From 02a6ad71657badbb52eef14bfc324d62e87652e2 Mon Sep 17 00:00:00 2001
From: Alex Denes
Date: Sat, 8 Feb 2025 16:28:49 +0000
Subject: [PATCH] Add DANE automated cert records

---
 redxen.eu/config.mk | 10 ++++-
 redxen.eu/data/dns/dane/Containerfile | 16 ++++++++
 redxen.eu/data/dns/dane/gen-record.sh | 15 +++++++
 redxen.eu/data/dns/dane/recordlist | 42 ++++++++++++++++++++
 redxen.eu/data/dns/zone/Containerfile | 5 +++
 redxen.eu/data/pki/letsencrypt/Containerfile | 5 ++-
 6 files changed, 90 insertions(+), 3 deletions(-)
 create mode 100644 redxen.eu/data/dns/dane/Containerfile
 create mode 100644 redxen.eu/data/dns/dane/gen-record.sh
 create mode 100644 redxen.eu/data/dns/dane/recordlist

diff --git a/redxen.eu/config.mk b/redxen.eu/config.mk
index afb612f..4f1e694 100644
--- a/redxen.eu/config.mk
+++ b/redxen.eu/config.mk
@@ -34,8 +34,14 @@ redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 redxen.eu/data/dns/zone/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 %/redxen.eu \
 %/internal \
- redxen.eu/data/dns/dnssec/${BUILD_ID_OUT} \
- redxen.eu/data/opendkim/${BUILD_ID_OUT}
+ redxen.eu/data/opendkim/${BUILD_ID_OUT} \
+ redxen.eu/data/dns/dane/${BUILD_ID_OUT} \
+ redxen.eu/data/dns/dnssec/${BUILD_ID_OUT}
+
+redxen.eu/data/dns/dane/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+ %/recordlist \
+ %/gen-record.sh \
+ redxen.eu/data/pki/letsencrypt/${BUILD_ID_OUT}
 
 # Certificates
 redxen.eu/data/pki/self/client/dovecot/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
diff --git a/redxen.eu/data/dns/dane/Containerfile b/redxen.eu/data/dns/dane/Containerfile
new file mode 100644
index 0000000..b71daae
--- /dev/null
+++ b/redxen.eu/data/dns/dane/Containerfile
@@ -0,0 +1,16 @@
+FROM alpine AS preparer
+
+RUN --network=host apk add cmd:xxd cmd:openssl
+
+WORKDIR /root
+ADD recordlist recordlist
+ADD gen-record.sh gen-record.sh
+RUN chmod +x ./gen-record.sh
+
+RUN \
+ --mount=type=bind,from=redxen.eu/data/pki/letsencrypt:latest,src=/,dst=/letsencrypt \
+ < ./recordlist ./gen-record.sh /letsencrypt/cert.cer | tee ./records
+
+FROM scratch
+
+COPY --from=preparer /root/records /redxen.eu
diff --git a/redxen.eu/data/dns/dane/gen-record.sh b/redxen.eu/data/dns/dane/gen-record.sh
new file mode 100644
index 0000000..c644c0b
--- /dev/null
+++ b/redxen.eu/data/dns/dane/gen-record.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+CERT="$1"
+grep -v '^#' | \
+grep -v '^\s*$' | \
+while read -r RECORD; do
+ SHA256="$(openssl x509 -in "$1" -pubkey -noout | \
+ openssl pkey -pubin -outform der | \
+ openssl dgst -sha256 -binary | \
+ xxd -p -u -c 32)"
+
+ echo "$RECORD TLSA 3 1 1 $SHA256"
+done
diff --git a/redxen.eu/data/dns/dane/recordlist b/redxen.eu/data/dns/dane/recordlist
new file mode 100644
index 0000000..c5604f4
--- /dev/null
+++ b/redxen.eu/data/dns/dane/recordlist
@@ -0,0 +1,42 @@
+#
+# HAProxy
+#
+
+_443._tcp
+_443._tcp.stats
+_443._tcp.git
+_443._tcp.sd
+_443._tcp.seed
+_443._tcp.packages
+_443._tcp.cal
+_443._tcp.wssproxy
+
+##
+## SMTP (legacy/well-known with StartTLS)
+##
+#_25._tcp.mail
+#_25._tcp.smtp
+#
+##
+## SMTP (TLS only)
+##
+#_465._tcp.mail
+#_465._tcp.smtp
+#
+##
+## SMTP (StartTLS, non-legacy)
+##
+#_587._tcp.mail
+#_587._tcp.smtp
+#
+##
+## IMAP (legacy)
+##
+#_143._tcp.mail
+#_143._tcp.imap
+#
+##
+## IMAP (TLS)
+##
+#_993._tcp.mail
+#_993._tcp.imap
diff --git a/redxen.eu/data/dns/zone/Containerfile b/redxen.eu/data/dns/zone/Containerfile
index ff1f905..68c5b62 100644
--- a/redxen.eu/data/dns/zone/Containerfile
+++ b/redxen.eu/data/dns/zone/Containerfile
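Review bot: The record-generating `RUN` in this hunk ends in `./gen-record.sh /letsencrypt/cert.cer | tee ./records`, so under the default `/bin/sh -c` the step succeeds whenever `tee` does: a gen-record.sh failure (unreadable certificate, missing openssl) leaves an empty or partial `records` file that the `scratch` stage still publishes as `/redxen.eu`, and the zone that later consumes it is signed without any TLSA records. Add `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` before that `RUN`, or drop `tee` in favour of `> ./records`. The stage also starts from untagged `alpine` and installs unpinned packages, so the digest tooling is not reproducible across builds; prefer `FROM alpine:<pinned-tag> AS preparer` and `apk add --no-cache` with pinned `xxd`/`openssl` packages. `ADD` is used for two plain local files followed by a separate `chmod` layer; `COPY --chmod=755 recordlist gen-record.sh ./` does both in one step. Only `cert.cer` is read from the letsencrypt image, so narrowing the bind mount to `src=/cert.cer` would keep whatever else that image root holds (I cannot see its layout from here) out of this stage.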
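Review bot: Failures inside the `SHA256="$(…)"` pipeline are masked: `set -e` only sees the exit status of the last command, `xxd`, so if `openssl x509` cannot read `$1` the loop still emits `$RECORD TLSA 3 1 1 ` with an empty digest, and the Containerfile's `| tee ./records` records that as success. The digest is also recomputed on every loop iteration although it depends only on `$1`, and `CERT` is assigned but never used (the pipeline reads `$1` directly). Compute the SPKI digest once before the loop, check that it is the 64 hex characters a SHA-256 produces, and exit non-zero otherwise so the build fails instead of publishing unusable records. Note for the script header that a `3 1 1` record pins the leaf's public key: if acme.sh renews the certificate with a new key, the new TLSA record has to be published and propagated before that certificate is served, or DANE-validating peers will reject the connection; this script only ever emits the digest of the key currently in `cert.cer`.
```sh
CERT="$1"
# Digest of the leaf's SubjectPublicKeyInfo (TLSA usage 3, selector 1, matching type 1)
SHA256="$(openssl x509 -in "$CERT" -pubkey -noout | \
	openssl pkey -pubin -outform der | \
	openssl dgst -sha256 -binary | \
	xxd -p -u -c 32)"
[ "${#SHA256}" -eq 64 ] || { echo "gen-record.sh: could not derive SPKI digest from $CERT" >&2; exit 1; }

grep -v '^#' | \
grep -v '^\s*$' | \
while read -r RECORD; do
	echo "$RECORD TLSA 3 1 1 $SHA256"
done
```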
@@ -24,6 +24,11 @@ RUN \
 --mount=type=bind,from=redxen.eu/data/opendkim:latest,src=/redxen.eu,dst=/tmp/opendkim/redxen.eu \
 cat /tmp/opendkim/redxen.eu/*.txt | tee -a /tmp/zones/redxen.eu
 
+# Add DANE records to zone
+RUN \
+ --mount=type=bind,from=redxen.eu/data/dns/dane:latest,src=/,dst=/tmp/dane/ \
+ cat /tmp/dane/redxen.eu | tee -a /tmp/zones/redxen.eu
+
 # Sign zone
 RUN \
 --mount=type=bind,from=redxen.eu/data/dns/dnssec:latest,src=/redxen.eu,dst=/tmp/keys/redxen.eu \
diff --git a/redxen.eu/data/pki/letsencrypt/Containerfile b/redxen.eu/data/pki/letsencrypt/Containerfile
index 27738b4..2f82493 100644
--- a/redxen.eu/data/pki/letsencrypt/Containerfile
+++ b/redxen.eu/data/pki/letsencrypt/Containerfile
@@ -21,13 +21,16 @@ RUN --network=host acme.sh \
 --stateless \
 -d 'redxen.eu' \
 -d 'stats.redxen.eu' \
- -d 'social.redxen.eu' \
 -d 'git.redxen.eu' \
 -d 'sd.redxen.eu' \
 -d 'seed.redxen.eu' \
 -d 'packages.redxen.eu' \
 -d 'cal.redxen.eu' \
 -d 'wssproxy.redxen.eu'
+# TODO: Route these via HAProxy to allow easy cert gen
+# -d 'mail.redxen.eu' \
+# -d 'smtp.redxen.eu' \
+# -d 'imap.redxen.eu' \
 
 FROM scratch
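Review bot: The new `cat /tmp/dane/redxen.eu | tee -a /tmp/zones/redxen.eu` step cannot fail the build: if the dane image is stale or the file is missing, `cat` errors but `tee` exits 0, so the zone is still signed and shipped with no TLSA records, and DANE-validating peers silently fall back to non-DANE behaviour. Replace it with `cat /tmp/dane/redxen.eu >> /tmp/zones/redxen.eu`, or enable pipefail via a `SHELL` instruction earlier in the file if the `tee` output is wanted in the build log. The owner names appended here (`_443._tcp.stats` and friends, per the recordlist in this patch) are relative, so they depend on whatever `$ORIGIN` is in effect at the end of `/tmp/zones/redxen.eu`; a comment on this `RUN` such as `# records are relative to the zone origin; keep this append after any $ORIGIN change` would make that contract visible, and I cannot verify it from this hunk. The `RUN` whose context lines open this hunk starts outside it.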