feat(install): make DB engines + Stalwart optional, gate dependent prompts

Adds three install flags driven by first-run prompts:
  INSTALL_MARIADB / INSTALL_POSTGRES — replaces "always install both"
  INSTALL_STALWART                  — user mail server now optional

Prompt flow only asks for what the operator picked:
  - phpMyAdmin only offered when MariaDB is selected
  - pgAdmin4 only offered when PostgreSQL is selected
  - Mail admin host + DKIM selector only asked when Stalwart=yes
  - Admin IP allowlist only asked when at least one admin endpoint
    (pma / pga / Stalwart) is being installed

20-databases.sh skips MariaDB block / Postgres block independently.
70-mail.sh exits 0 when Stalwart not selected.
00-base.sh firewalld rules for smtp/smtps/587/imaps are gated on
INSTALL_STALWART, and removed if a previous run had opened them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: qfiber

bootstrap/00-base.sh

@@ -88,53 +88,98 @@ else
         warn "Invalid port."
     done
 
-    # ---- Mail admin panel ----
-    echo
-    info "Mail admin panel (Stalwart web UI) — IP-allowlisted only."
     DOMAIN_PART="${SERVER_HOSTNAME#*.}"
-    prompt MAIL_ADMIN_HOST "Mail admin panel hostname" "mail.${DOMAIN_PART}"
-    valid_domain "${MAIL_ADMIN_HOST}" || die "Invalid FQDN."
-    while :; do
-        prompt_required MAIL_ADMIN_ALLOWLIST "Admin allowlist (IP/CIDR, comma-separated; v4+v6 both OK)"
-        ok=1
-        IFS=',' read -ra entries <<<"${MAIL_ADMIN_ALLOWLIST}"
-        for e in "${entries[@]}"; do
-            e="${e//[[:space:]]/}"
-            valid_ip_or_cidr "${e}" || { warn "Invalid: '${e}'"; ok=0; break; }
-        done
-        [[ ${ok} -eq 1 ]] && break
-    done
 
