147 lines
3.6 KiB
Nix
147 lines
3.6 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
|
|
cfg = config.services.stalwart-tlsa-cloudflare-update;
|
|
|
|
in
|
|
{
|
|
|
|
options = {
|
|
services.stalwart-tlsa-cloudflare-update = {
|
|
|
|
enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enable stalwart-tlsa-cloudflare-update daemon.
|
|
'';
|
|
};
|
|
|
|
settings = lib.mkOption {
|
|
type = lib.types.submodule {
|
|
freeformType = with lib.types; attrsOf anything;
|
|
};
|
|
default = { };
|
|
description = ''
|
|
Extra options which should be used by the stalwart-tlsa-cloudflare-update script.
|
|
'';
|
|
};
|
|
|
|
secretFile = lib.mkOption {
|
|
type = lib.types.nullOr (lib.types.pathWith {
|
|
inStore = false;
|
|
absolute = true;
|
|
});
|
|
default = null;
|
|
example = "/run/keys/cloudflare-api-key";
|
|
description = ''
|
|
Secret file containing cloudflare api key
|
|
'';
|
|
};
|
|
|
|
interval = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "*:00,30:00";
|
|
description = ''
|
|
How often we run the sync. Default is half an hour.
|
|
|
|
The format is described in
|
|
{manpage}`systemd.time(7)`.
|
|
'';
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
systemd.services.stalwart-tlsa-cloudflare-update = {
|
|
description = "Check and update TLSA/DANE record for mx1 from Stalwart ACME Cert";
|
|
|
|
after = [ "network-online.target" "stalwart-mail.service" "agenix.service" ];
|
|
wants = [ "network-online.target" "stalwart-mail.service" "agenix.service" ];
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
User = "stalwart-mail";
|
|
Group = "stalwart-mail";
|
|
EnvironmentFile = cfg.secretFile;
|
|
RuntimeDirectory = "stalwart-tlsa";
|
|
};
|
|
|
|
environment = lib.mapAttrs (_: v: toString v) cfg.settings;
|
|
|
|
path = with pkgs; [
|
|
bash
|
|
coreutils
|
|
openssl
|
|
dnsutils
|
|
gotlsaflare
|
|
rocksdb.tools
|
|
gawk
|
|
];
|
|
|
|
script = ''
|
|
set -eu
|
|
|
|
TLSA_RECORD="_$PORT._tcp.$SUBDOMAIN.$DOMAIN"
|
|
DB_PATH="/var/lib/stalwart-mail/db"
|
|
TEMP_RAW="/run/stalwart-tlsa/cert.bundle"
|
|
TEMP_CRT="/run/stalwart-tlsa/cert.crt"
|
|
|
|
echo "Starting TLSA update process for $DOMAIN"
|
|
|
|
ldb --db="$DB_PATH" --column_family=s get "acme.$ACME_PROVIDER_ID.cert" | base64 -d > "$TEMP_RAW"
|
|
|
|
if [ ! -s "$TEMP_RAW" ]; then
|
|
echo "ERROR: ACME certificate extraction failed"
|
|
exit 1
|
|
fi
|
|
|
|
openssl x509 -in "$TEMP_RAW" -out "$TEMP_CRT"
|
|
|
|
LOCAL_HASH=$(openssl x509 -in "$TEMP_CRT" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | awk '{print tolower($2)}')
|
|
echo "Local hash: $LOCAL_HASH"
|
|
|
|
UPSTREAM_HASH=$(dig +nosplit +short TLSA "$TLSA_RECORD" | awk '{print tolower($4)}' | head -n1)
|
|
echo "Upstream hash: $UPSTREAM_HASH"
|
|
|
|
if [ "$LOCAL_HASH" = "$UPSTREAM_HASH" ]; then
|
|
echo "Hashes match. DNS is up to date."
|
|
exit 0
|
|
fi
|
|
|
|
echo "Hashes differ! Updating Cloudflare..."
|
|
gotlsaflare update \
|
|
--url "$DOMAIN" \
|
|
--subdomain "$SUBDOMAIN" \
|
|
--tcp"$PORT" \
|
|
--cert "$TEMP_CRT"
|
|
|
|
echo "TLSA update completed successfully."
|
|
'';
|
|
};
|
|
|
|
systemd.timers.stalwart-tlsa-cloudflare-update = {
|
|
description = "Run TLSA check and update";
|
|
wantedBy = [ "timers.target" ];
|
|
timerConfig = {
|
|
OnCalendar = [
|
|
""
|
|
cfg.interval
|
|
];
|
|
};
|
|
};
|
|
|
|
};
|
|
|
|
meta = {
|
|
maintainers = with lib.maintainers; [ onny ];
|
|
};
|
|
|
|
}
|