chatmail · hpk42 · May 6, 2026 · Apr 30, 2026 · j4n · May 6, 2026
diff --git a/chatmaild/src/chatmaild/tests/test_migrate_db.py b/chatmaild/src/chatmaild/tests/test_migrate_db.py
@@ -48,6 +48,8 @@ def test_migration(tmp_path, example_config, caplog):
     assert passdb_path.stat().st_size > 10000
 
     example_config.passdb_path = passdb_path
+    # ensure logging.info records are captured regardless of global configuration
+    caplog.set_level("INFO")
 
     assert not caplog.records
 

diff --git a/cmdeploy/src/cmdeploy/acmetool/__init__.py b/cmdeploy/src/cmdeploy/acmetool/__init__.py
@@ -1,6 +1,4 @@
-import importlib.resources
-
-from pyinfra.operations import apt, files, server, systemd
+from pyinfra.operations import apt, server
 
 from ..basedeploy import Deployer
 
@@ -9,131 +7,48 @@ class AcmetoolDeployer(Deployer):
     def __init__(self, email, domains):
         self.domains = domains
         self.email = email
-        self.need_restart_redirector = False
-        self.need_restart_reconcile_service = False
-        self.need_restart_reconcile_timer = False
 
     def install(self):
         apt.packages(
             name="Install acmetool",
             packages=["acmetool"],
         )
 
-        files.file(
-            name="Remove old acmetool cronjob, it is replaced with systemd timer.",
-            path="/etc/cron.d/acmetool",
-            present=False,
-        )
+        self.remove_file("/etc/cron.d/acmetool")
 
-        files.put(
-            name="Install acmetool hook.",
-            src=importlib.resources.files(__package__)
-            .joinpath("acmetool.hook")
-            .open("rb"),
-            dest="/etc/acme/hooks/nginx",
-            user="root",
-            group="root",
-            mode="755",
-        )
-        files.file(
-            name="Remove acmetool hook from the wrong location where it was previously installed.",
-            path="/usr/lib/acme/hooks/nginx",
-            present=False,
-        )
+        self.put_executable("acmetool/acmetool.hook", "/etc/acme/hooks/nginx")
+        self.remove_file("/usr/lib/acme/hooks/nginx")
 
     def configure(self):
-        files.template(
-            src=importlib.resources.files(__package__).joinpath(
-                "response-file.yaml.j2"
-            ),
-            dest="/var/lib/acme/conf/responses",
-            user="root",
-            group="root",
-            mode="644",
+        self.put_template(
+            "acmetool/response-file.yaml.j2",
+            "/var/lib/acme/conf/responses",
             email=self.email,
         )
 
-        files.template(
-            src=importlib.resources.files(__package__).joinpath("target.yaml.j2"),
-            dest="/var/lib/acme/conf/target",
-            user="root",
-            group="root",
-            mode="644",
+        self.put_template(
+            "acmetool/target.yaml.j2",
+            "/var/lib/acme/conf/target",
         )
 
         server.shell(
             name=f"Remove old acmetool desired files for {self.domains[0]}",
             commands=[f"rm -f /var/lib/acme/desired/{self.domains[0]}-*"],
         )
-        files.template(
-            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
-            dest=f"/var/lib/acme/desired/{self.domains[0]}",  # 0 is mailhost TLD
-            user="root",
-            group="root",
-            mode="644",
+        self.put_template(
+            "acmetool/desired.yaml.j2",
+            f"/var/lib/acme/desired/{self.domains[0]}",
             domains=self.domains,
         )
 
