nh2/configuration.nix

## configuration.nix
# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:
let
  floatingIPv4 = "116.202.188.98";
  floatingIPv6 = "2a01:4f8:1c0c:8227::1";

  # TODO: Once we move the other `nh2.me` services over to this server
  #       (thus also pointing the `nh2.me` A record to this server),
  #       change the reverse DNS of the floating IPs from `mail.nh2.me`
  #       back to `nh2.me`, and re-verify with https://www.mail-tester.com.
in
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix

      # simple-nixos-mailserver
      (let commit = "98dc40046eb28a03da3e88d3a14b35cad911cb12"; in builtins.fetchTarball {
        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz";
        sha256 = "07y565b4jg9z2lx3sh4sl0cxs42dwaw6vhpnml9izh3pm7qagg42";
      })
    ];

  nixpkgs.overlays = [
    (self: super: {
      # TODO Remove when rspamd >= 2.6 is in nixpkgs
      rspamd = super.rspamd.overrideAttrs (old: rec {
        version = "2.6";
        src = super.fetchFromGitHub {
          owner = "rspamd";
          repo = "rspamd";
          rev = version;
          sha256 = "0vwa7k2s2bkfb8w78z5izkd6ywjbzqysb0grls898y549hm8ii70";
        };
      });
    })
  ];

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.03"; # Did you read the comment?

  # Use the GRUB 2 boot loader.
  boot.loader.grub = {
    enable = true;
    version = 2;
    devices = [ "/dev/sda" ];
  };

  networking.hostName = "nh2me"; # Define your hostname.

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  # See https://docs.hetzner.com/cloud/servers/static-configuration/
  networking.interfaces.enp1s0.ipv4.addresses = [
    {
      address = "168.119.163.156";
      prefixLength = 32;
    }
    # Floating IP
    {
      address = floatingIPv4;
      prefixLength = 32;
    }
  ];
  networking.interfaces.enp1s0.ipv6.addresses = [
    {
      address = "2a01:4f8:c2c:d3fc::1";
      prefixLength = 64;
    }
    # Floating IP
    {
      address = floatingIPv6;
      prefixLength = 64;
    }
  ];
  networking.defaultGateway = { address = "172.31.1.1"; interface = "enp1s0"; };
  networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
  networking.nameservers = [ "8.8.8.8" ];

  # Select internationalisation properties.
  console = {
    keyMap = "uk";
  };

  # Set your time zone.
  time.timeZone = "Europe/Berlin";

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    permitRootLogin = "prohibit-password";
    # Disabling all but pubkey auth helps bruteforce log spam.
    passwordAuthentication = false;
    challengeResponseAuthentication = false;
    # Loses ability to log which key fingerprint logged in,
    # but reduces log spam of failed attempts.
    # logLevel = "INFO";
  };

  # Enable BBR congestion control
  boot.kernelModules = [ "tcp_bbr" ];
  boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
  boot.kernel.sysctl."net.core.default_qdisc" = "fq"; # see https://news.ycombinator.com/item?id=14814530

  networking.firewall = {
    # Reject instead of drop.
    rejectPackets = true;
    logRefusedConnections = false; # Helps with auth brueforce log spam.
    # Open ports in the firewall.
    allowedTCPPorts = [
      80 # nginx
      5201 # iperf3
    ];
    allowedUDPPorts = [
      5201 # iperf3
    ];
    # Or disable the firewall altogether.
    # enable = false;
  };

  users.users.root = {
    # Empty root password for easy login from Hetzner Cloud terminal:
    initialHashedPassword = "";
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtwCIGPYJlD2eeUtxngmT+4yR7BMlK0F5kzj+84uHsxxsy+PXFrP/tScCpwmuoiEYNv/9WKnPJJfCA9XlIDr6cla1MLpaW6eg672TRYMmKzH6SLlkg+kyDmPxSIJw+KdKfnPYyva+Y/VocACYJo0voabUeLAVgtSKGz/AFzccjfOR0GmFO911zjAaR+jFb9M7t7dveNVKm9KbuBfu3giMgGg3/mKz1TKY8yk2ZOxpT5CllBb+B5BcEf+7IGNvNxr1Z0zz5cFXQ3LyBIZklnC/OaQCnD78BSiyPTkIXcmBFal2TaFwTDvki6PuCRpJy+dU1fDdgWLql97D0SVnjmmomw=="
    ];
    shell = pkgs.zsh;
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.jane = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  # };

