Laudende Default seite entfernen

2025-10-16 19:10:16 +02:00 · 2025-10-16 19:10:16 +02:00 · be85653c89
parent 55f59433a9
commit be85653c89
6 changed files with 436 additions and 94 deletions
--- a/scripts/21-le-deploy-hook.sh
+++ b/scripts/21-le-deploy-hook.sh
@ -0,0 +1,92 @@
 #!/usr/bin/env bash
 set -euo pipefail
 source ./lib.sh
 install -d /etc/letsencrypt/renewal-hooks/deploy
 cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
 #!/usr/bin/env bash
 set -euo pipefail
 UI_SSL_DIR="/etc/ssl/ui"
 WEBMAIL_SSL_DIR="/etc/ssl/webmail"
 MAIL_SSL_DIR="/etc/ssl/mail"
 UI_HOST="${UI_HOST}"
 WEBMAIL_HOST="${WEBMAIL_HOST}"
 MX_HOST="${MAIL_HOSTNAME}"
 UI_LE="/etc/letsencrypt/live/${UI_HOST}"
 WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
 MX_LE="/etc/letsencrypt/live/${MX_HOST}"
 link_if() {
  local le_base="$1" target_dir="$2"
  local cert="${le_base}/fullchain.pem"
  local key="${le_base}/privkey.pem"
  if [ -f "$cert" ] && [ -f "$key" ]; then
    install -d -m 0755 "$target_dir"
    ln -sf "$cert" "${target_dir}/fullchain.pem"
    ln -sf "$key"  "${target_dir}/privkey.pem"
    echo "[+] Linked ${target_dir} -> ${le_base}"
  fi
 }
 link_if "$UI_LE"      "$UI_SSL_DIR"
 link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
 link_if "$MX_LE"      "$MAIL_SSL_DIR"
 # Dienste neu laden
 systemctl reload nginx || true
 systemctl reload postfix dovecot || true
 HOOK
 chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
 ##!/usr/bin/env bash
 #set -euo pipefail
 #source ./lib.sh
 #
 #UI_SSL_DIR="/etc/ssl/ui"
 #WEBMAIL_SSL_DIR="/etc/ssl/webmail"
 #MAIL_SSL_DIR="/etc/ssl/mail"
 #
 #UI_HOST="${UI_HOST:-}"
 #WEBMAIL_HOST="${WEBMAIL_HOST:-}"
 #MX_HOST="${MAIL_HOSTNAME:-}"
 #
 #install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
 #
 ## Hook-Datei, die Certbot nach jeder Erneuerung ausführt
 #cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
 ##!/usr/bin/env bash
 #set -euo pipefail
 #
 #UI_SSL_DIR="/etc/ssl/ui"
 #WEBMAIL_SSL_DIR="/etc/ssl/webmail"
 #MAIL_SSL_DIR="/etc/ssl/mail"
 #
 #UI_HOST="${UI_HOST}"
 #WEBMAIL_HOST="${WEBMAIL_HOST}"
 #MX_HOST="${MAIL_HOSTNAME}"
 #
 #link_if() {
 #  local host="$1" target_dir="$2"
 #  [[ -z "$host" ]] && return 0
 #  local le="/etc/letsencrypt/live/${host}"
 #  local cert="${le}/fullchain.pem"
 #  local key="${le}/privkey.pem"
 #  [[ -f "$cert" && -f "$key" ]] || return 0
 #  install -d -m 0755 "$target_dir"
 #  ln -sf "$cert" "${target_dir}/fullchain.pem"
 #  ln -sf "$key"  "${target_dir}/privkey.pem"
 #  echo "[+] Linked ${target_dir} -> ${le}"
 #}
 #
 #link_if "$UI_HOST"      "$UI_SSL_DIR"
 #link_if "$WEBMAIL_HOST" "$WEBMAIL_SSL_DIR"
 #link_if "$MX_HOST"      "$MAIL_SSL_DIR"
 #
 #systemctl reload nginx || true
 #systemctl reload postfix || true
 #systemctl reload dovecot || true
 #HOOK
 #chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
--- a/scripts/70-nginx.sh
+++ b/scripts/70-nginx.sh
@ -4,10 +4,16 @@ source ./lib.sh
 log "Nginx konfigurieren …"
-ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+# Flags/Umgebung (kommen idealerweise aus bootstrap; hier Fallbacks)
 DEV_MODE="${DEV_MODE:-0}"           # 1 = DEV (Vite-Proxy aktiv), 0 = PROD
 PROXY_MODE="${PROXY_MODE:-0}"       # 1 = NPM/Proxy davor
 NPM_IP="${NPM_IP:-}"                # z.B. 10.10.20.20
 # Erwartet gesetzt: UI_HOST, WEBMAIL_HOST, APP_DIR
 : "${UI_HOST:?UI_HOST fehlt}"
 : "${WEBMAIL_HOST:?WEBMAIL_HOST fehlt}"
 : "${APP_DIR:?APP_DIR fehlt}"
 NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
 NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
 ACME_ROOT="/var/www/letsencrypt"
 install -d -m 0755 "$ACME_ROOT"
@ -31,79 +37,68 @@ detect_php_fpm_sock(){
 }
 PHP_FPM_TARGET="$(detect_php_fpm_sock)"
 if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
-  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"   # << keep the unix: prefix!
+  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
 else
  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
 fi
-# Prüfen, ob UI-Zert vorhanden ist
+# Helper zum Bauen einer Site
-UI_CERT="/etc/ssl/ui/fullchain.pem"
+# $1=host, $2=cert_dir (/etc/ssl/ui oder /etc/ssl/webmail), $3=outfile
-UI_KEY="/etc/ssl/ui/privkey.pem"
+build_site(){
-SSL_ENABLED=0
+  local host="$1" cert_dir="$2" outfile="$3"
-[[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SSL_ENABLED=1
+  local cert="${cert_dir}/fullchain.pem"
  local key="${cert_dir}/privkey.pem"
-TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl"
+  cat > "$outfile" <<CONF
-[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL"
+# --- ${host} : HTTP (ACME + Redirect) ---
-render="$(cat "$TPL")"
+server {
  listen 80;
  listen [::]:80;
  server_name ${host};
-# --------- Bausteine, die in das Template eingesetzt werden ---------
+  # ACME HTTP-01
-
+  location ^~ /.well-known/acme-challenge/ {
-# (A) HTTP-Body, wenn KEIN SSL → App direkt über Port 80
+    root ${ACME_ROOT};
-HTTP_BODY_APP="$(cat <<'HTTP'
+    allow all;
  root ${APP_DIR}/public;
  index index.php index.html;
  access_log /var/log/nginx/${APP_USER}_access.log;
  error_log  /var/log/nginx/${APP_USER}_error.log;
  client_max_body_size 25m;
  location / { try_files $uri $uri/ /index.php?$query_string; }
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    __FASTCGI_PASS__
  }
  location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
 HTTP
 )"
-# (B) HTTP-Body, wenn SSL → nur Redirect auf 443
+  return 301 https://\$host\$request_uri;
-HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;'
+}
-# (C) kompletter SSL-Serverblock (wird nur eingefügt, wenn SSL aktiv)
+# --- ${host} : HTTPS ---
 SSL_BLOCK="$(cat <<'SSL'
 server {
  listen 443 ssl${NGINX_HTTP2_SUFFIX};
  listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
-  server_name _;
+  server_name ${host};
-  ssl_certificate     ${UI_CERT};
+  ssl_certificate     ${cert};
-  ssl_certificate_key ${UI_KEY};
+  ssl_certificate_key ${key};
  ssl_protocols       TLSv1.2 TLSv1.3;
  root ${APP_DIR}/public;
  index index.php index.html;
-  access_log /var/log/nginx/${APP_USER}_ssl_access.log;
+  access_log /var/log/nginx/${host}_ssl_access.log;
-  error_log  /var/log/nginx/${APP_USER}_ssl_error.log;
+  error_log  /var/log/nginx/${host}_ssl_error.log;
  client_max_body_size 25m;
-  location / { try_files $uri $uri/ /index.php?$query_string; }
+  location / { try_files \$uri \$uri/ /index.php?\$query_string; }
-  location ~ \.php$ {
+
  location ~ \.php\$ {
    include snippets/fastcgi-php.conf;
-    __FASTCGI_PASS__
+    ${FASTCGI_PASS}
  }
-  location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
+
-  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
+  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
  # WebSocket: Laravel Reverb
  location /ws/ {
    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "Upgrade";
-    proxy_set_header Host $host;
+    proxy_set_header Host \$host;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_pass http://127.0.0.1:8080/;
