tests: fix output capture

cmdeploy: test if ini was overwritten with --force2
2026-05-13 17:34:38 +00:00 · 2025-08-25 14:58:03 +02:00 · 2025-08-25 13:54:16 +02:00
19 changed files with 302 additions and 204 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -170,4 +170,3 @@ chatmail.zone
 /custom/
 docker-compose.yaml
 .env
 /traefik/data/
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -33,9 +33,7 @@ class Config:
        self.password_min_length = int(params["password_min_length"])
        self.passthrough_senders = params["passthrough_senders"].split()
        self.passthrough_recipients = params["passthrough_recipients"].split()
-        self.is_development_instance = (
+        self.is_development_instance = params.get("is_development_instance", "true").lower() == "true"
            params.get("is_development_instance", "true").lower() == "true"
        )
        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
        self.filtermail_smtp_port_incoming = int(
            params["filtermail_smtp_port_incoming"]
@@ -46,13 +44,9 @@ class Config:
        )
        self.mtail_address = params.get("mtail_address")
        self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
-        self.use_foreign_cert_manager = (
+        self.use_foreign_cert_manager = params.get("use_foreign_cert_manager", "false").lower() == "true"
            params.get("use_foreign_cert_manager", "false").lower() == "true"
        )
        self.acme_email = params["acme_email"]
-        self.change_kernel_settings = (
+        self.change_kernel_settings = params.get("change_kernel_settings", "true").lower() == "true"
            params.get("change_kernel_settings", "true").lower() == "true"
        )
        self.fs_inotify_max_user_instances_and_watchers = int(
            params["fs_inotify_max_user_instances_and_watchers"]
        )
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -46,11 +46,12 @@ def init_cmd(args, out):
    inipath = args.inipath
    if args.inipath.exists():
        if not args.recreate_ini:
-            out.green(f"[WARNING] Path exists, not modifying: {inipath}")
+            print(f"[WARNING] Path exists, not modifying: {inipath}")
-            return 0
+            return 1
        else:
-            out.yellow(f"[WARNING] Force argument was provided, deleting config file: {inipath}")
+            print(f"[WARNING] Force argument was provided, deleting config file: {inipath}")
            inipath.unlink()
            return 0
    write_initial_config(inipath, mail_domain, overrides={})
    out.green(f"created config file for {mail_domain} in {inipath}")
@@ -72,7 +73,7 @@ def run_cmd_options(parser):
    parser.add_argument(
        "--ssh-host",
        dest="ssh_host",
-        help="Deploy to 'localhost', via 'docker', or to a specific SSH host",
+        help="specify an SSH host to deploy to; uses mail_domain from chatmail.ini by default",
    )
    parser.add_argument(
        "--skip-dns-check",
@@ -99,11 +100,7 @@ def run_cmd(args, out):
    deploy_path = importlib.resources.files(__package__).joinpath("deploy.py").resolve()
    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
    ssh_host = args.config.mail_domain if not args.ssh_host else args.ssh_host
    cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
    if sshexec in ["docker", "localhost"]:
        cmd = f"{pyinf} @local {deploy_path} -y"
    if version.parse(pyinfra.__version__) < version.parse("3"):
        out.red("Please re-run scripts/initenv.sh to update pyinfra to version 3.")
        return 1
@@ -135,11 +132,6 @@ def dns_cmd_options(parser):
        default=None,
        help="write out a zonefile",
    )
    parser.add_argument(
        "--ssh-host",
        dest="ssh_host",
        help="Run the DNS queries on 'localhost', in the chatmail 'docker' container, or on a specific SSH host",
    )
 def dns_cmd(args, out):
@@ -371,11 +363,6 @@ def main(args=None):
    def get_sshexec():
        host = args.ssh_host if hasattr(args, "ssh_host") and args.ssh_host else args.config.mail_domain
        if host in [ "@local", "localhost" ]:
            return "localhost"
        elif host == "docker":
            return "docker"
        print(f"[ssh] login to {host}")
        return SSHExec(host, verbose=args.verbose)
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -7,10 +7,6 @@ from . import remote
 def get_initial_remote_data(sshexec, mail_domain):
    if sshexec == "docker":
        return remote.rdns.perform_initial_checks(mail_domain, pre_command="docker exec chatmail ")
    elif sshexec == "localhost":
        return remote.rdns.perform_initial_checks(mail_domain, pre_command="")
    return sshexec.logged(
        call=remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=mail_domain)
    )
@@ -48,17 +44,14 @@ def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
    """Check existing DNS records, optionally write them to zone file
    and return (exitcode, remote_data) tuple."""
