feat: metadata service: make turnserver socket path configurable

also add tests for the turnserver metadata

chatmaild/src/chatmaild/config.py

@@ -46,6 +46,7 @@ class Config:
         self.acme_email = params.get("acme_email", "")
         self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
         self.imap_compress = params.get("imap_compress", "false").lower() == "true"
+        self.turn_socket_path = params.get("turn_socket_path", "/run/chatmail-turn/turn.socket")
         if "iroh_relay" not in params:
             self.iroh_relay = "https://" + params["mail_domain"]
             self.enable_iroh_relay = True

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -55,7 +55,10 @@ passthrough_recipients =
 # Deployment Details
 #
 
-# SMTP outgoing filtermail and reinjection 
+# Path to the TURN server Unix socket
+turn_socket_path = /run/chatmail-turn/turn.socket
+
+# SMTP outgoing filtermail and reinjection
 filtermail_smtp_port = 10080
 postfix_reinject_port = 10025
 

chatmaild/src/chatmaild/metadata.py

@@ -76,12 +76,13 @@ class Metadata:
 
 
 class MetadataDictProxy(DictProxy):
-    def __init__(self, notifier, metadata, iroh_relay=None, turn_hostname=None):
+    def __init__(self, notifier, metadata, iroh_relay=None, turn_hostname=None, config=None):
         super().__init__()
         self.notifier = notifier
         self.metadata = metadata
         self.iroh_relay = iroh_relay
         self.turn_hostname = turn_hostname
+        self.config = config
 
     def handle_lookup(self, parts):
         # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
@@ -101,7 +102,7 @@ class MetadataDictProxy(DictProxy):
                 # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
                 return f"O{self.iroh_relay}\n"
             elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
-                res = turn_credentials()
+                res = turn_credentials(self.config)
                 port = 3478
                 return f"O{self.turn_hostname}:{port}:{res}\n"
 
@@ -146,6 +147,7 @@ def main():
         metadata=metadata,
         iroh_relay=iroh_relay,
         turn_hostname=mail_domain,
+        config=config,
     )
 
     dictproxy.serve_forever_from_socket(socket)

chatmaild/src/chatmaild/tests/test_turnserver.py

@@ -0,0 +1,120 @@
+"""Tests for turnserver functionality, particularly metadata integration."""
+
+import socket
+import tempfile
+import threading
+from pathlib import Path
+
+from chatmaild.config import read_config, write_initial_config
+from chatmaild.metadata import MetadataDictProxy, Metadata
+from chatmaild.notifier import Notifier
+from chatmaild.turnserver import turn_credentials
+
+
+def test_turn_credentials_function_with_custom_socket():
+    """Test that turn_credentials function works with a custom socket path from config."""
+    # Create a temporary directory and socket file
+    temp_dir = Path(tempfile.mkdtemp())
+    temp_socket_path = temp_dir / "test_turn.socket"
+
+    # Create a mock TURN credentials server
+    def mock_server():
+        server_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        server_sock.bind(str(temp_socket_path))
+        server_sock.listen(1)
+
+        # Accept connection and send mock credentials
+        conn, addr = server_sock.accept()
+        with conn:
+            conn.send(b"mock_turn_credentials_abc123\n")
+        server_sock.close()
+
+    # Start server in a background thread
+    server_thread = threading.Thread(target=mock_server, daemon=True)
+    server_thread.start()
+
+    # Create a config with custom socket path
+    config_path = temp_dir / "chatmail.ini"
+    write_initial_config(config_path, "test.example.org", {
+        "turn_socket_path": str(temp_socket_path)
+    })
+    config = read_config(config_path)
+
+    # Allow time for server to start
+    import time
+    time.sleep(0.01)
+
+    # Test that turn_credentials can connect using the config
+    credentials = turn_credentials(config)
+    assert credentials == "mock_turn_credentials_abc123"
+
+    server_thread.join(timeout=1)  # Clean up thread
+
+
+def test_metadata_turn_lookup_integration(tmp_path):
+    """Test that metadata service properly handles TURN metadata lookups."""
+    # Create mock config with custom turn socket path
+    config_path = tmp_path / "chatmail.ini"
+    socket_path = tmp_path / "test_turn.socket"
+    write_initial_config(config_path, "example.org", {
+        "turn_socket_path": str(socket_path)
+    })
+    config = read_config(config_path)
+
+    # Create mock TURN server to return credentials
+    def mock_turn_server():
+        import os
+        os.makedirs(socket_path.parent, exist_ok=True)  # Ensure parent directory exists
+
+        server_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        server_sock.bind(str(socket_path))
+        server_sock.listen(1)
+
+        # Accept connection and send mock credentials
+        conn, addr = server_sock.accept()
+        with conn:
+            conn.send(b"test_creds_12345\n")
+        server_sock.close()
+
+    server_thread = threading.Thread(target=mock_turn_server, daemon=True)
+    server_thread.start()
+
+    import time
+    time.sleep(0.01)  # Allow server to start
+
+    # Create a MetadataDictProxy with config
+    queue_dir = tmp_path / "queue"
+    queue_dir.mkdir()
+    notifier = Notifier(queue_dir)
+    metadata = Metadata(tmp_path / "vmail")
+
+    dict_proxy = MetadataDictProxy(
+        notifier=notifier,
+        metadata=metadata,
+        iroh_relay="https://example.org",
+        turn_hostname="example.org",
+        config=config
+    )
+
+    # Simulate a lookup for TURN credentials using the correct format
+    # Input: "shared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
+    # After parts[0].split("/", 2):
+    # - keyparts[0] = "shared"
+    # - keyparts[1] = "0123"
+    # - keyparts[2] = "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
+    # So keyname = keyparts[2] should match "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
+    parts = [
+        "shared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn",
+        "dummy@user.org"
+    ]
+
+    # Call handle_lookup directly
+    result = dict_proxy.handle_lookup(parts)
+
+    # Verify the response format is correct for TURN credentials
+    assert result.startswith("O")  # Output response starts with 'O'
+    assert ":3478:" in result  # Contains port 3478
+    assert "test_creds_12345" in result  # Contains credentials returned by mock server
+    assert "example.org:3478:test_creds_12345" in result
+
+    server_thread.join(timeout=1)  # Clean up thread

