fastcgi.conf

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

nginx.conf

user nginx nginx;
error_log stderr;
daemon off;



events {
  
}


http {
  include /nix/store/vq7b87c3ds9kfvcdd71xa50kcazzpzvf-nginx-1.14.1/conf/mime.types;
  include /nix/store/vq7b87c3ds9kfvcdd71xa50kcazzpzvf-nginx-1.14.1/conf/fastcgi.conf;
  include /nix/store/vq7b87c3ds9kfvcdd71xa50kcazzpzvf-nginx-1.14.1/conf/uwsgi_params;

  
  

  

  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;
  

  

  

  

  # $connection_upgrade is used for websocket proxying
  map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
  }
  client_max_body_size 10m;

  server_tokens off;

  

  

server {
  listen 0.0.0.0:80 ;
listen [::]:80 ;
  server_name mailtest ;
  
  root /nix/store/hn719gylar3n8bh6x1660l0x6n1z2n46-postfixadmin-3.2/public;
  
  
  

  

  

  access_log /tmp/nginx/log/$host combined;
charset utf-8;

index index.php;

# block these file types
#location ~* \.(tpl|md|tgz|log|out|tar|gz|db)$ {
  #deny all;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# or a unix socket
location ~* \.php$ {
  # Zero-day exploit defense.
  # http://forum.nginx.org/read.php?2,88845,page=3
  # Won't work properly (404 error) if the file is not stored on this
  # server, which is entirely possible with php-fpm/php-fcgi.
  # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
  # another machine.  And then cross your fingers that you won't get hacked.
  try_files $uri =404;
  # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  # With php5-cgi alone:
  fastcgi_pass 127.0.0.1:9000;
  fastcgi_index index.php;
  fastcgi_param   QUERY_STRING            $query_string;
  fastcgi_param   REQUEST_METHOD          $request_method;
  fastcgi_param   CONTENT_TYPE            $content_type;
  fastcgi_param   CONTENT_LENGTH          $content_length;

  fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;
  fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
  fastcgi_param   PATH_INFO               $fastcgi_path_info;
  fastcgi_param   PATH_TRANSLATED         $document_root$fastcgi_path_info;
  fastcgi_param   REQUEST_URI             $request_uri;
  fastcgi_param   DOCUMENT_URI            $document_uri;
  fastcgi_param   DOCUMENT_ROOT           $document_root;
  fastcgi_param   SERVER_PROTOCOL         $server_protocol;

  fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
  fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;

  fastcgi_param   REMOTE_ADDR             $remote_addr;
  fastcgi_param   REMOTE_PORT             $remote_port;
  fastcgi_param   SERVER_ADDR             $server_addr;
  fastcgi_param   SERVER_PORT             $server_port;
  fastcgi_param   SERVER_NAME             $server_name;

  fastcgi_param   HTTPS                   $https;
  fastcgi_param   HTTP_PROXY              "";
}

}


  

  
}

postfixadmin.nix

{ config, lib, pkgs, ... }:

let
  postfixadminpkg = (pkgs.callPackage ./pkg-postfixadmin.nix {
    config = (pkgs.writeText "postfixadmin-config.local.php" ''
      <?php
      $CONF['configured'] = true;
      $CONF['setup_password'] = 'changeme';
      $CONF['database_type'] = 'sqlite';
      $CONF['database_name'] = '${dataDir}/postfixadmin.db'
      ?>
    '');
    cacheDir = "${cacheDir}";
  } );
  phppoolName = "postfixadmin_pool";
  cacheDir = "/var/cache/postfixadmin";
  dataDir = "/var/lib/postfixadmin";
  pfauser = "pfauser";
  pfagroup = "pfagroup";
in
{
  # Setup the user and group
  users.groups."${pfagroup}" = { };
  users.users."${pfauser}" = {
    isSystemUser = true;
    group = "${pfagroup}";
    description = "PHP User for postfixadmin";
  };

