WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox

hosts/temmie/configuration.nix

@@ -6,7 +6,7 @@
     (fp /base)
 
     ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ./services/userweb
   ];
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {

hosts/temmie/services/userweb/default.nix

@@ -16,8 +16,7 @@ let
       mysqlnd
       pgsql
       posix
-      protobuf
+      protobuf sqlite3
-      sqlite3
       uuid
       xml
       xsl
@@ -65,6 +64,21 @@ let
     ignoreCollisions = true;
   };
 
+  sendmailWrapper = pkgs.writeShellApplication {
+    name = "sendmail";
+    runtimeInputs = [ ];
+    text = ''
+      args=("$@")
+
+      if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
+          # Prepend -fusername to the argument list, so bounces go to the user
+          args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
+      fi
+
+      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+    '';
+  };
+
   # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
   fhsEnv = pkgs.buildEnv {
     name = "userweb-env";
@@ -72,6 +86,8 @@ let
     paths = with pkgs; [
       bash
 
+      sendmailWrapper
+
       perlEnv
       pythonEnv
       phpEnv
@@ -80,87 +96,56 @@ let
       # composer
     ])
     ++ [
+      # Useful packages for homepages
+      exiftool
+      gnuplot
+      ikiwiki-full
+      imagemagick
+      jhead
+      ruby
+      sbcl
+      sourceHighlight
+
+      # Missing packages from tom
+      # blosxom
+      # pyblosxom
+      # mediawiki (TODO: do people host their own mediawikis in userweb?)
+      # nanoblogger
+
+      # Version control
+      cvs
+      rcs
+      git
+
+      # Compression/Archival
+      bzip2
+      gnutar
+      gzip
+      lz4
+      unzip
+      xz
+      zip
+      zstd
+
+      # Other tools you might expect to find on a normal system
       acl
-      aspell
-      autoconf
-      autotrash
-      bazel
-      bintools
-      bison
-      bsd-finger
-      catdoc
-      ccache
-      clang
-      cmake
       coreutils-full
       curl
-      devcontainer
       diffutils
-      emacs
-      # exiftags
-      exiftool
-      ffmpeg
       file
       findutils
       gawk
-      gcc
-      glibc
       gnugrep
       gnumake
       gnupg
-      gnuplot
       gnused
-      gnutar
-      gzip
-      html-tidy
-      imagemagick
-      inetutils
-      iproute2
-      jhead
       less
-      libgcc
+      man
-      lndir
-      mailutils
-      man # TODO: does this one want a mandb instance?
-      meson
-      more
-      mpc
-      mpi
-      mplayer
-      ninja
-      nix
-      openssh
-      openssl
-      patchelf
-      pkg-config
-      ppp
-      procmail
-      procps
-      qemu
-      rc
-      rhash
-      rsync
-      ruby # TODO: does this one want systemwide packages?
-      salt
-      sccache
-      sourceHighlight
-      spamassassin
-      strace
-      subversion
-      system-sendmail
-      systemdMinimal
-      texliveMedium
-      tmux
-      unzip
       util-linux
-      valgrind
       vim
       wget
       which
-      wine
       xdg-utils
-      zip
-      zstd
     ];
 
     extraOutputsToInstall = [
@@ -170,6 +155,10 @@ let
   };
 in
 {
+  imports = [
+    ./mail.nix
+  ];
+
   services.httpd = {
     enable = true;
     adminAddr = "drift@pvv.ntnu.no";

hosts/temmie/services/userweb/mail.nix

@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix.enable = lib.mkForce false;
+
+  services.nullmailer = {
+    enable = true;
+    config = {
+      me = config.networking.fqdn;
+      remotes = "mail.pvv.ntnu.no smtp --port=25";
+    };
+  };
+
+  systemd.sockets.userweb-sendmail-sandbox-proxy = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
+    socketConfig = {
+      # Accept = true;
+      SocketUser = "httpd";
+      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
+      SocketMode = "0660";
+    };
+  };
+
+  systemd.services.userweb-sendmail-sandbox-proxy = {
+    serviceConfig = {
+      User = "root";
+      Group = "root";
+      Sockets = [
+        "userweb-sendmail-sandbox-proxy.socket"
+      ];
+      ExecStart = "${lib.getExe pkgs.hello}";
+    };
+  };
+}