docker: comments and cleanup

docker/chatmail_relay.dockerfile

@@ -8,15 +8,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommend && \
     echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/01norecommend && \
     apt-get update && \
+    DEBIAN_FRONTEND=noninteractive TZ=UTC \
     apt-get install -y \
         ca-certificates \
+        gcc \
         git \
         python3 \
+        python3-dev \
         python3-venv \
-        gcc \
-        python3-dev && \
-    DEBIAN_FRONTEND=noninteractive TZ=UTC \
-    apt-get install -y tzdata locales && \
+        tzdata \
+        locales && \
     sed -i -e "s/# $LANG.*/$LANG UTF-8/" /etc/locale.gen && \
     dpkg-reconfigure --frontend=noninteractive locales && \
     update-locale LANG=$LANG
@@ -46,6 +47,7 @@ RUN --mount=type=cache,target=/root/.cache/pip \
 # Full source copy (editable install's .egg-link still points here)
 COPY . /opt/chatmail/
 
+# Minimal chatmail.ini
 RUN printf '[params]\nmail_domain = build.local\n' > /tmp/chatmail.ini
 
 RUN CMDEPLOY_STAGES=install \
@@ -82,7 +84,8 @@ COPY --chmod=555 ./docker/files/chatmail-init.sh /chatmail-init.sh
 COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh
 
 HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
-  CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1
+  CMD systemctl is-active chatmail-metadata doveauth dovecot filtermail filtermail-incoming nginx postfix unbound || exit 1
+  # maybe add iroh-relay turnserver
 
 STOPSIGNAL SIGRTMIN+3
 

docker/files/chatmail-init.sh

@@ -11,19 +11,20 @@ if [ -z "$MAIL_DOMAIN" ]; then
     exit 1
 fi
 
+# Generate DKIM keys if not mounted
 if [ ! -f /etc/dkimkeys/opendkim.private ]; then
     /usr/sbin/opendkim-genkey -D /etc/dkimkeys -d "$MAIL_DOMAIN" -s opendkim
 fi
 # Fix ownership for bind-mounted keys (host opendkim UID may differ from container)
 chown -R opendkim:opendkim /etc/dkimkeys
 
-# Create chatmail.ini (skips if file already exists, e.g. volume-mounted)
+# Create chatmail.ini, skip if mounted
 mkdir -p "$(dirname "$CHATMAIL_INI")"
 if [ ! -f "$CHATMAIL_INI" ]; then
     $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
 fi
 
-# Inject external TLS paths from env var (unless user mounted their own ini)
+# Inject external TLS paths from env var unless defined in chatmail.ini
 if [ -n "${TLS_EXTERNAL_CERT_AND_KEY:-}" ]; then
     if ! grep -q '^tls_external_cert_and_key' "$CHATMAIL_INI"; then
         echo "tls_external_cert_and_key = $TLS_EXTERNAL_CERT_AND_KEY" >> "$CHATMAIL_INI"
@@ -54,23 +55,25 @@ else
     systemctl stop postfix dovecot nginx opendkim unbound \
         filtermail doveauth chatmail-metadata iroh-relay mtail fcgiwrap 2>/dev/null || true
 
-    # Show listening ports before deploy (diagnostic for port-check failures)
-    echo "[DEBUG] Listening ports before deploy:"
-    ss -lptn | while IFS= read -r line; do echo "  $line"; done
+#    # Show listening ports before deploy (diagnostic for port-check failures)
+#    echo "[DEBUG] Listening ports before deploy:"
+#    ss -lptn | while IFS= read -r line; do echo "  $line"; done
+
     export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
+
     # Skip DNS check when MAIL_DOMAIN is a bare IP address
     SKIP_DNS=""
     if [[ "$MAIL_DOMAIN" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || [[ "$MAIL_DOMAIN" =~ : ]]; then
         SKIP_DNS="--skip-dns-check"
     fi
     $CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local $SKIP_DNS
-    # GithashDeployer overwrites /etc/chatmail-version with "unknown" because
-    # .git/ is excluded from the image; restore the build-time hash.
+
+    # Restore the build-time hash
     cp /etc/chatmail-image-version /etc/chatmail-version
     echo "$current_fp" > "$FINGERPRINT_FILE"
 fi
 
-# Journald: forward to console so `docker compose logs` works.
+# Forward journald to console so `docker compose logs` works
 grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
     || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
 systemctl restart systemd-journald