  # zsh
  programs.zsh.enable = true;
  programs.zsh.interactiveShellInit = ''
    source ${pkgs.grml-zsh-config}/etc/zsh/zshrc

    alias d='ls -lah'
    alias g=git
  '';
  programs.zsh.promptInit = ""; # otherwise it'll override the grml prompt

  # LetsEncrypt
  security.acme = {
    email = "mail@nh2.me";
    acceptTerms = true;
  };

  # Enabled just to be able to download Heinline SA rules.
  # services.spamassassin.enable = true;

  # simple-nixos-mailserver
  # Spam trained with archives from https://untroubled.org/spam/.(starting with 2018)
  mailserver = {
    enable = true;
    fqdn = "mail.nh2.me";
    domains = [ "nh2.me" ];

    # A list of all login accounts. To create the password hashes, use
    # mkpasswd -m sha-512 "super secret password"
    loginAccounts = {
      "mail@nh2.me" = {
        hashedPassword = "$6$...";

        aliases = [
          "niklas@nh2.me"
          "postmaster@nh2.me"
        ];

        # Make this user the catchAll address for domains example.com and example2.com
        catchAll = [
          # "example.com"
          # "example2.com"
        ];
      };
      "m@nh2.me" = {
        hashedPassword = "$6$...";
      };
    };

    # Extra virtual aliases. These are email addresses that are forwarded to
    # loginAccounts addresses.
    extraVirtualAliases = {
      # address = forward address;
      "abuse@example.com" = "mail@nh2.me";
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 3;

    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = false;
    enableImapSsl = true;
    enablePop3Ssl = false;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
  };
  services.postfix.config = {
    # Make the mailserver send outgoing email only via the floating addresses
    # so that we have stable IPs that we can publish in our SPF entry.
    "smtp_bind_address" = floatingIPv4;
    "smtp_bind_address6" = floatingIPv6;
  };

  services.dovecot2.extraConfig =
    let
      # Hardcoded in
      # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L35
      stateDir = "/var/lib/dovecot";
    in
      # Make a dovecot sieve rule that learns emails moved to it as Ham.
      # This implements
      #     https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193
      # similar to the rules in
      #     https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L229
      # Multiple dovecot config sections get merged by dovecot, which is why
      # we can just redeclare `plugin` here.
      # A drawback of dovecot's config way enumerating things with `mailboxXXX`
      # (docs: https://wiki.dovecot.org/Pigeonhole/Sieve/Plugins/IMAPSieve)
      # is that this will likely break if `simple-nixos-mailserver` adds a
      # `mailbox3` rule by itself; it would probably define them via nix and then
      # let nix generate the `XXX` sequence numbers, see
      # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193#note_431544049.
      ''
        plugin {
          # From anywhere to Ham folder
          imapsieve_mailbox3_name = Ham
          imapsieve_mailbox3_causes = COPY
          imapsieve_mailbox3_before = file:${stateDir}/imap_sieve/report-ham.sieve
        }
      '';

  # Make Redis listen to loopback only, see https://github.com/NixOS/nixpkgs/issues/100192.
  # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/100195 is merged.
  services.redis.bind = "127.0.0.1";

  services.rspamd.extraConfig = ''
    # check_all_filters = true;
    # logging {
    #   type = "syslog";
    #   level = "debug";
    # }
  '';
  services.rspamd.locals = {
    "neural.conf".text = ''
      # Important to not make this `localhost`, otherwise it will try via
      # IPv6 and fail when redis is not listening to that, see
      # https://blog.christosoft.de/2019/11/rspamd-redis-connection-refused/
      servers = "127.0.0.1:6379";
      enabled = true; # Important after 1.7

