Berwn
1cb6f39ea2
mx1 runs Simple NixOS Mailserver (Postfix/Dovecot/Rspamd/OpenDKIM) for cnx.email. The TLS cert is obtained via ACME DNS-01 using a dedicated, scoped TSIG key (acme_mx1) that ns1 authorizes for only _acme-challenge.mx1 and _acme-challenge.mta-sts on the cnx.email zone, so the credential can write nothing else. Mailbox passwords are auto-minted by a clan vars generator (four-word passphrase + number). DANE TLSA (3 1 1) is published for _25._tcp.mx1; --reuse-key keeps the key digest stable across renewals. MTA-STS is enforced via a Caddy vhost serving the policy on :443 from the same cert (mta-sts SAN). Firewall opens 25/587/465/143/993/443; 80 stays closed.
20 lines
849 B
Nix
20 lines
849 B
Nix
# Shared TSIG secret for the dedicated acme_mx1 key.
|
|
#
|
|
# This key lets mx1 — and only mx1 — write _acme-challenge.mx1.cnx.email TXT
|
|
# records on ns1 to obtain its mail TLS cert via ACME DNS-01. ns1 scopes it with
|
|
# acl_acme_mx1 (attached only to the cnx.email zone) so the credential can touch
|
|
# nothing else. ns1 renders this secret into a Knot key file; mx1 into a lego
|
|
# rfc2136 env file; both must carry the same secret, hence one shared generator
|
|
# with a per-host renderer that depends on it. Imported by ns1 and (via mail.nix)
|
|
# mx1.
|
|
{ pkgs, ... }:
|
|
{
|
|
clan.core.vars.generators.dns-acme-mx1-secret = {
|
|
share = true;
|
|
files."secret".secret = true;
|
|
runtimeInputs = [ pkgs.openssl ];
|
|
# 32 random bytes, base64 — a valid hmac-sha256 TSIG secret.
|
|
script = ''openssl rand -base64 32 | tr -d '\n' > "$out"/secret'';
|
|
};
|
|
}
|