
#!/usr/bin/env bash
# 95-woltguard.sh – sets up WoltGuard (Monit plus self-heal helper scripts) for MailWolt.
# Depends on ./lib.sh for log(); reads /etc/mailwolt/installer.env when it is present.
set -euo pipefail
source ./lib.sh
log "WoltGuard (Monit + Self-Heal) einrichten …"
# installer.env may reference variables that are not set in this shell, so -u is
# relaxed only for the duration of sourcing it.
set +u
if [ -r /etc/mailwolt/installer.env ]; then
  . /etc/mailwolt/installer.env
fi
set -u
# Feature toggles (installer.env may override them): ClamAV and OpenDMARC are off,
# Fail2Ban is on unless told otherwise.
: "${CLAMAV_ENABLE:=0}"
: "${OPENDMARC_ENABLE:=0}"
: "${FAIL2BAN_ENABLE:=1}"
# Ensure packages
# Monit is the only package this step needs; install it only when it is missing so
# re-running the installer does not hit apt every time.
if ! command -v monit >/dev/null; then
  apt-get update -qq
  apt-get install -y monit
fi
systemctl enable --now monit
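# Helper scripts
install -d -m 0755 /usr/local/sbin
# mw-redis-ping.sh: probe run by the Monit redis check – exit 0 if the local Redis
# answers PING, non-zero otherwise. The password is handed to redis-cli through
# REDISCLI_AUTH instead of "-a": an argv password is readable by every local user via
# the process list and makes redis-cli emit its "unsafe password" warning on stderr.
cat >/usr/local/sbin/mw-redis-ping.sh <<'EOSH'
#!/usr/bin/env bash
# Redis liveness probe for Monit: exit 0 on PONG, non-zero otherwise.
set -euo pipefail
# installer.env may reference unset variables; relax -u only while sourcing it.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env || true
set -u
command -v redis-cli >/dev/null 2>&1 || exit 1
if [[ -n "${REDIS_PASS:-}" ]]; then
  # Password via the environment, never via argv.
  REDISCLI_AUTH="$REDIS_PASS" redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG && exit 0
fi
# Fallback: a Redis without requirepass (or with a stale REDIS_PASS) still answers PING.
redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG
EOSH
chmod 0755 /usr/local/sbin/mw-redis-ping.sh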
# mw-rspamd-heal.sh: invoked by the Monit rspamd check via "exec" when the rspamd
# ports stop answering – ensures the runtime dir exists, removes a leftover socket
# file and restarts the service.
cat >/usr/local/sbin/mw-rspamd-heal.sh <<'EOSH'
#!/usr/bin/env bash
set -euo pipefail
# A failure here is tolerated so the restart below still runs.
install -d -m 0755 -o _rspamd -g _rspamd /run/rspamd || true
# Drop a stale socket file before restarting.
if [ -S /var/lib/rspamd/rspamd.sock ]; then
  rm -f /var/lib/rspamd/rspamd.sock || true
fi
systemctl restart rspamd
EOSH
chmod 0755 /usr/local/sbin/mw-rspamd-heal.sh
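# WoltGuard wrapper + unit
# /usr/local/bin/woltguard: thin CLI around monit; sub-commands are listed in the usage line.
cat >/usr/local/bin/woltguard <<'EOSH'
#!/usr/bin/env bash
# woltguard – control wrapper around monit for MailWolt.
# Exit status: 2 on an unknown sub-command; status/heal/monitor/unmonitor tolerate
# monit failures (|| true), start/stop propagate systemctl's status.
set -euo pipefail
case "${1:-status}" in
start) systemctl enable --now monit ;;
stop) systemctl stop monit ;;
status) monit summary || systemctl status monit || true ;;
heal) monit reload || true; sleep 1; monit restart all || true ;;
monitor) monit monitor all || true ;;
unmonitor) monit unmonitor all || true ;;
*)
  # Usage is a diagnostic: write it to stderr so callers consuming stdout do not
  # mistake it for status output.
  printf '%s\n' "Usage: woltguard {start|stop|status|heal|monitor|unmonitor}" >&2
  exit 2
  ;;
esac
EOSH
chmod 0755 /usr/local/bin/woltguard
# systemd unit: oneshot with RemainAfterExit so the unit stays "active" after the start
# command returns and ExecStop is invoked when it is stopped.
cat >/etc/systemd/system/woltguard.service <<'EOF'
[Unit]
Description=WoltGuard Self-Healing Monitor for MailWolt
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/woltguard start
ExecStop=/usr/local/bin/woltguard stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now woltguard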
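# Monit base config + include
# Poll every 30s; a missing or unexpected monitrc is tolerated so the include below still runs.
sed -i 's/^set daemon .*/set daemon 30/' /etc/monit/monitrc || true
# Fixed-string match: the include line contains '*', which grep would otherwise read
# as a regex quantifier and match lines that are not this directive.
grep -qF -- 'include /etc/monit/conf.d/*' /etc/monit/monitrc \
  || printf '%s\n' 'include /etc/monit/conf.d/*' >>/etc/monit/monitrc
install -d -m 0755 /etc/monit/conf.d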
# Checks
# write_check NAME: writes /etc/monit/conf.d/NAME.conf from stdin (a heredoc below).
write_check() {
  cat >"/etc/monit/conf.d/$1.conf"
}
# drop_check NAME: removes the check for an optional component that is disabled here.
drop_check() {
  rm -f "/etc/monit/conf.d/$1.conf" || true
}
write_check postfix <<'EOF'
check process postfix with pidfile /var/spool/postfix/pid/master.pid
start program = "/bin/systemctl start postfix"
stop program = "/bin/systemctl stop postfix"
if failed port 25 protocol smtp then restart
if failed port 465 type tcpssl then restart
if failed port 587 type tcp then restart
if 5 restarts within 5 cycles then alert
EOF
write_check dovecot <<'EOF'
check process dovecot with pidfile /run/dovecot/master.pid
start program = "/bin/systemctl start dovecot"
stop program = "/bin/systemctl stop dovecot"
if failed port 993 type tcpssl for 2 cycles then restart
if failed port 24 protocol lmtp for 2 cycles then restart
if 5 restarts within 5 cycles then alert
EOF
write_check nginx <<'EOF'
check process nginx with pidfile /run/nginx.pid
start program = "/bin/systemctl start nginx"
stop program = "/bin/systemctl stop nginx"
if failed port 80 type tcp then restart
if failed port 443 type tcpssl then restart
if 5 restarts within 5 cycles then alert
EOF
# redis: TCP connect plus the mw-redis-ping.sh probe installed above.
write_check redis <<'EOF'
check process redis with pidfile /run/redis/redis-server.pid
start program = "/bin/systemctl start redis-server"
stop program = "/bin/systemctl stop redis-server"
if failed host 127.0.0.1 port 6379 for 2 cycles then restart
if failed program "/usr/local/sbin/mw-redis-ping.sh" for 2 cycles then restart
if 5 restarts within 5 cycles then alert
EOF
# rspamd: port failures run the heal script instead of a plain restart.
write_check rspamd <<'EOF'
check process rspamd with pidfile /run/rspamd/rspamd.pid
start program = "/bin/systemctl start rspamd"
stop program = "/bin/systemctl stop rspamd"
if failed port 11333 for 2 cycles then exec "/usr/local/sbin/mw-rspamd-heal.sh"
if failed port 11334 for 2 cycles then exec "/usr/local/sbin/mw-rspamd-heal.sh"
if 5 restarts within 5 cycles then alert
EOF
write_check opendkim <<'EOF'
check process opendkim with pidfile /run/opendkim/opendkim.pid
start program = "/bin/systemctl start opendkim"
stop program = "/bin/systemctl stop opendkim"
if does not exist file "/run/opendkim/opendkim.pid" then restart
if 5 restarts within 5 cycles then alert
EOF
# optional: OpenDMARC
if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
  write_check opendmarc <<'EOF'
check process opendmarc with pidfile /run/opendmarc/opendmarc.pid
start program = "/bin/systemctl start opendmarc"
stop program = "/bin/systemctl stop opendmarc"
if 5 restarts within 5 cycles then alert
EOF
else
  drop_check opendmarc
fi
# optional: ClamAV
if [[ "$CLAMAV_ENABLE" = "1" ]]; then
  write_check clamav <<'EOF'
check process clamd with pidfile /run/clamav/clamd.pid
start program = "/bin/systemctl start clamav-daemon"
stop program = "/bin/systemctl stop clamav-daemon"
if failed unixsocket /run/clamav/clamd.ctl then restart
if 5 restarts within 5 cycles then alert
EOF
else
  drop_check clamav
fi
# optional: Fail2Ban
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
  write_check fail2ban <<'EOF'
check process fail2ban with pidfile /run/fail2ban/fail2ban.pid
start program = "/bin/systemctl start fail2ban"
stop program = "/bin/systemctl stop fail2ban"
if 5 restarts within 5 cycles then alert
EOF
else
  drop_check fail2ban
fi
# Validate the generated configuration first; under set -e a syntax error aborts the
# installer here instead of leaving monit running with a broken config.
monit -t
if ! systemctl reload monit; then
  systemctl restart monit
fi
woltguard status || true
log "[✓] WoltGuard aktiv."