Last active
October 14, 2021 11:47
-
-
Save nh2/6814728dc3bea1508323e9bf2213c28d to your computer and use it in GitHub Desktop.
Revisions
-
nh2 revised this gist
Dec 27, 2020 . No changes.There are no files selected for viewing
-
Dec 27, 2020 . No changes.There are no files selected for viewing
-
Oct 21, 2020 . 1 changed file with 120 additions and 213 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,66 +4,43 @@ { config, pkgs, ... }: let floatingIPv4 = "95.216.183.106"; floatingIPv6 = "2a01:4f9:c01f:65::1"; in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix # Commit from https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/tree/nixos-20.09 (let commit = "02a45d9965133434c7b816cab2f47c8a7505e764"; in builtins.fetchTarball { # Pick a commit from the branch you are interested in url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz"; # And set its hash sha256 = "04v66z0ijjm8bqpiqmq1aqrqj6r6jjz591lgijmk4frz7lksnz8k"; }) ]; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; boot.loader.grub.version = 2; # boot.loader.grub.efiSupport = true; # boot.loader.grub.efiInstallAsRemovable = true; # boot.loader.efi.efiSysMountPoint = "/boot/efi"; # Define on which hard drive you want to install Grub. # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only # networking.hostName = "nixos"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; # See https://docs.hetzner.com/cloud/servers/static-configuration/ networking.interfaces.ens3.ipv4.addresses = [ { address = "135.181.95.42"; prefixLength = 32; } # Floating IP @@ -72,9 +49,9 @@ in prefixLength = 32; } ]; networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:cf13::1"; prefixLength = 64; } # Floating IP @@ -83,121 +60,134 @@ in prefixLength = 64; } ]; networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; }; networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; networking.nameservers = [ "8.8.8.8" ]; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. # i18n.defaultLocale = "en_US.UTF-8"; # console = { # font = "Lat2-Terminus16"; # keyMap = "us"; # }; # Set your time zone. # time.timeZone = "Europe/Amsterdam"; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ dnsutils # for `dig` htop iperf3 nload screen vim wget ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; # programs.gnupg.agent = { # enable = true; # enableSSHSupport = true; # pinentryFlavor = "gnome3"; # }; # List services that you want to enable: # Enable the OpenSSH daemon. services.openssh.enable = true; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; # Enable CUPS to print documents. # services.printing.enable = true; # Enable sound. # sound.enable = true; # hardware.pulseaudio.enable = true; # Enable the X11 windowing system. # services.xserver.enable = true; # services.xserver.layout = "us"; # services.xserver.xkbOptions = "eurosign:e"; # Enable touchpad support. # services.xserver.libinput.enable = true; # Enable the KDE Desktop Environment. # services.xserver.displayManager.sddm.enable = true; # services.xserver.desktopManager.plasma5.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. # users.users.jane = { # isNormalUser = true; # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. # }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "20.03"; # Did you read the comment? boot.loader.grub.devices = [ "/dev/sda" ]; # Initial empty root password for easy login: users.users.root.initialHashedPassword = ""; services.openssh.permitRootLogin = "prohibit-password"; # Replace this by your SSH pubkey users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtwCIGPYJlD2eeUtxngmT+4yR7BMlK0F5kzj+84uHsxxsy+PXFrP/tScCpwmuoiEYNv/9WKnPJJfCA9XlIDr6cla1MLpaW6eg672TRYMmKzH6SLlkg+kyDmPxSIJw+KdKfnPYyva+Y/VocACYJo0voabUeLAVgtSKGz/AFzccjfOR0GmFO911zjAaR+jFb9M7t7dveNVKm9KbuBfu3giMgGg3/mKz1TKY8yk2ZOxpT5CllBb+B5BcEf+7IGNvNxr1Z0zz5cFXQ3LyBIZklnC/OaQCnD78BSiyPTkIXcmBFal2TaFwTDvki6PuCRpJy+dU1fDdgWLql97D0SVnjmmomw==" ]; mailserver = { enable = true; fqdn = "mailserver2.aws.nh2.me"; domains = [ "mailserver2.aws.nh2.me" ]; # A list of all login accounts. To create the password hashes, use # mkpasswd -m sha-512 "super secret password" loginAccounts = { "[email protected]" = { # Password: also "user1" hashedPassword = "$6$AsfmuljQlBGtB$/YcnEcCHDiGvhetHud9JFaCzX4ViolNDMS65i8Nw4Uz6XVuzfyDK5/vkjBZ2w7wBacQ5Xn55Mql2vx78FNM7T1"; aliases = [ "[email protected]" ]; # Make this user the catchAll address for domains example.com and # example2.com catchAll = [ # "example.com" # "example2.com" ]; }; }; # Extra virtual