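# Shared credential for the dmarc@cnx.email mailbox.
#
# DMARC aggregate/forensic reports are delivered to dmarc@cnx.email on mx1;
# parsedmarc on control fetches them over IMAPS across the mesh and needs the
# *plaintext* passphrase, while mx1's mailserver only needs the sha-512 hash.
# clan vars secrets are per-machine, so this generator is shared (share = true)
# to make the same value available on both hosts. Files are root-owned: SNM reads
# the hash as root, and parsedmarc's ExecStartPre reads the passphrase as root.
#
# NOTE(review): with share = true every file of this generator is deployed to
# every host that imports it, so the plaintext passphrase presumably also lands
# on mx1, which only needs the hash -- confirm, and if clan allows a per-host
# files."passphrase".deploy = false (e.g. keyed on config.networking.hostName),
# use it to keep the plaintext off mx1.
#
# Imported by mx1 (via mail.nix) and control (via monitoring/parsedmarc.nix).
{ pkgs, ... }:
{
  clan.core.vars.generators.mail-dmarc-cred = {
    share = true;
    files."passphrase".secret = true; # read by parsedmarc on control
    files."hash".secret = true; # consumed by the mailserver on mx1
    # coreutils is needed for shuf (see the script); xkcdpass/mkpasswd as before.
    runtimeInputs = [
      pkgs.coreutils
      pkgs.xkcdpass
      pkgs.mkpasswd
    ];
    script = ''
      set -euo pipefail

      # Four lowercase words from xkcdpass's default wordlist joined by '-',
      # followed by a two-digit suffix in 10..99. The suffix previously came
      # from bash's $RANDOM, which is a weak, predictably seeded PRNG and is
      # slightly biased under `% 90`; shuf is seeded from the kernel RNG and
      # picks uniformly from the range. (The words carry nearly all of the
      # entropy; the suffix only adds ~6.5 bits.)
      suffix="$(shuf -i 10-99 -n 1)"
      pass="$(xkcdpass --numwords=4 --delimiter=- --case=lower)-$suffix"

      # printf '%s' writes no trailing newline; keep it that way, since the
      # file is presumably consumed as the literal password on control.
      printf '%s' "$pass" > "$out"/passphrase

      # Salted sha-512 crypt hash for mx1. -s reads the password from stdin so
      # it never appears in a command line / process list.
      printf '%s' "$pass" | mkpasswd -s -m sha-512 > "$out"/hash
    '';
  };
}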