-    if sshexec in ["docker", "localhost"]:
+    required_diff, recommended_diff = sshexec.logged(
-        required_diff, recommended_diff = remote.rdns.check_zonefile(zonefile, remote_data["mail_domain"], verbose=False)
+        remote.rdns.check_zonefile,
-    else:
+        kwargs=dict(zonefile=zonefile, mail_domain=remote_data["mail_domain"]),
-        required_diff, recommended_diff = sshexec.logged(
+    )
            remote.rdns.check_zonefile,
            kwargs=dict(zonefile=zonefile, mail_domain=remote_data["mail_domain"]),
        )
    returncode = 0
    if required_diff:
-        out.red("\nPlease set required DNS entries at your DNS provider:\n")
+        out.red("Please set required DNS entries at your DNS provider:\n")
        for line in required_diff:
            out(line)
        out("")
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -12,23 +12,23 @@ All functions of this module
 import re
-from .rshell import CalledProcessError, shell, log_progress
+from .rshell import CalledProcessError, shell
-def perform_initial_checks(mail_domain, pre_command=""):
+def perform_initial_checks(mail_domain):
    """Collecting initial DNS settings."""
    assert mail_domain
-    if not shell("dig", fail_ok=True, print=log_progress):
+    if not shell("dig", fail_ok=True):
-        shell("apt-get update && apt-get install -y dnsutils", print=log_progress)
+        shell("apt-get update && apt-get install -y dnsutils")
    A = query_dns("A", mail_domain)
    AAAA = query_dns("AAAA", mail_domain)
    MTA_STS = query_dns("CNAME", f"mta-sts.{mail_domain}")
    WWW = query_dns("CNAME", f"www.{mail_domain}")
    res = dict(mail_domain=mail_domain, A=A, AAAA=AAAA, MTA_STS=MTA_STS, WWW=WWW)
-    res["acme_account_url"] = shell(pre_command + "acmetool account-url", fail_ok=True, print=log_progress)
+    res["acme_account_url"] = shell("acmetool account-url", fail_ok=True)
    res["dkim_entry"], res["web_dkim_entry"] = get_dkim_entry(
-        mail_domain, pre_command, dkim_selector="opendkim"
+        mail_domain, dkim_selector="opendkim"
    )
    if not MTA_STS or not WWW or (not A and not AAAA):
@@ -40,12 +40,11 @@ def perform_initial_checks(mail_domain, pre_command=""):
    return res
-def get_dkim_entry(mail_domain, pre_command, dkim_selector):
+def get_dkim_entry(mail_domain, dkim_selector):
    try:
        dkim_pubkey = shell(
-            f"{pre_command} openssl rsa -in /etc/dkimkeys/{dkim_selector}.private "
+            f"openssl rsa -in /etc/dkimkeys/{dkim_selector}.private "
-            "-pubout 2>/dev/null | awk '/-/{next}{printf(\"%s\",$0)}'",
+            "-pubout 2>/dev/null | awk '/-/{next}{printf(\"%s\",$0)}'"
            print=log_progress
        )
    except CalledProcessError:
        return
@@ -62,7 +61,7 @@ def query_dns(typ, domain):
    # Get autoritative nameserver from the SOA record.
    soa_answers = [
        x.split()
-        for x in shell(f"dig -r -q {domain} -t SOA +noall +authority +answer", print=log_progress).split(
+        for x in shell(f"dig -r -q {domain} -t SOA +noall +authority +answer").split(
            "\n"
        )
    ]
@@ -72,13 +71,13 @@ def query_dns(typ, domain):
    ns = soa[0][4]
    # Query authoritative nameserver directly to bypass DNS cache.
-    res = shell(f"dig @{ns} -r -q {domain} -t {typ} +short", print=log_progress)
+    res = shell(f"dig @{ns} -r -q {domain} -t {typ} +short")
    if res:
        return res.split("\n")[0]
    return ""
-def check_zonefile(zonefile, mail_domain, verbose=True):
+def check_zonefile(zonefile, mail_domain):
    """Check expected zone file entries."""
    required = True
    required_diff = []
@@ -90,7 +89,7 @@ def check_zonefile(zonefile, mail_domain, verbose=True):
            continue
        if not zf_line.strip() or zf_line.startswith(";"):
            continue
-        print(f"dns-checking {zf_line!r}") if verbose else log_progress("")
+        print(f"dns-checking {zf_line!r}")
        zf_domain, zf_typ, zf_value = zf_line.split(maxsplit=2)
        zf_domain = zf_domain.rstrip(".")
        zf_value = zf_value.strip()
--- a/cmdeploy/src/cmdeploy/remote/rshell.py
+++ b/cmdeploy/src/cmdeploy/remote/rshell.py
@@ -1,13 +1,7 @@
 from subprocess import DEVNULL, CalledProcessError, check_output
 import sys
-def log_progress(data):
+def shell(command, fail_ok=False):
    sys.stderr.write(".")
    sys.stderr.flush()
 def shell(command, fail_ok=False, print=print):
    print(f"$ {command}")
    args = dict(shell=True)
    if fail_ok:
--- a/cmdeploy/src/cmdeploy/sshexec.py
+++ b/cmdeploy/src/cmdeploy/sshexec.py
@@ -70,6 +70,10 @@ class SSHExec:
                raise self.FuncError(data)
    def logged(self, call, kwargs):
        def log_progress(data):
            sys.stderr.write(".")
