So, I got into NixOS and installed it on a VPS a few days ago. I’ve previously used yunohost.org (a debian based all-in-one selfhosting solution) and docker-compose. But I (now) really like the Nix(OS) approach, the amount of packaged software and how everything ties together in a clean server configuration.
However… I need a bit more information on the server stuff. Are there nice configurations around which I can incorporate and learn from? Extensive tutorials from other people who run their own services or communities?
I mean the basic stuff isn’t a problem. I got Nextcloud and the most important stuff running, a DNS Adblocker, a chat server, nginx etc. But ultimately I’d like to share some services with friends and family. So I need single sign-on (SSO), preferably with an LDAP directory. An email server… And the Wiki and just googling it stop being helpful at this point.
Are there people who share their experience with LDAP/Authentik/Zitadel/Authelia/Keycloak / whatever SSO/Authentication software is packaged in Nix but I can’t find anything about from people who actually use it? A comparison of the several available email servers?
Here’s mine fwiw - no SSO or LDAP but might add something to what you find. My journey is to move from a NixOS user of 2 years and 1 year ‘all in’. I run my own mail server with NixOS.
nixos-mailserver works well for me. The package set runs faultlessly on the smallest OVH vps. NixOS gives me the ability to redeploy anywhere painlessly and the backup need is limited to a dovecot sync. Dovecot sync is neat: with a 2nd identical vps (match configuration.nix) and non functional but services running duplicates all the live mail data with one command.
I am going all in on Rust too. There is a rust based mail server being developed that I might track as a migration in years to come.
Reading material
Learn { NixOS, Nix }
- https://nixos-and-flakes.thiscute.world/nixos-with-flakes/modularize-the-configuration “The Nix module system provides a parameter, imports, which accepts a list of .nix files and merges all the configuration defined in these files into the current Nix module.”
- https://gitlab.com/famedly/conduit/-/blob/next/nix/README.md
- https://fangpenlin.com/posts/2024/01/14/high-speed-usb4-mesh-network/ Nix package system “beautifully designed but hard to understand at first glance.”
- https://stackoverflow.com/questions/18878117/using-vagrant-to-run-virtual-machines-with-desktop-environment
- https://discourse.nixos.org/t/set-up-vagrant-with-libvirt-qemu-kvm-on-nixos/14653
- https://aldoborrero.com/posts/2023/01/15/setting-up-my-machines-nix-style/
- https://github.com/tweag/rust-wasm-nix
- https://github.com/NixOS/nix.dev
- https://terinstock.com/post/2021/01/Setting-up-a-git-server-on-NixOS/
- https://github.com/nrbray/nixos-configuration
- https://ash64.eu/blog/2022/building-custom-nixos-isos/
- https://github.com/nix-community/disko
- https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md
- https://cola-gang.industries/nixos-for-the-confused-part-2
- https://publish.reddit.com/embed?url=https://www.reddit.com/r/NixOS/comments/12kxmii/comment/jg5kq9n?snippet=2_8_105
- https://github.com/Mic92/dotfiles
- https://www.haskellforall.com/2022/08/stop-calling-everything-nix.html
- https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com&ctz=Europe/Amsterdam
- https://publish.reddit.com/embed?url=https://www.reddit.com/r/NixOS/comments/16zs4sn/comment/k3ilo44?snippet=0_12_128
- https://vaibhavsagar.com/blog/2019/08/22/industrial-strength-deployments/
- https://discourse.nixos.org/t/how-do-i-split-common-system-configuration-into-seperate-files/34316/4
- https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/31?u=nrbray
- https://github.com/colemickens/nixcfg/blob/52e6f2600b1f01dbd223652849caa32d9a4ef42e/mixins/gpg-agent.nix
- https://github.com/Misterio77/nix-starter-configs/blob/main/README.md
- https://nixos.wiki/wiki/Nix_Cookbook#Creating_shell_scripts
- https://discourse.nixos.org/t/using-deploy-rs-with-existing-configuration/31665/3
Flake specific (“are simply a special entry point for Nix code with a built-in pinning system”)
- https://colmena.cli.rs/unstable/tutorial/flakes.html
- https://github.com/erictossell/nixflakes/blob/main/flake.nix
- https://github.com/simonkampe/nixos/blob/main/flake.nix
- https://discourse.nixos.org/t/proper-way-to-build-a-remote-system-with-flakes/17661
- https://fasterthanli.me/series/building-a-rust-service-with-nix
- https://nixos.wiki/wiki/Overlays#In_a_Nix_flake
- https://thiscute.world/en/posts/nixos-and-flake-basics/
- https://drakerossman.com/blog/how-to-convert-default-nixos-to-nixos-with-flakes
- https://flake.parts/best-practices-for-module-writing
- https://www.tweag.io/blog/2022-09-22-rust-nix/
- https://flake.parts/
- https://github.com/nix-community/NUR
- https://lantian.pub/en/article/modify-computer/nixos-packaging.lantian/
- https://tonyfinn.com/blog/nix-from-first-principles-flake-edition/nix-6-nixpkgs-not-reinventing-the-wheel/
Wow. Thanks. Guess the “your previous linux knowledge doesn’t really apply to NixOS” is correct. I already found the lengthy lists of stuff to read up on… I’ll add this to my “read later” list :-D
Stalwart sounds nice, too. Since I’m just setting everything up, maybe I can try both mailservers. I’ve now had 2 people recommend the simple nixos-mailserver.
Great, please may I ask if you would share other sources worth reading.
I think previous Linux knowledge helps, just less needed for newcomers; NixOS has been described as capturing others’ 20 years experience for us to use. Nixos-mailserver is a great example. I used that out of the box and only with user knowledge of NixOS, none of mail tools. Otherwise mail servers are too hard I gathered.
I’ve found lots more to learn about Nix for development environments.
You might want to use nixos-mailserver first for production - after my research I was gobsmacked at how quickly it went. I relied totally on NixOS. Your mileage might vary but I’d be shocked if it takes less than 10 times as long another way.
Uh, just tried to install Stalwart, the Rust mailserver suite. It’s nice. But you have to switch to nixos-unstable to get some important features as of now. And then I can’t find any resources on how to set it up. Meaning there are no sane defaults floating around on the internet and it’s really a chore to learn the internals and come up with a proper config. Maybe the nix-mailserver is a better choice for now.
Good that you tried. Nix simple mailserver is really neat. I am very pleased with it. I feel something like stalwart might take years to mature, but worth watching.
For a mail server, I use https://nixos-mailserver.readthedocs.io/en/latest/index.html . Very easy to set up, and it seems to work. But I do get a lot of anxiety about it because of all the people who say you should never under any circumstances set up your own mail server because of reputation and whatever. Just be aware that although mail-tester.com doesn’t ding you for it, you really have to make sure your rDNS entry is set up correctly, and you need your own /64 IPv6 range.
I guess those who say you should not run your own mail server are maybe those who run one, earning money with it?
I am running my own mail server for >15 years now. What you should do:
- check your ip and the subnet your server is in is not found in blacklists (mxtoolbox has blacklist check)
- make sure you do not run an open relay server, thus only allow authenticated users to send email, use good passwords and you're likely done
- stay up to date and read security notes for your server, especially whatever you run as exposed service, register on security news etc.
- do not use software that is known to make trouble (no M$, maybe better also avoid microsofts systemd)
- set up your config to match exactly what you need, disable unneeded features (like if you use cram-md5 for auth, disable plain and all others)
- send mails via deliver port and only receive them via port 25.
- set up DKIM
- set up DMARC
- check DNS to be precisely how it should be, MX record to match PTR, correct DMARC and DKIM settings, set up SPF records for your domain and *.yourdomain.tld too (using TXT records this could collide with letsencrypt cert updates via DNS)
- use mailserver check services i.e. mxtoolbox but you will need others to also check DMARC and DKIM (services where you can send an email to and they tell you problems)
- use publicly validatable SSL certificates (letsencrypt) so other servers are not “scared” to send emails using TLS instead of plaintext (disable plaintext transfer anyway). Update the certificates regularly before they expire. You can use SSL checkers (SSL Labs) to validate your certificate
- verify sending and receiving using some external email accounts from other providers (google microsoft, a small hoster is good too, but for big ones checking with their system sometimes shines light on their bad services ;-)) and keep in mind that the big ones are not doing everything right or sane.
- do not send spam or mass mailings (even if this is your business, please stop, get a good job instead, if you know how to sneak emails through filters, maybe someone pays you to do the opposite)
- regularly check your server logs for weird things
- maybe use VPN to access IMAP and deliver port to reduce the exposed services to a minimum
- disallow IPv6 to all providers that do not allow sending to them via IPv6 (like google)
- use fail2ban to block abusers in the firewall (less for security but for keeping logs cleaner). Sometimes you need to block others' misconfigured servers forever (like if one server tries to send an email to your server for a domain that you don't host, but this email is one of an autogenerated error sort that just sits in the logs every few minutes for as long as you let it). Be aware that fail2ban blocks IP addresses while with IPv6 spammers like all others have billions of them in their range.
- be aware that some providers do weird checks “before” trying to send email to you like Deutsche Telekom, checking some HTML page on your domain to show a postal address before they try sending an email to you. These basically betray their customers. Depending on how important this one provider is for you, you can do what they want (the postal address Telekom checks could be set to the name of their CEO to actually work lol) but you do not have to fulfill every wish other platforms would like to force you into; regularly those who want to send emails to you will deliver them for their customers (not Deutsche Telekom though)
- be aware that your emails that you send to other servers could end up in spam filters, no matter what you do. Spam filters are error prone and CEOs tend to hire less than a quarter of how many admins they need to not betray their customers with ads vs reality, but (!) mostly the receiver (companies) “wants” to get your email thus checks spam folders anyway, or you could be added to contacts (friends). If your email is lost completely (microsoft cloud services tended to do so for years and during that time even turned off sending DSNs which I had used to prove the regular email loss to the M$ enthusiasts muahahaa) and if that email is important, you have to “ensure” checking its delivery anyway, maybe also send via postal services. Thus normally spam filters - as of my feeling for this - are not really a problem; google is a problem (reported emails as received, then always deleted them directly without notice to neither sender nor receiver, betraying their customers while breaking some laws too), microsoft is a problem and some other providers too, but that has exactly nothing to do with your domain or your email server, you are not responsible for their (intentional) errors or crimes.
- regularly repeat your checks especially for blacklists - some blacklists show your IP as blacklisted because another IP that “looks similar” - same provider/network - is found in another blacklist (they don't like you cause you live in the same city as that other guy which they were told was bad - weird though but some blacklists should be blacklisted… ) but has nothing to do with you, just a blacklist that is f***ed up. Depending on what the problem is, your hoster can help, or you can choose another (cheaper or better) hoster anyway.
- set up monitoring for mail roundtrip using a mail account at another provider and there a forwarding back to your server so you get an alarm if something breaks.
- filter incoming emails by SPF (reject before they are received), but do not filter by bad DMARC setup of other providers (the CEO problem mentioned above; even most newsletters I receive show to have a broken email setup even if “professional” paid services are used). Set up all your filters with relaxed settings (warning only) first before you enforce them
- consider firewall blocking on port probes: every IP who probes ports where you have no services running could imho get immediately blocked with packet drop for 24h just to keep logs a bit cleaner ;-)
- set up your email server with at least two nodes on different hosters in different regions so that any problem local to a hoster or region does not affect both and you stay online with sending and receiving. (hosting your own DNS is even more reliable)
Never under no circumstances? Sure, of course yes! But it can be some work to do. But if you do, it's in my experience more stable than any provider, paid or unpaid, cloud or not, and you get the most possible privacy (all of your non-internal-only emails are available to at least one other server anyway) and flexibility too, and you have the possibility to prove that the other server lost your email, not yours, as they like to just blindly claim by default =D
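The DNS items from the checklist above (MX host matching its PTR, exactly one SPF record, DMARC present but still at the warning-only p=none stage, a DKIM key at the selector) as an added example that is not part of this thread: a small checker run over a constructed zone snapshot instead of live DNS, so the domain, IP, selector and record values are all made up.

```python
import re

# Constructed zone snapshot (not real DNS): (name, record type) -> list of record data.
ZONE = {
    ("example.test", "MX"): ["10 mail.example.test."],
    ("mail.example.test", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.test."],
    ("example.test", "TXT"): ["v=spf1 mx -all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    ("mail._domainkey.example.test", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}

def lookup(zone, name, rtype):
    """Return the record data for name/type, or [] if absent."""
    return zone.get((name, rtype), [])

def reverse_name(ipv4):
    """in-addr.arpa name whose PTR should point back at the MX host."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def check_mail_dns(zone, domain, selector="mail"):
    """Return (level, message) findings; 'error' breaks delivery, 'warn' is advisory."""
    findings = []
    mx = lookup(zone, domain, "MX")
    if not mx:
        findings.append(("error", "no MX record"))
    for rec in mx:
        host = rec.split()[1].rstrip(".")
        for ip in lookup(zone, host, "A"):
            ptr = [p.rstrip(".") for p in lookup(zone, reverse_name(ip), "PTR")]
            if host not in ptr:  # MX host and PTR must agree (forward-confirmed rDNS)
                findings.append(("error", f"PTR for {ip} is {ptr or 'missing'}, expected {host}"))
    spf = [t for t in lookup(zone, domain, "TXT") if t.startswith("v=spf1")]
    if len(spf) != 1:  # more than one SPF record is a permanent error for receivers
        findings.append(("error", f"expected exactly one SPF record, found {len(spf)}"))
    elif not spf[0].rstrip().endswith(("-all", "~all")):
        findings.append(("warn", "SPF does not end with -all/~all"))
    dmarc = [t for t in lookup(zone, f"_dmarc.{domain}", "TXT") if t.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(("error", "no DMARC record"))
    else:
        policy = re.search(r"\bp=(\w+)", dmarc[0])
        if policy and policy.group(1) == "none":  # the "warning only" stage before enforcing
            findings.append(("warn", "DMARC policy p=none: monitoring only, not enforced"))
    dkim = lookup(zone, f"{selector}._domainkey.{domain}", "TXT")
    if not any("v=DKIM1" in t and "p=" in t for t in dkim):
        findings.append(("error", f"no DKIM key at selector {selector}"))
    return findings
```

Swapping the snapshot for live lookups (for example with dnspython) turns this into the periodic re-check the post recommends.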
Thank you. That one already appeared in my search results. Seems like a traditional postfix/dovecot/rspamd setup.
I know. People always say you shouldn’t run your own mailserver. I have. For like 10 years or so and I’m fine. Well… I’m more than fine. I really like the idea that my mailbox is stored on an encrypted volume at home and not somewhere in the cloud. Also it comes without any noticeable capacity limit, I got a large harddisk in my NAS/server. It’s a bit annoying, though. I forward some email. And some of that goes to a gmail.com account of a friend. It’s important first contact and admin mail, so the spam filter isn’t super strict. And I got greylisted by gmail for doing that. Once a few spam mails slip through, google will stop talking to you. So I currently can’t send mail to gmail users. I have a few free email accounts I use as a relay so I myself can still send mails. But it’s annoying. It’s part of the reason why I now want to redo my mailserver and have an updated rspamd and stuff. I get why people say you should let other people provide email service to you, but I don’t see a proper reason except for it’s annoying and frustrating and odds are against you. (Additionally it is a bit complicated to set up reverse pointers and MX records.)
deleted by creator
Thank you, that is good advice. Unfortunately I get 4 pages of forks of the nixpkgs repository and like 6 results from people who use nix to spin up the docker containers for the respective software… But it’s something. And all I need is one reasonable result. I’ll keep looking.
Try posting at https://discourse.nixos.org/
I’m using LLDAP with Authelia on NixOS, it works fine for what I do but it’s somewhat limited, haven’t used it as an OIDC provider yet but that’s on the list.