mailwolt-installer/scripts/10-provision.sh

#!/usr/bin/env bash
# 10-provision.sh — base provisioning for mailwolt: packages, system users and
# directories, sudoers drop-ins, a MariaDB include fix and a password-protected
# local Redis. Needs lib.sh (log/warn helpers) in the current directory.
set -euo pipefail

source ./lib.sh

# Optional site overrides (e.g. REDIS_PASS). The file is executed as shell code,
# so it should be owned and writable by root only.
if [[ -r /etc/mailwolt/installer.env ]]; then
  # shellcheck source=/dev/null
  . /etc/mailwolt/installer.env
fi

# An empty value means "generate a fresh password" in the Redis section below.
REDIS_PASS="${REDIS_PASS:-}"

SCRIPTS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Normalise CRLF line endings in every script of the installer tree (presumably
# to survive Windows checkouts). Best effort: a failure here is not fatal.
find "${SCRIPTS_DIR}/.." -type f -name '*.sh' -exec sed -i 's/\r$//' {} + || true
log "Pakete installieren …"
export DEBIAN_FRONTEND=noninteractive
apt-get update -y

# Minimal but complete: MTA/MDA, database, cache, filtering/AV, web stack, tooling.
packages=(
  postfix postfix-mysql dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql
  mariadb-server mariadb-client redis-server rspamd opendkim opendkim-tools opendmarc clamav
  clamav-daemon nginx php php-fpm php-cli php-mbstring php-xml php-curl php-zip php-mysql
  php-redis php-gd unzip curl composer git certbot python3-certbot-nginx fail2ban ca-certificates
  rsyslog sudo openssl monit acl netcat-openbsd jq sqlite3
)
# confdef/confold: keep already-installed config files, take the package default otherwise,
# so the run never blocks on an interactive dpkg prompt.
apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confold" \
  install "${packages[@]}"

# Remove Apache completely (presumably pulled in by the php metapackage); nginx is the
# web server here. All three steps are tolerated to fail when Apache is not present.
systemctl disable --now apache2 >/dev/null 2>&1 || true
apt-get -y purge 'apache2*' >/dev/null 2>&1 || true
apt-get -y autoremove >/dev/null 2>&1 || true
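log "Systemuser/Dirs …"

# Mail store owner (system account) and the application account. The user/group
# creation was duplicated in the original; one copy is enough (both are idempotent).
# APP_USER / APP_GROUP / APP_DIR come from lib.sh or installer.env; set -u aborts if unset.
id vmail >/dev/null 2>&1 || adduser --system --group --home /var/mail vmail
id "$APP_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$APP_USER"

# --- Gruppen und Berechtigungen für Maildir und Dovecot-Zugriff ---
# vmail: primary group "mail" (new Maildir entries are group mail), plus dovecot.
usermod -g mail -a -G dovecot vmail || true

# App user: own group plus mail/dovecot.
# NOTE: membership in "mail" together with the group-read bits/ACLs below gives the
# web application read access to every mailbox under /var/mail/vhosts; a compromise
# of $APP_USER therefore exposes all stored mail. Keep this only if the app needs it.
usermod -a -G "$APP_GROUP" "$APP_USER" || true
usermod -a -G mail,dovecot "$APP_USER" || true

# Maildir tree readable for group mail. Guarded on existence: the tree is presumably
# created by a later step, and the recursive commands would only fail noisily otherwise.
# "X" (capital) grants execute only to directories and already-executable files, so
# mail files are not silently marked executable as "g+rx" would do.
if [[ -d /var/mail/vhosts ]]; then
  chgrp -R mail /var/mail/vhosts || true
  chmod -R g+rX /var/mail/vhosts || true
  # ACLs so that new entries inherit matching rights (-d: default ACL for new objects;
  # for files the inherited bits are masked by the creation mode, so no stray x there).
  setfacl -R -m g:mail:rX /var/mail/vhosts || true
  setfacl -dR -m g:mail:rx /var/mail/vhosts || true
fi

install -d -m 0755 -o root -g root /var/www
install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR"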
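# sudo rules for DKIM key management triggered from the web application.
# Safer write path than "write, then check": the rule set is validated with visudo on
# a temporary copy and only installed into sudoers.d once it parses, so a broken rule
# never becomes part of the live sudo configuration, not even briefly.
# Policy notes (rule text unchanged):
#  - sudoers matches "*" across word boundaries, so "cmd *" permits any argument
#    string; the two mailwolt-*-dkim wrappers must validate their own arguments.
#  - "/usr/bin/test *" as root works as a file-existence/permission oracle for any path.
#  - "mailwolt" is hard-coded while the rest of the script uses $APP_USER; the quoted
#    heredoc does not expand variables, so the two have to be kept in sync by hand.
SUDOERS_DKIM="/etc/sudoers.d/mailwolt-dkim"
sudoers_tmp="$(mktemp)"
cat > "${sudoers_tmp}" <<'EOF'
Defaults!/usr/local/sbin/mailwolt-install-dkim !requiretty
Defaults!/usr/local/sbin/mailwolt-remove-dkim !requiretty
Defaults!/usr/bin/systemctl !requiretty
Defaults!/usr/bin/test !requiretty
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim *
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim *
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl reload opendkim
www-data ALL=(root) NOPASSWD: /usr/bin/test *
mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim *
mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim *
mailwolt ALL=(root) NOPASSWD: /usr/bin/systemctl reload opendkim
mailwolt ALL=(root) NOPASSWD: /usr/bin/test *
EOF
# Owner/mode as sudo expects them, also on the temp copy in case visudo checks them.
chown root:root "${sudoers_tmp}"
chmod 440 "${sudoers_tmp}"
if visudo -c -f "${sudoers_tmp}" >/dev/null 2>&1; then
  install -m 0440 -o root -g root "${sudoers_tmp}" "${SUDOERS_DKIM}"
else
  warn "Ungültiger sudoers-Eintrag für ${SUDOERS_DKIM}, Datei wird nicht installiert."
  # Do not leave a stale rule file from an earlier run behind either.
  rm -f "${SUDOERS_DKIM}"
fi
rm -f "${sudoers_tmp}"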
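# sudo rule that lets the web application query mailbox counts via doveadm as vmail.
# Same validate-then-install sequence as for the DKIM rules: the live sudoers.d file is
# only written after visudo accepted a temporary copy. The original installed the file
# first and deleted it on failure, and silently so; this logs the failure.
# Policy note (rule text unchanged): "-u *" matches across word boundaries, so the
# alias also admits extra doveadm options between "-u" and "messages INBOX"; the
# command runs as vmail, not root, which bounds the impact.
SUDOERS_DOVEADM="/etc/sudoers.d/mailwolt-doveadm"
sudoers_tmp="$(mktemp)"
cat > "${sudoers_tmp}" <<'EOF'
Cmnd_Alias MW_DOVEADM_STATUS = /usr/bin/doveadm -f tab mailbox status -u * messages INBOX, \
/usr/bin/doveadm mailbox status -u * messages INBOX
www-data ALL=(vmail) NOPASSWD: MW_DOVEADM_STATUS
mailwolt ALL=(vmail) NOPASSWD: MW_DOVEADM_STATUS
EOF
chown root:root "${sudoers_tmp}"
chmod 440 "${sudoers_tmp}"
if visudo -c -f "${sudoers_tmp}" >/dev/null 2>&1; then
  install -m 0440 -o root -g root "${sudoers_tmp}" "${SUDOERS_DOVEADM}"
else
  warn "Ungültiger sudoers-Eintrag für ${SUDOERS_DOVEADM}, Datei wird nicht installiert."
  rm -f "${SUDOERS_DOVEADM}"
fi
rm -f "${sudoers_tmp}"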
log "MariaDB include-fix …"
# Make sure the conf.d drop-ins are actually read: recreate the top-level include
# directive if mariadb.cnf is missing (presumably later steps write into conf.d).
mkdir -p /etc/mysql/mariadb.conf.d
if [[ ! -f /etc/mysql/mariadb.cnf ]]; then
  printf '%s\n' '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf
fi
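log "Redis absichern …"
# Generate a random password when none is configured or the placeholder is still set.
if [[ -z "${REDIS_PASS:-}" || "${REDIS_PASS}" == "changeme" ]]; then
  REDIS_PASS="$(openssl rand -hex 16)"   # 128 bit, hex only: safe in redis.conf and env
  export REDIS_PASS
  log "Neues Redis-Passwort generiert."
  # NOTE(review): the new value only lives in this process environment; if later
  # installer steps read REDIS_PASS from installer.env, it has to be persisted there — confirm.
fi

# Config file actually used by the unit (fallback: Debian default). The query is tolerated
# to fail (|| true) so the fallback applies even when the unit cannot be inspected.
REDIS_CONF="$(systemctl show -p ExecStart redis-server 2>/dev/null \
  | sed -n 's/^ExecStart=.*redis-server[[:space:]]\+\([^[:space:]]\+\).*/\1/p' || true)"
REDIS_CONF="${REDIS_CONF:-/etc/redis/redis.conf}"

# Force loopback-only listening and protected mode. The patterns also match commented-out
# example lines, which then become additional "bind 127.0.0.1" lines — harmless here.
sed -i 's/^[[:space:]]*#\?[[:space:]]*bind .*/bind 127.0.0.1/' "$REDIS_CONF"
sed -i 's/^[[:space:]]*#\?[[:space:]]*protected-mode .*/protected-mode yes/' "$REDIS_CONF"

# Drop every previous requirepass line (commented or not) and append the current one.
# The password is stored in clear text in $REDIS_CONF; that file must not be world-readable.
sed -i '/^[[:space:]]*#\?[[:space:]]*requirepass[[:space:]]\+/d' "$REDIS_CONF"
printf '\nrequirepass %s\n' "${REDIS_PASS}" >> "$REDIS_CONF"

# Enable and restart so the new config is live.
systemctl enable --now redis-server
systemctl restart redis-server || true

# Sanity check (log only, no hard exit). The password is handed over via REDISCLI_AUTH
# instead of "-a" so it does not appear in the process list or in redis-cli's warning.
if REDISCLI_AUTH="${REDIS_PASS}" redis-cli ping 2>/dev/null | grep -q PONG; then
  log "Redis mit Passwort OK."
else
  warn "Redis PING mit Passwort fehlgeschlagen, bitte ${REDIS_CONF} prüfen."
fi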