            sys.stderr.flush()
        title = call.__doc__
        if not title:
            title = call.__name__
@@ -78,6 +82,6 @@ class SSHExec:
            return self(call, kwargs, log_callback=print_stderr)
        else:
            print_stderr(title, end="")
-            res = self(call, kwargs, log_callback=remote.rshell.log_progress)
+            res = self(call, kwargs, log_callback=log_progress)
            print_stderr()
            return res
--- a/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
@@ -27,3 +27,6 @@ class TestCmdline:
        assert main(["init", "chat.example.org"]) == 1
        out, err = capsys.readouterr()
        assert "path exists" in out.lower()
        assert main(["init", "chat.example.org", "--force"]) == 0
        out, err = capsys.readouterr()
        assert "deleting config file" in out.lower()
--- a/docker/chatmail_server.dockerfile
+++ b/docker/chatmail_server.dockerfile
@@ -18,6 +18,8 @@ RUN echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommend && \
 RUN apt-get update && \
    apt-get install -y \
        openssh-client \
        openssh-server \
        git \
        python3 \
        python3-venv \
@@ -52,6 +54,23 @@ RUN apt-get update && \
    done \
    && rm -rf /var/lib/apt/lists/*
 RUN systemctl enable \
        ssh \
        fcgiwrap
 RUN sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config && \
    sed -i 's/^#PermitRootLogin .*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config && \
    ssh-keygen -P "" -t rsa -b 2048 -f /root/.ssh/id_rsa && \
    mkdir -p /root/.ssh && \
    cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys && \
    SSH_USER_CONFIG="/root/.ssh/config" && \
    echo "Host localhost" >  "$SSH_USER_CONFIG" && \
    echo "    HostName localhost" >>  "$SSH_USER_CONFIG" && \
    echo "    User root" >>  "$SSH_USER_CONFIG" && \
    echo "    StrictHostKeyChecking no" >>  "$SSH_USER_CONFIG" && \
    echo "    UserKnownHostsFile /dev/null" >>  "$SSH_USER_CONFIG"
    ## TODO: deny access for all insteed root form 127.0.0.1 https://unix.stackexchange.com/a/406264
 WORKDIR /opt/chatmail
 ARG SETUP_CHATMAIL_SERVICE_PATH=/lib/systemd/system/setup_chatmail.service
--- a/docker/docker-compose-default.yaml
+++ b/docker/docker-compose-default.yaml
@@ -2,7 +2,7 @@ services:
  chatmail:
    build: 
      context: ./docker
-      dockerfile: chatmail_relay.dockerfile
+      dockerfile: chatmail_server.dockerfile
      tags:
        - chatmail-relay:latest
    image: chatmail-relay:latest
@@ -20,11 +20,11 @@ services:
        max-size: "10m"
        max-file: "3"
    environment:
-      MAIL_DOMAIN: $MAIL_DOMAIN
+      MAIL_DOMAIN: <your_domain>
      CHANGE_KERNEL_SETTINGS: "False"
-      ACME_EMAIL: $ACME_EMAIL
+      ACME_EMAIL: <your_email>
-      # RECREATE_VENV: "false"
+
-      # MAX_MESSAGE_SIZE: "50M"
+      MAX_MESSAGE_SIZE: "50M"
      # DEBUG_COMMANDS_ENABLED: "true"
      # FORCE_REINIT_INI_FILE: "true"
      # USE_FOREIGN_CERT_MANAGER: "True"
@@ -32,17 +32,16 @@ services:
      # CERTS_MONITORING_TIMEOUT: 10
      # IS_DEVELOPMENT_INSTANCE: "True"
    ports:
      - "80:80"
      - "443:443"
      - "25:25"
      - "587:587"
      - "143:143"
      - "465:465"
      - "993:993"
      - "443:443"
    volumes:
      ## system
      - /sys/fs/cgroup:/sys/fs/cgroup:rw # required for systemd
      - ./:/opt/chatmail
      - ./data/acme:/var/lib/acme
      ## data
      - ./data/chatmail:/home
--- a/docker/docker-compose-traefik.yaml
+++ b/docker/docker-compose-traefik.yaml
@@ -2,7 +2,7 @@ services:
  chatmail:
    build: 
      context: ./docker
-      dockerfile: chatmail_relay.dockerfile
+      dockerfile: chatmail_server.dockerfile
      tags:
        - chatmail-relay:latest
    image: chatmail-relay:latest
@@ -26,10 +26,9 @@ services:
      # MAX_MESSAGE_SIZE: "50M"
      # DEBUG_COMMANDS_ENABLED: "true"
      # FORCE_REINIT_INI_FILE: "true"
      # RECREATE_VENV: "false"
      USE_FOREIGN_CERT_MANAGER: "true"
      CHANGE_KERNEL_SETTINGS: "false"
-      PATH_TO_SSL: "${CERTS_ROOT_DIR_CONTAINER}/${MAIL_DOMAIN}"
+      PATH_TO_SSL_CONTAINER: $PATH_TO_SSL_CONTAINER
      ENABLE_CERTS_MONITORING: "true"
      # CERTS_MONITORING_TIMEOUT: 60
      # IS_DEVELOPMENT_INSTANCE: "true"
@@ -37,13 +36,12 @@ services:
      - "25:25"
      - "587:587"
      - "143:143"
      - "465:465"
      - "993:993"
    volumes:
      ## system
      - /sys/fs/cgroup:/sys/fs/cgroup:rw # required for systemd
