chore: Add changelog entry

feat: Automate file ownership setting from host migration process
- Added a step to deploy_chatmail() that sets ownership of paths that are copied over as part of the upgrade process. - Removed manual chown step from README.md.
2026-05-11 08:24:37 +00:00 · 2025-08-16 10:07:08 +02:00 · 2025-08-16 10:07:08 +02:00
11 changed files with 53 additions and 172 deletions
--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -70,6 +70,9 @@ jobs:
          rsync -avz dkimkeys-restore/dkimkeys root@staging-ipv4.testrun.org:/etc/ || true
          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown root:root -R /var/lib/acme || true

+      - name: run formatting checks 
+        run: cmdeploy fmt -v 
+
      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 

--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -70,6 +70,9 @@ jobs:
          rsync -avz dkimkeys-restore/dkimkeys root@staging2.testrun.org:/etc/ || true
          ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true

+      - name: run formatting checks 
+        run: cmdeploy fmt -v 
+
      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 

--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -1,50 +0,0 @@
-This diagram shows components of the chatmail server; this is a draft
-overview as of mid-August 2025:
-
-```mermaid
-graph LR;
-    cmdeploy --- sshd;
-    letsencrypt --- |80|acmetool-redirector;
-    acmetool-redirector --- |443|nginx-right(["`nginx
-    (external)`"]);
-    nginx-external --- |465|postfix;
-    nginx-external(["`nginx
-    (external)`"]) --- |8443|nginx-internal["`nginx
-    (internal)`"];
-    nginx-internal --- website["`Website
-    /var/www/html`"];
-    nginx-internal --- newemail.py;
-    nginx-internal --- autoconfig.xml;
-    certs-nginx[("`TLS certs
-    /var/lib/acme`")] --> nginx-internal;
-    cron --- chatmail-metrics;
-    cron --- acmetool;
-    cron --- expunge;
-    chatmail-metrics --- website;
-    acmetool --> certs[("`TLS certs
-    /var/lib/acme`")];
-    nginx-external --- |993|dovecot;
-    autoconfig.xml --- postfix;
-    autoconfig.xml --- dovecot;
-    postfix --- echobot;
-    postfix --- |10080,10081|filtermail;
-    postfix --- users["`User data
-    home/vmail/mail`"];
-    postfix --- |doveauth.socket|doveauth;
-    dovecot --- |doveauth.socket|doveauth;
-    dovecot --- users;
-    dovecot --- |metadata.socket|chatmail-metadata;
-    doveauth --- users;
-    expunge --- users;
-    chatmail-metadata --- iroh-relay;
-    certs-nginx --> postfix;
-    certs-nginx --> dovecot;
-    style certs fill:#ff6;
-    style certs-nginx fill:#ff6;
-    style nginx-external fill:#fc9;
-    style nginx-right fill:#fc9;
-```
-
-The edges in this graph should not be taken too literally; they
-reflect some sort of communication path or dependency relationship
-between components of the chatmail server.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,12 +2,12 @@

 ## untagged

- Make www upload path configurable
-  ([#618](https://github.com/chatmail/relay/pull/618))
-
 - Check whether GCC is installed in initenv.sh
  ([#608](https://github.com/chatmail/relay/pull/608))

+- Automate file ownership setting from host migration process
+  ([#609](https://github.com/chatmail/relay/pull/609))
+
 - Expire push notification tokens after 90 days
  ([#583](https://github.com/chatmail/relay/pull/583))

@@ -32,9 +32,6 @@
 - filtermail: respect config message size limit
  ([#572](https://github.com/chatmail/relay/pull/572))

- Don't deploy if one of the ports used for chatmail relay services is occupied by an unexpected process
-  ([#568](https://github.com/chatmail/relay/pull/568))
-
 - Add config value after how many days large files are deleted
  ([#555](https://github.com/chatmail/relay/pull/555))

--- a/README.md
+++ b/README.md
@@ -255,18 +255,6 @@ This starts a local live development cycle for chatmail web pages:

 - Starts a browser window automatically where you can "refresh" as needed.

-#### Custom web pages
-
-You can skip uploading a web page
-by setting `www_folder=disabled` in `chatmail.ini`.
-
-If you want to manage your web pages outside this git repository,
-you can set `www_folder` in `chatmail.ini` to a custom directory on your computer.
-`cmdeploy run` will upload it as the server's home page,
-and if it contains a `src/index.md` file,
-will build it with hugo.
-
-
 ## Mailbox directory layout

 Fresh chatmail addresses have a mailbox directory that contains: 
@@ -407,15 +395,6 @@ in this case, just run `ssh-keygen -R "mail.example.org"` as recommended.
   Postfix and Dovecot are disabled for now; we will enable them later. 
   We first need to make the new site fully operational. 

-3. On the new site, run the following to ensure the ownership is correct in case UIDs/GIDs changed:
-
-   ```
-    chown root: -R /var/lib/acme
-    chown opendkim: -R /etc/dkimkeys
-    chown vmail: -R /home/vmail/mail
-    chown echobot: -R /run/echobot
-   ```
-
 4. Now, update DNS entries. 

