From 861fdf7a5081011e4b29fa11d3959a5b3ad86761 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Thu, 5 Mar 2026 19:31:41 +0100
Subject: [PATCH 01/31] feat: add LXC container support for local chatmail
 development

Add cmdeploy "lxc-test" command to run cmdeploy against local containers,
with supplementary lxc-start, lxc-stop and lxc-status subcommands.
See doc/source/lxc.rst for full documentation including prerequisites,
DNS setup, TLS handling, DNS-free testing, and known limitations.

Apart from adding lxc-specific docs, tests, and implementation files in the cmdeploy/lxc directory,
this PR adds the --ssh-config option to cmdeploy run/dns/status/test commands and pyinfra invocations,
and also to sshexec (Execnet) handling.  This allows for the host to need no DNS entries for a relay,
and route all resolution through ssh-config.  This is used by the "lxc-test" command, which performs
a completely local setup -- again, see docs for more details.

While working on DNS/SSH things i also unified all zone-file handling
to use actual BIND format as it is easy enough to parse back.
---
 .gitignore                                    |   1 +
 cmdeploy/src/cmdeploy/chatmail.zone.j2        |  32 -
 cmdeploy/src/cmdeploy/cmdeploy.py             |  90 ++-
 cmdeploy/src/cmdeploy/deployers.py            |  31 +-
 cmdeploy/src/cmdeploy/dns.py                  |  56 +-
 cmdeploy/src/cmdeploy/lxc/cli.py              | 469 +++++++++++++
 cmdeploy/src/cmdeploy/lxc/incus.py            | 638 ++++++++++++++++++
 cmdeploy/src/cmdeploy/remote/rdns.py          |  12 +-
 cmdeploy/src/cmdeploy/selfsigned/deployer.py  |  32 +-
 cmdeploy/src/cmdeploy/sshexec.py              |  52 +-
 cmdeploy/src/cmdeploy/tests/data/zftest.zone  |  33 +-
 .../src/cmdeploy/tests/online/test_0_qr.py    |  19 +-
 .../src/cmdeploy/tests/online/test_1_basic.py |  11 +-
 .../cmdeploy/tests/online/test_2_deltachat.py |   5 +-
 .../cmdeploy/tests/online/test_3_status.py    |   3 +
 cmdeploy/src/cmdeploy/tests/plugin.py         | 109 ++-
 cmdeploy/src/cmdeploy/tests/test_cmdeploy.py  |   5 +-
 cmdeploy/src/cmdeploy/tests/test_dns.py       |  18 +-
 cmdeploy/src/cmdeploy/tests/test_lxc.py       | 174 +++++
 cmdeploy/src/cmdeploy/util.py                 |  63 ++
 doc/source/conf.py                            |   2 +-
 doc/source/index.rst                          |   1 +
 doc/source/lxc.rst                            | 312 +++++++++
 23 files changed, 2028 insertions(+), 140 deletions(-)
 delete mode 100644 cmdeploy/src/cmdeploy/chatmail.zone.j2
 create mode 100644 cmdeploy/src/cmdeploy/lxc/cli.py
 create mode 100644 cmdeploy/src/cmdeploy/lxc/incus.py
 create mode 100644 cmdeploy/src/cmdeploy/tests/test_lxc.py
 create mode 100644 cmdeploy/src/cmdeploy/util.py
 create mode 100644 doc/source/lxc.rst

diff --git a/.gitignore b/.gitignore
index c0f40b9b1..a542cf469 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ __pycache__/
 *.swp
 *qr-*.png
 chatmail*.ini
+lxconfigs/
 
 
 # C extensions
diff --git a/cmdeploy/src/cmdeploy/chatmail.zone.j2 b/cmdeploy/src/cmdeploy/chatmail.zone.j2
deleted file mode 100644
index 9915ae68d..000000000
--- a/cmdeploy/src/cmdeploy/chatmail.zone.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-;
-; Required DNS entries for chatmail servers 
-;
-{% if A %}
-{{ mail_domain }}.                   A     {{ A }}
-{% endif %}
-{% if AAAA %}
-{{ mail_domain }}.                   AAAA  {{ AAAA }}
-{% endif %}
-{{ mail_domain }}.                   MX 10 {{ mail_domain }}.
-{% if strict_tls %}
-_mta-sts.{{ mail_domain }}.          TXT "v=STSv1; id={{ sts_id }}"
-mta-sts.{{ mail_domain }}.           CNAME {{ mail_domain }}.
-{% endif %}
-www.{{ mail_domain }}.               CNAME {{ mail_domain }}.
-{{ dkim_entry }}
-
-;
-; Recommended DNS entries for interoperability and security-hardening
-;
-{{ mail_domain }}.                   TXT "v=spf1 a ~all"
-_dmarc.{{ mail_domain }}.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
-
-{% if acme_account_url %}
-{{ mail_domain }}.                   CAA 0 issue "letsencrypt.org;accounturi={{ acme_account_url }}"
-{% endif %}
-_adsp._domainkey.{{ mail_domain }}.  TXT "dkim=discardable"
-
-_submission._tcp.{{ mail_domain }}.  SRV 0 1 587 {{ mail_domain }}.
-_submissions._tcp.{{ mail_domain }}. SRV 0 1 465 {{ mail_domain }}.
-_imap._tcp.{{ mail_domain }}.        SRV 0 1 143 {{ mail_domain }}.
-_imaps._tcp.{{ mail_domain }}.       SRV 0 1 993 {{ mail_domain }}.
diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index aace16932..4cd081f6d 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -18,7 +18,23 @@
 from termcolor import colored
 
 from . import dns, remote
-from .sshexec import LocalExec, SSHExec
+from .lxc.cli import (  # noqa: F401
+    lxc_start_cmd,
+    lxc_start_cmd_options,
+    lxc_status_cmd,
+    lxc_status_cmd_options,
+    lxc_stop_cmd,
+    lxc_stop_cmd_options,
+    lxc_test_cmd,
+    lxc_test_cmd_options,
+)
+from .sshexec import (
+    LocalExec,
+    SSHExec,
+    resolve_host_from_ssh_config,
+    resolve_key_from_ssh_config,
+)
+from .www import main as webdev_main
 
 #
 # cmdeploy sub commands and options
@@ -82,18 +98,21 @@ def run_cmd_options(parser):
         help="disable checks nslookup for dns",
     )
     add_ssh_host_option(parser)
+    add_ssh_config_option(parser)
 
 
 def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
 
     ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
-    sshexec = get_sshexec(ssh_host)
+    sshexec = get_sshexec(ssh_host, ssh_config=args.ssh_config)
     require_iroh = args.config.enable_iroh_relay
     strict_tls = args.config.tls_cert_mode == "acme"
     if not args.dns_check_disabled:
         remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-        if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls, print=out.red):
+        if not dns.check_initial_remote_data(
+            remote_data, strict_tls=strict_tls, print=out.red
+        ):
             return 1
 
     env = os.environ.copy()
@@ -108,6 +127,18 @@ def run_cmd(args, out):
     pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
 
     cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
+    ssh_config = args.ssh_config
+    if ssh_config:
+        ssh_config = str(Path(ssh_config).resolve())
+
+        # Use pyinfra's native SSH data keys to configure the connection directly
+        # rather than relying on paramiko config parsing (see also sshexec.py)
+        ip = resolve_host_from_ssh_config(ssh_host, ssh_config)
+        key = resolve_key_from_ssh_config(ssh_host, ssh_config)
+        data_args = f"--data ssh_hostname={ip} --data ssh_known_hosts_file=/dev/null"
+        if key:
+            data_args += f" --data ssh_key={key}"
+        cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y {data_args}"
     if ssh_host in ["localhost", "@docker"]:
         if ssh_host == "@docker":
             env["CHATMAIL_NOPORTCHECK"] = "True"
@@ -122,7 +153,11 @@ def run_cmd(args, out):
         out.check_call(cmd, env=env)
         if args.website_only:
             out.green("Website deployment completed.")
-        elif not args.dns_check_disabled and strict_tls and not remote_data["acme_account_url"]:
+        elif (
+            not args.dns_check_disabled
+            and strict_tls
+            and not remote_data["acme_account_url"]
+        ):
             out.red("Deploy completed but letsencrypt not configured")
             out.red("Run 'cmdeploy run' again")
         else:
@@ -139,15 +174,16 @@ def dns_cmd_options(parser):
         dest="zonefile",
         type=pathlib.Path,
         default=None,
-        help="write out a zonefile",
+        help="write DNS records in standard BIND format to the given file",
     )
     add_ssh_host_option(parser)
+    add_ssh_config_option(parser)
 
 
 def dns_cmd(args, out):
     """Check DNS entries and optionally generate dns zone file."""
     ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
-    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
+    sshexec = get_sshexec(ssh_host, verbose=args.verbose, ssh_config=args.ssh_config)
     tls_cert_mode = args.config.tls_cert_mode
     strict_tls = tls_cert_mode == "acme"
     remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
@@ -178,13 +214,14 @@ def dns_cmd(args, out):
 
 def status_cmd_options(parser):
     add_ssh_host_option(parser)
+    add_ssh_config_option(parser)
 
 
 def status_cmd(args, out):
     """Display status for online chatmail instance."""
 
     ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
-    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
+    sshexec = get_sshexec(ssh_host, verbose=args.verbose, ssh_config=args.ssh_config)
 
     out.green(f"chatmail domain: {args.config.mail_domain}")
     if args.config.privacy_mail:
@@ -204,14 +241,18 @@ def test_cmd_options(parser):
         help="also run slow tests",
     )
     add_ssh_host_option(parser)
+    add_ssh_config_option(parser)
 
 
 def test_cmd(args, out):
     """Run local and online tests for chatmail deployment."""
 
     env = os.environ.copy()
+    env["CHATMAIL_INI"] = str(args.inipath.resolve())
     if args.ssh_host:
         env["CHATMAIL_SSH"] = args.ssh_host
+    if args.ssh_config:
+        env["CHATMAIL_SSH_CONFIG"] = str(Path(args.ssh_config).resolve())
 
     pytest_path = shutil.which("pytest")
     pytest_args = [
@@ -276,9 +317,7 @@ def bench_cmd(args, out):
 
 def webdev_cmd(args, out):
     """Run local web development loop for static web pages."""
-    from .www import main
-
-    main()
+    webdev_main()
 
 
 #
@@ -321,6 +360,16 @@ def add_ssh_host_option(parser):
     )
 
 
+def add_ssh_config_option(parser):
+    parser.add_argument(
+        "--ssh-config",
+        dest="ssh_config",
+        type=Path,
+        default=None,
+        help="Path to an SSH config file (e.g. lxconfigs/ssh-config).",
+    )
+
+
 def add_config_option(parser):
     parser.add_argument(
         "--config",
@@ -330,6 +379,7 @@ def add_config_option(parser):
         type=Path,
         help="path to the chatmail.ini file",
     )
+
     parser.add_argument(
         "--verbose",
         "-v",
@@ -340,15 +390,16 @@ def add_config_option(parser):
     )
 
 
-def add_subcommand(subparsers, func):
+def add_subcommand(subparsers, func, add_config=True):
     name = func.__name__
     assert name.endswith("_cmd")
-    name = name[:-4]
+    name = name[:-4].replace("_", "-")
     doc = func.__doc__.strip()
     help = doc.split("\n")[0].strip(".")
     p = subparsers.add_parser(name, description=doc, help=help)
     p.set_defaults(func=func)
-    add_config_option(p)
+    if add_config:
+        add_config_option(p)
     return p
 
 
@@ -362,13 +413,15 @@ def get_parser():
     """Return an ArgumentParser for the 'cmdeploy' CLI"""
 
     parser = argparse.ArgumentParser(description=description.strip())
+    parser.set_defaults(func=None, inipath=None)
     subparsers = parser.add_subparsers(title="subcommands")
 
     # find all subcommands in the module namespace
     glob = globals()
     for name, func in glob.items():
         if name.endswith("_cmd"):
-            subparser = add_subcommand(subparsers, func)
+            needs_config = not name.startswith("lxc_")
+            subparser = add_subcommand(subparsers, func, add_config=needs_config)
             addopts = glob.get(name + "_options")
             if addopts is not None:
                 addopts(subparser)
@@ -376,26 +429,27 @@ def get_parser():
     return parser
 
 
-def get_sshexec(ssh_host: str, verbose=True):
+def get_sshexec(ssh_host: str, verbose=True, ssh_config=None):
     if ssh_host in ["localhost", "@local"]:
         return LocalExec(verbose, docker=False)
     elif ssh_host == "@docker":
         return LocalExec(verbose, docker=True)
     if verbose:
         print(f"[ssh] login to {ssh_host}")
-    return SSHExec(ssh_host, verbose=verbose)
+    return SSHExec(ssh_host, verbose=verbose, ssh_config=ssh_config)
 
 
 def main(args=None):
     """Provide main entry point for 'cmdeploy' CLI invocation."""
     parser = get_parser()
     args = parser.parse_args(args=args)
-    if not hasattr(args, "func"):
+    if args.func is None:
         return parser.parse_args(["-h"])
 
     out = Out()
     kwargs = {}
-    if args.func.__name__ not in ("init_cmd", "fmt_cmd"):
+
+    if args.inipath is not None and args.func.__name__ not in ("init_cmd", "fmt_cmd"):
         if not args.inipath.exists():
             out.red(f"expecting {args.inipath} to exist, run init first?")
             raise SystemExit(1)
diff --git a/cmdeploy/src/cmdeploy/deployers.py b/cmdeploy/src/cmdeploy/deployers.py
index 11536062d..c298d8035 100644
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -18,6 +18,7 @@
 from pyinfra.operations import apt, files, pip, server, systemd
 
 from cmdeploy.cmdeploy import Out
+from cmdeploy.util import get_version_string
 
 from .acmetool import AcmetoolDeployer
 from .basedeploy import (
@@ -271,8 +272,14 @@ def configure(self):
                     logger.warning("Web page build failed, skipping website deployment")
                     return
             # if it is not a hugo page, upload it as is
-            files.rsync(
-                f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"]
+            # pyinfra files.rsync (experimental) causes problems with ssh-config configuration
+            # the stable files.sync should do
+            files.sync(
+                src=str(www_path),
+                dest="/var/www/html",
+                user="www-data",
+                group="www-data",
+                delete=True,
             )
 
 
@@ -532,17 +539,9 @@ def activate(self):
 
 class GithashDeployer(Deployer):
     def activate(self):
-        try:
-            git_hash = subprocess.check_output(["git", "rev-parse", "HEAD"]).decode()
-        except Exception:
-            git_hash = "unknown\n"
-        try:
-            git_diff = subprocess.check_output(["git", "diff"]).decode()
-        except Exception:
-            git_diff = ""
         files.put(
             name="Upload chatmail relay git commit hash",
-            src=StringIO(git_hash + git_diff),
+            src=StringIO(get_version_string()),
             dest="/etc/chatmail-version",
             mode="700",
         )
@@ -586,11 +585,17 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         )
 
     # Check if mtail_address interface is available (if configured)
-    if config.mtail_address and config.mtail_address not in ('127.0.0.1', '::1', 'localhost'):
+    if config.mtail_address and config.mtail_address not in (
+        "127.0.0.1",
+        "::1",
+        "localhost",
+    ):
         ipv4_addrs = host.get_fact(hardware.Ipv4Addrs)
         all_addresses = [addr for addrs in ipv4_addrs.values() for addr in addrs]
         if config.mtail_address not in all_addresses:
-            Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
+            Out().red(
+                f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n"
+            )
             exit(1)
 
     if not os.environ.get("CHATMAIL_NOPORTCHECK"):
diff --git a/cmdeploy/src/cmdeploy/dns.py b/cmdeploy/src/cmdeploy/dns.py
index 05421b9ed..2370ef7df 100644
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -1,11 +1,26 @@
 import datetime
-import importlib
-
-from jinja2 import Template
 
 from . import remote
 
 
+def parse_zone_records(text):
+    """Yield ``(name, ttl, rtype, rdata)`` from standard BIND-format text.
+
+    Skips comment lines (starting with ``;``) and blank lines.
+    Each record line must have the format ``name TTL IN type rdata``.
+    """
+    for raw_line in text.strip().splitlines():
+        line = raw_line.strip()
+        if not line or line.startswith(";"):
+            continue
+        parts = line.split(None, 4)
+        if len(parts) < 5:
+            raise ValueError(f"Bad zone record line: {line}")
+        name = parts[0].rstrip(".")
+        # parts[2] is the IN class — ignored
+        yield name, parts[1], parts[3].upper(), parts[4]
+
+
 def get_initial_remote_data(sshexec, mail_domain):
     return sshexec.logged(
         call=remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=mail_domain)
@@ -31,13 +46,36 @@ def get_filled_zone_file(remote_data):
     if not sts_id:
         remote_data["sts_id"] = datetime.datetime.now().strftime("%Y%m%d%H%M")
 
-    template = importlib.resources.files(__package__).joinpath("chatmail.zone.j2")
-    content = template.read_text()
-    zonefile = Template(content).render(**remote_data)
-    lines = [x.strip() for x in zonefile.split("\n") if x.strip()]
+    d = remote_data["mail_domain"]
+    lines = ["; Required DNS entries"]
+    if remote_data.get("A"):
+        lines.append(f"{d}.  3600  IN  A  {remote_data['A']}")
+    if remote_data.get("AAAA"):
+        lines.append(f"{d}.  3600  IN  AAAA  {remote_data['AAAA']}")
+    lines.append(f"{d}.  3600  IN  MX  10 {d}.")
+    if remote_data.get("strict_tls"):
+        lines.append(
+            f'_mta-sts.{d}.  3600  IN  TXT  "v=STSv1; id={remote_data["sts_id"]}"'
+        )
+        lines.append(f"mta-sts.{d}.  3600  IN  CNAME  {d}.")
+    lines.append(f"www.{d}.  3600  IN  CNAME  {d}.")
+    lines.append(remote_data["dkim_entry"])
+    lines.append("")
+    lines.append("; Recommended DNS entries")
+    lines.append(f'{d}.  3600  IN  TXT  "v=spf1 a ~all"')
+    lines.append(f'_dmarc.{d}.  3600  IN  TXT  "v=DMARC1;p=reject;adkim=s;aspf=s"')
+    if remote_data.get("acme_account_url"):
+        lines.append(
+            f"{d}.  3600  IN  CAA  0 issue"
+            f' "letsencrypt.org;accounturi={remote_data["acme_account_url"]}"'
+        )
+    lines.append(f'_adsp._domainkey.{d}.  3600  IN  TXT  "dkim=discardable"')
+    lines.append(f"_submission._tcp.{d}.  3600  IN  SRV  0 1 587 {d}.")
+    lines.append(f"_submissions._tcp.{d}.  3600  IN  SRV  0 1 465 {d}.")
+    lines.append(f"_imap._tcp.{d}.  3600  IN  SRV  0 1 143 {d}.")
+    lines.append(f"_imaps._tcp.{d}.  3600  IN  SRV  0 1 993 {d}.")
     lines.append("")
-    zonefile = "\n".join(lines)
-    return zonefile
+    return "\n".join(lines)
 
