fix: make letsencrypt and mail recipes idempotent on redeploy#5
Draft
troglodyne wants to merge 1 commit into
Conversation
letsencrypt.tt: Replace unconditional rm -rf of /var/lib/dehydrated/accounts with a migration+symlink approach. On first run with a real directory, contents are copied to /etc/dehydrated/accounts before removal. Subsequent runs detect the symlink and skip entirely. Prevents losing LE account credentials on redeploy which would force re-registration and risk hitting rate limits.

mail.tt: Fix six non-idempotent operations that fail or corrupt state on second run:
- Guard .orig backups for opendkim.conf, opendmarc.conf, postfix/master.cf so the original system file is preserved across redeployments
- Add -p to mkdir for postfix/opendkim and postfix/opendmarc spool dirs
- Guard dovecot conf.d → conf-available migration to avoid nesting on redeploy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This was referenced Apr 24, 2026
troglodyne commented Apr 26, 2026
| postconf -e -- "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination" | ||
| # master.cf shenanigans | ||
| mv /etc/postfix/master.cf /etc/postfix/master.cf.orig | ||
| [ -f /etc/postfix/master.cf.orig ] || mv /etc/postfix/master.cf /etc/postfix/master.cf.orig |
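Review bot: the `[ -f /etc/postfix/master.cf.orig ] ||` guard on the added line preserves the first `.orig`, but because the protected command is still `mv`, the live `/etc/postfix/master.cf` disappears on the first run until the recipe writes a new one, and on any later run where `master.cf` is absent the guard silently does nothing rather than failing. Consider copying instead of moving so the live file stays in place, e.g. `[ -f /etc/postfix/master.cf.orig ] || cp -p /etc/postfix/master.cf /etc/postfix/master.cf.orig`, and add a comment next to `# master.cf shenanigans` stating that `.orig` is the pristine package file and is never refreshed by a redeploy, since that is what the guard now guarantees.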
Contributor
Author
Maybe should timestamp these backups instead?
Contributor
Agree. I wonder if there's a program that does this for us, e.g. backup $file. If not, we may want one in $SCRIPT_DIR.
What

Fix 7 non-idempotent operations in `letsencrypt.tt` and `mail.tt` that cause failures or data loss when the provisioner is re-run against an existing system.

Why

Issue #1 calls out that provisioners need to be safe for shared-environment / existing-system deploys. Two of the most critical problems are explicitly named: `letsencrypt` deleting account credentials and `mail` stomping configs it already owns. Re-running a provisioner is a normal operation (updating config, adding a domain). These bugs make it actively destructive.

How

`letsencrypt.tt` — `rm -rf /var/lib/dehydrated/accounts` was unconditional. Replaced with: check if accounts is a real directory (not already a symlink), migrate contents to `/etc/dehydrated/accounts`, then remove and symlink. Idempotent on subsequent runs.

`mail.tt` — Six fixes:
- `mv /etc/opendkim.conf /etc/opendkim.conf.orig` → guarded with `[ -f .orig ] ||` so the original system file is preserved across redeployments, not overwritten with our last provisioned version
- `opendmarc.conf` and `postfix/master.cf.orig`
- `mkdir /var/spool/postfix/opendkim` → `mkdir -p` (fails without -p on second run)
- `opendmarc` spool dir
- `mv /etc/dovecot/conf.d /etc/dovecot/conf-available` → guarded so redeploy doesn't nest our managed conf.d inside conf-available

Testing

No test suite in this project. Changes verified by diff review — all guards follow the same pattern already used in pdns.tt (line 37: `mv ... ; /bin/true` and `mkdir -p`) and matrix.tt (line 21: `if [...]; then \ ... fi` backslash-continuation pattern for multi-line shell in Make recipes).
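The two guards described in the How section, written out as plain POSIX sh functions you can run against a scratch tree; this is an added example, not the Make recipe text from `letsencrypt.tt` or `mail.tt`. The root-prefix argument and the `demo` scratch tree are assumptions for running offline, and `backup_once` copies with `cp -p` rather than the PR's `mv`, which is a deliberate variation so the live file stays in place.

```shell
# Preserve the pristine system file exactly once. A redeploy sees the
# existing .orig and leaves it alone instead of overwriting it with the
# file our previous run generated.
backup_once() {
  f="$1"
  if [ -f "$f.orig" ]; then
    return 0
  fi
  cp -p "$f" "$f.orig"
}

# First run: migrate a real accounts directory into /etc and replace it
# with a symlink. Later runs detect the symlink and skip entirely, so the
# registered Let's Encrypt account (and its key) is never thrown away.
# $1 is an assumed root prefix ("" for a real system).
migrate_accounts() {
  src="$1/var/lib/dehydrated/accounts"
  dst="$1/etc/dehydrated/accounts"
  if [ -L "$src" ]; then
    return 0
  fi
  mkdir -p "$dst"
  if [ -d "$src" ]; then
    cp -pR "$src/." "$dst/"
    rm -rf "$src"
  else
    mkdir -p "$(dirname "$src")"
  fi
  ln -s "$dst" "$src"
}

# Scratch run (constructed input): one registered account and one master.cf,
# provision twice, then check that both survived the second run.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/var/lib/dehydrated/accounts/acct1" "$root/etc/postfix"
  echo 'secret-key' > "$root/var/lib/dehydrated/accounts/acct1/account_key.pem"
  echo 'smtp inet n - y - - smtpd' > "$root/etc/postfix/master.cf"
  for run in 1 2; do
    migrate_accounts "$root"
    backup_once "$root/etc/postfix/master.cf"
    echo "provisioned $run" > "$root/etc/postfix/master.cf"
  done
  [ -L "$root/var/lib/dehydrated/accounts" ] || return 1
  [ "$(cat "$root/var/lib/dehydrated/accounts/acct1/account_key.pem")" = secret-key ] || return 1
  [ "$(cat "$root/etc/postfix/master.cf.orig")" = 'smtp inet n - y - - smtpd' ] || return 1
  rm -rf "$root"
}
```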