   If other MTAs try to deliver messages to your chatmail domain they may fail intermittently,
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -33,7 +33,6 @@ class Config:
        self.password_min_length = int(params["password_min_length"])
        self.passthrough_senders = params["passthrough_senders"].split()
        self.passthrough_recipients = params["passthrough_recipients"].split()
-        self.www_folder = params.get("www_folder", "")
        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
        self.filtermail_smtp_port_incoming = int(
            params["filtermail_smtp_port_incoming"]
--- a/cmdeploy/src/cmdeploy/init.py
+++ b/cmdeploy/src/cmdeploy/init.py
@@ -11,7 +11,7 @@ from io import StringIO
 from pathlib import Path

 from chatmaild.config import Config, read_config
-from pyinfra import facts, host, logger
+from pyinfra import facts, host
 from pyinfra.api import FactBase
 from pyinfra.facts.files import File
 from pyinfra.facts.server import Sysctl
@@ -618,7 +618,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
    check_config(config)
    mail_domain = config.mail_domain

-    from .www import build_webpages, get_paths
+    from .www import build_webpages

    server.group(name="Create vmail group", group="vmail", system=True)
    server.user(name="Create vmail user", user="vmail", group="vmail", system=True)
@@ -675,30 +675,10 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
    # to use 127.0.0.1 as the resolver.
    from cmdeploy.cmdeploy import Out

-    port_services = [
-        (["master", "smtpd"], 25),
-        ("unbound", 53),
-        ("acmetool", 80),
-        ("imap-login", 143),
-        ("nginx", 443),
-        (["master", "smtpd"], 465),
-        (["master", "smtpd"], 587),
-        ("imap-login", 993),
-        ("iroh-relay", 3340),
-        ("nginx", 8443),
-        (["master", "smtpd"], config.postfix_reinject_port),
-        (["master", "smtpd"], config.postfix_reinject_port_incoming),
-        ("filtermail", config.filtermail_smtp_port),
-        ("filtermail", config.filtermail_smtp_port_incoming),
-    ]
-    for service, port in port_services:
-        print(f"Checking if port {port} is available for {service}...")
-        running_service = host.get_fact(Port, port=port)
-        if running_service:
-            if running_service not in service:
-                Out().red(f"Deploy failed: port {port} is occupied by: {running_service}")
-                exit(1)
-
+    process_on_53 = host.get_fact(Port, port=53)
+    if process_on_53 not in (None, "unbound"):
+        Out().red(f"Can't install unbound: port 53 is occupied by: {process_on_53}")
+        exit(1)
    apt.packages(
        name="Install unbound",
        packages=["unbound", "unbound-anchor", "dnsutils"],
@@ -751,16 +731,12 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
        packages=["fcgiwrap"],
    )

-    www_path, src_dir, build_dir = get_paths(config)
-    # if www_folder was set to a non-existing folder, skip upload
-    if not www_path.is_dir():
-        logger.warning("Building web pages is disabled in chatmail.ini, skipping")
-    else:
-        # if www_folder is a hugo page, build it
-        if build_dir:
-            www_path = build_webpages(src_dir, build_dir, config)
-        # if it is not a hugo page, upload it as is
-        files.rsync(f"{www_path}/", "/var/www/html", flags=["-avz"])
+    www_path = importlib.resources.files(__package__).joinpath("../../../www").resolve()
+
+    build_dir = www_path.joinpath("build")
+    src_dir = www_path.joinpath("src")
+    build_webpages(src_dir, build_dir, config)
+    files.rsync(f"{build_dir}/", "/var/www/html", flags=["-avz"])

    _install_remote_venv_with_chatmaild(config)
    debug = False
@@ -772,6 +748,20 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
    _remove_rspamd()
    opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")

+    #
+    # If this system is pre-populated with data from a previous instance,
+    # we might need to adjust ownership of files.
+    #
+    stateful_paths = {
+        "/etc/dkimkeys": "opendkim",
+        "/home/vmail/mail": "vmail",
+        "/run/echobot": "echobot",
+        "/var/lib/acme": "root",
+    }
+    for stateful_path, path_owner in stateful_paths.items():
+        files.directory(stateful_path)  # In case it doesn't exist yet.
+        server.shell("chown {}: -R {}".format(path_owner, stateful_path))
+
    systemd.service(
        name="Start and enable OpenDKIM",
        service="opendkim.service",
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -1,5 +1,7 @@
 import importlib.resources

+from pyinfra import host
+from pyinfra.facts.systemd import SystemdStatus
 from pyinfra.operations import apt, files, server, systemd