 
 def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
new file mode 100644
index 000000000..1718a74da
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -0,0 +1,469 @@
+"""lxc-start/stop/status/test subcommands for testing with local containers."""
+
+import os
+import subprocess
+import time
+from contextlib import contextmanager
+
+from ..util import collapse, get_git_hash, get_version_string, shell
+from .incus import Incus, RelayContainer
+
+RELAY_NAMES = ("test0", "test1")
+
+
+# -------------------------------------------------------------------
+# lxc-start
+# -------------------------------------------------------------------
+
+
+def lxc_start_cmd_options(parser):
+    _add_name_args(
+        parser,
+        help_text="User relay name(s) to create (default: test0).",
+    )
+    parser.add_argument(
+        "--ipv4-only",
+        dest="ipv4_only",
+        action="store_true",
+        help="Create an IPv4-only container.",
+    )
+    parser.add_argument(
+        "--run",
+        action="store_true",
+        help="Run 'cmdeploy run' on each container after starting it.",
+    )
+
+
+def lxc_start_cmd(args, out):
+    """Create/Ensure and start LXC relay and DNS containers."""
+    ix = Incus()
+    relays = [ix.get_container(n) for n in args.names] or [
+        ix.get_container(RELAY_NAMES[0])
+    ]
+    out.green("Ensuring DNS container (ns-localchat) ...")
+    dns_ct = ix.get_dns_container()
+    dns_ct.ensure()
+    dns_ip = dns_ct.ipv4
+    print(f"  DNS container IP: {dns_ip}")
+
+    for ct in relays:
+        out.green(f"Ensuring container {ct.name!r} ({ct.domain}) ...")
+        ct.ensure()
+        ip = ct.ipv4
+
+        print("  Configuring container hostname ...")
+        ct.configure_hosts(ip)
+
+        print(f"  Writing {ct.ini.name} ...")
+        ct.write_ini(disable_ipv6=args.ipv4_only)
+        print(f"  Config: {ct.ini}")
+        if args.ipv4_only:
+            ct.disable_ipv6()
+            ipv6 = None
+        else:
+            output = ct.bash(
+                "ip -6 addr show scope global -deprecated"
+                " | grep -oP '(?<=inet6 )[^/]+'",
+                check=False,
+            )
+            ipv6 = output.strip() if output else None
+        print(f"  {_format_addrs(ip, ipv6)}")
+
+        out.green(f"  Container {ct.name!r} ready: {ct.domain} -> {ip}")
+        print()
+
+    # Reset DNS zones only for the containers we just started
+    started_cnames = {ct.name for ct in relays}
+    managed = ix.list_managed()
+    started = [c for c in managed if c["name"] in started_cnames]
+
+    if started:
+        print(
+            f"Resetting DNS zones for {len(started)} domain(s) (A + AAAA records) ..."
+        )
+        dns_ct.reset_dns_records(dns_ip, started)
+
+        for ct in relays:
+            if ct.name in started_cnames:
+                print(f"  Configuring DNS in {ct.name} ...")
+                ct.configure_dns(dns_ip)
+
+    # Generate the unified SSH config
+    out.green("Writing ssh-config ...")
+    ssh_cfg = ix.write_ssh_config()
+    print(f"  {ssh_cfg}")
+
+    # Verify SSH via the generated config
+    for ct in relays:
+        print(f"  Verifying SSH to {ct.name} via ssh-config ...")
+        if ct.verify_ssh(ssh_cfg):
+            print(f"  SSH OK: ssh -F lxconfigs/ssh-config {ct.domain}")
+        else:
+            out.red(f"  WARNING: SSH verification failed for {ct.name}")
+
+    # Print integration suggestions
+    ssh_cfg = ix.ssh_config_path
+    if not ix.check_ssh_include():
+        out.green(
+            "\n  (Optional) To use containers from any SSH client, add to ~/.ssh/config:"
+        )
+        out.green(f"      Include {ssh_cfg}")
+
+    # Optionally run cmdeploy run on each relay
+    if args.run:
+        for ct in relays:
+            with _section(out, f"cmdeploy run: {ct.sname} ({ct.domain})"):
+                ret = _run_cmdeploy("run", ct, ix, extra=["--skip-dns-check"])
+                if ret:
+                    out.red(f"Deploy to {ct.sname} failed (exit {ret})")
+                    return ret
+
+
+# -------------------------------------------------------------------
+# lxc-stop
+# -------------------------------------------------------------------
+
+
+def lxc_stop_cmd_options(parser):
+    parser.add_argument(
+        "--destroy",
+        action="store_true",
+        help="Delete containers and their config files after stopping.",
+    )
+    parser.add_argument(
+        "--destroy-all",
+        dest="destroy_all",
+        action="store_true",
+        help="Like --destroy, but also remove the ns-localchat DNS container.",
+    )
+    _add_name_args(
+        parser,
+        help_text="Container name(s) to stop (default: test0 + test1).",
+    )
+
+
+def lxc_stop_cmd(args, out):
+    """Stop (and optionally destroy) local LXC relay containers."""
+    ix = Incus()
+    names = args.names or RELAY_NAMES
+    destroy = args.destroy or args.destroy_all
+
+    for ct in map(ix.get_container, names):
+        if destroy:
+            out.green(f"Destroying container {ct.name!r} ...")
+            ct.destroy()
+        else:
+            out.green(f"Stopping container {ct.name!r} ...")
+            ct.stop(force=True)
+
+    if args.destroy_all:
+        dns_ct = ix.get_dns_container()
+        out.green(f"Destroying DNS container {dns_ct.name!r} ...")
+        dns_ct.destroy()
+        ix.delete_images()
+
+    if destroy:
+        ix.write_ssh_config()
+        out.green("LXC containers destroyed.")
+    else:
+        out.green("LXC containers stopped.")
+
+
+# -------------------------------------------------------------------
+# lxc-test
+# -------------------------------------------------------------------
+
+
+def lxc_test_cmd_options(parser):
+    parser.add_argument(
+        "--one",
+        action="store_true",
+        help="Only deploy and test against test0 (skip test1).",
+    )
+
+
+def lxc_test_cmd(args, out):
+    """Run full LXC pipeline: start, deploy, DNS, zone files, and tests.
+
+    All commands run directly on the host using
+    ``--ssh-config lxconfigs/ssh-config`` for SSH access.
+    """
+    ix = Incus()
+    t_total = time.time()
+    relay_names = list(RELAY_NAMES)
+    if args.one:
+        relay_names = relay_names[:1]
+
+    local_hash = get_git_hash()
+
+    # Per-relay: start, deploy, then snapshot the first relay as a
+    # reusable image so the second relay launches pre-deployed.
+    ipv4_only_flags = {RELAY_NAMES[0]: False, RELAY_NAMES[1]: True}
+
+    for ct in map(ix.get_container, relay_names):
+        name = ct.sname
+        ipv4_only = ipv4_only_flags.get(name, False)
+        label = "IPv4-only" if ipv4_only else "dual-stack"
+
+        with _section(out, f"LXC: lxc-start {name} ({label})"):
+            args.names = [name]
+            args.ipv4_only = ipv4_only
+            args.run = False
+            ret = lxc_start_cmd(args, out)
+            if ret:
+                return ret
+
+        status = _deploy_status(ct, local_hash, ix)
+        if "IN-SYNC" in status:
+            _section_line(out, f"cmdeploy run: {name} — {status}, skipping")
+        else:
+            with _section(out, f"cmdeploy run: {name} ({ct.domain})"):
+                ret = _run_cmdeploy("run", ct, ix, extra=["--skip-dns-check"])
+                if ret:
+                    out.red(f"Deploy to {name} failed (exit {ret})")
+                    return ret
+
+        # Snapshot the first relay so subsequent ones launch pre-deployed
+        if not ix.find_relay_image():
+            with _section(out, "LXC: publishing relay image"):
+                ct.publish_as_relay_image()
+
+    for ct in map(ix.get_container, relay_names):
+        with _section(out, f"cmdeploy dns: {ct.sname} ({ct.domain})"):
+            ret = _run_cmdeploy("dns", ct, ix, extra=["--zonefile", str(ct.zone)])
+            if ret:
+                out.red(f"DNS for {ct.sname} failed (exit {ret})")
+                return ret
+
+    with _section(out, "LXC: PowerDNS zone update"):
+        dns_ct = ix.get_dns_container()
+        for ct in map(ix.get_container, relay_names):
+            if ct.zone.exists():
+                zone_data = ct.zone.read_text()
+                print(f"  Loading {ct.zone} into PowerDNS ...")
+                dns_ct.set_dns_records(zone_data)
+
+    with _section(out, "cmdeploy test"):
+        first = ix.get_container(relay_names[0])
+        env = None
+        if len(relay_names) > 1:
+            env = os.environ.copy()
+            env["CHATMAIL_DOMAIN2"] = ix.get_container(relay_names[1]).domain
+        ret = _run_cmdeploy("test", first, ix, **({"env": env} if env else {}))
+        if ret:
+            out.red(f"Tests failed (exit {ret})")
+            return ret
+
+    elapsed = time.time() - t_total
+    _section_line(out, f"lxc-test complete ({elapsed:.1f}s)")
+    return 0
+
+
+# -------------------------------------------------------------------
+# lxc-status
+# -------------------------------------------------------------------
+
+
+def lxc_status_cmd_options(parser):
+    pass
+
+
+def lxc_status_cmd(args, out):
+    """Show status of local LXC chatmail containers."""
+    ix = Incus()
+    containers = ix.list_managed()
+    if not containers:
+        out.red("No LXC containers found.  Run 'cmdeploy lxc-start' first.")
+        return 1
+
+    local_hash = get_git_hash()
+
+    # Get storage pool path for display
+    storage_path = None
+    data = ix.run_json(["storage", "show", "default"], check=False)
+    if data:
+        storage_path = data.get("config", {}).get("source")
+    if storage_path:
+        out.green(f"Containers: ({storage_path})")
+    else:
+        out.green("Containers:")
+
+    dns_ip = None
+    for c in containers:
+        _print_container_status(c, ix, local_hash)
+        if c["name"] == ix.get_dns_container().name:
+            dns_ip = c["ip"]
+
+    _print_ssh_status(out, ix)
+    _print_dns_forwarding_status(out, dns_ip)
+    return 0
+
+
+def _print_container_status(c, ix, local_hash):
+    """Print name/status, domain/IPs, and RAM for one container."""
+    cname = c["name"]
+    is_running = c.get("status") == "Running"
+    ct = ix.get_container(cname)
+
+    # First line: name + running/STOPPED + deploy status
+    if not is_running:
+        tag = "STOPPED"
+    elif not isinstance(ct, RelayContainer):
+        tag = "running"
+    else:
+        tag = f"running {_deploy_status(ct, local_hash, ix)}"
+    print(f"  {cname:20s} {tag}")
+
+    # Second line: domain, IPv4, IPv6
+    domain = c.get("domain", "")
+    ip = c.get("ip") or "?"
+    ipv6 = c.get("ipv6")
+    print(f"  {domain:20s} {_format_addrs(ip, ipv6)}")
+
+    # Third line: RAM (RSS), config
+    indent = " " * 21
+    try:
+        used, total = ct.rss_mib()
+    except Exception:
+        ram_str = "RSS ?"
+    else:
+        ram_str = f"RSS {used}/{total} MiB ({used * 100 // total}%)"
+
+    if isinstance(ct, RelayContainer):
+        detail = f"{ram_str}, config: {os.path.relpath(ct.ini)}"
+    else:
+        detail = ram_str
+
+    print(f"  {indent}{detail}")
+    print()
+
+
+def _print_ssh_status(out, ix):
+    """Print SSH integration status."""
+    print()
+    ssh_cfg = ix.ssh_config_path
+    if ix.check_ssh_include():
+        out.green("SSH: ~/.ssh/config includes lxconfigs/ssh-config ✓")
+    else:
+        out.red("SSH: ~/.ssh/config does NOT include lxconfigs/ssh-config")
+        print("  Add to ~/.ssh/config:")
+        print(f"      Include {ssh_cfg}")
+
+
+def _print_dns_forwarding_status(out, dns_ip):
+    """Print host DNS forwarding status for .localchat."""
+    if not dns_ip:
+        out.red("DNS: ns-localchat container not found")
+        return
+    try:
+        rv = shell("resolvectl status incusbr0", timeout=5)
+        dns_ok = dns_ip in rv.stdout and "localchat" in rv.stdout
+    except (FileNotFoundError, subprocess.TimeoutExpired, OSError):
+        dns_ok = None
+    if dns_ok is True:
+        out.green(f"DNS: .localchat forwarding to {dns_ip} ✓")
+    elif dns_ok is False:
+        out.red("DNS: .localchat forwarding NOT configured")
+        print("  Run:")
+        print(f"      sudo resolvectl dns incusbr0 {dns_ip}")
+        print("      sudo resolvectl domain incusbr0 ~localchat")
+    else:
+        print("  DNS: .localchat forwarding status UNKNOWN")
+
+
+# -------------------------------------------------------------------
+# Internal helpers
+# -------------------------------------------------------------------
+
+
+def _format_addrs(ip, ipv6=None):
+    parts = [f"IPv4 {ip}"]
+    if ipv6:
+        parts.append(f"IPv6 {ipv6}")
+    return ", ".join(parts)
+
+
+SECTION_WIDTH = 72
+
+
+@contextmanager
+def _section(out, title):
+    bar = "\u2501" * (SECTION_WIDTH - len(title) - 5)
+    out.green(f"\u2501\u2501\u2501 {title} {bar}")
+    t0 = time.time()
+    yield
+    elapsed = time.time() - t0
+    print(f"{'':>{SECTION_WIDTH - 10}}({elapsed:.1f}s)")
+    print()
+
+
+def _section_line(out, title):
+    bar = "\u2501" * (SECTION_WIDTH - len(title) - 5)
+    out.green(f"\u2501\u2501\u2501 {title} {bar}")
+    print()
+
+
+def _deploy_status(ct, local_hash, ix):
+    """Return a human-readable deploy status string.
+
+    Compares the full deployed version (hash + diff) against
+    the local state built by :func:`~cmdeploy.util.get_version_string`.
+    """
+    deployed = ct.deployed_version()
+    if deployed is None:
+        return "NOT DEPLOYED"
+
+    # A container launched from the relay image has the same
+    # git hash but a different domain — always redeploy.
+    deployed_domain = ct.deployed_domain()
+    if deployed_domain and deployed_domain != ct.domain:
+        return f"DOMAIN-MISMATCH (deployed: {deployed_domain})"
+
+    deployed_lines = deployed.splitlines()
+    deployed_hash = deployed_lines[0] if deployed_lines else ""
+    short = deployed_hash[:12]
+
+    if not local_hash:
+        return f"UNKNOWN (deployed: {short})"
+
+    local_short = local_hash[:12]
+    if deployed_hash != local_hash:
+        return f"STALE (deployed: {short}, local: {local_short})"
+
+    # Hash matches — check for uncommitted diffs
+    local_version = get_version_string()
+    if deployed != local_version:
+        return f"DIRTY ({local_short}, undeployed changes)"
+
+    return f"IN-SYNC ({short})"
+
+
+def _add_name_args(parser, help_text=None):
+    """Add optional positional NAME arguments."""
+    parser.add_argument(
+        "names",
+        nargs="*",
+        metavar="NAME",
+        help=help_text or "Relay name(s) to operate on.",
+    )
+
+
+def _run_cmdeploy(subcmd, ct, ix, extra=None, **kwargs):
+    """Run ``cmdeploy <subcmd>`` with standard --config/--ssh flags.
+
+    *ct* is a Container (uses ``ct.ini`` and ``ct.domain``).
+    Returns the subprocess exit code.
+    """
+    extra_str = " ".join(extra) if extra else ""
+    cmd = f"""\
+        cmdeploy {subcmd}
+        --config {ct.ini}
+        --ssh-config {ix.ssh_config_path}
+        --ssh-host {ct.domain}
+        {extra_str}
+    """
+    if "cwd" not in kwargs:
+        kwargs["cwd"] = str(ix.project_root)
+    cmd = collapse(cmd)
+    print(f"  [$ {cmd}]")
+    return shell(cmd, capture_output=False, **kwargs).returncode
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
new file mode 100644
index 000000000..59d7a3315
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -0,0 +1,638 @@
+"""Core Incus operations for local chatmail LXC containers."""
+
+import json
+import subprocess
+import textwrap
+import time
+from pathlib import Path
+
+from ..util import shell
+
+LABEL_KEY = "user.localchat-managed"
+SSH_KEY_NAME = "id_localchat"
+DOMAIN_SUFFIX = ".localchat"
+UPSTREAM_IMAGE = "images:debian/12"
+BASE_IMAGE_ALIAS = "localchat-base"
+BASE_SETUP_NAME = "localchat-base-setup"
+RELAY_IMAGE_ALIAS = "localchat-relay"
+
+DNS_CONTAINER_NAME = "ns-localchat"
+DNS_DOMAIN = "ns.localchat"
+
+
+def _extract_ip(net_data, family="inet"):
+    """Extract the first global-scope IP of *family* from network state data.
+
+    *net_data* is the ``state.network`` dict from ``incus list --format=json``.
+    *family* is ``"inet"`` for IPv4 or ``"inet6"`` for IPv6.
+    Returns the address string, or None.
+    """
+    for iface_name, iface in net_data.items():
+        if iface_name == "lo":
+            continue
+        for addr in iface.get("addresses", []):
+            if addr["family"] == family and addr["scope"] == "global":
+                return addr["address"]
+    return None
+
+
+class Incus:
+    """Gateway for all Incus container operations.
+
+    Instantiated once per CLI command and passed around so that
+    all modules share a single entry point for Incus interactions.
+    """
+
+    def __init__(self):
+        self.project_root = Path(__file__).resolve().parent.parent.parent.parent.parent
+        self.lxconfigs_dir = self.project_root / "lxconfigs"
+        self.lxconfigs_dir.mkdir(exist_ok=True)
+        self.ssh_key_path = self.lxconfigs_dir / SSH_KEY_NAME
+        if not self.ssh_key_path.exists():
+            shell(
+                f"ssh-keygen -t ed25519 -f {self.ssh_key_path} -N '' -C localchat",
+                check=True,
+            )
+        self.ssh_config_path = self.lxconfigs_dir / "ssh-config"
+
+    def write_ssh_config(self):
+        """Write ``lxconfigs/ssh-config`` mapping all containers to their IPs.
+
+        Each Host block maps the container name, the domain name, and the
+        short relay name (e.g. ``_test0``) to the container's IP, using the
+        shared localchat SSH key.  Returns the path to the file.
+        """
+        containers = self.list_managed()
+        key_path = self.ssh_key_path
+        lines = ["# Auto-generated by cmdeploy lxc-start — do not edit\n"]
+        for c in containers:
+            hosts = [c["name"]]
+            domain = c.get("domain", "")
+            if domain and domain != c["name"]:
+                hosts.append(domain)
+                short = domain.split(".")[0]
+                if short and short not in hosts:
+                    hosts.append(short)
+            lines.append(f"\nHost {' '.join(hosts)}\n")
+            lines.append(f"    Hostname {c['ip']}\n")
+            lines.append("    User root\n")
+            lines.append(f"    IdentityFile {key_path}\n")
+            lines.append("    IdentitiesOnly yes\n")
+            lines.append("    StrictHostKeyChecking accept-new\n")
+            lines.append("    UserKnownHostsFile /dev/null\n")
+            lines.append("    LogLevel ERROR\n")
+        path = self.ssh_config_path
+        path.write_text("".join(lines))
+        return path
+
+    def check_ssh_include(self):
+        """Check if the user's ~/.ssh/config already includes our ssh-config."""
+        user_ssh_config = Path.home() / ".ssh" / "config"
+        if not user_ssh_config.exists():
+            return False
+        lines = filter(None, map(str.strip, user_ssh_config.open("r")))
+        return f"Include {self.ssh_config_path}" in lines
+
+    def run(self, args, check=True, capture=True, input=None):
+        """Run an incus command."""
+        cmd = ["incus"] + list(args)
+        kwargs = dict(check=check, text=True, input=input)
+        if capture:
+            kwargs["capture_output"] = True
+        else:
+            kwargs["stdout"] = None
+            kwargs["stderr"] = None
+        return subprocess.run(cmd, **kwargs)  # noqa: PLW1510
+
+    def run_json(self, args, check=True):
+        """Run an incus command with ``--format=json``.
+
+        Returns the parsed JSON on success.
+        When *check* is True raises ``subprocess.CalledProcessError``
+        on non-zero exit; when False returns *None* instead.
+        """
+        result = self.run(
+            list(args) + ["--format=json"],
+            check=check,
+        )
+        if result.returncode != 0:
+            return None
+        return json.loads(result.stdout)
+
+    def run_output(self, args, check=True):
+        """Run an incus command and return its stdout.
+
+        When *check* is False, returns *None* on non-zero exit
+        instead of raising.
+        """
+        result = self.run(args, check=check)
+        if result.returncode != 0:
+            return None
+        return result.stdout
+
+    def _find_image(self, alias):
+        """Return *alias* if an image with that alias exists, else None."""
+        images = self.run_json(["image", "list"], check=False) or []
+        for img in images:
+            for a in img.get("aliases", []):
+                if a.get("name") == alias:
+                    return alias
+        return None
+
+    def find_relay_image(self):
+        """Return the relay image alias if it exists, else None."""
+        return self._find_image(RELAY_IMAGE_ALIAS)
+
+    def delete_images(self):
+        """Delete the cached base and relay images."""
+        for alias in (RELAY_IMAGE_ALIAS, BASE_IMAGE_ALIAS):
+            self.run(["image", "delete", alias], check=False)
+
+    def list_managed(self):
+        """Return list of dicts with name, ip, ipv6, domain, status, memory_usage."""
+        containers = []
+        for ct in self.run_json(["list"]):
+            config = ct.get("config", {})
+            if config.get(LABEL_KEY) != "true":
+                continue
+            name = ct["name"]
+            state = ct.get("state", {})
+            net = state.get("network") or {}
+            containers.append(
+                {
+                    "name": name,
+                    "ip": _extract_ip(net, "inet"),
+                    "ipv6": _extract_ip(net, "inet6"),
+                    "domain": config.get(
+                        "user.localchat-domain", f"{name}{DOMAIN_SUFFIX}"
+                    ),
+                    "status": ct.get("status", "Unknown"),
+                    "memory_usage": state.get("memory", {}).get("usage", 0),
+                }
+            )
+        return containers
+
+    def ensure_base_image(self):
+        """Build and cache a base image with openssh and the SSH key.
+
+        The image is published as a local incus image with alias
+        'localchat-base'.  Subsequent container launches use this
+        image instead of the upstream Debian 12, skipping the
+        slow apt-get install step.
+        Returns the image alias.
+        """
+        if self._find_image(BASE_IMAGE_ALIAS):
+            return BASE_IMAGE_ALIAS
+
+        print("  Building base image (one-time setup) ...")
+
+        self.run(["delete", BASE_SETUP_NAME, "--force"], check=False)
+        self.run(["image", "delete", BASE_IMAGE_ALIAS], check=False)
+        self.run(["launch", UPSTREAM_IMAGE, BASE_SETUP_NAME])
+
+        ct = Container(self, BASE_SETUP_NAME)
+        ct.wait_ready()
+
+        key_path = self.ssh_key_path
+        pub_key = key_path.with_suffix(".pub").read_text().strip()
+        ct.bash(f"""\
+            apt-get -o DPkg::Lock::Timeout=60 update
+            DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server python3
+            systemctl enable ssh
+            apt-get clean
+            mkdir -p /root/.ssh
+            chmod 700 /root/.ssh
+            echo '{pub_key}' > /root/.ssh/authorized_keys
+            chmod 600 /root/.ssh/authorized_keys
+        """)
+
+        self.run(["stop", BASE_SETUP_NAME])
+        self.run(["publish", BASE_SETUP_NAME, f"--alias={BASE_IMAGE_ALIAS}"])
+        self.run(["delete", BASE_SETUP_NAME, "--force"])
+        print(f"  Base image '{BASE_IMAGE_ALIAS}' ready.")
+        return BASE_IMAGE_ALIAS
+
+    def get_container(self, name):
+        """Return a container handle for the given name.
+
+        Accepts both short relay names (``test0``) and full Incus
+        container names (``test0-localchat``).  Returns
+        ``DNSContainer`` for the DNS container and
+        ``RelayContainer`` for everything else.
+        """
+        if name == DNS_CONTAINER_NAME:
+            return DNSContainer(self)
+        return RelayContainer(self, name.removesuffix("-localchat"))
+
+    def get_dns_container(self):
+        """Return a DNSContainer handle."""
+        return DNSContainer(self)
+
+
+class Container:
+    """Lightweight handle for an Incus container.
+
+    Carries the container *name* and provides convenience methods
+    for running commands, managing lifecycle, and extracting state
+    so callers don't repeat the name everywhere.
+    """
+
+    def __init__(self, incus, name, domain=None, memory="100MiB"):
+        self.incus = incus
+        self.name = name
+        self.domain = domain or f"{name}{DOMAIN_SUFFIX}"
+        self.memory = memory
+        self.ipv4 = None
+        self.ipv6 = None
+
+    def bash(self, script, check=True):
+        """Returns stdout from executing ``bash -ec <script>`` inside this container.
+
+        *script* is dedented and stripped so callers can use triple-quoted strings.
+        When *check* is False, returns *None* on non-zero exit instead of raising.
+        """
+        cmd = ["exec", self.name, "--", "bash", "-ec", textwrap.dedent(script).strip()]
+        return self.incus.run_output(cmd, check=check)
+
+    def run_cmd(self, *args, check=True):
+        """Return stdout from running a command directly in the container (no shell).
+
+        When *check* is False, returns *None* on non-zero exit instead of raising.
+        """
+        return self.incus.run_output(
+            ["exec", self.name, "--", *args],
+            check=check,
+        )
+
+    def start(self):
+        self.incus.run(["start", self.name])
+
+    def stop(self, force=False):
+        cmd = ["stop", self.name]
+        if force:
+            cmd.append("--force")
+        self.incus.run(cmd, check=False)
+
+    def launch(self):
+        """Launch from the best available image, return the alias used."""
+        image = self.incus.find_relay_image() or self.incus.ensure_base_image()
+        print(f"  Launching from '{image}' image ...")
+        cfg = []
+        cfg += ("-c", f"{LABEL_KEY}=true")
+        cfg += ("-c", f"user.localchat-domain={self.domain}")
+        cfg += ("-c", f"limits.memory={self.memory}")
+        self.incus.run(["launch", image, self.name, *cfg])
+        return image
+
+    def ensure(self):
+        """Create/start this container from the cached base image.
+
+        On first call, builds the base image (~30s).
+        Subsequent containers launch in ~2s from the cached image.
+        Returns ``self`` for chaining.
+        """
+        data = self.incus.run_json(["list", self.name], check=False) or []
+
+        existing = [c for c in data if c["name"] == self.name]
+        if existing:
+            if existing[0]["status"] != "Running":
+                self.start()
+        else:
+            self.launch()
+        self.wait_ready()
+        return self
+
+    def destroy(self):
+        """Stop, delete, and clean up config files."""
+        self.stop(force=True)
+        self.incus.run(["delete", self.name, "--force"], check=False)
+
+    def push_file_content(self, dest_path, content):
+        """Write *content* to *dest_path* inside the container.
+
+        *content* is dedented and stripped so callers can use
+        indented triple-quoted strings.
+        """
+        content = textwrap.dedent(content).strip() + "\n"
+        self.incus.run(
+            ["file", "push", "-", f"{self.name}{dest_path}"],
+            input=content,
+        )
+        self.bash(f"chmod 644 {dest_path}")
+
+    def wait_ready(self, timeout=60):
+        """Wait until the container is running with an IPv4 address.
+
+        Sets ``self.ipv4`` and ``self.ipv6`` (may be *None*),
+        or raises ``TimeoutError``.
+        """
+        deadline = time.time() + timeout
+        while time.time() < deadline:
+            data = self.incus.run_json(
+                ["list", self.name],
+                check=False,
+            )
+            if data and data[0].get("status") == "Running":
+                net = data[0].get("state", {}).get("network", {})
+                self.ipv4 = _extract_ip(net, "inet")
+                self.ipv6 = _extract_ip(net, "inet6")
+                if self.ipv4:
+                    return
+            time.sleep(1)
+        raise TimeoutError(
+            f"Container {self.name!r} did not become ready within {timeout}s"
+        )
+
+    def rss_mib(self):
+        """Return ``(used, total)`` memory from container (or None if unobtainable)."""
+        output = self.bash("free -m", check=False)
+        if output:
+            for line in output.splitlines():
+                if line.startswith("Mem:"):
+                    parts = line.split()
+                    return int(parts[2]), int(parts[1])
+
+
+class RelayContainer(Container):
+    """Container handle for a chatmail relay.
+
+    Accepts the short relay name (e.g. ``test0``) and derives
+    the Incus container name and mail domain automatically.
+    """
+
+    def __init__(self, incus, name):
+        super().__init__(
+            incus,
+            f"{name}-localchat",
+            domain=f"_{name}{DOMAIN_SUFFIX}",
+            memory="500MiB",
+        )
+        self.sname = name
+        self.ini = incus.lxconfigs_dir / f"chatmail-{name}.ini"
+        self.zone = incus.lxconfigs_dir / f"{name}.zone"
+
+    def launch(self):
+        """Launch (from a potentially cached image) and clear inherited chatmail-version."""
+        image = super().launch()
+        self.bash("rm -f /etc/chatmail-version")
+        return image
+
+    def destroy(self):
+        """Stop, delete, and clean up config files."""
+        super().destroy()
+        if self.ini.exists():
+            self.ini.unlink()
+
+    def disable_ipv6(self):
+        """Disable IPv6 inside the container via sysctl."""
+        self.bash("""\
+            sysctl -w net.ipv6.conf.all.disable_ipv6=1
+            sysctl -w net.ipv6.conf.default.disable_ipv6=1
+            mkdir -p /etc/sysctl.d
+            printf 'net.ipv6.conf.all.disable_ipv6=1\\n
+            net.ipv6.conf.default.disable_ipv6=1\\n'
+            > /etc/sysctl.d/99-disable-ipv6.conf
+        """)
+
+    def configure_hosts(self, ip):
+        """Set hostname and /etc/hosts inside the container."""
+        self.bash(f"""\
+            echo '{self.name}' > /etc/hostname
+            hostname {self.name}
+            echo '{ip} {self.name} {self.domain}' >> /etc/hosts
+        """)
+
+    def publish_as_relay_image(self):
+        """Publish this container as a reusable relay image.
+
+        Stops the container, publishes it as 'localchat-relay',
+        then restarts it.
+        """
+        if self.incus.find_relay_image():
+            return
+        print(f"  Publishing {self.name!r} as '{RELAY_IMAGE_ALIAS}' image ...")
+        self.incus.run(
+            ["publish", self.name, f"--alias={RELAY_IMAGE_ALIAS}", "--force"]
+        )
+        self.wait_ready()
+        print(f"  Relay image '{RELAY_IMAGE_ALIAS}' ready.")
+
+    def deployed_version(self):
+        """Read /etc/chatmail-version, or None if absent."""
+        output = self.bash("cat /etc/chatmail-version", check=False)
+        return output.strip() if output else None
+
+    def deployed_domain(self):
+        """Read the domain deployed on the container (postfix myhostname)."""
+        output = self.bash(
+            "postconf -h myhostname 2>/dev/null",
+            check=False,
+        )
+        return output.strip() if output else None
+
+    def verify_ssh(self, ssh_config):
+        """Verify SSH connectivity to this container."""
+        cmd = f"ssh -F {ssh_config} -o ConnectTimeout=10 root@{self.domain} hostname"
+        return shell(cmd, timeout=15).returncode == 0
+
+    def configure_dns(self, dns_ip):
+        """Point this container's resolver at *dns_ip*.
+
+        Disables systemd-resolved to free port 53 and writes
+        a static /etc/resolv.conf.  Also configures unbound
+        (if present) to forward .localchat queries.
+        """
+        self.bash(f"""\
+            systemctl disable --now systemd-resolved 2>/dev/null || true
+            rm -f /etc/resolv.conf
+            echo 'nameserver {dns_ip}' > /etc/resolv.conf
+            mkdir -p /etc/unbound/unbound.conf.d
+            printf 'server:\\n  domain-insecure: "localchat"\\n\\n
+            forward-zone:\\n  name: "localchat"\\n
+              forward-addr: {dns_ip}\\n'
+            > /etc/unbound/unbound.conf.d/localchat-forward.conf
+            systemctl restart unbound 2>/dev/null || true
+        """)
+
+    def write_ini(self, disable_ipv6=False):
+        """Generate a chatmail.ini config file in lxconfigs/."""
+        from chatmaild.config import write_initial_config
+
+        overrides = {
+            "max_user_send_per_minute": 600,
+            "max_user_send_burst_size": 100,
+            "mtail_address": "127.0.0.1",
+        }
+        if disable_ipv6:
+            overrides["disable_ipv6"] = "True"
+        write_initial_config(self.ini, self.domain, overrides)
+        return self.ini
+
+
+class DNSContainer(Container):
+    """Specialised container handle for the PowerDNS name server."""
+
+    def __init__(self, incus):
+        super().__init__(incus, DNS_CONTAINER_NAME, domain=DNS_DOMAIN)
+
+    def pdnsutil(self, *args, check=True):
+        """Run ``pdnsutil <args>`` inside the DNS container."""
+        return self.run_cmd("pdnsutil", *args, check=check)
+
+    def replace_rrset(self, zone, name, rtype, ttl, rdata):
+        """Shortcut for ``pdnsutil replace-rrset``."""
+        self.pdnsutil("replace-rrset", zone, name, rtype, ttl, rdata)
+
+    def restart_services(self):
+        """Restart pdns and pdns-recursor."""
+        self.bash("""\
+            systemctl restart pdns
+            systemctl restart pdns-recursor || true
+        """)
+
+    def ensure(self):
+        """Create the DNS container with PowerDNS if needed.
+
+        Calls ``super().ensure()`` to create/start the container
+        and set up SSH, then installs PowerDNS and configures
+        the Incus bridge to use this container as DNS.
+        """
+        super().ensure()
+        self._install_powerdns()
+        self.incus.run(
+            ["network", "set", "incusbr0", "dns.mode=none"],
+            check=False,
+        )
+        self.incus.run(
+            ["network", "set", "incusbr0", f"raw.dnsmasq=dhcp-option=6,{self.ipv4}"],
+            check=False,
+        )
+
+    def _install_powerdns(self):
+        """Install and configure PowerDNS if not already present."""
+        if self.run_cmd("which", "pdns_server", check=False) is not None:
+            return
+
+        self.bash("""\
+            systemctl disable --now systemd-resolved 2>/dev/null || true
+            rm -f /etc/resolv.conf
+            echo 'nameserver 9.9.9.9' > /etc/resolv.conf
+            apt-get -o DPkg::Lock::Timeout=60 update
+            DEBIAN_FRONTEND=noninteractive apt-get install -y \
+                pdns-server pdns-backend-sqlite3 sqlite3 pdns-recursor dnsutils
+            systemctl stop pdns pdns-recursor || true
+            mkdir -p /var/lib/powerdns
+            sqlite3 /var/lib/powerdns/pdns.sqlite3 \
+                </usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
+            chown -R pdns:pdns /var/lib/powerdns
+        """)
+
+        self.push_file_content(
+            "/etc/powerdns/pdns.conf",
+            """\
+            launch=gsqlite3
+            gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
+            local-address=127.0.0.1
+            local-port=5353
+            """,
+        )
+
+        self.push_file_content(
+            "/etc/powerdns/recursor.conf",
+            """\
+            local-address=0.0.0.0
+            local-port=53
+            forward-zones=localchat=127.0.0.1:5353
+            forward-zones-recurse=.=9.9.9.9;149.112.112.112
+            allow-from=0.0.0.0/0
+            dont-query=
+            dnssec=off
+            """,
+        )
+
+        self.bash("""\
+            systemctl start pdns
+            systemctl start pdns-recursor
+            echo 'nameserver 127.0.0.1' > /etc/resolv.conf
+        """)
+
+    def reset_dns_records(self, dns_ip, domains):
+        """Create DNS zones with initial A records via pdnsutil.
+
+        Only sets SOA, NS, and A records as the minimal set
+        needed for SSH connectivity.  Full records (MX, TXT, SRV,
+        CNAME, DKIM) are added later by ``cmdeploy dns``.
+
+        Args:
+            dns_ip: IP of the DNS container
+            domains: list of dicts with 'name', 'domain', 'ip'
+        """
+        for d in domains:
+            domain = d["domain"]
+            ip = d["ip"]
+            print(f"  {domain} -> {ip}")
+
+            # Delete and recreate zone fresh (removes stale records)
+            self.pdnsutil("delete-zone", domain, check=False)
+            self.pdnsutil("create-zone", domain, f"ns.{domain}")
+
+            serial = str(int(time.time()))
+            soa = f"ns.{domain} hostmaster.{domain} {serial} 3600 900 604800 300"
+            self.replace_rrset(domain, ".", "SOA", "3600", soa)
+            self.replace_rrset(domain, ".", "NS", "3600", f"ns.{domain}.")
+            self.replace_rrset(domain, ".", "A", "3600", ip)
+            self.replace_rrset(domain, "ns", "A", "3600", dns_ip)
+
+            # AAAA (domain -> container IPv6, if available)
+            ipv6 = d.get("ipv6")
+            if ipv6:
+                self.replace_rrset(domain, ".", "AAAA", "3600", ipv6)
+                print(f"    zone reset: SOA, NS, A, AAAA  ({ip}, {ipv6})")
+            else:
+                # Remove any stale AAAA record
+                self.pdnsutil("delete-rrset", domain, ".", "AAAA", check=False)
+                print(f"    zone reset: SOA, NS, A  ({ip}, IPv4-only)")
+
+        self.restart_services()
+
+    def set_dns_records(self, text):
+        """Add or overwrite DNS records from standard BIND format.
+
+        Uses ``cmdeploy.dns.parse_zone_records`` to parse.
+        Zones are created automatically from the record names.
+        """
+        from ..dns import parse_zone_records
+
+        zones_seen = set()
+
+        for name, ttl, rtype, rdata in parse_zone_records(text):
+            # Derive zone from name: find top-level .localchat domain
+            name_parts = name.split(".")
+            zone = name  # fallback
+            for i in range(len(name_parts) - 1):
+                if name_parts[i + 1 :] == ["localchat"]:
+                    zone = ".".join(name_parts[i:])
+                    break
+
+            # Create zone if first time seeing it
+            if zone not in zones_seen:
+                self.pdnsutil(
+                    "create-zone",
+                    zone,
+                    f"ns.{zone}",
+                    check=False,
+                )
+                zones_seen.add(zone)
+
+            # Figure out the record name relative to zone
+            if name == zone:
+                relative = "."
+            elif name.endswith(f".{zone}"):
+                relative = name[: -(len(zone) + 1)]
+            else:
+                relative = name
+
+            self.replace_rrset(zone, relative, rtype, ttl, rdata)
+
+        if zones_seen:
+            self.restart_services()
diff --git a/cmdeploy/src/cmdeploy/remote/rdns.py b/cmdeploy/src/cmdeploy/remote/rdns.py
index 4b6864954..3b1d52922 100644
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -58,8 +58,8 @@ def get_dkim_entry(mail_domain, pre_command, dkim_selector):
     dkim_value = '" "'.join(re.findall(".{1,255}", dkim_value_raw))
     web_dkim_value = "".join(re.findall(".{1,255}", dkim_value_raw))
     return (
-        f'{dkim_selector}._domainkey.{mail_domain}. TXT "{dkim_value}"',
-        f'{dkim_selector}._domainkey.{mail_domain}. TXT "{web_dkim_value}"',
+        f'{dkim_selector}._domainkey.{mail_domain}.  3600  IN  TXT  "{dkim_value}"',
+        f'{dkim_selector}._domainkey.{mail_domain}.  3600  IN  TXT  "{web_dkim_value}"',
     )
 
