open-productive-stack/scripts/README-TLSA.md

# TLSA Record Automation

This directory contains scripts to automatically update TLSA/DANE records when certificates are renewed.

## Setup

### 1. Install Systemd Timer (Recommended)

```bash
sudo cp /var/deploy/scripts/tlsa-timer.service /etc/systemd/system/
sudo cp /var/deploy/scripts/tlsa-timer.timer /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable tlsa-timer.timer
sudo systemctl start tlsa-timer.timer
```

The timer will:
- Run 5 minutes after boot
- Check every hour for certificate changes
- Update TLSA records automatically when certificates change

### 2. Manual Setup (Alternative)

Add to crontab:
```bash
crontab -e
# Add this line:
0 * * * * /var/deploy/scripts/tlsa-monitor.sh >> /var/deploy/scripts/tlsa-cron.log 2>&1
```

### 3. DNS Provider API Configuration (Optional)

To enable automatic DNS updates via your DNS provider's API, set these environment variables:

```bash
export DNS_API_KEY="your-api-key"
export DNS_API_PASSWORD="your-api-password"
export DNS_CUSTOMER_NUMBER="your-customer-number"
```

Or add to `/var/deploy/scripts/update-tlsa.sh`:
```bash
dnsApiKey="your-api-key"
dnsApiPassword="your-api-password"
dnsCustomerNumber="your-customer-number"
```

**Note:** DNS provider API integration is not yet fully implemented. Currently, the script logs the required TLSA values for manual DNS updates. You'll need to implement the API call for your specific DNS provider.

## Manual TLSA Record Update

If automation is not set up, run manually after certificate renewal:

```bash
/var/deploy/scripts/update-tlsa.sh
```

This will output the TLSA records that need to be added/updated in your DNS provider.

## Current TLSA Hash

The current certificate hash is:
```
5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418
```

Add these TLSA records in your DNS provider:
- `_25._tcp.mail.nasarek.dev` → `3 1 1 5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418`
- `_465._tcp.mail.nasarek.dev` → `3 1 1 5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418`
- `_587._tcp.mail.nasarek.dev` → `3 1 1 5206c4482b4378bd3e86d22d7afd8f341eec95aa999aeff7d94454c197223418`

## Verification

Check if TLSA records are published:
```bash
dig +short TLSA _25._tcp.mail.nasarek.dev
dig +short TLSA _465._tcp.mail.nasarek.dev
dig +short TLSA _587._tcp.mail.nasarek.dev
```

## Troubleshooting

- Check logs: `/var/deploy/scripts/tlsa-update.log`
- Test script manually: `/var/deploy/scripts/tlsa-monitor.sh`
- Verify certificate: `openssl x509 -in /var/deploy/mailcow/data/assets/ssl/cert.pem -noout -dates`