feat: support self-signed TLS via underscore domain convention
Domains starting with "_" (e.g. _chat.example.org) automatically use
self-signed TLS certificates instead of ACME/Let's Encrypt. The TLS
mode is derived from the domain name — no separate config option needed.
Internally, when config.tls_cert_mode is "self" (underscore domain):
- Generate self-signed certificates via openssl
- Set Postfix smtp_tls_security_level to "encrypt" (opportunistic TLS)
- Add smtp_tls_policy_map entry for underscore domains
- Skip ACME, MTA-STS and www CNAME checks in `cmdeploy dns`
- Serve /new via GET (not redirect to dcaccount:) with rate-limiting
(nginx limit_req, 2r/s burst=5)
- Return dclogin: URLs with ic=3 (AcceptInvalidCertificates) from /new
- Render QR codes client-side via JavaScript and qrcode-svg
- Use config.tls_cert_path/tls_key_path in Postfix, Dovecot and nginx
templates instead of hardcoded ACME paths
Deployments to test servers will not be cancelled anymore,
but it is not clear if we even want it.
This setup is much simpler because it only depends
on GitHub Actions features and does not allocate
a runner just to sleep there and wait in the queue.
* add allow_ipv6 config option
* add ipv6 config changes to cmdeploy
* fix name of config option for ipv6 in config.py
* move configure ipv6 before service start
* Use templates for disabling ipv6
* lint
* fix parameters in _configure_dovecot
* dont pass domain to _configure_nginx
* make disable_ipv6 boolean
Co-authored-by: missytake <missytake@systemli.org>
* implement namis suggestions reg boolean for ipv6
* Update chatmaild/src/chatmaild/config.py
Co-authored-by: missytake <missytake@systemli.org>
* ruff
* ruff again :)
* fix merge conflict
* CI: add CI machine with IPv6 disabled
* CI: fix sed statement
* CI: fix ubuntu reset
* CI: separate cert storage for staging2 and staging-ipv4
* add DNS records to proper zone
* CI: ignore if folders are missing
* CI: renames are not needed like this
* CI: fix default DNS zone for ipv4
* CI: use debian 12 instead of ubuntu, tired of trying to guess the correct image
* remove duplicared listen on 8443
* use jinja templates for disable_ipv6
* remove unused variable
* add missing % sign in jinja tempalte
* more fun with jinja syntax
* CI: proper rsync paths for acme & DKIM caching
* Changelog: add disable_ipv6 config option
---------
Co-authored-by: missytake <missytake@systemli.org>
Co-authored-by: holger krekel <holger@merlinux.eu>
