WIP: temmie/userweb: use bro to proxy sendmail requests out of sandbox

hosts/temmie/services/userweb/default.nix

@@ -67,21 +67,6 @@ let
     ignoreCollisions = true;
   };
 
-  sendmailWrapper = pkgs.writeShellApplication {
-    name = "sendmail";
-    runtimeInputs = [ ];
-    text = ''
-      args=("$@")
-
-      if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
-          # Prepend -fusername to the argument list, so bounces go to the user
-          args=("-f$USERDIR_USER" "''${args[@]}")
-      fi
-
-      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
-    '';
-  };
-
   # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
   fhsEnv = pkgs.buildEnv {
     name = "userweb-env";
@@ -89,7 +74,7 @@ let
     paths = with pkgs; [
       bash
 
-      sendmailWrapper
+      config.services.bro.instances.userweb-sendmail.client.package
 
       perlEnv
       pythonEnv

hosts/temmie/services/userweb/mail.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   services.postfix.enable = lib.mkForce false;
 
@@ -9,4 +9,111 @@
       remotes = "mail.pvv.ntnu.no smtp --port=25";
     };
   };
+
+  services.bro = {
+    enable = true;
+
+    instances.userweb-sendmail = {
+      enable = true;
+
+      client = {
+        settings.BRO_FILE_FLAGS = [
+          "-C"
+        ];
+      };
+
+      server = {
+        settings = {
+          executable = let
+            sendmailWrapper = pkgs.writeShellApplication {
+              name = "sendmail";
+              runtimeInputs = [ ];
+              bashOptions = [
+                "errexit"
+                "pipefail"
+              ];
+              text = ''
+                args=("$@")
+
+                if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
+                    # Prepend -fusername to the argument list, so bounces go to the user
+                    args=("-f$USERDIR_USER" "''${args[@]}")
+                fi
+
+                exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+              '';
+            };
+          in lib.getExe sendmailWrapper;
+          allowed-env = [ "USERDIR_USER" ];
+        };
+      };
+    };
+  };
+
+  environment.systemPackages = [
+    (config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
+      buildCommand = prev.buildCommand + ''
+        mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
+      '';
+    }))
+  ];
+
+  users.users.nullmailer-user = {
+    enable = true;
+    isSystemUser = true;
+    group = "nullmailer-user";
+  };
+
+  users.groups.nullmailer-user = { };
+
+  systemd.services.bro-userweb-sendmail = {
+    serviceConfig = {
+      User = "nullmailer-user";
+      Group = "nullmailer-user";
+
+      ReadWritePaths = [
+        "/var/spool/nullmailer"
+      ];
+
+      AmbientCapabilities = "";
+      CapabilityBoundingSet = "";
+      NoNewPrivileges = false;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateUsers = false;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [
+        "AF_UNIX"
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateMounts = true;
+      ProcSubset = "pid";
+      ProtectProc = "invisible";
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@resources"
+      ];
+      UMask = "0077";
+    };
+  };
+
+  systemd.services.httpd.serviceConfig = {
+    BindPaths = [ (lib.head config.systemd.sockets.bro-userweb-sendmail.listenStreams) ];
+  };
 }