NixOS configuration for nh2's mail server presentation (https://nh2.me/recent/Running-your-own-mailserver.pdf)

configuration.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:
let
  floatingIPv4 = "95.216.183.106";
  floatingIPv6 = "2a01:4f9:c01f:65::1";
in
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix

      # Commit from https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-20.09
      (let commit = "02a45d9965133434c7b816cab2f47c8a7505e764"; in builtins.fetchTarball {
        # Pick a commit from the branch you are interested in
        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz";
        # And set its hash
        sha256 = "04v66z0ijjm8bqpiqmq1aqrqj6r6jjz591lgijmk4frz7lksnz8k";
      })
    ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only

  # networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  # See https://docs.hetzner.com/cloud/servers/static-configuration/
  networking.interfaces.ens3.ipv4.addresses = [
    {
      address = "135.181.95.42";
      prefixLength = 32;
    }
    # Floating IP
    {
      address = floatingIPv4;
      prefixLength = 32;
    }
  ];
  networking.interfaces.ens3.ipv6.addresses = [
    {
      address = "2a01:4f9:c010:cf13::1";
      prefixLength = 64;
    }
    # Floating IP
    {
      address = floatingIPv6;
      prefixLength = 64;
    }
  ];
  networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
  networking.nameservers = [ "8.8.8.8" ];
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  # };

  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    dnsutils # for `dig`
    htop
    iperf3
    nload
    screen
    vim
    wget
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  #   pinentryFlavor = "gnome3";
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;

  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";

  # Enable touchpad support.
  # services.xserver.libinput.enable = true;

  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.sddm.enable = true;
  # services.xserver.desktopManager.plasma5.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.jane = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  # };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.03"; # Did you read the comment?




  boot.loader.grub.devices = [ "/dev/sda" ];

  # Initial empty root password for easy login:
  users.users.root.initialHashedPassword = "";
  services.openssh.permitRootLogin = "prohibit-password";

  # Replace this by your SSH pubkey
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtwCIGPYJlD2eeUtxngmT+4yR7BMlK0F5kzj+84uHsxxsy+PXFrP/tScCpwmuoiEYNv/9WKnPJJfCA9XlIDr6cla1MLpaW6eg672TRYMmKzH6SLlkg+kyDmPxSIJw+KdKfnPYyva+Y/VocACYJo0voabUeLAVgtSKGz/AFzccjfOR0GmFO911zjAaR+jFb9M7t7dveNVKm9KbuBfu3giMgGg3/mKz1TKY8yk2ZOxpT5CllBb+B5BcEf+7IGNvNxr1Z0zz5cFXQ3LyBIZklnC/OaQCnD78BSiyPTkIXcmBFal2TaFwTDvki6PuCRpJy+dU1fDdgWLql97D0SVnjmmomw=="
  ];



  mailserver = {
    enable = true;
    fqdn = "mailserver2.aws.nh2.me";
    domains = [ "mailserver2.aws.nh2.me" ];

    # A list of all login accounts. To create the password hashes, use
    # mkpasswd -m sha-512 "super secret password"
    loginAccounts = {
        "user1@mailserver2.aws.nh2.me" = {
            # Password: also "user1"
            hashedPassword = "$6$AsfmuljQlBGtB$/YcnEcCHDiGvhetHud9JFaCzX4ViolNDMS65i8Nw4Uz6XVuzfyDK5/vkjBZ2w7wBacQ5Xn55Mql2vx78FNM7T1";

            aliases = [
                "postmaster@mailserver2.aws.nh2.me"
            ];

            # Make this user the catchAll address for domains example.com and
            # example2.com
            catchAll = [
                # "example.com"
                # "example2.com"
            ];
        };
    };

    # Extra virtual aliases. These are email addresses that are forwarded to
    # loginAccounts addresses.
    extraVirtualAliases = {
        # address = forward address;
        "abuse@example.com" = "user1@mailserver2.aws.nh2.me";
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 3;

    # Enable IMAP and POP3
    enableImap = true;
    # enablePop3 = true;
    enableImapSsl = true;
    # enablePop3Ssl = true;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
  };
  services.postfix.config = {
    # Make the mailserver send outgoing email only via the floating addresses
    # so that we have stable IPs that we can publish in our SPF entry.
    "smtp_bind_address" = floatingIPv4;
    "smtp_bind_address6" = floatingIPv6;
  };
  # Make Redis listen to loopback only, see https://github.com/NixOS/nixpkgs/issues/100192.
  # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/100195 is merged.
  services.redis.bind = "127.0.0.1";


  # LetsEncrypt
  security.acme.email = "mail@nh2.me";
  security.acme.acceptTerms = true;
}