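# Shared TSIG secret for the dedicated acme_mx1 key.
#
# This key lets mx1 — and only mx1 — write _acme-challenge.mx1.cnx.email TXT
# records on ns1 to obtain its mail TLS cert via ACME DNS-01. ns1 scopes it with
# acl_acme_mx1 (attached only to the cnx.email zone) so the credential can touch
# nothing else. ns1 renders this secret into a Knot key file; mx1 into a lego
# rfc2136 env file; both must carry the same secret, hence one shared generator
# with a per-host renderer that depends on it. Imported by ns1 and (via mail.nix)
# mx1.
#
# Security notes:
#  - `share = true` means the identical secret is deployed to every host that
#    imports this generator. Nothing in this file bounds what the key may do;
#    that restriction lives entirely in the ACL ns1 attaches to it, so a change
#    to that ACL widens the blast radius of this credential on both hosts.
#  - Rotation means regenerating the var and redeploying ns1 and mx1 together;
#    a mismatch does not fail at deploy time, it only shows up as failed
#    DNS-01 renewals on mx1.
#  - RFC 8945 recommends an HMAC-based TSIG key be at least as long as the
#    digest output; for hmac-sha256 that is 32 bytes, which is what is made.
{ pkgs, ... }:
{
  clan.core.vars.generators.dns-acme-mx1-secret = {
    share = true;
    files."secret".secret = true;
    runtimeInputs = [ pkgs.openssl ];
    # 32 random bytes, base64-encoded: 44 characters, so `openssl rand -base64`
    # emits exactly one line and no line-wrapping has to be undone.
    #
    # The value is captured first and the script aborts if openssl fails or
    # yields nothing. The previous `openssl ... | tr -d '\n' > "$out"/secret`
    # form would, on an openssl failure, still let tr succeed and leave an
    # empty secret file in $out that the generator framework would then treat
    # as a valid result and deploy to both hosts. printf '%s' writes the value
    # without a trailing newline, as the tr form did.
    script = ''
      secret="$(openssl rand -base64 32)" || exit 1
      [ -n "$secret" ] || exit 1
      printf '%s' "$secret" > "$out"/secret
    '';
  };
}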