Fix: Installer-Cleanup (PHP-FPM-Socket dynamisch, Arg-Parsing oben, APP_PW früh, doppelter setfacl entfernt)

- PHPV-Erkennung vor nginx-Config verschoben, Socket-Pfad dynamisch
- Argument-Parsing (-dev/-stag) ganz an den Anfang
- APP_PW früh generieren damit es überall verfügbar ist
- Doppelten setfacl-Block entfernt

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

installer.sh

@@ -100,11 +100,21 @@ gen()   { head -c 512 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "${1:-28}" ||
 pw()    { gen 28; }
 short() { gen 16; }
 
+# ===== Argument-Parsing =====
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -dev)       APP_ENV="local";   APP_DEBUG="true"  ;;
+    -stag|-staging) APP_ENV="staging"; APP_DEBUG="false" ;;
+  esac
+  shift
+done
+
 # ===== Start =====
 require_root
 header
 
 SERVER_IP="$(detect_ip)"
+APP_PW="${APP_PW:-$(pw)}"
 MAIL_HOSTNAME="${MAIL_HOSTNAME:-"bootstrap.local"}"   # Wizard setzt später FQDN
 TZ="${TZ:-""}"                                       # leer; Wizard setzt final
 
@@ -383,8 +393,9 @@ systemctl enable --now redis-server
 log "Nginx konfigurieren…"
 rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true
 
-PHP_FPM_SOCK="/run/php/php-fpm.sock"
-[ -S "/run/php/php8.2-fpm.sock" ] && PHP_FPM_SOCK="/run/php/php8.2-fpm.sock"
+PHPV=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')
+PHP_FPM_SOCK="/run/php/php${PHPV}-fpm.sock"
+[ -S "$PHP_FPM_SOCK" ] || PHP_FPM_SOCK="/run/php/php-fpm.sock"
 
 cat > ${NGINX_SITE} <<CONF
 server {
@@ -448,20 +459,6 @@ CONF
 ln -sf ${NGINX_SITE} ${NGINX_SITE_LINK}
 nginx -t && systemctl enable --now nginx
 
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    -dev)
-      APP_ENV="local"
-      APP_DEBUG="true"
-      ;;
-    -stag|-staging)
-      APP_ENV="staging"
-      APP_DEBUG="false"
-      ;;
-  esac
-  shift
-done
-
 # ===== Node/NPM installieren (für Vite/Tailwind Build) =====
 log "Node/NPM installieren…"
 if [ "$NODE_SETUP" = "nodesource" ]; then
@@ -551,16 +548,11 @@ fi
 
 
 # ===== App-User/Gruppen & Rechte (am ENDE ausführen) =====
-APP_USER="${APP_USER:-${APP_NAME}app}"
-APP_GROUP="${APP_GROUP}"
-APP_PW="${APP_PW:-changeme123}"
-APP_DIR="${APP_DIR}"
-
 # User anlegen (nur falls noch nicht vorhanden) + Passwort setzen + Gruppe
 if ! id -u "$APP_USER" >/dev/null 2>&1; then
   adduser --disabled-password --gecos "" "$APP_USER"
-  echo "${APP_USER}:${APP_PW}" | chpasswd
 fi
+echo "${APP_USER}:${APP_PW}" | chpasswd
 usermod -a -G "$APP_GROUP" "$APP_USER"
 
 # Besitz & Rechte
@@ -575,25 +567,13 @@ if command -v setfacl >/dev/null 2>&1; then
     "${APP_DIR}/storage" "${APP_DIR}/bootstrap/cache" || true
 fi
 
-echo -e "${YELLOW}[i] App-User: ${APP_USER}  Passwort: ${APP_PW}${NC}"
-
-
-# Optional: ACLs, falls verfügbar (robuster bei gemischten Schreibzugriffen)
-if command -v setfacl >/dev/null 2>&1; then
-  setfacl -R -m u:${APP_USER}:rwX,g:${APP_GROUP}:rwX \
-    "${APP_DIR}/storage" "${APP_DIR}/bootstrap/cache" || true
-  setfacl -dR -m u:${APP_USER}:rwX,g:${APP_GROUP}:rwX \
-    "${APP_DIR}/storage" "${APP_DIR}/bootstrap/cache" || true
-fi
-
 grep -q 'umask 002' /home/${APP_USER}/.profile 2>/dev/null || echo 'umask 002' >> /home/${APP_USER}/.profile
 grep -q 'umask 002' /home/${APP_USER}/.bashrc   2>/dev/null || echo 'umask 002' >> /home/${APP_USER}/.bashrc
 
 # 7) npm respektiert umask – zur Sicherheit direkt setzen (für APP_USER)
 sudo -u "$APP_USER" -H bash -lc "npm config set umask 0002" >/dev/null 2>&1 || true
 
-# 8) PHP-FPM-Worker laufen als www-data (Standard). Stelle sicher, dass der FPM-Socket group-writable ist:
-PHPV=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')
+# PHP-FPM-Socket group-writable machen
 FPM_POOL="/etc/php/${PHPV}/fpm/pool.d/www.conf"
 if [ -f "$FPM_POOL" ]; then
   sed -i 's/^;*listen\.owner.*/listen.owner = www-data/' "$FPM_POOL"