Dovecot Systax Problem

boksbc 2025-10-31 16:41:29 +01:00
parent b5ed319992
commit c443c5a426
7 changed files with 478 additions and 52 deletions


@ -21,7 +21,7 @@ apt-get -y -o Dpkg::Options::="--force-confdef" \
mariadb-server mariadb-client redis-server rspamd opendkim opendkim-tools opendmarc clamav \
clamav-daemon nginx php php-fpm php-cli php-mbstring php-xml php-curl php-zip php-mysql \
php-redis php-gd unzip curl composer git certbot python3-certbot-nginx fail2ban ca-certificates \
rsyslog sudo openssl monit acl netcat-openbsd jq
rsyslog sudo openssl monit acl netcat-openbsd jq sqlite3
# <<< Apache konsequent entfernen >>>
systemctl disable --now apache2 >/dev/null 2>&1 || true


@ -13,19 +13,15 @@ FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
# Paket
if ! dpkg -s fail2ban >/dev/null 2>&1; then
apt-get update -qq
apt-get install -y fail2ban
apt-get install -y fail2ban sqlite3
fi
install -d -m 0755 /etc/fail2ban/jail.d
# ---------------------------------------------------------------
# Basis-Jails (praxisnah)
# ---------------------------------------------------------------
cat >/etc/fail2ban/jail.d/mailwolt.conf <<'EOF'
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
backend = auto
[sshd]
enabled = true
port = ssh
@ -41,7 +37,6 @@ enabled = true
logpath = /var/log/mail.log
port = pop3,pop3s,imap,imaps,submission,465,587,993
# Optional: Rspamd-Controller-Auth (nur wenn Passwort/Basic-Auth genutzt wird)
[rspamd-controller]
enabled = true
port = 11334
@ -59,11 +54,156 @@ ignoreregex =
EOF
fi
# Dienst nach Flag
# ---------------------------------------------------------------
# Fail2Ban-Backend auf SQLite umstellen
# ---------------------------------------------------------------
log "SQLite-Backend aktivieren …"
cat >/etc/fail2ban/fail2ban.local <<'EOF'
[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400
EOF
# Datenbankverzeichnis sicherstellen
install -d -o fail2ban -g fail2ban -m 0750 /var/lib/fail2ban
# Falls DB nicht existiert, Dummy anlegen (wird vom Dienst erweitert)
if [ ! -f /var/lib/fail2ban/fail2ban.sqlite3 ]; then
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "VACUUM;"
fi
chown fail2ban:fail2ban /var/lib/fail2ban/fail2ban.sqlite3
chmod 0640 /var/lib/fail2ban/fail2ban.sqlite3
# ---------------------------------------------------------------
# sudoers für Web-UI
# ---------------------------------------------------------------
# Fail2Ban Blacklist-Jail
cat >/etc/fail2ban/jail.d/mailwolt-blacklist.local <<'EOF'
[mailwolt-blacklist]
enabled = true
filter = none
port = anyport
bantime = -1
findtime = 1
maxretry = 1
EOF
SUDOERS_F2B="/etc/sudoers.d/mailwolt-fail2ban"
cat > "${SUDOERS_F2B}" <<'EOF'
www-data ALL=(root) NOPASSWD: \
/usr/bin/fail2ban-client ping, \
/usr/bin/fail2ban-client status, \
/usr/bin/fail2ban-client status *, \
/usr/bin/fail2ban-client get *, \
/usr/bin/fail2ban-client set * banip *, \
/usr/bin/fail2ban-client set * unbanip *, \
/usr/bin/fail2ban-client reload
EOF
chown root:root "${SUDOERS_F2B}"
chmod 440 "${SUDOERS_F2B}"
if ! visudo -c -f "${SUDOERS_F2B}" >/dev/null 2>&1; then
echo "[!] Ungültiger sudoers-Eintrag in ${SUDOERS_F2B} entferne Datei."
rm -f "${SUDOERS_F2B}"
fi
# ---------------------------------------------------------------
# Dienst aktivieren/deaktivieren
# ---------------------------------------------------------------
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
systemctl enable --now fail2ban
else
systemctl disable --now fail2ban || true
fi
log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit."
log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit."
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Fail2Ban installieren/konfigurieren …"
#
## Flags laden
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
#
## Paket
#if ! dpkg -s fail2ban >/dev/null 2>&1; then
# apt-get update -qq
# apt-get install -y fail2ban
#fi
#
#install -d -m 0755 /etc/fail2ban/jail.d
#
## Basis-Jails (praxisnah)
#cat >/etc/fail2ban/jail.d/mailwolt.conf <<'EOF'
#[DEFAULT]
#bantime = 1h
#findtime = 10m
#maxretry = 5
#backend = auto
#
#[sshd]
#enabled = true
#port = ssh
#logpath = /var/log/auth.log
#
#[postfix]
#enabled = true
#logpath = /var/log/mail.log
#port = smtp,ssmtp,submission,465
#
#[dovecot]
#enabled = true
#logpath = /var/log/mail.log
#port = pop3,pop3s,imap,imaps,submission,465,587,993
#
#[rspamd-controller]
#enabled = true
#port = 11334
#filter = rspamd
#logpath = /var/log/rspamd/rspamd.log
#maxretry = 5
#EOF
#
## einfacher Filter für Rspamd-Controller
#if [ ! -f /etc/fail2ban/filter.d/rspamd.conf ]; then
# cat >/etc/fail2ban/filter.d/rspamd.conf <<'EOF'
#[Definition]
#failregex = .*Authentication failed for user.* from <HOST>
#ignoreregex =
#EOF
#fi
#
#SUDOERS_F2B="/etc/sudoers.d/mailwolt-fail2ban"
#cat > "${SUDOERS_F2B}" <<'EOF'
#www-data ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
#EOF
#chown root:root "${SUDOERS_F2B}"
#chmod 440 "${SUDOERS_F2B}"
#
#if ! visudo -c -f "${SUDOERS_F2B}" >/dev/null 2>&1; then
# echo "[!] Ungültiger sudoers-Eintrag in ${SUDOERS_F2B} entferne Datei."
# rm -f "${SUDOERS_F2B}"
#fi
#
#sudo tee /etc/sudoers.d/mailwolt-fail2ban >/dev/null <<'EOF'
#www-data ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
#EOF
#sudo visudo -cf /etc/sudoers.d/mailwolt-fail2ban
#
## Dienst nach Flag
#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
# systemctl enable --now fail2ban
#else
# systemctl disable --now fail2ban || true
#fi
#
#log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit."
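Review bot: The sudoers rules written at `cat > "${SUDOERS_F2B}"` grant www-data `fail2ban-client set * banip *`, `set * unbanip *` and `get *`; sudoers wildcards match across argument boundaries, so these patterns admit more `set`/`get` subcommands than the intended `set <jail> banip <ip>`, and fail2ban applies as root whatever configuration such subcommands change. The usual containment is a small root-owned wrapper that validates the jail name and the IP itself and is the only command listed in sudoers. Separately, `install -d -o fail2ban -g fail2ban` and the two `chown fail2ban:fail2ban` lines presume a `fail2ban` account; the Debian/Ubuntu package runs the daemon as root and creates no such user, so on those hosts the commands fail and, under the script's `set -e`, abort the run. The `[mailwolt-blacklist]` jail sets `filter = none` and no `logpath`; unless a `filter.d/none.conf` exists and the jail has a log source to go with `backend = auto`, fail2ban will likely refuse to start it — verify with `fail2ban-client -t`. The commented-out copy of the previous script appended after the final `log` line (and the same pattern at the end of the monit script in this commit) is dead text that git history already preserves and should be dropped.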


@ -147,6 +147,7 @@ upsert_env APP_HOST "${APP_HOST_VAL}"
upsert_env APP_NAME "${APP_NAME}"
upsert_env APP_ENV "${APP_ENV:-production}"
upsert_env APP_DEBUG "${APP_DEBUG:-false}"
upsert_env APP_TIMEZONE "${APP_TZ:-UTC}"
upsert_env APP_LOCALE "${APP_LOCALE:-de}"
upsert_env APP_FALLBACK_LOCALE "en"


@ -32,6 +32,8 @@ set -euo pipefail
LOG="/var/log/mailwolt-update.log"
STATE_DIR="/var/lib/mailwolt/update"
APP_DIR="/var/www/mailwolt"
WEB_USER="www-data"
CANDIDATES=(
/opt/mailwolt-installer/scripts/update.sh
@ -39,13 +41,6 @@ CANDIDATES=(
/usr/local/lib/mailwolt/update.sh
)
# bestes update.sh finden
SCRIPT=""
for p in "${CANDIDATES[@]}"; do
if [[ -x "$p" ]]; then SCRIPT="$p"; break; fi
if [[ -f "$p" && -r "$p" ]]; then SCRIPT="$p"; break; fi
done
install -d -m 0755 "$(dirname "$LOG")" "$STATE_DIR" /var/lib/mailwolt
: > "$LOG" || true
chmod 0644 "$LOG"
@ -54,6 +49,14 @@ echo "running" > "$STATE_DIR/state"
{
echo "===== $(date -Is) :: Update gestartet ====="
# --- Update-Script finden --------------------------------------------------
SCRIPT=""
for p in "${CANDIDATES[@]}"; do
if [[ -x "$p" ]]; then SCRIPT="$p"; break; fi
if [[ -f "$p" && -r "$p" ]]; then SCRIPT="$p"; break; fi
done
if [[ -z "$SCRIPT" ]]; then
echo "[!] update.sh nicht gefunden (versucht: ${CANDIDATES[*]})"
rc=127
@ -63,23 +66,53 @@ echo "running" > "$STATE_DIR/state"
echo "[!] Bitte als root ausführen"
rc=1
else
if [[ -x "$SCRIPT" ]]; then ALLOW_DIRTY=1 "$SCRIPT"; else ALLOW_DIRTY=1 bash "$SCRIPT"; fi
if [[ -x "$SCRIPT" ]]; then
ALLOW_DIRTY=1 "$SCRIPT"
else
ALLOW_DIRTY=1 bash "$SCRIPT"
fi
rc=$?
fi
fi
echo "===== $(date -Is) :: Update beendet (rc=$rc) ====="
# ── Version schreiben (aus App-Repo, Fallback Installer) ─────────────────────
echo "===== $(date -Is) :: Update-Script beendet (rc=$rc) ====="
# --- Nach dem Update: Assets neu bauen & Laravel optimieren ---------------
if [ -d "$APP_DIR" ]; then
cd "$APP_DIR" || exit 1
echo "[i] Führe Composer aus (falls vorhanden) ..."
if [ -f composer.json ]; then
sudo -u "$WEB_USER" composer install --no-dev --prefer-dist --no-interaction -q || true
fi
echo "[i] Baue Frontend-Assets neu ..."
if command -v npm >/dev/null 2>&1 && [ -f package.json ]; then
sudo -u "$WEB_USER" npm ci --silent || true
sudo -u "$WEB_USER" npm run build --silent || true
fi
echo "[i] Führe Migrationen & Cache-Optimierungen durch ..."
sudo -u "$WEB_USER" php artisan migrate --force || true
sudo -u "$WEB_USER" php artisan config:cache || true
sudo -u "$WEB_USER" php artisan optimize:clear || true
sudo -u "$WEB_USER" php artisan route:cache || true
sudo -u "$WEB_USER" php artisan view:cache || true
echo "[i] Hebe Wartungsmodus auf ..."
sudo -u "$WEB_USER" php artisan up >/dev/null 2>&1 || true
fi
# --- Version aktualisieren -------------------------------------------------
echo "[i] Aktualisiere Version ..."
if command -v git >/dev/null 2>&1; then
SRC="/var/www/mailwolt"
if [ ! -d "$SRC/.git" ]; then
SRC="/opt/mailwolt-installer"
fi
# <<< NEU: root darf dieses Repo lesen (gegen 'dubious ownership')
git config --global --add safe.directory "$SRC" || true
# falls shallow: Tags nachziehen
if [ -f "$SRC/.git/shallow" ]; then
git -C "$SRC" fetch --unshallow --quiet || true
fi
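Review bot: The post-update block starting at `if [ -d "$APP_DIR" ]; then` runs composer, `npm run build` and `php artisan migrate --force` regardless of `rc`, so a failed or missing update.sh (rc=1/127 from the branches above) still migrates the database against whatever tree is on disk, and `cd "$APP_DIR" || exit 1` exits the `{ … } | tee` subshell before `$STATE_DIR/rc` and the `done` state are written, leaving the state file at `running`. Gating the block on both covers it: `if [ "$rc" -eq 0 ] && [ -d "$APP_DIR" ] && cd "$APP_DIR"; then`. Every build and migration step is suffixed `|| true`, so a failed asset build or migration never reaches `rc` and the update is reported as successful; at minimum the migration should propagate, e.g. `sudo -u "$WEB_USER" php artisan migrate --force || rc=1`. `git config --global --add safe.directory "$SRC"` appends a fresh entry to root's gitconfig on every run; checking `git config --global --get-all safe.directory` for `$SRC` first keeps that file from growing. The enclosing `{ … }` group starts and ends outside this hunk.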
@ -99,9 +132,16 @@ echo "running" > "$STATE_DIR/state"
chmod 0644 /var/lib/mailwolt/version_raw /var/lib/mailwolt/version
fi
printf '%s\n' "$rc" > "$STATE_DIR/rc"
# --- Services neu starten --------------------------------------------------
echo "[i] Starte MailWolt-Dienste neu ..."
sudo -u "$WEB_USER" php artisan mailwolt:restart-services || true
# --- Abschluss -------------------------------------------------------------
printf '%s\n' "$rc" > "$STATE_DIR/rc"
echo "done" > "$STATE_DIR/state"
echo "===== $(date -Is) :: Update beendet ====="
exit "$rc"
} | tee -a "$LOG"
EOF


@ -42,6 +42,22 @@ BACKUP_INTERVAL="${BACKUP_INTERVAL:-daily}" # daily|weekly|monthly
install -d -m 0755 "$CONF_DIR" "$BACKUP_DIR"
SUDOERS_BACKUP_FILE="/etc/sudoers.d/mailwolt-backup"
# 2) Sudoers-Datei schreiben
cat > "${SUDOERS_BACKUP_FILE} " <<EOF
Defaults!/usr/local/sbin/mailwolt-backup !requiretty
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-backup
mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-backup
EOF
chown root:root "${SUDOERS_BACKUP_FILE}"
chmod 440 "${SUDOERS_BACKUP_FILE}"
if ! visudo -c -f "${SUDOERS_BACKUP_FILE}" >/dev/null 2>&1; then
echo "[!] Ungültiger sudoers-Eintrag in ${SUDOERS_BACKUP_FILE} entferne Datei."
rm -f "${SUDOERS_BACKUP_FILE}"
fi
# ─────────────────────────────────────────────────────────────
# 3) /etc/mailwolt/backup.conf (von UI/APP überschreibbar)
# ─────────────────────────────────────────────────────────────
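Review bot: `cat > "${SUDOERS_BACKUP_FILE} " <<EOF` has a space inside the quotes, so the rules land in `/etc/sudoers.d/mailwolt-backup ` (trailing space) while the `chown`, `chmod`, `visudo -c` and `rm -f` that follow operate on the name without it; the validated-and-locked-down file never exists, the unchecked one stays behind with umask permissions, and the failing `chown` aborts the script if it runs under `set -e`. Whether sudo later loads that stray file or ignores it, it is never the file visudo checked. The fix is `cat > "${SUDOERS_BACKUP_FILE}" <<'EOF'` — quoting the delimiter too, since the body has no expansions and the other sudoers heredocs in this commit use `<<'EOF'`. The two NOPASSWD rules also hand root to `www-data` and `mailwolt` for `/usr/local/sbin/mailwolt-backup` with any arguments; if that script accepts options, restricting the rule to no arguments (`/usr/local/sbin/mailwolt-backup ""`) or having the script validate them limits what the web user can drive.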


@ -14,6 +14,8 @@ MONIT_HTTP="${MONIT_HTTP:-1}"
# ── Monit so konfigurieren, dass NUR monitrc.d/* geladen wird ────────────────
install -d -m 0755 /etc/monit/monitrc.d
install -d -m 0755 /etc/monit/conf.d # passiver Ablageort (NICHT includiert)
# Poll-Intervall (30s)
sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
# alle alten include-Zeilen raus und monitrc.d setzen
@ -30,9 +32,8 @@ set httpd port 2812 and
HTTP
fi
sudo mkdir -p /etc/monit/monitrc.d
sudo rm -rf /etc/monit/monitrc.d/* 2>/dev/null || true
sudo rm -f /etc/monit/conf.d/*.conf 2>/dev/null || true
# KEIN Löschen mehr der Dateien wir verschieben je nach Status
# (vorher stand hier rm -rf /etc/monit/monitrc.d/* und rm -f /etc/monit/conf.d/*.conf)
# ── Helper-Skripte ──────────────────────────────────────────────────────────
install -d -m 0755 /usr/local/sbin
@ -102,7 +103,7 @@ exit 0
EOSH
chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
# ── Monit-Checks (nummeriert) ───────────────────────────────────────────────
# ── Monit-Checks (nummeriert) fixe Dienste immer aktiv ────────────────────
# 10 Redis
cat >/etc/monit/monitrc.d/10-redis.conf <<'EOF'
check process redis with pidfile /run/redis/redis-server.pid
@ -131,10 +132,10 @@ EOF
cat >/etc/monit/monitrc.d/30-postfix.conf <<'EOF'
check process postfix with pidfile /var/spool/postfix/pid/master.pid
start program = "/bin/systemctl start postfix"
stop program = "/bin/systemctl stop postfix"
if failed port 25 protocol smtp with timeout 20 seconds for 2 cycles then restart
if failed port 465 type tcpssl with timeout 10 seconds then restart
if failed port 587 type tcp with timeout 10 seconds then restart
stop program = "/bin/systemctl stop postfix"
if failed host 127.0.0.1 port 25 type tcp with timeout 15 seconds for 3 cycles then restart
if failed host 127.0.0.1 port 465 type tcpssl with timeout 10 seconds then restart
if failed host 127.0.0.1 port 587 type tcp with timeout 10 seconds then restart
if 5 restarts within 5 cycles then alert
EOF
@ -166,47 +167,273 @@ check process opendkim with pidfile /run/opendkim/opendkim.pid
if 5 restarts within 5 cycles then alert
EOF
# 55 OpenDMARC (optional)
if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
cat >/etc/monit/monitrc.d/55-opendmarc.conf <<'EOF'
move_monit_conf() {
local name="$1" # z.B. 55-opendmarc
local enabled="$2" # "0" oder "1"
local src="/etc/monit/conf.d/${name}.conf"
local dst="/etc/monit/monitrc.d/${name}.conf"
mkdir -p /etc/monit/conf.d /etc/monit/monitrc.d
# Falls Datei nirgends existiert → in conf.d anlegen (lesbare Quelle)
if [[ ! -f "$src" && ! -f "$dst" ]]; then
cat >"$src" <<'EOF_PAYLOAD'
__PAYLOAD__
EOF_PAYLOAD
fi
if [[ "$enabled" = "1" ]]; then
# Aktiv: in monitrc.d haben
if [[ -f "$src" && ! -f "$dst" ]]; then
mv -f "$src" "$dst"
fi
else
# Inaktiv: in conf.d haben
if [[ -f "$dst" && ! -f "$src" ]]; then
mv -f "$dst" "$src"
fi
fi
}
move_monit_conf "55-opendmarc" "${OPENDMARC_ENABLE:-0}" <<'EOF'
check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
start program = "/bin/systemctl start opendmarc"
stop program = "/bin/systemctl stop opendmarc"
if 5 restarts within 5 cycles then alert
EOF
else
rm -f /etc/monit/monitrc.d/55-opendmarc.conf || true
fi
# 60 ClamAV (über Socket)
if [[ "$CLAMAV_ENABLE" = "1" ]]; then
cat >/etc/monit/monitrc.d/60-clamav.conf <<'EOF'
move_monit_conf "60-clamav" "${CLAMAV_ENABLE:-0}" <<'EOF'
check process clamd matching "clamd"
start program = "/bin/systemctl start clamav-daemon"
stop program = "/bin/systemctl stop clamav-daemon"
if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart
if 5 restarts within 10 cycles then unmonitor
EOF
else
rm -f /etc/monit/monitrc.d/60-clamav.conf || true
fi
# 70 Fail2Ban (optional)
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
cat >/etc/monit/monitrc.d/70-fail2ban.conf <<'EOF'
move_monit_conf "70-fail2ban" "${FAIL2BAN_ENABLE:-0}" <<'EOF'
check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
start program = "/bin/systemctl start fail2ban"
stop program = "/bin/systemctl stop fail2ban"
if 5 restarts within 5 cycles then alert
EOF
else
rm -f /etc/monit/monitrc.d/70-fail2ban.conf || true
fi
# ── Monit neu laden ─────────────────────────────────────────────────────────
monit -t
systemctl reload monit || systemctl restart monit
# Optionaler Sichttest (CLI funktioniert auch ohne HTTP-UI)
sleep 2
monit summary || true
# sleep 2
# monit summary || true
##!/usr/bin/env bash
#set -euo pipefail
#
## Flags laden (falls vorhanden)
#INSTALLER_ENV="/etc/mailwolt/installer.env"
#: "${CLAMAV_ENABLE:=}"; : "${OPENDMARC_ENABLE:=}"; : "${FAIL2BAN_ENABLE:=}"; : "${MONIT_HTTP:=}"
#if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then
# . "$INSTALLER_ENV"
#fi
#CLAMAV_ENABLE="${CLAMAV_ENABLE:-1}"
#OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-1}"
#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"
#MONIT_HTTP="${MONIT_HTTP:-1}"
#
## ── Monit so konfigurieren, dass NUR monitrc.d/* geladen wird ────────────────
#install -d -m 0755 /etc/monit/monitrc.d
## Poll-Intervall (30s)
#sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
## alle alten include-Zeilen raus und monitrc.d setzen
#sed -i 's|^#\?\s*include .*$||g' /etc/monit/monitrc
#grep -q '^include /etc/monit/monitrc.d/\*' /etc/monit/monitrc \
# || echo 'include /etc/monit/monitrc.d/*' >> /etc/monit/monitrc
#
## Optional: HTTP-UI nur einschalten, wenn explizit gewünscht
#if [[ "$MONIT_HTTP" = "1" ]]; then
# grep -q '^set httpd port 2812' /etc/monit/monitrc || cat >>/etc/monit/monitrc <<'HTTP'
#set httpd port 2812 and
# use address localhost
# allow localhost
#HTTP
#fi
#
#sudo mkdir -p /etc/monit/monitrc.d
#sudo rm -rf /etc/monit/monitrc.d/* 2>/dev/null || true
#sudo rm -f /etc/monit/conf.d/*.conf 2>/dev/null || true
#
## ── Helper-Skripte ──────────────────────────────────────────────────────────
#install -d -m 0755 /usr/local/sbin
#
## Redis-Ping (Password: REDIS_PASSWORD aus installer.env oder .env)
#cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#INSTALLER_ENV="/etc/mailwolt/installer.env"
#APP_ENV="/var/www/mailwolt/.env"
#REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
#REDIS_PORT="${REDIS_PORT:-6379}"
#REDIS_PASSWORD="${REDIS_PASSWORD:-}"
#REDIS_PASS="${REDIS_PASS:-}"
#
#[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" || true
#if [[ -r "$APP_ENV" ]]; then
# [[ -z "${REDIS_HOST}" ]] && REDIS_HOST="$(grep -m1 '^REDIS_HOST=' "$APP_ENV" | cut -d= -f2- || true)"
# [[ -z "${REDIS_PORT}" ]] && REDIS_PORT="$(grep -m1 '^REDIS_PORT=' "$APP_ENV" | cut -d= -f2- || true)"
# [[ -z "${REDIS_PASSWORD}" ]] && REDIS_PASSWORD="$(grep -m1 '^REDIS_PASSWORD=' "$APP_ENV" | cut -d= -f2- || true)"
#fi
#[[ -z "${REDIS_PASSWORD}" && -n "${REDIS_PASS}" ]] && REDIS_PASSWORD="$REDIS_PASS"
#
#strip(){ printf '%s' "$1" | sed -E 's/^"(.*)"$/\1/; s/^'"'"'(.*)'"'"'$/\1/'; }
#REDIS_HOST="$(strip "${REDIS_HOST:-}")"
#REDIS_PORT="$(strip "${REDIS_PORT:-}")"
#REDIS_PASSWORD="$(strip "${REDIS_PASSWORD:-}")"
#
#command -v redis-cli >/dev/null 2>&1 || exit 1
#BASE=(timeout 2 redis-cli --no-auth-warning --raw -h "$REDIS_HOST" -p "$REDIS_PORT")
#[[ -n "$REDIS_PASSWORD" ]] && CMD=("${BASE[@]}" -a "$REDIS_PASSWORD" ping) || CMD=("${BASE[@]}" ping)
#[[ "$("${CMD[@]}" 2>/dev/null || true)" == "PONG" ]]
#EOSH
#chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh
#
## Rspamd-Heal (Socke aufräumen, restart, Mini-Port-Check)
#cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#
#INSTALLER_ENV="/etc/mailwolt/installer.env"
#APP_ENV="/var/www/mailwolt/.env"
#
#REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
#REDIS_PORT="${REDIS_PORT:-6379}"
#REDIS_PASS="${REDIS_PASS:-}"
#
#[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV"
#if [[ -z "${REDIS_PASS}" && -r "$APP_ENV" ]]; then
# REDIS_PASS="$(grep -E '^REDIS_PASS=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)"
#fi
#
## Rspamd Runtime fixen
#install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
#[[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true
#
#echo "$(date '+%F %T') heal run" >> /var/log/rspamd-heal.log
#
## Neustart
#systemctl restart rspamd
#
## Mini-Healthcheck
#sleep 2
#ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar"
#
#exit 0
#EOSH
#chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh
#
## ── Monit-Checks (nummeriert) ───────────────────────────────────────────────
## 10 Redis
#cat >/etc/monit/monitrc.d/10-redis.conf <<'EOF'
#check process redis with pidfile /run/redis/redis-server.pid
# start program = "/bin/systemctl start redis-server"
# stop program = "/bin/systemctl stop redis-server"
# if failed host 127.0.0.1 port 6379 for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#
#check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh"
# if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server"
#EOF
#
## 20 Rspamd (robust via process-matching + Heal)
#cat >/etc/monit/monitrc.d/20-rspamd.conf <<'EOF'
#check process rspamd matching "rspamd: main process"
# start program = "/bin/systemctl start rspamd" with timeout 120 seconds
# stop program = "/bin/systemctl stop rspamd"
# depends on redis
# if failed host 127.0.0.1 port 11333 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
# if failed host 127.0.0.1 port 11334 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
# if does not exist for 2 cycles then restart
# if 5 restarts within 10 cycles then unmonitor
#EOF
#
## 30 Postfix
#cat >/etc/monit/monitrc.d/30-postfix.conf <<'EOF'
#check process postfix with pidfile /var/spool/postfix/pid/master.pid
# start program = "/bin/systemctl start postfix"
# stop program = "/bin/systemctl stop postfix"
# if failed host 127.0.0.1 port 25 type tcp with timeout 15 seconds for 3 cycles then restart
# if failed host 127.0.0.1 port 465 type tcpssl with timeout 10 seconds then restart
# if failed host 127.0.0.1 port 587 type tcp with timeout 10 seconds then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
## 30 Dovecot (IMAPS; LMTP oft Unix-Socket → kein TCP-Fehlalarm)
#cat >/etc/monit/monitrc.d/30-dovecot.conf <<'EOF'
#check process dovecot with pidfile /run/dovecot/master.pid
# start program = "/bin/systemctl start dovecot"
# stop program = "/bin/systemctl stop dovecot"
# if failed port 993 type tcpssl for 3 cycles then restart
# if 5 restarts within 10 cycles then alert
#EOF
#
## 40 Nginx
#cat >/etc/monit/monitrc.d/40-nginx.conf <<'EOF'
#check process nginx with pidfile /run/nginx.pid
# start program = "/bin/systemctl start nginx"
# stop program = "/bin/systemctl stop nginx"
# if failed port 80 type tcp then restart
# if failed port 443 type tcpssl then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
## 50 OpenDKIM
#cat >/etc/monit/monitrc.d/50-opendkim.conf <<'EOF'
#check process opendkim with pidfile /run/opendkim/opendkim.pid
# start program = "/bin/systemctl start opendkim"
# stop program = "/bin/systemctl stop opendkim"
# if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart
# if 5 restarts within 5 cycles then alert
#EOF
#
## 55 OpenDMARC (optional)
#if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
# cat >/etc/monit/monitrc.d/55-opendmarc.conf <<'EOF'
#check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
# start program = "/bin/systemctl start opendmarc"
# stop program = "/bin/systemctl stop opendmarc"
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/monitrc.d/55-opendmarc.conf || true
#fi
#
## 60 ClamAV (über Socket)
#if [[ "$CLAMAV_ENABLE" = "1" ]]; then
# cat >/etc/monit/monitrc.d/60-clamav.conf <<'EOF'
#check process clamd matching "clamd"
# start program = "/bin/systemctl start clamav-daemon"
# stop program = "/bin/systemctl stop clamav-daemon"
# if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart
# if 5 restarts within 10 cycles then unmonitor
#EOF
#else
# rm -f /etc/monit/monitrc.d/60-clamav.conf || true
#fi
#
## 70 Fail2Ban (optional)
#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
# cat >/etc/monit/monitrc.d/70-fail2ban.conf <<'EOF'
#check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
# start program = "/bin/systemctl start fail2ban"
# stop program = "/bin/systemctl stop fail2ban"
# if 5 restarts within 5 cycles then alert
#EOF
#else
# rm -f /etc/monit/monitrc.d/70-fail2ban.conf || true
#fi
#
## ── Monit neu laden ─────────────────────────────────────────────────────────
#monit -t
#systemctl reload monit || systemctl restart monit
#
## Optionaler Sichttest (CLI funktioniert auch ohne HTTP-UI)
##sleep 2
##monit summary || true
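Review bot: `move_monit_conf` never reads the heredoc its callers pass on stdin: its `cat >"$src" <<'EOF_PAYLOAD'` writes the literal placeholder `__PAYLOAD__` into `conf.d/<name>.conf`, so the three `move_monit_conf … <<'EOF'` calls for opendmarc, clamav and fail2ban produce files containing only `__PAYLOAD__`, which `monit -t` further down will reject (and, under `set -e`, abort the script). Replace the three lines `cat >"$src" <<'EOF_PAYLOAD'` / `__PAYLOAD__` / `EOF_PAYLOAD` with `cat >"$src"` so the function consumes the caller's heredoc. Because the payload is only written when neither `$src` nor `$dst` exists, later edits to the heredoc text are never applied on an already-installed host; writing the payload unconditionally to whichever of the two files is present (or always to `$src` before the move) keeps the check definitions current. A comment above the function stating that it expects the check definition on stdin and which of `conf.d`/`monitrc.d` is the active location would also help the next reader.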


@ -250,6 +250,8 @@ install -d -m 0755 /etc/mailwolt
cat >/etc/mailwolt/installer.env <<EOF
SERVER_PUBLIC_IPV4=${SERVER_PUBLIC_IPV4}
SERVER_PUBLIC_IPV6=${SERVER_PUBLIC_IPV6}
APP_TZ=${APP_TZ}
APP_LOCALE=${APP_LOCALE}
BASE_DOMAIN=${BASE_DOMAIN}
MTA_SUB=${MTA_SUB}
UI_SUB=${UI_SUB}
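Review bot: `APP_TZ=${APP_TZ}` and `APP_LOCALE=${APP_LOCALE}` are written unquoted into a file that the other scripts in this commit load with `. /etc/mailwolt/installer.env`, so a value containing whitespace or shell metacharacters is re-parsed as shell when sourced; this follows the file's existing lines, but the two new values look like they may originate from user input. Where these values come from is outside the hunk; if they are ever user-supplied, emitting them shell-quoted, e.g. `printf 'APP_TZ=%q\n' "$APP_TZ"`, keeps the file a plain assignment list.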