WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox

It should still be possible for the user to re-enable these with
`.htaccess`

base/default.nix

@@ -13,6 +13,7 @@
     ./mitigations.nix
 
     ./flake-input-exporter.nix
+    ./hardening.nix
     ./networking.nix
     ./nix.nix
     ./programs.nix
@@ -70,8 +71,6 @@
     fi
   '';
 
-  # security.lockKernelModules = true;
-  security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
     Defaults lecture = never

base/hardening.nix

@@ -0,0 +1,64 @@
+{ ... }:
+{
+  boot.blacklistedKernelModules = [
+    # Obscure network protocols
+    "appletalk"
+    "atm"
+    "ax25"
+    "batman-adv"
+    "can"
+    "netrom"
+    "psnap"
+    "rds"
+    "rose"
+    "sctp"
+    "tipc"
+
+    # Filesystems we don't use
+    "adfs"
+    "affs"
+    "befs"
+    "bfs"
+    "cifs"
+    "cramfs"
+    "efs"
+    "exofs"
+    "orangefs"
+    "freevxfs"
+    "gfs2"
+    "hfs"
+    "hfsplus"
+    "hpfs"
+    "jffs2"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "ntfs"
+    "omfs"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ubifs"
+    "ufs"
+
+    # Legacy hardware
+    "pcspkr"
+    "floppy"
+    "parport"
+    "ppdev"
+
+    # Other stuff we don't use
+    "firewire-core"
+    "firewire-ohci"
+    "ksmbd"
+    "ib_core"
+    "l2tp_eth"
+    "l2tp_netlink"
+    "l2tp_ppp"
+    "nfc"
+    "soundwire"
+  ];
+
+  # security.lockKernelModules = true;
+  security.protectKernelImage = true;
+}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -47,8 +47,8 @@ in {
       }}
 
       # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
-      while IFS= read fname; do
+      while IFS= read -r fname; do
         rm -f "$fname" ||:
         rm -f ".thumbnails/$fname.png" ||:
       done <<< "$filesToRemove"
@@ -56,9 +56,9 @@ in {
       find . -type d -empty -delete
 
       mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
+      images=$(find . -type f -not -path './.thumbnails*')
 
-      while IFS= read fname; do
+      while IFS= read -r fname; do
         # Skip this file if an up-to-date thumbnail already exists
         if [ -f ".thumbnails/$fname.png" ] && \
           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -67,7 +67,7 @@ in {
         fi
 
         echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+        mkdir -p "$(dirname ".thumbnails/$fname")"
         magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
         touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
       done <<< "$images"

hosts/bicep/services/mysql/backup.nix

@@ -57,7 +57,7 @@ in
       rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
       ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
 
-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
         rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
       done
     '';

hosts/bicep/services/postgresql/backup.nix

@@ -58,7 +58,7 @@ in
       rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
       ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
 
-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
         rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
       done
     '';

hosts/kommode/services/gitea/customization/default.nix

@@ -99,23 +99,23 @@ in
         ];
       } ''
         # Bigger icons
-        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
+        install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
         sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
       '';
     in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+      install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+      install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+      install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
-      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+      install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+      install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
 
-      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
+      install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
-      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
+      install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
-      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
+      install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
-      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
+      install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
 
-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
+      '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
     '';
   };
 }

hosts/temmie/configuration.nix

@@ -6,7 +6,7 @@
     (fp /base)
 
     ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ./services/userweb
   ];
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {

hosts/temmie/services/userweb/default.nix

@@ -7,9 +7,26 @@ let
   # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
   phpEnv = pkgs.php.buildEnv {
     extensions = { all, ... }: with all; [
+      bz2
+      curl
+      decimal
+      gd
       imagick
-      opcache
+      mysqli
-      protobuf
+      mysqlnd
+      pgsql
+      posix
+      protobuf sqlite3
+      uuid
+      xml
+      xsl
+      zlib
+      zstd
+
+      pdo
+      pdo_mysql
+      pdo_pgsql
+      pdo_sqlite
     ];
 
     extraConfig = ''
@@ -25,38 +42,15 @@ let
     pkgs.irssi
     pkgs.nix.libs.nix-perl-bindings
 
-    AlgorithmDiff
-    AnyEvent
-    AnyEventI3
-    ArchiveZip
     CGI
-    CPAN
-    CPANPLUS
     DBDPg
     DBDSQLite
+    DBDmysql
     DBI
-    EmailAddress
-    EmailSimple
-    Env
     Git
-    HTMLMason
-    HTMLParser
-    HTMLTagset
-    HTTPDAV
-    HTTPDaemon
     ImageMagick
     JSON
-    LWP
+    TemplateToolkit
-    MozillaCA
-    PathTiny
-    Switch
-    SysSyslog
-    TestPostgreSQL
-    TextPDF
-    TieFile
-    Tk
-    URI
-    XMLLibXML
   ]);
 
   # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
@@ -70,102 +64,88 @@ let
     ignoreCollisions = true;
   };
 
+  sendmailWrapper = pkgs.writeShellApplication {
+    name = "sendmail";
+    runtimeInputs = [ ];
+    text = ''
+      args=("$@")
+
+      if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
+          # Prepend -fusername to the argument list, so bounces go to the user
+          args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
+      fi
+
+      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+    '';
+  };
+
   # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
   fhsEnv = pkgs.buildEnv {
     name = "userweb-env";
+    ignoreCollisions = true;
     paths = with pkgs; [
       bash
 
+      sendmailWrapper
+
       perlEnv
       pythonEnv
-
       phpEnv
     ]
     ++ (with phpEnv.packages; [
       # composer
     ])
     ++ [
+      # Useful packages for homepages
+      exiftool
+      gnuplot
+      ikiwiki-full
+      imagemagick
+      jhead
+      ruby
+      sbcl
+      sourceHighlight
+
+      # Missing packages from tom
+      # blosxom
+      # pyblosxom
+      # mediawiki (TODO: do people host their own mediawikis in userweb?)
+      # nanoblogger
+
+      # Version control
+      cvs
+      rcs
+      git
+
+      # Compression/Archival
+      bzip2
+      gnutar
+      gzip
+      lz4
+      unzip
+      xz
+      zip
+      zstd
+
+      # Other tools you might expect to find on a normal system
       acl
-      aspell
-      autoconf
-      autotrash
-      bazel
-      bintools
-      bison
-      bsd-finger
-      catdoc
-      ccache
-      clang
-      cmake
       coreutils-full
       curl
-      devcontainer
       diffutils
-      emacs
-      # exiftags
-      exiftool
-      ffmpeg
       file
       findutils
       gawk
-      gcc
-      glibc
       gnugrep
       gnumake
       gnupg
-      gnuplot
       gnused
-      gnutar
-      gzip
-      html-tidy
-      imagemagick
-      inetutils
-      iproute2
-      jhead
       less
-      libgcc
+      man
-      lndir
-      mailutils
-      man # TODO: does this one want a mandb instance?
-      meson
-      more
-      mpc
-      mpi
-      mplayer
-      ninja
-      nix
-      openssh
-      openssl
-      patchelf
-      pkg-config
-      ppp
-      procmail
-      procps
-      qemu
-      rc
-      rhash
-      rsync
-      ruby # TODO: does this one want systemwide packages?
-      salt
-      sccache
-      sourceHighlight
-      spamassassin
-      strace
-      subversion
-      system-sendmail
-      systemdMinimal
-      texliveMedium
-      tmux
-      unzip
       util-linux
-      valgrind
       vim
       wget
       which
-      wine
       xdg-utils
-      zip
-      zstd
     ];
 
     extraOutputsToInstall = [
@@ -175,6 +155,10 @@ let
   };
 in
 {
+  imports = [
+    ./mail.nix
+  ];
+
   services.httpd = {
     enable = true;
     adminAddr = "drift@pvv.ntnu.no";
@@ -231,6 +215,25 @@ in
           AllowOverride All
           Require all granted
         </Directory>
+
+        <DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
+          "\\.git"
+          "\\.hg"
+          "\\.svn"
+          "\\.ssh"
+          "\\.env"
+          "\\.envrc"
+          "\\.bzr"
+          "\\.venv"
+          "CVS"
+          "RCS"
+          ".*\\.swp"
+          ".*\\.bak"
+          ".*~"
+        ]})(/|$)">
+            AllowOverride All
+            Require all denied
+        </DirectoryMatch>
       '';
     };
   };

hosts/temmie/services/userweb/mail.nix

@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix.enable = lib.mkForce false;
+
+  services.nullmailer = {
+    enable = true;
+    config = {
+      me = config.networking.fqdn;
+      remotes = "mail.pvv.ntnu.no smtp --port=25";
+    };
+  };
+
+  systemd.sockets.userweb-sendmail-sandbox-proxy = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
+    socketConfig = {
+      # Accept = true;
+      SocketUser = "httpd";
+      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
+      SocketMode = "0660";
+    };
+  };
+
+  systemd.services.userweb-sendmail-sandbox-proxy = {
+    serviceConfig = {
+      User = "root";
+      Group = "root";
+      Sockets = [
+        "userweb-sendmail-sandbox-proxy.socket"
+      ];
+      ExecStart = "${lib.getExe pkgs.hello}";
+    };
+  };
+}

modules/matrix-ooye.nix

@@ -77,29 +77,29 @@ in
 
         id
         echo "Before if statement"
-        stat ''${REGISTRATION_FILE}
+        stat "''${REGISTRATION_FILE}"
 
-        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
+        if [[ ! -f "''${REGISTRATION_FILE}" ]]; then
           echo "No registration file found at '$REGISTRATION_FILE'"
-          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+          cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
         fi
 
         echo "After if statement"
-        stat ''${REGISTRATION_FILE}
+        stat "''${REGISTRATION_FILE}"
 
-        AS_TOKEN=$(${lib.getExe pkgs.jq} -r .as_token ''${REGISTRATION_FILE})
+        AS_TOKEN="$('${lib.getExe pkgs.jq}' -r .as_token "''${REGISTRATION_FILE}")"
-        HS_TOKEN=$(${lib.getExe pkgs.jq} -r .hs_token ''${REGISTRATION_FILE})
+        HS_TOKEN="$('${lib.getExe pkgs.jq}' -r .hs_token "''${REGISTRATION_FILE}")"
-        DISCORD_TOKEN=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)
+        DISCORD_TOKEN="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_token)"
-        DISCORD_CLIENT_SECRET=$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)
+        DISCORD_CLIENT_SECRET="$(cat /run/credentials/matrix-ooye-pre-start.service/discord_client_secret)"
 
         # Check if we have all required tokens
         if [[ -z "$AS_TOKEN" || "$AS_TOKEN" == "null" ]]; then
-          AS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          AS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
           echo "Generated new AS token: ''${AS_TOKEN}"
         fi
 
         if [[ -z "$HS_TOKEN" || "$HS_TOKEN" == "null" ]]; then
-          HS_TOKEN=$(${lib.getExe pkgs.openssl} rand -hex 64)
+          HS_TOKEN="$('${lib.getExe pkgs.openssl}' rand -hex 64)"
           echo "Generated new HS token: ''${HS_TOKEN}"
         fi
 
@@ -115,13 +115,13 @@ in
           exit 1
         fi
 
-        shred -u ''${REGISTRATION_FILE}
+        shred -u "''${REGISTRATION_FILE}"
-        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        cp --no-preserve=mode,ownership "${baseConfig}" "''${REGISTRATION_FILE}"
 
-        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp
+        '${lib.getExe pkgs.jq}' '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' "''${REGISTRATION_FILE}" > "''${REGISTRATION_FILE}.tmp"
 
-        shred -u ''${REGISTRATION_FILE}
+        shred -u "''${REGISTRATION_FILE}"
-        mv ''${REGISTRATION_FILE}.tmp ''${REGISTRATION_FILE}
+        mv "''${REGISTRATION_FILE}.tmp" "''${REGISTRATION_FILE}"
       '';
 
     in

modules/snakeoil-certs.nix

@@ -51,24 +51,24 @@ in
       script = let
         openssl = lib.getExe pkgs.openssl;
       in lib.concatMapStringsSep "\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
+        mkdir -p "$(dirname '${value.certificate}')" "$(dirname '${value.certificateKey}')"
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        if ! ${openssl} x509 -checkend 86400 -noout -in '${value.certificate}'
         then
           echo "Regenerating '${value.certificate}'"
           ${openssl} req \
             -newkey rsa:4096 \
             -new -x509 \
-            -days "${toString value.daysValid}" \
+            -days '${toString value.daysValid}' \
             -nodes \
-            -subj "${value.subject}" \
+            -subj '${value.subject}' \
-            -out "${value.certificate}" \
+            -out '${value.certificate}' \
-            -keyout "${value.certificateKey}" \
+            -keyout '${value.certificateKey}' \
             ${lib.escapeShellArgs value.extraOpenSSLArgs}
         fi
-        chown "${value.owner}:${value.group}" "${value.certificate}"
+        chown '${value.owner}:${value.group}' '${value.certificate}'
-        chown "${value.owner}:${value.group}" "${value.certificateKey}"
+        chown '${value.owner}:${value.group}' '${value.certificateKey}'
-        chmod "${value.mode}" "${value.certificate}"
+        chmod '${value.mode}' '${value.certificate}'
-        chmod "${value.mode}" "${value.certificateKey}"
+        chmod '${value.mode}' '${value.certificateKey}'
 
         echo "\n-----------------\n"
       '') (lib.attrsToList cfg);

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
     content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
     soup = bs4.BeautifulSoup(content, features="html.parser")
     try:
-        a = soup.find('li').findChild('a')
+        a = soup.find('li').find('a')
         commit_sha = a['href'].split('/')[-1]
     except AttributeError:
         print(f"ERROR: Could not parse page for {project_name}:")

topology/default.nix

@@ -228,6 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
+        (mkConnection "skrot" "enp2s0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")