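#!/usr/bin/env bash
# WoltGuard installer: set up Monit plus small self-heal helpers for the
# MailWolt stack.
#
# Reads optional feature flags from /etc/mailwolt/installer.env
# (CLAMAV_ENABLE, OPENDMARC_ENABLE, FAIL2BAN_ENABLE) and writes:
#   * /usr/local/sbin/mailwolt-redis-ping.sh    - Redis liveness probe for Monit
#   * /usr/local/sbin/mailwolt-rspamd-heal.sh   - rspamd socket cleanup + restart
#   * /usr/local/bin/woltguard + woltguard.service - thin wrapper around monit
#   * /etc/monit/conf.d/*.conf                  - per-service Monit checks
# Must run as root (writes to /etc and /usr/local, drives systemd).
set -euo pipefail
source ./lib.sh

log "WoltGuard (Monit + Self-Heal) einrichten …"

# installer.env is sourced, i.e. executed, as root and also carries
# REDIS_PASS: it must stay root-owned and not group/world-writable.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
CLAMAV_ENABLE="${CLAMAV_ENABLE:-0}"
OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-0}"
FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"

# --- packages ---------------------------------------------------------------
if ! command -v monit >/dev/null; then
  apt-get update -qq
  apt-get install -y monit
fi
systemctl enable --now monit

# --- helper scripts ---------------------------------------------------------
install -d -m 0755 /usr/local/sbin

# Redis liveness probe for a Monit "check program": exit 0 on PONG.
cat >/usr/local/sbin/mailwolt-redis-ping.sh <<'EOSH'
#!/usr/bin/env bash
# PING the local Redis; exit 0 when it answers PONG, non-zero otherwise.
# Optionally authenticates with REDIS_PASS from /etc/mailwolt/installer.env.
set -euo pipefail
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true

command -v redis-cli >/dev/null 2>&1 || exit 1

if [[ -n "${REDIS_PASS:-}" ]]; then
  # Pass the password through REDISCLI_AUTH (redis-cli >= 5) rather than
  # "-a <pass>": argv is readable by every local user via ps and /proc.
  if REDISCLI_AUTH="$REDIS_PASS" redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG; then
    exit 0
  fi
fi
# No password configured (or the authenticated PING failed): plain PING.
# The script's exit status is this pipeline's status.
redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG
EOSH
chmod 0755 /usr/local/sbin/mailwolt-redis-ping.sh

# rspamd self-heal: recreate the runtime dir, drop a stale socket, restart.
cat >/usr/local/sbin/mailwolt-rspamd-heal.sh <<'EOSH'
#!/usr/bin/env bash
# Invoked by Monit when rspamd's ports stop answering.
set -euo pipefail
install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
# A leftover unix socket file can block rspamd from binding on restart.
if [[ -S /var/lib/rspamd/rspamd.sock ]]; then
  rm -f -- /var/lib/rspamd/rspamd.sock || true
fi
systemctl restart rspamd
EOSH
chmod 0755 /usr/local/sbin/mailwolt-rspamd-heal.sh

# --- woltguard wrapper + systemd unit ---------------------------------------
# Thin CLI around monit; "status" falls back to systemctl when monit's own
# summary is unavailable.
cat >/usr/local/bin/woltguard <<'EOSH'
#!/usr/bin/env bash
# woltguard {start|stop|status|heal|monitor|unmonitor} - drive Monit.
set -euo pipefail
action="${1:-status}"
case "$action" in
  start)     systemctl enable --now monit ;;
  stop)      systemctl stop monit ;;
  status)    monit summary || systemctl status monit || true ;;
  heal)      monit reload || true; sleep 1; monit restart all || true ;;
  monitor)   monit monitor all || true ;;
  unmonitor) monit unmonitor all || true ;;
  *)
    echo "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}"
    exit 2
    ;;
esac
EOSH
chmod 0755 /usr/local/bin/woltguard

# oneshot + RemainAfterExit: the unit only turns monit on/off and stays
# "active" so the stop action runs on shutdown.
cat >/etc/systemd/system/woltguard.service <<'EOF'
[Unit]
Description=WoltGuard – Self-Healing Monitor for MailWolt
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/woltguard start
ExecStop=/usr/local/bin/woltguard stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now woltguard

# --- monit base config ------------------------------------------------------
# Poll every 30 s instead of the distribution default.
sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
# Only add the conf.d include when no active (uncommented) include for that
# directory exists yet; a second include would load every check twice.
grep -qE '^[[:space:]]*include[[:space:]]+/etc/monit/conf\.d/' /etc/monit/monitrc \
  || echo 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
install -d -m 0755 /etc/monit/conf.d

# --- service checks ---------------------------------------------------------
cat >/etc/monit/conf.d/postfix.conf <<'EOF'
check process postfix with pidfile /var/spool/postfix/pid/master.pid
  start program = "/bin/systemctl start postfix"
  stop program = "/bin/systemctl stop postfix"
  if failed port 25 protocol smtp then restart
  if failed port 465 type tcpssl then restart
  if failed port 587 type tcp then restart
  if 5 restarts within 5 cycles then alert
EOF

cat >/etc/monit/conf.d/dovecot.conf <<'EOF'
check process dovecot with pidfile /run/dovecot/master.pid
  start program = "/bin/systemctl start dovecot"
  stop program = "/bin/systemctl stop dovecot"
  if failed port 993 type tcpssl for 2 cycles then restart
  if failed port 24 protocol lmtp for 2 cycles then restart
  if 5 restarts within 5 cycles then alert
EOF

cat >/etc/monit/conf.d/nginx.conf <<'EOF'
check process nginx with pidfile /run/nginx.pid
  start program = "/bin/systemctl start nginx"
  stop program = "/bin/systemctl stop nginx"
  if failed port 80 type tcp then restart
  if failed port 443 type tcpssl then restart
  if 5 restarts within 5 cycles then alert
EOF

# The redis_ping program check is bounded by a timeout so a hung redis-cli
# cannot stall the probe indefinitely.
cat >/etc/monit/conf.d/redis.conf <<'EOF'
check process redis with pidfile /run/redis/redis-server.pid
  start program = "/bin/systemctl start redis-server"
  stop program = "/bin/systemctl stop redis-server"
  if failed host 127.0.0.1 port 6379 for 2 cycles then restart
  if 5 restarts within 5 cycles then alert

check program redis_ping with path "/usr/local/sbin/mailwolt-redis-ping.sh" with timeout 10 seconds
  if status != 0 for 2 cycles then exec "/bin/systemctl restart redis-server"
EOF

cat >/etc/monit/conf.d/rspamd.conf <<'EOF'
check process rspamd with pidfile /run/rspamd/rspamd.pid
  start program = "/bin/systemctl start rspamd"
  stop program = "/bin/systemctl stop rspamd"
  if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
  if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mailwolt-rspamd-heal.sh"
  if 5 restarts within 5 cycles then alert
EOF

cat >/etc/monit/conf.d/opendkim.conf <<'EOF'
check process opendkim with pidfile /run/opendkim/opendkim.pid
  start program = "/bin/systemctl start opendkim"
  stop program = "/bin/systemctl stop opendkim"
  if failed host 127.0.0.1 port 8891 type tcp for 2 cycles then restart
  if 5 restarts within 5 cycles then alert
EOF

# --- optional checks (removed again when the feature is disabled) -----------
if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
  cat >/etc/monit/conf.d/opendmarc.conf <<'EOF'
check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
  start program = "/bin/systemctl start opendmarc"
  stop program = "/bin/systemctl stop opendmarc"
  if 5 restarts within 5 cycles then alert
EOF
else
  rm -f /etc/monit/conf.d/opendmarc.conf || true
fi

if [[ "$CLAMAV_ENABLE" = "1" ]]; then
  cat >/etc/monit/conf.d/clamav.conf <<'EOF'
check process clamd with pidfile /run/clamav/clamd.pid
  start program = "/bin/systemctl start clamav-daemon"
  stop program = "/bin/systemctl stop clamav-daemon"
  if failed unixsocket /run/clamav/clamd.ctl then restart
  if 5 restarts within 5 cycles then alert
EOF
else
  rm -f /etc/monit/conf.d/clamav.conf || true
fi

if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
  cat >/etc/monit/conf.d/fail2ban.conf <<'EOF'
check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
  start program = "/bin/systemctl start fail2ban"
  stop program = "/bin/systemctl stop fail2ban"
  if 5 restarts within 5 cycles then alert
EOF
else
  rm -f /etc/monit/conf.d/fail2ban.conf || true
fi

# Validate the merged configuration before reloading; under set -e a syntax
# error aborts the installer instead of leaving monit with a broken config.
monit -t
systemctl reload monit || systemctl restart monit
systemctl status monit --no-pager || true
log "[✓] WoltGuard aktiv."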