docker: migrate to new external tls logic

- remove all traces of CHATMAIL_NOACME; purge certwatch service
- introduce TLS_EXTERNAL_CERT_AND_KEY as per new logic

docker/chatmail_relay.dockerfile

@@ -87,12 +87,6 @@ RUN rm -f /etc/nginx/sites-enabled/default
 COPY --chmod=555 ./docker/files/setup_chatmail_docker.sh /setup_chatmail_docker.sh
 COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh
 
-# Certificate monitoring as a proper systemd timer (not a background process)
-COPY --chmod=555 ./docker/files/chatmail-certmon.sh /chatmail-certmon.sh
-COPY ./docker/files/chatmail-certmon.service /lib/systemd/system/chatmail-certmon.service
-COPY ./docker/files/chatmail-certmon.timer /lib/systemd/system/chatmail-certmon.timer
-RUN ln -sf /lib/systemd/system/chatmail-certmon.timer /etc/systemd/system/timers.target.wants/chatmail-certmon.timer
-
 HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
   CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1
 

docker/files/chatmail-certmon.service

@@ -1,8 +0,0 @@
-[Unit]
-Description=Check TLS certificate changes and reload services
-After=setup_chatmail.service
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash /chatmail-certmon.sh
-PassEnvironment=MAIL_DOMAIN PATH_TO_SSL

docker/files/chatmail-certmon.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-# Check if TLS certificates have changed and reload services if so.
-# Called by chatmail-certmon.timer (systemd timer, default every 60s).
-set -eo pipefail
-
-PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
-HASH_FILE="/run/chatmail-certmon.hash"
-
-if [ ! -d "$PATH_TO_SSL" ]; then
-    exit 0
-fi
-
-current_hash=$(find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}')
-previous_hash=""
-if [ -f "$HASH_FILE" ]; then
-    previous_hash=$(cat "$HASH_FILE")
-fi
-
-if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
-    echo "[INFO] Certificate hash changed, reloading nginx, dovecot and postfix."
-    echo "$current_hash" > "$HASH_FILE"
-    # On first run (no previous hash), don't reload — services may not be up yet
-    if [ -n "$previous_hash" ]; then
-        systemctl reload nginx.service
-        systemctl reload dovecot.service
-        systemctl reload postfix.service
-    fi
-fi

docker/files/chatmail-certmon.timer

@@ -1,9 +0,0 @@
-[Unit]
-Description=Periodically check TLS certificate changes
-
-[Timer]
-OnBootSec=120
-OnUnitActiveSec=60
-
-[Install]
-WantedBy=timers.target

docker/files/entrypoint.sh

@@ -6,7 +6,7 @@ SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/
 # Whitelist only the env vars needed by setup_chatmail_docker.sh.
 # Forwarding all env vars (via printenv) would leak Docker internals,
 # orchestrator secrets, and other unrelated variables into systemd.
-env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK CHATMAIL_NOACME PATH_TO_SSL PATH"
+env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK TLS_EXTERNAL_CERT_AND_KEY PATH"
 sed -i "s|<envs_list>|$env_vars|g" "$SETUP_CHATMAIL_SERVICE_PATH"
 
 exec /lib/systemd/systemd "$@"

docker/files/setup_chatmail_docker.sh

@@ -29,6 +29,13 @@ if [ ! -f "$CHATMAIL_INI" ]; then
     $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
 fi
 
+# Inject external TLS paths from env var (unless user mounted their own ini)
+if [ -n "${TLS_EXTERNAL_CERT_AND_KEY:-}" ]; then
+    if ! grep -q '^tls_external_cert_and_key' "$CHATMAIL_INI"; then
+        echo "tls_external_cert_and_key = $TLS_EXTERNAL_CERT_AND_KEY" >> "$CHATMAIL_INI"
+    fi
+fi
+
 # --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
 # On restart with identical image+config, systemd already brings up all
 # enabled services — the full cmdeploy run is redundant (~30s saved).