@ -112,40 +107,202 @@ server {
  # Reverb HTTP API
  location /apps/ {
    proxy_http_version 1.1;
-    proxy_set_header Host $host;
+    proxy_set_header Host \$host;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_pass http://127.0.0.1:8080/apps/;
  }
 CONF
  if [[ "$DEV_MODE" = "1" ]]; then
    cat >> "$outfile" <<'CONF'
  # DEV: Vite-Proxy
  location ^~ /@vite/        { proxy_pass http://127.0.0.1:5173/@vite/;        proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
  location ^~ /node_modules/ { proxy_pass http://127.0.0.1:5173/node_modules/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
  location ^~ /resources/    { proxy_pass http://127.0.0.1:5173/resources/;    proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; }
 CONF
  fi
  echo "}" >> "$outfile"
 }
 SSL
 )"
-# --------- Platzhalter ersetzen ---------
+# Sites erzeugen
-if [[ $SSL_ENABLED -eq 1 ]]; then
+UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
-  render="${render/__HTTP_BODY__/$HTTP_BODY_REDIRECT}"
+WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
-  render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}"
+
 build_site "$UI_HOST"      "/etc/ssl/ui"      "$UI_SITE"
 build_site "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
 ln -sf "$UI_SITE"      "/etc/nginx/sites-enabled/ui-mailwolt.conf"
 ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
 # Real-IP nur, wenn Proxy davor
 if [[ "$PROXY_MODE" -eq 1 && -n "$NPM_IP" ]]; then
  cat > /etc/nginx/conf.d/realip.conf <<NGX
 real_ip_header X-Forwarded-For;
 set_real_ip_from ${NPM_IP};
 real_ip_recursive on;
 NGX
 else
-  render="${render/__HTTP_BODY__/$HTTP_BODY_APP}"
+  rm -f /etc/nginx/conf.d/realip.conf || true
  # HTTPS-Block komplett entfernen
  render="${render/__SSL_SERVER_BLOCK__/}"
 fi
 # Variablen & __FASTCGI_PASS__ im fertigen Render ersetzen
 render="$(echo "$render" \
  | sed "s|\${APP_DIR}|${APP_DIR}|g; s|\${APP_USER}|${APP_USER}|g; \
         s|\${UI_CERT}|${UI_CERT}|g; s|\${UI_KEY}|${UI_KEY}|g; \
         s|\${NGINX_HTTP2_SUFFIX}|${NGINX_HTTP2_SUFFIX}|g; \
         s|__FASTCGI_PASS__|${FASTCGI_PASS}|g")"
 # Schreiben/aktivieren
 echo "$render" > "$NGINX_SITE"
 ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK"
 # Test & reload
 if nginx -t; then
  systemctl enable --now nginx >/dev/null 2>&1 || true
  systemctl reload nginx || true
 else
  die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log"
-fi
+fi
 ##!/usr/bin/env bash
 #set -euo pipefail
 #source ./lib.sh
 #
 #log "Nginx konfigurieren …"
 #
 #ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 #
 #NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
 #NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
 #ACME_ROOT="/var/www/letsencrypt"
 #install -d -m 0755 "$ACME_ROOT"
 #
 ## Default-Sites konsequent entfernen (verhindert doppelten default_server)
 #rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
 #
 ## HTTP/2 prüfen
 #NGINX_HTTP2_SUFFIX=""
 #if nginx -V 2>&1 | grep -q http_v2; then
 #  NGINX_HTTP2_SUFFIX=" http2"
 #fi
 #
 ## PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
 #detect_php_fpm_sock(){
 #  for v in 8.3 8.2 8.1 8.0 7.4; do
 #    s="/run/php/php${v}-fpm.sock"
 #    [[ -S "$s" ]] && { echo "unix:${s}"; return; }
 #  done
 #  [[ -S "/run/php/php-fpm.sock" ]] && { echo "unix:/run/php/php-fpm.sock"; return; }
 #  echo "127.0.0.1:9000"
 #}
 #PHP_FPM_TARGET="$(detect_php_fpm_sock)"
