render" > "$NGINX_SITE" +#ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK" +# +## Test & reload +#if nginx -t; then +# systemctl enable --now nginx >/dev/null 2>&1 || true +# systemctl reload nginx || true +#else +# die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log" +#fi \ No newline at end of file diff --git a/scripts/75-le-issue.sh b/scripts/75-le-issue.sh new file mode 100644 index 0000000..7345210 --- /dev/null +++ b/scripts/75-le-issue.sh 
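Review bot: The `realip.conf` written under `PROXY_MODE=1` is never removed in the non-proxy case, so a host re-run with `PROXY_MODE=0` (or with a changed `NPM_IP`) keeps the earlier file in `/etc/nginx/conf.d/` and, assuming it holds `set_real_ip_from`/`real_ip_header` directives — the heredoc bodies are not visible in this rendering, so that is inferred — continues to accept client addresses forwarded from the old IP. Add an `else` branch that deletes the file and validate `NPM_IP` before interpolating it. The DEV branch proxies `/@vite/`, `/node_modules/` and `/resources/` to `127.0.0.1:5173` on the public vhost, and `DEV_MODE` is taken from the environment with only a `:-0` fallback; refusing `DEV_MODE=1` unless `APP_ENV` is `local` (`[[ "$DEV_MODE" -eq 1 && "${APP_ENV:-}" != local ]] && die …`) would keep a leaked variable from exposing the Vite dev server on a production host.
```shell
# Real-IP nur, wenn Proxy davor
if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then
  [[ "$NPM_IP" =~ ^[0-9a-fA-F.:]+(/[0-9]{1,3})?$ ]] || die "NPM_IP ungültig: $NPM_IP"
  cat > /etc/nginx/conf.d/realip.conf <<CONF
# … unchanged: real_ip directives for ${NPM_IP} …
CONF
else
  # stale trust from an earlier proxied install must not survive a non-proxy run
  rm -f /etc/nginx/conf.d/realip.conf
fi
```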
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -euo pipefail
+source ./lib.sh
+
+ACME_WEBROOT="/var/www/letsencrypt"
+
+resolve_ok() {
+ local host="$1"
+ getent ahosts "$host" | awk '{print $1}' | sort -u | grep -q -F "$SERVER_PUBLIC_IPV4"
+}
+
+issue() {
+ local host="$1"
+ echo "[i] Versuche LE für ${host} …"
+ if ! resolve_ok "$host"; then
+ echo "[!] DNS zeigt (noch) nicht auf diese IP – überspringe: ${host}"
+ return 0
+ fi
+ certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
+--non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" || true
+}
+
+if [[ "$BASE_DOMAIN" != "example.com" ]]; then
+ issue "$UI_HOST"
+ issue "$WEBMAIL_HOST"
+ issue "$MAIL_HOSTNAME"
+ # Hook verlinkt automatisch; reload nginx:
+ systemctl reload nginx || true
+else
+ echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
+fi
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+## Falls du auch UI/Webmail am Backend ausstellen willst, setz diese Flags vor dem Installer:
+## ISSUE_UI_CERT=1 ISSUE_WEBMAIL_CERT=1 ./install.sh
+#ISSUE_UI_CERT="${ISSUE_UI_CERT:-0}"
+#ISSUE_WEBMAIL_CERT="${ISSUE_WEBMAIL_CERT:-0}"
+#
+#ACME_WEBROOT="/var/www/letsencrypt"
+#install -d -m 0755 "$ACME_WEBROOT"
+#
+## nginx muss bereits laufen (Step 70), und die Location für /.well-known muss existieren.
+#
+#issue_if_points_here() {
+# local host="$1"
+# [[ -z "$host" ]] && return 0
+# # prüfe, ob A/AAAA auf unsere erkannte Public IP zeigen
+# local want_ip="${SERVER_PUBLIC_IPV4:-$(hostname -I | awk '{print $1}')}"
+# local has_ip; has_ip="$(getent ahosts "$host" | awk '{print $1}' | sort -u | head -n1 || true)"
+# if [[ "$has_ip" != "$want_ip" ]]; then
+# log "DNS von $host zeigt auf $has_ip (nicht $want_ip) – überspringe HTTP-01 hier."
+# return 0 +# fi +# +# log "Fordere LE-Zertifikat an für ${host} …" +# certbot certonly --agree-tos \ +# -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \ +# --non-interactive \ +# --webroot -w "$ACME_WEBROOT" \ +# -d "$host" || true +#} +# +## In deiner Topologie holt NPM die UI/Webmail-Zerts → hier nur MX +#if [[ "${BASE_DOMAIN}" != "example.com" ]]; then +# issue_if_points_here "${MAIL_HOSTNAME:-}" +# +# # Optional – nur wenn explizit freigegeben: +# [[ "$ISSUE_UI_CERT" = "1" ]] && issue_if_points_here "${UI_HOST:-}" +# [[ "$ISSUE_WEBMAIL_CERT" = "1" ]] && issue_if_points_here "${WEBMAIL_HOST:-}" +#fi +# +## Nach erfolgreicher Ausstellung sofort die stabilen Pfade verlinken (Deploy-Hook nutzen) +#bash /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh || true \ No newline at end of file diff --git a/scripts/80-app.sh b/scripts/80-app.sh index 5ead5f7..fcc3e3f 100644 --- a/scripts/80-app.sh +++ b/scripts/80-app.sh @@ -57,10 +57,18 @@ fi # --- .env schreiben (vollständig wie vorher) -------------------------------- upsert_env APP_URL "${APP_URL_VAL}" + +if [[ "$PROXY_MODE" -eq 1 ]]; then + TP_LIST="127.0.0.1,::1" + [[ -n "$NPM_IP" ]] && TP_LIST="${TP_LIST},${NPM_IP}" + upsert_env TRUSTED_PROXIES "$TP_LIST" + upsert_env TRUSTED_HEADERS "x-forwarded-all" +else + upsert_env TRUSTED_PROXIES "" + upsert_env TRUSTED_HEADERS "x-forwarded-all" +fi + upsert_env APP_HOST "${APP_HOST_VAL}" -upsert_env APP_ADMIN_USER "${ADMIN_USER}" -upsert_env APP_ADMIN_EMAIL "${ADMIN_EMAIL}" -upsert_env APP_ADMIN_PASS "${ADMIN_PASS}" upsert_env APP_NAME "${APP_NAME}" upsert_env APP_ENV "${APP_ENV:-production}" upsert_env APP_DEBUG "${APP_DEBUG:-false}" @@ -81,7 +89,6 @@ fi upsert_env BASE_DOMAIN "${BASE_DOMAIN}" upsert_env UI_SUB "${UI_SUB}" upsert_env WEBMAIL_SUB "${WEBMAIL_SUB}" -upsert_env SYSTEM_SUB "${SYSTEM_SUB}" upsert_env MTA_SUB "${MTA_SUB}" upsert_env LE_EMAIL "${LE_EMAIL:-admin@${BASE_DOMAIN}}" 
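Review bot: `resolve_ok` compares the resolved addresses with `grep -q -F "$SERVER_PUBLIC_IPV4"`, which is a substring test, so a name resolving to `10.0.0.10` or `110.0.0.1` passes for a server whose address is `10.0.0.1`, and an empty `SERVER_PUBLIC_IPV4` matches every line (an unset one aborts under `set -u` with no useful message). Use a whole-line match and assert the variable at the top of the file: `: "${SERVER_PUBLIC_IPV4:?SERVER_PUBLIC_IPV4 fehlt}"` and `… | grep -qxF -- "$SERVER_PUBLIC_IPV4"`. The comment `# Hook verlinkt automatisch` relies on certbot running the `renewal-hooks/deploy` directory on first issuance, which depends on the certbot version; the previous revision kept here as comments called `bash /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh || true` explicitly after issuing, and keeping that one line is cheaper than a first boot with no `/etc/ssl/*` links. `certbot certonly … || true` hides every failure; at least `echo "[!] certbot fehlgeschlagen für ${host}" >&2` in the failure path so the summary step has something to report.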
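Review bot: `[[ "$PROXY_MODE" -eq 1 ]]` and `$NPM_IP` are used here without the `${PROXY_MODE:-0}` / `${NPM_IP:-}` fallbacks that 70-nginx.sh adds, so running this step outside the new bootstrap fails under `set -u` (this file's header is outside the hunk, but the sibling scripts all use it) or, without `-u`, silently takes the non-proxy branch. Add `PROXY_MODE="${PROXY_MODE:-0}"` and `NPM_IP="${NPM_IP:-}"` before the block for consistency. With `PROXY_MODE=1` but `NPM_IP` empty, `TRUSTED_PROXIES` quietly becomes `127.0.0.1,::1`, so forwarded headers from the real proxy are ignored and the app sees the proxy's address and scheme; that combination should be a hard error (`die "PROXY_MODE=1 benötigt NPM_IP"`) rather than a silent downgrade. Removing `APP_ADMIN_PASS` and its `ChangeMe` default from `.env` is the right call.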
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index afbbbc3..084ae1f 100644 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -1,5 +1,23 @@ #!/usr/bin/env bash set -euo pipefail + +# --- Flags / Modi --- +DEV_MODE=0 +PROXY_MODE=0 +NPM_IP="" + +while [[ $# -gt 0 ]]; do + case "$1" in + -dev) DEV_MODE=1 ;; + -proxy) PROXY_MODE=1; NPM_IP="${2:-}"; shift ;; + esac + shift +done + +APP_ENV="${APP_ENV:-$([[ $DEV_MODE -eq 1 ]] && echo local || echo production)}" +APP_DEBUG="${APP_DEBUG:-$([[ $DEV_MODE -eq 1 ]] && echo true || echo false)}" +export DEV_MODE PROXY_MODE NPM_IP APP_ENV APP_DEBUG + cd "$(dirname "$0")" source ./lib.sh require_root @@ -16,11 +34,6 @@ BASE_DOMAIN="${BASE_DOMAIN:-example.com}" UI_SUB="${UI_SUB:-ui}" WEBMAIL_SUB="${WEBMAIL_SUB:-webmail}" MTA_SUB="${MTA_SUB:-mx}" -SYSTEM_SUB="${SYSTEM_SUB:-system}" - -ADMIN_USER="${ADMIN_USER:-${APP_USER}}" -ADMIN_EMAIL="${ADMIN_EMAIL:-admin@localhost}" -ADMIN_PASS="${ADMIN_PASS:-ChangeMe}" DB_NAME="${DB_NAME:-${APP_USER}}" DB_USER="${DB_USER:-${APP_USER}}" 
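Review bot: The option loop has no `*)` arm, so an unknown flag or a stray token is silently dropped, and `-proxy` given as the last argument yields `PROXY_MODE=1` with an empty `NPM_IP` (`${2:-}`) instead of an error; the later steps then configure a proxied host with no trusted upstream. Change the arm to `-proxy) PROXY_MODE=1; NPM_IP="${2:?-proxy benötigt eine IP}"; shift ;;` and add `*) echo "Unbekannte Option: $1" >&2; exit 2 ;;` (this runs before `source ./lib.sh`, so `die` is not available yet unless the parsing is moved below it). `-dev` also switches `APP_DEBUG=true` and `APP_ENV=local` by default, which is right for a workstation but must never be used on a reachable host; a one-line comment above `DEV_MODE=0` saying exactly that would save someone from learning it from a stack trace on a public page.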
@@ -33,28 +46,26 @@ DEFAULT_LOCALE="$(guess_locale_from_tz "$DEFAULT_TZ")" echo -e "${GREY}Erkannte IP (v4): ${SERVER_PUBLIC_IPV4} v6: ${SERVER_PUBLIC_IPV6:-–}${NC}" -read -r -p "Basisdomain (Enter=${BASE_DOMAIN}): " INP; BASE_DOMAIN="${INP:-$BASE_DOMAIN}" -read -r -p "UI Subdomain (Enter=${UI_SUB}): " INP; UI_SUB="${INP:-$UI_SUB}" -read -r -p "Webmail Subdomain (Enter=${WEBMAIL_SUB}): " INP; WEBMAIL_SUB="${INP:-$WEBMAIL_SUB}" -read -r -p "Mailserver Subdomain (Enter=${MTA_SUB}): " INP; MTA_SUB="${INP:-$MTA_SUB}" +read -r -p "Mailserver FQDN (z.B. mx.domain.tld) [Enter=${MTA_SUB}.${BASE_DOMAIN}]: " MAIL_FQDN +MAIL_FQDN="${MAIL_FQDN:-${MTA_SUB}.${BASE_DOMAIN}}" -read -r -p "Zeitzone (Enter=${DEFAULT_TZ}): " INP; APP_TZ="${INP:-$DEFAULT_TZ}" -read -r -p "Sprache [de/en] (Enter=${DEFAULT_LOCALE}): " INP; APP_LOCALE="${INP:-$DEFAULT_LOCALE}" +if [[ "$MAIL_FQDN" =~ ^([^.]+)\.(.+)$ ]]; then + MTA_SUB="${BASH_REMATCH[1]}" + BASE_DOMAIN="${BASH_REMATCH[2]}" +fi -UI_HOST="$(join_host "$UI_SUB" "$BASE_DOMAIN")" -WEBMAIL_HOST="$(join_host "$WEBMAIL_SUB" "$BASE_DOMAIN")" -MAIL_HOSTNAME="$(join_host "$MTA_SUB" "$BASE_DOMAIN")" -SYSTEM_HOSTNAME="$(join_host "$SYSTEM_SUB" "$BASE_DOMAIN")" +UI_HOST="${UI_SUB}.${BASE_DOMAIN}" +WEBMAIL_HOST="${WEBMAIL_SUB}.${BASE_DOMAIN}" +MAIL_HOSTNAME="${MAIL_FQDN}" export APP_NAME APP_USER APP_GROUP APP_USER_PREFIX APP_DIR -export BASE_DOMAIN UI_SUB WEBMAIL_SUB MTA_SUB SYSTEM_SUB -export UI_HOST WEBMAIL_HOST MAIL_HOSTNAME SYSTEM_HOSTNAME -export ADMIN_USER ADMIN_EMAIL ADMIN_PASS +export BASE_DOMAIN UI_SUB WEBMAIL_SUB MTA_SUB +export UI_HOST WEBMAIL_HOST MAIL_HOSTNAME export DB_NAME DB_USER DB_PASS export SERVER_PUBLIC_IPV4 SERVER_PUBLIC_IPV6 APP_TZ APP_LOCALE # ── Sequenz ──────────────────────────────────────────────────────────────── -for STEP in 10-provision 20-ssl 30-db 40-postfix 50-dovecot 60-rspamd-opendkim 70-nginx 80-app 90-services 95-monit 98-motd 99-summary +for STEP in 10-provision 20-ssl 21-le-deploy-hook 30-db 40-postfix 50-dovecot 
60-rspamd-opendkim 70-nginx 75-le-issue 80-app 90-services 95-monit 98-motd 99-summary do log ">>> Running ${STEP}.sh" bash "./${STEP}.sh" diff --git a/scripts/lib.sh b/scripts/lib.sh index e36d184..42cbdd7 100644 --- a/scripts/lib.sh +++ b/scripts/lib.sh @@ -28,7 +28,6 @@ require_root(){ [[ "$(id -u)" -eq 0 ]] || die "Bitte als root ausführen."; } : "${UI_SUB:=ui}" : "${WEBMAIL_SUB:=webmail}" : "${MTA_SUB:=mx}" -: "${SYSTEM_SUB:=system}" # DB / Redis (werden später durch .env überschrieben) : "${DB_NAME:=${APP_USER}}"
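Review bot: The prompts that assigned `APP_TZ` and `APP_LOCALE` are removed, but both names are still exported on the `export SERVER_PUBLIC_IPV4 SERVER_PUBLIC_IPV6 APP_TZ APP_LOCALE` line and `DEFAULT_TZ`/`DEFAULT_LOCALE` are still computed just above the hunk, so unless they are set somewhere outside this hunk the later steps now receive them unset; either restore `APP_TZ="${APP_TZ:-$DEFAULT_TZ}"` and `APP_LOCALE="${APP_LOCALE:-$DEFAULT_LOCALE}"` or drop the dead defaults. `MAIL_FQDN` is read interactively and flows into certbot `-d`, the nginx server names and the deploy hook without any syntax check, and `^([^.]+)\.(.+)$` makes `BASE_DOMAIN` everything after the first label, so `mx.mail.example.org` yields `ui.mail.example.org`; if that is intended, say so in the prompt, and in any case reject input that is not a hostname (`[[ "$MAIL_FQDN" =~ ^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$ ]] || die "Ungültiger FQDN: $MAIL_FQDN"`). The step order, with `21-le-deploy-hook` before `75-le-issue`, is what the hook needs.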