 
@@ -94,9 +94,11 @@ def check_zonefile(zonefile, verbose=True):
         if not zf_line.strip() or zf_line.startswith(";"):
             continue
         print(f"dns-checking {zf_line!r}") if verbose else log_progress("")
-        zf_domain, zf_typ, zf_value = zf_line.split(maxsplit=2)
-        zf_domain = zf_domain.rstrip(".")
-        zf_value = zf_value.strip()
+        parts = zf_line.split(None, 4)
+        zf_domain = parts[0].rstrip(".")
+        # parts[1]=TTL, parts[2]=IN, parts[3]=type, parts[4]=rdata
+        zf_typ = parts[3]
+        zf_value = parts[4].strip()
         query_value = query_dns(zf_typ, zf_domain)
         if zf_value != query_value:
             assert zf_typ in ("A", "AAAA", "CNAME", "CAA", "SRV", "MX", "TXT"), zf_line
diff --git a/cmdeploy/src/cmdeploy/selfsigned/deployer.py b/cmdeploy/src/cmdeploy/selfsigned/deployer.py
index 0faff5e82..f02a5307b 100644
--- a/cmdeploy/src/cmdeploy/selfsigned/deployer.py
+++ b/cmdeploy/src/cmdeploy/selfsigned/deployer.py
@@ -12,13 +12,27 @@ def openssl_selfsigned_args(domain, cert_path, key_path, days=36500):
     ``www.<domain>`` and ``mta-sts.<domain>``.
     """
     return [
-        "openssl", "req", "-x509",
-        "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:P-256",
-        "-noenc", "-days", str(days),
-        "-keyout", str(key_path),
-        "-out", str(cert_path),
-        "-subj", f"/CN={domain}",
-        "-addext", "extendedKeyUsage=serverAuth,clientAuth",
+        "openssl",
+        "req",
+        "-x509",
+        "-newkey",
+        "ec",
+        "-pkeyopt",
+        "ec_paramgen_curve:P-256",
+        "-noenc",
+        "-days",
+        str(days),
+        "-keyout",
+        str(key_path),
+        "-out",
+        str(cert_path),
+        "-subj",
+        f"/CN={domain}",
+        # Mark as end-entity cert so it cannot be used as a CA to sign others.
+        "-addext",
+        "basicConstraints=critical,CA:FALSE",
+        "-addext",
+        "extendedKeyUsage=serverAuth,clientAuth",
         "-addext",
         f"subjectAltName=DNS:{domain},DNS:www.{domain},DNS:mta-sts.{domain}",
     ]
@@ -40,7 +54,9 @@ def install(self):
 
     def configure(self):
         args = openssl_selfsigned_args(
-            self.mail_domain, self.cert_path, self.key_path,
+            self.mail_domain,
+            self.cert_path,
+            self.key_path,
         )
         cmd = shlex.join(args)
         server.shell(
diff --git a/cmdeploy/src/cmdeploy/sshexec.py b/cmdeploy/src/cmdeploy/sshexec.py
index 7470d9277..00b3cc246 100644
--- a/cmdeploy/src/cmdeploy/sshexec.py
+++ b/cmdeploy/src/cmdeploy/sshexec.py
@@ -49,8 +49,13 @@ class SSHExec:
     RemoteError = execnet.RemoteError
     FuncError = FuncError
 
-    def __init__(self, host, verbose=False, python="python3", timeout=60):
-        self.gateway = execnet.makegateway(f"ssh=root@{host}//python={python}")
+    def __init__(
+        self, host, verbose=False, python="python3", timeout=60, ssh_config=None
+    ):
+        spec = f"ssh=root@{host}//python={python}"
+        if ssh_config:
+            spec += f"//ssh_config={ssh_config}"
+        self.gateway = execnet.makegateway(spec)
         self._remote_cmdloop_channel = bootstrap_remote(self.gateway, remote)
         self.timeout = timeout
         self.verbose = verbose
@@ -113,3 +118,46 @@ def logged(self, call, kwargs: dict):
             res = self(call, kwargs, log_callback=remote.rshell.log_progress)
             print_stderr()
             return res
+
+
+# pyinfra exposes a ``ssh_config_file`` data key that *should* let
+# paramiko parse an SSH config file directly.  In practice it silently
+# fails to connect (zero hosts / zero operations), so we resolve the
+# hostname and identity-file ourselves and pass them via
+# ``--data ssh_hostname`` / ``--data ssh_key`` instead.
+# Execnet uses ssh natively (and not paramiko) and doesn't have this problem.
+
+
+def _get_from_ssh_config(host, ssh_config_path, key):
+    """Internal helper to parse a value for a specific key from ssh-config."""
+    current_hosts = []
+    found_value = None
+    with open(ssh_config_path) as f:
+        for raw_line in f:
+            line = raw_line.strip()
+            if not line or line.startswith("#"):
+                continue
+            parts = line.split(None, 1)
+            if not parts:
+                continue
+            directive = parts[0].lower()
+            if directive == "host":
+                if host in current_hosts and found_value:
+                    return found_value
+                current_hosts = parts[1].split()
+                found_value = None
+            elif directive == key.lower():
+                found_value = parts[1]
+    if host in current_hosts and found_value:
+        return found_value
+    return None
+
+
+def resolve_host_from_ssh_config(host, ssh_config_path):
+    """Resolve a host alias to its IP from an ssh-config file."""
+    return _get_from_ssh_config(host, ssh_config_path, "Hostname") or host
+
+
+def resolve_key_from_ssh_config(host, ssh_config_path):
+    """Resolve a host alias to its IdentityFile from an ssh-config file."""
+    return _get_from_ssh_config(host, ssh_config_path, "IdentityFile")
diff --git a/cmdeploy/src/cmdeploy/tests/data/zftest.zone b/cmdeploy/src/cmdeploy/tests/data/zftest.zone
index 4934c2b44..7ee9f0bfe 100644
--- a/cmdeploy/src/cmdeploy/tests/data/zftest.zone
+++ b/cmdeploy/src/cmdeploy/tests/data/zftest.zone
@@ -1,17 +1,18 @@
-; Required DNS entries for chatmail servers
-zftest.testrun.org.                   A     135.181.204.127
-zftest.testrun.org.                   AAAA  2a01:4f9:c012:52f4::1
-zftest.testrun.org.                   MX 10 zftest.testrun.org.
-_mta-sts.zftest.testrun.org.          TXT "v=STSv1; id=202403211706"
-mta-sts.zftest.testrun.org.           CNAME zftest.testrun.org.
-www.zftest.testrun.org.               CNAME zftest.testrun.org.
-opendkim._domainkey.zftest.testrun.org. TXT "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoYt82CVUyz2ouaqjX2kB+5J80knAyoOU3MGU5aWppmwUwwTvj/oSTSpkc5JMtVTRmKKr8NUDWAL1Yw7dfGqqPHdHfwwjS3BIvDzYx+hzgtz62RnfNgV+/2MAoNpfX7cAFIHdRzEHNtwugc3RDLquqPoupAE3Y2YRw2T5zG5fILh4vwIcJZL5Uq6B92j8wwJqOex" "33n+vm1NKQ9rxo/UsHAmZlJzpooXcG/4igTBxJyJlamVSRR6N7Nul1v//YJb7J6v2o0iPHW6uE0StzKaPPNC2IVosSRFbD9H2oqppltptFSNPlI0E+t0JBWHem6YK7xcugiO3ImMCaaU8g6Jt/wIDAQAB;s=email;t=s"
+; Required DNS entries
+zftest.testrun.org.  3600  IN  A  135.181.204.127
+zftest.testrun.org.  3600  IN  AAAA  2a01:4f9:c012:52f4::1
+zftest.testrun.org.  3600  IN  MX  10 zftest.testrun.org.
+_mta-sts.zftest.testrun.org.  3600  IN  TXT  "v=STSv1; id=202403211706"
+mta-sts.zftest.testrun.org.  3600  IN  CNAME  zftest.testrun.org.
+www.zftest.testrun.org.  3600  IN  CNAME  zftest.testrun.org.
+opendkim._domainkey.zftest.testrun.org.  3600  IN  TXT  "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoYt82CVUyz2ouaqjX2kB+5J80knAyoOU3MGU5aWppmwUwwTvj/oSTSpkc5JMtVTRmKKr8NUDWAL1Yw7dfGqqPHdHfwwjS3BIvDzYx+hzgtz62RnfNgV+/2MAoNpfX7cAFIHdRzEHNtwugc3RDLquqPoupAE3Y2YRw2T5zG5fILh4vwIcJZL5Uq6B92j8wwJqOex" "33n+vm1NKQ9rxo/UsHAmZlJzpooXcG/4igTBxJyJlamVSRR6N7Nul1v//YJb7J6v2o0iPHW6uE0StzKaPPNC2IVosSRFbD9H2oqppltptFSNPlI0E+t0JBWHem6YK7xcugiO3ImMCaaU8g6Jt/wIDAQAB;s=email;t=s"
+
 ; Recommended DNS entries
-_submission._tcp.zftest.testrun.org.  SRV 0 1 587 zftest.testrun.org.
-_submissions._tcp.zftest.testrun.org. SRV 0 1 465 zftest.testrun.org.
-_imap._tcp.zftest.testrun.org.        SRV 0 1 143 zftest.testrun.org.
-_imaps._tcp.zftest.testrun.org.       SRV 0 1 993 zftest.testrun.org.
-zftest.testrun.org.                   CAA 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1371472956"
-zftest.testrun.org.                   TXT "v=spf1 a:zftest.testrun.org ~all"
-_dmarc.zftest.testrun.org.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
-_adsp._domainkey.zftest.testrun.org.  TXT "dkim=discardable"
+zftest.testrun.org.  3600  IN  TXT  "v=spf1 a ~all"
+_dmarc.zftest.testrun.org.  3600  IN  TXT  "v=DMARC1;p=reject;adkim=s;aspf=s"
+zftest.testrun.org.  3600  IN  CAA  0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1371472956"
+_adsp._domainkey.zftest.testrun.org.  3600  IN  TXT  "dkim=discardable"
+_submission._tcp.zftest.testrun.org.  3600  IN  SRV  0 1 587 zftest.testrun.org.
+_submissions._tcp.zftest.testrun.org.  3600  IN  SRV  0 1 465 zftest.testrun.org.
+_imap._tcp.zftest.testrun.org.  3600  IN  SRV  0 1 143 zftest.testrun.org.
+_imaps._tcp.zftest.testrun.org.  3600  IN  SRV  0 1 993 zftest.testrun.org.
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py b/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
index b916e696a..243aba924 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
@@ -20,7 +20,7 @@ def test_fastcgi_working(maildomain, chatmail_config):
 
 
 @pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
-def test_newemail_configure(maildomain, rpc, chatmail_config):
+def test_newemail_configure(maildomain, maildomain_ip, rpc, chatmail_config):
     """Test configuring accounts by scanning a QR code works."""
     url = f"DCACCOUNT:https://{maildomain}/new"
     for i in range(3):
@@ -30,12 +30,15 @@ def test_newemail_configure(maildomain, rpc, chatmail_config):
             # set_config_from_qr, so fetch credentials via requests instead
             res = requests.post(f"https://{maildomain}/new", verify=False)
             data = res.json()
-            rpc.add_or_update_transport(account_id, {
-                "addr": data["email"],
-                "password": data["password"],
-                "imapServer": maildomain,
-                "smtpServer": maildomain,
-                "certificateChecks": "acceptInvalidCertificates",
-            })
+            rpc.add_or_update_transport(
+                account_id,
+                {
+                    "addr": data["email"],
+                    "password": data["password"],
+                    "imapServer": maildomain_ip,
+                    "smtpServer": maildomain_ip,
+                    "certificateChecks": "acceptInvalidCertificates",
+                },
+            )
         else:
             rpc.add_transport_from_qr(account_id, url)
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
index 7ff23b5b0..11c7c9051 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -1,4 +1,5 @@
 import datetime
+import os
 import smtplib
 import socket
 import subprocess
@@ -13,7 +14,8 @@
 class TestSSHExecutor:
     @pytest.fixture(scope="class")
     def sshexec(self, sshdomain):
-        return get_sshexec(sshdomain)
+        ssh_config = os.environ.get("CHATMAIL_SSH_CONFIG")
+        return get_sshexec(sshdomain, ssh_config=ssh_config)
 
     def test_ls(self, sshexec):
         out = sshexec(call=remote.rdns.shell, kwargs=dict(command="ls"))
@@ -132,11 +134,10 @@ def test_authenticated_from(cmsetup, maildata):
 @pytest.mark.parametrize("from_addr", ["fake@example.org", "fake@testrun.org"])
 def test_reject_missing_dkim(cmsetup, maildata, from_addr):
     domain = cmsetup.maildomain
-    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    sock.settimeout(10)
     try:
-        sock.connect((domain, 25))
-    except socket.timeout:
+        sock = socket.create_connection((domain, 25), timeout=10)
+        sock.close()
+    except (socket.timeout, OSError):
         pytest.skip(f"port 25 not reachable for {domain}")
 
     recipient = cmsetup.gen_users(1)[0]
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
index 947c34f91..9338afebb 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
@@ -1,4 +1,5 @@
 import ipaddress
+import os
 import re
 import time
 
@@ -92,7 +93,9 @@ def parse_size_limit(limit: str) -> int:
         lp.sec(f"filling remote inbox for {user}")
         fn = f"7743102289.M843172P2484002.c20,S={quota},W=2398:2,"
         path = chatmail_config.mailboxes_dir.joinpath(user, "cur", fn)
-        sshexec = get_sshexec(sshdomain)
+        sshexec = get_sshexec(
+            sshdomain, ssh_config=os.environ.get("CHATMAIL_SSH_CONFIG")
+        )
         sshexec(call=rshell.write_numbytes, kwargs=dict(path=str(path), num=120))
         res = sshexec(call=rshell.dovecot_recalc_quota, kwargs=dict(user=user))
         assert res["percent"] >= 100
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_3_status.py b/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
index d505faf7d..f6a4c747f 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
@@ -9,6 +9,9 @@ def test_status_cmd(chatmail_config, capsys, request):
     if os.getenv("CHATMAIL_SSH"):
         command.append("--ssh-host")
         command.append(os.getenv("CHATMAIL_SSH"))
+    if os.getenv("CHATMAIL_SSH_CONFIG"):
+        command.append("--ssh-config")
+        command.append(os.getenv("CHATMAIL_SSH_CONFIG"))
     assert main(command) == 0
     status_out = capsys.readouterr()
     print(status_out.out)
diff --git a/cmdeploy/src/cmdeploy/tests/plugin.py b/cmdeploy/src/cmdeploy/tests/plugin.py
index 34f258df3..ccb7bab85 100644
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -2,7 +2,9 @@
 import itertools
 import os
 import random
+import re
 import smtplib
+import socket
 import ssl
 import subprocess
 import time
@@ -20,6 +22,64 @@ def pytest_addoption(parser):
     )
 
 
+def _parse_ssh_config_hosts(path):
+    """Parse an OpenSSH config file and return a dict of hostname -> IP."""
+    mapping = {}
+    current_names = []
+    for ln in Path(path).read_text().splitlines():
+        line = ln.strip()
+        m = re.match(r"^Host\s+(.+)", line)
+        if m:
+            current_names = m.group(1).split()
+            continue
+        m = re.match(r"^Hostname\s+(\S+)", line)
+        if m and current_names:
+            ip = m.group(1)
+            for name in current_names:
+                mapping[name] = ip
+            current_names = []
+    return mapping
+
+
+_original_getaddrinfo = socket.getaddrinfo
+
+
+def _make_patched_getaddrinfo(host_map):
+    """Return a getaddrinfo that resolves hosts in host_map to their IPs."""
+
+    def patched_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
+        if host in host_map:
+            ip = host_map[host]
+            return _original_getaddrinfo(ip, port, family, type, proto, flags)
+        return _original_getaddrinfo(host, port, family, type, proto, flags)
+
+    return patched_getaddrinfo
+
+
+@pytest.fixture(autouse=True, scope="session")
+def _setup_localchat_dns():
+    """Monkey-patch socket.getaddrinfo to resolve .localchat via ssh-config."""
+    ssh_config = os.environ.get("CHATMAIL_SSH_CONFIG")
+    if not ssh_config or not Path(ssh_config).exists():
+        yield {}
+        return
+    host_map = _parse_ssh_config_hosts(ssh_config)
+    if not host_map:
+        yield {}
+        return
+    socket.getaddrinfo = _make_patched_getaddrinfo(host_map)
+    try:
+        yield host_map
+    finally:
+        socket.getaddrinfo = _original_getaddrinfo
+
+
+@pytest.fixture(scope="session")
+def ssh_config_host_map(_setup_localchat_dns):
+    """Return the host-name → IP map parsed from ssh-config."""
+    return _setup_localchat_dns
+
+
 def pytest_configure(config):
     config._benchresults = {}
     config.addinivalue_line(
@@ -35,6 +95,11 @@ def pytest_runtest_setup(item):
 
 
 def _get_chatmail_config():
+    ini = os.environ.get("CHATMAIL_INI")
+    if ini:
+        path = Path(ini).resolve()
+        if path.exists():
+            return read_config(path), path
     current = Path().resolve()
     while 1:
         path = current.joinpath("chatmail.ini").resolve()
@@ -65,6 +130,12 @@ def sshdomain(maildomain):
     return os.environ.get("CHATMAIL_SSH", maildomain)
 
 
+@pytest.fixture(scope="session")
+def maildomain_ip(maildomain, ssh_config_host_map):
+    """Return the IP for maildomain from ssh-config, or maildomain itself."""
+    return ssh_config_host_map.get(maildomain, maildomain)
+
+
 @pytest.fixture
 def maildomain2():
     domain = os.environ.get("CHATMAIL_DOMAIN2")
@@ -306,23 +377,32 @@ def gen(domain=None):
 class ChatmailACFactory:
     """RPC-based account factory for chatmail testing."""
 
-    def __init__(self, rpc, maildomain, gencreds, chatmail_config):
+    def __init__(
+        self,
+        rpc,
+        maildomain,
+        maildomain_ip,
+        gencreds,
+        chatmail_config,
+        ssh_config_host_map,
+    ):
         self.dc = DeltaChat(rpc)
         self.rpc = rpc
         self._maildomain = maildomain
+        self._maildomain_ip = maildomain_ip
         self.gencreds = gencreds
         self.chatmail_config = chatmail_config
+        self._ssh_config_host_map = ssh_config_host_map
 
     def _make_transport(self, domain):
         """Build a transport config dict for the given domain."""
         addr, password = self.gencreds(domain)
+        server = self._ssh_config_host_map.get(domain, domain)
         transport = {
             "addr": addr,
             "password": password,
-            # Setting server explicitly skips requesting autoconfig XML,
-            # see https://datatracker.ietf.org/doc/draft-ietf-mailmaint-autoconfig/
-            "imapServer": domain,
-            "smtpServer": domain,
+            "imapServer": server,
+            "smtpServer": server,
         }
         if self.chatmail_config.tls_cert_mode == "self":
             transport["certificateChecks"] = "acceptInvalidCertificates"
@@ -376,13 +456,17 @@ def rpc(tmp_path_factory):
 
 
 @pytest.fixture
-def cmfactory(rpc, gencreds, maildomain, chatmail_config):
+def cmfactory(
+    rpc, gencreds, maildomain, maildomain_ip, chatmail_config, ssh_config_host_map
+):
     """Return a ChatmailACFactory for creating online Delta Chat accounts."""
     return ChatmailACFactory(
         rpc=rpc,
         maildomain=maildomain,
+        maildomain_ip=maildomain_ip,
         gencreds=gencreds,
         chatmail_config=chatmail_config,
+        ssh_config_host_map=ssh_config_host_map,
     )
 
 
@@ -394,14 +478,21 @@ def remote(sshdomain):
 class Remote:
     def __init__(self, sshdomain):
         self.sshdomain = sshdomain
+        self.ssh_config = os.environ.get("CHATMAIL_SSH_CONFIG")
 
     def iter_output(self, logcmd="", ready=None):
         getjournal = "journalctl -f" if not logcmd else logcmd
         print(self.sshdomain)
         match self.sshdomain:
-            case "@local": command = []
-            case "localhost": command = []
-            case _: command = ["ssh", f"root@{self.sshdomain}"]
+            case "@local":
+                command = []
+            case "localhost":
+                command = []
+            case _:
+                command = ["ssh"]
+                if self.ssh_config:
+                    command.extend(["-F", self.ssh_config])
+                command.append(f"root@{self.sshdomain}")
         [command.append(arg) for arg in getjournal.split()]
         self.popen = subprocess.Popen(
             command,
diff --git a/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py b/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
index 6e87b4eac..b7b16457f 100644
--- a/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
@@ -23,7 +23,10 @@ def test_parser(self, capsys):
         run = parser.parse_args(["run"])
         assert init and run
 
-    def test_init_not_overwrite(self, capsys):
+    def test_init_not_overwrite(self, tmp_path, capsys, monkeypatch):
+        monkeypatch.delenv("CHATMAIL_INI", raising=False)
+        monkeypatch.chdir(tmp_path)
+
         assert main(["init", "chat.example.org"]) == 0
         capsys.readouterr()
 
diff --git a/cmdeploy/src/cmdeploy/tests/test_dns.py b/cmdeploy/src/cmdeploy/tests/test_dns.py
index 7802948fa..8db498af7 100644
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -3,7 +3,7 @@
 import pytest
 
 from cmdeploy import remote
-from cmdeploy.dns import check_full_zone, check_initial_remote_data
+from cmdeploy.dns import check_full_zone, check_initial_remote_data, parse_zone_records
 
 
 @pytest.fixture
@@ -126,17 +126,11 @@ def test_perform_initial_checks_no_mta_sts_self_signed(self, mockdns):
 
 
 def parse_zonefile_into_dict(zonefile, mockdns_base, only_required=False):
-    for zf_line in zonefile.split("\n"):
-        if zf_line.startswith("#"):
-            if "Recommended" in zf_line and only_required:
-                return
-            continue
-        if not zf_line.strip():
-            continue
-        zf_domain, zf_typ, zf_value = zf_line.split(maxsplit=2)
-        zf_domain = zf_domain.rstrip(".")
-        zf_value = zf_value.strip()
-        mockdns_base.setdefault(zf_typ, {})[zf_domain] = zf_value
+    if only_required:
+        # Only take records before the "; Recommended" section
+        zonefile = zonefile.split("; Recommended")[0]
+    for name, ttl, rtype, rdata in parse_zone_records(zonefile):
+        mockdns_base.setdefault(rtype, {})[name] = rdata
 
 
 class MockSSHExec:
diff --git a/cmdeploy/src/cmdeploy/tests/test_lxc.py b/cmdeploy/src/cmdeploy/tests/test_lxc.py
new file mode 100644
index 000000000..ffc8d3ee5
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/tests/test_lxc.py
@@ -0,0 +1,174 @@
+"""Tests for cmdeploy lxc-* subcommands."""
+
+import shutil
+import subprocess
+import sys
+
+import pytest
+
+from cmdeploy.lxc import cli
+from cmdeploy.lxc.incus import Incus
+
+pytestmark = pytest.mark.skipif(
+    not shutil.which("incus") or not shutil.which("lxc"),
+    reason="incus/lxc not installed",
+)
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def ix():
+    return Incus()
+
+
+@pytest.fixture(scope="session")
+def lxc_setup():
+    ix = Incus()
+    ix.get_dns_container().ensure()
+    return ix.list_managed()
+
+
+@pytest.fixture(scope="session")
+def relay_container(lxc_setup):
+    test_names = {f"{n}-localchat" for n in cli.RELAY_NAMES}
+    relays = [c for c in lxc_setup if c["name"] in test_names and c.get("ip")]
+    if not relays:
+        pytest.skip("no test relay containers running")
+    return relays[0]
+
+
+@pytest.fixture
+def cmdeploy():
+
+    def run(*args):
+        return subprocess.run(
+            [sys.executable, "-m", "cmdeploy.cmdeploy", *args],
+            capture_output=True,
+            text=True,
+            check=False,
+        )
+
+    return run
+
+
+# ---------------------------------------------------------------------------
+# Tests
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.parametrize(
+    "subcmd, expected, absent",
+    [
+        (None, ["lxc-start", "lxc-stop", "lxc-test", "lxc-status"], ["lxc-destroy"]),
+        ("lxc-start", ["--ipv4-only", "--run"], ["--config"]),
+        ("lxc-stop", ["--destroy", "--destroy-all"], ["--config"]),
+        ("lxc-test", ["--one"], ["--config"]),
+        ("lxc-status", [], ["--config"]),
+        ("run", ["--ssh-config"], ["--lxc"]),
+        ("dns", ["--ssh-config"], []),
+        ("test", ["--ssh-config"], []),
+        ("status", ["--ssh-config"], []),
+    ],
+)
+def test_help_options(cmdeploy, subcmd, expected, absent):
+    args = [subcmd, "--help"] if subcmd else ["--help"]
+    result = cmdeploy(*args)
+    output = result.stdout + result.stderr
+    assert result.returncode == 0
+    for flag in expected:
+        assert flag in output
+    for flag in absent:
+        assert flag not in output
+
+
+class TestSSHConfig:
+    def test_lxconfigs(self, ix, lxc_setup):
+        d = ix.lxconfigs_dir
+        assert d.name == "lxconfigs"
+        assert d.exists()
+        path = ix.ssh_config_path
+        assert path.name == "ssh-config"
+        assert path.parent.name == "lxconfigs"
+
+    def test_write_ssh_config(self, ix, lxc_setup):
+        path = ix.write_ssh_config()
+        assert path.exists()
+        text = path.read_text()
+
+        for c in lxc_setup:
+            if c.get("ip"):
+                assert c["name"] in text
+                assert f"Hostname {c['ip']}" in text
+
+        assert "User root" in text
+        assert "IdentityFile" in text
+        assert "StrictHostKeyChecking accept-new" in text
+
+
+def test_dns(ix, relay_container):
+    def dig(qname, qtype):
+        ct = ix.get_dns_container()
+        return ct.bash(f"dig @127.0.0.1 {qname} {qtype} +short").strip()
+
+    domain = relay_container["domain"]
+    assert dig(domain, "A") == relay_container["ip"]
+    assert domain in dig(domain, "MX")
+    assert "587" in dig(f"_submission._tcp.{domain}", "SRV")
+
+
+class TestLxcStatus:
+    def test_cli_lxc_status_help(self, cmdeploy):
+        result = cmdeploy("lxc-status", "--help")
+        assert result.returncode == 0
+        assert "status" in result.stdout.lower()
+
+    def test_shows_containers(self, lxc_setup, capsys):
+
+        class QuietOut:
+            def red(self, msg, **kw):
+                pass
+
+            def green(self, msg, **kw):
+                pass
+
+        ret = cli.lxc_status_cmd(None, QuietOut())
+        assert ret == 0
+        captured = capsys.readouterr().out
+        assert "ns-localchat" in captured
+        assert "running" in captured
+
+    def test_deploy_freshness(self, ix, monkeypatch):
+
+        ct = ix.get_container("x")
+
+        monkeypatch.setattr(
+            "cmdeploy.lxc.incus.RelayContainer.deployed_version",
+            lambda _self: "abc123def456",
+        )
+        monkeypatch.setattr(
+            "cmdeploy.lxc.incus.RelayContainer.deployed_domain",
+            lambda _self: ct.domain,
+        )
+        monkeypatch.setattr(
+            "cmdeploy.lxc.cli.get_version_string",
+            lambda: "abc123def456",
+        )
+        assert "IN-SYNC" in cli._deploy_status(ct, "abc123def456", ix)
+        assert "STALE" in cli._deploy_status(ct, "other_hash_here", ix)
+
+        # Hash matches but local has uncommitted changes
+        monkeypatch.setattr(
+            "cmdeploy.lxc.cli.get_version_string",
+            lambda: "abc123def456\ndiff --git a/foo",
+        )
+        assert "DIRTY" in cli._deploy_status(ct, "abc123def456", ix)
+
+        monkeypatch.setattr(
+            "cmdeploy.lxc.incus.RelayContainer.deployed_version",
+            lambda _self: None,
+        )
+        assert "NOT DEPLOYED" in cli._deploy_status(ct, "abc123", ix)
diff --git a/cmdeploy/src/cmdeploy/util.py b/cmdeploy/src/cmdeploy/util.py
new file mode 100644
index 000000000..bd0b2fe30
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/util.py
@@ -0,0 +1,63 @@
+"""Shared utility functions for cmdeploy."""
+
+import subprocess
+import textwrap
+from pathlib import Path
+
+
+def _project_root():
+    """Return the project root directory."""
+    return Path(__file__).resolve().parent.parent.parent.parent
+
+
+def collapse(text):
+    """Dedent, join lines, and strip a (triple-quoted) string.
+
+    Handy for writing shell commands across multiple lines::
+
+        cmd = collapse(f\"""
+            cmdeploy run
+            --config {ct.ini}
+            --ssh-host {ct.domain}
+        \""")
+    """
+    return textwrap.dedent(text).replace("\n", " ").strip()
+
+
+def shell(cmd, check=False, **kwargs):
+    """Run a shell command string with sensible defaults.
+
+    *cmd* is passed through :func:`collapse` first, so callers
+    can use triple-quoted f-strings freely.
+    Captures stdout/stderr by default; pass ``capture_output=False``
+    to stream output to the terminal instead.
+    """
+    if "capture_output" not in kwargs and "stdout" not in kwargs:
+        kwargs["capture_output"] = True
+    return subprocess.run(collapse(cmd), shell=True, text=True, check=check, **kwargs)
+
+
+def get_git_hash():
+    """Return the local HEAD commit hash, or None."""
+    result = shell(
+        "git rev-parse HEAD",
+        cwd=str(_project_root()),
+    )
+    if result.returncode == 0:
+        return result.stdout.strip()
+    return None
+
+
+def get_version_string():
+    """Return ``git_hash\\ngit_diff`` for the local working tree.
+
+    Used by :class:`~cmdeploy.deployers.GithashDeployer` to write
+    ``/etc/chatmail-version`` and by ``lxc-status`` to compare
+    the deployed state against the local checkout.
+    """
+    git_hash = get_git_hash() or "unknown"
+    try:
+        git_diff = shell("git diff", cwd=str(_project_root())).stdout
+    except Exception:
+        git_diff = ""
+    return git_hash + "\n" + git_diff
diff --git a/doc/source/conf.py b/doc/source/conf.py
index 24422df43..85672f76c 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -15,7 +15,7 @@
 
