WIP: temmie/userweb: use bro to proxy sendmail requests out of sandbox

hosts/temmie/services/userweb/mail.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   services.postfix.enable = lib.mkForce false;
 
@@ -9,4 +9,74 @@
       remotes = "mail.pvv.ntnu.no smtp --port=25";
     };
   };
+
+  services.bro = {
+    enable = true;
+
+    instances.userweb-sendmail = {
+      enable = true;
+
+      client = {
+        settings.BRO_FILE_FLAGS = [
+          "-C"
+        ];
+      };
+
+      server = {
+        settings = {
+          executable = lib.getExe pkgs.system-sendmail;
+          # allowed-env = [  ];
+        };
+      };
+    };
+  };
+
+  environment.systemPackages = [
+    (config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
+      postInstall = (prev.postInstall or "") + ''
+        mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
+      '';
+    }))
+  ];
+
+  systemd.services.bro-userweb-sendmail = {
+    serviceConfig = {
+      User = "nobody";
+      Group = "nobody";
+
+      AmbientCapabilities = "";
+      CapabilityBoundingSet = "";
+      NoNewPrivileges = false;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateUsers = false;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [
+        "AF_UNIX"
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateMounts = true;
+      ProcSubset = "pid";
+      ProtectProc = "invisible";
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      UMask = "0027";
+      SystemCallArchitectures = "native";
+      # SystemCallFilter = [
+      # ];
+    };
+  };
 }