Last active
October 14, 2021 11:47
-
-
Save nh2/6814728dc3bea1508323e9bf2213c28d to your computer and use it in GitHub Desktop.
NixOS configuration for nh2's mail server presentation (https://nh2.me/recent/Running-your-own-mailserver.pdf)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Edit this configuration file to define what should be installed on | |
# your system. Help is available in the configuration.nix(5) man page | |
# and in the NixOS manual (accessible by running ‘nixos-help’). | |
{ config, pkgs, ... }: | |
let | |
floatingIPv4 = "116.202.188.98"; | |
floatingIPv6 = "2a01:4f8:1c0c:8227::1"; | |
# TODO: Once we move the other `nh2.me` services over to this server | |
# (thus also pointing the `nh2.me` A record to this server), | |
# change the reverse DNS of the floating IPs from `mail.nh2.me` | |
# back to `nh2.me`, and re-verify with https://www.mail-tester.com. | |
in | |
{ | |
imports = | |
[ # Include the results of the hardware scan. | |
./hardware-configuration.nix | |
# simple-nixos-mailserver | |
(let commit = "98dc40046eb28a03da3e88d3a14b35cad911cb12"; in builtins.fetchTarball { | |
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz"; | |
sha256 = "07y565b4jg9z2lx3sh4sl0cxs42dwaw6vhpnml9izh3pm7qagg42"; | |
}) | |
]; | |
nixpkgs.overlays = [ | |
(self: super: { | |
# TODO Remove when rspamd >= 2.6 is in nixpkgs | |
rspamd = super.rspamd.overrideAttrs (old: rec { | |
version = "2.6"; | |
src = super.fetchFromGitHub { | |
owner = "rspamd"; | |
repo = "rspamd"; | |
rev = version; | |
sha256 = "0vwa7k2s2bkfb8w78z5izkd6ywjbzqysb0grls898y549hm8ii70"; | |
}; | |
}); | |
}) | |
]; | |
# This value determines the NixOS release from which the default | |
# settings for stateful data, like file locations and database versions | |
# on your system were taken. It‘s perfectly fine and recommended to leave | |
# this value at the release version of the first install of this system. | |
# Before changing this value read the documentation for this option | |
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). | |
system.stateVersion = "20.03"; # Did you read the comment? | |
# Use the GRUB 2 boot loader. | |
boot.loader.grub = { | |
enable = true; | |
version = 2; | |
devices = [ "/dev/sda" ]; | |
}; | |
networking.hostName = "nh2me"; # Define your hostname. | |
# The global useDHCP flag is deprecated, therefore explicitly set to false here. | |
# Per-interface useDHCP will be mandatory in the future, so this generated config | |
# replicates the default behaviour. | |
networking.useDHCP = false; | |
# See https://docs.hetzner.com/cloud/servers/static-configuration/ | |
networking.interfaces.enp1s0.ipv4.addresses = [ | |
{ | |
address = "168.119.163.156"; | |
prefixLength = 32; | |
} | |
# Floating IP | |
{ | |
address = floatingIPv4; | |
prefixLength = 32; | |
} | |
]; | |
networking.interfaces.enp1s0.ipv6.addresses = [ | |
{ | |
address = "2a01:4f8:c2c:d3fc::1"; | |
prefixLength = 64; | |
} | |
# Floating IP | |
{ | |
address = floatingIPv6; | |
prefixLength = 64; | |
} | |
]; | |
networking.defaultGateway = { address = "172.31.1.1"; interface = "enp1s0"; }; | |
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; }; | |
networking.nameservers = [ "8.8.8.8" ]; | |
# Select internationalisation properties. | |
console = { | |
keyMap = "uk"; | |
}; | |
# Set your time zone. | |
time.timeZone = "Europe/Berlin"; | |
