From 567ad3512201958880bbe505ec23bce1f785d39d Mon Sep 17 00:00:00 2001
From: Alberto Bertogli
Date: Tue, 23 Aug 2022 23:48:35 +0100
Subject: [PATCH] docker: Only do setfacl if we issued the certificates

Today, we do setfacl unconditionally; this can be a problem for user-provided certificates because they may be located somewhere else.

This patch fixes the problem by only doing setfacl after renewing the certificates. Externally provided certificates will be untouched, and the user is responsible for ensuring that chasquid can read them.

Thanks to Alex Ellwein (aellwein@github) for reporting this in https://github.com/albertito/chasquid/issues/29!
---
 docker/entrypoint.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 3bb9e9f..e5a5451 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -46,6 +46,10 @@ if [ "$AUTO_CERTS" != "" ]; then
 	# Note this requires you to restart every week or so, to make sure
 	# your certificate does not expire.
 	certbot renew
+
+	# Give chasquid access to the certificates.
+	# Dovecot does not need this as it reads them as root.
+	setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}
 fi
 
 CERT_DOMAINS=""
@@ -66,10 +70,6 @@ if [ "$CERT_DOMAINS" == "" ]; then
 	exit 1
 fi
 
-# Give chasquid access to the certificates.
-# Dovecot does not need this as it reads them as root.
-setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}
-
 # Give chasquid access to the data directory.
 mkdir -p /data/chasquid/data
 chown -R chasquid /data/chasquid/
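Review bot: The `setfacl` added after `certbot renew` in the first hunk has no failure check, so if the filesystem backing /etc/letsencrypt does not support POSIX ACLs, or the `live`/`archive` directories are absent because renewal issued nothing, the script carries on and chasquid only fails later when it cannot open the certificate files. The script appears not to rely on `set -e` (the second hunk checks `CERT_DOMAINS` with an explicit `exit 1`), so fail fast here: `setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive} || { echo "setfacl on /etc/letsencrypt failed" >&2; exit 1; }`. The recursive grant also covers the private keys under `archive/`, which chasquid needs for TLS but is worth stating next to the existing comment, e.g. `# This also grants read on the private keys under archive/, which chasquid needs for TLS.`. The `{live,archive}` brace expansion presumably depends on the shebang being bash, which is outside the hunk, as is the start of the enclosing `if [ "$AUTO_CERTS" != "" ]` block.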