@@ -52,6 +54,12 @@ def deploy_acmetool(email="", domains=[]):
        group="root",
        mode="644",
    )
+    if host.get_fact(SystemdStatus).get("nginx.service"):
+        systemd.service(
+            name="Stop nginx service to free port 80",
+            service="nginx",
+            running=False,
+        )

    systemd.service(
        name="Setup acmetool-redirector service",
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -89,14 +89,6 @@ def run_cmd(args, out):
    try:
        retcode = out.check_call(cmd, env=env)
        if retcode == 0:
-            print("\nYou can try out the relay by talking to this echo bot: ")
-            sshexec = SSHExec(args.config.mail_domain, verbose=args.verbose)
-            print(
-                sshexec(
-                    call=remote.rshell.shell,
-                    kwargs=dict(command="cat /var/lib/echobot/invite-link.txt"),
-                )
-            )
            out.green("Deploy completed, call `cmdeploy dns` next.")
        elif not remote_data["acme_account_url"]:
            out.red("Deploy completed but letsencrypt not configured")
--- a/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
@@ -1,10 +1,8 @@
-import importlib
 import os

 import pytest

 from cmdeploy.cmdeploy import get_parser, main
-from cmdeploy.www import get_paths


@pytest.fixture(autouse=True)
@@ -29,28 +27,3 @@ class TestCmdline:
        assert main(["init", "chat.example.org"]) == 1
        out, err = capsys.readouterr()
        assert "path exists" in out.lower()
-
-
-def test_www_folder(example_config, tmp_path):
-    reporoot = importlib.resources.files(__package__).joinpath("../../../../").resolve()
-    assert not example_config.www_folder
-    www_path, src_dir, build_dir = get_paths(example_config)
-    assert www_path.absolute() == reporoot.joinpath("www").absolute()
-    assert src_dir == reporoot.joinpath("www").joinpath("src")
-    assert build_dir == reporoot.joinpath("www").joinpath("build")
-    example_config.www_folder = "disabled"
-    www_path, _, _ = get_paths(example_config)
-    assert not www_path.is_dir()
-    example_config.www_folder = str(tmp_path)
-    www_path, src_dir, build_dir = get_paths(example_config)
-    assert www_path == tmp_path
-    assert not src_dir.exists()
-    assert not build_dir
-    src_path = tmp_path.joinpath("src")
-    os.mkdir(src_path)
-    with open(src_path / "index.md", "w") as f:
-        f.write("# Test")
-    www_path, src_dir, build_dir = get_paths(example_config)
-    assert www_path == tmp_path
-    assert src_dir == src_path
-    assert build_dir == tmp_path.joinpath("build")
--- a/cmdeploy/src/cmdeploy/www.py
+++ b/cmdeploy/src/cmdeploy/www.py
@@ -3,7 +3,6 @@ import importlib.resources
 import time
 import traceback
 import webbrowser
-from pathlib import Path

 import markdown
 from chatmaild.config import read_config
@@ -31,25 +30,9 @@ def prepare_template(source):
    return render_vars, page_layout


-def get_paths(config) -> (Path, Path, Path):
-    reporoot = importlib.resources.files(__package__).joinpath("../../../").resolve()
-    www_path = Path(config.www_folder)
-    # if www_folder was not set, use default directory
-    if config.www_folder == "":
-        www_path = reporoot.joinpath("www")
-    src_dir = www_path.joinpath("src")
-    # if www_folder is a hugo page, build it
-    if src_dir.joinpath("index.md").is_file():
-        build_dir = www_path.joinpath("build")
-    # if it is not a hugo page, upload it as is
-    else:
-        build_dir = None
-    return www_path, src_dir, build_dir
-
-
-def build_webpages(src_dir, build_dir, config) -> Path:
+def build_webpages(src_dir, build_dir, config):
    try:
-        return _build_webpages(src_dir, build_dir, config)
+        _build_webpages(src_dir, build_dir, config)
    except Exception:
        print(traceback.format_exc())

@@ -123,11 +106,15 @@ def main():
    config = read_config(inipath)
    config.webdev = True
    assert config.mail_domain
+    www_path = reporoot.joinpath("www")
+    src_path = www_path.joinpath("src")
+    stats = None
+    build_dir = www_path.joinpath("build")
+    src_dir = www_path.joinpath("src")
+    index_path = build_dir.joinpath("index.html")

    # start web page generation, open a browser and wait for changes
-    www_path, src_path, build_dir = get_paths(config)
-    build_dir = build_webpages(src_path, build_dir, config)
-    index_path = build_dir.joinpath("index.html")
+    build_webpages(src_dir, build_dir, config)
    webbrowser.open(str(index_path))
    stats = snapshot_dir_stats(src_path)
    print(f"\nOpened URL: file://{index_path.resolve()}\n")
@@ -148,7 +135,7 @@ def main():
                changenum += 1

        stats = newstats
-        build_webpages(src_path, build_dir, config)
+        build_webpages(src_dir, build_dir, config)
        print(f"[{changenum}] regenerated web pages at: {index_path}")
        print(f"URL: file://{index_path.resolve()}\n\n")
        count = 0
Author	SHA1	Message	Date
cliffmccarthy	614b955351	chore: Add changelog entry	2025-08-16 10:07:08 +02:00
cliffmccarthy	7b1ffc1410	feat: Automate file ownership setting from host migration process - Added a step to deploy_chatmail() that sets ownership of paths that are copied over as part of the upgrade process. - Removed manual chown step from README.md.	2025-08-16 10:07:08 +02:00