Fix: mailwolt-apply-domains Helper + sudoers + Monit aktiviert

- mailwolt-apply-domains Script im Installer erstellt
- sudoers-Eintrag für www-data (certbot + apply-domains ohne Passwort)
- Wizard State-Dir Owner www-data
- Monit standardmäßig aktiviert (nicht mehr disabled)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
boban 2026-04-23 22:24:28 +02:00
parent 19618746ba
commit d5d5fd819c
1 changed files with 103 additions and 3 deletions


@ -557,9 +557,110 @@ fi
# ===== Wizard State-Verzeichnis ===== # ===== Wizard State-Verzeichnis =====
mkdir -p /var/lib/mailwolt/wizard mkdir -p /var/lib/mailwolt/wizard
chown "$APP_USER":"$APP_GROUP" /var/lib/mailwolt/wizard chown www-data:www-data /var/lib/mailwolt/wizard
chmod 775 /var/lib/mailwolt/wizard chmod 775 /var/lib/mailwolt/wizard
# ===== mailwolt-apply-domains Helper =====
log "mailwolt-apply-domains Helper installieren…"
cat > /usr/local/sbin/mailwolt-apply-domains <<'HELPER'
#!/usr/bin/env bash
set -euo pipefail
UI_HOST=""; WEBMAIL_HOST=""; MAIL_HOST=""; SSL_AUTO=0
while [[ $# -gt 0 ]]; do
case "$1" in
--ui-host) UI_HOST="$2"; shift 2 ;;
--webmail-host) WEBMAIL_HOST="$2"; shift 2 ;;
--mail-host) MAIL_HOST="$2"; shift 2 ;;
--ssl-auto) SSL_AUTO="$2"; shift 2 ;;
*) shift ;;
esac
done
PHPV=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')
PHP_FPM_SOCK="/run/php/php${PHPV}-fpm.sock"
[ -S "$PHP_FPM_SOCK" ] || PHP_FPM_SOCK="/run/php/php-fpm.sock"
APP_DIR="/var/www/mailwolt"
NGINX_SITE="/etc/nginx/sites-available/mailwolt.conf"
# Alle Server-Namen sammeln
ALL_NAMES="${UI_HOST} ${WEBMAIL_HOST}"
# Zertifikat-Pfade ermitteln (certbot oder self-signed)
if [ "$SSL_AUTO" = "1" ] && [ -f "/etc/letsencrypt/live/${UI_HOST}/fullchain.pem" ]; then
CERT="/etc/letsencrypt/live/${UI_HOST}/fullchain.pem"
KEY="/etc/letsencrypt/live/${UI_HOST}/privkey.pem"
else
CERT="/etc/mailwolt/ssl/cert.pem"
KEY="/etc/mailwolt/ssl/key.pem"
fi
cat > "$NGINX_SITE" <<CONF
server {
listen 80;
listen [::]:80;
server_name ${UI_HOST} ${WEBMAIL_HOST};
root ${APP_DIR}/public;
index index.php index.html;
location /.well-known/acme-challenge/ { root /var/www/html; }
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:${PHP_FPM_SOCK};
}
location ^~ /livewire/ {
try_files \$uri /index.php?\$query_string;
}
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ {
expires 30d; access_log off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${UI_HOST} ${WEBMAIL_HOST};
ssl_certificate ${CERT};
ssl_certificate_key ${KEY};
ssl_protocols TLSv1.2 TLSv1.3;
root ${APP_DIR}/public;
index index.php index.html;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:${PHP_FPM_SOCK};
}
location ^~ /livewire/ {
try_files \$uri /index.php?\$query_string;
}
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ {
expires 30d; access_log off;
}
}
CONF
nginx -t && systemctl reload nginx
HELPER
chmod 755 /usr/local/sbin/mailwolt-apply-domains
# ===== Sudoers für www-data (certbot + helper) =====
cat > /etc/sudoers.d/mailwolt-www <<'SUDOERS'
www-data ALL=(root) NOPASSWD: /usr/bin/certbot
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains
SUDOERS
chmod 440 /etc/sudoers.d/mailwolt-www
# git safe.directory damit spätere pulls als root möglich sind # git safe.directory damit spätere pulls als root möglich sind
git config --global --add safe.directory "${APP_DIR}" || true git config --global --add safe.directory "${APP_DIR}" || true
@ -662,8 +763,7 @@ check process nginx with pidfile /run/nginx.pid
if failed port 443 type tcp ssl then restart if failed port 443 type tcp ssl then restart
EOF EOF
chmod 600 /etc/monit/monitrc chmod 600 /etc/monit/monitrc
systemctl disable --now monit || true systemctl enable --now monit || true
apt-mark hold monit >/dev/null 2>&1 || true
# ===== Smoke-Test (alle Ports, mit Timeouts) ===== # ===== Smoke-Test (alle Ports, mit Timeouts) =====
log "Smoke-Test (Ports & Banner):" log "Smoke-Test (Ports & Banner):"
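Review bot: The sudoers rule `www-data ALL=(root) NOPASSWD: /usr/bin/certbot` grants root with arbitrary arguments, and certbot's hook options (`--pre-hook`, `--post-hook`, `--deploy-hook`) execute a shell command as the invoking user, so any code execution as www-data (the PHP application runs as this user per the FPM socket and the chown in this hunk) becomes full root; the same applies to options such as `--config-dir`/`--logs-dir` that make root write to attacker-chosen paths. The second rule has the same shape: `mailwolt-apply-domains` takes `--ui-host`/`--webmail-host`/`--mail-host`/`--ssl-auto` unvalidated, root interpolates them into the nginx site via the unquoted `<<CONF` heredoc and uses `UI_HOST` as a path component under `/etc/letsencrypt/live/`, so a value containing newlines or `../` ends up in a root-written config file. I would drop the bare certbot line and instead let the helper (or a second fixed-argument wrapper) invoke certbot itself with a hard-coded argv, and have the helper reject anything that is not a plain DNS label list before writing anything, as sketched below; a sudoers wildcard such as `-d *` is not a substitute, since sudo's `*` also matches spaces and thus trailing hook options. Two smaller points in the same hunk: the `listen 80` server block serves the whole application in cleartext, whereas apart from `/.well-known/acme-challenge/` it should only `return 301 https://$host$request_uri;`, and the installer should run `visudo -cf /etc/sudoers.d/mailwolt-www` after writing the file so a typo is caught instead of the file being silently skipped by sudo.
```shell
# … unchanged: argument parsing …
# Refuse anything that is not a plain DNS name: these values are written by
# root into the nginx site file and used as a path component under
# /etc/letsencrypt/live/, and they arrive via sudo from www-data.
host_re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
for h in "$UI_HOST" "$WEBMAIL_HOST" "$MAIL_HOST"; do
  [[ -z "$h" || "$h" =~ $host_re ]] || { printf 'invalid hostname: %s\n' "$h" >&2; exit 1; }
done
[[ "$SSL_AUTO" == 0 || "$SSL_AUTO" == 1 ]] || { printf 'invalid --ssl-auto value\n' >&2; exit 1; }
[[ -n "$UI_HOST" ]] || { printf '--ui-host is required\n' >&2; exit 1; }
# … unchanged: PHP-FPM socket detection, certificate selection, nginx site heredoc, reload …
```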