ci: deploy with ssh_host=localhost on staging-ipv4

.dockerignore

@@ -1,18 +0,0 @@
-data/
-venv/
-__pycache__
-*.pyc
-*.orig
-*.ini
-.pytest_cache
-.env
-
-# Slim build context — .git/ alone can be 100s of MB
-.git
-.github/
-docs/
-tests/
-
-# Exclude markdown files but keep www/src/*.md (used by WebsiteDeployer)
-*.md
-!www/**/*.md

.github/workflows/docker-build.yaml

@@ -1,76 +0,0 @@
-name: Docker Build
-
-on:
-  pull_request:
-    paths:
-      - 'docker/**'
-      - 'docker-compose.yaml'
-      - '.dockerignore'
-      - 'chatmaild/**'
-      - 'cmdeploy/**'
-      - '.github/workflows/docker-build.yaml'
-  push:
-    branches:
-      - main
-      - j4n/docker
-    paths:
-      - 'docker/**'
-      - 'docker-compose.yaml'
-      - '.dockerignore'
-      - 'chatmaild/**'
-      - 'cmdeploy/**'
-      - '.github/workflows/docker-build.yaml'
-    tags:
-      - 'v*'
-
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
-jobs:
-  build:
-    name: Build Docker image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GHCR
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (tags, labels)
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            # Tagged releases: v1.2.3 → :1.2.3, :1.2, :latest
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            # Branch pushes: j4n/docker → :j4n-docker
-            type=ref,event=branch
-            # Always: :sha-<hash>
-            type=sha
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/chatmail_relay.dockerfile
-          push: ${{ github.event_name == 'push' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          build-args: |
-            GIT_HASH=${{ github.sha }}

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -71,26 +71,35 @@ jobs:
       - name: run deploy-chatmail offline tests 
         run: pytest --pyargs cmdeploy 
 
-      - run: |
+      - name: setup dependencies
-          cmdeploy init staging-ipv4.testrun.org
+        run: |
-          sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' chatmail.ini
+          ssh root@staging-ipv4.testrun.org apt update
-          sed -i 's/#\s*mtail_address/mtail_address/' chatmail.ini
+          ssh root@staging-ipv4.testrun.org apt install -y git python3.11-venv python3-dev gcc
+          ssh root@staging-ipv4.testrun.org git clone https://github.com/chatmail/relay
+          ssh root@staging-ipv4.testrun.org "cd relay && git checkout " ${{ github.head_ref }}
+          ssh root@staging-ipv4.testrun.org "cd relay && scripts/initenv.sh"
 
-      - run: cmdeploy run --verbose --skip-dns-check
+      - name: initialize config
+        run: |
+          ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy init staging-ipv4.testrun.org"
+          ssh root@staging-ipv4.testrun.org "sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' relay/chatmail.ini"
+          ssh root@staging-ipv4.testrun.org "sed -i 's/#\s*mtail_address/mtail_address/' relay/chatmail.ini"
+
+      - run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy run --verbose --skip-dns-check"
 
       - name: set DNS entries
         run: |
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+          ssh root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
-          cmdeploy dns --zonefile staging-generated.zone
+          ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns --zonefile staging-generated.zone"
-          cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
+          ssh root@staging-ipv4.testrun.org cat relay/staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
           cat .github/workflows/staging-ipv4.testrun.org-default.zone
           scp .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
           ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone
           ssh root@ns.testrun.org systemctl reload nsd
 
       - name: cmdeploy test
-        run: CHATMAIL_DOMAIN2=ci-chatmail.testrun.org cmdeploy test --slow
+        run: ssh root@staging-ipv4.testrun.org "cd relay && CHATMAIL_DOMAIN2=ci-chatmail.testrun.org scripts/cmdeploy test --slow"
 
       - name: cmdeploy dns
-        run: cmdeploy dns -v
+        run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns -v"
 

.github/workflows/test-and-deploy.yaml

@@ -76,6 +76,7 @@ jobs:
 
       - run: |
           cmdeploy init staging2.testrun.org
+          sed -i 's/^ssh_host/#ssh_host/' chatmail.ini
           sed -i 's/#\s*mtail_address/mtail_address/' chatmail.ini
 
       - run: cmdeploy run --verbose --skip-dns-check

.gitignore

@@ -164,9 +164,3 @@ cython_debug/
 #.idea/
 
 chatmail.zone
-
-# docker
-/data/
-/custom/
-docker-compose.override.yaml
-.env

CHANGELOG.md

@@ -121,13 +121,6 @@
   Provide an "fsreport" CLI for more fine grained analysis of message files. 
   ([#637](https://github.com/chatmail/relay/pull/637))
 
-- Add installation via docker compose (MVP 1). The instructions, known issues and limitations are located in `/docs` 
-  ([#614](https://github.com/chatmail/relay/pull/614))
-
-- Add configuration parameters
-  ([#614](https://github.com/chatmail/relay/pull/614)):
-  - `change_kernel_settings` - Whether to change kernel parameters during installation (default: `True`)
-  - `fs_inotify_max_user_instances_and_watchers` - Value for kernel parameters `fs.inotify.max_user_instances` and `fs.inotify.max_user_watches` (default: `65535`)
 
 ## 1.7.0 2025-09-11
 

chatmaild/src/chatmaild/config.py

@@ -9,30 +9,28 @@ from chatmaild.user import User
 def read_config(inipath):
     assert Path(inipath).exists(), inipath
     cfg = iniconfig.IniConfig(inipath)
-    params = cfg.sections["params"]
+    return Config(inipath, params=cfg.sections["params"])
-    default_config_content = get_default_config_content(params["mail_domain"])
-    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
-    new_params = dict(df_params.items())
-    new_params.update(params)
-    return Config(inipath, params=new_params)
 
 
 class Config:
     def __init__(self, inipath, params):
         self._inipath = inipath
         self.mail_domain = params["mail_domain"]
+        self.ssh_host = params.get("ssh_host", self.mail_domain)
         self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
         self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
-        self.max_mailbox_size = params["max_mailbox_size"]
+        self.max_mailbox_size = params.get("max_mailbox_size", "500M")
-        self.max_message_size = int(params.get("max_message_size", "31457280"))
+        self.max_message_size = int(params.get("max_message_size", 31457280))
-        self.delete_mails_after = params["delete_mails_after"]
+        self.delete_mails_after = params.get("delete_mails_after", "20")
-        self.delete_large_after = params["delete_large_after"]
+        self.delete_large_after = params.get("delete_large_after", "7")
-        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
+        self.delete_inactive_users_after = int(
-        self.username_min_length = int(params["username_min_length"])
+            params.get("delete_inactive_users_after", 100)
-        self.username_max_length = int(params["username_max_length"])
+        )
-        self.password_min_length = int(params["password_min_length"])
+        self.username_min_length = int(params.get("username_min_length", 9))
-        self.passthrough_senders = params["passthrough_senders"].split()
+        self.username_max_length = int(params.get("username_max_length", 9))
-        self.passthrough_recipients = params["passthrough_recipients"].split()
+        self.password_min_length = int(params.get("password_min_length", 9))
+        self.passthrough_senders = params.get("passthrough_senders", "").split()
+        self.passthrough_recipients = params.get("passthrough_recipients", "").split()
         self.www_folder = params.get("www_folder", "")
         self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
         self.filtermail_smtp_port_incoming = int(
@@ -44,7 +42,6 @@ class Config:
         )
         self.mtail_address = params.get("mtail_address")
         self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
-        self.noacme = os.environ.get("CHATMAIL_NOACME", "false").lower() == "true"
         self.addr_v4 = os.environ.get("CHATMAIL_ADDR_V4", "")
         self.addr_v6 = os.environ.get("CHATMAIL_ADDR_V6", "")
         self.acme_email = params.get("acme_email", "")

