lxc: dovecot sysctl: warn but skip when running in shared-kernel container

Replace the CHATMAIL_NOSYSCTL guard with an explicit systemd-detect-virt -c check.

cmdeploy/src/cmdeploy/dovecot/deployer.py

@@ -1,9 +1,8 @@
-import os
 import urllib.request
 
 from chatmaild.config import Config
 from pyinfra import host
-from pyinfra.facts.server import Arch, Sysctl
+from pyinfra.facts.server import Arch, Command, Sysctl
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, server, systemd
 
@@ -137,22 +136,24 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
 
     # as per https://doc.dovecot.org/2.3/configuration_manual/os/
     # it is recommended to set the following inotify limits
-    if not os.environ.get("CHATMAIL_NOSYSCTL"):
+    can_modify = host.get_fact(Command, "systemd-detect-virt -c || true") == "none"
     for name in ("max_user_instances", "max_user_watches"):
         key = f"fs.inotify.{name}"
-            if host.get_fact(Sysctl)[key] > 65535:
-                # Skip updating limits if already sufficient
-                # (enables running in incus containers where sysctl readonly)
+        value = host.get_fact(Sysctl)[key]
+        if value > 65534:
+            continue
+        if not can_modify:
+            print(
+                "\n!!!! refusing to attempt sysctl setting in shared-kernel containers\n"
+                f"!!!! dovecot: sysctl {key!r}={value}, should be >65535 for production setups\n"
+                "!!!!"
+            )
             continue
-            # in containers the following can fail see also
-            # https://docs.pyinfra.com/en/3.x/arguments.html#operation-meta-callbacks
         server.sysctl(
             name=f"Change {key}",
             key=key,
             value=65535,
             persist=True,
-                _ignore_errors=True,
-                _continue_on_error=True,
         )
 
     timezone_env = files.line(