 extensions = [
     #'sphinx.ext.autodoc',
-    #'sphinx.ext.viewdoc',
+    #'sphinx.ext.viewcode',
     'sphinxcontrib.mermaid',
 ]
 
diff --git a/doc/source/index.rst b/doc/source/index.rst
index d37a10f68..1f133d346 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -16,5 +16,6 @@ Contributions and feedback welcome through the https://github.com/chatmail/relay
     proxy
     migrate
     overview
+    lxc
     related
     faq
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
new file mode 100644
index 000000000..8aec4ffdf
--- /dev/null
+++ b/doc/source/lxc.rst
@@ -0,0 +1,312 @@
+Local testing with LXC/Incus
+============================
+
+.. warning::
+
+   cmdeploy LXC support is geared towards local testing and CI, only.
+   Do not base production setups on it.
+
+
+The ``cmdeploy`` tool includes support for running
+chatmail relays inside local
+`Incus <https://linuxcontainers.org/incus/>`_ LXC containers.
+This is useful for development, testing, and CI
+without requiring a remote server.
+LXC system containers behave like lightweight virtual machines.
+They share the host's kernel but run their own init system
+(systemd), package manager, and network stack,
+so the cmdeploy deployment scripts work exactly
+as they would on a real Debian server or cloud VPS.
+Incus is
+`well supported
+<https://linuxcontainers.org/incus/docs/main/installing/>`_
+on Debian, Ubuntu, Arch, Fedora,
+and other major distributions.
+
+
+Prerequisites
+-------------
+
+Install `Incus <https://linuxcontainers.org/incus/>`_
+(LXC container manager).
+See the `official installation guide
+<https://linuxcontainers.org/incus/docs/main/installing/>`_
+for full details, or use one of the shortcuts below:
+
+**Debian 12+ / Ubuntu 24.04+**
+Incus is in the default repositories::
+
+    sudo apt install incus
+
+**Older Debian / Ubuntu**: Use the
+`Zabbly package repository
+<https://github.com/zabbly/incus>`_::
+
+    curl -fsSL https://pkgs.zabbly.com/get/incus-stable | sudo bash
+
+**Arch Linux**::
+
+    sudo pacman -S incus
+
+After installing, initialise and grant yourself access::
+
+    sudo incus admin init --minimal
+    sudo usermod -aG incus-admin $USER
+
+.. warning::
+
+   You **must log out and back in** (or run ``newgrp incus-admin``)
+   after adding yourself to the group.
+   Without this, all ``cmdeploy lxc-*`` commands
+   will fail with permission errors.
+
+Verify the installation works by running ``incus list``,
+which should print an empty table without errors.
+
+
+Quick start
+-----------
+
+::
+
+    cd relay
+    scripts/initenv.sh               # bootstrap venv
+    cmdeploy lxc-test                # create containers, deploy, test
+
+
+The ``lxc-test`` command executes each ``cmdeploy`` subprocess command
+so you can copy-paste and run them individually.
+No host DNS delegation or ``~/.ssh/config`` changes are needed
+because lxc-test passes ssh-related CLI options to "cmdeploy run" and "cmdeploy test" commands.
+
+
+CLI reference
+--------------
+
+``lxc-start [--ipv4-only] [--run] [NAME ...]``
+    Create and start containers.
+    Without arguments, creates ``test0-localchat`` and ``ns-localchat`` (DNS).
+    Pass one or more ``NAME`` arguments to create user relay containers instead
+    (e.g. ``cmdeploy lxc-start myrelay``).
+    Use ``--ipv4-only`` to set ``disable_ipv6 = True`` in the generated ``chatmail.ini``,
+    producing an IPv4-only relay.
+    Use ``--run`` to automatically run ``cmdeploy run`` on each container after starting it.
+    Generates ``lxconfigs/ssh-config``.
+    It reuses existing containers and resets DNS zones to minimal records.
+
+``lxc-stop [--destroy] [--destroy-all] [NAME ...]``
+    Stop relay containers.
+    Without arguments, stops ``test0-localchat``
+    and ``test1-localchat``.
+    Pass ``NAME`` to stop specific containers.
+    Use ``--destroy`` to also delete the containers
+    and their config files.
+    Use ``--destroy-all`` to additionally destroy
+    the ``ns-localchat`` DNS container **and** remove
+    the cached ``localchat-base`` and ``localchat-relay``
+    images, giving a fully clean slate
+    for the next ``lxc-test``.
+    User containers are **never** destroyed
+    unless named explicitly.
+
+``lxc-test [--one]``
+    Idempotent full pipeline:
+
+    1. ``lxc-start``: create ``test0`` + ``test1``
+       containers, minimal DNS
+
+    2. ``cmdeploy run``: deploy chatmail services on each relay
+
+    3. publish ``localchat-relay`` image after first successful deploy
+
+    4. ``cmdeploy dns --zonefile``: generate standard
+       BIND-format zone files, load full DNS records
+
+    5. ``cmdeploy test``: run full test suite
+       with ``-n4 -x``
+
+    By default creates, deploys, and tests both ``test0`` and ``test1``
+    for dual-domain federation testing (sets ``CHATMAIL_DOMAIN2=_test1.localchat``).
+    test0 runs dual-stack (IPv4 + IPv6) while test1 runs IPv4-only (``disable_ipv6 = True``).
+    Pass ``--one`` to only deploy and test against ``test0``
+    (skips ``test1``, does not set ``CHATMAIL_DOMAIN2``).
+
+``lxc-status``
+    Show live status of all LXC containers (including the DNS container),
+    deploy freshness (comparing ``/etc/chatmail-version``
+    against local ``git rev-parse HEAD`` and ``git diff``),
+    SSH config inclusion, and host DNS forwarding for ``.localchat``.
+    Reports **IN-SYNC**, **DIRTY** (hash matches but uncommitted changes exist),
+    **STALE** (different commit), or **NOT DEPLOYED**.
+
+
+Container types
+-----------------
+
+**Test relay containers** (``test0-localchat``, ``test1-localchat``)
+    Created automatically by ``lxc-test``.
+    **test0** has IPv4 and IPv6 configured,
+    **test1** is IPv4-only (``disable_ipv6 = True``).
+
+**User relay containers** (``<name>-localchat``)
+    Created by ``cmdeploy lxc-start <name>``
+    where ``<name>`` does not start with ``test``.
+    These are personal development instances,
+    never touched by ``lxc-stop --destroy`` unless named explicitly.
+
+**DNS container** (``ns-localchat``)
+    Singleton container running PowerDNS.
+    Created automatically when any relay is started.
+
+
+.. _lxc-ssh-config:
+
+SSH configuration
+-----------------
+
+``cmdeploy lxc-start`` generates ``lxconfigs/ssh-config``,
+a standard OpenSSH config file mapping every container name,
+its domain, and a short alias to the container's IP address::
+
+    Host test0-localchat _test0.localchat _test0
+        Hostname 10.204.0.42
+        User root
+        IdentityFile /path/to/relay/lxconfigs/id_localchat
+        IdentitiesOnly yes
+        StrictHostKeyChecking accept-new
+        UserKnownHostsFile /dev/null
+        LogLevel ERROR
+
+All ``cmdeploy`` commands (``run``, ``dns``, ``status``, ``test``)
+accept ``--ssh-config lxconfigs/ssh-config`` to use this file.
+``lxc-test`` passes it automatically.
+
+**Using containers from the host shell:**
+
+To make ``ssh _test0`` work from any terminal, add one line to ``~/.ssh/config``::
+
+    Include /absolute/path/to/relay/lxconfigs/ssh-config
+
+
+.. _lxc-dns-setup:
+.. _localchat-tld:
+
+``.localchat`` DNS and name resolution
+---------------------------------------
+
+All LXC-managed chatmail domains use the ``.localchat`` pseudo-TLD
+(e.g. ``_test0.localchat``, ``_test1.localchat``),
+a non-delegated suffix that exists only within the local PowerDNS infrastructure.
+A dedicated DNS container (``ns-localchat``)
+is created so that local test relays interact
+with DNS similar to a regular public Internet setup.
+On first start, ``cmdeploy lxc-start`` creates this container
+running two `PowerDNS <https://www.powerdns.com/>`_ services:
+
+* **pdns-server** (authoritative) serves ``.localchat``
+  zones from a local SQLite database.
+
+* **pdns-recursor** (recursive) listens on the Incus
+  bridge so all containers can use it.
+  Forwards ``.localchat`` queries to the local
+  authoritative server and everything else to Quad9 (``9.9.9.9``).
+
+After the DNS container is up, ``lxc-start`` configures the Incus bridge
+to advertise its IP via DHCP and disables Incus's own DNS.
+DNS records are then created in two phases matching the "cmdeploy run" deployment flow:
+
+1. **``lxc-start``** resets each relay zone to
+   **SOA, NS, and A** records (plus **AAAA** for dual-stack containers).
+   If host DNS resolution is configured, users can
+   afterwards run ``cmdeploy run --config lxconfigs/chatmail-test0.ini
+   --ssh-config lxconfigs/ssh-config --ssh-host _test0.localchat``.
+   LXC subcommands do not depend on host DNS resolution
+   and resolve addresses via ``lxconfigs/ssh-config``.
+
+2. **``cmdeploy dns --zonefile``** generates a standard
+   BIND-format zone file (MX, TXT/SPF, TXT/DMARC,
+   TXT/MTA-STS, SRV, CNAME, DKIM) and loads it
+   into PowerDNS.
+
+This two-phase approach prevents premature configuration of mail records
+before the relay is actually deployed and running.
+Once ``cmdeploy run`` deploys `Unbound <https://nlnetlabs.nl/projects/unbound/>`_
+inside a relay container, Unbound has a configuration plugin snippet
+that forwards all ``.localchat`` queries to the PowerDNS recursor,
+and lets all other queries go through normal recursive resolution.
+
+
+State outside the repository
+-----------------------------
+
+All generated configuration by lxc subcommands live in ``lxconfigs/``
+(git-ignored), including the SSH key pair (``id_localchat``),
+per-container ``chatmail-*.ini`` files, zone files, and ``ssh-config``.
+
+The only state *outside* the repository is the Incus containers and images themselves
+(managed via the ``incus`` CLI, labelled with ``user.localchat-managed=true``).
+Two cached images are published to the local Incus image store:
+
+* ``localchat-base``: Debian 12 with openssh-server and Python (built on first run)
+
+* ``localchat-relay``: fully deployed relay snapshot,
+  published after the first successful ``cmdeploy run``.
+  Subsequent relay containers launch from this image
+  so the deploy step is mostly no-ops (roughly 3× faster than a fresh deploy).
+  Relay containers are limited to **500 MiB RAM** and the DNS container to **100 MiB**.
+
+
+.. _lxc-tls:
+
+TLS handling and underscore domains
+------------------------------------
+
+Container domains start with ``_`` (e.g. ``_test0.localchat``).
+As described in :doc:`getting_started` ("Running a relay with self-signed certificates"),
+underscore domains automatically use self-signed TLS
+and ``smtp_tls_security_level = encrypt``.
+This permits cross-relay federation between LXC containers
+without any external certificate authority.
+Delta Chat clients connecting to these relays
+must be configured with
+``certificateChecks = acceptInvalidCertificates``
+(the test fixtures handle this automatically).
+`PR #7926 on chatmail-core <https://github.com/chatmail/core/pull/7926>`_
+is meant to make this special setting unnecessary for chatmail clients
+that are connecting to underscore domains.
+
+
+Known limitations
+------------------
+
+The LXC environment differs from a production
+deployment in several ways:
+
+**No ACME / Let's Encrypt**:
+  Self-signed TLS only (see :ref:`lxc-tls`);
+  ACME code paths are never exercised locally.
+
+**No inbound connections from the internet**:
+  Containers sit on a private Incus bridge and are not port-forwarded.
+  Only the host and other containers on the same bridge can reach them.
+
+**Local federation only**:
+  Cross-relay mail delivery (e.g. test0 → test1) works between containers on the same host,
+  but these relays are invisible to any external mail server.
+
+**DNS is local only**:
+  The ``.localchat`` pseudo-TLD is not resolvable from the wider internet
+  (see :ref:`lxc-dns-setup`).
+
+**IPv6 is ULA-only**:
+  Containers receive IPv6 addresses from the ``fd42:...`` ULA range on the Incus bridge.
+  These are not globally routable, but are sufficient for testing IPv6 service binding
+  (Postfix, Dovecot, Nginx) and DNS AAAA records inside the local environment.
+  test1 runs with ``disable_ipv6 = True`` to exercise the IPv4-only deployment path.
+
+**TURN server does not start**:
+  ``chatmail-turn`` discovers its listen addresses by enumerating globally routable IPs but
+  LXC containers only have private RFC 1918 addresses (``10.x.x.x``),
+  so the address list is empty and the server exits immediately.
+  `PR #11 on chatmail-turn <https://github.com/chatmail/chatmail-turn/pull/11>`_
+  is meant to fix this.

From 49705863d39741fe11be2cac0fe94f4e1221d800 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Fri, 6 Mar 2026 10:24:15 +0100
Subject: [PATCH 02/31] don't use env vars but explicit pytest options to pass
 ssh info around.

---
 cmdeploy/src/cmdeploy/cmdeploy.py             |  8 +++---
 .../src/cmdeploy/tests/online/test_1_basic.py |  5 ++--
 .../cmdeploy/tests/online/test_2_deltachat.py |  5 ++--
 .../cmdeploy/tests/online/test_3_status.py    | 14 +++++-----
 cmdeploy/src/cmdeploy/tests/plugin.py         | 28 +++++++++++++------
 doc/source/lxc.rst                            | 12 +++-----
 6 files changed, 39 insertions(+), 33 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index 4cd081f6d..d1b90c01a 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -249,10 +249,6 @@ def test_cmd(args, out):
 
     env = os.environ.copy()
     env["CHATMAIL_INI"] = str(args.inipath.resolve())
-    if args.ssh_host:
-        env["CHATMAIL_SSH"] = args.ssh_host
-    if args.ssh_config:
-        env["CHATMAIL_SSH_CONFIG"] = str(Path(args.ssh_config).resolve())
 
     pytest_path = shutil.which("pytest")
     pytest_args = [
@@ -266,6 +262,10 @@ def test_cmd(args, out):
     ]
     if args.slow:
         pytest_args.append("--slow")
+    if args.ssh_host:
+        pytest_args.extend(["--ssh-host", args.ssh_host])
+    if args.ssh_config:
+        pytest_args.extend(["--ssh-config", str(Path(args.ssh_config).resolve())])
     ret = out.run_ret(pytest_args, env=env)
     return ret
 
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
index 11c7c9051..6fa311c74 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -1,5 +1,4 @@
 import datetime
-import os
 import smtplib
 import socket
 import subprocess
@@ -13,8 +12,8 @@
 
 class TestSSHExecutor:
     @pytest.fixture(scope="class")
-    def sshexec(self, sshdomain):
-        ssh_config = os.environ.get("CHATMAIL_SSH_CONFIG")
+    def sshexec(self, sshdomain, pytestconfig):
+        ssh_config = pytestconfig.getoption("ssh_config")
         return get_sshexec(sshdomain, ssh_config=ssh_config)
 
     def test_ls(self, sshexec):
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
index 9338afebb..bcfe712be 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
@@ -1,5 +1,4 @@
 import ipaddress
-import os
 import re
 import time
 
@@ -68,7 +67,7 @@ def test_one_on_one(self, cmfactory, lp):
         assert msg2.get_snapshot().text == "message0"
 
     def test_exceed_quota(
-        self, cmfactory, lp, tmpdir, remote, chatmail_config, sshdomain
+        self, cmfactory, lp, tmpdir, remote, chatmail_config, sshdomain, pytestconfig
     ):
         """This is a very slow test as it needs to upload >100MB of mail data
         before quota is exceeded, and thus depends on the speed of the upload.
@@ -94,7 +93,7 @@ def parse_size_limit(limit: str) -> int:
         fn = f"7743102289.M843172P2484002.c20,S={quota},W=2398:2,"
         path = chatmail_config.mailboxes_dir.joinpath(user, "cur", fn)
         sshexec = get_sshexec(
-            sshdomain, ssh_config=os.environ.get("CHATMAIL_SSH_CONFIG")
+            sshdomain, ssh_config=pytestconfig.getoption("ssh_config")
         )
         sshexec(call=rshell.write_numbytes, kwargs=dict(path=str(path), num=120))
         res = sshexec(call=rshell.dovecot_recalc_quota, kwargs=dict(user=user))
diff --git a/cmdeploy/src/cmdeploy/tests/online/test_3_status.py b/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
index f6a4c747f..4e3fbaba7 100644
--- a/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
@@ -3,15 +3,15 @@
 from cmdeploy.cmdeploy import main
 
 
-def test_status_cmd(chatmail_config, capsys, request):
+def test_status_cmd(chatmail_config, capsys, request, pytestconfig):
     os.chdir(request.config.invocation_params.dir)
     command = ["status"]
-    if os.getenv("CHATMAIL_SSH"):
-        command.append("--ssh-host")
-        command.append(os.getenv("CHATMAIL_SSH"))
-    if os.getenv("CHATMAIL_SSH_CONFIG"):
-        command.append("--ssh-config")
-        command.append(os.getenv("CHATMAIL_SSH_CONFIG"))
+    ssh_host = pytestconfig.getoption("ssh_host")
+    if ssh_host:
+        command.extend(["--ssh-host", ssh_host])
+    ssh_config = pytestconfig.getoption("ssh_config")
+    if ssh_config:
+        command.extend(["--ssh-config", ssh_config])
     assert main(command) == 0
     status_out = capsys.readouterr()
     print(status_out.out)
diff --git a/cmdeploy/src/cmdeploy/tests/plugin.py b/cmdeploy/src/cmdeploy/tests/plugin.py
index ccb7bab85..aa3f0b37d 100644
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -20,6 +20,18 @@ def pytest_addoption(parser):
     parser.addoption(
         "--slow", action="store_true", default=False, help="also run slow tests"
     )
+    parser.addoption(
+        "--ssh-host",
+        dest="ssh_host",
+        default=None,
+        help="SSH host (overrides mail_domain for SSH operations).",
+    )
+    parser.addoption(
+        "--ssh-config",
+        dest="ssh_config",
+        default=None,
+        help="Path to an SSH config file (e.g. lxconfigs/ssh-config).",
+    )
 
 
 def _parse_ssh_config_hosts(path):
@@ -57,9 +69,9 @@ def patched_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
 
 
 @pytest.fixture(autouse=True, scope="session")
-def _setup_localchat_dns():
+def _setup_localchat_dns(pytestconfig):
     """Monkey-patch socket.getaddrinfo to resolve .localchat via ssh-config."""
-    ssh_config = os.environ.get("CHATMAIL_SSH_CONFIG")
+    ssh_config = pytestconfig.getoption("ssh_config")
     if not ssh_config or not Path(ssh_config).exists():
         yield {}
         return
@@ -126,8 +138,8 @@ def maildomain(chatmail_config):
 
 
 @pytest.fixture(scope="session")
-def sshdomain(maildomain):
-    return os.environ.get("CHATMAIL_SSH", maildomain)
+def sshdomain(maildomain, pytestconfig):
+    return pytestconfig.getoption("ssh_host") or maildomain
 
 
 @pytest.fixture(scope="session")
@@ -471,14 +483,14 @@ def cmfactory(
 
 
 @pytest.fixture
-def remote(sshdomain):
-    return Remote(sshdomain)
+def remote(sshdomain, pytestconfig):
+    return Remote(sshdomain, ssh_config=pytestconfig.getoption("ssh_config"))
 
 
 class Remote:
-    def __init__(self, sshdomain):
+    def __init__(self, sshdomain, ssh_config=None):
         self.sshdomain = sshdomain
-        self.ssh_config = os.environ.get("CHATMAIL_SSH_CONFIG")
+        self.ssh_config = ssh_config
 
     def iter_output(self, logcmd="", ready=None):
         getjournal = "journalctl -f" if not logcmd else logcmd
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index 8aec4ffdf..d80aec2a8 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -96,18 +96,14 @@ CLI reference
 
 ``lxc-stop [--destroy] [--destroy-all] [NAME ...]``
     Stop relay containers.
-    Without arguments, stops ``test0-localchat``
-    and ``test1-localchat``.
+    Without arguments, stops ``test0-localchat`` and ``test1-localchat``.
     Pass ``NAME`` to stop specific containers.
-    Use ``--destroy`` to also delete the containers
-    and their config files.
+    Use ``--destroy`` to also delete the containers and their config files.
     Use ``--destroy-all`` to additionally destroy
     the ``ns-localchat`` DNS container **and** remove
     the cached ``localchat-base`` and ``localchat-relay``
-    images, giving a fully clean slate
-    for the next ``lxc-test``.
-    User containers are **never** destroyed
-    unless named explicitly.
+    images, giving a fully clean slate for the next ``lxc-test``.
+    User containers are **never** destroyed unless named explicitly.
 
 ``lxc-test [--one]``
     Idempotent full pipeline:

From b59417128c59cc26b6022256404880dfd98c14f6 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Fri, 6 Mar 2026 10:52:08 +0100
Subject: [PATCH 03/31] fix lxc-test to not re-run deploy when nothing changed
 + some other beautifications

---
 cmdeploy/src/cmdeploy/lxc/cli.py   | 12 +++++-------
 cmdeploy/src/cmdeploy/lxc/incus.py | 13 ++++++-------
 cmdeploy/src/cmdeploy/util.py      |  6 ++++--
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index 1718a74da..df536e027 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -37,15 +37,13 @@ def lxc_start_cmd_options(parser):
 def lxc_start_cmd(args, out):
     """Create/Ensure and start LXC relay and DNS containers."""
     ix = Incus()
-    relays = [ix.get_container(n) for n in args.names] or [
-        ix.get_container(RELAY_NAMES[0])
-    ]
     out.green("Ensuring DNS container (ns-localchat) ...")
     dns_ct = ix.get_dns_container()
     dns_ct.ensure()
-    dns_ip = dns_ct.ipv4
-    print(f"  DNS container IP: {dns_ip}")
+    print(f"  DNS container IP: {dns_ct.ipv4}")
 
+    names = args.names if args.names else RELAY_NAMES
+    relays = list(ix.get_container(n) for n in names)
     for ct in relays:
         out.green(f"Ensuring container {ct.name!r} ({ct.domain}) ...")
         ct.ensure()
@@ -81,12 +79,12 @@ def lxc_start_cmd(args, out):
         print(
             f"Resetting DNS zones for {len(started)} domain(s) (A + AAAA records) ..."
         )
-        dns_ct.reset_dns_records(dns_ip, started)
+        dns_ct.reset_dns_records(dns_ct.ipv4, started)
 
         for ct in relays:
             if ct.name in started_cnames:
                 print(f"  Configuring DNS in {ct.name} ...")
-                ct.configure_dns(dns_ip)
+                ct.configure_dns(dns_ct.ipv4)
 
     # Generate the unified SSH config
     out.green("Writing ssh-config ...")
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 59d7a3315..dd2bb6a55 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -120,7 +120,7 @@ def run_json(self, args, check=True):
         return json.loads(result.stdout)
 
     def run_output(self, args, check=True):
-        """Run an incus command and return its stdout.
+        """Run an incus command and return its stripped stdout.
 
         When *check* is False, returns *None* on non-zero exit
         instead of raising.
@@ -128,7 +128,7 @@ def run_output(self, args, check=True):
         result = self.run(args, check=check)
         if result.returncode != 0:
             return None
-        return result.stdout
+        return result.stdout.strip()
 
     def _find_image(self, alias):
         """Return *alias* if an image with that alias exists, else None."""
@@ -396,9 +396,10 @@ def disable_ipv6(self):
 
     def configure_hosts(self, ip):
         """Set hostname and /etc/hosts inside the container."""
-        self.bash(f"""\
+        self.bash(f"""
             echo '{self.name}' > /etc/hostname
             hostname {self.name}
+            sed -i '/ {self.domain}$/d' /etc/hosts
             echo '{ip} {self.name} {self.domain}' >> /etc/hosts
         """)
 
@@ -419,16 +420,14 @@ def publish_as_relay_image(self):
 
     def deployed_version(self):
         """Read /etc/chatmail-version, or None if absent."""
-        output = self.bash("cat /etc/chatmail-version", check=False)
-        return output.strip() if output else None
+        return self.bash("cat /etc/chatmail-version", check=False)
 
     def deployed_domain(self):
         """Read the domain deployed on the container (postfix myhostname)."""
-        output = self.bash(
+        return self.bash(
             "postconf -h myhostname 2>/dev/null",
             check=False,
         )
-        return output.strip() if output else None
 
     def verify_ssh(self, ssh_config):
         """Verify SSH connectivity to this container."""
diff --git a/cmdeploy/src/cmdeploy/util.py b/cmdeploy/src/cmdeploy/util.py
index bd0b2fe30..9f2c2da03 100644
--- a/cmdeploy/src/cmdeploy/util.py
+++ b/cmdeploy/src/cmdeploy/util.py
@@ -57,7 +57,9 @@ def get_version_string():
     """
     git_hash = get_git_hash() or "unknown"
     try:
-        git_diff = shell("git diff", cwd=str(_project_root())).stdout
+        git_diff = shell("git diff", cwd=str(_project_root())).stdout.strip()
     except Exception:
         git_diff = ""
-    return git_hash + "\n" + git_diff
+    if git_diff:
+        return f"{git_hash}\n{git_diff}"
+    return git_hash

From 3021e47866369179ebc76cbfed3154def6586b2b Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Fri, 6 Mar 2026 10:58:36 +0100
Subject: [PATCH 04/31] make helpers testable and test them, also streamline
 intro of docs

---
 cmdeploy/src/cmdeploy/tests/test_util.py | 54 ++++++++++++++++++++++++
 cmdeploy/src/cmdeploy/util.py            | 14 +++---
 doc/source/lxc.rst                       | 17 +-------
 3 files changed, 65 insertions(+), 20 deletions(-)
 create mode 100644 cmdeploy/src/cmdeploy/tests/test_util.py

diff --git a/cmdeploy/src/cmdeploy/tests/test_util.py b/cmdeploy/src/cmdeploy/tests/test_util.py
new file mode 100644
index 000000000..486186c7f
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/tests/test_util.py
@@ -0,0 +1,54 @@
+
+from cmdeploy.util import collapse, get_git_hash, get_version_string, shell
+
+
+def test_collapse():
+    text = """
+        line 1
+        line 2
+    """
+    assert collapse(text) == "line 1 line 2"
+    assert collapse("  single line  ") == "single line"
+
+
+def test_git_helpers_no_git(tmp_path):
+    # Not a git repo
+    assert get_git_hash(root=tmp_path) is None
+    assert get_version_string(root=tmp_path) == "unknown"
+
+
+def test_git_helpers_empty_repo(tmp_path):
+    shell("git init", cwd=tmp_path, check=True)
+    # No commits yet
+    assert get_git_hash(root=tmp_path) is None
+    assert get_version_string(root=tmp_path) == "unknown"
+
+
+def test_git_helpers_with_commits_and_diffs(tmp_path):
+    shell("git init", cwd=tmp_path, check=True)
+    shell("git config user.email you@example.com", cwd=tmp_path, check=True)
+    shell("git config user.name 'Your Name'", cwd=tmp_path, check=True)
+
+    # First commit
+    path = tmp_path / "file.txt"
+    path.write_text("content")
+    shell("git add file.txt", cwd=tmp_path, check=True)
+    shell("git commit -m initial", cwd=tmp_path, check=True)
+
+    git_hash = get_git_hash(root=tmp_path)
+    assert len(git_hash) >= 7  # usually 40, but git is git
+    assert get_version_string(root=tmp_path) == git_hash
+
+    # Create a diff
+    path.write_text("new content")
+    v = get_version_string(root=tmp_path)
+    assert v.startswith(git_hash + "\n")
+    assert "new content" in v
+    assert not v.endswith("\n")
+
+    # Commit again -> no diff
+    shell("git add file.txt", cwd=tmp_path, check=True)
+    shell("git commit -m second", cwd=tmp_path, check=True)
+    new_hash = get_git_hash(root=tmp_path)
+    assert new_hash != git_hash
+    assert get_version_string(root=tmp_path) == new_hash
diff --git a/cmdeploy/src/cmdeploy/util.py b/cmdeploy/src/cmdeploy/util.py
index 9f2c2da03..ed70236d1 100644
--- a/cmdeploy/src/cmdeploy/util.py
+++ b/cmdeploy/src/cmdeploy/util.py
@@ -37,27 +37,31 @@ def shell(cmd, check=False, **kwargs):
     return subprocess.run(collapse(cmd), shell=True, text=True, check=check, **kwargs)
 
 
-def get_git_hash():
+def get_git_hash(root=None):
     """Return the local HEAD commit hash, or None."""
+    if root is None:
+        root = _project_root()
     result = shell(
         "git rev-parse HEAD",
-        cwd=str(_project_root()),
+        cwd=str(root),
     )
     if result.returncode == 0:
         return result.stdout.strip()
     return None
 
 
-def get_version_string():
+def get_version_string(root=None):
     """Return ``git_hash\\ngit_diff`` for the local working tree.
 
     Used by :class:`~cmdeploy.deployers.GithashDeployer` to write
     ``/etc/chatmail-version`` and by ``lxc-status`` to compare
     the deployed state against the local checkout.
     """
-    git_hash = get_git_hash() or "unknown"
+    if root is None:
+        root = _project_root()
+    git_hash = get_git_hash(root=root) or "unknown"
     try:
-        git_diff = shell("git diff", cwd=str(_project_root())).stdout.strip()
+        git_diff = shell("git diff", cwd=str(root)).stdout.strip()
     except Exception:
         git_diff = ""
     if git_diff:
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index d80aec2a8..f4519aca3 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -17,12 +17,6 @@ They share the host's kernel but run their own init system
 (systemd), package manager, and network stack,
 so the cmdeploy deployment scripts work exactly
 as they would on a real Debian server or cloud VPS.
-Incus is
-`well supported
-<https://linuxcontainers.org/incus/docs/main/installing/>`_
-on Debian, Ubuntu, Arch, Fedora,
-and other major distributions.
-
 
 Prerequisites
 -------------
@@ -38,15 +32,8 @@ Incus is in the default repositories::
 
     sudo apt install incus
 
-**Older Debian / Ubuntu**: Use the
-`Zabbly package repository
-<https://github.com/zabbly/incus>`_::
-
-    curl -fsSL https://pkgs.zabbly.com/get/incus-stable | sudo bash
-
-**Arch Linux**::
-
-    sudo pacman -S incus
+For other distros like Arch, Fedora etc. please check out
+`Incus support on many linux distros <https://linuxcontainers.org/incus/docs/main/installing/>`_.
 
 After installing, initialise and grant yourself access::
 

From 1a578ecc66978d7d452100b0e7c07f1bc6ae4fd9 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Fri, 6 Mar 2026 12:11:02 +0100
Subject: [PATCH 05/31] simplify start instructions

---
 doc/source/lxc.rst | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index f4519aca3..ce4535d1e 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -25,24 +25,16 @@ Install `Incus <https://linuxcontainers.org/incus/>`_
 (LXC container manager).
 See the `official installation guide
 <https://linuxcontainers.org/incus/docs/main/installing/>`_
-for full details, or use one of the shortcuts below:
+for full details.
 
-**Debian 12+ / Ubuntu 24.04+**
-Incus is in the default repositories::
-
-    sudo apt install incus
-
-For other distros like Arch, Fedora etc. please check out
-`Incus support on many linux distros <https://linuxcontainers.org/incus/docs/main/installing/>`_.
-
-After installing, initialise and grant yourself access::
+After installing incus, initialise and grant yourself access::
 
     sudo incus admin init --minimal
     sudo usermod -aG incus-admin $USER
 
 .. warning::
 
-   You **must log out and back in** (or run ``newgrp incus-admin``)
+   You **must now log out and back in** (or run ``newgrp incus-admin``)
    after adding yourself to the group.
    Without this, all ``cmdeploy lxc-*`` commands
    will fail with permission errors.
@@ -58,6 +50,7 @@ Quick start
 
     cd relay
     scripts/initenv.sh               # bootstrap venv
+    source venv/bin/activate         # activate venv
     cmdeploy lxc-test                # create containers, deploy, test
 
 

From ea7b875eb11d8d1d513adf0962e609522ec7b4b5 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sat, 7 Mar 2026 07:25:14 +0100
Subject: [PATCH 06/31] address link2xt comments (zone parsing and turn v0.4
 release

---
 cmdeploy/src/cmdeploy/deployers.py       |  8 ++++----
 cmdeploy/src/cmdeploy/dns.py             | 14 +++++++-------
 cmdeploy/src/cmdeploy/tests/test_dns.py  | 21 +++++++++++++++++++++
 cmdeploy/src/cmdeploy/tests/test_lxc.py  |  3 ---
 cmdeploy/src/cmdeploy/tests/test_util.py |  1 -
 doc/source/lxc.rst                       |  7 -------
 6 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/deployers.py b/cmdeploy/src/cmdeploy/deployers.py
index c298d8035..2bee1784d 100644
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -343,12 +343,12 @@ def __init__(self, mail_domain):
     def install(self):
         (url, sha256sum) = {
             "x86_64": (
-                "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-x86_64-linux",
-                "841e527c15fdc2940b0469e206188ea8f0af48533be12ecb8098520f813d41e4",
+                "https://github.com/chatmail/chatmail-turn/releases/download/v0.4/chatmail-turn-x86_64-linux",
+                "1ec1f5c50122165e858a5a91bcba9037a28aa8cb8b64b8db570aa457c6141a8a",
             ),
             "aarch64": (
-                "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-aarch64-linux",
-                "a5fc2d06d937b56a34e098d2cd72a82d3e89967518d159bf246dc69b65e81b42",
+                "https://github.com/chatmail/chatmail-turn/releases/download/v0.4/chatmail-turn-aarch64-linux",
+                "0fb3e792419494e21ecad536464929dba706bb2c88884ed8f1788141d26fc756",
             ),
         }[host.get_fact(facts.server.Arch)]
 
diff --git a/cmdeploy/src/cmdeploy/dns.py b/cmdeploy/src/cmdeploy/dns.py
index 2370ef7df..b519e71c6 100644
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -9,16 +9,16 @@ def parse_zone_records(text):
     Skips comment lines (starting with ``;``) and blank lines.
     Each record line must have the format ``name TTL IN type rdata``.
     """
-    for raw_line in text.strip().splitlines():
+    for raw_line in text.splitlines():
         line = raw_line.strip()
         if not line or line.startswith(";"):
             continue
-        parts = line.split(None, 4)
-        if len(parts) < 5:
-            raise ValueError(f"Bad zone record line: {line}")
-        name = parts[0].rstrip(".")
-        # parts[2] is the IN class — ignored
-        yield name, parts[1], parts[3].upper(), parts[4]
+        try:
+            name, ttl, _in, rtype, rdata = line.split(None, 4)
+        except ValueError:
+            raise ValueError(f"Bad zone record line: {line!r}") from None
+        name = name.rstrip(".")
+        yield name, ttl, rtype.upper(), rdata
 
 
 def get_initial_remote_data(sshexec, mail_domain):
diff --git a/cmdeploy/src/cmdeploy/tests/test_dns.py b/cmdeploy/src/cmdeploy/tests/test_dns.py
index 8db498af7..fc9cd2994 100644
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -125,6 +125,27 @@ def test_perform_initial_checks_no_mta_sts_self_signed(self, mockdns):
         assert not l
 
 
+def test_parse_zone_records():
+    text = """
+    ; This is a comment
+    some.domain. 3600 IN A 1.1.1.1
+
+    ; Another comment
+    www.some.domain. 3600 IN CNAME some.domain.
+    """
+    records = list(parse_zone_records(text))
+    assert records == [
+        ("some.domain", "3600", "A", "1.1.1.1"),
+        ("www.some.domain", "3600", "CNAME", "some.domain."),
+    ]
+
+
+def test_parse_zone_records_invalid_line():
+    text = "invalid line"
+    with pytest.raises(ValueError, match="Bad zone record line"):
+        list(parse_zone_records(text))
+
+
 def parse_zonefile_into_dict(zonefile, mockdns_base, only_required=False):
     if only_required:
         # Only take records before the "; Recommended" section
diff --git a/cmdeploy/src/cmdeploy/tests/test_lxc.py b/cmdeploy/src/cmdeploy/tests/test_lxc.py
index ffc8d3ee5..504e1f4ab 100644
--- a/cmdeploy/src/cmdeploy/tests/test_lxc.py
+++ b/cmdeploy/src/cmdeploy/tests/test_lxc.py
@@ -43,7 +43,6 @@ def relay_container(lxc_setup):
 
 @pytest.fixture
 def cmdeploy():
-
     def run(*args):
         return subprocess.run(
             [sys.executable, "-m", "cmdeploy.cmdeploy", *args],
@@ -127,7 +126,6 @@ def test_cli_lxc_status_help(self, cmdeploy):
         assert "status" in result.stdout.lower()
 
     def test_shows_containers(self, lxc_setup, capsys):
-
         class QuietOut:
             def red(self, msg, **kw):
                 pass
@@ -142,7 +140,6 @@ def green(self, msg, **kw):
         assert "running" in captured
 
     def test_deploy_freshness(self, ix, monkeypatch):
-
         ct = ix.get_container("x")
 
         monkeypatch.setattr(
diff --git a/cmdeploy/src/cmdeploy/tests/test_util.py b/cmdeploy/src/cmdeploy/tests/test_util.py
index 486186c7f..e2fa45d95 100644
--- a/cmdeploy/src/cmdeploy/tests/test_util.py
+++ b/cmdeploy/src/cmdeploy/tests/test_util.py
@@ -1,4 +1,3 @@
-
 from cmdeploy.util import collapse, get_git_hash, get_version_string, shell
 
 
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index ce4535d1e..546212239 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -279,10 +279,3 @@ deployment in several ways:
   These are not globally routable, but are sufficient for testing IPv6 service binding
   (Postfix, Dovecot, Nginx) and DNS AAAA records inside the local environment.
   test1 runs with ``disable_ipv6 = True`` to exercise the IPv4-only deployment path.
-
-**TURN server does not start**:
-  ``chatmail-turn`` discovers its listen addresses by enumerating globally routable IPs but
-  LXC containers only have private RFC 1918 addresses (``10.x.x.x``),
-  so the address list is empty and the server exits immediately.
-  `PR #11 on chatmail-turn <https://github.com/chatmail/chatmail-turn/pull/11>`_
-  is meant to fix this.

From cd16ef8c4a094bb8970203437bdffab942e347b3 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sat, 7 Mar 2026 21:16:49 +0100
Subject: [PATCH 07/31] address link2xt review comments

---
 cmdeploy/src/cmdeploy/lxc/incus.py      | 10 +++-------
 cmdeploy/src/cmdeploy/tests/test_lxc.py |  2 +-
 doc/source/lxc.rst                      |  7 +++----
 3 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index dd2bb6a55..e21d44478 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -230,12 +230,7 @@ def get_dns_container(self):
 
 
 class Container:
-    """Lightweight handle for an Incus container.
-
-    Carries the container *name* and provides convenience methods
-    for running commands, managing lifecycle, and extracting state
-    so callers don't repeat the name everywhere.
-    """
+    """The base container handle wraps all interactions with incus."""
 
     def __init__(self, incus, name, domain=None, memory="100MiB"):
         self.incus = incus
@@ -385,6 +380,7 @@ def destroy(self):
 
     def disable_ipv6(self):
         """Disable IPv6 inside the container via sysctl."""
+        # incus provides net.* virtalization
         self.bash("""\
             sysctl -w net.ipv6.conf.all.disable_ipv6=1
             sysctl -w net.ipv6.conf.default.disable_ipv6=1
@@ -469,7 +465,7 @@ def write_ini(self, disable_ipv6=False):
 
 
 class DNSContainer(Container):
-    """Specialised container handle for the PowerDNS name server."""
+    """Container handle for the PowerDNS name server."""
 
     def __init__(self, incus):
         super().__init__(incus, DNS_CONTAINER_NAME, domain=DNS_DOMAIN)
diff --git a/cmdeploy/src/cmdeploy/tests/test_lxc.py b/cmdeploy/src/cmdeploy/tests/test_lxc.py
index 504e1f4ab..cf156b613 100644
--- a/cmdeploy/src/cmdeploy/tests/test_lxc.py
+++ b/cmdeploy/src/cmdeploy/tests/test_lxc.py
@@ -10,7 +10,7 @@
 from cmdeploy.lxc.incus import Incus
 
 pytestmark = pytest.mark.skipif(
-    not shutil.which("incus") or not shutil.which("lxc"),
+    not shutil.which("incus"),
     reason="incus/lxc not installed",
 )
 
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index 546212239..066624625 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -93,13 +93,12 @@ CLI reference
 
     2. ``cmdeploy run``: deploy chatmail services on each relay
 
-    3. publish ``localchat-relay`` image after first successful deploy
+    3. locally cache ``localchat-relay`` image after first successful deploy
 
     4. ``cmdeploy dns --zonefile``: generate standard
        BIND-format zone files, load full DNS records
 
     5. ``cmdeploy test``: run full test suite
-       with ``-n4 -x``
 
     By default creates, deploys, and tests both ``test0`` and ``test1``
     for dual-domain federation testing (sets ``CHATMAIL_DOMAIN2=_test1.localchat``).
@@ -221,12 +220,12 @@ per-container ``chatmail-*.ini`` files, zone files, and ``ssh-config``.
 
 The only state *outside* the repository is the Incus containers and images themselves
 (managed via the ``incus`` CLI, labelled with ``user.localchat-managed=true``).
-Two cached images are published to the local Incus image store:
+The Incus image store retains the following snapshot images:
 
 * ``localchat-base``: Debian 12 with openssh-server and Python (built on first run)
 
 * ``localchat-relay``: fully deployed relay snapshot,
-  published after the first successful ``cmdeploy run``.
+  cached after the first successful ``cmdeploy run``.
   Subsequent relay containers launch from this image
   so the deploy step is mostly no-ops (roughly 3× faster than a fresh deploy).
   Relay containers are limited to **500 MiB RAM** and the DNS container to **100 MiB**.

From 75c42dc8c7b7042e6435a9eac99166c40eef20c5 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sat, 7 Mar 2026 21:43:04 +0100
Subject: [PATCH 08/31] ignore sysctl permission problems (likely in
 containers)

---
 cmdeploy/src/cmdeploy/dovecot/deployer.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/dovecot/deployer.py b/cmdeploy/src/cmdeploy/dovecot/deployer.py
index 2e9bf5b66..ad4c7c1d0 100644
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -141,11 +141,15 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
                 # Skip updating limits if already sufficient
                 # (enables running in incus containers where sysctl readonly)
                 continue
+            # in containers the following can fail see also
+            # https://docs.pyinfra.com/en/3.x/arguments.html#operation-meta-callbacks
             server.sysctl(
                 name=f"Change {key}",
                 key=key,
                 value=65535,
                 persist=True,
+                _ignore_errors=True,
+                _continue_on_error=True,
             )
 
     timezone_env = files.line(

From 010e9de08eb6b1aa7f877f79ece31e79c5bad774 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:07:36 +0100
Subject: [PATCH 09/31] lxc: poll until DNS answers before continuing; reset
 bridge on --destroy-all

After restarting pdns/pdns-recursor, wait up to 10 s for the recursor
to actually answer a query before proceeding.  Likewise, after
configure_dns(), poll from inside the relay container until the
configured DNS IP responds.

On --destroy-all, unset the incusbr0 dns.mode and raw.dnsmasq network
options so the next lxc-start starts from a clean bridge state.

DNSConfigurationError (caught in main()) is raised on timeout so the
CLI prints a clean error instead of failing later with a cryptic message.
---
 cmdeploy/src/cmdeploy/cmdeploy.py  |  4 +++
 cmdeploy/src/cmdeploy/lxc/incus.py | 56 +++++++++++++++++++++++++++---
 2 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index d1b90c01a..d9b432cfb 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -28,6 +28,7 @@
     lxc_test_cmd,
     lxc_test_cmd_options,
 )
+from .lxc.incus import DNSConfigurationError
 from .sshexec import (
     LocalExec,
     SSHExec,
@@ -464,6 +465,9 @@ def main(args=None):
         if res is None:
             res = 0
         return res
+    except DNSConfigurationError as exc:
+        out.red(str(exc))
+        return 1
     except KeyboardInterrupt:
         out.red("KeyboardInterrupt")
         sys.exit(130)
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index e21d44478..391c8b517 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -20,6 +20,10 @@
 DNS_DOMAIN = "ns.localchat"
 
 
+class DNSConfigurationError(Exception):
+    """Raised when the DNS container is not reachable or not answering."""
+
+
 def _extract_ip(net_data, family="inet"):
     """Extract the first global-scope IP of *family* from network state data.
 
@@ -196,6 +200,7 @@ def ensure_base_image(self):
         key_path = self.ssh_key_path
         pub_key = key_path.with_suffix(".pub").read_text().strip()
         ct.bash(f"""\
+            echo 'nameserver 9.9.9.9' > /etc/resolv.conf
             apt-get -o DPkg::Lock::Timeout=60 update
             DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server python3
             systemctl enable ssh
@@ -431,11 +436,10 @@ def verify_ssh(self, ssh_config):
         return shell(cmd, timeout=15).returncode == 0
 
     def configure_dns(self, dns_ip):
-        """Point this container's resolver at *dns_ip*.
+        """Point this container's resolver at *dns_ip* and verify it works.
 
-        Disables systemd-resolved to free port 53 and writes
-        a static /etc/resolv.conf.  Also configures unbound
-        (if present) to forward .localchat queries.
+        Disables systemd-resolved, writes a static /etc/resolv.conf,
+        and configures unbound to forward .localchat queries to *dns_ip*.
         """
         self.bash(f"""\
             systemctl disable --now systemd-resolved 2>/dev/null || true
@@ -448,6 +452,27 @@ def configure_dns(self, dns_ip):
             > /etc/unbound/unbound.conf.d/localchat-forward.conf
             systemctl restart unbound 2>/dev/null || true
         """)
+        self._wait_dns_reachable(dns_ip)
+
+    def _wait_dns_reachable(self, dns_ip, timeout=10):
+        """Poll until *dns_ip* answers a DNS query from this container."""
+        if self.bash("which dig", check=False) is None:
+            self.bash(
+                "DEBIAN_FRONTEND=noninteractive "
+                "apt-get install -y dnsutils 2>/dev/null || true"
+            )
+        deadline = time.time() + timeout
+        while time.time() < deadline:
+            result = self.bash(
+                f"dig @{dns_ip} . SOA +short +time=1 +tries=1",
+                check=False,
+            )
+            if result and result.strip():
+                return
+            time.sleep(0.5)
+        raise DNSConfigurationError(
+            f"DNS at {dns_ip} not reachable from {self.name} after {timeout}s"
+        )
 
     def write_ini(self, disable_ipv6=False):
         """Generate a chatmail.ini config file in lxconfigs/."""
@@ -479,11 +504,25 @@ def replace_rrset(self, zone, name, rtype, ttl, rdata):
         self.pdnsutil("replace-rrset", zone, name, rtype, ttl, rdata)
 
     def restart_services(self):
-        """Restart pdns and pdns-recursor."""
+        """Restart pdns and pdns-recursor, then wait until DNS is answering."""
         self.bash("""\
             systemctl restart pdns
             systemctl restart pdns-recursor || true
         """)
+        self._wait_dns_ready()
+
+    def _wait_dns_ready(self, timeout=10):
+        """Poll until the recursor answers a query on port 53."""
+        deadline = time.time() + timeout
+        while time.time() < deadline:
+            result = self.bash(
+                "dig @127.0.0.1 . SOA +short +time=1 +tries=1",
+                check=False,
+            )
+            if result and result.strip():
+                return
+            time.sleep(0.5)
+        raise DNSConfigurationError(f"DNS recursor not answering after {timeout}s")
 
     def ensure(self):
         """Create the DNS container with PowerDNS if needed.
@@ -503,6 +542,12 @@ def ensure(self):
             check=False,
         )
 
+    def destroy(self):
+        """Stop, delete, and reset bridge DNS config."""
+        super().destroy()
+        self.incus.run(["network", "unset", "incusbr0", "dns.mode"], check=False)
+        self.incus.run(["network", "unset", "incusbr0", "raw.dnsmasq"], check=False)
+
     def _install_powerdns(self):
         """Install and configure PowerDNS if not already present."""
         if self.run_cmd("which", "pdns_server", check=False) is not None:
@@ -550,6 +595,7 @@ def _install_powerdns(self):
             systemctl start pdns-recursor
             echo 'nameserver 127.0.0.1' > /etc/resolv.conf
         """)
+        self._wait_dns_ready()
 
     def reset_dns_records(self, dns_ip, domains):
         """Create DNS zones with initial A records via pdnsutil.

From a102ed7d61aae75571e91a61ad7c9a92d8ea7db2 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:07:45 +0100
Subject: [PATCH 10/31] lxc: add Out class with --verbose, section timing, and
 coloured shell output

Move the Out output-printer class to cmdeploy/util.py so it is shared
across CLI modules.  All print/shell calls in lxc/cli.py, lxc/incus.py,
and dns.py now route through Out instead of bare print().

Key additions:
- Out.section() / Out.section_line(): coloured section headers scaled
  to the current terminal width (or $_CMDEPLOY_WIDTH for sub-processes).
- Out.shell(): merges stdout/stderr, prefixes each output line, and
  prints a red error line with the exit code on failure.
- Out.new_prefixed_out(): indented sub-printer that shares section_timings.
- 'cmdeploy -v / -vv' exposes the verbosity levels.
- Tests for Out added to test_util.py.
---
 chatmaild/src/chatmaild/tests/plugin.py  |   6 +-
 cmdeploy/src/cmdeploy/cmdeploy.py        |  62 +++-----
 cmdeploy/src/cmdeploy/deployers.py       |   4 +-
 cmdeploy/src/cmdeploy/dns.py             |  15 +-
 cmdeploy/src/cmdeploy/lxc/cli.py         | 171 +++++++++++------------
 cmdeploy/src/cmdeploy/lxc/incus.py       |  88 +++++++++---
 cmdeploy/src/cmdeploy/tests/test_lxc.py  |   9 +-
 cmdeploy/src/cmdeploy/tests/test_util.py |  69 ++++++++-
 cmdeploy/src/cmdeploy/util.py            |  99 +++++++++++++
 9 files changed, 355 insertions(+), 168 deletions(-)

diff --git a/chatmaild/src/chatmaild/tests/plugin.py b/chatmaild/src/chatmaild/tests/plugin.py
index b57418a3a..165de3e0c 100644
--- a/chatmaild/src/chatmaild/tests/plugin.py
+++ b/chatmaild/src/chatmaild/tests/plugin.py
@@ -85,13 +85,13 @@ class MockOut:
         captured_green = []
         captured_plain = []
 
-        def red(self, msg):
+        def red(self, msg, **kw):
             self.captured_red.append(msg)
 
-        def green(self, msg):
+        def green(self, msg, **kw):
             self.captured_green.append(msg)
 
-        def __call__(self, msg):
+        def print(self, msg="", **kw):
             self.captured_plain.append(msg)
 
     return MockOut()
diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index d9b432cfb..29d140460 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -15,9 +15,8 @@
 import pyinfra
 from chatmaild.config import read_config, write_initial_config
 from packaging import version
-from termcolor import colored
 
-from . import dns, remote
+from . import dns, remote  # noqa: F401
 from .lxc.cli import (  # noqa: F401
     lxc_start_cmd,
     lxc_start_cmd_options,
@@ -35,6 +34,7 @@
     resolve_host_from_ssh_config,
     resolve_key_from_ssh_config,
 )
+from .util import Out
 from .www import main as webdev_main
 
 #
@@ -124,6 +124,8 @@ def run_cmd(args, out):
     if not args.dns_check_disabled:
         env["CHATMAIL_ADDR_V4"] = remote_data.get("A") or ""
         env["CHATMAIL_ADDR_V6"] = remote_data.get("AAAA") or ""
+    env["DEBIAN_FRONTEND"] = "noninteractive"
+    env["TERM"] = "linux"
     deploy_path = importlib.resources.files(__package__).joinpath("run.py").resolve()
     pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
 
@@ -151,7 +153,10 @@ def run_cmd(args, out):
         return 1
 
     try:
-        out.check_call(cmd, env=env)
+        ret = out.shell(cmd, env=env)
+        if ret:
+            out.red("Deploy failed")
+            return 1
         if args.website_only:
             out.green("Website deployment completed.")
         elif (
@@ -267,7 +272,7 @@ def test_cmd(args, out):
         pytest_args.extend(["--ssh-host", args.ssh_host])
     if args.ssh_config:
         pytest_args.extend(["--ssh-config", str(Path(args.ssh_config).resolve())])
-    ret = out.run_ret(pytest_args, env=env)
+    ret = out.shell(" ".join(pytest_args), env=env)
     return ret
 
 
@@ -304,8 +309,8 @@ def fmt_cmd(args, out):
     format_args.extend(sources)
     check_args.extend(sources)
 
-    out.check_call(" ".join(format_args), quiet=not args.verbose)
-    out.check_call(" ".join(check_args), quiet=not args.verbose)
+    out.shell(" ".join(format_args), quiet=not args.verbose)
+    out.shell(" ".join(check_args), quiet=not args.verbose)
 
 
 def bench_cmd(args, out):
@@ -326,32 +331,6 @@ def webdev_cmd(args, out):
 #
 
 
-class Out:
-    """Convenience output printer providing coloring."""
-
-    def red(self, msg, file=sys.stderr):
-        print(colored(msg, "red"), file=file)
-
-    def green(self, msg, file=sys.stderr):
-        print(colored(msg, "green"), file=file)
-
-    def __call__(self, msg, red=False, green=False, file=sys.stdout):
-        color = "red" if red else ("green" if green else None)
-        print(colored(msg, color), file=file)
-
-    def check_call(self, arg, env=None, quiet=False):
-        if not quiet:
-            self(f"[$ {arg}]", file=sys.stderr)
-        return subprocess.check_call(arg, shell=True, env=env)
-
-    def run_ret(self, args, env=None, quiet=False):
-        if not quiet:
-            cmdstring = " ".join(args)
-            self(f"[$ {cmdstring}]", file=sys.stderr)
-        proc = subprocess.run(args, env=env, check=False)
-        return proc.returncode
-
-
 def add_ssh_host_option(parser):
     parser.add_argument(
         "--ssh-host",
@@ -381,15 +360,6 @@ def add_config_option(parser):
         help="path to the chatmail.ini file",
     )
 
-    parser.add_argument(
-        "--verbose",
-        "-v",
-        dest="verbose",
-        action="store_true",
-        default=False,
-        help="provide verbose logging",
-    )
-
 
 def add_subcommand(subparsers, func, add_config=True):
     name = func.__name__
@@ -415,6 +385,14 @@ def get_parser():
 
     parser = argparse.ArgumentParser(description=description.strip())
     parser.set_defaults(func=None, inipath=None)
+    parser.add_argument(
+        "-v",
+        "--verbose",
+        dest="verbose",
+        action="count",
+        default=0,
+        help="increase verbosity (can be repeated: -v, -vv)",
+    )
     subparsers = parser.add_subparsers(title="subcommands")
 
     # find all subcommands in the module namespace
@@ -447,7 +425,7 @@ def main(args=None):
     if args.func is None:
         return parser.parse_args(["-h"])
 
-    out = Out()
+    out = Out(sepchar="\u2501", verbosity=args.verbose)
     kwargs = {}
 
     if args.inipath is not None and args.func.__name__ not in ("init_cmd", "fmt_cmd"):
diff --git a/cmdeploy/src/cmdeploy/deployers.py b/cmdeploy/src/cmdeploy/deployers.py
index 2bee1784d..db952e8b4 100644
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -17,9 +17,6 @@
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, pip, server, systemd
 
