initial commit

flake.nix

@@ -0,0 +1,32 @@
+{
+  inputs = {
+    nixpkgs.url = "nixpkgs";
+    simple-nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    "idimitrov-dev" = {
+      url = "git+ssh://git@gitlab.com:ivandimitrov8080/idimitrov.dev.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    { self
+    , nixpkgs
+    , simple-nixos-mailserver
+    , idimitrov-dev
+    , ...
+    }: {
+      nixosConfigurations = {
+        mailserver = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            simple-nixos-mailserver.nixosModule
+            idimitrov-dev
+            ./mailserver
+          ];
+        };
+      };
+    };
+}

mailserver/configuration.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    ./vpsadminos.nix
+  ];
+
+  services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "yes";
+  #users.extraUsers.root.openssh.authorizedKeys.keys =
+  #  [ "..." ];
+
+  systemd.extraConfig = ''
+    DefaultTimeoutStartSec=900s
+  '';
+
+  time.timeZone = "Europe/Amsterdam";
+
+  system.stateVersion = "23.05";
+}

mailserver/default.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+{
+
+  imports = [ ./configuration.nix ./web.nix ];
+
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.idimitrov.dev";
+    domains = [ "idimitrov.dev" "mail.idimitrov.dev" ];
+
+    loginAccounts = {
+      "ivan@idimitrov.dev" = {
+        hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
+        aliases = [ "admin@idimitrov.dev" ];
+      };
+      "security@idimitrov.dev" = {
+        hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
+      };
+    };
+
+    certificateScheme = "acme-nginx";
+    hierarchySeparator = "/";
+  };
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "security@idimitrov.dev";
+
+  users = {
+    users.ivand = {
+      isNormalUser = true;
+      hashedPassword =
+        "$2b$05$hPrPcewxj4qjLCRQpKBAu.FKvKZdIVlnyn4uYsWE8lc21Jhvc9jWG";
+      extraGroups = [ "wheel" "adm" "mlocate" ];
+      openssh.authorizedKeys.keys = [
+        ''
+          ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyW157tNiQdeoQsoo5AEzhyi6BvPeqEvChCxCHf3hikmFDqb6bvvlKYb9grW+fqE0HzALRwpXvPKnuUwHKPVG8HZ7NC9bT5RPMO0rFviNoxWF2PNDWG0ivPmLrQGKtCPM3aUIhSdUdlJ7ImYl34KBkUIrSmL7WlLJUvh1PtyyuVfrhpFzFxHwYwVCNO33L89lfl5PY/G9qrjlH64urt/6aWqMdHD8bZ4MHBPcnSwLMd7f0nNa0aTAJMabsfmndZhV24y7T1FUWG0dl27Q4rnpnZJWBDD1IyWIX/aN+DD6eVVWa4tRVJs6ycfw48hft0zs9zLn9mU4a2hxQ6VvfwpqZHOO8XqqOSai9Yw9Ba60iVQokQQiL91KidoSF7zD0U0szdEmylANyAntUcJ1kdu496s21IU2hjYfN/3seH5a9hBk8iPHp/eTeVUXFKh27rRWn0gc+rba1LF0BWfTjRYR7e1uvPEau0I61sNsp3lnMULdkgkZ9rap1sRM6ULlaRXM= ivand@nixos
+        ''
+      ];
+    };
+    extraGroups = { mlocate = { }; };
+  };
+
+  environment = {
+    systemPackages = with pkgs; [ coreutils-full fd git vim mlocate busybox ];
+  };
+}

mailserver/vpsadminos.nix

@@ -0,0 +1,67 @@
+# This file provides compatibility for NixOS to run in a container on vpsAdminOS
+# hosts.
+#
+# If you're experiencing issues, try updating this file to the latest version
+# from vpsAdminOS repository:
+#
+#   https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
+
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  nameservers = [
+    "1.1.1.1"
+    "2606:4700:4700::1111"
+  ];
+in {
+  networking.nameservers = mkDefault nameservers;
+  services.resolved = mkDefault { fallbackDns = nameservers; };
+  networking.dhcpcd.extraConfig = "noipv4ll";
+
+  systemd.services.systemd-sysctl.enable = false;
+  systemd.services.systemd-oomd.enable = false;
+  systemd.sockets."systemd-journald-audit".enable = false;
+  systemd.mounts = [ {where = "/sys/kernel/debug"; enable = false;} ];
+  systemd.services.rpc-gssd.enable = false;
+
+  # Due to our restrictions in /sys, the default systemd-udev-trigger fails
+  # on accessing PCI devices, etc. Override it to match only network devices.
+  # In addition, boot.isContainer prevents systemd-udev-trigger.service from
+  # being enabled at all, so add it explicitly.
+  systemd.additionalUpstreamSystemUnits = [
+    "systemd-udev-trigger.service"
+  ];
+  systemd.services.systemd-udev-trigger.serviceConfig.ExecStart = [
+    ""
+    "-udevadm trigger --subsystem-match=net --action=add"
+  ];
+
+  boot.isContainer = true;
+  boot.enableContainers = mkDefault true;
+  boot.loader.initScript.enable = true;
+  boot.specialFileSystems."/run/keys".fsType = mkForce "tmpfs";
+  boot.systemdExecutable = mkDefault "/run/current-system/systemd/lib/systemd/systemd systemd.unified_cgroup_hierarchy=0";
+
+  # Overrides for <nixpkgs/nixos/modules/virtualisation/container-config.nix>
+  documentation.enable = mkOverride 500 true;
+  documentation.nixos.enable = mkOverride 500 true;
+  networking.useHostResolvConf = mkOverride 500 false;
+  services.openssh.startWhenNeeded = mkOverride 500 false;
+
+  # Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
+  systemd.services.networking-setup = {
+    description = "Load network configuration provided by the vpsAdminOS host";
+    before = [ "network.target" ];
+    wantedBy = [ "network.target" ];
+    after = [ "network-pre.target" ];
+    path = [ pkgs.iproute2 ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
+      ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
+    };
+    unitConfig.ConditionPathExists = "/ifcfg.add";
+    restartIfChanged = false;
+  };
+}

mailserver/web.nix

@@ -0,0 +1,65 @@
+{ config, pkgs, ... }: {
+  services = {
+    nginx = {
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        map $scheme $hsts_header {
+            https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      '';
+      virtualHosts =
+        let
+          base = locations: {
+            inherit locations;
+
+            forceSSL = true;
+            enableACME = true;
+          };
+          proxy = port: base {
+            "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/";
+          };
+        in
+        {
+          "idimitrov.dev" = proxy 3000 // { default = true; };
+        };
+    };
+  };
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 ];
+  };
+
+  systemd.services = {
+    "idimitrov.dev" = {
+      description = "My personal website";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${idimitrov-dev}/bin/idimitrov.dev";
+        Restart = "always";
+      };
+    };
+  };
+
+}