Sandbox chatmail-metadata

Run chatmail-metadata and doveauth as vmail
Apply systemd restrictions to echobot
2026-05-12 09:04:36 +00:00 · 2024-03-30 14:21:07 +00:00 · 2024-03-30 14:21:05 +00:00 · 2024-03-30 14:17:48 +00:00 · 2024-03-30 09:14:01 +00:00 · 2024-03-30 01:49:03 +01:00
10 changed files with 177 additions and 69 deletions
--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -4,12 +4,17 @@ on:
  push:
    branches:
      - main
-      - staging-ci
+  pull_request:
+    paths-ignore:
+      - 'scripts/**'

 jobs:
  deploy:
    name: deploy on staging.testrun.org, and run tests
    runs-on: ubuntu-latest
+    concurrency:
+      group: staging-deploy
+      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v3

@@ -19,44 +24,45 @@ jobs:
          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan staging.testrun.org > ~/.ssh/known_hosts
-     #    rsync -avz root@staging.testrun.org:/var/lib/acme . || true
-     #    rsync -avz root@staging.testrun.org:/var/lib/rspamd/dkim . || true
+          rsync -avz root@staging.testrun.org:/var/lib/acme . || true
+          rsync -avz root@staging.testrun.org:/etc/dkimkeys . || true

-     #- name: rebuild staging.testrun.org to have a clean VPS
-     #  run: |
-     #      curl -X POST \
-     #      -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
-     #      -H "Content-Type: application/json" \
-     #      -d '{"image":"debian-12"}' \
-     #      "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild"
+      - name: rebuild staging.testrun.org to have a clean VPS
+        run: |
+            curl -X POST \
+            -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d '{"image":"debian-12"}' \
+            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild"

      - run: scripts/initenv.sh

      - name: append venv/bin to PATH
        run: echo venv/bin >>$GITHUB_PATH

+      - name: upload TLS cert after rebuilding
+        run: |
+          echo " --- wait until staging.testrun.org VPS is rebuilt --- "
+          rm ~/.ssh/known_hosts
+          while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u ; do sleep 1 ; done
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u
+          rsync -avz acme/ root@staging.testrun.org:/var/lib/acme || true
+          rsync -avz dkimkeys/ root@staging.testrun.org:/etc/dkimkeys || true
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown root:root -R /var/lib/acme
+
      - name: run formatting checks 
        run: cmdeploy fmt -v 

      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 

-     #- name: upload TLS cert after rebuilding
-     #  run: |
-     #    echo " --- wait until staging.testrun.org VPS is rebuilt --- "
-     #    rm ~/.ssh/known_hosts
-     #    while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u ; do sleep 1 ; done
-     #    ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u
-     #    rsync -avz acme root@staging.testrun.org:/var/lib/ || true
-     #    rsync -avz dkim root@staging.testrun.org:/var/lib/rspamd/ || true
-
      - run: cmdeploy init staging.testrun.org

      - run: cmdeploy run

      - name: set DNS entries
        run: |
-          #ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown _rspamd:_rspamd -R /var/lib/rspamd/dkim
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
          cmdeploy dns --zonefile staging-generated.zone
          cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
          cat .github/workflows/staging.testrun.org-default.zone
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,23 @@
 # Changelog for chatmail deployment 

-## unreleased
+## untagged 

-### Changes since March 15th, 2024
+- Run chatmail-metadata and doveauth as vmail
+  ([#261](https://github.com/deltachat/chatmail/pull/261))
+
+- Apply systemd restrictions to echobot
+  ([#259](https://github.com/deltachat/chatmail/pull/259))
+
+- re-enable running the CI in pull requests, but not concurrently 
+  ([#258](https://github.com/deltachat/chatmail/pull/258))
+
+
+## 1.1.0 - 2024-03-28
+
+### The changelog starts to record changes from March 15th, 2024 
+
+- Move systemd unit templates to cmdeploy package 
+  ([#255](https://github.com/deltachat/chatmail/pull/255))