      - ./:/opt/chatmail
-      - ${CERTS_ROOT_DIR_HOST}:${CERTS_ROOT_DIR_CONTAINER}:ro
+      - ${PATH_TO_SSL_HOST}:${PATH_TO_SSL_CONTAINER}:ro
      ## data
      - ./data/chatmail:/home
@@ -69,22 +67,6 @@ services:
      - traefik.http.routers.chatmail-relay.tls=true
      - traefik.http.routers.chatmail-relay.tls.certresolver=letsEncrypt
  traefik_init:
    image: alpine:latest
    restart: on-failure
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    working_dir: /app
    entrypoint: sh -c '
      touch acme.json &&
      chown 0:0 ./acme.json &&
      chmod 600 ./acme.json'
    volumes:
      - ./traefik/data:/app
  traefik:
    image: traefik:v3.3
    container_name: traefik
@@ -95,20 +77,17 @@ services:
        max-size: "10m"
        max-file: "3"
    command:
-      - "--configFile=/config.yaml"
+      - --configFile=/config.yaml
      - "--certificatesresolvers.letsEncrypt.acme.email=${ACME_EMAIL}"
    # ports:
    #   - "80:80"
    #   - "443:443"
    network_mode: host
    depends_on:
      traefik_init:
        condition: service_completed_successfully
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - ./traefik/config.yaml:/config.yaml
+      - ./data/traefik/config.yaml:/config.yaml
-      - ./traefik/data/acme.json:/acme.json
+      - ./data/traefik/acme.json:/acme.json
-      - ./traefik/dynamic-configs:/dynamic/conf
+      - ./data/traefik/dynamic-configs:/dynamic/conf
    network_mode: host
  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:v2.10.0
@@ -131,6 +110,6 @@ services:
    environment:
      CERTS_DIR: /data/letsencrypt/certs
    volumes:
-      - ./traefik/data/letsencrypt:/data/letsencrypt
+      - ./data/traefik/letsencrypt:/data/letsencrypt
-      - ./traefik/data/acme.json:/data/acme.json
+      - ./data/traefik/acme.json:/data/acme.json
-      - ./traefik/post-hook.sh:/post-hook.sh
+      - ./data/traefik/post-hook.sh:/post-hook.sh
--- a/docker/example.env
+++ b/docker/example.env
@@ -1,5 +1,4 @@
 MAIL_DOMAIN="chat.example.com"
 ACME_EMAIL="my.email@gmail.com"
-CERTS_ROOT_DIR_HOST="./traefik/data/letsencrypt/certs"
+PATH_TO_SSL_HOST="/opt/traefik/data/letsencrypt/certs/${MAIL_DOMAIN}"
-CERTS_ROOT_DIR_CONTAINER="/var/lib/acme/live"
+PATH_TO_SSL_CONTAINER="/var/lib/acme/live/${MAIL_DOMAIN}"
--- a/docker/files/entrypoint.sh
+++ b/docker/files/entrypoint.sh
@@ -1,17 +1,13 @@
 #!/bin/bash
 set -eo pipefail
 unlink /etc/nginx/sites-enabled/default || true
 if [ "${USE_FOREIGN_CERT_MANAGER,,}" == "true" ]; then
-    if [ ! -f "$PATH_TO_SSL/fullchain" ]; then
+    if [ ! -f "$PATH_TO_SSL_CONTAINER/fullchain" ]; then
-        echo "Error: file '$PATH_TO_SSL/fullchain' does not exist. Exiting..." > /dev/stderr
+        echo "Error: file '$PATH_TO_SSL_CONTAINER/fullchain' does not exist. Exiting..." > /dev/stderr
        sleep 2
        exit 1
    fi
-    if [ ! -f "$PATH_TO_SSL/privkey" ]; then
+    if [ ! -f "$PATH_TO_SSL_CONTAINER/privkey" ]; then
-        echo "Error: file '$PATH_TO_SSL/privkey' does not exist. Exiting..." > /dev/stderr
+        echo "Error: file '$PATH_TO_SSL_CONTAINER/privkey' does not exist. Exiting..." > /dev/stderr
        sleep 2
        exit 1
    fi
 fi
--- a/docker/files/setup_chatmail_docker.sh
+++ b/docker/files/setup_chatmail_docker.sh
@@ -4,9 +4,8 @@ set -eo pipefail
 export INI_FILE="${INI_FILE:-chatmail.ini}"
 export ENABLE_CERTS_MONITORING="${ENABLE_CERTS_MONITORING:-true}"
 export CERTS_MONITORING_TIMEOUT="${CERTS_MONITORING_TIMEOUT:-60}"
-export PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
+export PATH_TO_SSL_CONTAINER="${PATH_TO_SSL_CONTAINER:-/var/lib/acme/live/${MAIL_DOMAIN}}"
 export CHANGE_KERNEL_SETTINGS=${CHANGE_KERNEL_SETTINGS:-"False"}
 export RECREATE_VENV=${RECREATE_VENV:-"false"}
 if [ -z "$MAIL_DOMAIN" ]; then
    echo "ERROR: Environment variable 'MAIL_DOMAIN' must be set!" >&2
@@ -20,7 +19,7 @@ debug_commands() {
 }
 calculate_hash() {
-    find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
+    find "$PATH_TO_SSL_CONTAINER" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
 }
 monitor_certificates() {
@@ -36,8 +35,8 @@ monitor_certificates() {
        current_hash=$(calculate_hash)
        if [[ "$current_hash" != "$previous_hash" ]]; then
        # TODO: add an option to restart at a specific time interval 
-            echo "[INFO] Certificate's folder hash was changed, reloading nginx, dovecot and postfix services."