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -3,6 +3,9 @@
 # mail domain (MUST be set to fully qualified chat mail domain)
 mail_domain = {mail_domain}
 
+# Where to deploy the relay - if unspecified, mail_domain will be used.
+ssh_host = localhost
+
 #
 # If you only do private test deploys, you don't need to modify any settings below
 #

chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py

@@ -57,19 +57,10 @@ def test_one_mail(
     path = str(config._inipath)
 
     popen = make_popen(["filtermail", path, filtermail_mode])
-
+    line = popen.stderr.readline().strip()
-    # Wait for filtermail to start accepting connections
+    if b"loop" not in line:
-    import socket
+        print(line.decode("ascii"), file=sys.stderr)
-    import time
+        pytest.fail("starting filtermail failed")
-    for _ in range(50):  # 5 second timeout
-        try:
-            sock = socket.create_connection(("127.0.0.1", smtp_inject_port), timeout=0.1)
-            sock.close()
-            break
-        except (ConnectionRefusedError, OSError):
-            time.sleep(0.1)
-    else:
-        pytest.fail("filtermail failed to start accepting connections")
 
     addr = f"user1@{config.mail_domain}"
     config.get_user(addr).set_password("l1k2j3l1k2j3l")

cmdeploy/src/cmdeploy/basedeploy.py

@@ -5,11 +5,6 @@ import os
 from pyinfra.operations import files, server, systemd
 
 
-def has_systemd():
-    """Returns False during Docker image builds or any other non-systemd environment."""
-    return os.path.isdir("/run/systemd/system")
-
-
 def get_resource(arg, pkg=__package__):
     return importlib.resources.files(pkg).joinpath(arg)
 

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -88,7 +88,7 @@ def run_cmd_options(parser):
 def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
 
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
     sshexec = get_sshexec(ssh_host)
     require_iroh = args.config.enable_iroh_relay
     if not args.dns_check_disabled:
@@ -108,10 +108,7 @@ def run_cmd(args, out):
     pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
 
     cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
-    if ssh_host in ["localhost", "@docker"]:
+    if ssh_host in ["localhost", "@local", "@docker"]:
-        if ssh_host == "@docker":
-            env["CHATMAIL_NOPORTCHECK"] = "True"
-            env["CHATMAIL_NOSYSCTL"] = "True"
         cmd = f"{pyinf} @local {deploy_path} -y"
 
     if version.parse(pyinfra.__version__) < version.parse("3"):
@@ -152,7 +149,7 @@ def dns_cmd_options(parser):
 
 def dns_cmd(args, out):
     """Check DNS entries and optionally generate dns zone file."""
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
     sshexec = get_sshexec(ssh_host, verbose=args.verbose)
     remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
     if not remote_data:
@@ -186,7 +183,7 @@ def status_cmd_options(parser):
 def status_cmd(args, out):
     """Display status for online chatmail instance."""
 
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
     sshexec = get_sshexec(ssh_host, verbose=args.verbose)
 
     out.green(f"chatmail domain: {args.config.mail_domain}")
@@ -206,6 +203,7 @@ def test_cmd_options(parser):
         action="store_true",
         help="also run slow tests",
     )
+    add_ssh_host_option(parser)
 
 
 def test_cmd(args, out):
@@ -217,6 +215,9 @@ def test_cmd(args, out):
     x = importlib.util.find_spec("deltachat")
     if x is None:
         out.check_call(f"{sys.executable} -m pip install deltachat")
+    env = os.environ.copy()
+    if args.ssh_host:
+        env["CHATMAIL_SSH"] = args.ssh_host
 
     pytest_path = shutil.which("pytest")
     pytest_args = [
@@ -230,7 +231,7 @@ def test_cmd(args, out):
     ]
     if args.slow:
         pytest_args.append("--slow")
-    ret = out.run_ret(pytest_args)
+    ret = out.run_ret(pytest_args, env=env)
     return ret
 
 
@@ -331,7 +332,7 @@ def add_config_option(parser):
         "--config",
         dest="inipath",
         action="store",
-        default=Path(os.environ.get("CHATMAIL_INI", "chatmail.ini")),
+        default=Path("chatmail.ini"),
         type=Path,
         help="path to the chatmail.ini file",
     )

cmdeploy/src/cmdeploy/deployers.py

@@ -2,7 +2,6 @@
 Chat Mail pyinfra deploy.
 """
 
-import os
 import shutil
 import subprocess
 import sys
@@ -26,7 +25,6 @@ from .basedeploy import (
     activate_remote_units,
     configure_remote_units,
     get_resource,
-    has_systemd,
 )
 from .dovecot.deployer import DovecotDeployer
 from .filtermail.deployer import FiltermailDeployer
@@ -67,8 +65,6 @@ def _build_chatmaild(dist_dir) -> None:
 
 
 def remove_legacy_artifacts():
-    if not has_systemd():
-        return
     # disable legacy doveauth-dictproxy.service
     if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
         systemd.service(
@@ -303,7 +299,7 @@ class LegacyRemoveDeployer(Deployer):
             present=False,
         )
         # remove echobot if it is still running
-        if has_systemd() and host.get_fact(SystemdEnabled).get("echobot.service"):
+        if host.get_fact(SystemdEnabled).get("echobot.service"):
             systemd.service(
                 name="Disable echobot.service",
                 service="echobot.service",
@@ -570,35 +566,34 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
             Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
             exit(1)
 
-    if not os.environ.get("CHATMAIL_NOPORTCHECK"):
+    port_services = [
-        port_services = [
+        (["master", "smtpd"], 25),
-            (["master", "smtpd"], 25),
+        ("unbound", 53),
-            ("unbound", 53),
+        ("acmetool", 80),
-            ("acmetool", 80),
+        (["imap-login", "dovecot"], 143),
-            (["imap-login", "dovecot"], 143),
+        ("nginx", 443),
-            ("nginx", 443),
+        (["master", "smtpd"], 465),
-            (["master", "smtpd"], 465),
+        (["master", "smtpd"], 587),
-            (["master", "smtpd"], 587),
+        (["imap-login", "dovecot"], 993),
-            (["imap-login", "dovecot"], 993),
+        ("iroh-relay", 3340),
-            ("iroh-relay", 3340),
+        ("mtail", 3903),
-            ("mtail", 3903),
+        ("stats", 3904),
-            ("stats", 3904),
+        ("nginx", 8443),
-            ("nginx", 8443),
+        (["master", "smtpd"], config.postfix_reinject_port),
-            (["master", "smtpd"], config.postfix_reinject_port),
+        (["master", "smtpd"], config.postfix_reinject_port_incoming),
-            (["master", "smtpd"], config.postfix_reinject_port_incoming),
+        ("filtermail", config.filtermail_smtp_port),
-            ("filtermail", config.filtermail_smtp_port),
+        ("filtermail", config.filtermail_smtp_port_incoming),
-            ("filtermail", config.filtermail_smtp_port_incoming),
+    ]
-        ]
+    for service, port in port_services:
-        for service, port in port_services:
+        print(f"Checking if port {port} is available for {service}...")
-            print(f"Checking if port {port} is available for {service}...")
+        running_service = host.get_fact(Port, port=port)
-            running_service = host.get_fact(Port, port=port)
+        services = [service] if isinstance(service, str) else service
-            services = [service] if isinstance(service, str) else service
+        if running_service:
-            if running_service:
+            if running_service not in services:
-                if running_service not in services:
+                Out().red(
-                    Out().red(
+                    f"Deploy failed: port {port} is occupied by: {running_service}"
-                        f"Deploy failed: port {port} is occupied by: {running_service}"
+                )
-                    )
+                exit(1)
-                    exit(1)
 
     tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
 
@@ -610,12 +605,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         UnboundDeployer(config),
         TurnDeployer(mail_domain),
         IrohDeployer(config.enable_iroh_relay),
-    ]
+        AcmetoolDeployer(config.acme_email, tls_domains),
-
-    if not config.noacme:
-        all_deployers.append(AcmetoolDeployer(config.acme_email, tls_domains))
-
-    all_deployers += [
         WebsiteDeployer(config),
         ChatmailVenvDeployer(config),
         MtastsDeployer(),

cmdeploy/src/cmdeploy/dovecot/deployer.py

@@ -1,5 +1,3 @@
-import os
-
 from chatmaild.config import Config
 from pyinfra import host
 from pyinfra.facts.server import Arch, Sysctl
@@ -11,7 +9,6 @@ from cmdeploy.basedeploy import (
     activate_remote_units,
     configure_remote_units,
     get_resource,
-    has_systemd,
 )
 
 
@@ -25,11 +22,10 @@ class DovecotDeployer(Deployer):
 
     def install(self):
         arch = host.get_fact(Arch)
-        if has_systemd() and "dovecot.service" in host.get_fact(SystemdEnabled):
+        if not "dovecot.service" in host.get_fact(SystemdEnabled):
-            return  # already installed and running
+            _install_dovecot_package("core", arch)
-        _install_dovecot_package("core", arch)
+            _install_dovecot_package("imapd", arch)
-        _install_dovecot_package("imapd", arch)
+            _install_dovecot_package("lmtpd", arch)
-        _install_dovecot_package("lmtpd", arch)
 
     def configure(self):
         configure_remote_units(self.config.mail_domain, self.units)
@@ -120,19 +116,18 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
 
     # as per https://doc.dovecot.org/2.3/configuration_manual/os/
     # it is recommended to set the following inotify limits
-    if not os.environ.get("CHATMAIL_NOSYSCTL"):
+    for name in ("max_user_instances", "max_user_watches"):
-        for name in ("max_user_instances", "max_user_watches"):
+        key = f"fs.inotify.{name}"
-            key = f"fs.inotify.{name}"
+        if host.get_fact(Sysctl)[key] > 65535:
-            if host.get_fact(Sysctl)[key] > 65535:
+            # Skip updating limits if already sufficient
-                # Skip updating limits if already sufficient
+            # (enables running in incus containers where sysctl readonly)
-                # (enables running in incus containers where sysctl readonly)
+            continue
-                continue
+        server.sysctl(
-            server.sysctl(
+            name=f"Change {key}",
-                name=f"Change {key}",
+            key=key,
-                key=key,
+            value=65535,
-                value=65535,
+            persist=True,
-                persist=True,
+        )
-            )
 
     timezone_env = files.line(
         name="Set TZ environment variable",

cmdeploy/src/cmdeploy/sshexec.py

@@ -85,6 +85,8 @@ class SSHExec:
 
 
 class LocalExec:
+    FuncError = FuncError
+
     def __init__(self, verbose=False, docker=False):
         self.verbose = verbose
         self.docker = docker
@@ -95,11 +97,19 @@ class LocalExec:
         return call(**kwargs)
 
     def logged(self, call, kwargs: dict):
+        title = call.__doc__
+        if not title:
+            title = call.__name__
         where = "locally"
         if self.docker:
             if call == remote.rdns.perform_initial_checks:
                 kwargs["pre_command"] = "docker exec chatmail "
                 where = "in docker"
         if self.verbose:
-            print(f"Running {where}: {call.__name__}(**{kwargs})")
+            print_stderr(f"Running {where}: {title}(**{kwargs})")
-        return call(**kwargs)
+            return self(call, kwargs, log_callback=print_stderr)
+        else:
+            print_stderr(title, end="")
+            res = self(call, kwargs, log_callback=remote.rshell.log_progress)
+            print_stderr()
+            return res

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -7,13 +7,13 @@ import time
 import pytest
 
 from cmdeploy import remote
-from cmdeploy.sshexec import SSHExec
+from cmdeploy.cmdeploy import get_sshexec
 
 
 class TestSSHExecutor:
     @pytest.fixture(scope="class")
     def sshexec(self, sshdomain):
-        return SSHExec(sshdomain)
+        return get_sshexec(sshdomain)
 
     def test_ls(self, sshexec):
         out = sshexec(call=remote.rdns.shell, kwargs=dict(command="ls"))
@@ -27,6 +27,7 @@ class TestSSHExecutor:
         assert res["A"] or res["AAAA"]
 
     def test_logged(self, sshexec, maildomain, capsys):
+        sshexec.verbose = False
         sshexec.logged(
             remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=maildomain)
         )
@@ -52,6 +53,8 @@ class TestSSHExecutor:
                 remote.rdns.perform_initial_checks,
                 kwargs=dict(mail_domain=None),
             )
+        except AssertionError:
+            pass
         except sshexec.FuncError as e:
             assert "rdns.py" in str(e)
             assert "AssertionError" in str(e)

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -7,7 +7,7 @@ import pytest
 import requests
 
 from cmdeploy.remote import rshell
-from cmdeploy.sshexec import SSHExec
+from cmdeploy.cmdeploy import get_sshexec
 
