mailserver: enable arc signing

Works similarly to DKIM and uses the same keys. Went for a 2048 bit RSA
key for compat reasons. Larger ones are probably too large to put them
into DNS.

Author: mweinelt

dns/nixos.org.js

@@ -19,6 +19,7 @@ D("nixos.org",
 	DMARC_BUILDER({
 		policy: "none",
 	}),
+	TXT("arc-2025._domainkey", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwFK4Z4C0D3ea7Avv+oI25PS6WjcOh3A/2URanFtY6+oLpbtFdZi/Z/ou2VPTNcS1QUxw5pSmV4L1fcaVqM+elPHq1GN/38TkpwcZEnSHK5tX0PS5Jae2Q+e68yEZAwNDi5abjXswehuxX/F9R4GXpC/tOEyeHP8xfvRmDUq3mgIgWpfCcvdwQvxp25/umufjqGHdQXuq9/9yfpAL72hUXbOrvQ5hd56U7tv0/llIs5CyaGU76hA4kRXkd+iYUxcITzLjbc3ZRhIDs9b0zv0z2YPYgVgj2GiKL+TdcQ9z5Y5M0H4EGq6/Gn5fUILGRkCaBGvE3s3mY/aYUCvv4v0W9wIDAQAB"),
 
 	// discourse
 	A("discourse", "195.62.126.31"),

non-critical-infra/modules/mailserver/default.nix

@@ -1,5 +1,11 @@
 { config, pkgs, ... }:
 
+let
+  arc = {
+    selector = "arc-2025";
+  };
+in
+
 {
   imports = [
     ./mailing-lists.nix
@@ -41,6 +47,26 @@
     path = "${config.mailserver.dkimKeyDirectory}/nixos.org.mail.key";
   };
 
+  sops.secrets."nixos.org.${arc.selector}.key" = {
+    format = "binary";
+    owner = "rspamd";
+    group = "rpsamd";
+    mode = "0400";
+    # rspamadm dkim_keygen -s arc-2025 -d nixos.org -t rsa --bits 2048
+    sopsFile = ../../secrets/nixos.org-${arc.selector}-private-key.umbriel;
+    path = "/var/lib/rspamd/arc/nixos.org.${arc.selector}.key";
+  };
+
+  services.rspamd = {
+    overrides."arc.conf".text = ''
+      domain {
+        nixos.org {
+          selector = "${arc.selector}";
+        }
+      }
+    '';
+  };
+
   services.postfix.config.bounce_template_file = "${pkgs.writeText "bounce-template.cf" ''
     failure_template = <<EOF
     Charset: us-ascii

