From 35b1cfca26cf040bb7b477508710523209250249 Mon Sep 17 00:00:00 2001
From: rnhmjoj <rnhmjoj@inventati.org>
Date: Sun, 5 Mar 2023 21:05:44 +0100
Subject: [PATCH] email: set up for DANE

---
 email.nix | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/email.nix b/email.nix
index 7baf089..ba55c88 100644
--- a/email.nix
+++ b/email.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 
 {
   imports = [
@@ -55,4 +55,42 @@
     smtp_bind_address6 = 2001:470:c8e8:0:230:48ff:fefa:91e1
   '';
 
+  # Keep the key stable across renewals (for DANE)
+  security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];
+
+  # Utilities
+  environment.systemPackages = [
+    # computes the DANE records
+    (pkgs.writers.writeDashBin "mailserver-dane" ''
+      set -e
+      export PATH=${with pkgs; lib.makeBinPath [ coreutils openssl gawk ]}:$PATH
+
+      pubkey_hash() {
+        openssl x509 -noout -pubkey | \
+        openssl pkey -pubin -outform DER | \
+        sha256sum | cut -f1 -d' '
+      }
+
+      fqdn=${config.mailserver.fqdn}
+      cert="/var/lib/acme/$fqdn/cert.pem"
+      self=$(awk '{print $0} /END CERT/{exit}' "$cert" | pubkey_hash)
+      ca=$(awk '{if(keep) print $0} /END CERT/{keep=1}' "$cert" | pubkey_hash)
+
+      # main: DANE-EE(3) SPKI(1) SHA2-256(1)
+      printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$fqdn" "$self"
+      # fallback: DANE-TA(2) SPKI(1) SHA2-256(1)
+      printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$fqdn" "$ca"
+    '')
+
+    # computes the DKIM record
+    (pkgs.writers.writeDashBin "mailserver-dkim" ''
+      set -e
+      export PATH=${with pkgs; lib.makeBinPath [ coreutils gawk ]}:$PATH
+
+      domain=${builtins.elemAt config.mailserver.domains 0}
+      raw=$(cat ${config.mailserver.dkimKeyDirectory}/*.txt | tr -d '\n\t' | awk -F'"' '{print $2$4}')
+      printf 'mail._domainkey.%s IN TXT %s' "$domain" "$raw"
+    '')
+
+  ];
 }