docker: skip redundant cmdeploy run on container restart

Replace the old IMAGE_VERSION_FILE/RUNNING_VERSION_FILE mechanism with a
single deploy fingerprint (image_version:sha256(chatmail.ini)) stored at
/etc/chatmail/.deploy-fingerprint. On restart, if the fingerprint matches
the last successful deploy, skip cmdeploy run entirely. The fingerprint
lives on the container's writable layer. On fresh containers, setting
CMDEPLOY_STAGES non-empty in env forces a deploy run regardless of
fingerprint.

Also narrow the /home volume mount to /home/vmail.

docker-compose.yaml

@@ -41,11 +41,11 @@ services:
       ## system (required)
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
       ## data (defaults — override in docker-compose.override.yaml)
-      - chatmail-mail:/home
+      - chatmail-data:/home/vmail
       - chatmail-dkimkeys:/etc/dkimkeys
       - chatmail-acme:/var/lib/acme
 
 volumes:
-  chatmail-mail:
+  chatmail-data:
   chatmail-dkimkeys:
   chatmail-acme:

docker/chatmail_relay.dockerfile

@@ -49,7 +49,7 @@ RUN printf '[params]\nmail_domain = build.local\n' > /tmp/chatmail.ini
 
 # Dummy git repo init: .git/ is excluded from the build context (.dockerignore)
 # but setuptools calls `git ls-files` when building the sdist.
-RUN git init && \
+RUN git init -q && \
     python3 -m venv /opt/cmdeploy && \
     /opt/cmdeploy/bin/pip install --no-cache-dir \
         -e chatmaild/ -e cmdeploy/
@@ -65,7 +65,7 @@ RUN cp -a www/ /opt/chatmail-www/
 
 RUN rm -f /tmp/chatmail.ini
 
-# Record image version for upgrade detection at runtime.
+# Record image version (used in deploy fingerprint at runtime).
 # GIT_HASH is passed as a build arg (from docker-compose or CI) so that
 # .git/ can be excluded from the build context via .dockerignore.
 ARG GIT_HASH=unknown

docker/docker-compose.override.yaml.example

@@ -11,7 +11,7 @@ services:
       ## Data paths — bind-mount to host directories for easy access/backup.
       ## Uncomment and adjust paths as needed. These override the named
       ## volumes in the base docker-compose.yaml.
-      # - ./data/chatmail:/home
+      # - ./data/chatmail:/home/vmail
       # - ./data/chatmail-dkimkeys:/etc/dkimkeys
       # - ./data/chatmail-acme:/var/lib/acme
 

docker/files/setup_chatmail_docker.sh

@@ -18,40 +18,37 @@ fi
 # Fix ownership for bind-mounted keys (host opendkim UID may differ from container)
 chown -R opendkim:opendkim /etc/dkimkeys
 
+# Journald: forward to console for docker logs
+grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
+    || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
+systemctl restart systemd-journald
+
 # Create chatmail.ini (skips if file already exists, e.g. volume-mounted)
 mkdir -p "$(dirname "$CHATMAIL_INI")"
 if [ ! -f "$CHATMAIL_INI" ]; then
     $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
 fi
 
-# Auto-detect image upgrades: if the image version changed since last run,
+# --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
-# include the install stage so new packages/binaries are picked up.
+# On restart with identical image+config, systemd already brings up all
+# enabled services — the full cmdeploy run is redundant (~30s saved).
+# The install stage runs at image build time (Dockerfile), so only
+# configure+activate are needed here.
 IMAGE_VERSION_FILE="/etc/chatmail-image-version"
-RUNNING_VERSION_FILE="/home/.chatmail-running-version"
+FINGERPRINT_FILE="/etc/chatmail/.deploy-fingerprint"
-CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
+image_ver="none"
-if [ -f "$IMAGE_VERSION_FILE" ]; then
+[ -f "$IMAGE_VERSION_FILE" ] && image_ver=$(cat "$IMAGE_VERSION_FILE")
-    image_ver=$(cat "$IMAGE_VERSION_FILE")
+config_hash=$(sha256sum "$CHATMAIL_INI" | cut -c1-16)
-    running_ver=""
+current_fp="${image_ver}:${config_hash}"
-    if [ -f "$RUNNING_VERSION_FILE" ]; then
-        running_ver=$(cat "$RUNNING_VERSION_FILE")
-    fi
-    if [ "$image_ver" != "$running_ver" ]; then
-        echo "[INFO] Image version changed ($running_ver -> $image_ver), adding install stage."
-        case "$CMDEPLOY_STAGES" in
-            *install*) ;;  # already includes install
-            *) CMDEPLOY_STAGES="install,$CMDEPLOY_STAGES" ;;
-        esac
-    fi
-fi
-export CMDEPLOY_STAGES
-$CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local
 
-# Record successful version after deploy
+# CMDEPLOY_STAGES non-empty in env = operator override → always run.
-if [ -f "$IMAGE_VERSION_FILE" ]; then
+# Otherwise, if fingerprint matches the last successful deploy, skip.
-    cp "$IMAGE_VERSION_FILE" "$RUNNING_VERSION_FILE"
+if [ -z "${CMDEPLOY_STAGES:-}" ] \
+    && [ -f "$FINGERPRINT_FILE" ] \
+    && [ "$(cat "$FINGERPRINT_FILE")" = "$current_fp" ]; then
+    echo "[INFO] No changes detected ($current_fp), skipping deploy."
+else
+    export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
+    $CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local
+    echo "$current_fp" > "$FINGERPRINT_FILE"
 fi
-
-# Journald: forward to console for docker logs (idempotent)
-grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
-    || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
-systemctl restart systemd-journald