 #if [[ "$PHP_FPM_TARGET" == unix:* ]]; then
 #  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"   # << keep the unix: prefix!
 #else
 #  FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"
 #fi
 #
 ## Prüfen, ob UI-Zert vorhanden ist
 #UI_CERT="/etc/ssl/ui/fullchain.pem"
 #UI_KEY="/etc/ssl/ui/privkey.pem"
 #SSL_ENABLED=0
 #[[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SSL_ENABLED=1
 #
 #TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl"
 #[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL"
 #render="$(cat "$TPL")"
 #
 ## --------- Bausteine, die in das Template eingesetzt werden ---------
 #
 ## (A) HTTP-Body, wenn KEIN SSL → App direkt über Port 80
 #HTTP_BODY_APP="$(cat <<'HTTP'
 #  root ${APP_DIR}/public;
 #  index index.php index.html;
 #
 #  access_log /var/log/nginx/${APP_USER}_access.log;
 #  error_log  /var/log/nginx/${APP_USER}_error.log;
 #
 #  client_max_body_size 25m;
 #
 #  location / { try_files $uri $uri/ /index.php?$query_string; }
 #  location ~ \.php$ {
 #    include snippets/fastcgi-php.conf;
 #    __FASTCGI_PASS__
 #  }
 #  location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
 #  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
 #HTTP
 #)"
 #
 ## (B) HTTP-Body, wenn SSL → nur Redirect auf 443
 #HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;'
 #
 ## (C) kompletter SSL-Serverblock (wird nur eingefügt, wenn SSL aktiv)
 #SSL_BLOCK="$(cat <<'SSL'
 #server {
 #  listen 443 ssl${NGINX_HTTP2_SUFFIX};
 #  listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
 #  server_name _;
 #
 #  ssl_certificate     ${UI_CERT};
 #  ssl_certificate_key ${UI_KEY};
 #  ssl_protocols       TLSv1.2 TLSv1.3;
 #
 #  root ${APP_DIR}/public;
 #  index index.php index.html;
 #
 #  access_log /var/log/nginx/${APP_USER}_ssl_access.log;
 #  error_log  /var/log/nginx/${APP_USER}_ssl_error.log;
 #
 #  client_max_body_size 25m;
 #
 #  location / { try_files $uri $uri/ /index.php?$query_string; }
 #  location ~ \.php$ {
 #    include snippets/fastcgi-php.conf;
 #    __FASTCGI_PASS__
 #  }
 #  location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
 #  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
 #
 #  # WebSocket: Laravel Reverb
 #  location /ws/ {
 #    proxy_http_version 1.1;
 #    proxy_set_header Upgrade $http_upgrade;
 #    proxy_set_header Connection "Upgrade";
 #    proxy_set_header Host $host;
 #    proxy_read_timeout 60s;
 #    proxy_send_timeout 60s;
 #    proxy_pass http://127.0.0.1:8080/;
 #  }
 #
 #  # Reverb HTTP API
 #  location /apps/ {
 #    proxy_http_version 1.1;
 #    proxy_set_header Host $host;
 #    proxy_read_timeout 60s;
 #    proxy_send_timeout 60s;
 #    proxy_pass http://127.0.0.1:8080/apps/;
 #  }
 #}
