addressed link2xt comments except tls cleanup and fixed linting, removed leftovers

.github/workflows/reusable-test-tls-external.yaml

@@ -1,33 +0,0 @@
-name: test tls_external_cert_and_key
-
-on:
-  workflow_call:
-    inputs:
-      domain:
-        required: true
-        type: string
-    secrets:
-      STAGING_SSH_KEY:
-        required: true
-
-jobs:
-  test-tls-external:
-    name: test tls_external_cert_and_key
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    environment:
-      name: ${{ inputs.domain }}
-    concurrency: ${{ inputs.domain }}
-    steps:
-      - uses: actions/checkout@v4
-      - run: scripts/initenv.sh
-      - name: append venv/bin to PATH
-        run: echo venv/bin >>$GITHUB_PATH
-      - name: prepare SSH
-        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan ${{ inputs.domain }} >> ~/.ssh/known_hosts 2>/dev/null
-      - name: run tls_external e2e test
-        run: python -m cmdeploy.tests.setup_tls_external ${{ inputs.domain }}

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -102,11 +102,3 @@ jobs:
       - name: cmdeploy dns
         run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns -v --ssh-host localhost"
 
-  test-tls-external:
-    needs: deploy
-    uses: ./.github/workflows/reusable-test-tls-external.yaml
-    with:
-      domain: staging-ipv4.testrun.org
-    secrets:
-      STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
-

.github/workflows/test-and-deploy.yaml

@@ -95,11 +95,3 @@ jobs:
       - name: cmdeploy dns
         run: cmdeploy dns -v
 
-  test-tls-external:
-    needs: deploy
-    uses: ./.github/workflows/reusable-test-tls-external.yaml
-    with:
-      domain: staging2.testrun.org
-    secrets:
-      STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
-

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -93,7 +93,9 @@ def run_cmd(args, out):
     strict_tls = args.config.tls_cert_mode == "acme"
     if not args.dns_check_disabled:
         remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-        if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls, print=out.red):
+        if not dns.check_initial_remote_data(
+            remote_data, strict_tls=strict_tls, print=out.red
+        ):
             return 1
 
     env = os.environ.copy()
@@ -127,7 +129,11 @@ def run_cmd(args, out):
                 out.red("Website deployment failed.")
         elif retcode == 0:
             out.green("Deploy completed, call `cmdeploy dns` next.")
-        elif not args.dns_check_disabled and strict_tls and not remote_data["acme_account_url"]:
+        elif (
+            not args.dns_check_disabled
+            and strict_tls
+            and not remote_data["acme_account_url"]
+        ):
             out.red("Deploy completed but letsencrypt not configured")
             out.red("Run 'cmdeploy run' again")
             retcode = 0

cmdeploy/src/cmdeploy/deployers.py

@@ -20,7 +20,6 @@ from pyinfra.operations import apt, files, pip, server, systemd
 from cmdeploy.cmdeploy import Out
 
 from .acmetool import AcmetoolDeployer
-from .external.deployer import ExternalTlsDeployer
 from .basedeploy import (
     Deployer,
     Deployment,
@@ -580,11 +579,17 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         )
 
     # Check if mtail_address interface is available (if configured)
-    if config.mtail_address and config.mtail_address not in ('127.0.0.1', '::1', 'localhost'):
+    if config.mtail_address and config.mtail_address not in (
+        "127.0.0.1",
+        "::1",
+        "localhost",
+    ):
         ipv4_addrs = host.get_fact(hardware.Ipv4Addrs)
         all_addresses = [addr for addrs in ipv4_addrs.values() for addr in addrs]
         if config.mtail_address not in all_addresses:
-            Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
+            Out().red(
+                f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n"
+            )
             exit(1)
 
     if not os.environ.get("CHATMAIL_NOPORTCHECK"):

cmdeploy/src/cmdeploy/dovecot/deployer.py

@@ -42,7 +42,11 @@ class DovecotDeployer(Deployer):
         restart = False if self.disable_mail else self.need_restart
 
         systemd.service(
-            name="Disable dovecot for now" if self.disable_mail else "Start and enable Dovecot",
+            name=(
+                "Disable dovecot for now"
+                if self.disable_mail
+                else "Start and enable Dovecot"
+            ),
             service="dovecot.service",
             running=False if self.disable_mail else True,
             enabled=False if self.disable_mail else True,

cmdeploy/src/cmdeploy/postfix/deployer.py

@@ -97,7 +97,9 @@ class PostfixDeployer(Deployer):
             server.shell(
                 name="Validate postfix configuration",
                 # Extract stderr and quit with error if non-zero
-                commands=["""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""],
+                commands=[
+                    """bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""
+                ],
             )
         self.need_restart = need_restart
 