-        service_file = files.put(
-            src=importlib.resources.files(__package__).joinpath(
-                "acmetool-redirector.service"
-            ),
-            dest="/etc/systemd/system/acmetool-redirector.service",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        self.need_restart_redirector = service_file.changed
-
-        reconcile_service_file = files.put(
-            src=importlib.resources.files(__package__).joinpath(
-                "acmetool-reconcile.service"
-            ),
-            dest="/etc/systemd/system/acmetool-reconcile.service",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        self.need_restart_reconcile_service = reconcile_service_file.changed
-
-        reconcile_timer_file = files.put(
-            src=importlib.resources.files(__package__).joinpath(
-                "acmetool-reconcile.timer"
-            ),
-            dest="/etc/systemd/system/acmetool-reconcile.timer",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        self.need_restart_reconcile_timer = reconcile_timer_file.changed
+        self.ensure_systemd_unit("acmetool/acmetool-redirector.service")
+        self.ensure_systemd_unit("acmetool/acmetool-reconcile.service")
+        self.ensure_systemd_unit("acmetool/acmetool-reconcile.timer")
 
     def activate(self):
-        systemd.service(
-            name="Setup acmetool-redirector service",
-            service="acmetool-redirector.service",
-            running=True,
-            enabled=True,
-            restarted=self.need_restart_redirector,
-        )
-        self.need_restart_redirector = False
-
-        systemd.service(
-            name="Setup acmetool-reconcile service",
-            service="acmetool-reconcile.service",
-            running=False,
-            enabled=False,
-            daemon_reload=self.need_restart_reconcile_service,
-        )
-        self.need_restart_reconcile_service = False
-
-        systemd.service(
-            name="Setup acmetool-reconcile timer",
-            service="acmetool-reconcile.timer",
-            running=True,
-            enabled=True,
-            daemon_reload=self.need_restart_reconcile_timer,
-        )
-        self.need_restart_reconcile_timer = False
+        self.ensure_service("acmetool-redirector.service")
+        self.ensure_service("acmetool-reconcile.service", running=False, enabled=False)
+        self.ensure_service("acmetool-reconcile.timer")
 
         server.shell(
             name=f"Reconcile certificates for: {', '.join(self.domains)}",

diff --git a/cmdeploy/src/cmdeploy/basedeploy.py b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -4,6 +4,7 @@
 from contextlib import contextmanager
 
 from pyinfra import host
+from pyinfra.facts.files import Sha256File
 from pyinfra.facts.server import Command
 from pyinfra.operations import files, server, systemd
 
@@ -50,11 +51,10 @@ def get_resource(arg, pkg=__package__):
     return importlib.resources.files(pkg).joinpath(arg)
 
 
-def configure_remote_units(mail_domain, units) -> None:
+def configure_remote_units(deployer, mail_domain, units) -> None:
     remote_base_dir = "/usr/local/lib/chatmaild"
     remote_venv_dir = f"{remote_base_dir}/venv"
     remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
-    root_owned = dict(user="root", group="root", mode="644")
 
     # install systemd units
     for fn in units:
@@ -70,15 +70,13 @@ def configure_remote_units(mail_domain, units) -> None:
         source_path = get_resource(f"service/{basename}.f")
         content = source_path.read_text().format(**params).encode()
 
-        files.put(
-            name=f"Upload {basename}",
+        deployer.put_file(
             src=io.BytesIO(content),
             dest=f"/etc/systemd/system/{basename}",
-            **root_owned,
         )
 
 
-def activate_remote_units(units) -> None:
+def activate_remote_units(deployer, units) -> None:
     # activate systemd units
     for fn in units:
         basename = fn if "." in fn else f"{fn}.service"
@@ -88,14 +86,8 @@ def activate_remote_units(units) -> None:
             enabled = False
         else:
             enabled = True
-        systemd.service(
-            name=f"Setup {basename}",
-            service=basename,
-            running=enabled,
-            enabled=enabled,
-            restarted=enabled,
-            daemon_reload=True,
-        )
+
+        deployer.ensure_service(basename, running=enabled, enabled=enabled)
 
 
 class Deployment:
@@ -141,6 +133,7 @@ def perform_stages(self, deployers):
 