aliases. These are email addresses that are forwarded to # loginAccounts addresses. extraVirtualAliases = { # address = forward address; "[email protected]" = "[email protected].nh2.me"; }; # Use Let's Encrypt certificates. Note that this needs to set up a stripped @@ -206,9 +196,9 @@ in # Enable IMAP and POP3 enableImap = true; # enablePop3 = true; enableImapSsl = true; # enablePop3Ssl = true; # Enable the ManageSieve protocol enableManageSieve = true; @@ -223,95 +213,12 @@ in "smtp_bind_address" = floatingIPv4; "smtp_bind_address6" = floatingIPv6; }; # Make Redis listen to loopback only, see https://github.com/NixOS/nixpkgs/issues/100192. # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/100195 is merged. services.redis.bind = "127.0.0.1"; # LetsEncrypt security.acme.email = "[email protected]"; security.acme.acceptTerms = true; } -
Oct 20, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,317 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: let floatingIPv4 = "116.202.188.98"; floatingIPv6 = "2a01:4f8:1c0c:8227::1"; # TODO: Once we move the other `nh2.me` services over to this server # (thus also pointing the `nh2.me` A record to this server), # change the reverse DNS of the floating IPs from `mail.nh2.me` # back to `nh2.me`, and re-verify with https://www.mail-tester.com. in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix # simple-nixos-mailserver (let commit = "98dc40046eb28a03da3e88d3a14b35cad911cb12"; in builtins.fetchTarball { url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${commit}/nixos-mailserver-${commit}.tar.gz"; sha256 = "07y565b4jg9z2lx3sh4sl0cxs42dwaw6vhpnml9izh3pm7qagg42"; }) ]; nixpkgs.overlays = [ (self: super: { # TODO Remove when rspamd >= 2.6 is in nixpkgs rspamd = super.rspamd.overrideAttrs (old: rec { version = "2.6"; src = super.fetchFromGitHub { owner = "rspamd"; repo = "rspamd"; rev = version; sha256 = "0vwa7k2s2bkfb8w78z5izkd6ywjbzqysb0grls898y549hm8ii70"; }; }); }) ]; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "20.03"; # Did you read the comment? # Use the GRUB 2 boot loader. boot.loader.grub = { enable = true; version = 2; devices = [ "/dev/sda" ]; }; networking.hostName = "nh2me"; # Define your hostname. # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; # See https://docs.hetzner.com/cloud/servers/static-configuration/ networking.interfaces.enp1s0.ipv4.addresses = [ { address = "168.119.163.156"; prefixLength = 32; } # Floating IP { address = floatingIPv4; prefixLength = 32; } ]; networking.interfaces.enp1s0.ipv6.addresses = [ { address = "2a01:4f8:c2c:d3fc::1"; prefixLength = 64; } # Floating IP { address = floatingIPv6; prefixLength = 64; } ]; networking.defaultGateway = { address = "172.31.1.1"; interface = "enp1s0"; }; networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; }; networking.nameservers = [ "8.8.8.8" ]; # Select internationalisation properties. console = { keyMap = "uk"; }; # Set your time zone. time.timeZone = "Europe/Berlin"; # List services that you want to enable: # Enable the OpenSSH daemon. services.openssh = { enable = true; permitRootLogin = "prohibit-password"; # Disabling all but pubkey auth helps bruteforce log spam. passwordAuthentication = false; challengeResponseAuthentication = false; # Loses ability to log which key fingerprint logged in, # but reduces log spam of failed attempts. # logLevel = "INFO"; }; # Enable BBR congestion control boot.kernelModules = [ "tcp_bbr" ]; boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr"; boot.kernel.sysctl."net.core.default_qdisc" = "fq"; # see https://news.ycombinator.com/item?id=14814530 networking.firewall = { # Reject instead of drop. rejectPackets = true; logRefusedConnections = false; # Helps with auth brueforce log spam. # Open ports in the firewall. allowedTCPPorts = [ 80 # nginx 5201 # iperf3 ]; allowedUDPPorts = [ 5201 # iperf3 ]; # Or disable the firewall altogether. # enable = false; }; users.users.root = { # Empty root password for easy login from Hetzner Cloud terminal: initialHashedPassword = ""; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtwCIGPYJlD2eeUtxngmT+4yR7BMlK0F5kzj+84uHsxxsy+PXFrP/tScCpwmuoiEYNv/9WKnPJJfCA9XlIDr6cla1MLpaW6eg672TRYMmKzH6SLlkg+kyDmPxSIJw+KdKfnPYyva+Y/VocACYJo0voabUeLAVgtSKGz/AFzccjfOR0GmFO911zjAaR+jFb9M7t7dveNVKm9KbuBfu3giMgGg3/mKz1TKY8yk2ZOxpT5CllBb+B5BcEf+7IGNvNxr1Z0zz5cFXQ3LyBIZklnC/OaQCnD78BSiyPTkIXcmBFal2TaFwTDvki6PuCRpJy+dU1fDdgWLql97D0SVnjmmomw==" ]; shell = pkgs.zsh; }; # Define a user account. Don't forget to set a password with ‘passwd’. # users.users.jane = { # isNormalUser = true; # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. # }; # zsh programs.zsh.enable = true; programs.zsh.interactiveShellInit = '' source ${pkgs.grml-zsh-config}/etc/zsh/zshrc alias d='ls -lah' alias g=git ''; programs.zsh.promptInit = ""; # otherwise it'll override the grml prompt # LetsEncrypt security.acme = { email = "[email protected]"; acceptTerms = true; }; # Enabled just to be able to download Heinline SA rules. # services.spamassassin.enable = true; # simple-nixos-mailserver # Spam trained with archives from https://untroubled.org/spam/.