commit fb5c68862d855149235e056235654f71b6471b57
parent c27914e527b79912ddc86a0f0f1ae5bd6a325519
Author: Kirill Elagin <kirelagin@gmail.com>
Date: Fri, 24 Sep 2021 15:38:44 -0400
parent c27914e527b79912ddc86a0f0f1ae5bd6a325519
Author: Kirill Elagin <kirelagin@gmail.com>
Date: Fri, 24 Sep 2021 15:38:44 -0400
DMARC: Fix the order of `p` The specification could be clearer, but after carefully reading it I realised that not only MUST `v=` be the first tag, it also MUST be followed by `p=`. Tweak the DMARC record generation code to treat `p=` specially by pulling it to the front of the list of tags. It is a required tag anyway, so it is pretty straightforward.
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/dns/types/records/DMARC.nix b/dns/types/records/DMARC.nix
@@ -95,9 +95,11 @@ rec {
 };
 dataToString = data:
 let
- items = ["v=DMARC1"] ++ lib.pipe data [
+ # The specification could be more clear on this, but `v` and `p` MUST
+ # be the first two tags in the record.
+ items = ["v=DMARC1; p=${data.p}"] ++ lib.pipe data [
 (builtins.intersectAttrs options) # remove garbage list `_module`
- (lib.filterAttrs (_k: v: v != null && v != ""))
+ (lib.filterAttrs (k: v: v != null && v != "" && k != "p"))
 (lib.mapAttrsToList (k: v: "${k}=${v}"))
 ];
 result = lib.concatStringsSep "; " items + ";";
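Review bot: On the new `items` line, `p` is interpolated unconditionally and no longer passes through the `v != null && v != ""` filter that every other tag still gets. If the option type permits an empty string, the output would contain `p=`, a malformed policy tag that receivers are likely to treat as an invalid record, which leaves the domain without an enforced DMARC policy. The `p` option is declared outside this hunk, so it is worth confirming that it is restricted to the valid policy values and has no empty default. Separately, the first element packs two tags into one string and repeats the `"; "` separator that `concatStringsSep` already owns; `items = ["v=DMARC1" "p=${data.p}"] ++ lib.pipe data [` yields the same record with the separator defined in one place. The body of `dataToString` continues past the end of the hunk.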
diff --git a/example.nix b/example.nix @@ -36,6 +36,8 @@ let (with spf; strict ["a:mail.example.com" google]) ]; + DMARC = [ (dmarc.postmarkapp "mailto:re+abcdefghijk@dmarc.postmarkapp.com") ]; + CAA = letsEncrypt "admin@example.com"; SRV = [