+            echo "[INFO] Certificate's folder hash was changed, restarting nginx, dovecot and postfix services."
-            systemctl reload nginx.service
+            systemctl restart nginx.service
            systemctl reload dovecot.service
            systemctl reload postfix.service
            previous_hash=$current_hash
@@ -62,15 +61,12 @@ chown opendkim:opendkim /etc/dkimkeys/opendkim.txt
 # TODO: Move to debug_commands after git clone is moved to dockerfile. 
 git config --global --add safe.directory /opt/chatmail
 if [ "$RECREATE_VENV" == "true" ]; then
    rm -rf venv
 fi
 ./scripts/initenv.sh
 ./scripts/cmdeploy init --config "${INI_FILE}" $INI_CMD_ARGS $MAIL_DOMAIN
 bash /update_ini.sh
-./scripts/cmdeploy run --ssh-host docker
+./scripts/cmdeploy run --ssh-host localhost --skip-dns-check
 echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
 systemctl restart systemd-journald
--- a/docs/DOCKER_INSTALLATION_EN.md
+++ b/docs/DOCKER_INSTALLATION_EN.md
@@ -1,5 +1,6 @@
 # Known issues and limitations
 - Installation using acmetool (`docker-compose-default.yaml`) may NOT work. In this case, use installation via traefik (`docker-compose-traefik.yaml`). Personally, during my tests, I encountered the error `could not install DNS challenge, no hooks succeeded;`, which I was unable to fix.
 - Chatmail will be reinstalled every time the container is started (longer the first time, faster on subsequent starts). This is how the original installer works because it wasn’t designed for Docker. At the end of the documentation, there’s a [proposed solution](#locking-the-chatmail-version).
 - Requires cgroups v2 configured in the system. Operation with cgroups v1 has not been tested.
 - Yes, of course, using systemd inside a container is a hack, and it would be better to split it into several services, but since this is an MVP, it turned out to be easier to do it this way initially than to rewrite the entire deployment system.
@@ -47,15 +48,13 @@ cp ./docker/docker-compose-default.yaml docker-compose.yaml
 # cp ./docker/docker-compose-traefik.yaml docker-compose.yaml
 ```
-2. Copy `./docker/example.env` and rename it to `.env`. This file stores variables used in `docker-compose.yaml`.
+2. Copy `./docker/example.env` and rename it to `.env`. This file stores variables used in `docker-compose.yaml`. Required only when installing with traefik; if using the default setup, you can skip this step.
 ```shell
 cp ./docker/example.env .env
 ```
-3. Configure environment variables in the `.env` file. These variables are used in the `docker-compose.yaml` file to pass repeated values.
+3. Configure kernel parameters because they cannot be changed inside the container, specifically `fs.inotify.max_user_instances` and `fs.inotify.max_user_watches`. Run the following:
 4. Configure kernel parameters because they cannot be changed inside the container, specifically `fs.inotify.max_user_instances` and `fs.inotify.max_user_watches`. Run the following:
 ```shell
 echo "fs.inotify.max_user_instances=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
@@ -63,15 +62,14 @@ echo "fs.inotify.max_user_watches=65536" | sudo tee -a /etc/sysctl.d/99-inotify.
