Last active
October 14, 2021 11:47
-
-
Save nh2/6814728dc3bea1508323e9bf2213c28d to your computer and use it in GitHub Desktop.
NixOS configuration for nh2's mail server presentation (https://nh2.me/recent/Running-your-own-mailserver.pdf)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Edit this configuration file to define what should be installed on | |
# your system. Help is available in the configuration.nix(5) man page | |
# and in the NixOS manual (accessible by running ‘nixos-help’). | |
{ config, pkgs, ... }: | |
let | |
floatingIPv4 = "95.216.183.106"; | |
floatingIPv6 = "2a01:4f9:c01f:65::1"; | |
in | |
{ | |
imports = | |
[ # Include the results of the hardware scan. | |
./hardware-configuration.nix | |
# Commit from https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-20.09 | |
(let commit = "02a45d9965133434c7b816cab2f47c8a7505e764"; in builtins.fetchTarball { | |
# Pick a commit from the branch you are interested in | |
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz"; | |
# And set its hash | |
sha256 = "04v66z0ijjm8bqpiqmq1aqrqj6r6jjz591lgijmk4frz7lksnz8k"; | |
}) | |
]; | |
# Use the GRUB 2 boot loader. | |
boot.loader.grub.enable = true; | |
boot.loader.grub.version = 2; | |
# boot.loader.grub.efiSupport = true; | |
# boot.loader.grub.efiInstallAsRemovable = true; | |
# boot.loader.efi.efiSysMountPoint = "/boot/efi"; | |
# Define on which hard drive you want to install Grub. | |
# boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only | |
# networking.hostName = "nixos"; # Define your hostname. | |
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. | |
# The global useDHCP flag is deprecated, therefore explicitly set to false here. | |
# Per-interface useDHCP will be mandatory in the future, so this generated config | |
# replicates the default behaviour. | |
networking.useDHCP = false; | |
# See https://docs.hetzner.com/cloud/servers/static-configuration/ | |
networking.interfaces.ens3.ipv4.addresses = [ | |
{ | |
address = "135.181.95.42"; | |
prefixLength = 32; | |
} | |
# Floating IP | |
{ | |
address = floatingIPv4; | |
prefixLength = 32; | |
} | |
]; | |
networking.interfaces.ens3.ipv6.addresses = [ | |
{ | |
address = "2a01:4f9:c010:cf13::1"; | |
prefixLength = 64; | |
} | |
# Floating IP | |
{ | |
address = floatingIPv6; | |
prefixLength = 64; | |
} | |
]; | |
networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; }; | |
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; | |
networking.nameservers = [ "8.8.8.8" ]; | |
# Configure network proxy if necessary | |
# networking.proxy.default = "http://user:password@proxy:port/"; | |
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; | |
# Select internationalisation properties. | |
# i18n.defaultLocale = "en_US.UTF-8"; | |
# console = { | |
# font = "Lat2-Terminus16"; | |
# keyMap = "us"; | |
# }; | |
# Set your time zone. | |
# time.timeZone = "Europe/Amsterdam"; | |
# List packages installed in system profile. To search, run: | |
# $ nix search wget | |
environment.systemPackages = with pkgs; [ | |
dnsutils # for `dig` | |
htop | |
iperf3 | |
nload | |
screen | |
vim | |
wget | |
]; | |
# Some programs need SUID wrappers, can be configured further or are | |
# started in user sessions. | |
# programs.mtr.enable = true; | |
# programs.gnupg.agent = { | |
# enable = true; | |
# enableSSHSupport = true; | |
# pinentryFlavor = "gnome3"; | |
# }; | |
# List services that you want to enable: | |
# Enable the OpenSSH daemon. | |
services.openssh.enable = true; | |
