simplify cert loading and triggering, add a note for cross-bind mounts

hpk42 · hpk42 · commit 3f05a9a8b4b2 · 2026-02-24T00:15:20.000+01:00
diff --git a/cmdeploy/src/cmdeploy/external/deployer.py b/cmdeploy/src/cmdeploy/external/deployer.py
@@ -63,11 +63,5 @@ def activate(self):
             restarted=self.need_restart,
             daemon_reload=self.need_restart,
         )
-        # Trigger the oneshot service so services pick up the current cert.
-        # The path unit handles future changes via inotify.
-        systemd.service(
-            name="Reload TLS services for current certificate",
-            service="tls-cert-reload.service",
-            running=True,
-            daemon_reload=False,
-        )
+        # No explicit reload needed here: dovecot/nginx read the cert
+        # on startup, and the .path watcher handles live changes.
diff --git a/cmdeploy/src/cmdeploy/external/tls-cert-reload.path.f b/cmdeploy/src/cmdeploy/external/tls-cert-reload.path.f
@@ -1,6 +1,10 @@
 # Watch the TLS certificate file for changes.
 # When the cert is updated (e.g. renewed by an external process),
-# this triggers tls-cert-reload.service to restart the affected services.
+# this triggers tls-cert-reload.service to reload the affected services.
+#
+# NOTE: changes to the certificates are not detected if they cross bind-mount boundaries. 
+# After cert renewal, you must then trigger the reload explicitly:
+#   systemctl start tls-cert-reload.service
 [Unit]
 Description=Watch TLS certificate for changes
 
diff --git a/cmdeploy/src/cmdeploy/external/tls-cert-reload.service b/cmdeploy/src/cmdeploy/external/tls-cert-reload.service
@@ -11,5 +11,5 @@ Description=Reload TLS services after certificate change
 
 [Service]
 Type=oneshot
-ExecStart=/bin/systemctl reload dovecot
-ExecStart=/bin/systemctl reload nginx
+ExecStart=/bin/systemctl try-reload-or-restart dovecot
+ExecStart=/bin/systemctl try-reload-or-restart nginx
diff --git a/doc/source/getting_started.rst b/doc/source/getting_started.rst
@@ -229,7 +229,11 @@ The deploy will verify that both files exist on the server.
    You are responsible for certificate renewal.
    When the certificate file changes on disk,
    all relay services pick up the new certificate automatically
-   (via a systemd path watcher installed during deploy).
+   via a systemd path watcher installed during deploy.
+   The watcher uses inotify, which does not cross bind-mount boundaries.
+   If you use such a setup, you must trigger the reload explicitly after renewal::
+
+      systemctl start tls-cert-reload.service
 
 
 Migrating to a new build machine