 sudo sysctl --system
 ```
-5. Configure container environment variables. Below is the list of variables used during deployment:
+4. Configure container environment variables. Below is the list of variables used during deployment:
 - `MAIL_DOMAIN` – The domain name of the future server. (required)
 - `DEBUG_COMMANDS_ENABLED` – Run debug commands before installation. (default: `false`)
 - `FORCE_REINIT_INI_FILE` – Recreate the ini configuration file on startup. (default: `false`)
 - `USE_FOREIGN_CERT_MANAGER` – Use a third-party certificate manager. (default: `false`)
 - `RECREATE_VENV` - Recreate the virtual environment (venv). If set to `true`, the environment will be recreated when the container starts, which will increase the startup time of the service but can help avoid certain errors. (default: `false`)
 - `INI_FILE` – Path to the ini configuration file. (default: `./chatmail.ini`)
- `PATH_TO_SSL` – Path to where the certificates are stored. (default: `/var/lib/acme/live/${MAIL_DOMAIN}`)
+- `PATH_TO_SSL_CONTAINER` – Path to where the certificates are stored. (default: `/var/lib/acme/live/${MAIL_DOMAIN}`)
 - `ENABLE_CERTS_MONITORING` – Enable certificate monitoring if `USE_FOREIGN_CERT_MANAGER=true`. If certificates change, services will be automatically restarted. (default: `false`)
 - `CERTS_MONITORING_TIMEOUT` – Interval in seconds to check if certificates have changed. (default: `'60'`)
@@ -81,12 +79,113 @@ Mandatory variables for deployment via Docker:
 - `CHANGE_KERNEL_SETTINGS` – Change kernel settings (`fs.inotify.max_user_instances` and `fs.inotify.max_user_watches`) on startup. Changing kernel settings inside the container is not possible! (default: `False`)
 5. Configure environment variables in the `.env` file. These variables are used in the `docker-compose.yaml` file to pass repeated values.
 6. Build the Docker image:
 ```shell
-docker compose build
+docker compose build chatmail
 ```
 <details>
 <summary>Additional steps for configuring with traefik</summary>
 > [!note]
 > If you are using the default installation without traefik – skip these steps and go to step 7 (running docker compose).
 Before starting traefik, configuration files must be prepared; otherwise, it will not start correctly.
 First, run these commands in the console, replacing their values with the correct ones:
 ```shell
 export YOUR_EMAIL=your_email@gmail.com
 mkdir -p "./data/traefik"
 cd "./data/traefik"
 ```
 1. Create a traefik configuration file:
 ```shell
 cat > config.yaml << EOF
 log:
  level: TRACE
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          permanent: true
  websecure:
    address: ":443"
 providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /dynamic/conf
    watch: true
 serverstransport:
  insecureskipverify: true
 certificatesResolvers:
  letsEncrypt:
    acme:
      email: $YOUR_EMAIL
      storage: /acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlschallenge: true
      httpChallenge:
        entryPoint: web
 EOF
 ```
 2. Create a post-hook script:
 ```shell
 cat > post-hook.sh << 'EOF'
 CERTS_DIR=${CERTS_DIR:-"/data/letsencrypt/certs"}
 for dir in "$CERTS_DIR"/*/; do
    cd "$dir"
    if [ -f "certificate.crt" ]; then
        ln -sf certificate.crt fullchain
    fi
    if [ -f "privatekey.key" ]; then
        ln -sf privatekey.key privkey
    fi
    cd -
 done
 EOF
 ```
 3. Create the `acme.json` file:
 ```shell
 touch acme.json
 sudo chown 0:0 ./acme.json # required
 sudo chmod 600 ./acme.json # required
 ```
 4. Create insecure config:
 ```shell
 mkdir dynamic-configs
 cat > ./dynamic-configs/insecure.yaml << 'EOF'
 http:
  serversTransports:
    insecure:
      insecureSkipVerify: true
 EOF
 cd ../..
 ```
 </details>
 7. Start docker compose and wait for the installation to finish:
 ```shell
@@ -96,11 +195,6 @@ docker compose logs -f chatmail # view container logs, press CTRL+C to exit
 8. After installation is complete, you can open `https://<your_domain_name>` in your browser.
 9. To send messages to other chatmail relays,
   you need to set additional DNS records.
   Run `docker exec chatmail scripts/cmdeploy.sh dns --ssh-host localhost`
   to see recommended DNS records and check whether they are correct.
 ## Using custom files
 When using Docker, you can apply modified configuration files to make the installation more personalized. This is usually needed for the `www/src` section so that the Chatmail landing page is customized to your taste, but it can be used for any other cases as well.
@@ -175,10 +269,10 @@ set -eo pipefail
 export ENABLE_CERTS_MONITORING="${ENABLE_CERTS_MONITORING:-true}"
 export CERTS_MONITORING_TIMEOUT="${CERTS_MONITORING_TIMEOUT:-60}"
-export PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
+export PATH_TO_SSL_CONTAINER="${PATH_TO_SSL_CONTAINER:-/var/lib/acme/live/${MAIL_DOMAIN}}"
 calculate_hash() {
-    find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
+    find "$PATH_TO_SSL_CONTAINER" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
 }
 monitor_certificates() {
@@ -194,8 +288,8 @@ monitor_certificates() {
        current_hash=$(calculate_hash)
        if [[ "$current_hash" != "$previous_hash" ]]; then
        # TODO: add an option to restart at a specific time interval 
-            echo "[INFO] Certificate's folder hash was changed, reloading nginx, dovecot and postfix services."