(starting with 2018) mailserver = { enable = true; fqdn = "mail.nh2.me"; domains = [ "nh2.me" ]; # A list of all login accounts. To create the password hashes, use # mkpasswd -m sha-512 "super secret password" loginAccounts = { "[email protected]" = { hashedPassword = "$6$..."; aliases = [ "[email protected]" "[email protected]" ]; # Make this user the catchAll address for domains example.com and example2.com catchAll = [ # "example.com" # "example2.com" ]; }; "[email protected]" = { hashedPassword = "$6$..."; }; }; # Extra virtual aliases. These are email addresses that are forwarded to # loginAccounts addresses. extraVirtualAliases = { # address = forward address; "[email protected]" = "[email protected]"; }; # Use Let's Encrypt certificates. Note that this needs to set up a stripped # down nginx and opens port 80. certificateScheme = 3; # Enable IMAP and POP3 enableImap = true; enablePop3 = false; enableImapSsl = true; enablePop3Ssl = false; # Enable the ManageSieve protocol enableManageSieve = true; # whether to scan inbound emails for viruses (note that this requires at least # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) virusScanning = false; }; services.postfix.config = { # Make the mailserver send outgoing email only via the floating addresses # so that we have stable IPs that we can publish in our SPF entry. "smtp_bind_address" = floatingIPv4; "smtp_bind_address6" = floatingIPv6; }; services.dovecot2.extraConfig = let # Hardcoded in # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L35 stateDir = "/var/lib/dovecot"; in # Make a dovecot sieve rule that learns emails moved to it as Ham. # This implements # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193 # similar to the rules in # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/02a45d9965133434c7b816cab2f47c8a7505e764/mail-server/dovecot.nix#L229 # Multiple dovecot config sections get merged by dovecot, which is why # we can just redeclare `plugin` here. # A drawback of dovecot's config way enumerating things with `mailboxXXX` # (docs: https://wiki.dovecot.org/Pigeonhole/Sieve/Plugins/IMAPSieve) # is that this will likely break if `simple-nixos-mailserver` adds a # `mailbox3` rule by itself; it would probably define them via nix and then # let nix generate the `XXX` sequence numbers, see # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/193#note_431544049. '' plugin { # From anywhere to Ham folder imapsieve_mailbox3_name = Ham imapsieve_mailbox3_causes = COPY imapsieve_mailbox3_before = file:${stateDir}/imap_sieve/report-ham.sieve } ''; # Make Redis listen to loopback only, see https://github.com/NixOS/nixpkgs/issues/100192. # TODO: Remove when https://github.com/NixOS/nixpkgs/pull/100195 is merged. services.redis.bind = "127.0.0.1"; services.rspamd.extraConfig = '' # check_all_filters = true; # logging { # type = "syslog"; # level = "debug"; # } ''; services.rspamd.locals = { "neural.conf".text = '' # Important to not make this `localhost`, otherwise it will try via # IPv6 and fail when redis is not listening to that, see # https://blog.christosoft.de/2019/11/rspamd-redis-connection-refused/ servers = "127.0.0.1:6379"; enabled = true; # Important after 1.7 # train { # max_trains = 100; # Number ham/spam samples needed to start train # max_usages = 20; # Number of learn iterations while ANN data is valid # learning_rate = 0.01; # Rate of learning # max_iterations = 25; # Maximum iterations of learning (better preciseness but also lower speed of learning) # } # watch_interval = 10; # ann_expire = 2d; # For how long ANN should be preserved in Redis ''; "neural_group.conf".text = '' "NEURAL_SPAM" { weight = 3.0; description = "Neural network spam"; } "NEURAL_HAM" { weight = -3.0; description = "Neural network ham"; } ''; }; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ file gdb git gptfdisk htop iperf3 jq kakoune ncdu nload python3 screen sshfs strace vim wget ]; }