 - Persist push tokens and support multiple device per address 
  ([#254](https://github.com/deltachat/chatmail/pull/254))
--- a/chatmaild/MANIFEST.in
+++ b/chatmaild/MANIFEST.in
@@ -1,4 +1,3 @@
-include src/chatmaild/*.f 
 include src/chatmaild/ini/*.ini.f
 include src/chatmaild/ini/*.ini
 include src/chatmaild/tests/mail-data/*
--- a/chatmaild/src/chatmaild/chatmail-metadata.service.f
+++ b/chatmaild/src/chatmaild/chatmail-metadata.service.f
@@ -1,10 +0,0 @@
-[Unit]
-Description=Chatmail dict proxy for IMAP METADATA
-
-[Service]
-ExecStart={execpath} /run/dovecot/metadata.socket vmail /home/vmail/mail/{mail_domain}
-Restart=always
-RestartSec=30
-
-[Install]
-WantedBy=multi-user.target
--- a/chatmaild/src/chatmaild/echobot.service.f
+++ b/chatmaild/src/chatmaild/echobot.service.f
@@ -1,11 +0,0 @@
-[Unit]
-Description=Chatmail echo bot for testing it works
-
-[Service]
-ExecStart={execpath} {config_path}
-Environment="PATH={remote_venv_dir}:$PATH"
-Restart=always
-RestartSec=30
-
-[Install]
-WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/init.py
+++ b/cmdeploy/src/cmdeploy/init.py
@@ -110,7 +110,9 @@ def _install_remote_venv_with_chatmaild(config) -> None:
            remote_venv_dir=remote_venv_dir,
            mail_domain=config.mail_domain,
        )
-        source_path = importlib.resources.files("chatmaild").joinpath(f"{fn}.service.f")
+        source_path = importlib.resources.files(__package__).joinpath(
+            "service", f"{fn}.service.f"
+        )
        content = source_path.read_text().format(**params).encode()

        files.put(
@@ -133,20 +135,6 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
    """Configures OpenDKIM"""
    need_restart = False

-    server.group(name="Create opendkim group", group="opendkim", system=True)
-    server.user(
-        name="Create opendkim user",
-        user="opendkim",
-        groups=["opendkim"],
-        system=True,
-    )
-    server.user(
-        name="Add postfix user to opendkim group for socket access",
-        user="postfix",
-        groups=["opendkim"],
-        system=True,
-    )
-
    main_config = files.template(
        src=importlib.resources.files(__package__).joinpath("opendkim/opendkim.conf"),
        dest="/etc/opendkim.conf",
@@ -474,9 +462,29 @@ def deploy_chatmail(config_path: Path) -> None:

    from .www import build_webpages

-    apt.update(name="apt update", cache_time=24 * 3600)
    server.group(name="Create vmail group", group="vmail", system=True)
    server.user(name="Create vmail user", user="vmail", group="vmail", system=True)
+    server.group(name="Create opendkim group", group="opendkim", system=True)
+    server.user(
+        name="Create opendkim user",
+        user="opendkim",
+        groups=["opendkim"],
+        system=True,
+    )
+    server.user(
+        name="Add postfix user to opendkim group for socket access",
+        user="postfix",
+        groups=["opendkim"],
+        system=True,
+    )
+
+    server.shell(
+        name="Fix file owner in /home/vmail",
+        commands=["test -d /home/vmail && chown -R vmail:vmail /home/vmail"],
+    )
+
+    apt.update(name="apt update", cache_time=24 * 3600)
+
    apt.packages(
        name="Install rsync",
        packages=["rsync"],
@@ -563,14 +571,9 @@ def deploy_chatmail(config_path: Path) -> None:
        restarted=mta_sts_need_restart,
    )

-    systemd.service(
-        name="Start and enable Postfix",
-        service="postfix.service",
-        running=True,
-        enabled=True,
-        restarted=postfix_need_restart,
-    )
-
+    # Dovecot should be started before Postfix
+    # because it creates authentication socket
+    # required by Postfix.
    systemd.service(
        name="Start and enable Dovecot",
        service="dovecot.service",
@@ -579,6 +582,14 @@ def deploy_chatmail(config_path: Path) -> None:
        restarted=dovecot_need_restart,
    )

+    systemd.service(
+        name="Start and enable Postfix",
+        service="postfix.service",
+        running=True,
+        enabled=True,
+        restarted=postfix_need_restart,
+    )
+
    systemd.service(
        name="Start and enable nginx",
        service="nginx.service",
--- a/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
+++ b/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
@@ -0,0 +1,47 @@
+[Unit]
+Description=Chatmail dict proxy for IMAP METADATA
+
+[Service]
+ExecStart={execpath} /run/dovecot/metadata.socket vmail /home/vmail/mail/{mail_domain}
+Restart=always
+RestartSec=30
+User=vmail
+
+# Make `systemd-analyze security` happy.
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/service/doveauth.service.f
+++ b/cmdeploy/src/cmdeploy/service/doveauth.service.f
@@ -5,6 +5,7 @@ Description=Chatmail dict authentication proxy for dovecot
 ExecStart={execpath} /run/dovecot/doveauth.socket vmail /home/vmail/passdb.sqlite {config_path}
 Restart=always
 RestartSec=30
+User=vmail