+            echo "[INFO] Certificate's folder hash was changed, restarting nginx, dovecot and postfix services."
-            systemctl reload nginx.service
+            systemctl restart nginx.service
            systemctl reload dovecot.service
            systemctl reload postfix.service
            previous_hash=$current_hash
--- a/docs/DOCKER_INSTALLATION_RU.md
+++ b/docs/DOCKER_INSTALLATION_RU.md
@@ -1,4 +1,5 @@
 # Известные проблемы и ограничения
 - Установка с помощью acmetool (`docker-compose-default.yaml`) может НЕ работать. В таком случае используйте установку через traefik (`docker-compose-traefik.yaml`). Лично у меня при тестах ошибка была `could not install DNS challenge, no hooks succeeded;`, которую исправить не удалось.
 - Chatmail будет переустановлен при каждом запуске контейнера (при первом - долго, при последующих быстрее). Так устроен изначальный установщик, потому что он не был заточен под docker. В конце документации [представлено](#фиксирование-версии-chatmail) возможное решение
 - Требуется настроенный в системе cgroups v2. Работа с cgroups v1 не тестировалась.
 - Да, понятно дело что systemd использовать в контейнере костыль и надо это всё разнести на несколько сервисов, но это MVP и в первом приближении оказалось сделать проще так, чем переписывать всю систему развертывания.
@@ -42,28 +43,25 @@ cp ./docker/docker-compose-default.yaml docker-compose.yaml
 # cp ./docker/docker-compose-traefik.yaml docker-compose.yaml
 ```
-2. Скопировать `./docker/example.env` и переименовать в `.env`. Здесь хранятся переменные, которые используятся в `docker-compose.yaml`.
+2. Скопировать `./docker/example.env` и переименовать в `.env`. Здесь хранятся переменные, которые используятся в `docker-compose.yaml`. Нужен только для установки совместно с traefik, если используется default - можно пропустить
 ```shell
 cp ./docker/example.env .env
 ```
-3. Настроить переменные окружения в `.env` файле. Эти переменные используются в `docker-compose.yaml` файле, чтобы передавать повторяющиеся значения.
+3. Настроить параметры ядра, потому что внутри контейнера их нельзя изменить, а конкретно `fs.inotify.max_user_instances` и `fs.inotify.max_user_watches`. Для этого выполнить следующее:
 4. Настроить параметры ядра, потому что внутри контейнера их нельзя изменить, а конкретно `fs.inotify.max_user_instances` и `fs.inotify.max_user_watches`. Для этого выполнить следующее:
 ```shell
 echo "fs.inotify.max_user_instances=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
 echo "fs.inotify.max_user_watches=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
 sudo sysctl --system
 ```
-5. Настроить переменные окружения контейнера. Ниже перечислен список переменных учавствующих при развертывании.
+4. Настроить переменные окружения контейнера. Ниже перечислен список переменных учавствующих при развертывании.
 - `MAIL_DOMAIN` - Доменное имя будущего сервера. (required)
 - `DEBUG_COMMANDS_ENABLED` - Выполнить debug команды перед установкой. (default: `false`)
 - `FORCE_REINIT_INI_FILE` - Пересоздавать ini файл конфигурации при запуске. (default: `false`)
 - `USE_FOREIGN_CERT_MANAGER` - Использовать сторонний менеджер сертификатов. (default: `false`)
 - `RECREATE_VENV` - Пересоздать виртуальное окружение (venv). Если выставлено `true`, то окружение будет пересоздано при запуске контейнера, из-за чего включение сервиса займет больше времени, но поможет избежать ряда ошибок. (default: `false`)
 - `INI_FILE` - путь к ini файлу конфигурации. (default: `./chatmail.ini`)
- `PATH_TO_SSL` - Путь где располагаются сертификаты. (default: `/var/lib/acme/live/${MAIL_DOMAIN}`)
+- `PATH_TO_SSL_CONTAINER` - Путь где располагаются сертификаты. (default: `/var/lib/acme/live/${MAIL_DOMAIN}`)
 - `ENABLE_CERTS_MONITORING` - Включить мониторинг сертификатов, если `USE_FOREIGN_CERT_MANAGER=true`.  Если сертфикаты изменятся сервисы будут автоматически перезапущены. (default: `false`)
 - `CERTS_MONITORING_TIMEOUT` - Раз во сколько секунд проверять что изменились сертификаты. (default: `'60'`)
@@ -72,11 +70,108 @@ sudo sysctl --system
 Ниже перечислены переменные, которые обязательны быть выставлены при развертывании через docker:
 - `CHANGE_KERNEL_SETTINGS` - Менять настройки ядра (`fs.inotify.max_user_instances` и `fs.inotify.max_user_watches`) при запуске. При запуске в контейнере смена настроек ядра не может быть выполнена! (default: `False`)
 5. Настроить переменные окружения в `.env` файле. Эти переменные используются в `docker-compose.yaml` файле, чтобы передавать повторяющиеся значения.
