rnsrk/open-productive-stack
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

now with dnsec

Browse source
This commit is contained in:
rnsrk 2026-01-19 13:10:13 +01:00
parent b006c8f809
commit fb22e9cab4
118 changed files with 8306 additions and 2337 deletions
Download patch file Download diff file Expand all files Collapse all files

85
scripts/README-TLSA.md Normal file
View file

@ -0,0 +1,85 @@
# TLSA Record Automation
This directory contains scripts to automatically update TLSA/DANE records when certificates are renewed.
## Setup
### 1. Install Systemd Timer (Recommended)
```bash
sudo cp /var/deploy/scripts/tlsa-timer.service /etc/systemd/system/
sudo cp /var/deploy/scripts/tlsa-timer.timer /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable tlsa-timer.timer
sudo systemctl start tlsa-timer.timer
```
The timer will:
- Run 5 minutes after boot
- Check every hour for certificate changes
- Update TLSA records automatically when certificates change
### 2. Manual Setup (Alternative)
Add to crontab:
```bash
crontab -e
# Add this line:
0 * * * * /var/deploy/scripts/tlsa-monitor.sh >> /var/deploy/scripts/tlsa-cron.log 2>&1
```
### 3. DNS Provider API Configuration (Optional)
To enable automatic DNS updates via your DNS provider's API, set these environment variables:
```bash
export DNS_API_KEY="your-api-key"
export DNS_API_PASSWORD="your-api-password"
export DNS_CUSTOMER_NUMBER="your-customer-number"
```
Or add to `/var/deploy/scripts/update-tlsa.sh`:
```bash
dnsApiKey="your-api-key"
dnsApiPassword="your-api-password"
dnsCustomerNumber="your-customer-number"
```
**Note:** DNS provider API integration is not yet fully implemented. Currently, the script logs the required TLSA values for manual DNS updates. You'll need to implement the API call for your specific DNS provider.
## Manual TLSA Record Update
If automation is not set up, run manually after certificate renewal:
```bash
/var/deploy/scripts/update-tlsa.sh
```
This will output the TLSA records that need to be added/updated in your DNS provider.
## Current TLSA Hash
The current certificate hash is:
```
5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418
```
Add these TLSA records in your DNS provider:
- `_25._tcp.mail.nasarek.dev``3 1 1 5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418`
- `_465._tcp.mail.nasarek.dev``3 1 1 5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418`
- `_587._tcp.mail.nasarek.dev``3 1 1 5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418`
## Verification
Check if TLSA records are published:
```bash
dig +short TLSA _25._tcp.mail.nasarek.dev
dig +short TLSA _465._tcp.mail.nasarek.dev
dig +short TLSA _587._tcp.mail.nasarek.dev
```
## Troubleshooting
- Check logs: `/var/deploy/scripts/tlsa-update.log`
- Test script manually: `/var/deploy/scripts/tlsa-monitor.sh`
- Verify certificate: `openssl x509 -in /var/deploy/mailcow/data/assets/ssl/cert.pem -noout -dates`