~piotr-machura/personal

Projects for personal use


#My digital home

This is the NixOS configuration for my personal server. It includes:

... and anything else I wish to put up on the web.

A simplified scheme of what's happening is portrayed below.

                         ┌───────────────┐
    Port 25/143/587/993  │     NixOS     │
 ───────────────────────►│   mailserver  │◄─┐
     SMTP/ESMTP/IMAP4    └───────────────┘  │
                            mail.$domain    │
                                            │
 Port 80/443 ┌───────┐    ┌─────────────┐◄──┘
 ───────────►│ nginx ├─┬─►│  Roundcube  │
 HTTP/HTTPS  └───────┘ │  └─────────────┘◄──┐
                       │    mail.$domain    │
                       │                    │
                       │  ┌─────────────┐   │
                       ├─►│   Radicale  │◄──┘
                       │  └─────────────┘
                       │   caldav.$domain
                       │   carddav.$domain
                       │
                       │  ┌─────────────┐
                       ├─►│   Website   │
                       │  └─────────────┘
                       │      $domain
                       │     www.$domain
                       │
                       │  ┌─────────────┐
                       └─►│  WebDAV FS  │
                          └─────────────┘
                           webdav.$domain

#Setting up the server

This assumes you have a freshly installed NixOS server, with:

  • X.X.X.X - static host IPv4 address.
  • $domain - domain name purchased at the registrar.

Clone this repository to /etc/nixos, replacing the already present configuration.nix.

#Modifying configuration

Create the secrets file /etc/nixos/secrets.nix. Take a look at the included secrets.example.nixos for an example.

#DNS records

The configuration assumes the following DNS records (the arrow meaning "pointing to"):

  A                         CNAME                         MX                       TXT (see below)
  $domain      → X.X.X.X    webdav.$domain  → $domain     (empty) → mail.$domain   DKIM
  www.$domain  → X.X.X.X    caldav.$domain  → $domain                              DMARC
  mail.$domain → X.X.X.X    carddav.$domain → $domain                              SPF

Note: Ensure that the reverse DNS (PTR record) of X.X.X.X resolves to mail.$domain, or your email will still be flagged as spam by e.g. Gmail.

#Mailserver TXT records

The TXT records let receiving servers detect spoofed mail claiming to come from $domain, and greatly decrease the probability of your own messages being flagged as spam. The DKIM value can only be obtained once the server is running, so set them up after the initial configuration described above.

For DKIM run the following (the glob is expanded by your shell before sudo runs, so if /var/dkim is not listable by your user, run the whole pipeline in a root shell instead):

sudo cat /var/dkim/*.mail.txt | tr -d '\n()' | sed 's/; "\t *"/; /'

For SPF all you need is

(leave hostname empty) IN TXT  "v=spf1 mx ~all"

For DMARC:

_dmarc IN TXT
"v=DMARC1; p=quarantine; rua=mailto:postmaster@$domain; ruf=mailto:postmaster@$domain; sp=none; ri=86400"

Add the contents in appropriate records in your DNS provider's interface. The format is <host name> IN TXT <contents>, note that the SPF record has an empty host name.
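As an added check (not part of the repository), the following Python script validates the three TXT values before they go into the zone: it flattens a key file of the shape the DKIM command above reads, then checks each record for the mistakes that most often get mail rejected. The key file, the record values and the example.com names are constructed samples; the p= value is a placeholder that only mimics the structure of an RSA public key, not a real key.

```python
"""Sanity-check the DKIM, SPF and DMARC TXT records before publishing them.
Added example, not part of the repository; the DKIM key is a constructed
placeholder, not a real key."""
import base64
import binascii
import re

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption); the p= value of a
# k=rsa record is a base64 SubjectPublicKeyInfo and must contain it.
RSA_OID = bytes.fromhex("06092a864886f70d010101")
# Constructed stand-in for p=: a SEQUENCE holding only that OID, so it decodes
# and passes the structural check without being a usable key.
PLACEHOLDER_P = base64.b64encode(b"\x30\x0b" + RSA_OID).decode()
# Constructed key file in the shape the DKIM command above flattens: the value
# split into quoted chunks inside parentheses, one chunk per line.
SAMPLE_DKIM_FILE = ('mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n'
                    '\t"p=' + PLACEHOLDER_P + '" ) ;\n')
SAMPLE_SPF = "v=spf1 mx ~all"
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com; "
                "ruf=mailto:postmaster@example.com; sp=none; ri=86400")
# SPF terms that each cost one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)")

def flatten_dkim_file(text):
    """Return (name, value) from a 'name IN TXT ( "..." "..." )' key file."""
    m = re.search(r"^\s*(\S+)\s+IN\s+TXT\s*\((.*?)\)", text, re.DOTALL | re.MULTILINE)
    if not m:
        raise ValueError("no 'name IN TXT ( ... )' statement found")
    return m.group(1), "".join(re.findall(r'"([^"]*)"', m.group(2)))

def parse_tags(value):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into an ordered dict."""
    tags = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip()] = val.strip()
    return tags

def check_dkim(value):
    """Return the problems with a DKIM TXT value (empty list means OK)."""
    tags, problems = parse_tags(value), []
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type k={tags.get('k')}")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64"]
    if not der:
        problems.append("p= is empty, which revokes the selector")
    elif der[:1] != b"\x30" or RSA_OID not in der:
        problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
    return problems

def check_spf(value):
    """Return the problems with an SPF TXT value."""
    terms = value.split()
    if not terms or terms[0] != "v=spf1":
        return ["must start with v=spf1"]
    problems, last = [], terms[-1]
    if not any(re.match(r"^[+\-~?]?mx(?:[:/]|$)", t) for t in terms[1:]):
        problems.append("no mx mechanism: the mailserver itself is not authorised")
    if last in ("+all", "all"):
        problems.append("+all lets any host send as this domain")
    elif last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        problems.append(f"should end with ~all or -all, found {last!r}")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} lookup terms; RFC 7208 allows at most 10")
    return problems

def check_dmarc(value):
    """Return the problems with a DMARC TXT value."""
    tags, problems = parse_tags(value), []
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        problems.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        problems.append("p= is required")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in ("none", "quarantine", "reject"):
            problems.append(f"{tag}= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.startswith("mailto:"):
                problems.append(f"{tag}= must be a mailto: URI, found {uri!r}")
    return problems

if __name__ == "__main__":
    name, dkim_value = flatten_dkim_file(SAMPLE_DKIM_FILE)
    for record, problems in ((name, check_dkim(dkim_value)), ("@ (SPF)", check_spf(SAMPLE_SPF)),
                             ("_dmarc", check_dmarc(SAMPLE_DMARC))):
        print(f"{record}: {'OK' if not problems else '; '.join(problems)}")
```

To use it on the real values, read the file under /var/dkim into flatten_dkim_file and pass the SPF and DMARC strings you are about to publish. The lookup-count check becomes relevant once additional senders are whitelisted with include: or a: terms, because a record needing more than ten DNS lookups is evaluated as permerror by receivers and protects nothing.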

#User accounts

User accounts are created declaratively in secrets.nix, with bcrypt-hashed passwords. By default a me@$domain account is created, with contact@$domain and postmaster@$domain aliases. Take a look at nixos-mailserver documentation for all available values.

#Backup servers

If you have backup servers that send mail for $domain, SPF must authorise them as well: add their addresses to spf_whitelist in secrets.nix.

#Roundcube GPG

GPG keys are stored server-side in /var/enigma. If your key has no passphrase Roundcube will still ask for one when signing email - in that case you can input anything.

If you don't feel like storing your private keys on the server, there is always Mailvelope.

#CardDAV

Every user has access to a Card/CalDAV server for easy contact syncing. New calendars/address books can be created at carddav.$domain (or caldav.$domain) after logging in with email credentials (full e-mail address and password).

In order to sync the contacts with the Roundcube client, log into your email account under mail.$domain and navigate to "Settings/Preferences/CardDAV". Use your username, password and carddav.$domain (or caldav.$domain) as the server's address. Hit "Save" and the address book should appear in "Contacts". Add contacts to your heart's content.

#WebDAV

By default, all users have access to a WebDAV network file system, used for file sharing. Log in with your email credentials (full e-mail address and password) in your favorite WebDAV client, eg. a fuse-enabled file manager.

#Backup

Snapshots of the relevant directories in /var/ are created using rsnapshot and placed in /.snapshots. Two kinds of snapshots are taken, every 4 hours and daily; the 6 most recent 4-hourly and the 5 most recent daily snapshots are kept.