commit ecfcf9416cf4e07aa783a6ba9acbc9ec62faa9b6
Author: Ivan Dimitrov
Date: Tue Sep 19 15:22:42 2023 +0300
initial commit
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..6f4b908
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,32 @@
+{
+ inputs = {
+ nixpkgs.url = "nixpkgs";
+ simple-nixos-mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ "idimitrov-dev" = {
+ url = "git+ssh://git@gitlab.com:ivandimitrov8080/idimitrov.dev.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ { self
+ , nixpkgs
+ , simple-nixos-mailserver
+ , idimitrov-dev
+ , ...
+ }: {
+ nixosConfigurations = {
+ mailserver = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ simple-nixos-mailserver.nixosModule
+ idimitrov-dev
+ ./mailserver
+ ];
+ };
+ };
+ };
+}
diff --git a/mailserver/configuration.nix b/mailserver/configuration.nix
new file mode 100644
index 0000000..8d2a6d2
--- /dev/null
+++ b/mailserver/configuration.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ./vpsadminos.nix
+ ];
+
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+ #users.extraUsers.root.openssh.authorizedKeys.keys =
+ # [ "..." ];
+
+ systemd.extraConfig = ''
+ DefaultTimeoutStartSec=900s
+ '';
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.stateVersion = "23.05";
+}
diff --git a/mailserver/default.nix b/mailserver/default.nix
new file mode 100644
index 0000000..260c76d
--- /dev/null
+++ b/mailserver/default.nix
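Review bot: The `modules` list in flake.nix passes the `idimitrov-dev` flake input itself as a NixOS module; a flake input is the flake's outputs attrset (carrying `outPath`, `inputs` and similar attributes), which the module system treats as unknown options, so this will fail to evaluate unless that flake deliberately shapes its outputs as a module — it should probably reference an exported module such as `idimitrov-dev.nixosModules.<name>` (whatever that flake actually exports). Separately, no flake.lock is part of this commit and `nixpkgs.url = "nixpkgs"` resolves through the flake registry, so the mail server's nixpkgs and both git inputs are unpinned until a lock file is committed; commit `flake.lock` alongside `flake.nix` so builds are reproducible and input changes become visible in review.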
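Review bot: `services.openssh.settings.PermitRootLogin = "yes"` in mailserver/configuration.nix allows root SSH logins while the root authorized-key block directly below is commented out, so root can only get in with a password, and NixOS leaves password authentication enabled by default. Since mailserver/default.nix already gives `ivand` an SSH key and `wheel` membership, root login over SSH is not needed; prefer `services.openssh.settings.PermitRootLogin = "prohibit-password";` together with `services.openssh.settings.PasswordAuthentication = false;` so the only accepted credentials are the committed keys. If root SSH access is intentionally kept for this container, put the key in the commented-out `authorizedKeys` option instead of leaving password login open.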
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+
+ imports = [ ./configuration.nix ./web.nix ];
+
+ nix = {
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.idimitrov.dev";
+ domains = [ "idimitrov.dev" "mail.idimitrov.dev" ];
+
+ loginAccounts = {
+ "ivan@idimitrov.dev" = {
+ hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
+ aliases = [ "admin@idimitrov.dev" ];
+ };
+ "security@idimitrov.dev" = {
+ hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
+ };
+ };
+
+ certificateScheme = "acme-nginx";
+ hierarchySeparator = "/";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@idimitrov.dev";
+
+ users = {
+ users.ivand = {
+ isNormalUser = true;
+ hashedPassword =
+ "$2b$05$hPrPcewxj4qjLCRQpKBAu.FKvKZdIVlnyn4uYsWE8lc21Jhvc9jWG";
+ extraGroups = [ "wheel" "adm" "mlocate" ];
+ openssh.authorizedKeys.keys = [
+ ''
+ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyW157tNiQdeoQsoo5AEzhyi6BvPeqEvChCxCHf3hikmFDqb6bvvlKYb9grW+fqE0HzALRwpXvPKnuUwHKPVG8HZ7NC9bT5RPMO0rFviNoxWF2PNDWG0ivPmLrQGKtCPM3aUIhSdUdlJ7ImYl34KBkUIrSmL7WlLJUvh1PtyyuVfrhpFzFxHwYwVCNO33L89lfl5PY/G9qrjlH64urt/6aWqMdHD8bZ4MHBPcnSwLMd7f0nNa0aTAJMabsfmndZhV24y7T1FUWG0dl27Q4rnpnZJWBDD1IyWIX/aN+DD6eVVWa4tRVJs6ycfw48hft0zs9zLn9mU4a2hxQ6VvfwpqZHOO8XqqOSai9Yw9Ba60iVQokQQiL91KidoSF7zD0U0szdEmylANyAntUcJ1kdu496s21IU2hjYfN/3seH5a9hBk8iPHp/eTeVUXFKh27rRWn0gc+rba1LF0BWfTjRYR7e1uvPEau0I61sNsp3lnMULdkgkZ9rap1sRM6ULlaRXM= ivand@nixos
+ ''
+ ];
+ };
+ extraGroups = { mlocate = { }; };
+ };
+
+ environment = {
+ systemPackages = with pkgs; [ coreutils-full fd git vim mlocate busybox ];
+ };
+}
diff --git a/mailserver/vpsadminos.nix b/mailserver/vpsadminos.nix
new file mode 100644
index 0000000..070017e
--- /dev/null
+++ b/mailserver/vpsadminos.nix
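Review bot: Both mail accounts, `"ivan@idimitrov.dev"` and `"security@idimitrov.dev"`, carry the identical bcrypt hash in `loginAccounts`, so they share one password and a leak of either credential exposes the other, including the `security@` mailbox that is also the ACME contact address; give each account its own password hash. All three hashes also use cost factor `05` (the `$2b$05$` prefix), which is at the low end for bcrypt, so regenerating them with a higher work factor (10–12 is common today) is cheap hardening against offline cracking should this file leak. If the repository is not meant to stay private, the `hashedPasswordFile` form that simple-nixos-mailserver offers for `loginAccounts` keeps the hashes out of git entirely.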
@@ -0,0 +1,67 @@
+# This file provides compatibility for NixOS to run in a container on vpsAdminOS
+# hosts.
+#
+# If you're experiencing issues, try updating this file to the latest version
+# from vpsAdminOS repository:
+#
+# https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
+
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ nameservers = [
+ "1.1.1.1"
+ "2606:4700:4700::1111"
+ ];
+in {
+ networking.nameservers = mkDefault nameservers;
+ services.resolved = mkDefault { fallbackDns = nameservers; };
+ networking.dhcpcd.extraConfig = "noipv4ll";
+
+ systemd.services.systemd-sysctl.enable = false;
+ systemd.services.systemd-oomd.enable = false;
+ systemd.sockets."systemd-journald-audit".enable = false;
+ systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
+ systemd.services.rpc-gssd.enable = false;
+
+ # Due to our restrictions in /sys, the default systemd-udev-trigger fails
+ # on accessing PCI devices, etc. Override it to match only network devices.
+ # In addition, boot.isContainer prevents systemd-udev-trigger.service from
+ # being enabled at all, so add it explicitly.
+ systemd.additionalUpstreamSystemUnits = [
+ "systemd-udev-trigger.service"
+ ];
+ systemd.services.systemd-udev-trigger.serviceConfig.ExecStart = [
+ ""
+ "-udevadm trigger --subsystem-match=net --action=add"
+ ];
+
+ boot.isContainer = true;
+ boot.enableContainers = mkDefault true;
+ boot.loader.initScript.enable = true;
+ boot.specialFileSystems."/run/keys".fsType = mkForce "tmpfs";
+ boot.systemdExecutable = mkDefault "/run/current-system/systemd/lib/systemd/systemd systemd.unified_cgroup_hierarchy=0";
+
+ # Overrides for
+ documentation.enable = mkOverride 500 true;
+ documentation.nixos.enable = mkOverride 500 true;
+ networking.useHostResolvConf = mkOverride 500 false;
+ services.openssh.startWhenNeeded = mkOverride 500 false;
+
+ # Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
+ systemd.services.networking-setup = {
+ description = "Load network configuration provided by the vpsAdminOS host";
+ before = [ "network.target" ];
+ wantedBy = [ "network.target" ];
+ after = [ "network-pre.target" ];
+ path = [ pkgs.iproute2 ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
+ ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
+ };
+ unitConfig.ConditionPathExists = "/ifcfg.add";
+ restartIfChanged = false;
+ };
+}
diff --git a/mailserver/web.nix b/mailserver/web.nix
new file mode 100644
index 0000000..d087713
--- /dev/null
+++ b/mailserver/web.nix
@@ -0,0 +1,65 @@
+{ config, pkgs, ... }: {
+ services = {
+ nginx = {
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ virtualHosts =
+ let
+ base = locations: {
+ inherit locations;
+
+ forceSSL = true;
+ enableACME = true;
+ };
+ proxy = port: base {
+ "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/";
+ };
+ in
+ {
+ "idimitrov.dev" = proxy 3000 // { default = true; };
+ };
+ };
+ };
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+
+ systemd.services = {
+ "idimitrov.dev" = {
+ description = "My personal website";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${idimitrov-dev}/bin/idimitrov.dev";
+ Restart = "always";
+ };
+ };
+ };
+
+}
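Review bot: `ExecStart = "${idimitrov-dev}/bin/idimitrov.dev"` interpolates `idimitrov-dev`, which is not bound in this file's argument set `{ config, pkgs, ... }`, so evaluating web.nix fails with an undefined variable unless the module supplied by that input injects it via `_module.args`; pass it explicitly with `specialArgs = { inherit idimitrov-dev; };` on the `nixosSystem` call in flake.nix and `{ config, pkgs, idimitrov-dev, ... }:` here, and interpolate the actual package it exports (for example `${idimitrov-dev.packages.x86_64-linux.default}`, adjusted to whatever that flake defines) rather than the flake attrset. The `"idimitrov.dev"` service also sets no `User` or `DynamicUser`, so the website process runs as root while being exposed through the nginx proxy on port 3000; `serviceConfig.DynamicUser = true;` (with `ProtectSystem`/`PrivateTmp` as the application allows) would confine it. The global `proxy_cookie_path ... SameSite=strict` in `appendHttpConfig` is flagged by its own comment as possibly error-prone and is worth confirming against the proxied application's login flow before relying on it.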