bump cmlxc to 0.13.5 which fixes a powerdns config issue

replaces #870
fix #851

chatmaild/src/chatmaild/metadata.py

@@ -70,9 +70,6 @@ class Metadata:
                 # Some tokens have expired, remove them.
                 with self._modify_tokens(addr) as _tokens:
                     pass
-        elif isinstance(tokens, list):
-            with self._modify_tokens(addr) as tokens:
-                token_list = list(tokens.keys())
         else:
             token_list = []
         return token_list

chatmaild/src/chatmaild/tests/test_metadata.py

@@ -372,14 +372,3 @@ def test_iroh_relay(dictproxy):
     dictproxy.iroh_relay = "https://example.org/"
     dictproxy.loop_forever(rfile, wfile)
     assert wfile.getvalue() == b"Ohttps://example.org/\n"
-
-
-def test_legacy_token_migration(metadata, testaddr):
-    with metadata.get_metadata_dict(testaddr).modify() as data:
-        data[metadata.DEVICETOKEN_KEY] = ["oldtoken1", "oldtoken2"]
-
-    assert metadata.get_tokens_for_addr(testaddr) == ["oldtoken1", "oldtoken2"]
-    mdict = metadata.get_metadata_dict(testaddr).read()
-    tokens = mdict[metadata.DEVICETOKEN_KEY]
-    assert isinstance(tokens, dict)
-    assert "oldtoken1" in tokens and "oldtoken2" in tokens

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -42,9 +42,6 @@ stream {
 }
 
 http {
-	# access_log setting is inherited by all server sections
-	access_log syslog:server=unix:/dev/log,facility=local7;
-
 {% if config.tls_cert_mode == "self" %}
 	limit_req_zone $binary_remote_addr zone=newaccount:10m rate=2r/s;
 {% endif %}
@@ -72,7 +69,9 @@ http {
 
 		index index.html index.htm;
 
-		server_name {{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
+		server_name {{ config.mail_domain }} www.{{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
+
+		access_log syslog:server=unix:/dev/log,facility=local7;
 
 		location /mxdeliv {
 		    proxy_pass http://127.0.0.1:{{ config.filtermail_http_port_incoming }};
@@ -144,6 +143,7 @@ http {
 		listen 127.0.0.1:8443 ssl;
 		server_name www.{{ config.mail_domain }};
 		return 301 $scheme://{{ config.mail_domain }}$request_uri;
+		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
 
 	server {

cmdeploy/src/cmdeploy/remote/rdns.py

@@ -71,7 +71,7 @@ def get_authoritative_ns(domain):
             f"dig -r -q {domain} -t NS +noall +authority +answer", print=log_progress
         ).split("\n")
     ]
-    filtered_replies = [a for a in ns_replies if len(a) >= 5 and a[3] == "NS"]
+    filtered_replies = [a for a in ns_replies if len(a) >= 5 and a[3] in ("SOA", "NS")]
     if not filtered_replies:
         return
     return filtered_replies[0][4]

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -281,13 +281,3 @@ def test_deployed_state(remote):
     # assert len(git_status) == len(remote_version)  # for some reason, we only get 11 lines from remote.iter_output()
     for i in range(len(remote_version)):
         assert git_status[i] == remote_version[i], "You have undeployed changes."
-
-
-def test_nginx_access_log_only_defined_once(sshdomain):
-    sshexec = get_sshexec(sshdomain)
-    conf = sshexec(
-        call=remote.rshell.shell,
-        kwargs=dict(command="nginx -T 2>/dev/null"),
-    )
-    access_logs = [l for l in conf.splitlines() if l.strip().startswith("access_log")]
-    assert len(access_logs) == 1, f"expected 1 access_log, found {len(access_logs)}: {access_logs}"

cmdeploy/src/cmdeploy/tests/test_dns.py

@@ -15,15 +15,26 @@ def mockdns_base(monkeypatch):
         if command.startswith("dig"):
             if command == "dig":
                 return "."
-            if "with.public.soa" in command and "NS" in command:
-                return "domain.with.public.soa. 2419 IN NS ns1.first-ns.de."
+            if "with.public.soa" in command:
+                return (
+                    "domain.with.public.soa. 2419 IN SOA ns1.first-ns.de. dns.hetzner.com."
+                    " 2026050300 7200 1800 604800 3600"
+                )
+            if "with.hidden.soa" in command and "SOA" in command:
+                return (
+                    "domain.with.hidden.soa. 300 IN SOA get.desec.io. get.desec.io."
+                    " 2026025451 86400 3600 2419200 3600"
+                )
             if "with.hidden.soa" in command and "NS" in command:
                 return (
                     "domain.with.hidden.soa. 2137 IN NS ns1.desec.io.\n"
                     "domain.with.hidden.soa. 2137 IN NS ns2.desec.org."
                 )
             if "NS" in command:
-                return "delta.chat. 21600 IN NS ns1.first-ns.de."
+                return (
+                    "delta.chat. 21600 IN SOA ns1.first-ns.de. dns.hetzner.com."
+                    " 2025102800 14400 1800 604800 3600"
+                )
             command_chunks = command.split()
             domain, typ = command_chunks[4], command_chunks[6]
             try:
@@ -134,8 +145,8 @@ class TestPerformInitialChecks:
     ("domain", "ns"),
     [
         ("domain.with.public.soa", "ns1.first-ns.de."),
-        ("domain.with.hidden.soa", "ns1.desec.io."),
-    ],
+        ("domain.with.hidden.soa", "ns1.desec.io.")
+    ]
 )
 def test_get_authoritative_ns(domain, ns, mockdns):
     assert get_authoritative_ns(domain) == ns