diff --git a/docker-compose.yaml b/docker-compose.yaml
index 00da94db..2a1f4343 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -36,9 +36,6 @@ services:
 max-file: "3"
 environment:
 MAIL_DOMAIN: $MAIL_DOMAIN
- CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
- CHATMAIL_NOSYSCTL: ${CHATMAIL_NOSYSCTL:-True}
- TLS_EXTERNAL_CERT_AND_KEY: ${TLS_EXTERNAL_CERT_AND_KEY:-}
 network_mode: "host"
 volumes:
 ## system (required)
diff --git a/docker/chatmail_relay.dockerfile b/docker/chatmail_relay.dockerfile
index 4f82c78c..eda46548 100644
--- a/docker/chatmail_relay.dockerfile
+++ b/docker/chatmail_relay.dockerfile
@@ -81,12 +81,6 @@ RUN rm -f /etc/nginx/sites-enabled/default
 COPY --chmod=555 ./docker/files/chatmail-init.sh /chatmail-init.sh
 COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh
-# Certificate monitoring as a proper systemd timer (not a background process)
-COPY --chmod=555 ./docker/files/chatmail-certmon.sh /chatmail-certmon.sh
-COPY ./docker/files/chatmail-certmon.service /lib/systemd/system/chatmail-certmon.service
-COPY ./docker/files/chatmail-certmon.timer /lib/systemd/system/chatmail-certmon.timer
-RUN ln -sf /lib/systemd/system/chatmail-certmon.timer /etc/systemd/system/timers.target.wants/chatmail-certmon.timer
-
 HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
 CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1
diff --git a/docker/files/chatmail-certmon.service b/docker/files/chatmail-certmon.service
deleted file mode 100644
index 58ab9a04..00000000
--- a/docker/files/chatmail-certmon.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Check TLS certificate changes and reload services
-After=chatmail-init.service
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash /chatmail-certmon.sh
-PassEnvironment=MAIL_DOMAIN PATH_TO_SSL
diff --git a/docker/files/chatmail-certmon.sh b/docker/files/chatmail-certmon.sh
deleted file mode 100644
index 107c169d..00000000
--- a/docker/files/chatmail-certmon.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-# Check if TLS certificates have changed and reload services if so.
-# Called by chatmail-certmon.timer (systemd timer, default every 60s).
-set -eo pipefail
-
-PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
-HASH_FILE="/run/chatmail-certmon.hash"
-
-if [ ! -d "$PATH_TO_SSL" ]; then
- exit 0
-fi
-
-current_hash=$(find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}')
-previous_hash=""
-if [ -f "$HASH_FILE" ]; then
- previous_hash=$(cat "$HASH_FILE")
-fi
-
-if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
- echo "[INFO] Certificate hash changed, reloading nginx, dovecot and postfix."
- echo "$current_hash" > "$HASH_FILE"
- # On first run (no previous hash), don't reload — services may not be up yet
- if [ -n "$previous_hash" ]; then
- systemctl reload nginx.service
- systemctl reload dovecot.service
- systemctl reload postfix.service
- fi
-fi
diff --git a/docker/files/chatmail-certmon.timer b/docker/files/chatmail-certmon.timer
deleted file mode 100644
index 8dc5aa8d..00000000
--- a/docker/files/chatmail-certmon.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Periodically check TLS certificate changes
-
-[Timer]
-OnBootSec=120
-OnUnitActiveSec=60
-
-[Install]
-WantedBy=timers.target
diff --git a/docker/files/chatmail-init.sh b/docker/files/chatmail-init.sh
index 8ae846d5..1936015e 100755
--- a/docker/files/chatmail-init.sh
+++ b/docker/files/chatmail-init.sh
@@ -30,6 +30,13 @@ if [ ! -f "$CHATMAIL_INI" ]; then
 $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
 fi
+# Inject external TLS paths from env var (unless user mounted their own ini)
+if [ -n "${TLS_EXTERNAL_CERT_AND_KEY:-}" ]; then
+ if ! grep -q '^tls_external_cert_and_key' "$CHATMAIL_INI"; then
+ echo "tls_external_cert_and_key = $TLS_EXTERNAL_CERT_AND_KEY" >> "$CHATMAIL_INI"
+ fi
+fi
+
 # --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
 # On restart with identical image+config, systemd already brings up all
 # enabled services — the full cmdeploy run is redundant (~30s saved).
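Review bot: The `grep -q '^tls_external_cert_and_key'` guard only tests that the key exists, so the env value is written once and never refreshed: on a later start with a different `TLS_EXTERNAL_CERT_AND_KEY` the stale path stays in the ini and the new value is silently ignored, which the comment `unless user mounted their own ini` does not convey. Either state it in the comment, e.g. `# Written only when the key is absent: a mounted ini or an earlier start takes precedence over the env var`, or replace the existing line in place rather than skipping it. Note also that the same commit drops `TLS_EXTERNAL_CERT_AND_KEY` from the `environment:` block of docker-compose.yaml, so unless it is declared elsewhere (an env_file or an override) the variable presumably never reaches the container and this branch cannot fire. The hunk's leading context lines close an `if` that starts outside the hunk.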