  # Setup nginx
  networking.firewall.allowedTCPPorts = [ 80 ];
  services.nginx.enable = true;
  services.nginx.virtualHosts."mailtest" = {
    forceSSL = false;
    enableACME = false;
    root = "${postfixadminpkg}/public";
    extraConfig = ''
      access_log /tmp/nginx/log/$host combined;
      charset utf-8;

      index index.php;
      # block these file types
      #location ~* \.(tpl|md|tgz|log|out|tar|gz|db)$ {
        #deny all;
      #}

      # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
      # or a unix socket
      location ~* \.php$ {
        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        # Won't work properly (404 error) if the file is not stored on this
        # server, which is entirely possible with php-fpm/php-fcgi.
        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
        # another machine.  And then cross your fingers that you won't get hacked.
        try_files $uri =404;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param   QUERY_STRING            $query_string;
        fastcgi_param   REQUEST_METHOD          $request_method;
        fastcgi_param   CONTENT_TYPE            $content_type;
        fastcgi_param   CONTENT_LENGTH          $content_length;

        fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
        fastcgi_param   PATH_INFO               $fastcgi_path_info;
        fastcgi_param   PATH_TRANSLATED         $document_root$fastcgi_path_info;
        fastcgi_param   REQUEST_URI             $request_uri;
        fastcgi_param   DOCUMENT_URI            $document_uri;
        fastcgi_param   DOCUMENT_ROOT           $document_root;
        fastcgi_param   SERVER_PROTOCOL         $server_protocol;

        fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
        fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;

        fastcgi_param   REMOTE_ADDR             $remote_addr;
        fastcgi_param   REMOTE_PORT             $remote_port;
        fastcgi_param   SERVER_ADDR             $server_addr;
        fastcgi_param   SERVER_PORT             $server_port;
        fastcgi_param   SERVER_NAME             $server_name;

        fastcgi_param   HTTPS                   $https;
        fastcgi_param   HTTP_PROXY              "";
      }
    '';
  };
    systemd.services."postfixadmin-setup" = {
    serviceConfig.Type = "oneshot";
    wantedBy = [ "multi-user.target" ];
    script = ''
      # Setup the data directory with the database and the cache directory
      mkdir -p ${dataDir}
      chmod -c 751 ${dataDir}
      chown -c ${pfauser}:${pfagroup} ${dataDir}

      mkdir -p ${cacheDir}/templates_c
      chown -Rc ${pfauser}:${pfagroup} ${cacheDir}/templates_c
      chmod -Rc 751 ${cacheDir}/templates_c
    '';
  };
  services.phpfpm.pools."${phppoolName}" = {
    listen = "127.0.0.1:9000";
    extraConfig = ''
      user = ${pfauser}
      pm = dynamic
      pm.max_children = 75
      pm.min_spare_servers = 5
      pm.max_spare_servers = 20
      pm.max_requests = 10
      catch_workers_output = 1
      php_admin_value[upload_max_filesize] = 42M
      php_admin_value[post_max_size] = 42M
      php_admin_value[memory_limit] = 128M
      php_admin_value[cgi.fix_pathinfo] = 0
    '';
  };
}

Trying to access http://mailtest/index.php yields in
Jan 12 15:32:53 mailtest php-fpm[30644]: [WARNING] [pool postfixadmin_pool] child 30656 said into stderr: "NOTICE: Access to the script '/nix/store/hn719gylar3n8bh6x1660l0x6n1z2n46-postfixadmin-3.2/public' has been denied (see security.limit_extensions)"
Indicating that somewhere the "index.php" seems to have been lost and only the directory survives.

nginx shows this in its log:
Jan 12 15:32:53 mailtest nginx[7074]: 2019/01/12 15:32:53 [error] 7082#7082: *1 FastCGI sent in stderr: "Access to the script '/nix/store/hn719gylar3n8bh6x1660l0x6n1z2n46-postfixadmin-3.2/public' has been denied (see security.limit_extensions)" while reading response header from upstream, client: 192.168.X.X, server: mailtest, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "mailtest"