 
 @pytest.fixture
@@ -90,7 +90,7 @@ class TestEndToEndDeltaChat:
         lp.sec(f"filling remote inbox for {user}")
         fn = f"7743102289.M843172P2484002.c20,S={quota},W=2398:2,"
         path = chatmail_config.mailboxes_dir.joinpath(user, "cur", fn)
-        sshexec = SSHExec(sshdomain)
+        sshexec = get_sshexec(sshdomain)
         sshexec(call=rshell.write_numbytes, kwargs=dict(path=str(path), num=120))
         res = sshexec(call=rshell.dovecot_recalc_quota, kwargs=dict(user=user))
         assert res["percent"] >= 100

cmdeploy/src/cmdeploy/tests/online/test_3_status.py

@@ -5,7 +5,11 @@ from cmdeploy.cmdeploy import main
 
 def test_status_cmd(chatmail_config, capsys, request):
     os.chdir(request.config.invocation_params.dir)
-    assert main(["status"]) == 0
+    command = ["status"]
+    if os.getenv("CHATMAIL_SSH"):
+        command.append("--ssh-host")
+        command.append(os.getenv("CHATMAIL_SSH"))
+    assert main(command) == 0
     status_out = capsys.readouterr()
     print(status_out.out)
 

cmdeploy/src/cmdeploy/tests/plugin.py

@@ -54,8 +54,8 @@ def maildomain(chatmail_config):
 
 
 @pytest.fixture(scope="session")
-def sshdomain(maildomain):
+def sshdomain(chatmail_config):
-    return os.environ.get("CHATMAIL_SSH", maildomain)
+    return os.environ.get("CHATMAIL_SSH", chatmail_config.ssh_host)
 
 
 @pytest.fixture
@@ -337,8 +337,14 @@ class Remote:
 
     def iter_output(self, logcmd=""):
         getjournal = "journalctl -f" if not logcmd else logcmd
+        print(self.sshdomain)
+        match self.sshdomain:
+            case "@local": command = []
+            case "localhost": command = []
+            case _: command = ["ssh", f"root@{self.sshdomain}"]
+        [command.append(arg) for arg in getjournal.split()]
         self.popen = subprocess.Popen(
-            ["ssh", f"root@{self.sshdomain}", getjournal],
+            command,
             stdout=subprocess.PIPE,
         )
         while 1:

doc/source/docker.rst

@@ -1,262 +0,0 @@
-Docker installation
-===================
-
-This section provides instructions for installing a chatmail relay
-using Docker Compose.
-
-.. note::
-
-   Docker support is experimental and not yet covered by automated tests, please report bugs.
-
-
-Known limitations
------------------
-
-- Requires cgroups v2 on the host. Operation with cgroups v1 has not been tested.
-- This preliminary image simply wraps the cmdeploy process detailed in the :doc:`getting_started` instructions in a full Debian-systemd image. 
-- Currently, the image has only been tested and built on amd64, though arm64 should theoretically work as well.
-
-
-Prerequisites
--------------
-
-- **Docker Compose v2** (``docker compose``, not ``docker-compose``) is
-  required for its ``cgroup: host`` support (`Install instructions <https://docs.docker.com/engine/install/debian/#install-using-the-repository>`_:)
-
-- **DNS records** for your domain (see step 1 below).
-
-- **Kernel parameters** — ``fs.inotify.max_user_instances`` and
-  ``fs.inotify.max_user_watches`` must be raised on the host because they
-  cannot be changed inside the container (see step 2 below).
-
-
-Preliminary setup
------------------
-
-We use ``chat.example.org`` as the chatmail domain in the following
-steps. Please substitute it with your own domain.
-
-1. Setup the initial DNS records.
-   The following is an example in the familiar BIND zone file format with
-   a TTL of 1 hour (3600 seconds).
-   Please substitute your domain and IP addresses.
-
-   ::
-
-       chat.example.org. 3600 IN A 198.51.100.5
-       chat.example.org. 3600 IN AAAA 2001:db8::5
-       www.chat.example.org. 3600 IN CNAME chat.example.org.
-       mta-sts.chat.example.org. 3600 IN CNAME chat.example.org.
-
-2. Configure kernel parameters on the host, as these can not be set from the container::
-
-       echo "fs.inotify.max_user_instances=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
-       echo "fs.inotify.max_user_watches=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
-       sudo sysctl --system
-
-
-Docker Compose Setup
---------------------
-
-Pre-built images are available from GitHub Container Registry. The
-``main`` branch and tagged releases are pushed automatically by CI::
-
-    docker pull ghcr.io/chatmail/relay:main      # latest main branch
-    docker pull ghcr.io/chatmail/relay:1.2.3     # tagged release
-
-
-Create service directory
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-Either:
-
-- Create a service directory, e.g., `/srv/chatmail-relay`::
-
-    mkdir -p /srv/chatmail-relay && cd /srv/chatmail-relay
-    wget https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker-compose.yaml https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker-compose.override.yaml.example
-    wget https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker/env.example -O .env
-    
-
-- or clone the chatmail repo ::
-
-   git clone https://github.com/chatmail/relay
-   cd relay
-   cp example.env .env
-
-
-
-Customize and start
-^^^^^^^^^^^^^^^^^^^
-
-1. All local customizations (data paths, extra volumes, config mounts) go in
-   ``docker-compose.override.yaml``, which Compose merges automatically with
-   the base file. By default, all data is stored in docker volumes, you will
-   likely want to at least create and configure the mail storage location. Copy
-   the example to get started::
-
-       cp docker/docker-compose.override.yaml.example docker-compose.override.yaml
-       # and edit docker-compose.override.yaml
-
-
-2. Configure the ``.env`` file. Only ``MAIL_DOMAIN`` is required, the domain
-   name of the future server.
-
-   The container generates a ``chatmail.ini`` with defaults from
-   ``MAIL_DOMAIN`` on first start. To customize chatmail settings, mount
-   your own ``chatmail.ini`` instead (see `Custom chatmail.ini`_ below).
-
-3. Start the container::
-
-       docker compose up -d
-       docker compose logs -f chatmail   # view logs, Ctrl+C to exit
-
-4. After installation is complete, open ``https://chat.example.org`` in
-   your browser.
-
-
-Managing the server
--------------------
-
-Use ``docker exec`` to run cmdeploy commands inside the container::
-
-    # Show required DNS records
-    docker exec chatmail /opt/cmdeploy/bin/cmdeploy dns --ssh-host @local
-
-    # Check server status
-    docker exec chatmail /opt/cmdeploy/bin/cmdeploy status --ssh-host @local
-
-    # Run benchmarks (can also run from any machine with cmdeploy installed)
-    docker exec chatmail /opt/cmdeploy/bin/cmdeploy bench chat.example.org
-
-
-Customization
--------------
-
-Custom website
-^^^^^^^^^^^^^^
-
-You can customize the chatmail landing page by mounting a directory with
-your own website source files.
-
-1. Create a directory with your custom website source::
-
-       mkdir -p ./custom/www/src
-       nano ./custom/www/src/index.md
-
-2. Add the volume mount in ``docker-compose.override.yaml``::
-
-       services:
-         chatmail:
-           volumes:
-             - ./custom/www:/opt/chatmail-www
-
-3. Restart the service::
-
-       docker compose down
-       docker compose up -d
-
-
-Custom chatmail.ini
-^^^^^^^^^^^^^^^^^^^
-
-There are two configuration modes:
-
-**Simple (default):** Set ``MAIL_DOMAIN`` in ``.env``. The container
-auto-generates ``chatmail.ini`` with defaults on first start. This is
-sufficient for most deployments.
-
-**Advanced:** Generate a ``chatmail.ini``, edit it, and mount it into
-the container. This gives you full control over all chatmail settings.
-
-1. Extract the generated config from a running container::
-
-       docker cp chatmail:/etc/chatmail/chatmail.ini ./chatmail.ini
-
-2. Edit ``chatmail.ini`` as needed.
-
-3. Add the volume mount in ``docker-compose.override.yaml`` ::
-
-       services:
-         chatmail:
-           volumes:
-             - ./chatmail.ini:/etc/chatmail/chatmail.ini
-
-4. Restart the container, the container skips generating a new one: ::
-
-       docker compose down && docker compose up -d
-
-
-Migrating from a bare-metal install
-------------------------------------
-
-If you have an existing bare-metal chatmail installation and want to
-switch to Docker:
-
-1. Stop all existing services::
-
-       systemctl stop postfix dovecot doveauth nginx opendkim unbound \
-         acmetool-redirector filtermail filtermail-incoming chatmail-turn \
-         iroh-relay chatmail-metadata lastlogin mtail
-       systemctl disable postfix dovecot doveauth nginx opendkim unbound \
-         acmetool-redirector filtermail filtermail-incoming chatmail-turn \
-         iroh-relay chatmail-metadata lastlogin mtail
-
-2. Copy your existing ``chatmail.ini`` and mount it into the container
-   (see `Custom chatmail.ini`_ above)::
-
-       cp /usr/local/lib/chatmaild/chatmail.ini ./chatmail.ini
-
-3. Copy persistent data into the ``./data/`` subdirectories (for example, as configured in `Customize and start`_) ::
-
-       mkdir -p data/chatmail-dkimkeys data/chatmail-acme data/chatmail
-
-       # DKIM keys
-       cp -a /etc/dkimkeys/* data/chatmail-dkimkeys/
-
-       # ACME certificates and account
-       rsync -a /var/lib/acme/ data/chatmail-acme/
-
-       # Mail data
-       rsync -a /home/ data/chatmail/
-
-   Alternatively, mount ``/home/vmail`` directly by changing the volume
-   in ``docker-compose-override.yaml``::
-
-       - /home/vmail:/home/vmail
-
-   The three ``./data/`` subdirectories cover all persistent state.
-   Everything else is regenerated by the ``configure`` and ``activate``
-   stages on container start.
-
-Building the image
-------------------
-
-Clone the repository and build the Docker image::
-
-    git clone https://github.com/chatmail/relay
-    cd relay
-    docker compose build chatmail
-
-The build bakes all binaries, Python packages, and the install stage
-into the image. After building, only ``docker-compose.yaml`` and ``.env``
-are needed to run the container.
-
-You can transfer a locally built image to your server directly (pigz is parallel `gzip` which can be used instead as well) ::
-
-    docker save chatmail-relay:latest | pigz | ssh chat.example.org 'pigz -d | docker load'
-
-
-Forcing a full reinstall
-------------------------
-
-On container start, only the ``configure`` and ``activate`` stages run by default.
-
-To force a full reinstall (e.g. after updating the source), either
-rebuild the image::
-
-    docker compose build chatmail
-    docker compose up -d
-
-Or override the stages at runtime without rebuilding::
-
-    CMDEPLOY_STAGES="install,configure,activate" docker compose up -d