# Open ports in the firewall. | |
# networking.firewall.allowedTCPPorts = [ ... ]; | |
# networking.firewall.allowedUDPPorts = [ ... ]; | |
# Or disable the firewall altogether. | |
# networking.firewall.enable = false; | |
# Enable CUPS to print documents. | |
# services.printing.enable = true; | |
# Enable sound. | |
# sound.enable = true; | |
# hardware.pulseaudio.enable = true; | |
# Enable the X11 windowing system. | |
# services.xserver.enable = true; | |
# services.xserver.layout = "us"; | |
# services.xserver.xkbOptions = "eurosign:e"; | |
# Enable touchpad support. | |
# services.xserver.libinput.enable = true; | |
# Enable the KDE Desktop Environment. | |
# services.xserver.displayManager.sddm.enable = true; | |
# services.xserver.desktopManager.plasma5.enable = true; | |
# Define a user account. Don't forget to set a password with ‘passwd’. | |
# users.users.jane = { | |
# isNormalUser = true; | |
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. | |
# }; | |
# This value determines the NixOS release from which the default | |
# settings for stateful data, like file locations and database versions | |
# on your system were taken. It‘s perfectly fine and recommended to leave | |
# this value at the release version of the first install of this system. | |
# Before changing this value read the documentation for this option | |
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). | |
system.stateVersion = "20.03"; # Did you read the comment? | |
boot.loader.grub.devices = [ "/dev/sda" ]; | |
# Initial empty root password for easy login: | |
users.users.root.initialHashedPassword = ""; | |
services.openssh.permitRootLogin = "prohibit-password"; | |
# Replace this by your SSH pubkey | |
users.users.root.openssh.authorizedKeys.keys = [ | |
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtwCIGPYJlD2eeUtxngmT+4yR7BMlK0F5kzj+84uHsxxsy+PXFrP/tScCpwmuoiEYNv/9WKnPJJfCA9XlIDr6cla1MLpaW6eg672TRYMmKzH6SLlkg+kyDmPxSIJw+KdKfnPYyva+Y/VocACYJo0voabUeLAVgtSKGz/AFzccjfOR0GmFO911zjAaR+jFb9M7t7dveNVKm9KbuBfu3giMgGg3/mKz1TKY8yk2ZOxpT5CllBb+B5BcEf+7IGNvNxr1Z0zz5cFXQ3LyBIZklnC/OaQCnD78BSiyPTkIXcmBFal2TaFwTDvki6PuCRpJy+dU1fDdgWLql97D0SVnjmmomw==" | |
]; | |
mailserver = { | |
enable = true; | |
fqdn = "mailserver2.aws.nh2.me"; | |
domains = [ "mailserver2.aws.nh2.me" ]; | |
# A list of all login accounts. To create the password hashes, use | |
# mkpasswd -m sha-512 "super secret password" | |
loginAccounts = { | |
"user1@mailserver2.aws.nh2.me" = { | |
# Password: also "user1" | |
hashedPassword = "$6$AsfmuljQlBGtB$/YcnEcCHDiGvhetHud9JFaCzX4ViolNDMS65i8Nw4Uz6XVuzfyDK5/vkjBZ2w7wBacQ5Xn55Mql2vx78FNM7T1"; | |
aliases = [ | |
"postmaster@mailserver2.aws.nh2.me" | |
]; | |
# Make this user the catchAll address for domains example.com and | |
# example2.com | |
catchAll = [ | |
# "example.com" | |
# "example2.com" | |
]; | |
}; | |
}; | |
# Extra virtual aliases. These are email addresses that are forwarded to | |
# loginAccounts addresses. | |
extraVirtualAliases = { | |
# address = forward address; | |
"abuse@example.com" = "user1@mailserver2.aws.nh2.me"; | |
}; | |
# Use Let's Encrypt certificates. Note that this needs to set up a stripped | |
# down nginx and opens port 80. | |
certificateScheme = 3; | |
# Enable IMAP and POP3 | |
enableImap = true; | |
# enablePop3 = true; | |
enableImapSsl = true; | |
# enablePop3Ssl = true; | |
# Enable the ManageSieve protocol | |
enableManageSieve = true; | |
# whether to scan inbound emails for viruses (note that this requires at least | |
# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) | |
virusScanning = false; | |
}; | |
services.postfix.config = { | |
# Make the mailserver send outgoing email only via the floating addresses | |
# so that we have stable IPs that we can publish in our SPF entry. | |
"smtp_bind_address" = floatingIPv4; | |
"smtp_bind_address6" = floatingIPv6; | |
}; | |
# Make Redis listen to loopback only, see https://github.com/NixOS/nixpkgs/issues/100192. | |
# TODO: Remove when https://github.com/NixOS/nixpkgs/pull/100195 is merged. | |
services.redis.bind = "127.0.0.1"; | |
# LetsEncrypt | |
security.acme.email = "mail@nh2.me"; | |
security.acme.acceptTerms = true; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment