Add parsedmarc DMARC report analyzer on control

Deliver cnx.email DMARC aggregate/forensic reports to a dedicated dmarc@cnx.email
mailbox on mx1 and analyze them with parsedmarc on control, storing parsed
reports in a local loopback Elasticsearch and visualizing via the auto-provisioned
Grafana dashboard. parsedmarc fetches the mailbox over IMAPS across the mesh
(mx1.cnx.email pinned to its mesh address so TLS still validates), using a shared
mail-dmarc-cred clan var so mx1's mailserver and control see the same password.

modules/mail.nix

@@ -60,15 +60,27 @@ let
     }) accounts
   );
 
-  loginAccounts = lib.listToAttrs (
-    map (addr: {
-      name = addr;
-      value.hashedPasswordFile = config.clan.core.vars.generators.${genName addr}.files."hash".path;
-    }) accounts
-  );
+  loginAccounts =
+    lib.listToAttrs (
+      map (addr: {
+        name = addr;
+        value.hashedPasswordFile = config.clan.core.vars.generators.${genName addr}.files."hash".path;
+      }) accounts
+    )
+    // {
+      # DMARC report inbox (rua/ruf target in the cnx.email zone). Its password
+      # comes from the *shared* mail-dmarc-cred generator instead of the per-machine
+      # set above, so parsedmarc on control can read the same passphrase over the
+      # mesh. Retrieve it with: clan vars get mx1 mail-dmarc-cred/passphrase
+      "dmarc@cnx.email".hashedPasswordFile =
+        config.clan.core.vars.generators.mail-dmarc-cred.files."hash".path;
+    };
 in
 {
-  imports = [ ./dns/acme-mx1-secret.nix ];
+  imports = [
+    ./dns/acme-mx1-secret.nix
+    ./mail-dmarc-cred.nix
+  ];
 
   clan.core.vars.generators = passwdGenerators // {
     # Render the shared acme_mx1 TSIG secret into a lego rfc2136 env file. lego