-    # ---- DKIM selector ----
-    prompt DKIM_SELECTOR "DKIM selector (per-server)" "default"
-
-    # ---- DB admin tooling ----
+    # ---- Database engines ----
     echo
-    info "Database admin tooling (optional — extra attack surface, allowlisted+basic-auth)"
-    info "  1) phpMyAdmin (MariaDB)"
-    info "  2) pgAdmin4   (Postgres)"
+    info "Database engines (skip if this server doesn't host apps that need a DB)"
+    info "  1) MariaDB"
+    info "  2) PostgreSQL"
     info "  3) Both"
     info "  4) None"
     while :; do
-        prompt TOOLS_CHOICE "Choice [1-4]" "4"
-        case "${TOOLS_CHOICE}" in 1|2|3|4) break ;; *) warn "Pick 1-4." ;; esac
+        prompt DB_CHOICE "Choice [1-4]" "3"
+        case "${DB_CHOICE}" in 1|2|3|4) break ;; *) warn "Pick 1-4." ;; esac
     done
+    INSTALL_MARIADB="no"
+    INSTALL_POSTGRES="no"
+    case "${DB_CHOICE}" in
+        1) INSTALL_MARIADB="yes" ;;
+        2) INSTALL_POSTGRES="yes" ;;
+        3) INSTALL_MARIADB="yes"; INSTALL_POSTGRES="yes" ;;
+    esac
+
+    # ---- Database admin tooling (only applicable to installed engines) ----
     INSTALL_PMA="no"
     INSTALL_PGA="no"
     PMA_HOST=""
     PGA_HOST=""
-    case "${TOOLS_CHOICE}" in
-        1) INSTALL_PMA="yes" ;;
-        2) INSTALL_PGA="yes" ;;
-        3) INSTALL_PMA="yes"; INSTALL_PGA="yes" ;;
-    esac
-    if [[ "${INSTALL_PMA}" == "yes" ]]; then
-        prompt PMA_HOST "phpMyAdmin hostname" "pma.${DOMAIN_PART}"
-        valid_domain "${PMA_HOST}" || die "Invalid FQDN."
+    if [[ "${INSTALL_MARIADB}" == "yes" || "${INSTALL_POSTGRES}" == "yes" ]]; then
+        echo
+        info "Database admin tooling (optional — extra attack surface, allowlisted+basic-auth)"
+        if [[ "${INSTALL_MARIADB}" == "yes" && "${INSTALL_POSTGRES}" == "yes" ]]; then
+            info "  1) phpMyAdmin (MariaDB)"
+            info "  2) pgAdmin4   (Postgres)"
+            info "  3) Both"
+            info "  4) None"
+            while :; do
+                prompt TOOLS_CHOICE "Choice [1-4]" "4"
+                case "${TOOLS_CHOICE}" in 1|2|3|4) break ;; *) warn "Pick 1-4." ;; esac
+            done
+            case "${TOOLS_CHOICE}" in
+                1) INSTALL_PMA="yes" ;;
+                2) INSTALL_PGA="yes" ;;
+                3) INSTALL_PMA="yes"; INSTALL_PGA="yes" ;;
+            esac
+        elif [[ "${INSTALL_MARIADB}" == "yes" ]]; then
+            prompt_yes_no PMA_YN "Install phpMyAdmin?" "n"
+            [[ "${PMA_YN}" == "yes" ]] && INSTALL_PMA="yes"
+        else
+            prompt_yes_no PGA_YN "Install pgAdmin4?" "n"
+            [[ "${PGA_YN}" == "yes" ]] && INSTALL_PGA="yes"
+        fi
+        if [[ "${INSTALL_PMA}" == "yes" ]]; then
+            prompt PMA_HOST "phpMyAdmin hostname" "pma.${DOMAIN_PART}"
+            valid_domain "${PMA_HOST}" || die "Invalid FQDN."
+        fi
+        if [[ "${INSTALL_PGA}" == "yes" ]]; then
+            prompt PGA_HOST "pgAdmin4 hostname" "pga.${DOMAIN_PART}"
+            valid_domain "${PGA_HOST}" || die "Invalid FQDN."
+        fi
     fi
-    if [[ "${INSTALL_PGA}" == "yes" ]]; then
-        prompt PGA_HOST "pgAdmin4 hostname" "pga.${DOMAIN_PART}"
-        valid_domain "${PGA_HOST}" || die "Invalid FQDN."
+
+    # ---- Stalwart user mail server (optional) ----
+    echo
+    info "Stalwart user mail server (inbound mail on :25, IMAP/SMTP submission, web admin)."
+    info "Skip if this server doesn't host mailboxes — outbound alerts use the relay below."
+    prompt_yes_no INSTALL_STALWART "Install Stalwart mail server?" "n"
+    MAIL_ADMIN_HOST=""
+    DKIM_SELECTOR=""
+    if [[ "${INSTALL_STALWART}" == "yes" ]]; then
+        prompt MAIL_ADMIN_HOST "Mail admin panel hostname" "mail.${DOMAIN_PART}"
+        valid_domain "${MAIL_ADMIN_HOST}" || die "Invalid FQDN."
+        prompt DKIM_SELECTOR "DKIM selector (per-server)" "default"
+    fi
+
+    # ---- Admin allowlist (only if at least one admin endpoint will exist) ----
+    MAIL_ADMIN_ALLOWLIST=""
+    if [[ "${INSTALL_PMA}" == "yes" || "${INSTALL_PGA}" == "yes" || "${INSTALL_STALWART}" == "yes" ]]; then
+        admin_list=()
+        [[ "${INSTALL_PMA}" == "yes" ]]      && admin_list+=("phpMyAdmin")
+        [[ "${INSTALL_PGA}" == "yes" ]]      && admin_list+=("pgAdmin4")
+        [[ "${INSTALL_STALWART}" == "yes" ]] && admin_list+=("Stalwart admin")
+        echo
+        info "Admin allowlist (used for: $(IFS=, ; echo "${admin_list[*]}"))"
+        while :; do
+            prompt_required MAIL_ADMIN_ALLOWLIST "IP/CIDR list (comma-separated; v4+v6 both OK)"
+            ok=1
+            IFS=',' read -ra entries <<<"${MAIL_ADMIN_ALLOWLIST}"
+            for e in "${entries[@]}"; do
+                e="${e//[[:space:]]/}"
+                valid_ip_or_cidr "${e}" || { warn "Invalid: '${e}'"; ok=0; break; }
+            done
+            [[ ${ok} -eq 1 ]] && break
+        done
     fi
 
