Fix: mailwolt-apply-domains Helper + sudoers + Monit aktiviert

- mailwolt-apply-domains Script im Installer erstellt
- sudoers-Eintrag für www-data (certbot + apply-domains ohne Passwort)
- Wizard State-Dir Owner www-data
- Monit standardmäßig aktiviert (nicht mehr disabled)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

installer.sh

@@ -557,9 +557,110 @@ fi
 
 # ===== Wizard State-Verzeichnis =====
 mkdir -p /var/lib/mailwolt/wizard
-chown "$APP_USER":"$APP_GROUP" /var/lib/mailwolt/wizard
+chown www-data:www-data /var/lib/mailwolt/wizard
 chmod 775 /var/lib/mailwolt/wizard
 
+# ===== mailwolt-apply-domains Helper =====
+log "mailwolt-apply-domains Helper installieren…"
+cat > /usr/local/sbin/mailwolt-apply-domains <<'HELPER'
+#!/usr/bin/env bash
+set -euo pipefail
+
+UI_HOST=""; WEBMAIL_HOST=""; MAIL_HOST=""; SSL_AUTO=0
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --ui-host)      UI_HOST="$2";      shift 2 ;;
+    --webmail-host) WEBMAIL_HOST="$2"; shift 2 ;;
+    --mail-host)    MAIL_HOST="$2";    shift 2 ;;
+    --ssl-auto)     SSL_AUTO="$2";     shift 2 ;;
+    *) shift ;;
+  esac
+done
+
+PHPV=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')
+PHP_FPM_SOCK="/run/php/php${PHPV}-fpm.sock"
+[ -S "$PHP_FPM_SOCK" ] || PHP_FPM_SOCK="/run/php/php-fpm.sock"
+
+APP_DIR="/var/www/mailwolt"
+NGINX_SITE="/etc/nginx/sites-available/mailwolt.conf"
+
+# Alle Server-Namen sammeln
+ALL_NAMES="${UI_HOST} ${WEBMAIL_HOST}"
+
+# Zertifikat-Pfade ermitteln (certbot oder self-signed)
+if [ "$SSL_AUTO" = "1" ] && [ -f "/etc/letsencrypt/live/${UI_HOST}/fullchain.pem" ]; then
+  CERT="/etc/letsencrypt/live/${UI_HOST}/fullchain.pem"
+  KEY="/etc/letsencrypt/live/${UI_HOST}/privkey.pem"
+else
+  CERT="/etc/mailwolt/ssl/cert.pem"
+  KEY="/etc/mailwolt/ssl/key.pem"
+fi
+
+cat > "$NGINX_SITE" <<CONF
+server {
+  listen 80;
+  listen [::]:80;
+  server_name ${UI_HOST} ${WEBMAIL_HOST};
+
+  root ${APP_DIR}/public;
+  index index.php index.html;
+
+  location /.well-known/acme-challenge/ { root /var/www/html; }
+
+  location / {
+    try_files \$uri \$uri/ /index.php?\$query_string;
+  }
+  location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass unix:${PHP_FPM_SOCK};
+  }
+  location ^~ /livewire/ {
+    try_files \$uri /index.php?\$query_string;
+  }
+  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ {
+    expires 30d; access_log off;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name ${UI_HOST} ${WEBMAIL_HOST};
+
+  ssl_certificate     ${CERT};
+  ssl_certificate_key ${KEY};
+  ssl_protocols       TLSv1.2 TLSv1.3;
+
+  root ${APP_DIR}/public;
+  index index.php index.html;
+
+  location / {
+    try_files \$uri \$uri/ /index.php?\$query_string;
+  }
+  location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass unix:${PHP_FPM_SOCK};
+  }
+  location ^~ /livewire/ {
+    try_files \$uri /index.php?\$query_string;
+  }
+  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ {
+    expires 30d; access_log off;
+  }
+}
+CONF
+
+nginx -t && systemctl reload nginx
+HELPER
+chmod 755 /usr/local/sbin/mailwolt-apply-domains
+
+# ===== Sudoers für www-data (certbot + helper) =====
+cat > /etc/sudoers.d/mailwolt-www <<'SUDOERS'
+www-data ALL=(root) NOPASSWD: /usr/bin/certbot
+www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains
+SUDOERS
+chmod 440 /etc/sudoers.d/mailwolt-www
+
 # git safe.directory damit spätere pulls als root möglich sind
 git config --global --add safe.directory "${APP_DIR}" || true
 
@@ -662,8 +763,7 @@ check process nginx with pidfile /run/nginx.pid
   if failed port 443 type tcp ssl then restart
 EOF
 chmod 600 /etc/monit/monitrc
-systemctl disable --now monit || true
-apt-mark hold monit >/dev/null 2>&1 || true
+systemctl enable --now monit || true
 
 # ===== Smoke-Test (alle Ports, mit Timeouts) =====
 log "Smoke-Test (Ports & Banner):"