doc/source/getting_started.rst

@@ -16,18 +16,11 @@ You will need the following:
 
 -  Control over a domain through a DNS provider of your choice.
 
--  A Debian 12 **deployment server** with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
+-  A Debian 12 server with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
    IPv6 is encouraged if available. Chatmail relay servers only require
    1GB RAM, one CPU, and perhaps 10GB storage for a few thousand active
    chatmail addresses.
 
--  A Linux or Unix **build machine** with key-based SSH access to the root
-   user of the deployment server.
-   You must add a passphrase-protected private key to your local ssh-agent because you
-   can’t type in your passphrase during deployment.
-   (An ed25519 private key is required due to an `upstream bug in
-   paramiko <https://github.com/paramiko/paramiko/issues/2191>`_)
-
 
 Setup with ``scripts/cmdeploy``
 -------------------------------------
@@ -35,7 +28,7 @@ Setup with ``scripts/cmdeploy``
 We use ``chat.example.org`` as the chatmail domain in the following
 steps. Please substitute it with your own domain.
 
-1. Setup the initial DNS records for your deployment server.
+1. Setup the initial DNS records for your relay.
    The following is an example in the
    familiar BIND zone file format with a TTL of 1 hour (3600 seconds).
    Please substitute your domain and IP addresses.
@@ -47,29 +40,24 @@ steps. Please substitute it with your own domain.
        www.chat.example.org. 3600 IN CNAME chat.example.org.
        mta-sts.chat.example.org. 3600 IN CNAME chat.example.org.
 
-2. On your local PC, clone the repository and bootstrap the Python
+2. Login to the server with SSH, clone the repository and bootstrap the Python
    virtualenv.
 
    ::
 
+       ssh root@chat.example.org
        git clone https://github.com/chatmail/relay
        cd relay
        scripts/initenv.sh
 
-3. On your local build machine (PC), create a chatmail configuration file
+3. Then, create a chatmail configuration file
    ``chatmail.ini``:
 
    ::
 
        scripts/cmdeploy init chat.example.org  # <-- use your domain
 
-4. Verify that SSH root login to the deployment server server works:
+4. Now run the deployment script to install the relay to the server:
-
-   ::
-
-       ssh root@chat.example.org  # <-- use your domain
-
-5. From your local build machine, setup and configure the remote deployment server:
 
    ::
 
@@ -80,33 +68,32 @@ steps. Please substitute it with your own domain.
    configure at your DNS provider (it can take some time until they are
    public).
 
-Docker installation
+Next Steps
--------------------
+----------
 
-There is experimental support for running chatmail via Docker Compose.
+Now you should display and check all recommended DNS records
-See :doc:`docker` for full setup instructions.
+to enable federation with other relays:
-
-Other helpful commands
-----------------------
-
-To check the status of your deployment server running the chatmail service:
-
-::
-
-   scripts/cmdeploy status
-
-To display and check all recommended DNS records:
 
 ::
 
    scripts/cmdeploy dns
 
-To test whether your chatmail service is working correctly:
+You should also test whether your chatmail service is working correctly:
 
 ::
 
    scripts/cmdeploy test
 
+Other Helpful Commands
+----------------------
+
+To check the status of your chatmail relay:
+
+::
+
+   scripts/cmdeploy status
+
+
 To measure the performance of your chatmail service:
 
 ::
@@ -147,8 +134,9 @@ This starts a local live development cycle for chatmail web pages:
    directory and generating HTML files and copying assets to the
    ``www/build`` directory.
 
--  Starts a browser window automatically where you can “refresh” as
+-  if you are running scripts/cmdeploy webdev on the relay itself,
-   needed.
+   you need to configure a route in /etc/nginx/nginx.conf
+   to expose the build directory.
 
 Custom web pages
 ----------------
@@ -166,7 +154,7 @@ Disable automatic address creation
 --------------------------------------------------------
 
 If you need to stop address creation, e.g. because some script is wildly
-creating addresses, login with ssh to the deployment machine and run:
+creating addresses, login with ssh to the relay and run:
 
 ::
 
@@ -174,24 +162,3 @@ creating addresses, login with ssh to the deployment machine and run:
 
 Chatmail address creation will be denied while this file is present.
 
-
-Migrating to a new build machine
-----------------------------------
-
-To move or add a build machine,
-clone the relay repository on the new build machine, and copy the ``chatmail.ini`` file from the old build machine.
-Make sure ``rsync`` is installed, then initialize the environment:
-
-::
-
-   ./scripts/initenv.sh
-
-Run safety checks before a new deployment:
-
-::
-
-   ./scripts/cmdeploy dns
-   ./scripts/cmdeploy status
-
-If you keep multiple build machines (ie laptop and desktop), keep ``chatmail.ini`` in sync between
-them.

doc/source/index.rst

@@ -13,7 +13,6 @@ Contributions and feedback welcome through the https://github.com/chatmail/relay
     :maxdepth: 5
 
     getting_started
-    docker
     proxy
     migrate
     overview

docker-compose.override.yaml.example

@@ -1,33 +0,0 @@
-# Local overrides — copy to docker-compose.override.yaml in the repo root.
-# Compose automatically merges this with docker-compose.yaml.
-#
-#   cp docker/docker-compose.override.yaml.example docker-compose.override.yaml
-#
-# Volumes listed here are APPENDED to the base file's volumes.
-# Scalar values (environment, image, etc.) are REPLACED.
-services:
-  chatmail:
-    volumes:
-      ## Data paths — bind-mount to host directories for easy access/backup.
-      ## Uncomment and adjust paths as needed. These override the named
-      ## volumes in the base docker-compose.yaml.
-      # - ./data/chatmail:/home/vmail
-      # - ./data/chatmail-dkimkeys:/etc/dkimkeys
-      # - ./data/chatmail-acme:/var/lib/acme
-
-      ## Or mount data from an existing bare-metal install.
-      ## Note: DKIM key ownership is fixed automatically on startup
-      ## (the host's opendkim UID may differ from the container's).
-      # - /home/vmail:/home/vmail
-      # - /etc/dkimkeys:/etc/dkimkeys
-      # - /var/lib/acme:/var/lib/acme
-
-      ## Mount your own chatmail.ini (skips auto-generation):
-      # - ./chatmail.ini:/etc/chatmail/chatmail.ini
-
-      ## Custom website:
-      # - ./custom/www:/opt/chatmail-www
-
-      ## Debug — mount scripts from the repo for live editing:
-      # - ./docker/files/setup_chatmail_docker.sh:/setup_chatmail_docker.sh
-      # - ./docker/files/entrypoint.sh:/entrypoint.sh

docker-compose.yaml

@@ -1,51 +0,0 @@
-# Base compose file — do not edit. Put customizations (data paths, extra
-# volumes, env overrides) in docker-compose.override.yaml instead.
-# See docker/docker-compose.override.yaml.example for a starting point.
-#
-# Security note: this container uses network_mode:host (chatmail needs many
-# ports: 25, 53, 80, 143, 443, 465, 587, 993, 3340, 8443) and cgroup:host
-# (required for systemd). Together these give the container near-host-level
-# access. This is acceptable for a dedicated mail server, but be aware that
-# the container can bind any port and see all host network traffic.
-services:
-  chatmail:
-    build:
-      context: ./
-      dockerfile: docker/chatmail_relay.dockerfile
-      args:
-        GIT_HASH: ${GIT_HASH:-unknown}
-    image: chatmail-relay:latest
-    restart: unless-stopped
-    container_name: chatmail
-    # Required for systemd — use only one of the following:
-    cgroup: host          # compose v2 only
-    # privileged: true    # compose v1 (not tested)
-    tty: true # required for logs
-    tmpfs: # required for systemd
-      - /tmp
-      - /run
-      - /run/lock
-    logging:
-      driver: json-file
-      options:
-        max-size: "10m"
-        max-file: "3"
-    environment:
-      MAIL_DOMAIN: $MAIL_DOMAIN
-      CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
-      CHATMAIL_NOSYSCTL: ${CHATMAIL_NOSYSCTL:-True}
-      CHATMAIL_NOPORTCHECK: ${CHATMAIL_NOPORTCHECK:-True}
-      CHATMAIL_NOACME: ${CHATMAIL_NOACME:-}
-    network_mode: "host"
-    volumes:
-      ## system (required)
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-      ## data (defaults — override in docker-compose.override.yaml)
-      - chatmail-data:/home/vmail
-      - chatmail-dkimkeys:/etc/dkimkeys
-      - chatmail-acme:/var/lib/acme
-
-volumes:
-  chatmail-data:
-  chatmail-dkimkeys:
-  chatmail-acme:

docker/build.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-# Build the chatmail Docker image with the current git hash baked in.
-# Usage: ./docker/build.sh [extra docker-compose build args...]
-#
-# .git/ is excluded from the build context (.dockerignore) so the hash
-# must be passed as a build arg from the host.
-
-export GIT_HASH=$(git rev-parse --short HEAD)
-exec docker compose build "$@"

