iroh: make config read-only

.github/workflows/staging-ipv4.testrun.org-default.zone

@@ -17,4 +17,5 @@ $TTL 300
 ;; DNS records.
 @       IN      A       37.27.95.249
 mta-sts.staging-ipv4.testrun.org.    CNAME   staging-ipv4.testrun.org.
+iroh.staging-ipv4.testrun.org.       CNAME   staging-ipv4.testrun.org.
 www.staging-ipv4.testrun.org.        CNAME   staging-ipv4.testrun.org.

.github/workflows/staging.testrun.org-default.zone

@@ -17,5 +17,6 @@ $TTL 300
 ;; DNS records.
 @       IN      A       37.27.24.139
 mta-sts.staging2.testrun.org.    CNAME   staging2.testrun.org.
+iroh.staging2.testrun.org.       CNAME   staging2.testrun.org.
 www.staging2.testrun.org.        CNAME   staging2.testrun.org.
 

CHANGELOG.md

@@ -2,12 +2,6 @@
 
 ## untagged
 
-- cmdeploy dns: offer alternative DKIM record format for some web interfaces
-  ([#470](https://github.com/deltachat/chatmail/pull/470))
-
-- migration guide: let opendkim own the DKIM keys directory
-  ([#468](https://github.com/deltachat/chatmail/pull/468))
-
 ## 1.5.0 2024-12-20
 
 - cmdeploy dns: always show recommended DNS records

README.md

@@ -281,7 +281,7 @@ to make sure you can connect with SSH.
    `ssh root@13.37.13.37 tar c /etc/dkimkeys | ssh root@13.12.23.42 tar x -C /etc/`
    so the DKIM DNS record stays correct.
 
-3. On the new server, run `chown root: -R /var/lib/acme` and `chown opendkim: -R /etc/dkimkeys` to make sure the permissions are correct.
+3. On the new server, run `chown root: -R /var/lib/acme` and `chown root: -R /etc/dkimkeys` to make sure the permissions are correct.
 
 4. Run `cmdeploy run --disable-mail --ssh-host 13.12.23.42` to install chatmail on the new machine.
    postfix and dovecot are disabled for now,

chatmaild/pyproject.toml

@@ -12,7 +12,6 @@ dependencies = [
   "deltachat-rpc-client",
   "filelock",
   "requests",
-  "crypt-r",
 ]
 
 [tool.setuptools]

chatmaild/src/chatmaild/doveauth.py

@@ -1,10 +1,9 @@
+import crypt
 import json
 import logging
 import os
 import sys
 
-import crypt_r
-
 from .config import Config, read_config
 from .dictproxy import DictProxy
 from .migrate_db import migrate_from_db_to_maildir
@@ -14,7 +13,7 @@ NOCREATE_FILE = "/etc/chatmail-nocreate"
 
 def encrypt_password(password: str):
     # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
-    passhash = crypt_r.crypt(password, crypt_r.METHOD_SHA512)
+    passhash = crypt.crypt(password, crypt.METHOD_SHA512)
     return "{SHA512-CRYPT}" + passhash
 
 

chatmaild/src/chatmaild/migrate_db.py

@@ -32,7 +32,7 @@ def migrate_from_db_to_maildir(config, chunking=10000):
     # don't transfer special/CI accounts
     rows = [row for row in all_rows if row[0][:3] not in ("ci-", "ac_")]
 
-    logging.info(f"ignoring {len(all_rows) - len(rows)} CI accounts")
+    logging.info(f"ignoring {len(all_rows)-len(rows)} CI accounts")
     logging.info(f"migrating {len(rows)} sqlite database passwords to user dirs")
 
     for i, row in enumerate(rows):

cmdeploy/src/cmdeploy/__init__.py

@@ -10,7 +10,7 @@ import sys
 from pathlib import Path
 
 from chatmaild.config import Config, read_config
-from pyinfra import facts, host
+from pyinfra import host, facts
 from pyinfra.facts.files import File
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, pip, server, systemd
@@ -78,11 +78,6 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         always_copy=True,
     )
 
