diff --git a/scripts/88-update-wrapper.sh b/scripts/88-update-wrapper.sh index abc7836..0e48f99 100644 --- a/scripts/88-update-wrapper.sh +++ b/scripts/88-update-wrapper.sh @@ -9,6 +9,7 @@ LOGFILE="/var/log/mailwolt-update.log" STATEDIR="/var/lib/mailwolt/update" SUDOERS="/etc/sudoers.d/mailwolt-update" VERSION_FILE="/var/lib/mailwolt/version" +SUDOERS_SERVICES="/etc/sudoers.d/mailwolt-services" # Kandidaten: wo liegt update.sh? CANDIDATES=( @@ -73,11 +74,16 @@ echo "running" > "$STATE_DIR/state" # Version schreiben (Git-Tag oder Commit) if command -v git >/dev/null 2>&1; then cd /opt/mailwolt-installer >/dev/null 2>&1 || true - ver=$(git describe --tags --always --dirty 2>/dev/null || echo "unknown") - echo "$ver" > "$VERSION_FILE" - echo "[i] Version aktualisiert: $ver" + raw=$(git describe --tags --always --dirty 2>/dev/null || echo "unknown") + norm=$(printf '%s' "$raw" | sed -E 's/^v//; s/-.*$//') + + echo "$raw" > /var/lib/mailwolt/version_raw + echo "$norm" > /var/lib/mailwolt/version + + echo "[i] Version aktualisiert: raw=$raw norm=$norm" else - echo "unknown" > "$VERSION_FILE" + echo "unknown" > /var/lib/mailwolt/version_raw + echo "0.0.0" > /var/lib/mailwolt/version fi echo "$rc" > "$STATE_DIR/rc" 
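Review bot: The two fallbacks in the rewritten version block disagree: when git is present but `git describe` fails, `raw` is `unknown` and the `sed` leaves `norm` as `unknown`, while the `else` branch writes `0.0.0`, so a consumer comparing the version file against a semver sees two different non-version sentinels depending only on whether git is installed; a bare commit hash from `--always` is likewise passed through unchanged. A guard after the `sed` line makes the file contents uniform: `[[ "$norm" =~ ^[0-9]+(\.[0-9]+)+$ ]] || norm="0.0.0"`. The new lines also hardcode `/var/lib/mailwolt/version` and `/var/lib/mailwolt/version_raw` where the removed lines used `"$VERSION_FILE"`; if the wrapper still defines that variable outside the hunk, keeping it (plus a sibling for the raw file) avoids the two paths silently drifting from the installer's `VERSION_FILE`. Note that `s/-.*$//` also strips a prerelease suffix such as `1.2.3-rc1` down to `1.2.3`, so a release candidate is reported as the final release; whether that is intended deserves a comment next to the `sed` call. The enclosing `if` and the wrapper heredoc it sits in start outside the hunk.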
@@ -104,6 +110,35 @@ if ! visudo -c -f "$SUDOERS" >/dev/null 2>&1; then rm -f "$SUDOERS" fi +cat > "$SUDOERS_SERVICES" <<'EOF' +Defaults!/usr/bin/systemctl !requiretty + +Cmnd_Alias MW_SERVICES = \ + /usr/bin/systemctl reload nginx.service, \ + /usr/bin/systemctl try-reload-or-restart nginx.service, \ + /usr/bin/systemctl restart php8.3-fpm.service, \ + /usr/bin/systemctl try-reload-or-restart postfix.service, \ + /usr/bin/systemctl try-reload-or-restart dovecot.service, \ + /usr/bin/systemctl try-reload-or-restart rspamd.service, \ + /usr/bin/systemctl try-reload-or-restart opendkim.service, \ + /usr/bin/systemctl try-reload-or-restart opendmarc.service, \ + /usr/bin/systemctl try-reload-or-restart clamav-daemon.service, \ + /usr/bin/systemctl try-reload-or-restart redis-server.service + +www-data ALL=(root) NOPASSWD: MW_SERVICES +EOF + +chmod 440 "$SUDOERS_SERVICES" +chown root:root "$SUDOERS_SERVICES" + +# Prüfen, ob Syntax gültig ist +if ! visudo -c -f "$SUDOERS_SERVICES" >/dev/null 2>&1; then + echo "[!] Ungültiger sudoers-Eintrag in $SUDOERS_SERVICES – entferne Datei." + rm -f "$SUDOERS_SERVICES" +else + echo "[✓] Sudoers für Dienststeuerung angelegt: $SUDOERS_SERVICES" +fi + # Version-File initial anlegen, falls nicht existiert if [[ ! -f "$VERSION_FILE" ]]; then echo "unknown" > "$VERSION_FILE" 
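Review bot: The new sudoers fragment is written straight into `/etc/sudoers.d` with `cat >` and only validated afterwards, so between the write and the `visudo -c` check (and permanently if the script aborts under `set -e` in between) a possibly malformed fragment sits in the live sudoers.d directory; depending on the sudo version this can make sudo refuse to run for every user on the host, including the `mw-update` rule the script set up just above. Writing the heredoc to a `mktemp` file, running `visudo -c -f` on that, and only then placing it with `install -m 0440 -o root -g root` makes the operation atomic and also removes the brief 0644 window the file has before the `chmod 440`. The `Defaults!/usr/bin/systemctl !requiretty` line applies to every sudo invocation of systemctl rather than only to the granted commands; `Defaults!MW_SERVICES !requiretty` placed after the alias keeps it scoped to the list. `restart php8.3-fpm.service` pins the PHP version, so on a host with another php-fpm unit the rule silently never matches, which is worth a note in the heredoc such as `# php-fpm unit name must match the installed PHP version`.
```shell
tmp_sudoers=$(mktemp) || { echo "[!] mktemp fehlgeschlagen"; exit 1; }
cat > "$tmp_sudoers" <<'EOF'
Cmnd_Alias MW_SERVICES = \
# … unchanged: the ten /usr/bin/systemctl command lines …

Defaults!MW_SERVICES !requiretty
www-data ALL=(root) NOPASSWD: MW_SERVICES
EOF

# Validate before anything lands in /etc/sudoers.d, then install atomically with the final mode/owner.
if visudo -c -f "$tmp_sudoers" >/dev/null 2>&1; then
  install -m 0440 -o root -g root "$tmp_sudoers" "$SUDOERS_SERVICES"
  echo "[✓] Sudoers für Dienststeuerung angelegt: $SUDOERS_SERVICES"
else
  echo "[!] Ungültiger sudoers-Eintrag – $SUDOERS_SERVICES wird nicht installiert."
fi
rm -f -- "$tmp_sudoers"
```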
@@ -111,100 +146,4 @@ if [[ ! -f "$VERSION_FILE" ]]; then
 fi
 
 log "[✓] Update-Wrapper bereit: $WRAPPER"
-log "[✓] Version wird unter $VERSION_FILE gespeichert"
-
-
-##!/usr/bin/env bash
-#set -euo pipefail
-#source ./lib.sh
-#
-#log "Update-Wrapper & Sudoers …"
-#
-#WRAPPER="/usr/local/sbin/mw-update"
-#LOGFILE="/var/log/mailwolt-update.log"
-#STATEDIR="/var/lib/mailwolt/update"
-#SUDOERS="/etc/sudoers.d/mailwolt-update"
-#
-## Kandidaten: wo liegt update.sh?
-#CANDIDATES=(
-# /opt/mailwolt-installer/scripts/update.sh
-# /mailwolt-installer/scripts/update.sh
-# /usr/local/lib/mailwolt/update.sh
-#)
-#
-## State/Log vorbereiten
-#install -d -m 0755 "$(dirname "$LOGFILE")"
-#install -d -m 0755 "$STATEDIR"
-#: > "$LOGFILE" || true
-#chmod 0644 "$LOGFILE"
-#
-## Wrapper erzeugen
-#cat > "$WRAPPER" <<'EOF'
-##!/usr/bin/env bash
-#set -euo pipefail
-#
-#LOG="/var/log/mailwolt-update.log"
-#STATE_DIR="/var/lib/mailwolt/update"
-#
-#CANDIDATES=(
-# /opt/mailwolt-installer/scripts/update.sh
-# /mailwolt-installer/scripts/update.sh
-# /usr/local/lib/mailwolt/update.sh
-#)
-#
-## Beste vorhandene update.sh finden
-#SCRIPT=""
-#for p in "${CANDIDATES[@]}"; do
-# if [[ -x "$p" ]]; then SCRIPT="$p"; break; fi
-# if [[ -f "$p" && -r "$p" ]]; then SCRIPT="$p"; break; fi
-#done
-#
-#install -d -m 0755 "$STATE_DIR"
-#echo "running" > "$STATE_DIR/state"
-#
-#{
-# echo "===== $(date -Is) :: Update gestartet ====="
-# if [[ -z "$SCRIPT" ]]; then
-# echo "[!] update.sh nicht gefunden oder nicht ausführbar (versucht: ${CANDIDATES[*]})"
-# rc=127
-# else
-# echo "[i] benutze: $SCRIPT"
-# if [[ "$(id -u)" -ne 0 ]]; then
-# echo "[!] Bitte als root ausführen"
-# rc=1
-# else
-# # Dirty-Working-Tree zulassen, damit UI-Commits/Änderungen kein Blocker sind
-# if [[ -x "$SCRIPT" ]]; then
-# ALLOW_DIRTY=1 "$SCRIPT"
-# else
-# ALLOW_DIRTY=1 bash "$SCRIPT"
-# fi
-# rc=$?
-# fi
-# fi
-# echo "===== $(date -Is) :: Update beendet (rc=$rc) ====="
-# echo "$rc" > "$STATE_DIR/rc"
-# echo "done" > "$STATE_DIR/state"
-# exit "$rc"
-#} | tee -a "$LOG"
-#EOF
-#
-#chmod 0755 "$WRAPPER"
-#chown root:root "$WRAPPER"
-#
-## Sudoers: www-data (Laravel) & mailwolt dürfen den Wrapper laufen lassen
-#cat > "$SUDOERS" <<'EOF'
-#Defaults!/usr/local/sbin/mw-update !requiretty
-#www-data ALL=(root) NOPASSWD: /usr/local/sbin/mw-update
-#mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mw-update
-#EOF
-#
-#chown root:root "$SUDOERS"
-#chmod 440 "$SUDOERS"
-#
-#if ! visudo -c -f "$SUDOERS" >/dev/null 2>&1; then
-# echo "[!] Ungültiger sudoers-Eintrag in $SUDOERS – entferne Datei."
-# rm -f "$SUDOERS"
-#fi
-#
-#log "[✓] Update-Wrapper bereit: $WRAPPER"
\ No newline at end of file
+log "[✓] Version wird unter $VERSION_FILE gespeichert"
\ No newline at end of file