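#!/usr/bin/env bash
# Installs the mail/web stack packages and does the first round of system
# preparation: MariaDB include workaround, HTTP/2 capability check for nginx,
# service directories and users, and a locked-down local Redis.
#
# Runs as root on a Debian-family system (apt-get, adduser, systemctl).
# Sources ./lib.sh for log/warn and for APP_USER/APP_GROUP (presumably
# defined there — confirm if that file changes).
#
# Environment:
#   REDIS_PASS  optional; generated with openssl when unset/empty.
#               NOTE(review): it is neither exported nor persisted here, so
#               confirm that later steps which configure Redis clients get it.
# Exports:
#   NGINX_HTTP2_SUFFIX  " http2" when the installed nginx lists http_v2,
#                       otherwise the empty string.
set -euo pipefail

# NOTE(review): resolved relative to the current working directory, not the
# script's own directory — callers must cd here first.
source ./lib.sh

# lib.sh is expected to provide these; fail with a clear message up front
# instead of an unbound-variable error halfway through the install.
: "${APP_USER:?APP_USER muss gesetzt sein (lib.sh)}"
: "${APP_GROUP:?APP_GROUP muss gesetzt sein (lib.sh)}"

log "Paketquellen aktualisieren…"
export DEBIAN_FRONTEND=noninteractive
apt-get update -y

# MariaDB include workaround: make sure the server picks up conf.d even when
# no mariadb.cnf exists yet; never overwrite an existing one.
mkdir -p /etc/mysql /etc/mysql/mariadb.conf.d
[[ -f /etc/mysql/mariadb.cnf ]] \
  || printf '%s\n' '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf

packages=(
  postfix postfix-mysql
  dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql
  mariadb-server mariadb-client
  redis-server
  rspamd
  opendkim opendkim-tools
  nginx
  php php-fpm php-cli php-mbstring php-xml php-curl php-zip php-mysql php-redis php-gd unzip curl
  composer git
  certbot python3-certbot-nginx
  fail2ban
  ca-certificates rsyslog sudo openssl netcat-openbsd monit acl
)

log "Pakete installieren… (das dauert etwas)"
# confdef/confold: take the package default where possible, otherwise keep
# the locally modified config instead of prompting.
apt-get -y \
  -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confold" \
  install "${packages[@]}"

#######################################
# Whether the installed nginx was built with the http_v2 module.
# Returns: 0 if `nginx -V` mentions http_v2, non-zero otherwise.
#######################################
nginx_has_http2() {
  nginx -V 2>&1 | grep -q http_v2
}

# HTTP/2 check: the plain nginx package may lack http_v2; try nginx-full.
NGINX_HTTP2_SUPPORTED=0
if nginx_has_http2; then
  NGINX_HTTP2_SUPPORTED=1
  log "Nginx: HTTP/2 verfügbar."
else
  warn "Nginx http_v2 fehlt – versuche nginx-full…"
  # Best effort: nginx-full may not exist on this release; continue either way.
  apt-get install -y nginx-full || true
  systemctl restart nginx || true
  if nginx_has_http2; then
    NGINX_HTTP2_SUPPORTED=1
  else
    warn "HTTP/2 weiterhin nicht verfügbar."
  fi
fi
if (( NGINX_HTTP2_SUPPORTED == 1 )); then
  export NGINX_HTTP2_SUFFIX=" http2"
else
  export NGINX_HTTP2_SUFFIX=""
fi

# Directories / users
log "Verzeichnisse & Benutzer…"
mkdir -p /etc/postfix/sql /etc/dovecot/conf.d /etc/rspamd/local.d /var/mail/vhosts
id vmail >/dev/null 2>&1 || adduser --system --group --home /var/mail vmail
chown -R vmail:vmail /var/mail

id "$APP_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$APP_USER"
usermod -a -G "$APP_GROUP" "$APP_USER"

# Harden Redis: loopback only, protected mode, password required.
log "Redis absichern…"
REDIS_CONF="/etc/redis/redis.conf"
[[ -f "$REDIS_CONF" ]] || { warn "Redis-Konfiguration fehlt: $REDIS_CONF"; exit 1; }
REDIS_PASS="${REDIS_PASS:-$(openssl rand -hex 16)}"
# redis.conf is line-oriented: whitespace or a newline in the value would end
# the directive early or smuggle in another one, and the original sed-based
# replace also broke on '/', '&' or '\'. Accept a single printable token only;
# the generated hex value always passes.
[[ "$REDIS_PASS" =~ ^[[:graph:]]+$ ]] \
  || { warn "REDIS_PASS darf keine Leerzeichen/Zeilenumbrüche enthalten."; exit 1; }

#######################################
# Set a redis.conf directive to exactly one value: drop every existing
# (commented or active) occurrence and append a fresh line. Appending is
# sufficient for Redis (last directive wins) and keeps the value out of the
# sed expression entirely — only the constant key goes into the pattern.
# Globals:   REDIS_CONF (read)
# Arguments: $1 - directive name (constant from this script)
#            $2 - value
#######################################
redis_set() {
  local key=$1 value=$2
  sed -i "/^\s*#\?\s*${key} /d" "$REDIS_CONF"
  printf '%s %s\n' "$key" "$value" >> "$REDIS_CONF"
}

redis_set bind 127.0.0.1
redis_set protected-mode yes
# The password now lives in redis.conf; sed -i and >> keep the file's existing
# ownership and mode, so it stays as restrictive as the package installed it.
redis_set requirepass "$REDIS_PASS"

systemctl enable --now redis-server
systemctl restart redis-server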