feat: support externally managed TLS via tls_external_cert_and_key option

Adds a new tls_external_cert_and_key config option for chatmail servers that manage their own TLS certificates (e.g. via an external ACME client or a load balancer). A systemd path unit (tls-cert-reload.path) watches the certificate file via inotify and automatically reloads dovecot and nginx when it changes. Postfix reads certs per TLS handshake so needs no reload. Also extracts openssl_selfsigned_args() so cert generation parameters are shared between SelfSignedTlsDeployer and the e2e test.
2026-05-12 00:54:37 +00:00 · 2026-02-19 19:18:33 +01:00
parent 06d53503e5
commit 0ae2c19dab
5 changed files with 390 additions and 0 deletions
--- a/.github/workflows/reusable-test-tls-external.yaml
+++ b/.github/workflows/reusable-test-tls-external.yaml
@@ -0,0 +1,33 @@
+name: test tls_external_cert_and_key
+
+on:
+  workflow_call:
+    inputs:
+      domain:
+        required: true
+        type: string
+    secrets:
+      STAGING_SSH_KEY:
+        required: true
+
+jobs:
+  test-tls-external:
+    name: test tls_external_cert_and_key
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    environment:
+      name: ${{ inputs.domain }}
+    concurrency: ${{ inputs.domain }}
+    steps:
+      - uses: actions/checkout@v4
+      - run: scripts/initenv.sh
+      - name: append venv/bin to PATH
+        run: echo venv/bin >>$GITHUB_PATH
+      - name: prepare SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan ${{ inputs.domain }} >> ~/.ssh/known_hosts 2>/dev/null
+      - name: run tls_external e2e test
+        run: python -m cmdeploy.tests.setup_tls_external ${{ inputs.domain }}
--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -102,3 +102,11 @@ jobs:
      - name: cmdeploy dns
        run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns -v --ssh-host localhost"

+  test-tls-external:
+    needs: deploy
+    uses: ./.github/workflows/reusable-test-tls-external.yaml
+    with:
+      domain: staging-ipv4.testrun.org
+    secrets:
+      STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
+
--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -95,3 +95,11 @@ jobs:
      - name: cmdeploy dns
        run: cmdeploy dns -v

+  test-tls-external:
+    needs: deploy
+    uses: ./.github/workflows/reusable-test-tls-external.yaml
+    with:
+      domain: staging2.testrun.org
+    secrets:
+      STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
+