 6. Собрать docker образ
 ```shell
-docker compose build
+docker compose build chatmail
 ```
 <details>
 <summary>Дополнительные шаги для конфигурации работы с traefik</summary>
 > [!note]
 > Если вы используете default установку, без использования traefik - пропустите эти шаги и переходите к шагу 7 (запуск docker compose)
 Перед запуском traefik необходимо подготовить файлы конфигурации, иначе он запустится некорректно.
 Сначала выполните эти команды в консоли, заменив значения в них на корректные.
 ```shell
 export YOUR_EMAIL=your_email@gmail.com
 mkdir -p "./data/traefik"
 cd "./data/traefik"
 ```
 1. Создать файл конфигурации traefik
 ```shell
 cat > config.yaml << EOF
 log:
  level: TRACE
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          permanent: true
  websecure:
    address: ":443"
 providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /dynamic/conf
    watch: true
 serverstransport:
  insecureskipverify: true
 certificatesResolvers:
  letsEncrypt:
    acme:
      email: $YOUR_EMAIL
      storage: /acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlschallenge: true
      httpChallenge:
        entryPoint: web
 EOF
 ```
 2. Создать post-hook скрипт
 ```shell
 cat > post-hook.sh << 'EOF'
 CERTS_DIR=${CERTS_DIR:-"/data/letsencrypt/certs"}
 for dir in "$CERTS_DIR"/*/; do
    cd "$dir"
    if [ -f "certificate.crt" ]; then
        ln -sf certificate.crt fullchain
    fi
    if [ -f "privatekey.key" ]; then
        ln -sf privatekey.key privkey
    fi
    cd -
 done
 EOF
 ```
 3. Создать `acme.json` файл
 ```shell
 touch acme.json
 sudo chown 0:0 ./acme.json # это обязательно
 sudo chmod 600 ./acme.json # это обязательно
 ```
 4. Создать insecure config
 ```shell
 mkdir dynamic-configs
 cat > ./dynamic-configs/insecure.yaml << 'EOF'
 http:
  serversTransports:
    insecure:
      insecureSkipVerify: true
 EOF
 cd ../..
 ```
 </details>
 7. Запустить docker compose и дождаться завершения установки
 ```shell
 docker compose up -d # запуск сервиса
@@ -149,10 +244,10 @@ set -eo pipefail
 export ENABLE_CERTS_MONITORING="${ENABLE_CERTS_MONITORING:-true}"
 export CERTS_MONITORING_TIMEOUT="${CERTS_MONITORING_TIMEOUT:-60}"
-export PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
+export PATH_TO_SSL_CONTAINER="${PATH_TO_SSL_CONTAINER:-/var/lib/acme/live/${MAIL_DOMAIN}}"
 calculate_hash() {
-    find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
+    find "$PATH_TO_SSL_CONTAINER" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
 }
 monitor_certificates() {
@@ -168,8 +263,8 @@ monitor_certificates() {
        current_hash=$(calculate_hash)
        if [[ "$current_hash" != "$previous_hash" ]]; then
        # TODO: add an option to restart at a specific time interval 
-            echo "[INFO] Certificate's folder hash was changed, reloading nginx, dovecot and postfix services."
+            echo "[INFO] Certificate's folder hash was changed, restarting nginx, dovecot and postfix services."
-            systemctl reload nginx.service
+            systemctl restart nginx.service
            systemctl reload dovecot.service
            systemctl reload postfix.service
            previous_hash=$current_hash
--- a/traefik/config.yaml
+++ b/traefik/config.yaml
@@ -1,33 +0,0 @@
 log:
  level: TRACE
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          permanent: true
  websecure:
    address: ":443"
 providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /dynamic/conf
    watch: true
 serverstransport:
  insecureskipverify: true
 certificatesResolvers:
  letsEncrypt:
    acme:
      storage: /acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlschallenge: true
      httpChallenge:
        entryPoint: web
--- a/traefik/dynamic-configs/insecure.yaml
+++ b/traefik/dynamic-configs/insecure.yaml
@@ -1,4 +0,0 @@
 http:
  serversTransports:
    insecure:
      insecureSkipVerify: true
--- a/traefik/post-hook.sh
+++ b/traefik/post-hook.sh
@@ -1,15 +0,0 @@
 CERTS_DIR=${CERTS_DIR:-"/data/letsencrypt/certs"}
 echo "CERTS_DIR: $CERTS_DIR"
 for dir in "$CERTS_DIR"/*/; do
    echo "Processing: $dir"
    cd "$dir"
    if [ -f "certificate.crt" ]; then
        ln -sf certificate.crt fullchain
    fi
    if [ -f "privatekey.key" ]; then
        ln -sf privatekey.key privkey
    fi
    cd -
 done
Author	SHA1	Message	Date
missytake	e0040c1c52	tests: fix output capture	2025-08-25 14:58:03 +02:00
missytake	ea9f56d6b3	cmdeploy: test if ini was overwritten with --force2	2025-08-25 13:54:16 +02:00