[-] [email protected] 2 points 1 week ago* (last edited 1 week ago)

I'm using Cloudflare and I get no output from dig 1.0.0.1.email.teatastic.org +short which should mean that my dns is not blocked. Additionally, I discovered that my self hosted email just appeared as a destination address on Cloudflare. The problem is that it's "Pending verification", yet I don't receive any mails to actually confirm it.

I've tried to email myself from both proton and gmail, but no emails appear in Roundcube. Since I have no prior experience with this, I might be overlooking something important, yet I'm not sure what.

10
submitted 1 week ago by [email protected] to c/nix

I've been trying to achieve a working mail setup on nixos by using simple-nixos-mailserver.

  mailserver = {
    enable = true;
    certificateScheme = "acme-nginx";
    enableManageSieve = true;
    fqdn = "email.teatastic.org";
    domains = ["teatastic.org"];
    mailboxes = {
      Drafts = {
        auto = "subscribe";
        specialUse = "Drafts";
      };
      Junk = {
        auto = "subscribe";
        specialUse = "Junk";
      };
      Sent = {
        auto = "subscribe";
        specialUse = "Sent";
      };
      Trash = {
        auto = "no";
        specialUse = "Trash";
      };
    };

    loginAccounts = {
      "[email protected]" = {
        hashedPasswordFile = config.sops.secrets.password.path;
        aliases = ["[email protected]"];
      };
    };

    fullTextSearch = {
      enable = false;
      enforced = "body";
      indexAttachments = true;
      memoryLimit = 512;
    };

    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;

    virusScanning = false;
  };
  services.roundcube = {
    enable = true;
    package = pkgs.roundcube.withPlugins (
      plugins: [
        plugins.carddav
        plugins.contextmenu
        plugins.custom_from
        plugins.persistent_login
        plugins.thunderbird_labels
      ]
    );
    plugins = [
      "attachment_reminder" # Roundcube internal plugin
      "carddav"
      "contextmenu"
      "custom_from"
      "managesieve" # Roundcube internal plugin
      "newmail_notifier" # Roundcube internal plugin
      "persistent_login"
      "thunderbird_labels"
      "zipdownload" # Roundcube internal plugin
    ];
    #dicts = with pkgs.aspellDicts; [en];
    hostName = config.mailserver.fqdn;
    maxAttachmentSize = 100;
    extraConfig = ''
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "[email protected]";
  };
    firewall = {
      enable = true;
      allowedTCPPorts = [
        25 587 143 993 110 995 # Email
        80 # Nginx
      ];
    };

I'm logging in through roundcube, which works as expected. However, when I get to the point of composing an email to somebody, it just starts a "Sending message..." loop without actually sending anything.

I've forwarded the aforementioned ports on my router, yet it fails.

[-] [email protected] 2 points 1 week ago

I have firewall disabled for my ports, so that's not the issue here.

17
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/nix

To increase the security of my NAT configuration, I opted to implement port triggering instead of the traditional port forwarding on my router. I chose this approach in order to configure it from my nix configuration.

Specifically, I have enabled port 443 triggering on my router and included the following configuration:

 nftables = {
   enable = true;
   ruleset = ''
     table ip nat {
       chain PREROUTING {
         type nat hook prerouting priority dstnat; policy accept;
         iifname "wlp2s0" tcp dport 443 dnat to 10.100.0.3:443
       }
     }
   '';
 };
 nat = {
   enable = true;
   internalInterfaces = ["lo"];
   externalInterface = "wlp2s0";
   forwardPorts = [
     {
       sourcePort = 443;
       proto = "tcp";
       destination = "10.100.0.3:443";
     }
   ];
 };

Now, after rebuilding, it still does not work and I'm left to wonder why. Are both the NAT and nftables settings even meant to run at the same time?

[-] [email protected] 7 points 1 week ago

Awesome, you were right! Thank you!

systemd.services.nginx.serviceConfig.ProtectHome = false;
users.groups.searx.members = [ "nginx" ];

For anyone looking to test it out, it's https://search.teatastic.org/

[-] [email protected] 2 points 1 week ago

Yeah, good point about the localhost. The ports are fine however. The actual error that I'm getting is coming from nginx: *1 connect() to unix:/run/searx/searx.sock failed (13: Permission denied) while connecting to upstream. I have added the searx and nginx groups to my main user (which I have to find a workout for anyway, since it might prove to be a security problem), yet it still does not work.

19
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/nix

I've been trying to create a public instance of SearXNG by using NixOS, Cloudflare and Nginx, but I can't seem to make it open to the internet and I've ran out of ideas. Is there anything I'm overlooking?

services.searx = {
    enable = true;
    redisCreateLocally = true;
        limiterSettings = {
      real_ip = {
        x_for = 1;

        ipv4_prefix = 32;
        ipv6_prefix = 56;
      };
    botdetection = {
        ip_limit = {
          filter_link_local = true;
          link_token = true;
        };
        ip_lists = {
          pass_ip = [
            "192.168.0.0/16"
            "fe80::/10"
          ];
          pass_searxng_org = true;
        };
      };
    };
    runInUwsgi = true;
    uwsgiConfig = {
      socket = "/run/searx/searx.sock";
      http = ":8888";
      chmod-socket = "660";
      disable-logging = true;
    };
    settings = {
      general = {
        debug = false;
        instance_name = "SearXNG Instance";
        donation_url = false;
        contact_url = false;
        enable_metrics = false;
      };

      ui = {
        static_use_hash = true;
        theme_args.simple_style = "dark";
        query_in_title = true;
        center_alignment = true;
        results_on_new_tab = false;
      };

      search = {
        safe_search = 2;
        autocomplete_min = 2;
        autocomplete = "duckduckgo";
      };

      server = {
        port = 8888;
        bind_address = "0.0.0.0";
        secret_key = config.sops.secrets.searx.path;
        image_proxy = true;
        method = "GET";

        default_locale = "en";
        default_lang = "en-US";
        base_url = "https://myinstance.org";
        public_instance = true;
      };
      engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
        "duckduckgo".disabled = false;
        "brave".disabled = true;
      };
      outgoing = {
        request_timeout = 5.0;
        max_request_timeout = 15.0;
        pool_connections = 100;
        pool_maxsize = 15;
        enable_http2 = true;
      };
    };
  };
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "myinstance.org" = {
        forceSSL = true;
        sslCertificate = config.sops.secrets."SSL-Certificates/Cloudflare/Cert".path;
        sslCertificateKey = config.sops.secrets."SSL-Certificates/Cloudflare/Key".path;
        locations = {
          "/" = {
            extraConfig = ''
              uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};
            '';
          };
        };
      };
    };
  };

TeaTastic

joined 1 week ago