diff --git a/.github/workflows/docker-ci.yaml b/.github/workflows/docker-ci.yaml
index 28a00e8a..1de06043 100644
--- a/.github/workflows/docker-ci.yaml
+++ b/.github/workflows/docker-ci.yaml
@@ -135,9 +135,9 @@ jobs:
 echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
 ssh-keyscan ${HOST} > ~/.ssh/known_hosts
- # save previous acme & dkim state (Docker bind-mount paths)
- rsync -avz root@${HOST}:/srv/chatmail/certs/ ${ACME_DIR}/ || true
- rsync -avz root@${HOST}:/srv/chatmail/dkim/ ${DKIM_DIR}/ || true
+ # save previous acme & dkim state
+ rsync -avz root@${HOST}:/var/lib/acme/ ${ACME_DIR}/ || true
+ rsync -avz root@${HOST}:/etc/dkimkeys/ ${DKIM_DIR}/ || true
 # store previous acme & dkim state on ns.testrun.org, if it contains useful certs
 if [ -f ${DKIM_DIR}/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" ${DKIM_DIR} root@ns.testrun.org:/tmp/ || true; fi
 if [ "$(ls -A ${ACME_DIR}/certs 2>/dev/null)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" ${ACME_DIR} root@ns.testrun.org:/tmp/ || true; fi
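Review bot: The guard on the trailing context line, `if [ "$(ls -A ${ACME_DIR}/certs 2>/dev/null)" ]`, still looks for a `certs` subdirectory, but the new source is `/var/lib/acme/`, which the compose change in this same commit addresses as `/var/lib/acme/live/${MAIL_DOMAIN}/…`; unless that tree also contains a `certs` directory the backup upload silently never runs, and the `|| true` on the new rsync hides a failed fetch as well. If the layout really is `live/<domain>/`, the check should become `if [ "$(ls -A ${ACME_DIR}/live 2>/dev/null)" ]` or simply test `${ACME_DIR}` itself. The `run:` block this belongs to starts before the hunk.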
@@ -185,10 +185,11 @@ jobs:
 # download from ns.testrun.org
 rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/${ACME_DIR} acme-restore || true
 rsync -avz root@ns.testrun.org:/tmp/${DKIM_DIR} dkimkeys-restore || true
- # restore to VPS host paths (will be bind-mounted into container)
- ssh root@${HOST} mkdir -p /srv/chatmail/dkim /srv/chatmail/certs
- rsync -avz acme-restore/${ACME_DIR}/ root@${HOST}:/srv/chatmail/certs/ || true
- rsync -avz dkimkeys-restore/${DKIM_DIR}/ root@${HOST}:/srv/chatmail/dkim/ || true
+ # restore to acme & dkim state
+ rsync -avz acme-restore/${ACME_DIR}/ root@${HOST}:/var/lib/acme/ || true
+ rsync -avz dkimkeys-restore/${DKIM_DIR}/ root@${HOST}:/etc/dkimkeys/ || true
+ # copy acme & dkim state to docker bind mounts
+ ssh root@${HOST} 'mkdir -p /srv/chatmail/certs /srv/chatmail/dkim && cp -a /var/lib/acme/. /srv/chatmail/certs/ && cp -a /etc/dkimkeys/. /srv/chatmail/dkim/'
 - name: generate chatmail.ini
 env:
diff --git a/docker/chatmail-init.sh b/docker/chatmail-init.sh
index d83bc3ef..60a5c427 100755
--- a/docker/chatmail-init.sh
+++ b/docker/chatmail-init.sh
@@ -83,6 +83,9 @@ else
 echo "$current_fp" > "$FINGERPRINT_FILE"
 fi
+# Signal success to Docker healthcheck
+touch /run/chatmail-init.done
+
 # Forward journald to console so `docker compose logs` works
 grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
 || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
diff --git a/docker/chatmail_relay.dockerfile b/docker/chatmail_relay.dockerfile
index f874812d..4f0d3e9b 100644
--- a/docker/chatmail_relay.dockerfile
+++ b/docker/chatmail_relay.dockerfile
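Review bot: The new `ssh root@${HOST} 'mkdir -p … && cp -a …'` line has no `|| true`, unlike the two rsync lines above it, so on a host where nothing was restored (the rsync failed and was swallowed, so `/var/lib/acme` or `/etc/dkimkeys` never got created) the `cp -a` fails and the whole step aborts; that is fine as fail-fast, but then the rsync lines should not hide their errors either. Separately, `cp -a` preserves the files' modes but `mkdir -p` creates `/srv/chatmail/certs` and `/srv/chatmail/dkim` with root's default umask, so the DKIM private key and the TLS `privkey` now exist in a second tree whose directory permissions are not set anywhere in this hunk; consider `install -d -m 0700 /srv/chatmail/certs /srv/chatmail/dkim` instead of the `mkdir -p` (adjusting the mode to what the container's service users need). The enclosing `run:` block starts before the hunk.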
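Review bot: `touch /run/chatmail-init.done` is executed before the journald `ForwardToConsole` step that follows it and before whatever the script does after this hunk (its tail is not visible here), so a health check keyed on that file can report healthy while init is still running or after a later step has failed. If the marker is meant to mean "init finished", move the `touch` to the script's last statement and make sure the script runs under `set -e` (or equivalent) so an earlier failure cannot reach it; the script header is outside the hunk, so I can't confirm that. `/run` is normally a tmpfs under systemd, so the marker vanishes on container restart, which is the right behaviour if it is only supposed to describe the current boot.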
@@ -88,10 +88,10 @@ RUN rm -f /etc/nginx/sites-enabled/default
 COPY --chmod=555 ./docker/chatmail-init.sh /chatmail-init.sh
 COPY --chmod=555 ./docker/entrypoint.sh /entrypoint.sh
+COPY --chmod=555 ./docker/healthcheck.sh /healthcheck.sh
-HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
- CMD systemctl is-active chatmail-metadata doveauth dovecot filtermail filtermail-incoming nginx postfix unbound || exit 1
- # maybe add iroh-relay turnserver
+HEALTHCHECK --interval=15s --timeout=10s --retries=3 \
+ CMD /healthcheck.sh
 STOPSIGNAL SIGRTMIN+3
diff --git a/docker/docker-compose.ci.yaml b/docker/docker-compose.ci.yaml
index e46e4dbb..760ad451 100644
--- a/docker/docker-compose.ci.yaml
+++ b/docker/docker-compose.ci.yaml
@@ -4,5 +4,8 @@ services:
 chatmail:
 image: ${CHATMAIL_IMAGE:-chatmail-relay:latest}
 volumes:
+ - /srv/chatmail/chatmail.ini:/etc/chatmail/chatmail.ini
 - /srv/chatmail/dkim:/etc/dkimkeys
 - /srv/chatmail/certs:/var/lib/acme
+ environment:
+ TLS_EXTERNAL_CERT_AND_KEY: /var/lib/acme/live/${MAIL_DOMAIN}/fullchain /var/lib/acme/live/${MAIL_DOMAIN}/privkey
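Review bot: The health check now delegates to `/healthcheck.sh`, which is not part of this diff, so the explicit unit list (`chatmail-metadata doveauth dovecot filtermail filtermail-incoming nginx postfix unbound`) and the `# maybe add iroh-relay turnserver` reminder leave the Dockerfile with nothing here showing they were carried over; please confirm the script still checks each of those units and move the TODO into it. With the interval cut from 60s to 15s and `--retries=3`, the container is flagged unhealthy roughly 45s after start if the script fails while init is still running, so add a `--start-period` sized to the init time, e.g. `HEALTHCHECK --interval=15s --timeout=10s --start-period=120s --retries=3 \`. Prefer the exec form `CMD ["/healthcheck.sh"]` so the probe is not wrapped in `/bin/sh -c`.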
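Review bot: `${MAIL_DOMAIN}` in the new `TLS_EXTERNAL_CERT_AND_KEY` value is substituted by Compose from the host environment, and when it is unset Compose only warns and expands it to an empty string, yielding `/var/lib/acme/live//fullchain`; use the fail-fast form `${MAIL_DOMAIN:?MAIL_DOMAIN must be set}` in both paths so a missing value stops `docker compose up` instead of starting a relay that cannot find its certificate. The new `chatmail.ini` bind mount is read-write; if the container is not expected to modify the host copy, append `:ro` (`- /srv/chatmail/chatmail.ini:/etc/chatmail/chatmail.ini:ro`) so a compromised or misbehaving service cannot rewrite the host configuration.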