docker: extract cert monitor from background process to systemd timer

The cert monitoring was an orphaned background process (`monitor_certificates &`) Replace with a proper systemd timer/service (every 60s). Also made journald ForwardToConsole=yes idempotent.
2026-05-14 18:04:38 +00:00 · 2026-02-16 20:12:45 +01:00
parent 85ee7dbeb5
commit 0585314468
8 changed files with 56 additions and 49 deletions
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -29,10 +29,7 @@ services:
    environment:
      MAIL_DOMAIN: $MAIL_DOMAIN
      CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
-      # Certificate monitoring (only needed with USE_FOREIGN_CERT_MANAGER)
      USE_FOREIGN_CERT_MANAGER: ${USE_FOREIGN_CERT_MANAGER:-}
-      ENABLE_CERTS_MONITORING: ${ENABLE_CERTS_MONITORING:-}
-      CERTS_MONITORING_TIMEOUT: ${CERTS_MONITORING_TIMEOUT:-}
    network_mode: "host"
    volumes:
      ## system
--- a/docker/chatmail_relay.dockerfile
+++ b/docker/chatmail_relay.dockerfile
@@ -77,6 +77,12 @@ RUN rm -f /etc/nginx/sites-enabled/default
 COPY --chmod=555 ./docker/files/setup_chatmail_docker.sh /setup_chatmail_docker.sh
 COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh

+# Certificate monitoring as a proper systemd timer (not a background process)
+COPY --chmod=555 ./docker/files/chatmail-certmon.sh /chatmail-certmon.sh
+COPY ./docker/files/chatmail-certmon.service /lib/systemd/system/chatmail-certmon.service
+COPY ./docker/files/chatmail-certmon.timer /lib/systemd/system/chatmail-certmon.timer
+RUN ln -sf /lib/systemd/system/chatmail-certmon.timer /etc/systemd/system/timers.target.wants/chatmail-certmon.timer
+
 HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
  CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1

--- a/docker/example.env
+++ b/docker/example.env
@@ -3,7 +3,5 @@ MAIL_DOMAIN="chat.example.com"
 # CMDEPLOY_STAGES - default: "configure,activate". Set to "install,configure,activate" to force full reinstall.
 # CMDEPLOY_STAGES="configure,activate"

-# Certificate monitoring (only needed with USE_FOREIGN_CERT_MANAGER)
+# Skip acmetool when using an external certificate manager (e.g. Traefik, Caddy).
 # USE_FOREIGN_CERT_MANAGER="True"
-# ENABLE_CERTS_MONITORING="true"
-# CERTS_MONITORING_TIMEOUT=60
--- a/docker/files/chatmail-certmon.service
+++ b/docker/files/chatmail-certmon.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Check TLS certificate changes and reload services
+After=setup_chatmail.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash /chatmail-certmon.sh
+PassEnvironment=MAIL_DOMAIN PATH_TO_SSL
--- a/docker/files/chatmail-certmon.sh
+++ b/docker/files/chatmail-certmon.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Check if TLS certificates have changed and reload services if so.
+# Called by chatmail-certmon.timer (systemd timer, default every 60s).
+set -eo pipefail
+
+PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
+HASH_FILE="/run/chatmail-certmon.hash"
+
+if [ ! -d "$PATH_TO_SSL" ]; then
+    exit 0
+fi
+
+current_hash=$(find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}')
+previous_hash=""
+if [ -f "$HASH_FILE" ]; then
+    previous_hash=$(cat "$HASH_FILE")
+fi
+
+if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
+    echo "[INFO] Certificate hash changed, reloading nginx, dovecot and postfix."
+    echo "$current_hash" > "$HASH_FILE"
+    # On first run (no previous hash), don't reload — services may not be up yet
+    if [ -n "$previous_hash" ]; then
+        systemctl reload nginx.service
+        systemctl reload dovecot.service
+        systemctl reload postfix.service
+    fi
+fi
--- a/docker/files/chatmail-certmon.timer
+++ b/docker/files/chatmail-certmon.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Periodically check TLS certificate changes
+
+[Timer]
+OnBootSec=120
+OnUnitActiveSec=60
+
+[Install]
+WantedBy=timers.target
--- a/docker/files/entrypoint.sh
+++ b/docker/files/entrypoint.sh
@@ -6,7 +6,7 @@ SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/
 # Whitelist only the env vars needed by setup_chatmail_docker.sh.
 # Forwarding all env vars (via printenv) would leak Docker internals,
 # orchestrator secrets, and other unrelated variables into systemd.
-env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK ENABLE_CERTS_MONITORING CERTS_MONITORING_TIMEOUT PATH_TO_SSL PATH USE_FOREIGN_CERT_MANAGER"
+env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK PATH_TO_SSL PATH USE_FOREIGN_CERT_MANAGER"
 sed -i "s|<envs_list>|$env_vars|g" "$SETUP_CHATMAIL_SERVICE_PATH"

 exec /lib/systemd/systemd "$@"
--- a/docker/files/setup_chatmail_docker.sh
+++ b/docker/files/setup_chatmail_docker.sh
@@ -2,9 +2,6 @@

 set -eo pipefail
 export CHATMAIL_INI="${CHATMAIL_INI:-/etc/chatmail/chatmail.ini}"
-export ENABLE_CERTS_MONITORING="${ENABLE_CERTS_MONITORING:-true}"
-export CERTS_MONITORING_TIMEOUT="${CERTS_MONITORING_TIMEOUT:-60}"
-export PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"

 CMDEPLOY=/opt/cmdeploy/bin/cmdeploy

@@ -13,42 +10,6 @@ if [ -z "$MAIL_DOMAIN" ]; then
    exit 1
 fi

-calculate_hash() {
-    if [ ! -d "$PATH_TO_SSL" ]; then
-        echo ""
-        return 0
-    fi
-    find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
-}
-
-monitor_certificates() {
-    if [ "$ENABLE_CERTS_MONITORING" != "true" ]; then
-        echo "Certs monitoring disabled."
-        return 0
-    fi
-
-    # Wait for certificate directory to exist before monitoring
-    echo "[INFO] Waiting for certificate directory: $PATH_TO_SSL"
-    while [ ! -d "$PATH_TO_SSL" ]; do
-        sleep "$CERTS_MONITORING_TIMEOUT"
-    done
-    echo "[INFO] Certificate directory found, starting monitoring."
-
-    previous_hash=$(calculate_hash)
-
-    while true; do
-        sleep "$CERTS_MONITORING_TIMEOUT"
-        current_hash=$(calculate_hash)
-        if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
-            echo "[INFO] Certificate's folder hash was changed, reloading nginx, dovecot and postfix services."
-            systemctl reload nginx.service
-            systemctl reload dovecot.service
-            systemctl reload postfix.service
-            previous_hash=$current_hash
-        fi
-    done
-}
-
 ### MAIN

 if [ ! -f /etc/dkimkeys/opendkim.private ]; then
@@ -66,7 +27,7 @@ fi
 export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
 $CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local

-echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
+# Journald: forward to console for docker logs (idempotent)
+grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
+    || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
 systemctl restart systemd-journald
-
-monitor_certificates &