-from cmdeploy.cmdeploy import Out
-from cmdeploy.util import get_version_string
-
 from .acmetool import AcmetoolDeployer
 from .basedeploy import (
     Deployer,
@@ -37,6 +34,7 @@
 from .opendkim.deployer import OpendkimDeployer
 from .postfix.deployer import PostfixDeployer
 from .selfsigned.deployer import SelfSignedTlsDeployer
+from .util import Out, get_version_string
 from .www import build_webpages, find_merge_conflict, get_paths
 
 
diff --git a/cmdeploy/src/cmdeploy/dns.py b/cmdeploy/src/cmdeploy/dns.py
index b519e71c6..adfdb3f4a 100644
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -91,18 +91,19 @@ def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
     if required_diff:
         out.red("Please set required DNS entries at your DNS provider:\n")
         for line in required_diff:
-            out(line)
-        out("")
+            out.print(line)
+        out.print()
         returncode = 1
     if remote_data.get("dkim_entry") in required_diff:
-        out(
-            "If the DKIM entry above does not work with your DNS provider, you can try this one:\n"
+        out.print(
+            "If the DKIM entry above does not work with your DNS provider,"
+            " you can try this one:\n"
         )
-        out(remote_data.get("web_dkim_entry") + "\n")
+        out.print(remote_data.get("web_dkim_entry") + "\n")
     if recommended_diff:
-        out("WARNING: these recommended DNS entries are not set:\n")
+        out.print("WARNING: these recommended DNS entries are not set:\n")
         for line in recommended_diff:
-            out(line)
+            out.print(line)
 
     if not (recommended_diff or required_diff):
         out.green("Great! All your DNS entries are verified and correct.")
diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index df536e027..c4569d153 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -1,11 +1,9 @@
 """lxc-start/stop/status/test subcommands for testing with local containers."""
 
 import os
-import subprocess
 import time
-from contextlib import contextmanager
 
-from ..util import collapse, get_git_hash, get_version_string, shell
+from ..util import get_git_hash, get_version_string, shell
 from .incus import Incus, RelayContainer
 
 RELAY_NAMES = ("test0", "test1")
@@ -36,11 +34,20 @@ def lxc_start_cmd_options(parser):
 
 def lxc_start_cmd(args, out):
     """Create/Ensure and start LXC relay and DNS containers."""
-    ix = Incus()
+
+    with out.section("Preparing container setup"):
+        _lxc_start_cmd(args, out)
+
+
+def _lxc_start_cmd(args, out):
+    ix = Incus(out)
+    sub = out.new_prefixed_out()
+    out.green("Ensuring base image ...")
+    ix.ensure_base_image()
     out.green("Ensuring DNS container (ns-localchat) ...")
     dns_ct = ix.get_dns_container()
     dns_ct.ensure()
-    print(f"  DNS container IP: {dns_ct.ipv4}")
+    sub.print(f"DNS container IP: {dns_ct.ipv4}")
 
     names = args.names if args.names else RELAY_NAMES
     relays = list(ix.get_container(n) for n in names)
@@ -49,12 +56,12 @@ def lxc_start_cmd(args, out):
         ct.ensure()
         ip = ct.ipv4
 
-        print("  Configuring container hostname ...")
+        sub.print("Configuring container hostname ...")
         ct.configure_hosts(ip)
 
-        print(f"  Writing {ct.ini.name} ...")
+        sub.print(f"Writing {ct.ini.name} ...")
         ct.write_ini(disable_ipv6=args.ipv4_only)
-        print(f"  Config: {ct.ini}")
+        sub.print(f"Config: {ct.ini}")
         if args.ipv4_only:
             ct.disable_ipv6()
             ipv6 = None
@@ -65,10 +72,10 @@ def lxc_start_cmd(args, out):
                 check=False,
             )
             ipv6 = output.strip() if output else None
-        print(f"  {_format_addrs(ip, ipv6)}")
+        sub.print(f"{_format_addrs(ip, ipv6)}")
 
-        out.green(f"  Container {ct.name!r} ready: {ct.domain} -> {ip}")
-        print()
+        sub.green(f"Container {ct.name!r} ready: {ct.domain} -> {ip}")
+        out.print()
 
     # Reset DNS zones only for the containers we just started
     started_cnames = {ct.name for ct in relays}
@@ -76,42 +83,42 @@ def lxc_start_cmd(args, out):
     started = [c for c in managed if c["name"] in started_cnames]
 
     if started:
-        print(
+        out.print(
             f"Resetting DNS zones for {len(started)} domain(s) (A + AAAA records) ..."
         )
         dns_ct.reset_dns_records(dns_ct.ipv4, started)
 
         for ct in relays:
             if ct.name in started_cnames:
-                print(f"  Configuring DNS in {ct.name} ...")
+                sub.print(f"Configuring DNS in {ct.name} ...")
                 ct.configure_dns(dns_ct.ipv4)
 
     # Generate the unified SSH config
     out.green("Writing ssh-config ...")
     ssh_cfg = ix.write_ssh_config()
-    print(f"  {ssh_cfg}")
+    sub.print(f"{ssh_cfg}")
 
     # Verify SSH via the generated config
     for ct in relays:
-        print(f"  Verifying SSH to {ct.name} via ssh-config ...")
+        sub.print(f"Verifying SSH to {ct.name} via ssh-config ...")
         if ct.verify_ssh(ssh_cfg):
-            print(f"  SSH OK: ssh -F lxconfigs/ssh-config {ct.domain}")
+            sub.print(f"SSH OK: ssh -F lxconfigs/ssh-config {ct.domain}")
         else:
-            out.red(f"  WARNING: SSH verification failed for {ct.name}")
+            sub.red(f"WARNING: SSH verification failed for {ct.name}")
 
     # Print integration suggestions
     ssh_cfg = ix.ssh_config_path
     if not ix.check_ssh_include():
-        out.green(
-            "\n  (Optional) To use containers from any SSH client, add to ~/.ssh/config:"
+        sub.green(
+            "\n(Optional) To use containers from any SSH client, add to ~/.ssh/config:"
         )
-        out.green(f"      Include {ssh_cfg}")
+        sub.green(f"    Include {ssh_cfg}")
 
     # Optionally run cmdeploy run on each relay
     if args.run:
         for ct in relays:
-            with _section(out, f"cmdeploy run: {ct.sname} ({ct.domain})"):
-                ret = _run_cmdeploy("run", ct, ix, extra=["--skip-dns-check"])
+            with out.section(f"cmdeploy run: {ct.sname} ({ct.domain})"):
+                ret = _run_cmdeploy("run", ct, ix, out, extra=["--skip-dns-check"])
                 if ret:
                     out.red(f"Deploy to {ct.sname} failed (exit {ret})")
                     return ret
@@ -142,7 +149,7 @@ def lxc_stop_cmd_options(parser):
 
 def lxc_stop_cmd(args, out):
     """Stop (and optionally destroy) local LXC relay containers."""
-    ix = Incus()
+    ix = Incus(out)
     names = args.names or RELAY_NAMES
     destroy = args.destroy or args.destroy_all
 
@@ -186,7 +193,7 @@ def lxc_test_cmd(args, out):
     All commands run directly on the host using
     ``--ssh-config lxconfigs/ssh-config`` for SSH access.
     """
-    ix = Incus()
+    ix = Incus(out)
     t_total = time.time()
     relay_names = list(RELAY_NAMES)
     if args.one:
@@ -201,59 +208,64 @@ def lxc_test_cmd(args, out):
     for ct in map(ix.get_container, relay_names):
         name = ct.sname
         ipv4_only = ipv4_only_flags.get(name, False)
-        label = "IPv4-only" if ipv4_only else "dual-stack"
-
-        with _section(out, f"LXC: lxc-start {name} ({label})"):
-            args.names = [name]
-            args.ipv4_only = ipv4_only
-            args.run = False
-            ret = lxc_start_cmd(args, out)
+        v_flag = " -" + "v" * out.verbosity if out.verbosity > 0 else ""
+        start_cmd = f"cmdeploy{v_flag} lxc-start {name}"
+        if ipv4_only:
+            start_cmd += " --ipv4-only"
+        with out.section(f"cmdeploy lxc-start: {name}"):
+            ret = out.shell(start_cmd, cwd=str(ix.project_root))
             if ret:
                 return ret
 
         status = _deploy_status(ct, local_hash, ix)
-        if "IN-SYNC" in status:
-            _section_line(out, f"cmdeploy run: {name} — {status}, skipping")
-        else:
-            with _section(out, f"cmdeploy run: {name} ({ct.domain})"):
-                ret = _run_cmdeploy("run", ct, ix, extra=["--skip-dns-check"])
+        with out.section(f"cmdeploy run: {name}"):
+            if "IN-SYNC" in status:
+                out.print(f"{name} is {status}, skipping")
+            else:
+                ret = _run_cmdeploy("run", ct, ix, out, extra=["--skip-dns-check"])
                 if ret:
                     out.red(f"Deploy to {name} failed (exit {ret})")
                     return ret
 
         # Snapshot the first relay so subsequent ones launch pre-deployed
         if not ix.find_relay_image():
-            with _section(out, "LXC: publishing relay image"):
+            with out.section("lxc-test: caching relay image"):
                 ct.publish_as_relay_image()
 
     for ct in map(ix.get_container, relay_names):
-        with _section(out, f"cmdeploy dns: {ct.sname} ({ct.domain})"):
-            ret = _run_cmdeploy("dns", ct, ix, extra=["--zonefile", str(ct.zone)])
+        with out.section(f"cmdeploy dns: {ct.sname} ({ct.domain})"):
+            ret = _run_cmdeploy("dns", ct, ix, out, extra=["--zonefile", str(ct.zone)])
             if ret:
                 out.red(f"DNS for {ct.sname} failed (exit {ret})")
                 return ret
 
-    with _section(out, "LXC: PowerDNS zone update"):
+    with out.section(f"lxc-test: loading DNS zones {' & '.join(relay_names)}"):
         dns_ct = ix.get_dns_container()
         for ct in map(ix.get_container, relay_names):
             if ct.zone.exists():
                 zone_data = ct.zone.read_text()
-                print(f"  Loading {ct.zone} into PowerDNS ...")
+                out.print(f"Loading {ct.zone} into PowerDNS ...")
                 dns_ct.set_dns_records(zone_data)
 
-    with _section(out, "cmdeploy test"):
+    with out.section("cmdeploy test"):
         first = ix.get_container(relay_names[0])
         env = None
         if len(relay_names) > 1:
             env = os.environ.copy()
             env["CHATMAIL_DOMAIN2"] = ix.get_container(relay_names[1]).domain
-        ret = _run_cmdeploy("test", first, ix, **({"env": env} if env else {}))
+        ret = _run_cmdeploy("test", first, ix, out, **({"env": env} if env else {}))
         if ret:
             out.red(f"Tests failed (exit {ret})")
             return ret
 
     elapsed = time.time() - t_total
-    _section_line(out, f"lxc-test complete ({elapsed:.1f}s)")
+    out.section_line(f"lxc-test complete ({elapsed:.1f}s)")
+    if out.section_timings:
+        out.print("Section timings:")
+        for name, secs in out.section_timings:
+            out.print(f"  {name:.<50s} {secs:5.1f}s")
+        out.print(f"  {'total':.<50s} {elapsed:5.1f}s")
+    out.section_timings.clear()
     return 0
 
 
@@ -268,7 +280,7 @@ def lxc_status_cmd_options(parser):
 
 def lxc_status_cmd(args, out):
     """Show status of local LXC chatmail containers."""
-    ix = Incus()
+    ix = Incus(out)
     containers = ix.list_managed()
     if not containers:
         out.red("No LXC containers found.  Run 'cmdeploy lxc-start' first.")
@@ -281,23 +293,24 @@ def lxc_status_cmd(args, out):
     data = ix.run_json(["storage", "show", "default"], check=False)
     if data:
         storage_path = data.get("config", {}).get("source")
+    msg = "Container status"
     if storage_path:
-        out.green(f"Containers: ({storage_path})")
-    else:
-        out.green("Containers:")
+        msg += f": {storage_path}"
+    out.section_line(msg)
 
     dns_ip = None
     for c in containers:
-        _print_container_status(c, ix, local_hash)
+        _print_container_status(out, c, ix, local_hash)
         if c["name"] == ix.get_dns_container().name:
             dns_ip = c["ip"]
 
+    out.section_line("Host ssh and DNS configuration")
     _print_ssh_status(out, ix)
     _print_dns_forwarding_status(out, dns_ip)
     return 0
 
 
-def _print_container_status(c, ix, local_hash):
+def _print_container_status(out, c, ix, local_hash):
     """Print name/status, domain/IPs, and RAM for one container."""
     cname = c["name"]
     is_running = c.get("status") == "Running"
@@ -310,16 +323,16 @@ def _print_container_status(c, ix, local_hash):
         tag = "running"
     else:
         tag = f"running {_deploy_status(ct, local_hash, ix)}"
-    print(f"  {cname:20s} {tag}")
+    out.print(f"{cname:20s} {tag}")
 
     # Second line: domain, IPv4, IPv6
     domain = c.get("domain", "")
     ip = c.get("ip") or "?"
     ipv6 = c.get("ipv6")
-    print(f"  {domain:20s} {_format_addrs(ip, ipv6)}")
+    out.print(f"{domain:20s} {_format_addrs(ip, ipv6)}")
 
     # Third line: RAM (RSS), config
-    indent = " " * 21
+    detail_out = out.new_prefixed_out(" " * 21)
     try:
         used, total = ct.rss_mib()
     except Exception:
@@ -332,41 +345,42 @@ def _print_container_status(c, ix, local_hash):
     else:
         detail = ram_str
 
-    print(f"  {indent}{detail}")
-    print()
+    detail_out.print(detail)
+    out.print()
 
 
 def _print_ssh_status(out, ix):
     """Print SSH integration status."""
-    print()
     ssh_cfg = ix.ssh_config_path
     if ix.check_ssh_include():
         out.green("SSH: ~/.ssh/config includes lxconfigs/ssh-config ✓")
     else:
         out.red("SSH: ~/.ssh/config does NOT include lxconfigs/ssh-config")
-        print("  Add to ~/.ssh/config:")
-        print(f"      Include {ssh_cfg}")
+        sub = out.new_prefixed_out()
+        sub.print("Add to ~/.ssh/config:")
+        sub.print(f"    Include {ssh_cfg}")
 
 
 def _print_dns_forwarding_status(out, dns_ip):
     """Print host DNS forwarding status for .localchat."""
+    sub = out.new_prefixed_out()
     if not dns_ip:
         out.red("DNS: ns-localchat container not found")
         return
     try:
-        rv = shell("resolvectl status incusbr0", timeout=5)
+        rv = shell("resolvectl status incusbr0")
         dns_ok = dns_ip in rv.stdout and "localchat" in rv.stdout
-    except (FileNotFoundError, subprocess.TimeoutExpired, OSError):
+    except Exception:
         dns_ok = None
     if dns_ok is True:
         out.green(f"DNS: .localchat forwarding to {dns_ip} ✓")
     elif dns_ok is False:
         out.red("DNS: .localchat forwarding NOT configured")
-        print("  Run:")
-        print(f"      sudo resolvectl dns incusbr0 {dns_ip}")
-        print("      sudo resolvectl domain incusbr0 ~localchat")
+        sub.print("Run:")
+        sub.print(f"    sudo resolvectl dns incusbr0 {dns_ip}")
+        sub.print("    sudo resolvectl domain incusbr0 ~localchat")
     else:
-        print("  DNS: .localchat forwarding status UNKNOWN")
+        sub.print("DNS: .localchat forwarding status UNKNOWN")
 
 
 # -------------------------------------------------------------------
@@ -381,26 +395,6 @@ def _format_addrs(ip, ipv6=None):
     return ", ".join(parts)
 
 
-SECTION_WIDTH = 72
-
-
-@contextmanager
-def _section(out, title):
-    bar = "\u2501" * (SECTION_WIDTH - len(title) - 5)
-    out.green(f"\u2501\u2501\u2501 {title} {bar}")
-    t0 = time.time()
-    yield
-    elapsed = time.time() - t0
-    print(f"{'':>{SECTION_WIDTH - 10}}({elapsed:.1f}s)")
-    print()
-
-
-def _section_line(out, title):
-    bar = "\u2501" * (SECTION_WIDTH - len(title) - 5)
-    out.green(f"\u2501\u2501\u2501 {title} {bar}")
-    print()
-
-
 def _deploy_status(ct, local_hash, ix):
     """Return a human-readable deploy status string.
 
@@ -446,15 +440,16 @@ def _add_name_args(parser, help_text=None):
     )
 
 
-def _run_cmdeploy(subcmd, ct, ix, extra=None, **kwargs):
+def _run_cmdeploy(subcmd, ct, ix, out, extra=None, **kwargs):
     """Run ``cmdeploy <subcmd>`` with standard --config/--ssh flags.
 
     *ct* is a Container (uses ``ct.ini`` and ``ct.domain``).
     Returns the subprocess exit code.
     """
     extra_str = " ".join(extra) if extra else ""
+    v_flag = " -" + "v" * out.verbosity if out.verbosity > 0 else ""
     cmd = f"""\
-        cmdeploy {subcmd}
+        cmdeploy{v_flag} {subcmd}
         --config {ct.ini}
         --ssh-config {ix.ssh_config_path}
         --ssh-host {ct.domain}
@@ -462,6 +457,4 @@ def _run_cmdeploy(subcmd, ct, ix, extra=None, **kwargs):
     """
     if "cwd" not in kwargs:
         kwargs["cwd"] = str(ix.project_root)
-    cmd = collapse(cmd)
-    print(f"  [$ {cmd}]")
-    return shell(cmd, capture_output=False, **kwargs).returncode
+    return out.shell(cmd, **kwargs)
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 391c8b517..61abe0f1f 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -47,7 +47,8 @@ class Incus:
     all modules share a single entry point for Incus interactions.
     """
 
-    def __init__(self):
+    def __init__(self, out):
+        self.out = out
         self.project_root = Path(__file__).resolve().parent.parent.parent.parent.parent
         self.lxconfigs_dir = self.project_root / "lxconfigs"
         self.lxconfigs_dir.mkdir(exist_ok=True)
@@ -98,15 +99,58 @@ def check_ssh_include(self):
         return f"Include {self.ssh_config_path}" in lines
 
     def run(self, args, check=True, capture=True, input=None):
-        """Run an incus command."""
+        """Run an incus command.
+
+        When *capture* is True and *verbosity* >= 1, output is streamed
+        to the terminal line-by-line while also being captured for
+        later return via result.stdout.
+        """
         cmd = ["incus"] + list(args)
-        kwargs = dict(check=check, text=True, input=input)
-        if capture:
-            kwargs["capture_output"] = True
-        else:
-            kwargs["stdout"] = None
-            kwargs["stderr"] = None
-        return subprocess.run(cmd, **kwargs)  # noqa: PLW1510
+        sub = self.out.new_prefixed_out("  ")
+
+        if not capture:
+            # Simple case: let subprocess handle streams (no capture)
+            if self.out.verbosity >= 1:
+                sub.print(f"$ {' '.join(cmd)}")
+            return subprocess.run(
+                cmd, text=True, input=input, check=check, stdout=None, stderr=None
+            )
+
+        # Capture case: we may need to stream while capturing
+        if sub.verbosity >= 1:
+            cmd_lines = " ".join(cmd).splitlines()
+            sub.print(f"$ {cmd_lines.pop(0)}")
+            if sub.verbosity >= 2:
+                for line in cmd_lines:
+                    sub.print(f"  {line}")
+
+        proc = subprocess.Popen(
+            cmd,
+            text=True,
+            stdin=subprocess.PIPE if input else None,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        )
+
+        stdout_lines = []
+        if input:
+            proc.stdin.write(input)
+            proc.stdin.close()
+
+        for line in proc.stdout:
+            stdout_lines.append(line)
+            if sub.verbosity >= 2:
+                sub.print(f"  > {line.rstrip()}")
+
+        ret = proc.wait()
+        stdout = "".join(stdout_lines)
+        if check and ret != 0:
+            for line in stdout.splitlines():
+                if sub.verbosity < 1:  # and we haven't printed it yet
+                    sub.red(line)
+            raise subprocess.CalledProcessError(ret, cmd, output=stdout)
+
+        return subprocess.CompletedProcess(cmd, ret, stdout=stdout)
 
     def run_json(self, args, check=True):
         """Run an incus command with ``--format=json``.
@@ -186,9 +230,10 @@ def ensure_base_image(self):
         Returns the image alias.
         """
         if self._find_image(BASE_IMAGE_ALIAS):
+            self.out.print(f"  Base image '{BASE_IMAGE_ALIAS}' already cached.")
             return BASE_IMAGE_ALIAS
 
-        print("  Building base image (one-time setup) ...")
+        self.out.print("  Building base image (one-time setup) ...")
 
         self.run(["delete", BASE_SETUP_NAME, "--force"], check=False)
         self.run(["image", "delete", BASE_IMAGE_ALIAS], check=False)
@@ -214,7 +259,7 @@ def ensure_base_image(self):
         self.run(["stop", BASE_SETUP_NAME])
         self.run(["publish", BASE_SETUP_NAME, f"--alias={BASE_IMAGE_ALIAS}"])
         self.run(["delete", BASE_SETUP_NAME, "--force"])
-        print(f"  Base image '{BASE_IMAGE_ALIAS}' ready.")
+        self.out.print(f"  Base image '{BASE_IMAGE_ALIAS}' ready.")
         return BASE_IMAGE_ALIAS
 
     def get_container(self, name):
@@ -239,6 +284,7 @@ class Container:
 
     def __init__(self, incus, name, domain=None, memory="100MiB"):
         self.incus = incus
+        self.out = incus.out
         self.name = name
         self.domain = domain or f"{name}{DOMAIN_SUFFIX}"
         self.memory = memory
@@ -251,7 +297,8 @@ def bash(self, script, check=True):
         *script* is dedented and stripped so callers can use triple-quoted strings.
         When *check* is False, returns *None* on non-zero exit instead of raising.
         """
-        cmd = ["exec", self.name, "--", "bash", "-ec", textwrap.dedent(script).strip()]
+        script = textwrap.dedent(script).strip()
+        cmd = ["exec", self.name, "--", "bash", "-ec", script]
         return self.incus.run_output(cmd, check=check)
 
     def run_cmd(self, *args, check=True):
@@ -276,7 +323,7 @@ def stop(self, force=False):
     def launch(self):
         """Launch from the best available image, return the alias used."""
         image = self.incus.find_relay_image() or self.incus.ensure_base_image()
-        print(f"  Launching from '{image}' image ...")
+        self.out.print(f"  Launching from '{image}' image ...")
         cfg = []
         cfg += ("-c", f"{LABEL_KEY}=true")
         cfg += ("-c", f"user.localchat-domain={self.domain}")
@@ -407,17 +454,18 @@ def configure_hosts(self, ip):
     def publish_as_relay_image(self):
         """Publish this container as a reusable relay image.
 
-        Stops the container, publishes it as 'localchat-relay',
-        then restarts it.
+        Stops the container, 'publishes' it as 'localchat-relay', then restarts it.
         """
         if self.incus.find_relay_image():
             return
-        print(f"  Publishing {self.name!r} as '{RELAY_IMAGE_ALIAS}' image ...")
+        self.out.print(
+            f"  Locally caching {self.name!r} as '{RELAY_IMAGE_ALIAS}' image ..."
+        )
         self.incus.run(
             ["publish", self.name, f"--alias={RELAY_IMAGE_ALIAS}", "--force"]
         )
         self.wait_ready()
-        print(f"  Relay image '{RELAY_IMAGE_ALIAS}' ready.")
+        self.out.print(f"  Relay image '{RELAY_IMAGE_ALIAS}' ready.")
 
     def deployed_version(self):
         """Read /etc/chatmail-version, or None if absent."""
@@ -611,7 +659,7 @@ def reset_dns_records(self, dns_ip, domains):
         for d in domains:
             domain = d["domain"]
             ip = d["ip"]
-            print(f"  {domain} -> {ip}")
+            self.out.print(f"  {domain} -> {ip}")
 
             # Delete and recreate zone fresh (removes stale records)
             self.pdnsutil("delete-zone", domain, check=False)
@@ -628,11 +676,11 @@ def reset_dns_records(self, dns_ip, domains):
             ipv6 = d.get("ipv6")
             if ipv6:
                 self.replace_rrset(domain, ".", "AAAA", "3600", ipv6)
-                print(f"    zone reset: SOA, NS, A, AAAA  ({ip}, {ipv6})")
+                self.out.print(f"    zone reset: SOA, NS, A, AAAA  ({ip}, {ipv6})")
             else:
                 # Remove any stale AAAA record
                 self.pdnsutil("delete-rrset", domain, ".", "AAAA", check=False)
-                print(f"    zone reset: SOA, NS, A  ({ip}, IPv4-only)")
+                self.out.print(f"    zone reset: SOA, NS, A  ({ip}, IPv4-only)")
 
         self.restart_services()
 
diff --git a/cmdeploy/src/cmdeploy/tests/test_lxc.py b/cmdeploy/src/cmdeploy/tests/test_lxc.py
index cf156b613..c9f402496 100644
--- a/cmdeploy/src/cmdeploy/tests/test_lxc.py
+++ b/cmdeploy/src/cmdeploy/tests/test_lxc.py
@@ -8,6 +8,7 @@
 
 from cmdeploy.lxc import cli
 from cmdeploy.lxc.incus import Incus
+from cmdeploy.util import Out
 
 pytestmark = pytest.mark.skipif(
     not shutil.which("incus"),
@@ -22,12 +23,14 @@
 
 @pytest.fixture
 def ix():
-    return Incus()
+    out = Out()
+    return Incus(out)
 
 
 @pytest.fixture(scope="session")
 def lxc_setup():
-    ix = Incus()
+    out = Out()
+    ix = Incus(out)
     ix.get_dns_container().ensure()
     return ix.list_managed()
 
@@ -126,7 +129,7 @@ def test_cli_lxc_status_help(self, cmdeploy):
         assert "status" in result.stdout.lower()
 
     def test_shows_containers(self, lxc_setup, capsys):
-        class QuietOut:
+        class QuietOut(Out):
             def red(self, msg, **kw):
                 pass
 
diff --git a/cmdeploy/src/cmdeploy/tests/test_util.py b/cmdeploy/src/cmdeploy/tests/test_util.py
index e2fa45d95..b1f22ef2b 100644
--- a/cmdeploy/src/cmdeploy/tests/test_util.py
+++ b/cmdeploy/src/cmdeploy/tests/test_util.py
@@ -1,4 +1,71 @@
-from cmdeploy.util import collapse, get_git_hash, get_version_string, shell
+import sys
+
+from cmdeploy.util import Out, collapse, get_git_hash, get_version_string, shell
+
+
+class TestOut:
+    def test_prefix_default(self, capsys):
+        out = Out()
+        out.print("hello")
+        assert capsys.readouterr().out == "hello\n"
+
+    def test_prefix_custom(self, capsys):
+        out = Out(prefix=">> ")
+        out.print("hello")
+        assert capsys.readouterr().out == ">> hello\n"
+
+    def test_prefix_print_file(self):
+        import io
+
+        buf = io.StringIO()
+        out = Out(prefix=":: ")
+        out.print("msg", file=buf)
+        assert ":: msg" in buf.getvalue()
+
+    def test_new_prefixed_out(self, capsys):
+        parent = Out(prefix="A")
+        child = parent.new_prefixed_out("B")
+        child.print("x")
+        assert capsys.readouterr().out == "ABx\n"
+        # shares section_timings
+        assert child.section_timings is parent.section_timings
+
+    def test_section_no_auto_indent(self, capsys):
+        out = Out(prefix="")
+        with out.section("test"):
+            out.print("inside")
+        captured = capsys.readouterr().out
+        # "inside" should NOT be indented by section()
+        lines = captured.strip().splitlines()
+        inside_line = [l for l in lines if "inside" in l][0]
+        assert inside_line == "inside"
+
+    def test_section_records_timing(self):
+        out = Out()
+        with out.section("s1"):
+            pass
+        assert len(out.section_timings) == 1
+        assert out.section_timings[0][0] == "s1"
+
+    def test_shell_failure_shows_output(self):
+        """When a shell command fails, its output and exit code are shown."""
+        import subprocess
+
+        result = subprocess.run(
+            [
+                sys.executable,
+                "-c",
+                "from cmdeploy.util import Out; Out(prefix='').shell("
+                "\"echo 'boom on stderr' >&2; exit 42\")",
+            ],
+            capture_output=True,
+            text=True,
+            check=False,
+        )
+        # the command's stderr is merged into stdout by Popen
+        assert "boom on stderr" in result.stdout
+        # Out.red() prints the failure notice to stderr
+        assert "exit code 42" in result.stderr
 
 
 def test_collapse():
diff --git a/cmdeploy/src/cmdeploy/util.py b/cmdeploy/src/cmdeploy/util.py
index ed70236d1..3832202ba 100644
--- a/cmdeploy/src/cmdeploy/util.py
+++ b/cmdeploy/src/cmdeploy/util.py
@@ -1,9 +1,108 @@
 """Shared utility functions for cmdeploy."""
 