     # ---- Outbound mail relay ----
@@ -336,7 +381,12 @@ SMTP_PASS="${SMTP_PASS}"
 SMTP_TLS="${SMTP_TLS}"
 SMTP_FROM="${SMTP_FROM}"
 
-# === Mail (Stalwart) admin panel ===
+# === Database engines ===
+INSTALL_MARIADB="${INSTALL_MARIADB}"
+INSTALL_POSTGRES="${INSTALL_POSTGRES}"
+
+# === Stalwart user mail server (inbound) ===
+INSTALL_STALWART="${INSTALL_STALWART}"
 MAIL_ADMIN_HOST="${MAIL_ADMIN_HOST}"
 MAIL_ADMIN_ALLOWLIST="${MAIL_ADMIN_ALLOWLIST}"
 
@@ -686,10 +736,18 @@ firewall-cmd --zone="${ZONE}" --add-port="${SSH_PORT_NEW}/tcp" --permanent
 firewall-cmd --zone="${ZONE}" --add-service=http --permanent
 firewall-cmd --zone="${ZONE}" --add-service=https --permanent
 firewall-cmd --zone="${ZONE}" --add-port=443/udp --permanent
-firewall-cmd --zone="${ZONE}" --add-service=smtp --permanent
-firewall-cmd --zone="${ZONE}" --add-service=smtps --permanent
-firewall-cmd --zone="${ZONE}" --add-port=587/tcp --permanent
-firewall-cmd --zone="${ZONE}" --add-service=imaps --permanent
+if [[ "${INSTALL_STALWART:-no}" == "yes" ]]; then
+    firewall-cmd --zone="${ZONE}" --add-service=smtp --permanent
+    firewall-cmd --zone="${ZONE}" --add-service=smtps --permanent
+    firewall-cmd --zone="${ZONE}" --add-port=587/tcp --permanent
+    firewall-cmd --zone="${ZONE}" --add-service=imaps --permanent
+else
+    # Tear down mail ports if a previous install opened them
+    firewall-cmd --zone="${ZONE}" --remove-service=smtp   --permanent 2>/dev/null || true
+    firewall-cmd --zone="${ZONE}" --remove-service=smtps  --permanent 2>/dev/null || true
+    firewall-cmd --zone="${ZONE}" --remove-port=587/tcp   --permanent 2>/dev/null || true
+    firewall-cmd --zone="${ZONE}" --remove-service=imaps  --permanent 2>/dev/null || true
+fi
 firewall-cmd --reload
 success "firewalld configured (zone: ${ZONE})."
 

bootstrap/20-databases.sh

@@ -15,6 +15,15 @@ REPO_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
 source "${REPO_DIR}/lib/common.sh"
 
 require_root
+load_config
+
+INSTALL_MARIADB="${INSTALL_MARIADB:-yes}"
+INSTALL_POSTGRES="${INSTALL_POSTGRES:-yes}"
+
+if [[ "${INSTALL_MARIADB}" != "yes" && "${INSTALL_POSTGRES}" != "yes" ]]; then
+    info "Neither MariaDB nor PostgreSQL selected — skipping 20-databases."
+    exit 0
+fi
 
 MARIADB_VERSION="${MARIADB_VERSION:-12.0}"
 PG_VERSION="${PG_VERSION:-16}"
@@ -30,23 +39,24 @@ info "Detected RAM: ${RAM_MB}MB → tuning to shared=${SHARED_25}MB, effective=$
 # -----------------------------------------------------------------------------
 # 1. MariaDB
 # -----------------------------------------------------------------------------
-if rpm -q MariaDB-server >/dev/null 2>&1 || rpm -q mariadb-server >/dev/null 2>&1; then
-    info "MariaDB already installed."
-else
-    info "Installing MariaDB ${MARIADB_VERSION}..."
-    curl -fsSL https://downloads.mariadb.com/MariaDB/mariadb_repo_setup -o /tmp/mariadb_repo_setup
-    chmod +x /tmp/mariadb_repo_setup
-    if ! /tmp/mariadb_repo_setup --mariadb-server-version="mariadb-${MARIADB_VERSION}" 2>/dev/null; then
-        warn "MariaDB version ${MARIADB_VERSION} unavailable; falling back to repo default."
-        /tmp/mariadb_repo_setup
+if [[ "${INSTALL_MARIADB}" == "yes" ]]; then
+    if rpm -q MariaDB-server >/dev/null 2>&1 || rpm -q mariadb-server >/dev/null 2>&1; then
+        info "MariaDB already installed."
+    else
+        info "Installing MariaDB ${MARIADB_VERSION}..."
+        curl -fsSL https://downloads.mariadb.com/MariaDB/mariadb_repo_setup -o /tmp/mariadb_repo_setup
+        chmod +x /tmp/mariadb_repo_setup
+        if ! /tmp/mariadb_repo_setup --mariadb-server-version="mariadb-${MARIADB_VERSION}" 2>/dev/null; then
+            warn "MariaDB version ${MARIADB_VERSION} unavailable; falling back to repo default."
+            /tmp/mariadb_repo_setup
+        fi
+        rm -f /tmp/mariadb_repo_setup
+        dnf -y install MariaDB-server MariaDB-client
     fi
-    rm -f /tmp/mariadb_repo_setup
-    dnf -y install MariaDB-server MariaDB-client
-fi
 