# List services that you want to enable: | |
# Enable the OpenSSH daemon. | |
services.openssh = { | |
enable = true; | |
permitRootLogin = "prohibit-password"; | |
# Disabling all but pubkey auth helps bruteforce log spam. | |
passwordAuthentication = false; | |
challengeResponseAuthentication = false; | |
# Loses ability to log which key fingerprint logged in, | |
# but reduces log spam of failed attempts. | |
# logLevel = "INFO"; | |
}; | |
# Enable BBR congestion control | |
boot.kernelModules = [ "tcp_bbr" ]; | |
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; | |
boot.kernel.sysctl."net.core.default_qdisc" = "fq"; # see https://news.ycombinator.com/item?id=14814530 | |
networking.firewall = { | |
# Reject instead of drop. | |
rejectPackets = true; | |
logRefusedConnections = false; # Helps with auth brueforce log spam. | |
# Open ports in the firewall. | |
allowedTCPPorts = [ | |
80 # nginx | |
5201 # iperf3 | |
]; | |
allowedUDPPorts = [ | |
5201 # iperf3 | |
]; | |
# Or disable the firewall altogether. | |
# enable = false; | |
}; | |
users.users.root = { | |
# Empty root password for easy login from Hetzner Cloud terminal: | |
initialHashedPassword = ""; | |
openssh.authorizedKeys.keys = [ | |
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtwCIGPYJlD2eeUtxngmT+4yR7BMlK0F5kzj+84uHsxxsy+PXFrP/tScCpwmuoiEYNv/9WKnPJJfCA9XlIDr6cla1MLpaW6eg672TRYMmKzH6SLlkg+kyDmPxSIJw+KdKfnPYyva+Y/VocACYJo0voabUeLAVgtSKGz/AFzccjfOR0GmFO911zjAaR+jFb9M7t7dveNVKm9KbuBfu3giMgGg3/mKz1TKY8yk2ZOxpT5CllBb+B5BcEf+7IGNvNxr1Z0zz5cFXQ3LyBIZklnC/OaQCnD78BSiyPTkIXcmBFal2TaFwTDvki6PuCRpJy+dU1fDdgWLql97D0SVnjmmomw==" | |
]; | |
shell = pkgs.zsh; | |
}; | |
# Define a user account. Don't forget to set a password with ‘passwd’. | |
# users.users.jane = { | |
# isNormalUser = true; | |
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. | |
# }; | |
# zsh | |
programs.zsh.enable = true; | |
programs.zsh.interactiveShellInit = '' | |
source ${pkgs.grml-zsh-config}/etc/zsh/zshrc | |
alias d='ls -lah' | |
alias g=git | |
''; | |
programs.zsh.promptInit = ""; # otherwise it'll override the grml prompt | |
# LetsEncrypt | |
security.acme = { | |
email = "mail@nh2.me"; | |
acceptTerms = true; | |
}; | |
# Enabled just to be able to download Heinline SA rules. | |
# services.spamassassin.enable = true; | |
# simple-nixos-mailserver | |
# Spam trained with archives from https://untroubled.org/spam/.(starting with 2018) | |
mailserver = { | |
enable = true; | |
fqdn = "mail.nh2.me"; | |
domains = [ "nh2.me" ]; | |
# A list of all login accounts. To create the password hashes, use | |
# mkpasswd -m sha-512 "super secret password" | |
loginAccounts = { | |
"mail@nh2.me" = { | |
hashedPassword = "$6$..."; | |
aliases = [ | |
"niklas@nh2.me" | |
"postmaster@nh2.me" | |
]; | |
# Make this user the catchAll address for domains example.com and example2.com | |
catchAll = [ | |
# "example.com" | |
# "example2.com" | |
]; | |
}; | |
"m@nh2.me" = { | |
hashedPassword = "$6$..."; | |
}; | |
}; | |
# Extra virtual aliases. These are email addresses that are forwarded to | |
# loginAccounts addresses. | |
extraVirtualAliases = { | |
# address = forward address; | |
"abuse@example.com" = "mail@nh2.me"; | |
}; | |
# Use Let's Encrypt certificates. Note that this needs to set up a stripped | |
# down nginx and opens port 80. | |
certificateScheme = 3; | |
# Enable IMAP and POP3 | |
enableImap = true; | |
enablePop3 = false; | |
enableImapSsl = true; | |
