diff --git a/.github/workflows/reusable-test-tls-external.yaml b/.github/workflows/reusable-test-tls-external.yaml
deleted file mode 100644
index b8c33b35..00000000
--- a/.github/workflows/reusable-test-tls-external.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: test tls_external_cert_and_key
-
-on:
- workflow_call:
- inputs:
- domain:
- required: true
- type: string
- secrets:
- STAGING_SSH_KEY:
- required: true
-
-jobs:
- test-tls-external:
- name: test tls_external_cert_and_key
- runs-on: ubuntu-latest
- timeout-minutes: 15
- environment:
- name: ${{ inputs.domain }}
- concurrency: ${{ inputs.domain }}
- steps:
- - uses: actions/checkout@v4
- run: scripts/initenv.sh
- - name: append venv/bin to PATH
- run: echo venv/bin >>$GITHUB_PATH
- - name: prepare SSH
- run: |
- mkdir -p ~/.ssh
- echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
- ssh-keyscan ${{ inputs.domain }} >> ~/.ssh/known_hosts 2>/dev/null
- - name: run tls_external e2e test
- run: python -m cmdeploy.tests.setup_tls_external ${{ inputs.domain }}
diff --git a/.github/workflows/test-and-deploy-ipv4only.yaml b/.github/workflows/test-and-deploy-ipv4only.yaml
index e7246f41..990963ec 100644
--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -102,11 +102,3 @@ jobs:
- name: cmdeploy dns
run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns -v --ssh-host localhost"
- test-tls-external:
- needs: deploy
- uses: ./.github/workflows/reusable-test-tls-external.yaml
- with:
- domain: staging-ipv4.testrun.org
- secrets:
- STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
-
diff --git a/.github/workflows/test-and-deploy.yaml b/.github/workflows/test-and-deploy.yaml
index fd403274..2f744cb8 100644
--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -95,11 +95,3 @@ jobs:
- name: cmdeploy dns
run: cmdeploy dns -v
- test-tls-external:
- needs: deploy
- uses: ./.github/workflows/reusable-test-tls-external.yaml
- with:
- domain: staging2.testrun.org
- secrets:
- STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
-
diff --git a/cmdeploy/src/cmdeploy/acmetool/__init__.py b/cmdeploy/src/cmdeploy/acmetool/__init__.py
index e4e1ed84..e0e8c02f 100644
--- a/cmdeploy/src/cmdeploy/acmetool/__init__.py
+++ b/cmdeploy/src/cmdeploy/acmetool/__init__.py
@@ -67,7 +67,7 @@ class AcmetoolDeployer(Deployer):
)
files.template(
src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
- dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
+ dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
user="root",
group="root",
mode="644",
diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index a7ed5fee..85017c9b 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -93,7 +93,9 @@ def run_cmd(args, out):
strict_tls = args.config.tls_cert_mode == "acme"
if not args.dns_check_disabled:
remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
- if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls, print=out.red):
+ if not dns.check_initial_remote_data(
+ remote_data, strict_tls=strict_tls, print=out.red
+ ):
return 1
env = os.environ.copy()
@@ -127,7 +129,11 @@ def run_cmd(args, out):
out.red("Website deployment failed.")
elif retcode == 0:
out.green("Deploy completed, call `cmdeploy dns` next.")
- elif not args.dns_check_disabled and strict_tls and not remote_data["acme_account_url"]:
+ elif (
+ not args.dns_check_disabled
+ and strict_tls
+ and not remote_data["acme_account_url"]
+ ):
out.red("Deploy completed but letsencrypt not configured")
out.red("Run 'cmdeploy run' again")
retcode = 0
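Review bot: The reformatted `elif` branch that prints "Deploy completed but letsencrypt not configured" and tells the operator to rerun still ends with `retcode = 0`, so anything checking the exit status cannot tell this incomplete deploy from a successful one. If a zero exit is deliberate here (for example because the first run is expected only to create the ACME account), a one-line comment above `retcode = 0` saying so would stop the next reader from "fixing" it; otherwise a non-zero value such as `retcode = 1` lets the printed instruction and the exit status agree. `run_cmd` begins before the first hunk and continues past the last one, so I cannot see how `retcode` is ultimately returned.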
diff --git a/cmdeploy/src/cmdeploy/deployers.py b/cmdeploy/src/cmdeploy/deployers.py
index 54cbcc71..31e87f66 100644
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -20,7 +20,6 @@ from pyinfra.operations import apt, files, pip, server, systemd
from cmdeploy.cmdeploy import Out
from .acmetool import AcmetoolDeployer
-from .external.deployer import ExternalTlsDeployer
from .basedeploy import (
Deployer,
Deployment,
@@ -580,11 +579,17 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
)
# Check if mtail_address interface is available (if configured)
- if config.mtail_address and config.mtail_address not in ('127.0.0.1', '::1', 'localhost'):
+ if config.mtail_address and config.mtail_address not in (
+ "127.0.0.1",
+ "::1",
+ "localhost",
+ ):
ipv4_addrs = host.get_fact(hardware.Ipv4Addrs)
all_addresses = [addr for addrs in ipv4_addrs.values() for addr in addrs]
if config.mtail_address not in all_addresses:
- Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
+ Out().red(
+ f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n"
+ )
exit(1)
if not os.environ.get("CHATMAIL_NOPORTCHECK"):
diff --git a/cmdeploy/src/cmdeploy/dovecot/deployer.py b/cmdeploy/src/cmdeploy/dovecot/deployer.py
index bb3bd764..302a5510 100644
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -42,7 +42,11 @@ class DovecotDeployer(Deployer):
restart = False if self.disable_mail else self.need_restart
systemd.service(
- name="Disable dovecot for now" if self.disable_mail else "Start and enable Dovecot",
+ name=(
+ "Disable dovecot for now"
+ if self.disable_mail
+ else "Start and enable Dovecot"
+ ),
service="dovecot.service",
running=False if self.disable_mail else True,
enabled=False if self.disable_mail else True,
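Review bot: Removing the `ExternalTlsDeployer` import takes the external cert/key mode out of deployers.py, the same mode the deleted `tls_external_cert_and_key` workflow exercised, but this hunk does not show where `tls_cert_mode` values are validated. If the config parser still accepts that value, a deploy requesting it would presumably proceed without any deployer provisioning the files, so it is worth confirming the option is now rejected with an explicit error (or documented as removed) rather than silently ignored. The import block continues outside the hunk.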
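Review bot: The availability check reads only `hardware.Ipv4Addrs`, so a non-loopback IPv6 `mtail_address` can never appear in `all_addresses` and the deploy aborts even when that address is configured on the host; the `"::1"` exemption in the reformatted tuple suggests IPv6 values are expected. pyinfra ships an `Ipv6Addrs` fact next to `Ipv4Addrs`, so collecting both closes the gap: `ipv6_addrs = host.get_fact(hardware.Ipv6Addrs)` followed by `all_addresses = [addr for addrs in (*ipv4_addrs.values(), *ipv6_addrs.values()) for addr in addrs]`. Separately, `exit(1)` is the `site`-module helper rather than `sys.exit(1)` and is absent under `python -S` or embedded interpreters, so `sys.exit(1)` is the safer spelling if `sys` is already imported above. `deploy_chatmail` starts before this hunk and continues after it.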
diff --git a/cmdeploy/src/cmdeploy/postfix/deployer.py b/cmdeploy/src/cmdeploy/postfix/deployer.py
index 96197bd7..1f9c2652 100644
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -97,7 +97,9 @@ class PostfixDeployer(Deployer):
server.shell(
name="Validate postfix configuration",
# Extract stderr and quit with error if non-zero
- commands=["""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""],
+ commands=[
+ """bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""
+ ],
)
self.need_restart = need_restart
@@ -105,9 +107,11 @@ class PostfixDeployer(Deployer):
restart = False if self.disable_mail else self.need_restart
systemd.service(
- name="disable postfix for now"
- if self.disable_mail
- else "Start and enable Postfix",
+ name=(
+ "disable postfix for now"
+ if self.disable_mail
+ else "Start and enable Postfix"
+ ),
service="postfix.service",
running=False if self.disable_mail else True,
enabled=False if self.disable_mail else True,
diff --git a/cmdeploy/src/cmdeploy/selfsigned/deployer.py b/cmdeploy/src/cmdeploy/selfsigned/deployer.py
index 0faff5e8..17d04f07 100644
--- a/cmdeploy/src/cmdeploy/selfsigned/deployer.py
+++ b/cmdeploy/src/cmdeploy/selfsigned/deployer.py
@@ -12,13 +12,24 @@ def openssl_selfsigned_args(domain, cert_path, key_path, days=36500):
``www.`` and ``mta-sts.``.
"""
return [
- "openssl", "req", "-x509",
- "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:P-256",
- "-noenc", "-days", str(days),
- "-keyout", str(key_path),
- "-out", str(cert_path),
- "-subj", f"/CN={domain}",
- "-addext", "extendedKeyUsage=serverAuth,clientAuth",
+ "openssl",
+ "req",
+ "-x509",
+ "-newkey",
+ "ec",
+ "-pkeyopt",
+ "ec_paramgen_curve:P-256",
+ "-noenc",
+ "-days",
+ str(days),
+ "-keyout",
+ str(key_path),
+ "-out",
+ str(cert_path),
+ "-subj",
+ f"/CN={domain}",
+ "-addext",
+ "extendedKeyUsage=serverAuth,clientAuth",
"-addext",
f"subjectAltName=DNS:{domain},DNS:www.{domain},DNS:mta-sts.{domain}",
]
@@ -40,7 +51,9 @@ class SelfSignedTlsDeployer(Deployer):
def configure(self):
args = openssl_selfsigned_args(
- self.mail_domain, self.cert_path, self.key_path,
+ self.mail_domain,
+ self.cert_path,
+ self.key_path,
)
cmd = shlex.join(args)
server.shell(
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py b/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
index b916e696..4ffc8f0d 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
@@ -30,12 +30,15 @@ def test_newemail_configure(maildomain, rpc, chatmail_config):
# set_config_from_qr, so fetch credentials via requests instead
res = requests.post(f"https://{maildomain}/new", verify=False)
data = res.json()
- rpc.add_or_update_transport(account_id, {
- "addr": data["email"],
- "password": data["password"],
- "imapServer": maildomain,
- "smtpServer": maildomain,
- "certificateChecks": "acceptInvalidCertificates",
- })
+ rpc.add_or_update_transport(
+ account_id,
+ {
+ "addr": data["email"],
+ "password": data["password"],
+ "imapServer": maildomain,
+ "smtpServer": maildomain,
+ "certificateChecks": "acceptInvalidCertificates",
+ },
+ )
else:
rpc.add_transport_from_qr(account_id, url)
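Review bot: `-noenc` in the reformatted argument list is the OpenSSL 3.0 spelling of `-nodes`, so `openssl req` rejects this command on 1.1.x hosts and the docstring, whose opening lines sit above the hunk, should say so, e.g. `Requires OpenSSL >= 3.0 (``-noenc``; older releases spell it ``-nodes``).` It is also worth recording that `domain` is interpolated unescaped into `-subj /CN={domain}` and into the `subjectAltName` entry, so a value containing `/` or `,` changes how OpenSSL parses the subject and SAN list even though `shlex.join` in `configure` makes the command shell-safe; a `# domain must be a plain hostname` note on the `-subj` entry would flag that. The function's signature and docstring start above this hunk.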
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
index 53e3846a..947c34f9 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
@@ -6,8 +6,8 @@ import imap_tools
import pytest
import requests
-from cmdeploy.remote import rshell
from cmdeploy.cmdeploy import get_sshexec
+from cmdeploy.remote import rshell
@pytest.fixture
diff --git a/cmdeploy/src/cmdeploy/tests/plugin.py b/cmdeploy/src/cmdeploy/tests/plugin.py
index 34f258df..f0a27b31 100644
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -399,9 +399,12 @@ class Remote:
getjournal = "journalctl -f" if not logcmd else logcmd
print(self.sshdomain)
match self.sshdomain:
- case "@local": command = []
- case "localhost": command = []
- case _: command = ["ssh", f"root@{self.sshdomain}"]
+ case "@local":
+ command = []
+ case "localhost":
+ command = []
+ case _:
+ command = ["ssh", f"root@{self.sshdomain}"]
[command.append(arg) for arg in getjournal.split()]
self.popen = subprocess.Popen(
command,
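Review bot: The two identical arms `case "@local":` and `case "localhost":` in the reformatted `match` can be one or-pattern, `case "@local" | "localhost":`, which is what `match` is for and removes the duplicated `command = []`. The list comprehension on the following context line is used only for its side effect; `command.extend(getjournal.split())` says the same thing without building a throwaway list of `None`. The `print(self.sshdomain)` just above the `match` reads like leftover debugging output; if it is intentional, a comment or a proper log call would make that clear. The enclosing method starts before this hunk and continues after it.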