+import os
+import shutil
 import subprocess
+import sys
 import textwrap
+import time
+from contextlib import contextmanager
 from pathlib import Path
 
+from termcolor import colored
+
+
+class Out:
+    """Convenience output printer providing coloring and section formatting."""
+
+    def __init__(self, sepchar="\u2501", prefix="", verbosity=0):
+        self.section_timings = []
+        self.prefix = prefix
+        self.sepchar = sepchar
+        self.verbosity = verbosity
+        env_width = os.environ.get("_CMDEPLOY_WIDTH")
+        if env_width:
+            self.section_width = int(env_width)
+        else:
+            self.section_width = shutil.get_terminal_size((80, 24)).columns
+
+    def new_prefixed_out(self, newprefix="  "):
+        """Return a new Out with an extended prefix,
+        sharing section_timings with the parent.
+        """
+        out = Out(
+            sepchar=self.sepchar,
+            prefix=self.prefix + newprefix,
+            verbosity=self.verbosity,
+        )
+        out.section_timings = self.section_timings
+        return out
+
+    def red(self, msg, file=sys.stderr):
+        print(colored(self.prefix + msg, "red"), file=file, flush=True)
+
+    def green(self, msg, file=sys.stderr):
+        print(colored(self.prefix + msg, "green"), file=file, flush=True)
+
+    def print(self, msg="", **kwargs):
+        """Print to stdout with automatic flush."""
+        if msg:
+            msg = self.prefix + msg
+        print(msg, flush=True, **kwargs)
+
+    def _format_header(self, title):
+        """Return a formatted section header string."""
+        width = self.section_width - len(self.prefix)
+        bar = self.sepchar * (width - len(title) - 5)
+        return f"{self.sepchar * 3} {title} {bar}"
+
+    @contextmanager
+    def section(self, title):
+        """Context manager that prints a section header and records elapsed time."""
+        self.green(self._format_header(title))
+        t0 = time.time()
+        yield
+        elapsed = time.time() - t0
+        self.section_timings.append((title, elapsed))
+
+    def section_line(self, title):
+        """Print a section header without timing."""
+        self.green(self._format_header(title))
+
+    def shell(self, cmd, quiet=False, **kwargs):
+        """Print *cmd*, run it, and re-print its output with the current prefix.
+
+        *cmd* is passed through :func:`collapse`, so callers
+        can use triple-quoted f-strings freely.
+        Stdout and stderr are merged, read line-by-line,
+        and each line is printed with ``self.prefix`` prepended.
+        When the command exits non-zero, a red error line is printed.
+        """
+        cmd = collapse(cmd)
+        if not quiet:
+            self.print(f"$ {cmd}")
+        indent = self.prefix + "  "
+        env = kwargs.pop("env", None)
+        if env is None:
+            env = os.environ.copy()
+        env["_CMDEPLOY_WIDTH"] = str(self.section_width - len(indent))
+        proc = subprocess.Popen(
+            cmd,
+            shell=True,
+            text=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            env=env,
+            **kwargs,
+        )
+        for line in proc.stdout:
+            sys.stdout.write(indent + line)
+            sys.stdout.flush()
+        ret = proc.wait()
+        if ret:
+            self.red(f"command failed with exit code {ret}: {cmd}")
+        return ret
+
 
 def _project_root():
     """Return the project root directory."""

From 62fe113b590e27a023842a83aa11d4c755557b40 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:07:56 +0100
Subject: [PATCH 11/31] lxc: extract blocked_service_startup() context manager
 into basedeploy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move the policy-rc.d install/remove boilerplate into a shared context
manager in basedeploy.py so both UnboundDeployer and DovecotDeployer use
the same abstraction, and the DNS container's _install_powerdns() inline
shell uses the same pattern.

DovecotDeployer now wraps its three package installs in
blocked_service_startup() to prevent Dovecot from auto-starting on
initial install — avoiding bind conflicts on IPv4-only systems.
---
 cmdeploy/src/cmdeploy/basedeploy.py       | 23 ++++++++++++++
 cmdeploy/src/cmdeploy/deployers.py        | 38 +++++++----------------
 cmdeploy/src/cmdeploy/dovecot/deployer.py |  9 ++++--
 cmdeploy/src/cmdeploy/lxc/incus.py        |  9 ++++++
 4 files changed, 49 insertions(+), 30 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/basedeploy.py b/cmdeploy/src/cmdeploy/basedeploy.py
index 45654c27e..732ed0490 100644
--- a/cmdeploy/src/cmdeploy/basedeploy.py
+++ b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -1,6 +1,7 @@
 import importlib.resources
 import io
 import os
+from contextlib import contextmanager
 
 from pyinfra.operations import files, server, systemd
 
@@ -10,6 +11,28 @@ def has_systemd():
     return os.path.isdir("/run/systemd/system")
 
 
+@contextmanager
+def blocked_service_startup():
+    """Prevent services from auto-starting during package installation.
+
+    Installs a ``/usr/sbin/policy-rc.d`` that exits 101, blocking any
+    service from being started by the package manager.  This avoids bind
+    conflicts and CPU/RAM spikes during initial setup.  The file is removed
+    when the context exits.
+    """
+    # For documentation about policy-rc.d, see:
+    # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
+    files.put(
+        src=get_resource("policy-rc.d"),
+        dest="/usr/sbin/policy-rc.d",
+        user="root",
+        group="root",
+        mode="755",
+    )
+    yield
+    files.file("/usr/sbin/policy-rc.d", present=False)
+
+
 def get_resource(arg, pkg=__package__):
     return importlib.resources.files(pkg).joinpath(arg)
 
diff --git a/cmdeploy/src/cmdeploy/deployers.py b/cmdeploy/src/cmdeploy/deployers.py
index db952e8b4..b259c9681 100644
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -22,6 +22,7 @@
     Deployer,
     Deployment,
     activate_remote_units,
+    blocked_service_startup,
     configure_remote_units,
     get_resource,
     has_systemd,
@@ -148,33 +149,16 @@ def __init__(self, config):
         self.need_restart = False
 
     def install(self):
-        # Run local DNS resolver `unbound`.
-        # `resolvconf` takes care of setting up /etc/resolv.conf
-        # to use 127.0.0.1 as the resolver.
-
-        #
-        # On an IPv4-only system, if unbound is started but not
-        # configured, it causes subsequent steps to fail to resolve hosts.
-        # Here, we use policy-rc.d to prevent unbound from starting up
-        # on initial install.  Later, we will configure it and start it.
-        #
-        # For documentation about policy-rc.d, see:
-        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
-        #
-        files.put(
-            src=get_resource("policy-rc.d"),
-            dest="/usr/sbin/policy-rc.d",
-            user="root",
-            group="root",
-            mode="755",
-        )
-
-        apt.packages(
-            name="Install unbound",
-            packages=["unbound", "unbound-anchor", "dnsutils"],
-        )
-
-        files.file("/usr/sbin/policy-rc.d", present=False)
+        # Run local DNS resolver `unbound`. `resolvconf` takes care of
+        # setting up /etc/resolv.conf to use 127.0.0.1 as the resolver.
+
+        # On an IPv4-only system, if unbound is started but not configured,
+        # it causes subsequent steps to fail to resolve hosts.
+        with blocked_service_startup():
+            apt.packages(
+                name="Install unbound",
+                packages=["unbound", "unbound-anchor", "dnsutils"],
+            )
 
     def configure(self):
         server.shell(
diff --git a/cmdeploy/src/cmdeploy/dovecot/deployer.py b/cmdeploy/src/cmdeploy/dovecot/deployer.py
index ad4c7c1d0..076278887 100644
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -10,6 +10,7 @@
 from cmdeploy.basedeploy import (
     Deployer,
     activate_remote_units,
+    blocked_service_startup,
     configure_remote_units,
     get_resource,
     has_systemd,
@@ -28,9 +29,11 @@ def install(self):
         arch = host.get_fact(Arch)
         if has_systemd() and "dovecot.service" in host.get_fact(SystemdEnabled):
             return  # already installed and running
-        _install_dovecot_package("core", arch)
-        _install_dovecot_package("imapd", arch)
-        _install_dovecot_package("lmtpd", arch)
+
+        with blocked_service_startup():
+            _install_dovecot_package("core", arch)
+            _install_dovecot_package("imapd", arch)
+            _install_dovecot_package("lmtpd", arch)
 
     def configure(self):
         configure_remote_units(self.config.mail_domain, self.units)
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 61abe0f1f..baf8e303d 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -605,9 +605,18 @@ def _install_powerdns(self):
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
             echo 'nameserver 9.9.9.9' > /etc/resolv.conf
+
+            # Block automatic service startup during package installation
+            printf '#!/bin/sh\\nexit 101\\n' > /usr/sbin/policy-rc.d
+            chmod +x /usr/sbin/policy-rc.d
+
             apt-get -o DPkg::Lock::Timeout=60 update
             DEBIAN_FRONTEND=noninteractive apt-get install -y \
                 pdns-server pdns-backend-sqlite3 sqlite3 pdns-recursor dnsutils
+
+            # Remove the startup block
+            rm /usr/sbin/policy-rc.d
+
             systemctl stop pdns pdns-recursor || true
             mkdir -p /var/lib/powerdns
             sqlite3 /var/lib/powerdns/pdns.sqlite3 \

From 405dc2d1eedf7788c07535fcab342bbda2a1078f Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:08:05 +0100
Subject: [PATCH 12/31] lxc: simplify to a single find_image(aliases) method

Replace the two-function find_relay_image / _find_relay_image pair
with Incus.find_image(aliases), which returns the first alias
that exists in the local image store, or None.

Container.launch() passes [RELAY_IMAGE_ALIAS, BASE_IMAGE_ALIAS]
and ensure_base_image() passes [BASE_IMAGE_ALIAS].
---
 cmdeploy/src/cmdeploy/lxc/cli.py   |  4 ++--
 cmdeploy/src/cmdeploy/lxc/incus.py | 37 ++++++++++++++----------------
 doc/source/lxc.rst                 |  1 -
 3 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index c4569d153..f22bed960 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -4,7 +4,7 @@
 import time
 
 from ..util import get_git_hash, get_version_string, shell
-from .incus import Incus, RelayContainer
+from .incus import RELAY_IMAGE_ALIAS, Incus, RelayContainer
 
 RELAY_NAMES = ("test0", "test1")
 
@@ -228,7 +228,7 @@ def lxc_test_cmd(args, out):
                     return ret
 
         # Snapshot the first relay so subsequent ones launch pre-deployed
-        if not ix.find_relay_image():
+        if not ix.find_image([RELAY_IMAGE_ALIAS]):
             with out.section("lxc-test: caching relay image"):
                 ct.publish_as_relay_image()
 
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index baf8e303d..a2fa6a2a9 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -178,19 +178,15 @@ def run_output(self, args, check=True):
             return None
         return result.stdout.strip()
 
-    def _find_image(self, alias):
-        """Return *alias* if an image with that alias exists, else None."""
+    def find_image(self, aliases):
+        """Return the first alias from *aliases* that exists, else None."""
         images = self.run_json(["image", "list"], check=False) or []
-        for img in images:
-            for a in img.get("aliases", []):
-                if a.get("name") == alias:
-                    return alias
+        existing = {a.get("name") for img in images for a in img.get("aliases", [])}
+        for alias in aliases:
+            if alias in existing:
+                return alias
         return None
 
-    def find_relay_image(self):
-        """Return the relay image alias if it exists, else None."""
-        return self._find_image(RELAY_IMAGE_ALIAS)
-
     def delete_images(self):
         """Delete the cached base and relay images."""
         for alias in (RELAY_IMAGE_ALIAS, BASE_IMAGE_ALIAS):
@@ -229,7 +225,7 @@ def ensure_base_image(self):
         slow apt-get install step.
         Returns the image alias.
         """
-        if self._find_image(BASE_IMAGE_ALIAS):
+        if self.find_image([BASE_IMAGE_ALIAS]):
             self.out.print(f"  Base image '{BASE_IMAGE_ALIAS}' already cached.")
             return BASE_IMAGE_ALIAS
 
@@ -282,7 +278,7 @@ def get_dns_container(self):
 class Container:
     """The base container handle wraps all interactions with incus."""
 
-    def __init__(self, incus, name, domain=None, memory="100MiB"):
+    def __init__(self, incus, name, domain=None, memory="200MiB"):
         self.incus = incus
         self.out = incus.out
         self.name = name
@@ -322,7 +318,12 @@ def stop(self, force=False):
 
     def launch(self):
         """Launch from the best available image, return the alias used."""
-        image = self.incus.find_relay_image() or self.incus.ensure_base_image()
+        image = self.incus.find_image([RELAY_IMAGE_ALIAS, BASE_IMAGE_ALIAS])
+        if not image:
+            raise RuntimeError(
+                f"No base image '{BASE_IMAGE_ALIAS}' found. "
+                "Call ensure_base_image() before launching containers."
+            )
         self.out.print(f"  Launching from '{image}' image ...")
         cfg = []
         cfg += ("-c", f"{LABEL_KEY}=true")
@@ -412,7 +413,7 @@ def __init__(self, incus, name):
             incus,
             f"{name}-localchat",
             domain=f"_{name}{DOMAIN_SUFFIX}",
-            memory="500MiB",
+            memory="600MiB",
         )
         self.sname = name
         self.ini = incus.lxconfigs_dir / f"chatmail-{name}.ini"
@@ -456,7 +457,7 @@ def publish_as_relay_image(self):
 
         Stops the container, 'publishes' it as 'localchat-relay', then restarts it.
         """
-        if self.incus.find_relay_image():
+        if self.incus.find_image([RELAY_IMAGE_ALIAS]):
             return
         self.out.print(
             f"  Locally caching {self.name!r} as '{RELAY_IMAGE_ALIAS}' image ..."
@@ -484,11 +485,7 @@ def verify_ssh(self, ssh_config):
         return shell(cmd, timeout=15).returncode == 0
 
     def configure_dns(self, dns_ip):
-        """Point this container's resolver at *dns_ip* and verify it works.
-
-        Disables systemd-resolved, writes a static /etc/resolv.conf,
-        and configures unbound to forward .localchat queries to *dns_ip*.
-        """
+        """Point this container's resolver at *dns_ip* and verify it works."""
         self.bash(f"""\
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index 066624625..da0a8fab6 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -228,7 +228,6 @@ The Incus image store retains the following snapshot images:
   cached after the first successful ``cmdeploy run``.
   Subsequent relay containers launch from this image
   so the deploy step is mostly no-ops (roughly 3× faster than a fresh deploy).
-  Relay containers are limited to **500 MiB RAM** and the DNS container to **100 MiB**.
 
 
 .. _lxc-tls:

From 783904f244c342b2c0131a4797f0cdc15ad20258 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:12:49 +0100
Subject: [PATCH 13/31] lxc: code cleanup and docs polish from review

Code:
- Fix check_ssh_config_include() to do a case-insensitive line match
  (read_text().splitlines() instead of filter(None, map(..., open()))).
- Drop the default help_text= from _add_name_args(); callers now must
  supply an explicit string.
- Expand the DNSContainer class docstring.
- Fix sysctl comment: note that incus provides net.* virtualization
  so the sysctl only affects the container's network namespace.

Docs (doc/source/lxc.rst):
- Remove double blank line after page title; fix missing comma.
- Replace the plain-text root-access note with a .. caution:: block.
- Tighten the Quick-start section and lxc-test CLI entry.
---
 cmdeploy/src/cmdeploy/lxc/cli.py        | 10 +----
 cmdeploy/src/cmdeploy/lxc/incus.py      | 18 ++++++---
 cmdeploy/src/cmdeploy/tests/test_lxc.py |  2 +-
 doc/source/lxc.rst                      | 50 +++++++++++--------------
 4 files changed, 36 insertions(+), 44 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index f22bed960..5dc098d02 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -430,14 +430,8 @@ def _deploy_status(ct, local_hash, ix):
     return f"IN-SYNC ({short})"
 
 
-def _add_name_args(parser, help_text=None):
-    """Add optional positional NAME arguments."""
-    parser.add_argument(
-        "names",
-        nargs="*",
-        metavar="NAME",
-        help=help_text or "Relay name(s) to operate on.",
-    )
+def _add_name_args(parser, help_text):
+    parser.add_argument("names", nargs="*", metavar="NAME", help=help_text)
 
 
 def _run_cmdeploy(subcmd, ct, ix, out, extra=None, **kwargs):
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index a2fa6a2a9..97f2c661d 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -95,8 +95,9 @@ def check_ssh_include(self):
         user_ssh_config = Path.home() / ".ssh" / "config"
         if not user_ssh_config.exists():
             return False
-        lines = filter(None, map(str.strip, user_ssh_config.open("r")))
-        return f"Include {self.ssh_config_path}" in lines
+        lines = user_ssh_config.read_text().splitlines()
+        target = f"include {self.ssh_config_path}".lower()
+        return any(line.strip().lower() == target for line in lines)
 
     def run(self, args, check=True, capture=True, input=None):
         """Run an incus command.
@@ -190,7 +191,7 @@ def find_image(self, aliases):
     def delete_images(self):
         """Delete the cached base and relay images."""
         for alias in (RELAY_IMAGE_ALIAS, BASE_IMAGE_ALIAS):
-            self.run(["image", "delete", alias], check=False)
+            self.run(["image", "delete", alias], check=False)  # ok if absent
 
     def list_managed(self):
         """Return list of dicts with name, ip, ipv6, domain, status, memory_usage."""
@@ -433,7 +434,8 @@ def destroy(self):
 
     def disable_ipv6(self):
         """Disable IPv6 inside the container via sysctl."""
-        # incus provides net.* virtalization
+        # incus provides net.* virtualization for LXC containers so that
+        # these sysctls only affect the container's network namespace.
         self.bash("""\
             sysctl -w net.ipv6.conf.all.disable_ipv6=1
             sysctl -w net.ipv6.conf.default.disable_ipv6=1
@@ -485,7 +487,7 @@ def verify_ssh(self, ssh_config):
         return shell(cmd, timeout=15).returncode == 0
 
     def configure_dns(self, dns_ip):
-        """Point this container's resolver at *dns_ip* and verify it works."""
+        """Point this container's resolver at *dns_ip* and verify DNS is reachable."""
         self.bash(f"""\
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
@@ -535,7 +537,11 @@ def write_ini(self, disable_ipv6=False):
 
 
 class DNSContainer(Container):
-    """Container handle for the PowerDNS name server."""
+    """Container handle for the PowerDNS name server.
+
+    Manages the authoritative and recursive DNS services required for
+    name resolution in the local testing environment.
+    """
 
     def __init__(self, incus):
         super().__init__(incus, DNS_CONTAINER_NAME, domain=DNS_DOMAIN)
diff --git a/cmdeploy/src/cmdeploy/tests/test_lxc.py b/cmdeploy/src/cmdeploy/tests/test_lxc.py
index c9f402496..18c703009 100644
--- a/cmdeploy/src/cmdeploy/tests/test_lxc.py
+++ b/cmdeploy/src/cmdeploy/tests/test_lxc.py
@@ -12,7 +12,7 @@
 
 pytestmark = pytest.mark.skipif(
     not shutil.which("incus"),
-    reason="incus/lxc not installed",
+    reason="incus not installed",
 )
 
 
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index da0a8fab6..5662d305f 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -1,21 +1,15 @@
 Local testing with LXC/Incus
 ============================
 
-.. warning::
-
-   cmdeploy LXC support is geared towards local testing and CI, only.
-   Do not base production setups on it.
-
-
 The ``cmdeploy`` tool includes support for running
 chatmail relays inside local
 `Incus <https://linuxcontainers.org/incus/>`_ LXC containers.
-This is useful for development, testing, and CI
+This is meant for development, testing, and CI
 without requiring a remote server.
-LXC system containers behave like lightweight virtual machines.
-They share the host's kernel but run their own init system
-(systemd), package manager, and network stack,
-so the cmdeploy deployment scripts work exactly
+LXC system containers are lightweight virtual machines
+that share the host's kernel but run their own init system,
+package manager, and network stack,
+so the cmdeploy deployment scripts work pretty much
 as they would on a real Debian server or cloud VPS.
 
 Prerequisites
@@ -32,6 +26,16 @@ After installing incus, initialise and grant yourself access::
     sudo incus admin init --minimal
     sudo usermod -aG incus-admin $USER
 
+
+.. caution::
+
+   Adding yourself to ``incus-admin`` grants effective root access
+   to the host: any member can mount host directories into a container
+   and manipulate them as root.
+   This is fine for local testing of your own relay branches,
+   but do **not** use it for production setups
+   or for testing untrusted relay branches from others.
+
 .. warning::
 
    You **must now log out and back in** (or run ``newgrp incus-admin``)
@@ -53,11 +57,13 @@ Quick start
     source venv/bin/activate         # activate venv
     cmdeploy lxc-test                # create containers, deploy, test
 
-
-The ``lxc-test`` command executes each ``cmdeploy`` subprocess command
-so you can copy-paste and run them individually.
+The ``lxc-test`` command provides an automated way
+to run the full deployment and test pipeline.
+It executes several ``cmdeploy`` subcommands in sequential steps.
+If a step fails, you can copy-paste the printed command
+and run it manually to debug.
 No host DNS delegation or ``~/.ssh/config`` changes are needed
-because lxc-test passes ssh-related CLI options to "cmdeploy run" and "cmdeploy test" commands.
+because ``lxc-test`` passes the required SSH and DNS options directly.
 
 
 CLI reference
@@ -86,20 +92,6 @@ CLI reference
     User containers are **never** destroyed unless named explicitly.
 
 ``lxc-test [--one]``
-    Idempotent full pipeline:
-
-    1. ``lxc-start``: create ``test0`` + ``test1``
-       containers, minimal DNS
-
-    2. ``cmdeploy run``: deploy chatmail services on each relay
-
-    3. locally cache ``localchat-relay`` image after first successful deploy
-
-    4. ``cmdeploy dns --zonefile``: generate standard
-       BIND-format zone files, load full DNS records
-
-    5. ``cmdeploy test``: run full test suite
-
     By default creates, deploys, and tests both ``test0`` and ``test1``
     for dual-domain federation testing (sets ``CHATMAIL_DOMAIN2=_test1.localchat``).
     test0 runs dual-stack (IPv4 + IPv6) while test1 runs IPv4-only (``disable_ipv6 = True``).

From 6c95eeea809885aaf7c58951fc4e1eed44213c6b Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:13:00 +0100
Subject: [PATCH 14/31] lxc: dovecot sysctl: warn but skip when running in
 shared-kernel container Replace the CHATMAIL_NOSYSCTL guard with an explicit
 systemd-detect-virt -c check.

---
 cmdeploy/src/cmdeploy/dovecot/deployer.py | 37 ++++++++++++-----------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/dovecot/deployer.py b/cmdeploy/src/cmdeploy/dovecot/deployer.py
index 076278887..ecf3213b7 100644
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -1,9 +1,8 @@
-import os
 import urllib.request
 
 from chatmaild.config import Config
 from pyinfra import host
-from pyinfra.facts.server import Arch, Sysctl
+from pyinfra.facts.server import Arch, Command, Sysctl
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, server, systemd
 
@@ -137,23 +136,25 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
 
     # as per https://doc.dovecot.org/2.3/configuration_manual/os/
     # it is recommended to set the following inotify limits
-    if not os.environ.get("CHATMAIL_NOSYSCTL"):
-        for name in ("max_user_instances", "max_user_watches"):
-            key = f"fs.inotify.{name}"
-            if host.get_fact(Sysctl)[key] > 65535:
-                # Skip updating limits if already sufficient
-                # (enables running in incus containers where sysctl readonly)
-                continue
-            # in containers the following can fail see also
-            # https://docs.pyinfra.com/en/3.x/arguments.html#operation-meta-callbacks
-            server.sysctl(
-                name=f"Change {key}",
-                key=key,
-                value=65535,
-                persist=True,
-                _ignore_errors=True,
-                _continue_on_error=True,
+    can_modify = host.get_fact(Command, "systemd-detect-virt -c || true") == "none"
+    for name in ("max_user_instances", "max_user_watches"):
+        key = f"fs.inotify.{name}"
+        value = host.get_fact(Sysctl)[key]
+        if value > 65534:
+            continue
+        if not can_modify:
+            print(
+                "\n!!!! refusing to attempt sysctl setting in shared-kernel containers\n"
+                f"!!!! dovecot: sysctl {key!r}={value}, should be >65535 for production setups\n"
+                "!!!!"
             )
+            continue
+        server.sysctl(
+            name=f"Change {key}",
+            key=key,
+            value=65535,
+            persist=True,
+        )
 
     timezone_env = files.line(
         name="Set TZ environment variable",

From 3ba2703d042130f02d7224f954f832109857b393 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:19:06 +0100
Subject: [PATCH 15/31] cmdeploy: replace globals() subcommand scan with
 explicit SUBCOMMANDS list

The get_parser() loop that scanned globals() for *_cmd names was fragile
and forced # noqa: F401 on all lxc imports (ruff couldn't see they were
used dynamically).