non-critical-infra/secrets/nixos.org-arc-2025-private-key.umbriel

@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:yLZZDdjEa4RFc9UnNSYAnYTl4V4xuVm25B4ob2slccZuOiCQVLYMXcemwZYOkb2OBfjcpAa6m7d0IKYyRm395sk4Cwlqdda1VljHN2xmix4ggOCI6nudxRGMA6Az1h8gR64Ls09wWgzHi8Q02LZ6zWQKQXo4E20l6300KZFJWd7ZiidSdxWhz46AGPJV7hzHVcQbAITWMnmUtXJ42VDbRNgmLKNYHV7kvpXj/3W4xWmLzv8XL6XK6aHByzlM5wcrvANo1VLgvP1jhnvndfmYI0w/p1Bbkybl3pnhf0Vr4nkY4JnneHH2HNEO/MBwNcommq+f5M0MCjGzlHKwYAxNV2rwLrrLnkKCr+KKrJ5Iv/A7EjW8crs7R4XWgUFzN+ratcYW5sx/IDwjcs75xfkq/jeyoF3TUsHgruiovOrx+BvpgHTiTSkF7WVZqA4hIeGimCsZ1zveCtKWh0iF3oHZjPQQ44CNFM2Zeh3zvctor5Iem0deG80zRNaoQvsKP1baoe7qcdSD/7IkP0MR/JFIEjbqMfpknshYTttMMXc6CZWkIjwnOi5eRa43rGBv7pjnYrpCIoRxtbUb31XZAajS2uifSofQdZuCO4HDPoYNaxHaMdzfhk7L+CV3Z29cNUt3u8YhweDAJMIxATiPP1+ISTXzSZhvh+d4yaW7BHUV6fSnOlS3F50yWiF1DBJAKs5dKLSEJIQ01R8lrgScebx6GXU2+4gAoYqw0GISwonqL8EcKP3zNCdcnwakEnV91vZ/E4bb1t4i+kUXHSqvgS4yyb+SIAeOu/NtdrNHhxQ/vQafFAsBCMTRUWD5jT5U0gBSWhyP2Ovn4Rpuf93yDtvNB37tWAL5tEZ4HK1Met+65F2c6+Zopv8K+jwegD3Z8EMdoCd/6RUs+nYDDY8xLJvv/8OSXTDsXSJNgtRuunEYyTK13fCIiP3gWBkn70RjScFAp8QKyYekDbKxB+Ohd0qxvh2coZEkJt5z+kyLbwD042L+nK4iO4hywEvY+MNKRsO0jNybgQ7bK9u/PTdzSUZPTOrVl5yGagJ8fRCxJRVR27dQknysIXdRBgnqN7mMCekHehXQJK39YMVNrIoeWPQftD0crbeopCm44DQMp6O3XZgbr5tDDqVNcykierZ62It7WIr0T7blcdPB/8+Zf3osjft/U0DLBBiMkxCEST8lHFZiNwhR/5NNe85EFdSXDxjw9HNxqXAYj7PyEdm+wrmxEFRIOXCky239vugGolU6QtgayuquXe4HUwN4cWPppoUvkSdUuTx0OUWBQNd+oOOKigkqMnmtvNn1VnSBOelme59LmHBVTFwUBnPBXlQuegur2WEEVd9Y9cZSa6OXuimGALYleQRdUoBQcNABkjMc9Q/GGDOrzv+QyQu5UhsdLrdKUsQlj4it050Lq079VxVX3Co/vySTyM9+r35leO6HOKDCmFdfU4D+Rqz3a8IRTVpqOummmQVUhN+dO8aj5bJkeaE+Wes2Nr+u8WvcYaHKTLQjFFgatomb1T+FeXvqq4CtiAD+k0F6GKLZjDUb8JJNDVZx0jnc2YMDatQF35q3JrvYehtOD6wMFGqeizxpXUszSQ8fIeuVykfv8KIBiOxeTOhfEl7oZz7NkUNotRVLyQXT4ZwPy/HhzzWgoXbYH/zIQ831hXxAsCzptrfV/tB77VTYmQ/e7xC2HvUXaR+b+oDgBM6ahWAP/QdPaO+lPqq3PeRYcDtg1HR0t/YrtXO3x3jEUqF+psCdoM9tUUvgc8TvghofdpGpOA+3bN3qs8qC7IjmVDby3OAmOUXn8gyD2kW/G0/kqd4dUPrLQqY7jihIJtlTMsBtdL1dYmkfrtIDHeg5Ygbjta8lVRdH20lfLcTORLpu2H+0r3AFuGUmr0S0dHupsLk3hN9TZn/ZpghKV/50tZ2Iy3Bcri8nNo8Clj4rkKHgT1jIipc5kctXNGVEjeYhgDNmr1e8xBMbEwAkPcAo/DsSmpZrvZFMngLIHXeiORDG5XLOvt9JM6e8h8RkI8AhFv+sKqu1Fk62WyGC2Q4+RkvJz6xLJOSrCrjwpOsorhzk1HptWpad48GbvVDeJ4VvrDUWMXh0ZguTiqmOGPVW1I/nYHOMl7gJ8DP2iNVQmHAae/BPArjcOmz5iP0sK29BdW6fxnIxICx9OO1nlG9XgZzCSYtLAijHpSzxLJ08+WgbR5bi9ovnp8pLxAeryzaBSfQ3DBRdULn8g5B0iP1jCQv+XbCDI6jSx1pi+WadMp/RBRMA,iv:UAcmtZvzQcQMrcnxmT1aTsPWDUlZHirg6siceQpVkhg=,tag:3knhR3raZlCp5WaIYU6r7Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLaGRmVk54YWJXQkFsNWlx\neWJybVlxTVhLckRtWEZSd2JyRTI2Zm1qaG53CmcvQ0N1bWtITW5NWHFnb2J3MjFI\nWWwrVXdGTjYvbmJrQml6NER3TnNxSXcKLS0tIFJlUHhMazZIL0xBZlMvZzNOQStC\nNWJ2SEFIV2UxMXk2R3FPR1lycUV5MjQKxUXOxNZPFiw3MUvrE8HGeGNJoxfBehqz\nQCk2DlNHzSmje06mYqRiBMdckqsEzQDjxNH6i+lNNZHR+vgswyDyEg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbGFxSG5NLzNCdTZNZU5y\nZ2F0aEpleFVGUjNnWUNGNzJSM0FWTUZvMFV3Ck5tNE90dUVBcnRiaW1YdDNjdVlZ\nWEd5R3lDVDhHcGtpYy9sTVVxOFNUbm8KLS0tIDF3MTM2U242R2FBMWtQUzVKSnp4\nWWR3YmhRVEczSnpyV3lWeVNGbDh1cEkKynsmVw4Njmwug6fV3o/2synWpflnw8Pe\nrKrql8zOyjB+ztNV1R2o6+lku0d3H1J1CA24t1vNLQISyT/OsDN93Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RURhMWhnSXBoWStIaFJp\nMkMzZUxBMjFKUlAyMjcvZVA2QVRIcVRvclFRCjIvKzRaeDlKM1p4c3I1a0YrQjJl\nMFcwTXdzY2kvd2cxVE00VFNwbW5ibGsKLS0tIE80eGJNTm4yOWJhK3laN2RqNUU3\nWE5NbFVzQk9USHZLVDdlVDZqdFkvTFEKu7cMgIIFw4y6SOdXmWQ5PYIOGQATOGmp\n54usATZFRFsq3alMNtKet6lyC+b0e/CPpllVI47ha9v0l5S4zLOk0Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-11T00:17:33Z",
+		"mac": "ENC[AES256_GCM,data:+nITRFl0UPfufPhpTWgZDxeRjmYCy0wZJs7sJ2sp3LwNxCHDonkFph5p8e7Z2TKk4wgXvA0shwv48lavAjT5tiKfanvhMsYUaTZ9LCEYuaJcyEGYNbmRkriAt1m5boOJewvxRuxN6hLF7UMbrVKERNUFvXR7JTU9weBFkuT1dU4=,iv:1VhKbnaoGdSsc3+CnoegWcSSaGiYgKHXllk4lLeaN4c=,tag:IdCakFLjglQ803vyiLlojw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}