docker: extract cert monitor from background process to systemd timer

The cert monitoring was an orphaned background process (`monitor_certificates &`) Replace with a proper systemd timer/service (every 60s). Also made journald ForwardToConsole=yes idempotent.
2026-05-19 04:18:09 +00:00 · 2026-02-16 20:12:45 +01:00
parent 85ee7dbeb5
commit 0585314468
8 changed files with 56 additions and 49 deletions
--- a/docker/files/setup_chatmail_docker.sh
+++ b/docker/files/setup_chatmail_docker.sh
@@ -2,9 +2,6 @@

 set -eo pipefail
 export CHATMAIL_INI="${CHATMAIL_INI:-/etc/chatmail/chatmail.ini}"
-export ENABLE_CERTS_MONITORING="${ENABLE_CERTS_MONITORING:-true}"
-export CERTS_MONITORING_TIMEOUT="${CERTS_MONITORING_TIMEOUT:-60}"
-export PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"

 CMDEPLOY=/opt/cmdeploy/bin/cmdeploy

@@ -13,42 +10,6 @@ if [ -z "$MAIL_DOMAIN" ]; then
    exit 1
 fi

-calculate_hash() {
-    if [ ! -d "$PATH_TO_SSL" ]; then
-        echo ""
-        return 0
-    fi
-    find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
-}
-
-monitor_certificates() {
-    if [ "$ENABLE_CERTS_MONITORING" != "true" ]; then
-        echo "Certs monitoring disabled."
-        return 0
-    fi
-
-    # Wait for certificate directory to exist before monitoring
-    echo "[INFO] Waiting for certificate directory: $PATH_TO_SSL"
-    while [ ! -d "$PATH_TO_SSL" ]; do
-        sleep "$CERTS_MONITORING_TIMEOUT"
-    done
-    echo "[INFO] Certificate directory found, starting monitoring."
-
-    previous_hash=$(calculate_hash)
-
-    while true; do
-        sleep "$CERTS_MONITORING_TIMEOUT"
-        current_hash=$(calculate_hash)
-        if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
-            echo "[INFO] Certificate's folder hash was changed, reloading nginx, dovecot and postfix services."
-            systemctl reload nginx.service
-            systemctl reload dovecot.service
-            systemctl reload postfix.service
-            previous_hash=$current_hash
-        fi
-    done
-}
-
 ### MAIN

 if [ ! -f /etc/dkimkeys/opendkim.private ]; then
@@ -66,7 +27,7 @@ fi
 export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
 $CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local

-echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
+# Journald: forward to console for docker logs (idempotent)
+grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
+    || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
 systemctl restart systemd-journald
-
-monitor_certificates &