enablePop3Ssl = false; | |
# Enable the ManageSieve protocol | |
enableManageSieve = true; | |
# whether to scan inbound emails for viruses (note that this requires at least | |
# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) | |
virusScanning = false; | |
}; | |
services.postfix.config = { | |
# Make the mailserver send outgoing email only via the floating addresses | |
# so that we have stable IPs that we can publish in our SPF entry. | |
"smtp_bind_address" = floatingIPv4; | |
"smtp_bind_address6" = floatingIPv6; | |
}; | |
services.dovecot2.extraConfig = | |
let | |
# Hardcoded in | |
# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L35 | |
stateDir = "/var/lib/dovecot"; | |
in | |
# Make a dovecot sieve rule that learns emails moved to it as Ham. | |
# This implements | |
# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193 | |
# similar to the rules in | |
# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L229 | |
# Multiple dovecot config sections get merged by dovecot, which is why | |
# we can just redeclare `plugin` here. | |
# A drawback of dovecot's config way enumerating things with `mailboxXXX` | |
# (docs: https://wiki.dovecot.org/Pigeonhole/Sieve/Plugins/IMAPSieve) | |
# is that this will likely break if `simple-nixos-mailserver` adds a | |
# `mailbox3` rule by itself; it would probably define them via nix and then | |
# let nix generate the `XXX` sequence numbers, see | |
# https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193#note_431544049. | |
'' | |
plugin { | |
# From anywhere to Ham folder | |
imapsieve_mailbox3_name = Ham | |
imapsieve_mailbox3_causes = COPY | |
imapsieve_mailbox3_before = file:${stateDir}/imap_sieve/report-ham.sieve | |
} | |
''; | |
# Make Redis listen to loopback only, see https://github.com/NixOS/nixpkgs/issues/100192. | |
# TODO: Remove when https://github.com/NixOS/nixpkgs/pull/100195 is merged. | |
services.redis.bind = "127.0.0.1"; | |
services.rspamd.extraConfig = '' | |
# check_all_filters = true; | |
# logging { | |
# type = "syslog"; | |
# level = "debug"; | |
# } | |
''; | |
services.rspamd.locals = { | |
"neural.conf".text = '' | |
# Important to not make this `localhost`, otherwise it will try via | |
# IPv6 and fail when redis is not listening to that, see | |
# https://blog.christosoft.de/2019/11/rspamd-redis-connection-refused/ | |
servers = "127.0.0.1:6379"; | |
enabled = true; # Important after 1.7 | |
# train { | |
# max_trains = 100; # Number ham/spam samples needed to start train | |
# max_usages = 20; # Number of learn iterations while ANN data is valid | |
# learning_rate = 0.01; # Rate of learning | |
# max_iterations = 25; # Maximum iterations of learning (better preciseness but also lower speed of learning) | |
# } | |
# watch_interval = 10; | |
# ann_expire = 2d; # For how long ANN should be preserved in Redis | |
''; | |
"neural_group.conf".text = '' | |
"NEURAL_SPAM" { | |
weight = 3.0; | |
description = "Neural network spam"; | |
} | |
"NEURAL_HAM" { | |
weight = -3.0; | |
description = "Neural network ham"; | |
} | |
''; | |
}; | |
# List packages installed in system profile. To search, run: | |
# $ nix search wget | |
environment.systemPackages = with pkgs; [ | |
file | |
gdb | |
git | |
gptfdisk | |
htop | |
iperf3 | |
jq | |
kakoune | |
ncdu | |
nload | |
python3 | |
screen | |
sshfs | |
strace | |
vim | |
wget | |
]; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment