From c443c5a42641f725bc3794fcad88b62a2d48f56a Mon Sep 17 00:00:00 2001 From: boksbc Date: Fri, 31 Oct 2025 16:41:29 +0100 Subject: [PATCH] Dovecot Systax Problem --- scripts/10-provision.sh | 2 +- scripts/63-fail2ban.sh | 160 ++++++++++++++++++-- scripts/80-app.sh | 1 + scripts/88-update-wrapper.sh | 66 ++++++-- scripts/93-backup-tools.sh | 16 ++ scripts/95-woltguard.sh | 283 +++++++++++++++++++++++++++++++---- scripts/bootstrap.sh | 2 + 7 files changed, 478 insertions(+), 52 deletions(-) diff --git a/scripts/10-provision.sh b/scripts/10-provision.sh index 0ed0800..1697460 100644 --- a/scripts/10-provision.sh +++ b/scripts/10-provision.sh @@ -21,7 +21,7 @@ apt-get -y -o Dpkg::Options::="--force-confdef" \ mariadb-server mariadb-client redis-server rspamd opendkim opendkim-tools opendmarc clamav \ clamav-daemon nginx php php-fpm php-cli php-mbstring php-xml php-curl php-zip php-mysql \ php-redis php-gd unzip curl composer git certbot python3-certbot-nginx fail2ban ca-certificates \ - rsyslog sudo openssl monit acl netcat-openbsd jq + rsyslog sudo openssl monit acl netcat-openbsd jq sqlite3 # <<< Apache konsequent entfernen >>> systemctl disable --now apache2 >/dev/null 2>&1 || true diff --git a/scripts/63-fail2ban.sh b/scripts/63-fail2ban.sh index 21ae708..615e4a8 100644 --- a/scripts/63-fail2ban.sh +++ b/scripts/63-fail2ban.sh @@ -13,19 +13,15 @@ FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" # Paket if ! dpkg -s fail2ban >/dev/null 2>&1; then apt-get update -qq - apt-get install -y fail2ban + apt-get install -y fail2ban sqlite3 fi install -d -m 0755 /etc/fail2ban/jail.d +# --------------------------------------------------------------- # Basis-Jails (praxisnah) +# --------------------------------------------------------------- cat >/etc/fail2ban/jail.d/mailwolt.conf <<'EOF' -[DEFAULT] -bantime = 1h -findtime = 10m -maxretry = 5 -backend = auto - [sshd] enabled = true port = ssh 
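Review bot: Removing the `[DEFAULT]` block (`bantime = 1h`, `findtime = 10m`, `maxretry = 5`, `backend = auto`) from mailwolt.conf without a replacement means every jail now inherits the package's jail.conf defaults, which typically ship a 10-minute bantime, so the effective ban duration silently shrinks. If the 1h policy is still intended, keep the section at the top of the heredoc (`[DEFAULT]`, `bantime = 1h`, `findtime = 10m`, `maxretry = 5`), otherwise add a comment stating which defaults the jails are expected to inherit. The heredoc that writes mailwolt.conf continues past the end of this hunk.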
@@ -41,7 +37,6 @@ enabled = true logpath = /var/log/mail.log port = pop3,pop3s,imap,imaps,submission,465,587,993 -# Optional: Rspamd-Controller-Auth (nur wenn Passwort/Basic-Auth genutzt wird) [rspamd-controller] enabled = true port = 11334 
@@ -59,11 +54,156 @@ ignoreregex = EOF fi -# Dienst nach Flag +# --------------------------------------------------------------- +# Fail2Ban-Backend auf SQLite umstellen +# --------------------------------------------------------------- +log "SQLite-Backend aktivieren …" + +cat >/etc/fail2ban/fail2ban.local <<'EOF' +[Definition] +loglevel = INFO +logtarget = /var/log/fail2ban.log +dbfile = /var/lib/fail2ban/fail2ban.sqlite3 +dbpurgeage = 86400 +EOF + +# Datenbankverzeichnis sicherstellen +install -d -o fail2ban -g fail2ban -m 0750 /var/lib/fail2ban + +# Falls DB nicht existiert, Dummy anlegen (wird vom Dienst erweitert) +if [ ! -f /var/lib/fail2ban/fail2ban.sqlite3 ]; then + sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "VACUUM;" +fi +chown fail2ban:fail2ban /var/lib/fail2ban/fail2ban.sqlite3 +chmod 0640 /var/lib/fail2ban/fail2ban.sqlite3 + +# --------------------------------------------------------------- +# sudoers für Web-UI +# --------------------------------------------------------------- +# Fail2Ban Blacklist-Jail +cat >/etc/fail2ban/jail.d/mailwolt-blacklist.local <<'EOF' +[mailwolt-blacklist] +enabled = true +filter = none +port = anyport +bantime = -1 +findtime = 1 +maxretry = 1 +EOF + +SUDOERS_F2B="/etc/sudoers.d/mailwolt-fail2ban" +cat > "${SUDOERS_F2B}" <<'EOF' +www-data ALL=(root) NOPASSWD: \ + /usr/bin/fail2ban-client ping, \ + /usr/bin/fail2ban-client status, \ + /usr/bin/fail2ban-client status *, \ + /usr/bin/fail2ban-client get *, \ + /usr/bin/fail2ban-client set * banip *, \ + /usr/bin/fail2ban-client set * unbanip *, \ + /usr/bin/fail2ban-client reload +EOF +chown root:root "${SUDOERS_F2B}" +chmod 440 "${SUDOERS_F2B}" + +if ! visudo -c -f "${SUDOERS_F2B}" >/dev/null 2>&1; then + echo "[!] Ungültiger sudoers-Eintrag in ${SUDOERS_F2B} – entferne Datei." 
+ rm -f "${SUDOERS_F2B}" +fi + +# --------------------------------------------------------------- +# Dienst aktivieren/deaktivieren +# --------------------------------------------------------------- if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then systemctl enable --now fail2ban else systemctl disable --now fail2ban || true fi -log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit." \ No newline at end of file +log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit." + + +##!/usr/bin/env bash +#set -euo pipefail +#source ./lib.sh +# +#log "Fail2Ban installieren/konfigurieren …" +# +## Flags laden +#set +u +#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env +#set -u +#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" +# +## Paket +#if ! dpkg -s fail2ban >/dev/null 2>&1; then +# apt-get update -qq +# apt-get install -y fail2ban +#fi +# +#install -d -m 0755 /etc/fail2ban/jail.d +# +## Basis-Jails (praxisnah) +#cat >/etc/fail2ban/jail.d/mailwolt.conf <<'EOF' +#[DEFAULT] +#bantime = 1h +#findtime = 10m +#maxretry = 5 +#backend = auto +# +#[sshd] +#enabled = true +#port = ssh +#logpath = /var/log/auth.log +# +#[postfix] +#enabled = true +#logpath = /var/log/mail.log +#port = smtp,ssmtp,submission,465 +# +#[dovecot] +#enabled = true +#logpath = /var/log/mail.log +#port = pop3,pop3s,imap,imaps,submission,465,587,993 +# +#[rspamd-controller] +#enabled = true +#port = 11334 +#filter = rspamd +#logpath = /var/log/rspamd/rspamd.log +#maxretry = 5 +#EOF +# +## einfacher Filter für Rspamd-Controller +#if [ ! -f /etc/fail2ban/filter.d/rspamd.conf ]; then +# cat >/etc/fail2ban/filter.d/rspamd.conf <<'EOF' +#[Definition] +#failregex = .*Authentication failed for user.* from +#ignoreregex = +#EOF +#fi +# +#SUDOERS_F2B="/etc/sudoers.d/mailwolt-fail2ban" +#cat > "${SUDOERS_F2B}" <<'EOF' +#www-data ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status * +#EOF +#chown root:root "${SUDOERS_F2B}" +#chmod 440 "${SUDOERS_F2B}" +# +#if ! 
visudo -c -f "${SUDOERS_F2B}" >/dev/null 2>&1; then +# echo "[!] Ungültiger sudoers-Eintrag in ${SUDOERS_F2B} – entferne Datei." +# rm -f "${SUDOERS_F2B}" +#fi +# +#sudo tee /etc/sudoers.d/mailwolt-fail2ban >/dev/null <<'EOF' +#www-data ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status * +#EOF +#sudo visudo -cf /etc/sudoers.d/mailwolt-fail2ban +# +## Dienst nach Flag +#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then +# systemctl enable --now fail2ban +#else +# systemctl disable --now fail2ban || true +#fi +# +#log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit." \ No newline at end of file diff --git a/scripts/80-app.sh b/scripts/80-app.sh index bed7ee4..1ac72c0 100644 --- a/scripts/80-app.sh +++ b/scripts/80-app.sh @@ -147,6 +147,7 @@ upsert_env APP_HOST "${APP_HOST_VAL}" upsert_env APP_NAME "${APP_NAME}" upsert_env APP_ENV "${APP_ENV:-production}" upsert_env APP_DEBUG "${APP_DEBUG:-false}" +upsert_env APP_TIMEZONE "${APP_TZ:-UTC}" upsert_env APP_LOCALE "${APP_LOCALE:-de}" upsert_env APP_FALLBACK_LOCALE "en" diff --git a/scripts/88-update-wrapper.sh b/scripts/88-update-wrapper.sh index 19db17b..90e3ee8 100644 --- a/scripts/88-update-wrapper.sh +++ b/scripts/88-update-wrapper.sh @@ -32,6 +32,8 @@ set -euo pipefail LOG="/var/log/mailwolt-update.log" STATE_DIR="/var/lib/mailwolt/update" +APP_DIR="/var/www/mailwolt" +WEB_USER="www-data" CANDIDATES=( /opt/mailwolt-installer/scripts/update.sh @@ -39,13 +41,6 @@ CANDIDATES=( /usr/local/lib/mailwolt/update.sh ) -# bestes update.sh finden -SCRIPT="" -for p in "${CANDIDATES[@]}"; do - if [[ -x "$p" ]]; then SCRIPT="$p"; break; fi - if [[ -f "$p" && -r "$p" ]]; then SCRIPT="$p"; break; fi -done - install -d -m 0755 "$(dirname "$LOG")" "$STATE_DIR" /var/lib/mailwolt : > "$LOG" || true chmod 0644 "$LOG" 
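Review bot: The sudoers entry grants www-data `fail2ban-client set * banip *`, `set * unbanip *` and `reload` with NOPASSWD, and since a sudoers `*` also matches whitespace, a compromised web process can ban or unban any address in any jail — including a permanent ban of an administrator's address via the new `mailwolt-blacklist` jail (`bantime = -1`) — or drop every active ban with `reload`; limit the wildcards to the jail the UI actually uses and prefer a root-owned wrapper that validates the IP argument over exposing fail2ban-client directly. `install -d -o fail2ban -g fail2ban` and the two `chown fail2ban:fail2ban` lines assume a `fail2ban` system user; on Debian-based hosts the daemon normally runs as root and, if the package does not create that user, these lines fail and abort the script under its `set -euo pipefail` — guard them with `if getent passwd fail2ban >/dev/null; then … fi`. `filter = none` in mailwolt-blacklist.local names a filter file (filter.d/none.conf) that fail2ban does not ship, so the jail is likely to fail to load unless one is provided; `port = anyport` is similarly not a value I can confirm the ban action accepts. The previous version of the script, appended as roughly a hundred `#`-commented lines, is dead text and should be deleted rather than kept in the file.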
@@ -54,6 +49,14 @@ echo "running" > "$STATE_DIR/state" { echo "===== $(date -Is) :: Update gestartet =====" + + # --- Update-Script finden -------------------------------------------------- + SCRIPT="" + for p in "${CANDIDATES[@]}"; do + if [[ -x "$p" ]]; then SCRIPT="$p"; break; fi + if [[ -f "$p" && -r "$p" ]]; then SCRIPT="$p"; break; fi + done + if [[ -z "$SCRIPT" ]]; then echo "[!] update.sh nicht gefunden (versucht: ${CANDIDATES[*]})" rc=127 
@@ -63,23 +66,53 @@ echo "running" > "$STATE_DIR/state" echo "[!] Bitte als root ausführen" rc=1 else - if [[ -x "$SCRIPT" ]]; then ALLOW_DIRTY=1 "$SCRIPT"; else ALLOW_DIRTY=1 bash "$SCRIPT"; fi + if [[ -x "$SCRIPT" ]]; then + ALLOW_DIRTY=1 "$SCRIPT" + else + ALLOW_DIRTY=1 bash "$SCRIPT" + fi rc=$? fi fi - echo "===== $(date -Is) :: Update beendet (rc=$rc) =====" - # ── Version schreiben (aus App-Repo, Fallback Installer) ───────────────────── + echo "===== $(date -Is) :: Update-Script beendet (rc=$rc) =====" + + # --- Nach dem Update: Assets neu bauen & Laravel optimieren --------------- + if [ -d "$APP_DIR" ]; then + cd "$APP_DIR" || exit 1 + + echo "[i] Führe Composer aus (falls vorhanden) ..." + if [ -f composer.json ]; then + sudo -u "$WEB_USER" composer install --no-dev --prefer-dist --no-interaction -q || true + fi + + echo "[i] Baue Frontend-Assets neu ..." + if command -v npm >/dev/null 2>&1 && [ -f package.json ]; then + sudo -u "$WEB_USER" npm ci --silent || true + sudo -u "$WEB_USER" npm run build --silent || true + fi + + echo "[i] Führe Migrationen & Cache-Optimierungen durch ..." + sudo -u "$WEB_USER" php artisan migrate --force || true + sudo -u "$WEB_USER" php artisan config:cache || true + sudo -u "$WEB_USER" php artisan optimize:clear || true + sudo -u "$WEB_USER" php artisan route:cache || true + sudo -u "$WEB_USER" php artisan view:cache || true + + echo "[i] Hebe Wartungsmodus auf ..." + sudo -u "$WEB_USER" php artisan up >/dev/null 2>&1 || true + fi + + # --- Version aktualisieren ------------------------------------------------- + echo "[i] Aktualisiere Version ..." if command -v git >/dev/null 2>&1; then SRC="/var/www/mailwolt" if [ ! -d "$SRC/.git" ]; then SRC="/opt/mailwolt-installer" fi - # <<< NEU: root darf dieses Repo lesen (gegen 'dubious ownership') git config --global --add safe.directory "$SRC" || true - # falls shallow: Tags nachziehen if [ -f "$SRC/.git/shallow" ]; then git -C "$SRC" fetch --unshallow --quiet || true fi 
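Review bot: `cd "$APP_DIR" || exit 1` runs inside the `{ … } | tee -a "$LOG"` group (opened in the previous hunk, closed in the next), so the `exit` only ends that subshell: `$STATE_DIR/rc` is never written and `$STATE_DIR/state` stays at "running". Replace it with a recorded failure, `if ! cd "$APP_DIR"; then echo "[!] cd $APP_DIR fehlgeschlagen"; rc=1; fi`, and let the migration feed the result as well (`sudo -u "$WEB_USER" php artisan migrate --force || rc=1`), because with `|| true` a failed migration is currently followed by `php artisan up` and a rc=0 report; the same rc-masking applies to the `mailwolt:restart-services` line in the next hunk. The `composer install`, `npm ci` and `npm run build` calls are also silenced with `-q`/`--silent` and `|| true`, so at minimum print their exit status into $LOG so a broken asset build remains visible. The enclosing group starts before this hunk.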
@@ -99,9 +132,16 @@ echo "running" > "$STATE_DIR/state" chmod 0644 /var/lib/mailwolt/version_raw /var/lib/mailwolt/version fi - printf '%s\n' "$rc" > "$STATE_DIR/rc" + # --- Services neu starten -------------------------------------------------- + echo "[i] Starte MailWolt-Dienste neu ..." + sudo -u "$WEB_USER" php artisan mailwolt:restart-services || true + + # --- Abschluss ------------------------------------------------------------- + printf '%s\n' "$rc" > "$STATE_DIR/rc" echo "done" > "$STATE_DIR/state" + echo "===== $(date -Is) :: Update beendet =====" exit "$rc" + } | tee -a "$LOG" EOF diff --git a/scripts/93-backup-tools.sh b/scripts/93-backup-tools.sh index bf0328a..ebfd7c4 100644 --- a/scripts/93-backup-tools.sh +++ b/scripts/93-backup-tools.sh @@ -42,6 +42,22 @@ BACKUP_INTERVAL="${BACKUP_INTERVAL:-daily}" # daily|weekly|monthly install -d -m 0755 "$CONF_DIR" "$BACKUP_DIR" + +SUDOERS_BACKUP_FILE="/etc/sudoers.d/mailwolt-backup" +# 2) Sudoers-Datei schreiben +cat > "${SUDOERS_BACKUP_FILE} " </dev/null 2>&1; then + echo "[!] Ungültiger sudoers-Eintrag in ${SUDOERS_BACKUP_FILE} – entferne Datei." + rm -f "${SUDOERS_BACKUP_FILE}" +fi + # ───────────────────────────────────────────────────────────── # 3) /etc/mailwolt/backup.conf (von UI/APP überschreibbar) # ───────────────────────────────────────────────────────────── diff --git a/scripts/95-woltguard.sh b/scripts/95-woltguard.sh index 5c3aa8a..b3f31f4 100644 --- a/scripts/95-woltguard.sh +++ b/scripts/95-woltguard.sh @@ -14,6 +14,8 @@ MONIT_HTTP="${MONIT_HTTP:-1}" # ── Monit so konfigurieren, dass NUR monitrc.d/* geladen wird ──────────────── install -d -m 0755 /etc/monit/monitrc.d +install -d -m 0755 /etc/monit/conf.d # passiver Ablageort (NICHT includiert) + # Poll-Intervall (30s) sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true # alle alten include-Zeilen raus und monitrc.d setzen 
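Review bot: `sudo -u "$WEB_USER" php artisan mailwolt:restart-services` drops to www-data although the wrapper itself already runs as root (the root check is visible in the previous hunk); if that artisan command restarts system services it either needs a sudoers grant that is not part of this commit or should be invoked as root directly. Add a comment stating which privilege it relies on, e.g. `# läuft als www-data; benötigt sudoers-Regel für systemctl (siehe 63-fail2ban.sh / 93-backup-tools.sh)` or run it without `sudo -u`.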
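Review bot: `cat > "${SUDOERS_BACKUP_FILE} "` has a trailing space inside the quotes, so the rule is written to `/etc/sudoers.d/mailwolt-backup ` (with a trailing space) while the `visudo -c -f` check and the `rm -f` cleanup use the unspaced `${SUDOERS_BACKUP_FILE}`; the validation therefore runs against a missing file, the error branch removes nothing, and the unvalidated file stays in sudoers.d. Fix the target: `cat > "${SUDOERS_BACKUP_FILE}" <<'EOF'`. The heredoc body with the actual rule is not visible in this rendering of the hunk, so its content could not be reviewed; as with the fail2ban entry, validate with visudo in a temporary file before installing rather than after.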
@@ -30,9 +32,8 @@ set httpd port 2812 and HTTP fi -sudo mkdir -p /etc/monit/monitrc.d -sudo rm -rf /etc/monit/monitrc.d/* 2>/dev/null || true -sudo rm -f /etc/monit/conf.d/*.conf 2>/dev/null || true +# KEIN Löschen mehr der Dateien – wir verschieben je nach Status +# (vorher stand hier rm -rf /etc/monit/monitrc.d/* und rm -f /etc/monit/conf.d/*.conf) # ── Helper-Skripte ────────────────────────────────────────────────────────── install -d -m 0755 /usr/local/sbin @@ -102,7 +103,7 @@ exit 0 EOSH chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh -# ── Monit-Checks (nummeriert) ─────────────────────────────────────────────── +# ── Monit-Checks (nummeriert) – fixe Dienste immer aktiv ──────────────────── # 10 – Redis cat >/etc/monit/monitrc.d/10-redis.conf <<'EOF' check process redis with pidfile /run/redis/redis-server.pid @@ -131,10 +132,10 @@ EOF cat >/etc/monit/monitrc.d/30-postfix.conf <<'EOF' check process postfix with pidfile /var/spool/postfix/pid/master.pid start program = "/bin/systemctl start postfix" - stop program = "/bin/systemctl stop postfix" - if failed port 25 protocol smtp with timeout 20 seconds for 2 cycles then restart - if failed port 465 type tcpssl with timeout 10 seconds then restart - if failed port 587 type tcp with timeout 10 seconds then restart + stop program = "/bin/systemctl stop postfix" + if failed host 127.0.0.1 port 25 type tcp with timeout 15 seconds for 3 cycles then restart + if failed host 127.0.0.1 port 465 type tcpssl with timeout 10 seconds then restart + if failed host 127.0.0.1 port 587 type tcp with timeout 10 seconds then restart if 5 restarts within 5 cycles then alert EOF 
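Review bot: The port 25 check drops `protocol smtp` in favour of a bare `type tcp` connect (`if failed host 127.0.0.1 port 25 type tcp …`), so Monit now only verifies that the socket accepts connections and no longer catches a Postfix that accepts TCP but never answers with a banner; keep the protocol check, `if failed host 127.0.0.1 port 25 type tcp protocol smtp with timeout 15 seconds for 3 cycles then restart`. In the @@ -30 hunk the `rm -rf /etc/monit/monitrc.d/*` and `rm -f /etc/monit/conf.d/*.conf` lines are replaced by a comment only, so check files left by earlier installs now persist; if that is intended by the new move_monit_conf scheme, say so in the comment rather than only noting what used to be there.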
@@ -166,47 +167,273 @@ check process opendkim with pidfile /run/opendkim/opendkim.pid if 5 restarts within 5 cycles then alert EOF -# 55 – OpenDMARC (optional) -if [[ "$OPENDMARC_ENABLE" = "1" ]]; then - cat >/etc/monit/monitrc.d/55-opendmarc.conf <<'EOF' +move_monit_conf() { + local name="$1" # z.B. 55-opendmarc + local enabled="$2" # "0" oder "1" + local src="/etc/monit/conf.d/${name}.conf" + local dst="/etc/monit/monitrc.d/${name}.conf" + + mkdir -p /etc/monit/conf.d /etc/monit/monitrc.d + + # Falls Datei nirgends existiert → in conf.d anlegen (lesbare Quelle) + if [[ ! -f "$src" && ! -f "$dst" ]]; then + cat >"$src" <<'EOF_PAYLOAD' +__PAYLOAD__ +EOF_PAYLOAD + fi + + if [[ "$enabled" = "1" ]]; then + # Aktiv: in monitrc.d haben + if [[ -f "$src" && ! -f "$dst" ]]; then + mv -f "$src" "$dst" + fi + else + # Inaktiv: in conf.d haben + if [[ -f "$dst" && ! -f "$src" ]]; then + mv -f "$dst" "$src" + fi + fi +} + +move_monit_conf "55-opendmarc" "${OPENDMARC_ENABLE:-0}" <<'EOF' check process opendmarc with pidfile /run/opendmarc/opendmarc.pid start program = "/bin/systemctl start opendmarc" stop program = "/bin/systemctl stop opendmarc" if 5 restarts within 5 cycles then alert EOF -else - rm -f /etc/monit/monitrc.d/55-opendmarc.conf || true -fi -# 60 – ClamAV (über Socket) -if [[ "$CLAMAV_ENABLE" = "1" ]]; then - cat >/etc/monit/monitrc.d/60-clamav.conf <<'EOF' +move_monit_conf "60-clamav" "${CLAMAV_ENABLE:-0}" <<'EOF' check process clamd matching "clamd" start program = "/bin/systemctl start clamav-daemon" stop program = "/bin/systemctl stop clamav-daemon" if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart if 5 restarts within 10 cycles then unmonitor EOF -else - rm -f /etc/monit/monitrc.d/60-clamav.conf || true -fi -# 70 – Fail2Ban (optional) -if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then - cat >/etc/monit/monitrc.d/70-fail2ban.conf <<'EOF' +move_monit_conf "70-fail2ban" "${FAIL2BAN_ENABLE:-0}" <<'EOF' check process fail2ban with pidfile 
/run/fail2ban/fail2ban.pid start program = "/bin/systemctl start fail2ban" stop program = "/bin/systemctl stop fail2ban" if 5 restarts within 5 cycles then alert EOF -else - rm -f /etc/monit/monitrc.d/70-fail2ban.conf || true -fi # ── Monit neu laden ───────────────────────────────────────────────────────── monit -t systemctl reload monit || systemctl restart monit # Optionaler Sichttest (CLI funktioniert auch ohne HTTP-UI) -sleep 2 -monit summary || true \ No newline at end of file +# sleep 2 +# monit summary || true + +##!/usr/bin/env bash +#set -euo pipefail +# +## Flags laden (falls vorhanden) +#INSTALLER_ENV="/etc/mailwolt/installer.env" +#: "${CLAMAV_ENABLE:=}"; : "${OPENDMARC_ENABLE:=}"; : "${FAIL2BAN_ENABLE:=}"; : "${MONIT_HTTP:=}" +#if [[ -z "${CLAMAV_ENABLE}${OPENDMARC_ENABLE}${FAIL2BAN_ENABLE}" && -r "$INSTALLER_ENV" ]]; then +# . "$INSTALLER_ENV" +#fi +#CLAMAV_ENABLE="${CLAMAV_ENABLE:-1}" +#OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-1}" +#FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}" +#MONIT_HTTP="${MONIT_HTTP:-1}" +# +## ── Monit so konfigurieren, dass NUR monitrc.d/* geladen wird ──────────────── +#install -d -m 0755 /etc/monit/monitrc.d +## Poll-Intervall (30s) +#sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true +## alle alten include-Zeilen raus und monitrc.d setzen +#sed -i 's|^#\?\s*include .*$||g' /etc/monit/monitrc +#grep -q '^include /etc/monit/monitrc.d/\*' /etc/monit/monitrc \ +# || echo 'include /etc/monit/monitrc.d/*' >> /etc/monit/monitrc +# +## Optional: HTTP-UI nur einschalten, wenn explizit gewünscht +#if [[ "$MONIT_HTTP" = "1" ]]; then +# grep -q '^set httpd port 2812' /etc/monit/monitrc || cat >>/etc/monit/monitrc <<'HTTP' +#set httpd port 2812 and +# use address localhost +# allow localhost +#HTTP +#fi +# +#sudo mkdir -p /etc/monit/monitrc.d +#sudo rm -rf /etc/monit/monitrc.d/* 2>/dev/null || true +#sudo rm -f /etc/monit/conf.d/*.conf 2>/dev/null || true +# +## ── Helper-Skripte 
────────────────────────────────────────────────────────── +#install -d -m 0755 /usr/local/sbin +# +## Redis-Ping (Password: REDIS_PASSWORD aus installer.env oder .env) +#cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH' +##!/usr/bin/env bash +#set -euo pipefail +#INSTALLER_ENV="/etc/mailwolt/installer.env" +#APP_ENV="/var/www/mailwolt/.env" +#REDIS_HOST="${REDIS_HOST:-127.0.0.1}" +#REDIS_PORT="${REDIS_PORT:-6379}" +#REDIS_PASSWORD="${REDIS_PASSWORD:-}" +#REDIS_PASS="${REDIS_PASS:-}" +# +#[[ -r "$INSTALLER_ENV" ]] && . "$INSTALLER_ENV" || true +#if [[ -r "$APP_ENV" ]]; then +# [[ -z "${REDIS_HOST}" ]] && REDIS_HOST="$(grep -m1 '^REDIS_HOST=' "$APP_ENV" | cut -d= -f2- || true)" +# [[ -z "${REDIS_PORT}" ]] && REDIS_PORT="$(grep -m1 '^REDIS_PORT=' "$APP_ENV" | cut -d= -f2- || true)" +# [[ -z "${REDIS_PASSWORD}" ]] && REDIS_PASSWORD="$(grep -m1 '^REDIS_PASSWORD=' "$APP_ENV" | cut -d= -f2- || true)" +#fi +#[[ -z "${REDIS_PASSWORD}" && -n "${REDIS_PASS}" ]] && REDIS_PASSWORD="$REDIS_PASS" +# +#strip(){ printf '%s' "$1" | sed -E 's/^"(.*)"$/\1/; s/^'"'"'(.*)'"'"'$/\1/'; } +#REDIS_HOST="$(strip "${REDIS_HOST:-}")" +#REDIS_PORT="$(strip "${REDIS_PORT:-}")" +#REDIS_PASSWORD="$(strip "${REDIS_PASSWORD:-}")" +# +#command -v redis-cli >/dev/null 2>&1 || exit 1 +#BASE=(timeout 2 redis-cli --no-auth-warning --raw -h "$REDIS_HOST" -p "$REDIS_PORT") +#[[ -n "$REDIS_PASSWORD" ]] && CMD=("${BASE[@]}" -a "$REDIS_PASSWORD" ping) || CMD=("${BASE[@]}" ping) +#[[ "$("${CMD[@]}" 2>/dev/null || true)" == "PONG" ]] +#EOSH +#chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh +# +## Rspamd-Heal (Socke aufräumen, restart, Mini-Port-Check) +#cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH' +##!/usr/bin/env bash +#set -euo pipefail +# +#INSTALLER_ENV="/etc/mailwolt/installer.env" +#APP_ENV="/var/www/mailwolt/.env" +# +#REDIS_HOST="${REDIS_HOST:-127.0.0.1}" +#REDIS_PORT="${REDIS_PORT:-6379}" +#REDIS_PASS="${REDIS_PASS:-}" +# +#[[ -r "$INSTALLER_ENV" ]] && . 
"$INSTALLER_ENV" +#if [[ -z "${REDIS_PASS}" && -r "$APP_ENV" ]]; then +# REDIS_PASS="$(grep -E '^REDIS_PASS=' "$APP_ENV" | head -n1 | cut -d= -f2- || true)" +#fi +# +## Rspamd Runtime fixen +#install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true +#[[ -S /var/lib/rspamd/rspamd.sock ]] && rm -f /var/lib/rspamd/rspamd.sock || true +# +#echo "$(date '+%F %T') heal run" >> /var/log/rspamd-heal.log +# +## Neustart +#systemctl restart rspamd +# +## Mini-Healthcheck +#sleep 2 +#ss -tln | grep -q ':11334' || echo "[WARN] Rspamd Controller Port 11334 nicht sichtbar" +# +#exit 0 +#EOSH +#chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh +# +## ── Monit-Checks (nummeriert) ─────────────────────────────────────────────── +## 10 – Redis +#cat >/etc/monit/monitrc.d/10-redis.conf <<'EOF' +#check process redis with pidfile /run/redis/redis-server.pid +# start program = "/bin/systemctl start redis-server" +# stop program = "/bin/systemctl stop redis-server" +# if failed host 127.0.0.1 port 6379 for 2 cycles then restart +# if 5 restarts within 5 cycles then alert +# +#check program redis_ping path "/usr/local/sbin/mailwolt-redis-ping.sh" +# if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server" +#EOF +# +## 20 – Rspamd (robust via process-matching + Heal) +#cat >/etc/monit/monitrc.d/20-rspamd.conf <<'EOF' +#check process rspamd matching "rspamd: main process" +# start program = "/bin/systemctl start rspamd" with timeout 120 seconds +# stop program = "/bin/systemctl stop rspamd" +# depends on redis +# if failed host 127.0.0.1 port 11333 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" +# if failed host 127.0.0.1 port 11334 for 3 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh" +# if does not exist for 2 cycles then restart +# if 5 restarts within 10 cycles then unmonitor +#EOF +# +## 30 – Postfix +#cat >/etc/monit/monitrc.d/30-postfix.conf <<'EOF' +#check process postfix with pidfile /var/spool/postfix/pid/master.pid +# start 
program = "/bin/systemctl start postfix" +# stop program = "/bin/systemctl stop postfix" +# if failed host 127.0.0.1 port 25 type tcp with timeout 15 seconds for 3 cycles then restart +# if failed host 127.0.0.1 port 465 type tcpssl with timeout 10 seconds then restart +# if failed host 127.0.0.1 port 587 type tcp with timeout 10 seconds then restart +# if 5 restarts within 5 cycles then alert +#EOF +# +## 30 – Dovecot (IMAPS; LMTP oft Unix-Socket → kein TCP-Fehlalarm) +#cat >/etc/monit/monitrc.d/30-dovecot.conf <<'EOF' +#check process dovecot with pidfile /run/dovecot/master.pid +# start program = "/bin/systemctl start dovecot" +# stop program = "/bin/systemctl stop dovecot" +# if failed port 993 type tcpssl for 3 cycles then restart +# if 5 restarts within 10 cycles then alert +#EOF +# +## 40 – Nginx +#cat >/etc/monit/monitrc.d/40-nginx.conf <<'EOF' +#check process nginx with pidfile /run/nginx.pid +# start program = "/bin/systemctl start nginx" +# stop program = "/bin/systemctl stop nginx" +# if failed port 80 type tcp then restart +# if failed port 443 type tcpssl then restart +# if 5 restarts within 5 cycles then alert +#EOF +# +## 50 – OpenDKIM +#cat >/etc/monit/monitrc.d/50-opendkim.conf <<'EOF' +#check process opendkim with pidfile /run/opendkim/opendkim.pid +# start program = "/bin/systemctl start opendkim" +# stop program = "/bin/systemctl stop opendkim" +# if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart +# if 5 restarts within 5 cycles then alert +#EOF +# +## 55 – OpenDMARC (optional) +#if [[ "$OPENDMARC_ENABLE" = "1" ]]; then +# cat >/etc/monit/monitrc.d/55-opendmarc.conf <<'EOF' +#check process opendmarc with pidfile /run/opendmarc/opendmarc.pid +# start program = "/bin/systemctl start opendmarc" +# stop program = "/bin/systemctl stop opendmarc" +# if 5 restarts within 5 cycles then alert +#EOF +#else +# rm -f /etc/monit/monitrc.d/55-opendmarc.conf || true +#fi +# +## 60 – ClamAV (über Socket) +#if [[ "$CLAMAV_ENABLE" = "1" ]]; 
then +# cat >/etc/monit/monitrc.d/60-clamav.conf <<'EOF' +#check process clamd matching "clamd" +# start program = "/bin/systemctl start clamav-daemon" +# stop program = "/bin/systemctl stop clamav-daemon" +# if failed unixsocket /run/clamav/clamd.ctl for 3 cycles then restart +# if 5 restarts within 10 cycles then unmonitor +#EOF +#else +# rm -f /etc/monit/monitrc.d/60-clamav.conf || true +#fi +# +## 70 – Fail2Ban (optional) +#if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then +# cat >/etc/monit/monitrc.d/70-fail2ban.conf <<'EOF' +#check process fail2ban with pidfile /run/fail2ban/fail2ban.pid +# start program = "/bin/systemctl start fail2ban" +# stop program = "/bin/systemctl stop fail2ban" +# if 5 restarts within 5 cycles then alert +#EOF +#else +# rm -f /etc/monit/monitrc.d/70-fail2ban.conf || true +#fi +# +## ── Monit neu laden ───────────────────────────────────────────────────────── +#monit -t +#systemctl reload monit || systemctl restart monit +# +## Optionaler Sichttest (CLI funktioniert auch ohne HTTP-UI) +##sleep 2 +##monit summary || true \ No newline at end of file diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index bbd2cd0..2bfaf20 100644 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -250,6 +250,8 @@ install -d -m 0755 /etc/mailwolt cat >/etc/mailwolt/installer.env <
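Review bot: `move_monit_conf` never reads the heredoc its callers pipe in: the create branch writes the literal line `__PAYLOAD__` into `$src` via its own quoted `<<'EOF_PAYLOAD'` heredoc, so on a fresh host 55-opendmarc.conf, 60-clamav.conf and 70-fail2ban.conf contain `__PAYLOAD__`, and the enabled ones are moved into monitrc.d where the `monit -t` run a few lines below should reject the configuration. Replace the inner heredoc with a plain copy of stdin, `cat >"$src"`, and delete the `__PAYLOAD__` and `EOF_PAYLOAD` lines. When the file already exists the function returns without consuming stdin, which is harmless but worth a one-line comment (`# stdin (Payload) wird nur beim Anlegen gelesen`); the roughly 250 lines of the old script appended as `#` comments should be removed rather than kept.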