From b4a46d23e649f30c9a4532522cb804cb92df35a6 Mon Sep 17 00:00:00 2001
From: j4n <j4n@systemli.org>
Date: Tue, 31 Mar 2026 09:43:20 +0200
Subject: [PATCH] fix(cmdeploy): pin dovecot packages to prevent apt upgrades

As our .deb packages use Debian's version naming scheme, deploy an apt
preferences file that sets Pin-Priority: -1 for all dovecot-* packages
for every version of dovecot-* from every origin.
---
 cmdeploy/src/cmdeploy/dovecot/deployer.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/dovecot/deployer.py b/cmdeploy/src/cmdeploy/dovecot/deployer.py
index b2d0b95f..3d818813 100644
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -1,3 +1,4 @@
+import io
 import os
 import urllib.request
 
@@ -53,6 +54,15 @@ class DovecotDeployer(Deployer):
                         f"dpkg --force-confdef --force-confold -i {deb_list}",
                     ],
                 )
+        files.put(
+            name="Pin dovecot packages to block Debian dist-upgrades",
+            src=io.StringIO(
+                "Package: dovecot-*\n"
+                "Pin: version *\n"
+                "Pin-Priority: -1\n"
+            ),
+            dest="/etc/apt/preferences.d/pin-dovecot",
+        )
 
     def configure(self):
         configure_remote_units(self.config.mail_domain, self.units)