 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/service/echobot.service.f
+++ b/cmdeploy/src/cmdeploy/service/echobot.service.f
@@ -0,0 +1,50 @@
+[Unit]
+Description=Chatmail echo bot for testing it works
+
+[Service]
+ExecStart={execpath} {config_path}
+Environment="PATH={remote_venv_dir}:$PATH"
+Restart=always
+RestartSec=30
+
+# Apply security restrictions suggested by
+#   systemd-analyze security echobot.service
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+
+# Should be "strict", but we currently write /accounts folder in a protected path
+ProtectSystem=full
+
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/service/filtermail.service.f
+++ b/cmdeploy/src/cmdeploy/service/filtermail.service.f
@@ -1,5 +1,5 @@
 [Unit]
-Description=Chatmail Postfix BeforeQeue filter 
+Description=Chatmail Postfix before queue filter

 [Service]
 ExecStart={execpath} {config_path}
Author	SHA1	Message	Date
link2xt	5b8b41a0d0	Sandbox chatmail-metadata	2024-03-30 14:21:07 +00:00
link2xt	aa55cf3439	Run chatmail-metadata and doveauth as vmail	2024-03-30 14:21:05 +00:00
link2xt	221f4a2b0c	Apply systemd restrictions to echobot These options are suggested by `systemd-analyze security echobot.service`	2024-03-30 14:17:48 +00:00
link2xt	080ae058d8	Remove non-existent file pattern from MANIFEST.in	2024-03-30 09:14:01 +00:00
missytake	edb84c0b3b	CI: chown /var/lib/acme to root after restoring state	2024-03-30 01:49:03 +01:00
missytake	04ef477d51	CI: fix rsync statements	2024-03-30 01:49:03 +01:00
holger krekel	5696788d3a	add changelog entry	2024-03-29 08:54:11 +01:00
link2xt	1c2bf919ed	Start Dovecot before Postfix	2024-03-29 04:24:54 +00:00
link2xt	d15c22c1e8	Configure users and groups before installing any packages Otherwise packages may add user without correct configuration such as groups and the step adding user will be skipped.	2024-03-29 04:24:54 +00:00
missytake	9c6e90ae27	make sure fmt and offline checks are only run after DKIM & ACME is restored	2024-03-29 04:24:54 +00:00
missytake	481791c277	re-enable running the CI in pull requests, but not concurrently	2024-03-29 04:24:54 +00:00
holger krekel	a25c7981f9	start unreleased changelog	2024-03-28 18:02:05 +01:00
holger krekel	53519f2865	prepare 1.1.0 tag	2024-03-28 17:59:42 +01:00
link2xt	3a50d82657	Move systemd unit templates to cmdeploy They are part of deployment rather than service itself. Different deployments may have different users, filesystem layout etc.	2024-03-28 16:38:30 +01:00
holger krekel	c640087498	fix error string	2024-03-28 16:11:00 +01:00
holger krekel	2089f3ab58	persist pending notifications to directory so that they survive a restart	2024-03-28 16:11:00 +01:00
holger krekel	cbaa6924c1	use json instead of python's marshal	2024-03-28 16:11:00 +01:00
holger krekel	6ab3e9657d	test and fix for edge case	2024-03-28 16:11:00 +01:00
holger krekel	16f237dc60	add changelog entry	2024-03-28 16:11:00 +01:00
holger krekel	554c33423f	various naming refinements	2024-03-28 16:11:00 +01:00
holger krekel	5d5e2b199c	remove timeout support, it's not needed	2024-03-28 16:11:00 +01:00
holger krekel	989ce70f97	refine logging	2024-03-28 16:11:00 +01:00
holger krekel	f5dc4cb71e	more resilience	2024-03-28 16:11:00 +01:00
holger krekel	76512dfa2d	move persistentdict into own file, rename	2024-03-28 16:11:00 +01:00
holger krekel	850112502f	extend imap online test to cover multi-device	2024-03-28 16:11:00 +01:00
holger krekel	888fa88aa3	back to using marshal, and a filelock	2024-03-28 16:11:00 +01:00
holger krekel	15e7458666	add a persistent dict impl	2024-03-28 16:11:00 +01:00
holger krekel	0a93c76e66	add multi-token support	2024-03-28 16:11:00 +01:00
holger krekel	312f86223c	fix target dir	2024-03-28 16:11:00 +01:00
holger krekel	27a60418ad	use "devicetoken" consistently and take it from a var	2024-03-28 16:11:00 +01:00
holger krekel	46d31a91da	properly startup metadata service and add online test for metadata	2024-03-28 16:11:00 +01:00
holger krekel	a8765d8847	store metadata in a per-mbox dir	2024-03-28 16:11:00 +01:00
holger krekel	8ee6ca1b80	store tokens on a per-maildir basis	2024-03-28 16:11:00 +01:00
holger krekel	1a2b73a862	store tokens in guid-directories	2024-03-28 16:11:00 +01:00
link2xt	c44f4efced	Store raw tokens instead of dictionaries in metadata	2024-03-28 16:11:00 +01:00