60db8c60b0
Deliver cnx.email DMARC aggregate/forensic reports to a dedicated dmarc@cnx.email mailbox on mx1 and analyze them with parsedmarc on control, storing parsed reports in a local loopback Elasticsearch and visualizing via the auto-provisioned Grafana dashboard. parsedmarc fetches the mailbox over IMAPS across the mesh (mx1.cnx.email pinned to its mesh address so TLS still validates), using a shared mail-dmarc-cred clan var so mx1's mailserver and control see the same password.
27 lines
1.1 KiB
Nix
# Shared credential for the dmarc@cnx.email mailbox.
#
# DMARC aggregate/forensic reports are delivered to dmarc@cnx.email on mx1;
# parsedmarc on control fetches them over IMAPS across the mesh and needs the
# *plaintext* passphrase, while mx1's mailserver only needs the sha-512 hash.
# clan vars secrets are per-machine, so this generator is shared (share = true)
# to make the same value available on both hosts. Files are root-owned: SNM reads
# the hash as root, and parsedmarc's ExecStartPre reads the passphrase as root.
# Imported by mx1 (via mail.nix) and control (via monitoring/parsedmarc.nix).

{ pkgs, ... }:
{
  clan.core.vars.generators.mail-dmarc-cred = {
    share = true;
    files."passphrase".secret = true; # read by parsedmarc on control
    files."hash".secret = true; # consumed by the mailserver on mx1
    runtimeInputs = [
      pkgs.xkcdpass
      pkgs.mkpasswd
    ];
    script = ''
      pass="$(xkcdpass --numwords=4 --delimiter=- --case=lower)-$((RANDOM % 90 + 10))"
      # printf '%s' (not echo): no trailing newline, so mkpasswd -s hashes
      # exactly the bytes parsedmarc will later send as the IMAP password.
      printf '%s' "$pass" > "$out"/passphrase
      printf '%s' "$pass" | mkpasswd -s -m sha-512 > "$out"/hash
    '';
  };
}
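The two files above only work together if `hash` is the sha512-crypt of exactly the bytes in `passphrase`; if they drift (a stray newline from `echo`, a regenerated passphrase without a regenerated hash), the symptom is just an IMAP authentication failure on control. The following is an added worked example, not code from this commit, from clan, SNM or parsedmarc: a pure-`hashlib` implementation of crypt(3)'s `$6$` scheme (Ulrich Drepper's SHA-512 crypt, the same one `mkpasswd -m sha-512` produces) and a check that takes the two file contents as bytes. Function names (`sha512_crypt`, `verify`, `check_generator_output`) and the sample passphrase are my own and hypothetical; the `Hello world!`/`saltstring` pair is the reference vector from the algorithm's specification.

```python
"""Consistency check for the passphrase/hash pair a shared clan var generator writes.

Added example, not part of the commit: a pure-hashlib sha512-crypt ($6$)
implementation plus a check that `hash` is the crypt of exactly the bytes in
`passphrase`. Function names and sample values are hypothetical/constructed.
"""
import hashlib
import hmac
import re

# crypt(3)'s own alphabet; this is NOT standard base64 ordering.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_HASH_RE = re.compile(
    r"^\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{0,16})\$([./0-9A-Za-z]{86})$"
)


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> bytes:
    """Emit n characters of the 24-bit value b2<<16|b1<<8|b0, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return bytes(out)


def sha512_crypt_digest(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Return the 86-character encoded part of sha512-crypt (Drepper's algorithm)."""
    salt = salt[:16]  # crypt truncates the salt to 16 bytes
    plen, slen = len(password), len(salt)

    # Digest B = SHA512(password || salt || password)
    b = hashlib.sha512(password + salt + password).digest()

    # Digest A = SHA512(password || salt || B cut to plen bytes || per-bit mix of plen)
    a = hashlib.sha512(password + salt)
    a.update(b * (plen // 64) + b[: plen % 64])
    i = plen
    while i > 0:
        a.update(b if i & 1 else password)
        i >>= 1
    a = a.digest()

    # Byte sequences P (from the password) and S (from the salt), cut to input length
    dp = hashlib.sha512(password * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = ds * (slen // 64) + ds[: slen % 64]

    # Key stretching: `rounds` iterations mixing the previous digest with P and S
    c = a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # Output bytes are taken in triples (i, i+21, i+42), rotated every triple
    offsets = ((0, 21, 42), (21, 42, 0), (42, 0, 21))
    enc = bytearray()
    for i in range(21):
        o = offsets[i % 3]
        enc += _b64_24bit(c[i + o[0]], c[i + o[1]], c[i + o[2]], 4)
    enc += _b64_24bit(0, 0, c[63], 2)
    return enc.decode("ascii")


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Full crypt string, as mkpasswd -m sha-512 prints it (rounds= only if non-default)."""
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt[:16].decode("ascii") + "$" + sha512_crypt_digest(password, salt, rounds)


def verify(password: bytes, crypt_string: str) -> bool:
    """True iff crypt_string is a $6$ hash of exactly these password bytes."""
    m = _HASH_RE.match(crypt_string)
    if not m:
        return False  # not a sha512-crypt string at all (e.g. $5$, yescrypt, garbage)
    rounds = int(m.group(1)) if m.group(1) else 5000
    expected = sha512_crypt_digest(password, m.group(2).encode("ascii"), rounds)
    return hmac.compare_digest(expected, m.group(3))


def check_generator_output(passphrase_file: bytes, hash_file: bytes) -> bool:
    """Check the two files the generator writes to $out, passed in as raw bytes.

    `passphrase` is written with printf '%s' and has no trailing newline;
    mkpasswd -s hashes exactly the bytes piped to it but prints the hash with
    a trailing newline. So only the hash side is stripped; a newline in the
    passphrase file is a real mismatch and must fail.
    """
    return verify(passphrase_file, hash_file.decode("ascii").rstrip("\n"))


if __name__ == "__main__":
    # Constructed stand-in for $out/passphrase and $out/hash (hypothetical values).
    pw = b"correct-horse-battery-staple-42"
    hash_file = (sha512_crypt(pw, b"abcdefghijklmnop") + "\n").encode()
    print("hash matches passphrase:", check_generator_output(pw, hash_file))
    print("hash matches passphrase+newline:", check_generator_output(pw + b"\n", hash_file))
```

In practice you would read the two decrypted var files as root on either host and feed their bytes to `check_generator_output`; a `False` here means the generator was edited on one side only, or one of the two writers started emitting a newline, and explains the IMAP login failure before anyone looks at dovecot logs.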