chatmaild/src/chatmaild/turnserver.py

@@ -2,8 +2,8 @@
 import socket
 
 
-def turn_credentials() -> str:
+def turn_credentials(config) -> str:
     with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
-        client_socket.connect("/run/chatmail-turn/turn.socket")
+        client_socket.connect(config.turn_socket_path)
         with client_socket.makefile("rb") as file:
             return file.readline().decode("utf-8").strip()

cmdeploy/src/cmdeploy/deployers.py

@@ -141,6 +141,10 @@ def _configure_remote_venv_with_chatmaild(config) -> None:
 
 
 class UnboundDeployer(Deployer):
+    def __init__(self, config):
+        self.config = config
+        self.need_restart = False
+
     def install(self):
         # Run local DNS resolver `unbound`.
         # `resolvconf` takes care of setting up /etc/resolv.conf
@@ -177,6 +181,27 @@ class UnboundDeployer(Deployer):
                 "unbound-anchor -a /var/lib/unbound/root.key || true",
             ],
         )
+        if self.config.disable_ipv6:
+            files.directory(
+                path="/etc/unbound/unbound.conf.d",
+                present=True,
+                user="root",
+                group="root",
+                mode="755",
+            )
+            conf = files.put(
+                src=get_resource("unbound/unbound.conf.j2"),
+                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
+                user="root",
+                group="root",
+                mode="644",
+            )
+        else:
+            conf = files.file(
+                path="/etc/unbound/unbound.conf.d/chatmail.conf",
+                present=False,
+            )
+        self.need_restart |= conf.changed
 
     def activate(self):
         server.shell(
@@ -191,6 +216,7 @@ class UnboundDeployer(Deployer):
             service="unbound.service",
             running=True,
             enabled=True,
+            restarted=self.need_restart,
         )
 
 
@@ -527,7 +553,8 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         files.line(
             name="Add 9.9.9.9 to resolv.conf",
             path="/etc/resolv.conf",
-            line="nameserver 9.9.9.9",
+            # Guard against resolv.conf missing a trailing newline (SolusVM bug).
+            line="\nnameserver 9.9.9.9",
         )
 
     port_services = [
@@ -565,7 +592,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         LegacyRemoveDeployer(),
         FiltermailDeployer(),
         JournaldDeployer(),
-        UnboundDeployer(),
+        UnboundDeployer(config),
         TurnDeployer(mail_domain),
         IrohDeployer(config.enable_iroh_relay),
         AcmetoolDeployer(config.acme_email, tls_domains),

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -1,7 +1,7 @@
 ## Dovecot configuration file
 
 {% if disable_ipv6 %}
-listen = *
+listen = 0.0.0.0
 {% endif %}
 
 protocols = imap lmtp

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -64,7 +64,11 @@ alias_database = hash:/etc/aliases
 mydestination =
 
 relayhost = 
+{% if disable_ipv6 %}
+mynetworks = 127.0.0.0/8
+{% else %}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+{% endif %}
 mailbox_size_limit = 0
 message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +

cmdeploy/src/cmdeploy/unbound/unbound.conf.j2

@@ -0,0 +1,4 @@
+# Managed by cmdeploy: disable IPv6 in unbound.
+server:
+  interface: 127.0.0.1
+  do-ip6: no