docker/chatmail_relay.dockerfile

@@ -1,105 +0,0 @@
-FROM jrei/systemd-debian:12 AS base
-
-ENV LANG=en_US.UTF-8
-
-RUN echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommend && \
-    echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/01norecommend && \
-    apt-get update && \
-    apt-get install -y \
-        ca-certificates && \
-    DEBIAN_FRONTEND=noninteractive \
-    TZ=UTC \
-    apt-get install -y tzdata && \
-    apt-get install -y locales && \
-    sed -i -e "s/# $LANG.*/$LANG UTF-8/" /etc/locale.gen && \
-    dpkg-reconfigure --frontend=noninteractive locales && \
-    update-locale LANG=$LANG \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN apt-get update && \
-    apt-get install -y \
-        git \
-        python3 \
-        python3-venv \
-        python3-virtualenv \
-        gcc \
-        python3-dev \
-        opendkim \
-        opendkim-tools \
-        curl \
-        rsync \
-        unbound \
-        unbound-anchor \
-        dnsutils \
-        postfix \
-        acl \
-        nginx \
-        libnginx-mod-stream \
-        fcgiwrap \
-        cron \
-    && rm -rf /var/lib/apt/lists/*
-
-# --- Build-time: install cmdeploy venv and run install stage ---
-# Editable install so importlib.resources reads directly from the source tree.
-# On container start only "configure,activate" stages run.
-COPY . /opt/chatmail/
-WORKDIR /opt/chatmail
-
-RUN printf '[params]\nmail_domain = build.local\n' > /tmp/chatmail.ini
-
-# Dummy git repo init: .git/ is excluded from the build context (.dockerignore)
-# but setuptools calls `git ls-files` when building the sdist.
-RUN git init -q && \
-    python3 -m venv /opt/cmdeploy && \
-    /opt/cmdeploy/bin/pip install --no-cache-dir \
-        -e chatmaild/ -e cmdeploy/
-
-RUN CMDEPLOY_STAGES=install \
-    CHATMAIL_INI=/tmp/chatmail.ini \
-    CHATMAIL_NOSYSCTL=True \
-    CHATMAIL_NOPORTCHECK=True \
-    /opt/cmdeploy/bin/pyinfra @local \
-        /opt/chatmail/cmdeploy/src/cmdeploy/run.py -y
-
-RUN cp -a www/ /opt/chatmail-www/
-
-RUN rm -f /tmp/chatmail.ini
-
-# Record image version (used in deploy fingerprint at runtime).
-# GIT_HASH is passed as a build arg (from docker-compose or CI) so that
-# .git/ can be excluded from the build context via .dockerignore.
-ARG GIT_HASH=unknown
-RUN echo "$GIT_HASH" > /etc/chatmail-image-version && \
-    echo "$GIT_HASH" > /etc/chatmail-version
-# --- End build-time install ---
-
-ENV CHATMAIL_INI=/etc/chatmail/chatmail.ini
-ENV PATH="/opt/cmdeploy/bin:${PATH}"
-RUN ln -s /etc/chatmail/chatmail.ini /opt/chatmail/chatmail.ini
-
-ARG SETUP_CHATMAIL_SERVICE_PATH=/lib/systemd/system/setup_chatmail.service
-COPY ./docker/files/setup_chatmail.service "$SETUP_CHATMAIL_SERVICE_PATH"
-RUN ln -sf "$SETUP_CHATMAIL_SERVICE_PATH" "/etc/systemd/system/multi-user.target.wants/setup_chatmail.service"
-
-# Remove default nginx site config at build time (not in entrypoint)
-RUN rm -f /etc/nginx/sites-enabled/default
-
-COPY --chmod=555 ./docker/files/setup_chatmail_docker.sh /setup_chatmail_docker.sh
-COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh
-
-# Certificate monitoring as a proper systemd timer (not a background process)
-COPY --chmod=555 ./docker/files/chatmail-certmon.sh /chatmail-certmon.sh
-COPY ./docker/files/chatmail-certmon.service /lib/systemd/system/chatmail-certmon.service
-COPY ./docker/files/chatmail-certmon.timer /lib/systemd/system/chatmail-certmon.timer
-RUN ln -sf /lib/systemd/system/chatmail-certmon.timer /etc/systemd/system/timers.target.wants/chatmail-certmon.timer
-
-HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
-  CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1
-
-STOPSIGNAL SIGRTMIN+3
-
-ENTRYPOINT ["/entrypoint.sh"]
-
-CMD [   "--default-standard-output=journal+console", \
-        "--default-standard-error=journal+console" ]
-

docker/docker-compose-traefik.yaml

@@ -1,116 +0,0 @@
-# Traefik reverse proxy + cert manager for chatmail.
-# Use this instead of docker-compose.yaml when Traefik manages TLS certificates.
-#
-# Required .env vars:
-#   MAIL_DOMAIN=chat.example.com
-#   ACME_EMAIL=admin@example.com
-#
-# Usage:
-#   cp docker/example-traefik.env .env
-#   docker compose -f docker/docker-compose-traefik.yaml build
-#   docker compose -f docker/docker-compose-traefik.yaml up -d
-
-services:
-  chatmail:
-    build:
-      context: ../
-      dockerfile: docker/chatmail_relay.dockerfile
-    image: chatmail-relay:latest
-    restart: unless-stopped
-    container_name: chatmail
-    depends_on:
-      traefik-certs-dumper:
-        condition: service_started
-    cgroup: host
-    tty: true
-    tmpfs:
-      - /tmp
-      - /run
-      - /run/lock
-    logging:
-      driver: json-file
-      options:
-        max-size: "10m"
-        max-file: "3"
-    environment:
-      MAIL_DOMAIN: $MAIL_DOMAIN
-      CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
-      CHATMAIL_NOACME: "true"
-      PATH_TO_SSL: /var/lib/acme/live/${MAIL_DOMAIN}
-    ports:
-      - "25:25"
-      - "143:143"
-      - "465:465"
-      - "587:587"
-      - "993:993"
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-      - chatmail-data:/home
-      - chatmail-dkimkeys:/etc/dkimkeys
-      - traefik-certs:/var/lib/acme/live:ro
-
-    labels:
-      - traefik.enable=true
-      - traefik.http.services.chatmail.loadbalancer.server.scheme=https
-      - traefik.http.services.chatmail.loadbalancer.server.port=443
-      - traefik.http.services.chatmail.loadbalancer.serverstransport=insecure@file
-      - traefik.http.routers.chatmail.rule=Host(`${MAIL_DOMAIN}`) || Host(`mta-sts.${MAIL_DOMAIN}`) || Host(`www.${MAIL_DOMAIN}`)
-      - traefik.http.routers.chatmail.tls=true
-      - traefik.http.routers.chatmail.tls.certresolver=letsEncrypt
-
-  traefik:
-    image: traefik:v3.3
-    container_name: traefik
-    restart: unless-stopped
-    logging:
-      driver: json-file
-      options:
-        max-size: "10m"
-        max-file: "3"
-    command:
-      - "--configFile=/config.yaml"
-      - "--certificatesresolvers.letsEncrypt.acme.email=${ACME_EMAIL}"
-    network_mode: host
-    depends_on:
-      traefik-init:
-        condition: service_completed_successfully
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./traefik/config.yaml:/config.yaml:ro
-      - traefik-data:/data
-      - ./traefik/dynamic-configs:/dynamic/conf:ro
-
-  traefik-init:
-    image: alpine:latest
-    restart: "no"
-    entrypoint: sh -c 'touch /data/acme.json && chmod 600 /data/acme.json'
-    volumes:
-      - traefik-data:/data
-
-  traefik-certs-dumper:
-    image: ldez/traefik-certs-dumper:v2.10.0
-    restart: unless-stopped
-    logging:
-      driver: json-file
-      options:
-        max-size: "10m"
-        max-file: "3"
-    depends_on:
-      - traefik
-    entrypoint: sh -c '
-      apk add openssl
-      && while ! [ -e /data/acme.json ] || ! [ "$$(jq ".[] | .Certificates | length" /data/acme.json | jq -s "add")" != "0" ]; do
-        sleep 1
-      ; done
-      && traefik-certs-dumper file --version v3 --watch --domain-subdir=true
-        --source /data/acme.json --dest /certs --post-hook "sh /post-hook.sh"'
-    volumes:
-      - traefik-data:/data:ro
-      - traefik-certs:/certs
-      - ./traefik/post-hook.sh:/post-hook.sh:ro
-
-volumes:
-  chatmail-data:
-  chatmail-dkimkeys:
-  traefik-data:
-  traefik-certs:

docker/example-traefik.env

@@ -1,5 +0,0 @@
-MAIL_DOMAIN="chat.example.com"
-ACME_EMAIL="admin@example.com"
-
-# CMDEPLOY_STAGES - default: "configure,activate". Set to "install,configure,activate" to force full reinstall.
-# CMDEPLOY_STAGES="configure,activate"

docker/files/chatmail-certmon.service

@@ -1,8 +0,0 @@
-[Unit]
-Description=Check TLS certificate changes and reload services
-After=setup_chatmail.service
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash /chatmail-certmon.sh
-PassEnvironment=MAIL_DOMAIN PATH_TO_SSL

docker/files/chatmail-certmon.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-# Check if TLS certificates have changed and reload services if so.
-# Called by chatmail-certmon.timer (systemd timer, default every 60s).
-set -eo pipefail
-
-PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
-HASH_FILE="/run/chatmail-certmon.hash"
-
-if [ ! -d "$PATH_TO_SSL" ]; then
-    exit 0
-fi
-
-current_hash=$(find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}')
-previous_hash=""
-if [ -f "$HASH_FILE" ]; then
-    previous_hash=$(cat "$HASH_FILE")
-fi
-
-if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
-    echo "[INFO] Certificate hash changed, reloading nginx, dovecot and postfix."
-    echo "$current_hash" > "$HASH_FILE"
-    # On first run (no previous hash), don't reload — services may not be up yet
-    if [ -n "$previous_hash" ]; then
-        systemctl reload nginx.service
-        systemctl reload dovecot.service
-        systemctl reload postfix.service
-    fi
-fi

docker/files/chatmail-certmon.timer

@@ -1,9 +0,0 @@
-[Unit]
-Description=Periodically check TLS certificate changes
-
-[Timer]
-OnBootSec=120
-OnUnitActiveSec=60
-
-[Install]
-WantedBy=timers.target

docker/files/entrypoint.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-
-SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/setup_chatmail.service}"
-
-# Whitelist only the env vars needed by setup_chatmail_docker.sh.
-# Forwarding all env vars (via printenv) would leak Docker internals,
-# orchestrator secrets, and other unrelated variables into systemd.
-env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK CHATMAIL_NOACME PATH_TO_SSL PATH"
-sed -i "s|<envs_list>|$env_vars|g" "$SETUP_CHATMAIL_SERVICE_PATH"
-
-exec /lib/systemd/systemd "$@"

docker/files/setup_chatmail.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=Run container setup commands
-After=multi-user.target
-ConditionPathExists=/setup_chatmail_docker.sh
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash /setup_chatmail_docker.sh
-RemainAfterExit=true
-WorkingDirectory=/opt/chatmail
-PassEnvironment=<envs_list>
-
-[Install]
-WantedBy=multi-user.target

docker/files/setup_chatmail_docker.sh

@@ -1,54 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-export CHATMAIL_INI="${CHATMAIL_INI:-/etc/chatmail/chatmail.ini}"
-
-CMDEPLOY=/opt/cmdeploy/bin/cmdeploy
-
-if [ -z "$MAIL_DOMAIN" ]; then
-    echo "ERROR: Environment variable 'MAIL_DOMAIN' must be set!" >&2
-    exit 1
-fi
-
-### MAIN
-
-if [ ! -f /etc/dkimkeys/opendkim.private ]; then
-    /usr/sbin/opendkim-genkey -D /etc/dkimkeys -d "$MAIL_DOMAIN" -s opendkim
-fi
-# Fix ownership for bind-mounted keys (host opendkim UID may differ from container)
-chown -R opendkim:opendkim /etc/dkimkeys
-
-# Journald: forward to console for docker logs
-grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
-    || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
-systemctl restart systemd-journald
-
-# Create chatmail.ini (skips if file already exists, e.g. volume-mounted)
-mkdir -p "$(dirname "$CHATMAIL_INI")"
-if [ ! -f "$CHATMAIL_INI" ]; then
-    $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
-fi
-
-# --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
-# On restart with identical image+config, systemd already brings up all
-# enabled services — the full cmdeploy run is redundant (~30s saved).
-# The install stage runs at image build time (Dockerfile), so only
-# configure+activate are needed here.
-IMAGE_VERSION_FILE="/etc/chatmail-image-version"
-FINGERPRINT_FILE="/etc/chatmail/.deploy-fingerprint"
-image_ver="none"
-[ -f "$IMAGE_VERSION_FILE" ] && image_ver=$(cat "$IMAGE_VERSION_FILE")
-config_hash=$(sha256sum "$CHATMAIL_INI" | cut -c1-16)
-current_fp="${image_ver}:${config_hash}"
-
-# CMDEPLOY_STAGES non-empty in env = operator override → always run.
-# Otherwise, if fingerprint matches the last successful deploy, skip.
-if [ -z "${CMDEPLOY_STAGES:-}" ] \
-    && [ -f "$FINGERPRINT_FILE" ] \
-    && [ "$(cat "$FINGERPRINT_FILE")" = "$current_fp" ]; then
-    echo "[INFO] No changes detected ($current_fp), skipping deploy."
-else
-    export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
-    $CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local
-    echo "$current_fp" > "$FINGERPRINT_FILE"
-fi

docker/traefik/config.yaml

@@ -1,30 +0,0 @@
-log:
-  level: INFO
-
-entryPoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          permanent: true
-  websecure:
-    address: ":443"
-
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-    exposedByDefault: false
-  file:
-    directory: /dynamic/conf
-    watch: true
-
-certificatesResolvers:
-  letsEncrypt:
-    acme:
-      storage: /data/acme.json
-      caServer: "https://acme-v02.api.letsencrypt.org/directory"
-      tlschallenge: true
-      httpChallenge:
-        entryPoint: web

docker/traefik/dynamic-configs/insecure.yaml

@@ -1,4 +0,0 @@
-http:
-  serversTransports:
-    insecure:
-      insecureSkipVerify: true

docker/traefik/post-hook.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-# Post-hook for traefik-certs-dumper: create symlinks from Traefik's
-# cert dump format to the paths chatmail expects (fullchain, privkey).
-CERTS_DIR="${CERTS_DIR:-/certs}"
-
-for dir in "$CERTS_DIR"/*/; do
-    [ -d "$dir" ] || continue
-    cd "$dir"
-    [ -f "certificate.crt" ] && ln -sf certificate.crt fullchain
-    [ -f "privatekey.key" ] && ln -sf privatekey.key privkey
-    cd - > /dev/null
-done

env.example

@@ -1,7 +0,0 @@
-MAIL_DOMAIN="chat.example.com"
-
-# CMDEPLOY_STAGES - default: "configure,activate". Set to "install,configure,activate" to force full reinstall.
-# CMDEPLOY_STAGES="configure,activate"
-
-# Skip acmetool when using an external certificate manager (e.g. Traefik, Caddy).
-# CHATMAIL_NOACME="True"