      # train {
      #   max_trains = 100; # Number ham/spam samples needed to start train
      #   max_usages = 20; # Number of learn iterations while ANN data is valid
      #   learning_rate = 0.01; # Rate of learning
      #   max_iterations = 25; # Maximum iterations of learning (better preciseness but also lower speed of learning)
      # }

      # watch_interval = 10;

      # ann_expire = 2d; # For how long ANN should be preserved in Redis
    '';
    "neural_group.conf".text = ''
      "NEURAL_SPAM" {
        weight = 3.0;
        description = "Neural network spam";
      }
      "NEURAL_HAM" {
        weight = -3.0;
        description = "Neural network ham";
      }
    '';
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    file
    gdb
    git
    gptfdisk
    htop
    iperf3
    jq
    kakoune
    ncdu
    nload
    python3
    screen
    sshfs
    strace
    vim
    wget
  ];
}
	# Edit this configuration file to define what should be installed on
	# your system. Help is available in the configuration.nix(5) man page
	# and in the NixOS manual (accessible by running ‘nixos-help’).

	{ config, pkgs, ... }:
	let
	floatingIPv4 = "116.202.188.98";
	floatingIPv6 = "2a01:4f8:1c0c:8227::1";

	# TODO: Once we move the other `nh2.me` services over to this server
	# (thus also pointing the `nh2.me` A record to this server),
	# change the reverse DNS of the floating IPs from `mail.nh2.me`
	# back to `nh2.me`, and re-verify with https://www.mail-tester.com.
	in
	{
	imports =
	[ # Include the results of the hardware scan.
	./hardware-configuration.nix

	# simple-nixos-mailserver
	(let commit = "98dc40046eb28a03da3e88d3a14b35cad911cb12"; in builtins.fetchTarball {
	url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz";
	sha256 = "07y565b4jg9z2lx3sh4sl0cxs42dwaw6vhpnml9izh3pm7qagg42";
	})
	];

	nixpkgs.overlays = [
	(self: super: {
	# TODO Remove when rspamd >= 2.6 is in nixpkgs
	rspamd = super.rspamd.overrideAttrs (old: rec {
	version = "2.6";
	src = super.fetchFromGitHub {
	owner = "rspamd";
	repo = "rspamd";
	rev = version;
	sha256 = "0vwa7k2s2bkfb8w78z5izkd6ywjbzqysb0grls898y549hm8ii70";
	};
	});
	})
	];

	# This value determines the NixOS release from which the default
	# settings for stateful data, like file locations and database versions
	# on your system were taken. It‘s perfectly fine and recommended to leave
	# this value at the release version of the first install of this system.
	# Before changing this value read the documentation for this option
	# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
	system.stateVersion = "20.03"; # Did you read the comment?

	# Use the GRUB 2 boot loader.
	boot.loader.grub = {
	enable = true;
	version = 2;
	devices = [ "/dev/sda" ];
	};

	networking.hostName = "nh2me"; # Define your hostname.

	# The global useDHCP flag is deprecated, therefore explicitly set to false here.
	# Per-interface useDHCP will be mandatory in the future, so this generated config
	# replicates the default behaviour.
	networking.useDHCP = false;
	# See https://docs.hetzner.com/cloud/servers/static-configuration/
	networking.interfaces.enp1s0.ipv4.addresses = [
	{
	address = "168.119.163.156";
	prefixLength = 32;
	}
	# Floating IP
	{
	address = floatingIPv4;
	prefixLength = 32;
	}
	];
	networking.interfaces.enp1s0.ipv6.addresses = [
	{
	address = "2a01:4f8:c2c:d3fc::1";
	prefixLength = 64;
	}
	# Floating IP
	{
	address = floatingIPv6;
	prefixLength = 64;
	}
	];
	networking.defaultGateway = { address = "172.31.1.1"; interface = "enp1s0"; };
	networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
	networking.nameservers = [ "8.8.8.8" ];

