support CHATMAIL_SERVER in generate-dns-zone.sh

Revert "generate-dns-zone.sh doesn't need to support CHATMAIL_SERVER env var for now, let's assume A/AAAA point to the chatmail server, too" This reverts commit 51ebd74e700eb65594c7b42dd2179141504cf666.
generate-dns-zone.sh doesn't need to support CHATMAIL_SERVER env var for now, let's assume A/AAAA point to the chatmail server, too
2026-05-10 16:04:37 +00:00 · 2023-11-25 00:59:30 +01:00 · 2023-11-25 00:59:30 +01:00 · 2023-11-25 00:59:07 +01:00 · 2023-11-25 00:58:42 +01:00 · 2023-11-25 00:56:28 +01:00
4 changed files with 43 additions and 14 deletions
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -245,7 +245,7 @@ def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
    return need_restart


-def _configure_nginx(domain: str, debug: bool = False) -> bool:
+def _configure_nginx(domain: str, mail_server: str) -> bool:
    """Configures nginx HTTP server."""
    need_restart = False

@@ -275,7 +275,7 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
        user="root",
        group="root",
        mode="644",
-        config={"domain_name": domain},
+        config={"mail_server": mail_server},
    )
    need_restart |= mta_sts_config.changed

@@ -333,7 +333,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
    postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
    opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
-    nginx_need_restart = _configure_nginx(mail_domain)
+    nginx_need_restart = _configure_nginx(mail_domain, mail_server)
    mta_sts_need_restart = _install_mta_sts_daemon()

    # deploy web pages and info if we have them
--- a/deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
@@ -1,4 +1,4 @@
 version: STSv1
 mode: enforce
-mx: {{ config.domain_name }}
+mx: {{ config.mail_server }}
 max_age: 2419200
--- a/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
@@ -20,8 +20,6 @@ http {

 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
-	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
-	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;

 	gzip on;

@@ -30,6 +28,8 @@ http {
 		listen [::]:80 default_server;
 		listen 443 ssl default_server;
 		listen [::]:443 ssl default_server;
+        ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
+        ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;

 		root /var/www/html;

@@ -37,6 +37,28 @@ http {

 		server_name _;

+		location / {
+			# First attempt to serve request as file, then
+			# as directory, then fall back to displaying a 404.
+			try_files $uri $uri/ =404;
+		}
+	}
+	server {
+		listen 80;
+		listen [::]:80;
+		listen 443 ssl;
+		listen [::]:443 ssl;
+
+		root /var/www/html;
+
+		index index.html index.htm;
+
+		server_name mta-sts.{{ config.domain_name }};
+
+        ssl_certificate /var/lib/acme/live/mta-sts.{{ config.domain_name }}/fullchain;
+    	ssl_certificate_key /var/lib/acme/live/mta-sts.{{ config.domain_name }}/privkey;
+
+
 		location / {
 			# First attempt to serve request as file, then
 			# as directory, then fall back to displaying a 404.
--- a/scripts/generate-dns-zone.sh
+++ b/scripts/generate-dns-zone.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
+: ${CHATMAIL_SERVER:=$CHATMAIL_DOMAIN}
 : ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}

 set -e
@@ -8,16 +9,22 @@ EMAIL="root@$CHATMAIL_DOMAIN"
 ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"

 cat <<EOF
-$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_DOMAIN.
-$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_DOMAIN -all"
+$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_SERVER.
+$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_SERVER -all"
 _dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
-_submission._tcp.$CHATMAIL_DOMAIN.  SRV 0 1 587 $CHATMAIL_DOMAIN.
-_submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
-_imap._tcp.$CHATMAIL_DOMAIN.        SRV 0 1 143 $CHATMAIL_DOMAIN.
-_imaps._tcp.$CHATMAIL_DOMAIN.       SRV 0 1 993 $CHATMAIL_DOMAIN.
+_submission._tcp.$CHATMAIL_SERVER.  SRV 0 1 587 $CHATMAIL_SERVER.
+_submissions._tcp.$CHATMAIL_SERVER. SRV 0 1 465 $CHATMAIL_SERVER.
+_imap._tcp.$CHATMAIL_SERVER.        SRV 0 1 143 $CHATMAIL_SERVER.
+_imaps._tcp.$CHATMAIL_SERVER.       SRV 0 1 993 $CHATMAIL_SERVER.
 $CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL"
 _mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
-mta-sts.$CHATMAIL_DOMAIN. IN CNAME $CHATMAIL_DOMAIN.
-_smtp._tls.$CHATMAIL_DOMAIN. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
+mta-sts.$CHATMAIL_SERVER. IN CNAME $CHATMAIL_SERVER.
+_smtp._tls.$CHATMAIL_SERVER. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
 EOF
+if [ "$CHATMAIL_DOMAIN" != "$CHATMAIL_SERVER" ]; then
+cat <<EOF
+mta-sts.$CHATMAIL_DOMAIN. IN CNAME mta-sts.$CHATMAIL_SERVER.
+_smtp._tls.$CHATMAIL_DOMAIN. IN CNAME _smtp._tls.$CHATMAIL_SERVER.
+EOF
+fi
 $SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
Author	SHA1	Message	Date
missytake	3a32817de8	support CHATMAIL_SERVER in generate-dns-zone.sh Revert "generate-dns-zone.sh doesn't need to support CHATMAIL_SERVER env var for now, let's assume A/AAAA point to the chatmail server, too" This reverts commit 51ebd74e700eb65594c7b42dd2179141504cf666.	2023-11-25 00:59:30 +01:00
missytake	c6dd4f9b21	generate-dns-zone.sh doesn't need to support CHATMAIL_SERVER env var for now, let's assume A/AAAA point to the chatmail server, too	2023-11-25 00:59:30 +01:00
missytake	a420e37612	MTA-STS: the HTTPS route needs to be mta-sts.@ not _mta-sts	2023-11-25 00:59:07 +01:00
missytake	5429f3e379	fix: hetzner doesn't accept whitespace in TXT and CAA records apparently	2023-11-25 00:58:42 +01:00
missytake	d2c98e9afc	DNS: distinguish between mail_server and mail_domain	2023-11-25 00:56:28 +01:00
missytake	658d6923ae	Added MTA-STS records and .well-known file	2023-11-25 00:54:39 +01:00