-    apt.packages(
-        name="install python3-dev to build crypt_r source package",
-        packages=["python3-dev"],
-    )
-
     server.shell(
         name=f"forced pip-install {dist_file.name}",
         commands=[
@@ -522,12 +517,12 @@ def deploy_iroh_relay(config) -> None:
     need_restart |= systemd_unit.changed
 
     iroh_config = files.put(
-        name="Upload iroh-relay config",
+        name=f"Upload iroh-relay config",
         src=importlib.resources.files(__package__).joinpath("iroh-relay.toml"),
-        dest="/etc/iroh-relay.toml",
+        dest=f"/etc/iroh-relay.toml",
         user="root",
         group="root",
-        mode="644",
+        mode="444",
     )
     need_restart |= iroh_config.changed
 

cmdeploy/src/cmdeploy/acmetool/__init__.py

@@ -70,6 +70,6 @@ def deploy_acmetool(email="", domains=[]):
     )
 
     server.shell(
-        name=f"Request certificate for: {', '.join(domains)}",
-        commands=[f"acmetool want --xlog.severity=debug {' '.join(domains)}"],
+        name=f"Request certificate for: { ', '.join(domains) }",
+        commands=[f"acmetool want --xlog.severity=debug { ' '.join(domains)}"],
     )

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -56,12 +56,12 @@ def run_cmd_options(parser):
         "--disable-mail",
         dest="disable_mail",
         action="store_true",
-        help="install/upgrade the server, but disable postfix & dovecot for now",
+        help="install/upgrade the server, but disable postfix & dovecot for now"
     )
     parser.add_argument(
         "--ssh-host",
         dest="ssh_host",
-        help="specify an SSH host to deploy to; uses mail_domain from chatmail.ini by default",
+        help="specify an SSH host to deploy to; uses mail_domain from chatmail.ini by default"
     )
 
 

cmdeploy/src/cmdeploy/deploy.py

@@ -11,7 +11,7 @@ def main():
         "CHATMAIL_INI",
         importlib.resources.files("cmdeploy").joinpath("../../../chatmail.ini"),
     )
-    disable_mail = bool(os.environ.get("CHATMAIL_DISABLE_MAIL"))
+    disable_mail = bool(os.environ.get('CHATMAIL_DISABLE_MAIL'))
 
     deploy_chatmail(config_path, disable_mail)
 

cmdeploy/src/cmdeploy/dns.py

@@ -56,11 +56,6 @@ def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
             out(line)
         out("")
         returncode = 1
-    if remote_data.get("dkim_entry") in required_diff:
-        out(
-            "If the DKIM entry above does not work with your DNS provider, you can try this one:\n"
-        )
-        out(remote_data.get("web_dkim_entry") + "\n")
     if recommended_diff:
         out("WARNING: these recommended DNS entries are not set:\n")
         for line in recommended_diff:

cmdeploy/src/cmdeploy/remote/rdns.py

@@ -27,9 +27,7 @@ def perform_initial_checks(mail_domain):
 
     res = dict(mail_domain=mail_domain, A=A, AAAA=AAAA, MTA_STS=MTA_STS, WWW=WWW)
     res["acme_account_url"] = shell("acmetool account-url", fail_ok=True)
-    res["dkim_entry"], res["web_dkim_entry"] = get_dkim_entry(
-        mail_domain, dkim_selector="opendkim"
-    )
+    res["dkim_entry"] = get_dkim_entry(mail_domain, dkim_selector="opendkim")
 
     if not MTA_STS or not WWW or (not A and not AAAA):
         return res
@@ -50,11 +48,7 @@ def get_dkim_entry(mail_domain, dkim_selector):
         return
     dkim_value_raw = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
     dkim_value = '" "'.join(re.findall(".{1,255}", dkim_value_raw))
-    web_dkim_value = "".join(re.findall(".{1,255}", dkim_value_raw))
-    return (
-        f'{dkim_selector}._domainkey.{mail_domain}. TXT "{dkim_value}"',
-        f'{dkim_selector}._domainkey.{mail_domain}. TXT "{web_dkim_value}"',
-    )
+    return f'{dkim_selector}._domainkey.{mail_domain}. TXT "{dkim_value}"'
 
 
 def query_dns(typ, domain):

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -85,7 +85,7 @@ class TestEndToEndDeltaChat:
         attachsize = 1 * 1024 * 1024
         num_to_send = quota // attachsize + 2
         lp.sec(f"ac1: send {num_to_send} large files to ac2")
-        lp.indent(f"per-user quota is assumed to be: {quota / (1024 * 1024)}MB")
+        lp.indent(f"per-user quota is assumed to be: {quota/(1024*1024)}MB")
         alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
         msgs = []
         for i in range(num_to_send):
@@ -97,7 +97,7 @@ class TestEndToEndDeltaChat:
 
             msg = chat.send_file(str(attachment))
             msgs.append(msg)
-            lp.indent(f"Sent out msg {i}, size {attachsize / (1024 * 1024)}MB")
+            lp.indent(f"Sent out msg {i}, size {attachsize/(1024*1024)}MB")
 
         lp.sec("ac2: check messages are arriving until quota is reached")