cqrenet/relay
4
0
Fork 0
mirror of https://github.com/chatmail/relay.git synced 2026-05-21 13:28:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

docker: rebase again on hpk/tls-external and modify our end

Browse Source 
Remove the custom certmon timer (polling via sha1sum every 60s),
replaced by the deployer's tls-cert-reload.path unit (inotify).

chatmail-init.sh: inject TLS_EXTERNAL_CERT_AND_KEY env var into
chatmail.ini at startup if not already present.

docker-compose.yaml: remove CMDEPLOY_STAGES, CHATMAIL_NOSYSCTL,
TLS_EXTERNAL_CERT_AND_KEY from base environment (set in init script
or via override file).
This commit is contained in:
j4n
2026-02-23 17:06:19 +01:00
parent 696d07f70c
commit fa834e7737
6 changed files with 7 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docker-compose.yaml
View File

@@ -36,9 +36,6 @@ services:
max-file: "3" max-file: "3"
environment: environment:
MAIL_DOMAIN: $MAIL_DOMAIN MAIL_DOMAIN: $MAIL_DOMAIN
CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
CHATMAIL_NOSYSCTL: ${CHATMAIL_NOSYSCTL:-True}
TLS_EXTERNAL_CERT_AND_KEY: ${TLS_EXTERNAL_CERT_AND_KEY:-}
network_mode: "host" network_mode: "host"
volumes: volumes:
## system (required) ## system (required)

6
docker/chatmail_relay.dockerfile
View File

@@ -81,12 +81,6 @@ RUN rm -f /etc/nginx/sites-enabled/default
COPY --chmod=555 ./docker/files/chatmail-init.sh /chatmail-init.sh COPY --chmod=555 ./docker/files/chatmail-init.sh /chatmail-init.sh
COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh
# Certificate monitoring as a proper systemd timer (not a background process)
COPY --chmod=555 ./docker/files/chatmail-certmon.sh /chatmail-certmon.sh
COPY ./docker/files/chatmail-certmon.service /lib/systemd/system/chatmail-certmon.service
COPY ./docker/files/chatmail-certmon.timer /lib/systemd/system/chatmail-certmon.timer
RUN ln -sf /lib/systemd/system/chatmail-certmon.timer /etc/systemd/system/timers.target.wants/chatmail-certmon.timer
HEALTHCHECK --interval=60s --timeout=10s --retries=3 \ HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1 CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1

8
docker/files/chatmail-certmon.service
View File

@@ -1,8 +0,0 @@
[Unit]
Description=Check TLS certificate changes and reload services
After=chatmail-init.service
[Service]
Type=oneshot
ExecStart=/bin/bash /chatmail-certmon.sh
PassEnvironment=MAIL_DOMAIN PATH_TO_SSL

28
docker/files/chatmail-certmon.sh
View File

@@ -1,28 +0,0 @@
#!/bin/bash
# Check if TLS certificates have changed and reload services if so.
# Called by chatmail-certmon.timer (systemd timer, default every 60s).
set -eo pipefail
PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
HASH_FILE="/run/chatmail-certmon.hash"
if [ ! -d "$PATH_TO_SSL" ]; then
exit 0
fi
current_hash=$(find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}')
previous_hash=""
if [ -f "$HASH_FILE" ]; then
previous_hash=$(cat "$HASH_FILE")
fi
if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
echo "[INFO] Certificate hash changed, reloading nginx, dovecot and postfix."
echo "$current_hash" > "$HASH_FILE"
# On first run (no previous hash), don't reload — services may not be up yet
if [ -n "$previous_hash" ]; then
systemctl reload nginx.service
systemctl reload dovecot.service
systemctl reload postfix.service
fi
fi

9
docker/files/chatmail-certmon.timer
View File

@@ -1,9 +0,0 @@
[Unit]
Description=Periodically check TLS certificate changes
[Timer]
OnBootSec=120
OnUnitActiveSec=60
[Install]
WantedBy=timers.target

7
docker/files/chatmail-init.sh
View File

@@ -30,6 +30,13 @@ if [ ! -f "$CHATMAIL_INI" ]; then
$CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN" $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
fi fi
# Inject external TLS paths from env var (unless user mounted their own ini)
if [ -n "${TLS_EXTERNAL_CERT_AND_KEY:-}" ]; then
if ! grep -q '^tls_external_cert_and_key' "$CHATMAIL_INI"; then
echo "tls_external_cert_and_key = $TLS_EXTERNAL_CERT_AND_KEY" >> "$CHATMAIL_INI"
fi
fi
# --- Deploy fingerprint: skip cmdeploy run if nothing changed --- # --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
# On restart with identical image+config, systemd already brings up all # On restart with identical image+config, systemd already brings up all
# enabled services — the full cmdeploy run is redundant (~30s saved). # enabled services — the full cmdeploy run is redundant (~30s saved).