	# Select internationalisation properties.
	console = {
	keyMap = "uk";
	};

	# Set your time zone.
	time.timeZone = "Europe/Berlin";

	# List services that you want to enable:

	# Enable the OpenSSH daemon.
	services.openssh = {
	enable = true;
	permitRootLogin = "prohibit-password";
	# Disabling all but pubkey auth helps bruteforce log spam.
	passwordAuthentication = false;
	challengeResponseAuthentication = false;
	# Loses ability to log which key fingerprint logged in,
	# but reduces log spam of failed attempts.
	# logLevel = "INFO";
	};

	# Enable BBR congestion control
	boot.kernelModules = [ "tcp_bbr" ];
	boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
	boot.kernel.sysctl."net.core.default_qdisc" = "fq"; # see https://news.ycombinator.com/item?id=14814530

	networking.firewall = {
	# Reject instead of drop.
	rejectPackets = true;
	logRefusedConnections = false; # Helps with auth brueforce log spam.
	# Open ports in the firewall.
	allowedTCPPorts = [
	80 # nginx
	5201 # iperf3
	];
	allowedUDPPorts = [
	5201 # iperf3
	];
	# Or disable the firewall altogether.
	# enable = false;
	};

	users.users.root = {
	# Empty root password for easy login from Hetzner Cloud terminal:
	initialHashedPassword = "";
	openssh.authorizedKeys.keys = [
	"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtwCIGPYJlD2eeUtxngmT+4yR7BMlK0F5kzj+84uHsxxsy+PXFrP/tScCpwmuoiEYNv/9WKnPJJfCA9XlIDr6cla1MLpaW6eg672TRYMmKzH6SLlkg+kyDmPxSIJw+KdKfnPYyva+Y/VocACYJo0voabUeLAVgtSKGz/AFzccjfOR0GmFO911zjAaR+jFb9M7t7dveNVKm9KbuBfu3giMgGg3/mKz1TKY8yk2ZOxpT5CllBb+B5BcEf+7IGNvNxr1Z0zz5cFXQ3LyBIZklnC/OaQCnD78BSiyPTkIXcmBFal2TaFwTDvki6PuCRpJy+dU1fDdgWLql97D0SVnjmmomw=="
	];
	shell = pkgs.zsh;
	};

	# Define a user account. Don't forget to set a password with ‘passwd’.
	# users.users.jane = {
	# isNormalUser = true;
	# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
	# };

	# zsh
	programs.zsh.enable = true;
	programs.zsh.interactiveShellInit = ''
	source ${pkgs.grml-zsh-config}/etc/zsh/zshrc

	alias d='ls -lah'
	alias g=git
	'';
	programs.zsh.promptInit = ""; # otherwise it'll override the grml prompt

	# LetsEncrypt
	security.acme = {
	email = "mail@nh2.me";
	acceptTerms = true;
	};

	# Enabled just to be able to download Heinline SA rules.
	# services.spamassassin.enable = true;

	# simple-nixos-mailserver
	# Spam trained with archives from https://untroubled.org/spam/.(starting with 2018)
	mailserver = {
	enable = true;
	fqdn = "mail.nh2.me";
	domains = [ "nh2.me" ];

	# A list of all login accounts. To create the password hashes, use
	# mkpasswd -m sha-512 "super secret password"
	loginAccounts = {
	"mail@nh2.me" = {
	hashedPassword = "$6$...";

	aliases = [
	"niklas@nh2.me"
	"postmaster@nh2.me"
	];