 #SSL
 #)"
 #
 ## --------- Platzhalter ersetzen ---------
 #if [[ $SSL_ENABLED -eq 1 ]]; then
 #  render="${render/__HTTP_BODY__/$HTTP_BODY_REDIRECT}"
 #  render="${render/__SSL_SERVER_BLOCK__/$SSL_BLOCK}"
 #else
 #  render="${render/__HTTP_BODY__/$HTTP_BODY_APP}"
 #  # HTTPS-Block komplett entfernen
 #  render="${render/__SSL_SERVER_BLOCK__/}"
 #fi
 #
 ## Variablen & __FASTCGI_PASS__ im fertigen Render ersetzen
 #render="$(echo "$render" \
 #  | sed "s|\${APP_DIR}|${APP_DIR}|g; s|\${APP_USER}|${APP_USER}|g; \
 #         s|\${UI_CERT}|${UI_CERT}|g; s|\${UI_KEY}|${UI_KEY}|g; \
 #         s|\${NGINX_HTTP2_SUFFIX}|${NGINX_HTTP2_SUFFIX}|g; \
 #         s|__FASTCGI_PASS__|${FASTCGI_PASS}|g")"
 #
 ## Schreiben/aktivieren
 #echo "$render" > "$NGINX_SITE"
 #ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK"
 #
 ## Test & reload
 #if nginx -t; then
 #  systemctl enable --now nginx >/dev/null 2>&1 || true
 #  systemctl reload nginx || true
 #else
 #  die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log"
 #fi
--- a/scripts/75-le-issue.sh
+++ b/scripts/75-le-issue.sh
@ -0,0 +1,76 @@
 #!/usr/bin/env bash
 set -euo pipefail
 source ./lib.sh
 ACME_WEBROOT="/var/www/letsencrypt"
 resolve_ok() {
  local host="$1"
  getent ahosts "$host" | awk '{print $1}' | sort -u | grep -q -F "$SERVER_PUBLIC_IPV4"
 }
 issue() {
  local host="$1"
  echo "[i] Versuche LE für ${host} …"
  if ! resolve_ok "$host"; then
    echo "[!] DNS zeigt (noch) nicht auf diese IP – überspringe: ${host}"
    return 0
  fi
  certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
    --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" || true
 }
 if [[ "$BASE_DOMAIN" != "example.com" ]]; then
  issue "$UI_HOST"
  issue "$WEBMAIL_HOST"
  issue "$MAIL_HOSTNAME"
  # Hook verlinkt automatisch; reload nginx:
  systemctl reload nginx || true
 else
  echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
 fi
 ##!/usr/bin/env bash
 #set -euo pipefail
 #source ./lib.sh
 #
 ## Falls du auch UI/Webmail am Backend ausstellen willst, setz diese Flags vor dem Installer:
 ##   ISSUE_UI_CERT=1 ISSUE_WEBMAIL_CERT=1 ./install.sh
 #ISSUE_UI_CERT="${ISSUE_UI_CERT:-0}"
 #ISSUE_WEBMAIL_CERT="${ISSUE_WEBMAIL_CERT:-0}"
 #
 #ACME_WEBROOT="/var/www/letsencrypt"
 #install -d -m 0755 "$ACME_WEBROOT"
 #
 ## nginx muss bereits laufen (Step 70), und die Location für /.well-known muss existieren.
 #
 #issue_if_points_here() {
 #  local host="$1"
 #  [[ -z "$host" ]] && return 0
 #  # prüfe, ob A/AAAA auf unsere erkannte Public IP zeigen
 #  local want_ip="${SERVER_PUBLIC_IPV4:-$(hostname -I | awk '{print $1}')}"
 #  local has_ip; has_ip="$(getent ahosts "$host" | awk '{print $1}' | sort -u | head -n1 || true)"
 #  if [[ "$has_ip" != "$want_ip" ]]; then
 #    log "DNS von $host zeigt auf $has_ip (nicht $want_ip) – überspringe HTTP-01 hier."
 #    return 0
 #  fi
 #
 #  log "Fordere LE-Zertifikat an für ${host} …"
 #  certbot certonly --agree-tos \
 #    -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
 #    --non-interactive \
 #    --webroot -w "$ACME_WEBROOT" \
 #    -d "$host" || true
 #}
 #
 ## In deiner Topologie holt NPM die UI/Webmail-Zerts → hier nur MX
 #if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
 #  issue_if_points_here "${MAIL_HOSTNAME:-}"
 #
 #  # Optional – nur wenn explizit freigegeben:
 #  [[ "$ISSUE_UI_CERT" = "1" ]]      && issue_if_points_here "${UI_HOST:-}"
 #  [[ "$ISSUE_WEBMAIL_CERT" = "1" ]] && issue_if_points_here "${WEBMAIL_HOST:-}"
 #fi
 #
 ## Nach erfolgreicher Ausstellung sofort die stabilen Pfade verlinken (Deploy-Hook nutzen)
 #bash /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh || true
--- a/scripts/80-app.sh
+++ b/scripts/80-app.sh
@ -57,10 +57,18 @@ fi
 # --- .env schreiben (vollständig wie vorher) --------------------------------
 upsert_env APP_URL             "${APP_URL_VAL}"
 if [[ "$PROXY_MODE" -eq 1 ]]; then
  TP_LIST="127.0.0.1,::1"
  [[ -n "$NPM_IP" ]] && TP_LIST="${TP_LIST},${NPM_IP}"
  upsert_env TRUSTED_PROXIES "$TP_LIST"
  upsert_env TRUSTED_HEADERS "x-forwarded-all"
 else
  upsert_env TRUSTED_PROXIES ""
  upsert_env TRUSTED_HEADERS "x-forwarded-all"
 fi
 upsert_env APP_HOST            "${APP_HOST_VAL}"
 upsert_env APP_ADMIN_USER      "${ADMIN_USER}"
 upsert_env APP_ADMIN_EMAIL     "${ADMIN_EMAIL}"
 upsert_env APP_ADMIN_PASS      "${ADMIN_PASS}"
 upsert_env APP_NAME            "${APP_NAME}"
 upsert_env APP_ENV             "${APP_ENV:-production}"
 upsert_env APP_DEBUG           "${APP_DEBUG:-false}"
@ -81,7 +89,6 @@ fi
 upsert_env BASE_DOMAIN "${BASE_DOMAIN}"
 upsert_env UI_SUB      "${UI_SUB}"
 upsert_env WEBMAIL_SUB "${WEBMAIL_SUB}"
 upsert_env SYSTEM_SUB  "${SYSTEM_SUB}"
 upsert_env MTA_SUB     "${MTA_SUB}"
 upsert_env LE_EMAIL    "${LE_EMAIL:-admin@${BASE_DOMAIN}}"
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -1,5 +1,23 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # --- Flags / Modi ---
 DEV_MODE=0
 PROXY_MODE=0
 NPM_IP=""
 while [[ $# -gt 0 ]]; do
  case "$1" in
    -dev) DEV_MODE=1 ;;
    -proxy) PROXY_MODE=1; NPM_IP="${2:-}"; shift ;;
  esac
  shift
 done
 APP_ENV="${APP_ENV:-$([[ $DEV_MODE -eq 1 ]] && echo local || echo production)}"
 APP_DEBUG="${APP_DEBUG:-$([[ $DEV_MODE -eq 1 ]] && echo true  || echo false)}"