 class Deployer:
     need_restart = False
+    daemon_reload = False
 
     def install(self):
         pass
@@ -150,3 +143,113 @@ def configure(self):
 
     def activate(self):
         pass
+
+    def ensure_service(self, service, running=True, enabled=True):
+        if running:
+            verb = "Start and enable"
+        else:
+            verb = "Stop"
+        systemd.service(
+            name=f"{verb} {service}",
+            service=service,
+            running=running,
+            enabled=enabled,
+            restarted=self.need_restart if running else False,
+            daemon_reload=self.daemon_reload,
+        )
+        self.daemon_reload = False
+
+    def ensure_systemd_unit(self, src, **kwargs):
+        dest_name = src.split("/")[-1].replace(".j2", "")
+        dest = f"/etc/systemd/system/{dest_name}"
+        if src.endswith(".j2"):
+            return self.put_template(src, dest, **kwargs)
+        return self.put_file(src, dest)
+
+    def put_file(self, src, dest, mode="644"):
-    def put_file(self, src, dest, mode="644"):
+    def put_file(self, src, dest, mode="644", reason=None):
-    def put_file(self, src, dest, mode="644"):
+    def put_file(self, src, dest, mode="644", reason=None):
+        if isinstance(src, str):
+            src = get_resource(src)
+        res = files.put(
+            name=f"Upload {dest}",
+            src=src,
+            dest=dest,
+            user="root",
+            group="root",
+            mode=mode,
+        )
+
+        return self._update_restart_signals(dest, res)
+
+    def put_executable(self, src, dest):
+        return self.put_file(src, dest, mode="755")
+
+    def put_template(self, src, dest, owner="root", **kwargs):
+        if isinstance(src, str):
+            src = get_resource(src)
+        res = files.template(
+            name=f"Upload {dest}",
+            src=src,
+            dest=dest,
+            user=owner,
+            group=owner,
+            mode="644",
+            **kwargs,
+        )
+
+        return self._update_restart_signals(dest, res)
+
+    def remove_file(self, dest):
+        res = files.file(name=f"Remove {dest}", path=dest, present=False)
+        return self._update_restart_signals(dest, res)
+
+    def ensure_line(self, path, line, **kwargs):
+        name = kwargs.pop("name", f"Ensure line in {path}")
+        res = files.line(name=name, path=path, line=line, **kwargs)
+        return self._update_restart_signals(path, res)
+
+    def ensure_directory(self, path, owner="root", mode="755", **kwargs):
+        name = kwargs.pop("name", f"Ensure directory {path}")
+        res = files.directory(
+            name=name,
+            path=path,
+            user=owner,
+            group=owner,
+            mode=mode,
+            present=True,
+            **kwargs,
+        )
+        return self._update_restart_signals(path, res)
+
+    def remove_directory(self, path, **kwargs):
+        name = kwargs.pop("name", f"Remove directory {path}")
+        res = files.directory(name=name, path=path, present=False, **kwargs)
+        return self._update_restart_signals(path, res)
+
+    def download_executable(self, url, dest, sha256sum, extract=None):
+        existing = host.get_fact(Sha256File, dest)
+        if existing == sha256sum:
+            return
+
+        tmp = f"{dest}.new"
+        if extract:
+            dl_cmd = f"curl -fSL {url} | {extract} >{tmp}"
+        else:
+            dl_cmd = f"curl -fSL {url} -o {tmp}"
+
+        server.shell(
+            name=f"Download {dest}",
+            commands=[
+                f"({dl_cmd}"
+                f" && echo '{sha256sum}  {tmp}' | sha256sum -c"
+                f" && mv {tmp} {dest})",
+                f"chmod 755 {dest}",
+            ],
+        )
+        self.need_restart = True
+
+    def _update_restart_signals(self, path, res):
+        if res.changed:
+            self.need_restart = True
+            if str(path).startswith("/etc/systemd/system/"):
+                self.daemon_reload = True
+        return res