@@ -105,9 +107,11 @@ class PostfixDeployer(Deployer):
         restart = False if self.disable_mail else self.need_restart
 
         systemd.service(
-            name="disable postfix for now"
+            name=(
+                "disable postfix for now"
                 if self.disable_mail
-            else "Start and enable Postfix",
+                else "Start and enable Postfix"
+            ),
             service="postfix.service",
             running=False if self.disable_mail else True,
             enabled=False if self.disable_mail else True,

cmdeploy/src/cmdeploy/selfsigned/deployer.py

@@ -12,13 +12,24 @@ def openssl_selfsigned_args(domain, cert_path, key_path, days=36500):
     ``www.<domain>`` and ``mta-sts.<domain>``.
     """
     return [
-        "openssl", "req", "-x509",
+        "openssl",
-        "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:P-256",
+        "req",
-        "-noenc", "-days", str(days),
+        "-x509",
-        "-keyout", str(key_path),
+        "-newkey",
-        "-out", str(cert_path),
+        "ec",
-        "-subj", f"/CN={domain}",
+        "-pkeyopt",
-        "-addext", "extendedKeyUsage=serverAuth,clientAuth",
+        "ec_paramgen_curve:P-256",
+        "-noenc",
+        "-days",
+        str(days),
+        "-keyout",
+        str(key_path),
+        "-out",
+        str(cert_path),
+        "-subj",
+        f"/CN={domain}",
+        "-addext",
+        "extendedKeyUsage=serverAuth,clientAuth",
         "-addext",
         f"subjectAltName=DNS:{domain},DNS:www.{domain},DNS:mta-sts.{domain}",
     ]
@@ -40,7 +51,9 @@ class SelfSignedTlsDeployer(Deployer):
 
     def configure(self):
         args = openssl_selfsigned_args(
-            self.mail_domain, self.cert_path, self.key_path,
+            self.mail_domain,
+            self.cert_path,
+            self.key_path,
         )
         cmd = shlex.join(args)
         server.shell(

cmdeploy/src/cmdeploy/tests/online/test_0_qr.py

@@ -30,12 +30,15 @@ def test_newemail_configure(maildomain, rpc, chatmail_config):
             # set_config_from_qr, so fetch credentials via requests instead
             res = requests.post(f"https://{maildomain}/new", verify=False)
             data = res.json()
-            rpc.add_or_update_transport(account_id, {
+            rpc.add_or_update_transport(
+                account_id,
+                {
                     "addr": data["email"],
                     "password": data["password"],
                     "imapServer": maildomain,
                     "smtpServer": maildomain,
                     "certificateChecks": "acceptInvalidCertificates",
-            })
+                },
+            )
         else:
             rpc.add_transport_from_qr(account_id, url)

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -6,8 +6,8 @@ import imap_tools
 import pytest
 import requests
 
-from cmdeploy.remote import rshell
 from cmdeploy.cmdeploy import get_sshexec
+from cmdeploy.remote import rshell
 
 
 @pytest.fixture

cmdeploy/src/cmdeploy/tests/plugin.py

@@ -399,9 +399,12 @@ class Remote:
         getjournal = "journalctl -f" if not logcmd else logcmd
         print(self.sshdomain)
         match self.sshdomain:
-            case "@local": command = []
+            case "@local":
-            case "localhost": command = []
+                command = []
-            case _: command = ["ssh", f"root@{self.sshdomain}"]
+            case "localhost":
+                command = []
+            case _:
+                command = ["ssh", f"root@{self.sshdomain}"]
         [command.append(arg) for arg in getjournal.split()]
         self.popen = subprocess.Popen(
             command,