 export DEV_MODE PROXY_MODE NPM_IP APP_ENV APP_DEBUG
 cd "$(dirname "$0")"
 source ./lib.sh
 require_root
@ -16,11 +34,6 @@ BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
 UI_SUB="${UI_SUB:-ui}"
 WEBMAIL_SUB="${WEBMAIL_SUB:-webmail}"
 MTA_SUB="${MTA_SUB:-mx}"
 SYSTEM_SUB="${SYSTEM_SUB:-system}"
 ADMIN_USER="${ADMIN_USER:-${APP_USER}}"
 ADMIN_EMAIL="${ADMIN_EMAIL:-admin@localhost}"
 ADMIN_PASS="${ADMIN_PASS:-ChangeMe}"
 DB_NAME="${DB_NAME:-${APP_USER}}"
 DB_USER="${DB_USER:-${APP_USER}}"
@ -33,28 +46,26 @@ DEFAULT_LOCALE="$(guess_locale_from_tz "$DEFAULT_TZ")"
 echo -e "${GREY}Erkannte IP (v4): ${SERVER_PUBLIC_IPV4}  v6: ${SERVER_PUBLIC_IPV6:-–}${NC}"
-read -r -p "Basisdomain (Enter=${BASE_DOMAIN}): " INP; BASE_DOMAIN="${INP:-$BASE_DOMAIN}"
+read -r -p "Mailserver FQDN (z.B. mx.domain.tld) [Enter=${MTA_SUB}.${BASE_DOMAIN}]: " MAIL_FQDN
-read -r -p "UI Subdomain (Enter=${UI_SUB}): " INP; UI_SUB="${INP:-$UI_SUB}"
+MAIL_FQDN="${MAIL_FQDN:-${MTA_SUB}.${BASE_DOMAIN}}"
 read -r -p "Webmail Subdomain (Enter=${WEBMAIL_SUB}): " INP; WEBMAIL_SUB="${INP:-$WEBMAIL_SUB}"
 read -r -p "Mailserver Subdomain (Enter=${MTA_SUB}): " INP; MTA_SUB="${INP:-$MTA_SUB}"
-read -r -p "Zeitzone (Enter=${DEFAULT_TZ}): " INP; APP_TZ="${INP:-$DEFAULT_TZ}"
+if [[ "$MAIL_FQDN" =~ ^([^.]+)\.(.+)$ ]]; then
-read -r -p "Sprache [de/en] (Enter=${DEFAULT_LOCALE}): " INP; APP_LOCALE="${INP:-$DEFAULT_LOCALE}"
+  MTA_SUB="${BASH_REMATCH[1]}"
  BASE_DOMAIN="${BASH_REMATCH[2]}"
 fi
-UI_HOST="$(join_host "$UI_SUB" "$BASE_DOMAIN")"
+UI_HOST="${UI_SUB}.${BASE_DOMAIN}"
-WEBMAIL_HOST="$(join_host "$WEBMAIL_SUB" "$BASE_DOMAIN")"
+WEBMAIL_HOST="${WEBMAIL_SUB}.${BASE_DOMAIN}"
-MAIL_HOSTNAME="$(join_host "$MTA_SUB" "$BASE_DOMAIN")"
+MAIL_HOSTNAME="${MAIL_FQDN}"
 SYSTEM_HOSTNAME="$(join_host "$SYSTEM_SUB" "$BASE_DOMAIN")"
 export APP_NAME APP_USER APP_GROUP APP_USER_PREFIX APP_DIR
-export BASE_DOMAIN UI_SUB WEBMAIL_SUB MTA_SUB SYSTEM_SUB
+export BASE_DOMAIN UI_SUB WEBMAIL_SUB MTA_SUB
-export UI_HOST WEBMAIL_HOST MAIL_HOSTNAME SYSTEM_HOSTNAME
+export UI_HOST WEBMAIL_HOST MAIL_HOSTNAME
 export ADMIN_USER ADMIN_EMAIL ADMIN_PASS
 export DB_NAME DB_USER DB_PASS
 export SERVER_PUBLIC_IPV4 SERVER_PUBLIC_IPV6 APP_TZ APP_LOCALE
 # ── Sequenz ────────────────────────────────────────────────────────────────
-for STEP in 10-provision 20-ssl 30-db 40-postfix 50-dovecot 60-rspamd-opendkim 70-nginx 80-app 90-services 95-monit 98-motd 99-summary
+for STEP in 10-provision 20-ssl 21-le-deploy-hook 30-db 40-postfix 50-dovecot 60-rspamd-opendkim 70-nginx 75-le-issue 80-app 90-services 95-monit 98-motd 99-summary
 do
  log ">>> Running ${STEP}.sh"
  bash "./${STEP}.sh"
--- a/scripts/lib.sh
+++ b/scripts/lib.sh
@ -28,7 +28,6 @@ require_root(){ [[ "$(id -u)" -eq 0 ]] || die "Bitte als root ausführen."; }
 : "${UI_SUB:=ui}"
 : "${WEBMAIL_SUB:=webmail}"
 : "${MTA_SUB:=mx}"
 : "${SYSTEM_SUB:=system}"
 # DB / Redis (werden später durch .env überschrieben)
 : "${DB_NAME:=${APP_USER}}"