-info "Writing MariaDB tuning config..."
-mkdir -p /etc/my.cnf.d
-cat > /etc/my.cnf.d/serverdeploy.cnf <<EOF
+    info "Writing MariaDB tuning config..."
+    mkdir -p /etc/my.cnf.d
+    cat > /etc/my.cnf.d/serverdeploy.cnf <<EOF
 # Generated by serverdeploy 20-databases.sh
 [mariadb]
 innodb_buffer_pool_size = ${SHARED_25}M
@@ -63,45 +73,49 @@ bind-address = 127.0.0.1
 default-character-set = utf8mb4
 EOF
 
-systemctl enable mariadb
-systemctl restart mariadb
-sleep 2
+    systemctl enable mariadb
+    systemctl restart mariadb
+    sleep 2
 
-info "Securing MariaDB (drop test db, anonymous users, remote root)..."
-mariadb <<'SQL' || die "MariaDB SQL failed."
+    info "Securing MariaDB (drop test db, anonymous users, remote root)..."
+    mariadb <<'SQL' || die "MariaDB SQL failed."
 DELETE FROM mysql.user WHERE User='';
 DELETE FROM mysql.global_priv WHERE User='' OR User IS NULL;
 DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
 DROP DATABASE IF EXISTS test;
 DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
 FLUSH PRIVILEGES;
 SQL
-success "MariaDB installed and secured."
+    success "MariaDB installed and secured."
+else
+    info "Skipping MariaDB (INSTALL_MARIADB=${INSTALL_MARIADB})."
+fi
 
 # -----------------------------------------------------------------------------
 # 2. PostgreSQL
 # -----------------------------------------------------------------------------
-if rpm -q "postgresql${PG_VERSION}-server" >/dev/null 2>&1; then
-    info "PostgreSQL ${PG_VERSION} already installed."
-else
-    info "Installing PostgreSQL ${PG_VERSION}..."
-    dnf -y install "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm"
-    dnf -qy module disable postgresql || true
-    dnf -y install "postgresql${PG_VERSION}-server" "postgresql${PG_VERSION}-contrib"
-fi
+if [[ "${INSTALL_POSTGRES}" == "yes" ]]; then
+    if rpm -q "postgresql${PG_VERSION}-server" >/dev/null 2>&1; then
+        info "PostgreSQL ${PG_VERSION} already installed."
+    else
+        info "Installing PostgreSQL ${PG_VERSION}..."
+        dnf -y install "https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm"
+        dnf -qy module disable postgresql || true
+        dnf -y install "postgresql${PG_VERSION}-server" "postgresql${PG_VERSION}-contrib"
+    fi
 
-PG_DATA="/var/lib/pgsql/${PG_VERSION}/data"
-if [[ ! -f "${PG_DATA}/PG_VERSION" ]]; then
-    info "Initializing Postgres data directory..."
-    "/usr/pgsql-${PG_VERSION}/bin/postgresql-${PG_VERSION}-setup" initdb
-fi
+    PG_DATA="/var/lib/pgsql/${PG_VERSION}/data"
+    if [[ ! -f "${PG_DATA}/PG_VERSION" ]]; then
+        info "Initializing Postgres data directory..."
+        "/usr/pgsql-${PG_VERSION}/bin/postgresql-${PG_VERSION}-setup" initdb
+    fi
 
