This is NixOS configuration for my personal server. It includes:
... and anything else I wish to put up on the web.
A simplified scheme of what's happening is portrayed below.
```text
                                   ┌───────────────┐
   Port 25/143/587/993             │   NixOS       │
  ────────────────────────────────►│  mailserver   │◄─┐
   SMTP/ESMTP/IMAP4                └───────────────┘  │
                                     mail.$domain     │
                                                      │
   Port 80/443    ┌───────┐        ┌─────────────┐◄───┘
  ───────────────►│ nginx ├─┬─────►│  Roundcube  │
   HTTP/HTTPS     └───────┘ │      └─────────────┘◄──┐
                            │        mail.$domain    │
                            │                        │
                            │      ┌─────────────┐   │
                            ├─────►│  Radicale   │◄──┘
                            │      └─────────────┘
                            │        caldav.$domain
                            │        carddav.$domain
                            │
                            │      ┌─────────────┐
                            ├─────►│  Website    │
                            │      └─────────────┘
                            │        $domain
                            │        www.$domain
                            │
                            │      ┌─────────────┐
                            └─────►│  WebDAV FS  │
                                   └─────────────┘
                                     webdav.$domain
```
This assumes you have a freshly installed NixOS server, with:
- X.X.X.X - a static host IPv4 address.
- $domain - a domain name purchased at a registrar.
Clone this repository to /etc/nixos, replacing the already present
Create the secrets file /etc/nixos/secrets.nix; take a look at the included secrets.example.nixos for an example.
The configuration assumes the following DNS record types for $domain and its subdomains: A, CNAME, MX and TXT (see below).
Note: ensure that the reverse DNS (PTR record) of X.X.X.X resolves to mail.$domain, and that mail.$domain resolves back to X.X.X.X, or your email will still be flagged as spam by e.g. Gmail. The PTR record is managed by whoever owns the IP address (usually your hosting provider), not by your domain registrar.
The TXT records (DKIM, SPF and DMARC) let receiving servers verify that mail claiming to come from $domain was sent by your server and signed with your key, which makes spoofing your domain harder and greatly decreases the probability of your messages being flagged as spam. The DKIM key is generated only once the server is running, so set these records up after the initial configuration described above.
For DKIM run the following on the server; its output is a single zone-file line containing the record name (ending in ._domainkey) and the quoted value:
sudo cat /var/dkim/*.mail.txt | tr -d '\n()' | sed 's/; "\t *"/; /'
For SPF all you need is the following (the mx mechanism authorizes the hosts named in your MX record, i.e. mail.$domain; ~all soft-fails everyone else):
(leave hostname empty) IN TXT "v=spf1 mx ~all"
For DMARC (p=quarantine asks receivers to quarantine mail that fails alignment, rua/ruf set where aggregate and forensic reports are sent, sp=none leaves subdomains without a policy, ri=86400 requests daily reports):
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@$domain; ruf=mailto:postmaster@$domain; sp=none; ri=86400"
Add the contents to the appropriate records in your DNS provider's interface. The format is <host name> IN TXT <contents>; note that the SPF record has an empty host name.
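The record set above, as an added shell example (not the repository's own code): it reads the DKIM key file the mailserver writes into /var/dkim, prints its value as one string (also joining a p= value that opendkim splits over several lines for longer keys, which the tr/sed one-liner above leaves as two quoted strings), checks it, and emits every record this setup expects for $domain as zone-file lines ready to paste into a provider's interface. The A and CNAME targets, the DKIM selector mail (from the *.mail.txt file name), and the example.com / 203.0.113.10 values are assumptions, not from the page; the key material in the sample file is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not part of the original repository.
# Assumptions (not stated on the page): $domain and mail.$domain have A records
# pointing at the host IP, www/caldav/carddav/webdav are CNAMEs to $domain,
# and the DKIM selector is "mail" (the key file is named <domain>.mail.txt).
set -e

# --- DKIM: parse the opendkim-style key file ---------------------------------
# opendkim writes the public key as a zone-file line whose TXT value is split
# into several quoted strings inside parentheses, followed by a comment.

# Record name (first field of the file), e.g. mail._domainkey
dkim_record_name() {
    awk 'NR == 1 { print $1 }' "$1"
}

# All quoted chunks between the parentheses, concatenated into one string.
dkim_txt_value() {
    tr -d '\n' < "$1" \
      | sed -e 's/^[^(]*(//' -e 's/)[^)]*$//' \
      | grep -o '"[^"]*"' \
      | tr -d '"\n'
}

# Same value re-split into quoted strings of at most 255 octets, the form some
# providers require; receivers concatenate the strings (RFC 6376, 3.6.2.2).
dkim_txt_quoted() {
    dkim_txt_value "$1" | fold -w 255 | sed 's/.*/"&"/' | paste -s -d ' ' -
}

# Sanity check before pasting: must declare v=DKIM1 and carry a base64 key.
dkim_check() {
    case "$1" in
        "v=DKIM1;"*"p="[A-Za-z0-9+/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- Full record set for the setup described in the README --------------------
# Usage: mail_dns_records example.com 203.0.113.10 /var/dkim/example.com.mail.txt
mail_dns_records() {
    domain=$1; ip=$2; dkim_file=$3
    printf '@ IN A %s\n' "$ip"                      # $domain (assumed)
    printf 'mail IN A %s\n' "$ip"                   # mail.$domain (assumed)
    for host in www caldav carddav webdav; do       # nginx vhosts (assumed CNAMEs)
        printf '%s IN CNAME %s.\n' "$host" "$domain"
    done
    printf '@ IN MX 10 mail.%s.\n' "$domain"
    printf '@ IN TXT "v=spf1 mx ~all"\n'
    printf '_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@%s; ruf=mailto:postmaster@%s; sp=none; ri=86400"\n' "$domain" "$domain"
    printf '%s IN TXT %s\n' "$(dkim_record_name "$dkim_file")" "$(dkim_txt_quoted "$dkim_file")"
}

# Constructed sample input standing in for /var/dkim/example.com.mail.txt
# (the p= blob is made up, not a real key).
DKIM_SAMPLE=$(mktemp)
trap 'rm -f "$DKIM_SAMPLE"' EXIT
cat > "$DKIM_SAMPLE" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0AAAA"
      "BBBBCCCCIDAQAB" )  ; ----- DKIM key mail for example.com
EOF

dkim_check "$(dkim_txt_value "$DKIM_SAMPLE")"
mail_dns_records example.com 203.0.113.10 "$DKIM_SAMPLE"
```

Run it on the server with the real key file as the third argument; on the real `/var/dkim/$domain.mail.txt` the record name and value come from the file, so only the host IP and domain need changing.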
User accounts are created declaratively in secrets.nix, with bcrypt-hashed passwords (only the hash is stored; plaintext passwords never go into the configuration). By default a me@$domain account is created, with aliases such as postmaster@$domain. Take a look at
for all available values.
If you have backup servers, you must whitelist their addresses in SPF by adding them
GPG keys are stored server-side in /var/enigma. If your key has no passphrase, Roundcube will still ask for one when signing email; in that case you can input
Keys kept in /var/enigma are only as safe as the server itself: anyone who compromises the host or the Roundcube web application can read them. If you don't feel like storing your private keys on the server, there is always Mailvelope, a browser extension that keeps the keys on the client.
Every user has access to a Card/CalDAV server for easy contact and calendar syncing. New calendars/address books can be created at
logging in with your email credentials (full e-mail address and password).
In order to sync the contacts with the Roundcube client, log into your email at
mail.$domain and navigate to "Settings/Preferences/CardDAV". Use
your username, password and
caldav.$domain) as the server's
address. Hit "Save" and the address book should appear in "Contacts". Add contacts
to your heart's content.
By default, all users have access to a WebDAV network file system at webdav.$domain, used for file sharing. Log in with your email credentials (full e-mail address and password) in your favorite WebDAV client, e.g. a FUSE-enabled file manager.
Snapshots of the relevant directories in /var/ are created using rsnapshot and placed in /.snapshots. Two kinds of snapshots are taken, every 4 hours and daily, and the 6 and 5 (respectively) most recent snapshots of each kind are kept, i.e. roughly the last day at 4-hour granularity and the last 5 days at daily granularity. Because the snapshots live on the same host as the data, they protect against mistakes and bad upgrades, not against loss of the disk or of the server; copy them elsewhere if that matters to you.