Replace it with an explicit SUBCOMMANDS list of
(cmd_func, options_func, needs_config) tuples.  This makes the full set
of subcommands visible at a glance, their registration order defined,
and the imports unconditionally used (no more noqa suppressions).
---
 cmdeploy/src/cmdeploy/cmdeploy.py | 34 +++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index 29d140460..c30a5a284 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -16,8 +16,8 @@
 from chatmaild.config import read_config, write_initial_config
 from packaging import version
 
-from . import dns, remote  # noqa: F401
-from .lxc.cli import (  # noqa: F401
+from . import dns, remote
+from .lxc.cli import (
     lxc_start_cmd,
     lxc_start_cmd_options,
     lxc_status_cmd,
@@ -379,6 +379,23 @@ def add_subcommand(subparsers, func, add_config=True):
 deploy it via SSH to your remote location.
 """
 
+# Explicit subcommand registry: (cmd_func, options_func_or_None, needs_config).
+# LXC commands don't need a chatmail.ini (no config); all others do.
+SUBCOMMANDS = [
+    (init_cmd, init_cmd_options, True),
+    (run_cmd, run_cmd_options, True),
+    (dns_cmd, dns_cmd_options, True),
+    (status_cmd, status_cmd_options, True),
+    (test_cmd, test_cmd_options, True),
+    (fmt_cmd, fmt_cmd_options, True),
+    (bench_cmd, None, True),
+    (webdev_cmd, None, True),
+    (lxc_start_cmd, lxc_start_cmd_options, False),
+    (lxc_stop_cmd, lxc_stop_cmd_options, False),
+    (lxc_status_cmd, lxc_status_cmd_options, False),
+    (lxc_test_cmd, lxc_test_cmd_options, False),
+]
+
 
 def get_parser():
     """Return an ArgumentParser for the 'cmdeploy' CLI"""
@@ -395,15 +412,10 @@ def get_parser():
     )
     subparsers = parser.add_subparsers(title="subcommands")
 
-    # find all subcommands in the module namespace
-    glob = globals()
-    for name, func in glob.items():
-        if name.endswith("_cmd"):
-            needs_config = not name.startswith("lxc_")
-            subparser = add_subcommand(subparsers, func, add_config=needs_config)
-            addopts = glob.get(name + "_options")
-            if addopts is not None:
-                addopts(subparser)
+    for func, addopts, needs_config in SUBCOMMANDS:
+        subparser = add_subcommand(subparsers, func, add_config=needs_config)
+        if addopts is not None:
+            addopts(subparser)
 
     return parser
 

From 785efabe4c0f3c7fa6d5e84d88839328496d6b01 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 18:35:13 +0100
Subject: [PATCH 16/31] move --verbose option back to subcommands

---
 cmdeploy/src/cmdeploy/cmdeploy.py | 16 ++++++++--------
 cmdeploy/src/cmdeploy/lxc/cli.py  |  4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index c30a5a284..d98ebfe0e 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -371,6 +371,14 @@ def add_subcommand(subparsers, func, add_config=True):
     p.set_defaults(func=func)
     if add_config:
         add_config_option(p)
+    p.add_argument(
+        "-v",
+        "--verbose",
+        dest="verbose",
+        action="count",
+        default=0,
+        help="increase verbosity (can be repeated: -v, -vv)",
+    )
     return p
 
 
@@ -402,14 +410,6 @@ def get_parser():
 
     parser = argparse.ArgumentParser(description=description.strip())
     parser.set_defaults(func=None, inipath=None)
-    parser.add_argument(
-        "-v",
-        "--verbose",
-        dest="verbose",
-        action="count",
-        default=0,
-        help="increase verbosity (can be repeated: -v, -vv)",
-    )
     subparsers = parser.add_subparsers(title="subcommands")
 
     for func, addopts, needs_config in SUBCOMMANDS:
diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index 5dc098d02..7c43241a1 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -209,7 +209,7 @@ def lxc_test_cmd(args, out):
         name = ct.sname
         ipv4_only = ipv4_only_flags.get(name, False)
         v_flag = " -" + "v" * out.verbosity if out.verbosity > 0 else ""
-        start_cmd = f"cmdeploy{v_flag} lxc-start {name}"
+        start_cmd = f"cmdeploy lxc-start{v_flag} {name}"
         if ipv4_only:
             start_cmd += " --ipv4-only"
         with out.section(f"cmdeploy lxc-start: {name}"):
@@ -443,7 +443,7 @@ def _run_cmdeploy(subcmd, ct, ix, out, extra=None, **kwargs):
     extra_str = " ".join(extra) if extra else ""
     v_flag = " -" + "v" * out.verbosity if out.verbosity > 0 else ""
     cmd = f"""\
-        cmdeploy{v_flag} {subcmd}
+        cmdeploy {subcmd}{v_flag}
         --config {ct.ini}
         --ssh-config {ix.ssh_config_path}
         --ssh-host {ct.domain}

From 68d1fa8f01b0df83bb1b7b55eed29a35cb3fd507 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Sun, 8 Mar 2026 22:44:51 +0100
Subject: [PATCH 17/31] only use explicit server settings if the host resolves
 to ip address via ssh config

---
 cmdeploy/src/cmdeploy/tests/plugin.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/tests/plugin.py b/cmdeploy/src/cmdeploy/tests/plugin.py
index aa3f0b37d..e7d1cefdb 100644
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -409,13 +409,16 @@ def __init__(
     def _make_transport(self, domain):
         """Build a transport config dict for the given domain."""
         addr, password = self.gencreds(domain)
-        server = self._ssh_config_host_map.get(domain, domain)
         transport = {
             "addr": addr,
             "password": password,
-            "imapServer": server,
-            "smtpServer": server,
         }
+        # To support running against local relays without host DNS resolution
+        # we attempt resolving the domain via ssh-config
+        # because otherwise core fails to find the address
+        server = self._ssh_config_host_map.get(domain)
+        if server is not None:
+            transport.update({"imapServer": server, "smtpServer": server})
         if self.chatmail_config.tls_cert_mode == "self":
             transport["certificateChecks"] = "acceptInvalidCertificates"
         return transport

From 7570c57d7e94f94cee09b45b708dffecfa456dd4 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Mon, 9 Mar 2026 00:51:33 +0100
Subject: [PATCH 18/31] remove superflous """\

---
 cmdeploy/src/cmdeploy/lxc/cli.py   |  2 +-
 cmdeploy/src/cmdeploy/lxc/incus.py | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index 7c43241a1..df8594481 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -442,7 +442,7 @@ def _run_cmdeploy(subcmd, ct, ix, out, extra=None, **kwargs):
     """
     extra_str = " ".join(extra) if extra else ""
     v_flag = " -" + "v" * out.verbosity if out.verbosity > 0 else ""
-    cmd = f"""\
+    cmd = f"""
         cmdeploy {subcmd}{v_flag}
         --config {ct.ini}
         --ssh-config {ix.ssh_config_path}
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 97f2c661d..f65bc4647 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -241,7 +241,7 @@ def ensure_base_image(self):
 
         key_path = self.ssh_key_path
         pub_key = key_path.with_suffix(".pub").read_text().strip()
-        ct.bash(f"""\
+        ct.bash(f"""
             echo 'nameserver 9.9.9.9' > /etc/resolv.conf
             apt-get -o DPkg::Lock::Timeout=60 update
             DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server python3
@@ -436,7 +436,7 @@ def disable_ipv6(self):
         """Disable IPv6 inside the container via sysctl."""
         # incus provides net.* virtualization for LXC containers so that
         # these sysctls only affect the container's network namespace.
-        self.bash("""\
+        self.bash("""
             sysctl -w net.ipv6.conf.all.disable_ipv6=1
             sysctl -w net.ipv6.conf.default.disable_ipv6=1
             mkdir -p /etc/sysctl.d
@@ -488,7 +488,7 @@ def verify_ssh(self, ssh_config):
 
     def configure_dns(self, dns_ip):
         """Point this container's resolver at *dns_ip* and verify DNS is reachable."""
-        self.bash(f"""\
+        self.bash(f"""
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
             echo 'nameserver {dns_ip}' > /etc/resolv.conf
@@ -556,7 +556,7 @@ def replace_rrset(self, zone, name, rtype, ttl, rdata):
 
     def restart_services(self):
         """Restart pdns and pdns-recursor, then wait until DNS is answering."""
-        self.bash("""\
+        self.bash("""
             systemctl restart pdns
             systemctl restart pdns-recursor || true
         """)
@@ -604,7 +604,7 @@ def _install_powerdns(self):
         if self.run_cmd("which", "pdns_server", check=False) is not None:
             return
 
-        self.bash("""\
+        self.bash("""
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
             echo 'nameserver 9.9.9.9' > /etc/resolv.conf
@@ -629,7 +629,7 @@ def _install_powerdns(self):
 
         self.push_file_content(
             "/etc/powerdns/pdns.conf",
-            """\
+            """
             launch=gsqlite3
             gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
             local-address=127.0.0.1
@@ -639,7 +639,7 @@ def _install_powerdns(self):
 
         self.push_file_content(
             "/etc/powerdns/recursor.conf",
-            """\
+            """
             local-address=0.0.0.0
             local-port=53
             forward-zones=localchat=127.0.0.1:5353
@@ -650,7 +650,7 @@ def _install_powerdns(self):
             """,
         )
 
-        self.bash("""\
+        self.bash("""
             systemctl start pdns
             systemctl start pdns-recursor
             echo 'nameserver 127.0.0.1' > /etc/resolv.conf

From c4b018b7f2b6b378e2369e92fe538b859ee69237 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Mon, 9 Mar 2026 16:39:08 +0100
Subject: [PATCH 19/31] change all timeouts to 60

---
 cmdeploy/src/cmdeploy/lxc/incus.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index f65bc4647..7df9663be 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -483,8 +483,8 @@ def deployed_domain(self):
 
     def verify_ssh(self, ssh_config):
         """Verify SSH connectivity to this container."""
-        cmd = f"ssh -F {ssh_config} -o ConnectTimeout=10 root@{self.domain} hostname"
-        return shell(cmd, timeout=15).returncode == 0
+        cmd = f"ssh -F {ssh_config} -o ConnectTimeout=60 root@{self.domain} hostname"
+        return shell(cmd, timeout=60).returncode == 0
 
     def configure_dns(self, dns_ip):
         """Point this container's resolver at *dns_ip* and verify DNS is reachable."""
@@ -562,7 +562,7 @@ def restart_services(self):
         """)
         self._wait_dns_ready()
 
-    def _wait_dns_ready(self, timeout=10):
+    def _wait_dns_ready(self, timeout=60):
         """Poll until the recursor answers a query on port 53."""
         deadline = time.time() + timeout
         while time.time() < deadline:

From 550498e93615e3c726a9b0e148a6e5ee1491e220 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Mon, 9 Mar 2026 16:44:33 +0100
Subject: [PATCH 20/31] force tcp connections for dns resolution

---
 cmdeploy/src/cmdeploy/lxc/incus.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 7df9663be..ca7df4335 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -491,7 +491,7 @@ def configure_dns(self, dns_ip):
         self.bash(f"""
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
-            echo 'nameserver {dns_ip}' > /etc/resolv.conf
+            printf 'nameserver {dns_ip}\noptions use-vc\n' >/etc/resolv.conf
             mkdir -p /etc/unbound/unbound.conf.d
             printf 'server:\\n  domain-insecure: "localchat"\\n\\n
             forward-zone:\\n  name: "localchat"\\n

From da5c2485628a056fa1858fed3920c0d98527f26a Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Mon, 9 Mar 2026 17:32:55 +0100
Subject: [PATCH 21/31] try fix some test hangs potentially caused by
 filtermail's DNS cache

---
 cmdeploy/src/cmdeploy/lxc/cli.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index df8594481..98dfea04e 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -247,6 +247,13 @@ def lxc_test_cmd(args, out):
                 out.print(f"Loading {ct.zone} into PowerDNS ...")
                 dns_ct.set_dns_records(zone_data)
 
+        # Restart filtermail so its in-process DNS cache
+        # does not hold stale negative DKIM responses
+        # from before the zones were loaded.
+        for ct in map(ix.get_container, relay_names):
+            out.print(f"Restarting filtermail-incoming on {ct.name} ...")
+            ct.bash("systemctl restart filtermail-incoming")
+
     with out.section("cmdeploy test"):
         first = ix.get_container(relay_names[0])
         env = None

From dcb9fbe73fde0cd4aba6116589d685d54f71c6fa Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 10:54:27 +0100
Subject: [PATCH 22/31] make sure subprocesses by defaulit don't inherit stdin
 FD

---
 cmdeploy/src/cmdeploy/lxc/incus.py | 2 +-
 cmdeploy/src/cmdeploy/util.py      | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index ca7df4335..740b77d2e 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -128,7 +128,7 @@ def run(self, args, check=True, capture=True, input=None):
         proc = subprocess.Popen(
             cmd,
             text=True,
-            stdin=subprocess.PIPE if input else None,
+            stdin=subprocess.PIPE if input else subprocess.DEVNULL,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
         )
diff --git a/cmdeploy/src/cmdeploy/util.py b/cmdeploy/src/cmdeploy/util.py
index 3832202ba..83bc5ea91 100644
--- a/cmdeploy/src/cmdeploy/util.py
+++ b/cmdeploy/src/cmdeploy/util.py
@@ -90,6 +90,7 @@ def shell(self, cmd, quiet=False, **kwargs):
             cmd,
             shell=True,
             text=True,
+            stdin=subprocess.DEVNULL,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
             env=env,
@@ -133,6 +134,7 @@ def shell(cmd, check=False, **kwargs):
     """
     if "capture_output" not in kwargs and "stdout" not in kwargs:
         kwargs["capture_output"] = True
+    kwargs.setdefault("stdin", subprocess.DEVNULL)
     return subprocess.run(collapse(cmd), shell=True, text=True, check=check, **kwargs)
 
 

From 8a49489d54c8762f75b9757f8d36cc187e4b1ae0 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 13:25:52 +0100
Subject: [PATCH 23/31] try to discover and use host dns settings instead of
 9.9.9.9

---
 cmdeploy/src/cmdeploy/deployers.py | 11 +++++++++++
 cmdeploy/src/cmdeploy/lxc/incus.py | 30 +++++++++++++++++++++++++-----
 doc/source/lxc.rst                 |  2 +-
 3 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/deployers.py b/cmdeploy/src/cmdeploy/deployers.py
index b259c9681..2b809dda1 100644
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -493,6 +493,17 @@ def install(self):
         )
 
     def configure(self):
+        # Ensure the per-domain mailbox directory exists before
+        # chatmail-metadata starts (it crashes without it).
+        files.directory(
+            name="Ensure vmail mailbox directory exists",
+            path=f"/home/vmail/mail/{self.mail_domain}",
+            user="vmail",
+            group="vmail",
+            mode="700",
+            present=True,
+        )
+
         # This file is used by auth proxy.
         # https://wiki.debian.org/EtcMailName
         server.shell(
diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 740b77d2e..779fa8438 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -99,6 +99,22 @@ def check_ssh_include(self):
         target = f"include {self.ssh_config_path}".lower()
         return any(line.strip().lower() == target for line in lines)
 
+    def get_host_nameservers(self):
+        """Return upstream nameservers found on the host."""
+        ns = []
+        for path in ["/run/systemd/resolve/resolv.conf", "/etc/resolv.conf"]:
+            p = Path(path)
+            if p.exists():
+                for line in p.read_text().splitlines():
+                    if line.strip().startswith("nameserver "):
+                        addr = line.split()[1]
+                        if addr not in ("127.0.0.1", "127.0.0.53", "::1"):
+                            if addr not in ns:
+                                ns.append(addr)
+                if ns:
+                    break
+        return ns
+
     def run(self, args, check=True, capture=True, input=None):
         """Run an incus command.
 
@@ -241,8 +257,10 @@ def ensure_base_image(self):
 
         key_path = self.ssh_key_path
         pub_key = key_path.with_suffix(".pub").read_text().strip()
+        host_ns = self.get_host_nameservers()
+        ns_lines = "\n".join(f"nameserver {n}" for n in host_ns)
         ct.bash(f"""
-            echo 'nameserver 9.9.9.9' > /etc/resolv.conf
+            printf '{ns_lines}\n' > /etc/resolv.conf
             apt-get -o DPkg::Lock::Timeout=60 update
             DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server python3
             systemctl enable ssh
@@ -491,7 +509,7 @@ def configure_dns(self, dns_ip):
         self.bash(f"""
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
-            printf 'nameserver {dns_ip}\noptions use-vc\n' >/etc/resolv.conf
+            printf 'nameserver {dns_ip}\n' >/etc/resolv.conf
             mkdir -p /etc/unbound/unbound.conf.d
             printf 'server:\\n  domain-insecure: "localchat"\\n\\n
             forward-zone:\\n  name: "localchat"\\n
@@ -604,10 +622,13 @@ def _install_powerdns(self):
         if self.run_cmd("which", "pdns_server", check=False) is not None:
             return
 
-        self.bash("""
+        host_ns = self.incus.get_host_nameservers()
+        ns_lines = "\n".join(f"nameserver {n}" for n in host_ns)
+
+        self.bash(f"""
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
-            echo 'nameserver 9.9.9.9' > /etc/resolv.conf
+            printf '{ns_lines}\n' > /etc/resolv.conf
 
             # Block automatic service startup during package installation
             printf '#!/bin/sh\\nexit 101\\n' > /usr/sbin/policy-rc.d
@@ -643,7 +664,6 @@ def _install_powerdns(self):
             local-address=0.0.0.0
             local-port=53
             forward-zones=localchat=127.0.0.1:5353
-            forward-zones-recurse=.=9.9.9.9;149.112.112.112
             allow-from=0.0.0.0/0
             dont-query=
             dnssec=off
diff --git a/doc/source/lxc.rst b/doc/source/lxc.rst
index 5662d305f..6bd60da1e 100644
--- a/doc/source/lxc.rst
+++ b/doc/source/lxc.rst
@@ -176,7 +176,7 @@ running two `PowerDNS <https://www.powerdns.com/>`_ services:
 * **pdns-recursor** (recursive) listens on the Incus
   bridge so all containers can use it.
   Forwards ``.localchat`` queries to the local
-  authoritative server and everything else to Quad9 (``9.9.9.9``).
+  authoritative server and resolves everything else recursively.
 
 After the DNS container is up, ``lxc-start`` configures the Incus bridge
 to advertise its IP via DHCP and disables Incus's own DNS.

From 7450143c8643198abf62f474db7f1f48415cc6b2 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 13:31:53 +0100
Subject: [PATCH 24/31] fix a potential hang because "journalctl -f" never
 finishes by itself, and handles might stay open if we don't close them during
 test teardown.

---
 cmdeploy/src/cmdeploy/tests/plugin.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/tests/plugin.py b/cmdeploy/src/cmdeploy/tests/plugin.py
index e7d1cefdb..8e8bf2d66 100644
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -487,13 +487,16 @@ def cmfactory(
 
 @pytest.fixture
 def remote(sshdomain, pytestconfig):
-    return Remote(sshdomain, ssh_config=pytestconfig.getoption("ssh_config"))
+    r = Remote(sshdomain, ssh_config=pytestconfig.getoption("ssh_config"))
+    yield r
+    r.close()
 
 
 class Remote:
     def __init__(self, sshdomain, ssh_config=None):
         self.sshdomain = sshdomain
         self.ssh_config = ssh_config
+        self._procs = []
 
     def iter_output(self, logcmd="", ready=None):
         getjournal = "journalctl -f" if not logcmd else logcmd
@@ -509,12 +512,14 @@ def iter_output(self, logcmd="", ready=None):
                     command.extend(["-F", self.ssh_config])
                 command.append(f"root@{self.sshdomain}")
         [command.append(arg) for arg in getjournal.split()]
-        self.popen = subprocess.Popen(
+        popen = subprocess.Popen(
             command,
+            stdin=subprocess.DEVNULL,
             stdout=subprocess.PIPE,
         )
+        self._procs.append(popen)
         while 1:
-            line = self.popen.stdout.readline()
+            line = popen.stdout.readline()
             res = line.decode().strip().lower()
             if not res:
                 break
@@ -523,6 +528,12 @@ def iter_output(self, logcmd="", ready=None):
                 ready = None
             yield res
 
+    def close(self):
+        while self._procs:
+            proc = self._procs.pop()
+            proc.kill()
+            proc.wait()
+
 
 @pytest.fixture
 def lp(request):

From ef7e06d9f95101eb25aef29283731ea5f26d7eea Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 14:14:40 +0100
Subject: [PATCH 25/31] remove memory limits in containers

---
 cmdeploy/src/cmdeploy/lxc/incus.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 779fa8438..371768beb 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -297,12 +297,11 @@ def get_dns_container(self):
 class Container:
     """The base container handle wraps all interactions with incus."""
 
-    def __init__(self, incus, name, domain=None, memory="200MiB"):
+    def __init__(self, incus, name, domain=None):
         self.incus = incus
         self.out = incus.out
         self.name = name
         self.domain = domain or f"{name}{DOMAIN_SUFFIX}"
-        self.memory = memory
         self.ipv4 = None
         self.ipv6 = None
 
@@ -347,7 +346,6 @@ def launch(self):
         cfg = []
         cfg += ("-c", f"{LABEL_KEY}=true")
         cfg += ("-c", f"user.localchat-domain={self.domain}")
-        cfg += ("-c", f"limits.memory={self.memory}")
         self.incus.run(["launch", image, self.name, *cfg])
         return image
 
@@ -432,7 +430,6 @@ def __init__(self, incus, name):
             incus,
             f"{name}-localchat",
             domain=f"_{name}{DOMAIN_SUFFIX}",
-            memory="600MiB",
         )
         self.sname = name
         self.ini = incus.lxconfigs_dir / f"chatmail-{name}.ini"

From 22a2b6a1c47236ede1c6097461b4768e1c05ea08 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 19:12:31 +0100
Subject: [PATCH 26/31] remove superflous sepchar argument

---
 cmdeploy/src/cmdeploy/cmdeploy.py | 2 +-
 cmdeploy/src/cmdeploy/util.py     | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index d98ebfe0e..f5050271d 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -437,7 +437,7 @@ def main(args=None):
     if args.func is None:
         return parser.parse_args(["-h"])
 
-    out = Out(sepchar="\u2501", verbosity=args.verbose)
+    out = Out(verbosity=args.verbose)
     kwargs = {}
 
     if args.inipath is not None and args.func.__name__ not in ("init_cmd", "fmt_cmd"):
diff --git a/cmdeploy/src/cmdeploy/util.py b/cmdeploy/src/cmdeploy/util.py
index 83bc5ea91..4a5178b78 100644
--- a/cmdeploy/src/cmdeploy/util.py
+++ b/cmdeploy/src/cmdeploy/util.py
@@ -15,10 +15,10 @@
 class Out:
     """Convenience output printer providing coloring and section formatting."""
 
-    def __init__(self, sepchar="\u2501", prefix="", verbosity=0):
+    def __init__(self, prefix="", verbosity=0):
         self.section_timings = []
         self.prefix = prefix
-        self.sepchar = sepchar
+        self.sepchar = "\u2501"
         self.verbosity = verbosity
         env_width = os.environ.get("_CMDEPLOY_WIDTH")
         if env_width:
@@ -31,7 +31,6 @@ def new_prefixed_out(self, newprefix="  "):
         sharing section_timings with the parent.
         """
         out = Out(
-            sepchar=self.sepchar,
             prefix=self.prefix + newprefix,
             verbosity=self.verbosity,
         )

From de1a53b135b7ff92b3be0a455b2bd5504aead62a Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 17:49:48 +0100
Subject: [PATCH 27/31] fix: separate stderr capture in incus and suppress in
 test plugin

Capture stderr separately in Incus.run() instead of merging
it into stdout, which corrupted JSON parsing in run_json().
Add --quiet flag to reduce incus noise.
Suppress stderr in Remote subprocess to prevent pytest-xdist
communication issues.
---
 cmdeploy/src/cmdeploy/lxc/incus.py    | 12 +++++++-----
 cmdeploy/src/cmdeploy/tests/plugin.py |  1 +
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 371768beb..54b6dfe61 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -122,7 +122,7 @@ def run(self, args, check=True, capture=True, input=None):
         to the terminal line-by-line while also being captured for
         later return via result.stdout.
         """
-        cmd = ["incus"] + list(args)
+        cmd = ["incus", "--quiet"] + list(args)
         sub = self.out.new_prefixed_out("  ")
 
         if not capture:
@@ -146,7 +146,7 @@ def run(self, args, check=True, capture=True, input=None):
             text=True,
             stdin=subprocess.PIPE if input else subprocess.DEVNULL,
             stdout=subprocess.PIPE,
-            stderr=subprocess.STDOUT,
+            stderr=subprocess.PIPE,
         )
 
         stdout_lines = []
@@ -159,15 +159,17 @@ def run(self, args, check=True, capture=True, input=None):
             if sub.verbosity >= 2:
                 sub.print(f"  > {line.rstrip()}")
 
+        stderr = proc.stderr.read()
         ret = proc.wait()
         stdout = "".join(stdout_lines)
         if check and ret != 0:
-            for line in stdout.splitlines():
+            full_output = stdout + stderr
+            for line in full_output.splitlines():
                 if sub.verbosity < 1:  # and we haven't printed it yet
                     sub.red(line)
-            raise subprocess.CalledProcessError(ret, cmd, output=stdout)
+            raise subprocess.CalledProcessError(ret, cmd, output=stdout, stderr=stderr)
 
-        return subprocess.CompletedProcess(cmd, ret, stdout=stdout)
+        return subprocess.CompletedProcess(cmd, ret, stdout=stdout, stderr=stderr)
 
     def run_json(self, args, check=True):
         """Run an incus command with ``--format=json``.
diff --git a/cmdeploy/src/cmdeploy/tests/plugin.py b/cmdeploy/src/cmdeploy/tests/plugin.py
index 8e8bf2d66..50ff905b4 100644
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -516,6 +516,7 @@ def iter_output(self, logcmd="", ready=None):
             command,
             stdin=subprocess.DEVNULL,
             stdout=subprocess.PIPE,
+            stderr=subprocess.DEVNULL,
         )
         self._procs.append(popen)
         while 1:

From a61bbcade2b92a66d5ca0fe99dc3c9fd1b48126e Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 17:49:58 +0100
Subject: [PATCH 28/31] fix: pass full config to ChatmailDeployer and ensure
 mailboxes_dir

ChatmailDeployer now receives the full config object
so it can access mailboxes_dir and create this directory
during deployment, preventing mail delivery failures.
---
 cmdeploy/src/cmdeploy/deployers.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/deployers.py b/cmdeploy/src/cmdeploy/deployers.py
index 2b809dda1..a11e45610 100644
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -463,8 +463,9 @@ class ChatmailDeployer(Deployer):
         ("iroh", None, None),
     ]
 
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
+    def __init__(self, config):
+        self.config = config
+        self.mail_domain = config.mail_domain
 
     def install(self):
         files.put(
@@ -513,6 +514,15 @@ def configure(self):
             ],
         )
 
+        files.directory(
+            name=f"Ensure mailboxes directory {self.config.mailboxes_dir} exists",
+            path=str(self.config.mailboxes_dir),
+            user="vmail",
+            group="vmail",
+            mode="700",
+            present=True,
+        )
+
 
 class FcgiwrapDeployer(Deployer):
     def install(self):
@@ -631,7 +641,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
     tls_deployer = get_tls_deployer(config, mail_domain)
 
     all_deployers = [
-        ChatmailDeployer(mail_domain),
+        ChatmailDeployer(config),
         LegacyRemoveDeployer(),
         FiltermailDeployer(),
         JournaldDeployer(),

From e6db359a342111ad0592de8ed7541a6bac27f215 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 17:50:08 +0100
Subject: [PATCH 29/31] fix: run cmdeploy dns and restart filtermail in
 lxc-start --run

lxc-start --run deployed the relay but never loaded DNS zones
or restarted filtermail-incoming, so DKIM verification and
outgoing mail failed.
---
 cmdeploy/src/cmdeploy/lxc/cli.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/cli.py b/cmdeploy/src/cmdeploy/lxc/cli.py
index 98dfea04e..eddd3b5e7 100644
--- a/cmdeploy/src/cmdeploy/lxc/cli.py
+++ b/cmdeploy/src/cmdeploy/lxc/cli.py
@@ -114,7 +114,7 @@ def _lxc_start_cmd(args, out):
         )
         sub.green(f"    Include {ssh_cfg}")
 
-    # Optionally run cmdeploy run on each relay
+    # Optionally run cmdeploy run + dns on each relay
     if args.run:
         for ct in relays:
             with out.section(f"cmdeploy run: {ct.sname} ({ct.domain})"):
@@ -123,6 +123,20 @@ def _lxc_start_cmd(args, out):
                     out.red(f"Deploy to {ct.sname} failed (exit {ret})")
                     return ret
 
+        with out.section("loading DNS zones"):
+            for ct in relays:
+                ret = _run_cmdeploy(
+                    "dns", ct, ix, out,
+                    extra=["--zonefile", str(ct.zone)],
+                )
+                if ret:
+                    out.red(f"DNS for {ct.sname} failed (exit {ret})")
+                    return ret
+                if ct.zone.exists():
+                    dns_ct.set_dns_records(ct.zone.read_text())
+                out.print(f"Restarting filtermail-incoming on {ct.name}")
+                ct.bash("systemctl restart filtermail-incoming")
+
 
 # -------------------------------------------------------------------
 # lxc-stop

From 4b1dbc3d435f4dee44df6183f695c6c6f0e9aec0 Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Tue, 10 Mar 2026 19:40:55 +0100
Subject: [PATCH 30/31] fix: use push_file_content for unbound and sysctl
 config files

fixes silent fail on invalid configuration file.
---
 cmdeploy/src/cmdeploy/lxc/incus.py | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/lxc/incus.py b/cmdeploy/src/cmdeploy/lxc/incus.py
index 54b6dfe61..36700c1d4 100644
--- a/cmdeploy/src/cmdeploy/lxc/incus.py
+++ b/cmdeploy/src/cmdeploy/lxc/incus.py
@@ -456,11 +456,14 @@ def disable_ipv6(self):
         self.bash("""
             sysctl -w net.ipv6.conf.all.disable_ipv6=1
             sysctl -w net.ipv6.conf.default.disable_ipv6=1
-            mkdir -p /etc/sysctl.d
-            printf 'net.ipv6.conf.all.disable_ipv6=1\\n
-            net.ipv6.conf.default.disable_ipv6=1\\n'
-            > /etc/sysctl.d/99-disable-ipv6.conf
         """)
+        self.push_file_content(
+            "/etc/sysctl.d/99-disable-ipv6.conf",
+            """
+            net.ipv6.conf.all.disable_ipv6=1
+            net.ipv6.conf.default.disable_ipv6=1
+            """,
+        )
 
     def configure_hosts(self, ip):
         """Set hostname and /etc/hosts inside the container."""
@@ -508,14 +511,21 @@ def configure_dns(self, dns_ip):
         self.bash(f"""
             systemctl disable --now systemd-resolved 2>/dev/null || true
             rm -f /etc/resolv.conf
-            printf 'nameserver {dns_ip}\n' >/etc/resolv.conf
+            printf 'nameserver {dns_ip}\\n' >/etc/resolv.conf
             mkdir -p /etc/unbound/unbound.conf.d
-            printf 'server:\\n  domain-insecure: "localchat"\\n\\n
-            forward-zone:\\n  name: "localchat"\\n
-              forward-addr: {dns_ip}\\n'
-            > /etc/unbound/unbound.conf.d/localchat-forward.conf
-            systemctl restart unbound 2>/dev/null || true
         """)
+        self.push_file_content(
+            "/etc/unbound/unbound.conf.d/localchat-forward.conf",
+            f"""
+            server:
+              domain-insecure: "localchat"
+
+            forward-zone:
+              name: "localchat"
+              forward-addr: {dns_ip}
+            """,
+        )
+        self.bash("systemctl restart unbound 2>/dev/null || true")
         self._wait_dns_reachable(dns_ip)
 
     def _wait_dns_reachable(self, dns_ip, timeout=10):

From 260ace5ab0161c592ceb88337cf6dee8501b060f Mon Sep 17 00:00:00 2001
From: holger krekel <holger@merlinux.eu>
Date: Fri, 13 Mar 2026 13:35:56 +0100
Subject: [PATCH 31/31] fix off-by-one

---
 cmdeploy/src/cmdeploy/dovecot/deployer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/dovecot/deployer.py b/cmdeploy/src/cmdeploy/dovecot/deployer.py
index ecf3213b7..6d44e9cd3 100644
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -145,7 +145,7 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
         if not can_modify:
             print(
                 "\n!!!! refusing to attempt sysctl setting in shared-kernel containers\n"
-                f"!!!! dovecot: sysctl {key!r}={value}, should be >65535 for production setups\n"
+                f"!!!! dovecot: sysctl {key!r}={value}, should be >65534 for production setups\n"
                 "!!!!"
             )
             continue