-info "Tuning PostgreSQL..."
-PG_CONF="${PG_DATA}/postgresql.conf"
-PG_TUNING_DIR="${PG_DATA}/conf.d"
-PG_TUNING_FILE="${PG_TUNING_DIR}/serverdeploy.conf"
-mkdir -p "${PG_TUNING_DIR}"
-cat > "${PG_TUNING_FILE}" <<EOF
+    info "Tuning PostgreSQL..."
+    PG_CONF="${PG_DATA}/postgresql.conf"
+    PG_TUNING_DIR="${PG_DATA}/conf.d"
+    PG_TUNING_FILE="${PG_TUNING_DIR}/serverdeploy.conf"
+    mkdir -p "${PG_TUNING_DIR}"
+    cat > "${PG_TUNING_FILE}" <<EOF
 # Generated by serverdeploy 20-databases.sh
 listen_addresses = '127.0.0.1'
 max_connections = 200
@@ -113,26 +127,29 @@ wal_compression = on
 log_min_duration_statement = 1000
 log_line_prefix = '%t [%p] %u@%d '
 EOF
-chown postgres:postgres "${PG_TUNING_FILE}"
-chown -R postgres:postgres "${PG_TUNING_DIR}"
+    chown postgres:postgres "${PG_TUNING_FILE}"
+    chown -R postgres:postgres "${PG_TUNING_DIR}"
 
-if ! grep -q "include_dir = 'conf.d'" "${PG_CONF}"; then
-    echo "" >> "${PG_CONF}"
-    echo "include_dir = 'conf.d'" >> "${PG_CONF}"
-fi
+    if ! grep -q "include_dir = 'conf.d'" "${PG_CONF}"; then
+        echo "" >> "${PG_CONF}"
+        echo "include_dir = 'conf.d'" >> "${PG_CONF}"
+    fi
 
-systemctl enable "postgresql-${PG_VERSION}"
-systemctl restart "postgresql-${PG_VERSION}"
-sleep 2
-sudo -u postgres psql -tAc "SELECT version()" >/dev/null || die "Postgres not responding."
-success "PostgreSQL ${PG_VERSION} installed and tuned."
+    systemctl enable "postgresql-${PG_VERSION}"
+    systemctl restart "postgresql-${PG_VERSION}"
+    sleep 2
+    sudo -u postgres psql -tAc "SELECT version()" >/dev/null || die "Postgres not responding."
+    success "PostgreSQL ${PG_VERSION} installed and tuned."
+else
+    info "Skipping PostgreSQL (INSTALL_POSTGRES=${INSTALL_POSTGRES})."
+fi
 
 # -----------------------------------------------------------------------------
 # Done
 # -----------------------------------------------------------------------------
 echo
 success "20-databases.sh complete."
-info "  MariaDB  : connect with 'mariadb' (unix_socket auth as root)"
-info "  Postgres : connect with 'sudo -u postgres psql' (peer auth)"
+[[ "${INSTALL_MARIADB}"  == "yes" ]] && info "  MariaDB  : connect with 'mariadb' (unix_socket auth as root)"
+[[ "${INSTALL_POSTGRES}" == "yes" ]] && info "  Postgres : connect with 'sudo -u postgres psql' (peer auth)"
 info "  RAM-tuned: shared/buffer=${SHARED_25}MB  effective=${EFFECTIVE_50}MB"
-info "  Both bind 127.0.0.1 only — not reachable from network."
+info "  Installed engines bind 127.0.0.1 only — not reachable from network."

bootstrap/70-mail.sh

@@ -21,6 +21,11 @@ source "${REPO_DIR}/lib/common.sh"
 require_root
 load_config
 
+if [[ "${INSTALL_STALWART:-no}" != "yes" ]]; then
+    info "Stalwart mail server not selected (INSTALL_STALWART=${INSTALL_STALWART:-no}) — skipping."
+    exit 0
+fi
+
 [[ -n "${SERVER_HOSTNAME:-}" ]]      || die "SERVER_HOSTNAME missing — run 00-base.sh first."
 [[ -n "${MAIL_ADMIN_HOST:-}" ]]      || die "MAIL_ADMIN_HOST missing."
 [[ -n "${MAIL_ADMIN_ALLOWLIST:-}" ]] || die "MAIL_ADMIN_ALLOWLIST missing."