	# Make this user the catchAll address for domains example.com and example2.com
	catchAll = [
	# "example.com"
	# "example2.com"
	];
	};
	"m@nh2.me" = {
	hashedPassword = "$6$...";
	};
	};

	# Extra virtual aliases. These are email addresses that are forwarded to
	# loginAccounts addresses.
	extraVirtualAliases = {
	# address = forward address;
	"abuse@example.com" = "mail@nh2.me";
	};

	# Use Let's Encrypt certificates. Note that this needs to set up a stripped
	# down nginx and opens port 80.
	certificateScheme = 3;

	# Enable IMAP and POP3
	enableImap = true;
	enablePop3 = false;
	enableImapSsl = true;
	enablePop3Ssl = false;

	# Enable the ManageSieve protocol
	enableManageSieve = true;

	# whether to scan inbound emails for viruses (note that this requires at least
	# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
	virusScanning = false;
	};
	services.postfix.config = {
	# Make the mailserver send outgoing email only via the floating addresses
	# so that we have stable IPs that we can publish in our SPF entry.
	"smtp_bind_address" = floatingIPv4;
	"smtp_bind_address6" = floatingIPv6;
	};

	services.dovecot2.extraConfig =
	let
	# Hardcoded in
	# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L35
	stateDir = "/var/lib/dovecot";
	in
	# Make a dovecot sieve rule that learns emails moved to it as Ham.
	# This implements
	# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193
	# similar to the rules in
	# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L229
	# Multiple dovecot config sections get merged by dovecot, which is why
	# we can just redeclare `plugin` here.
	# A drawback of dovecot's config way enumerating things with `mailboxXXX`
	# (docs: https://wiki.dovecot.org/Pigeonhole/Sieve/Plugins/IMAPSieve)
	# is that this will likely break if `simple-nixos-mailserver` adds a
	# `mailbox3` rule by itself; it would probably define them via nix and then
	# let nix generate the `XXX` sequence numbers, see
	# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193#note_431544049.
	''
	plugin {
	# From anywhere to Ham folder
	imapsieve_mailbox3_name = Ham
	imapsieve_mailbox3_causes = COPY
	imapsieve_mailbox3_before = file:${stateDir}/imap_sieve/report-ham.sieve
	}
	'';

	# Make Redis listen to loopback only, see https://github.com/NixOS/nixpkgs/issues/100192.
	# TODO: Remove when https://github.com/NixOS/nixpkgs/pull/100195 is merged.
	services.redis.bind = "127.0.0.1";

	services.rspamd.extraConfig = ''
	# check_all_filters = true;
	# logging {
	# type = "syslog";
	# level = "debug";
	# }
	'';
	services.rspamd.locals = {
	"neural.conf".text = ''
	# Important to not make this `localhost`, otherwise it will try via
	# IPv6 and fail when redis is not listening to that, see
	# https://blog.christosoft.de/2019/11/rspamd-redis-connection-refused/
	servers = "127.0.0.1:6379";
	enabled = true; # Important after 1.7

	# train {
	# max_trains = 100; # Number ham/spam samples needed to start train
	# max_usages = 20; # Number of learn iterations while ANN data is valid
	# learning_rate = 0.01; # Rate of learning
	# max_iterations = 25; # Maximum iterations of learning (better preciseness but also lower speed of learning)
	# }

	# watch_interval = 10;

	# ann_expire = 2d; # For how long ANN should be preserved in Redis
	'';
	"neural_group.conf".text = ''
	"NEURAL_SPAM" {
	weight = 3.0;
	description = "Neural network spam";
	}
	"NEURAL_HAM" {
	weight = -3.0;
	description = "Neural network ham";
	}
	'';
	};

	# List packages installed in system profile. To search, run:
	# $ nix search wget
	environment.systemPackages = with pkgs; [
	file
	gdb
	git
	gptfdisk
	htop
	iperf3
	jq
	kakoune
	ncdu
	nload
	python3
	screen
	sshfs
	strace
	vim
	wget
	];
	}