WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox

temmie/userweb: switch from postfix to nullmailer
temmie/userweb: set up sendmail wrapper
2026-05-21 05:51:12 +02:00 · 2026-05-11 14:03:18 +09:00 · 2026-05-11 13:52:58 +09:00 · 2026-05-11 12:26:39 +09:00 · 2026-05-11 10:17:09 +09:00
3 changed files with 90 additions and 67 deletions
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -6,7 +6,7 @@
    (fp /base)

    ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ./services/userweb
  ];

  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
--- a/hosts/temmie/services/userweb/default.nix
+++ b/hosts/temmie/services/userweb/default.nix
@@ -16,8 +16,7 @@ let
      mysqlnd
      pgsql
      posix
-      protobuf
-      sqlite3
+      protobuf sqlite3
      uuid
      xml
      xsl
@@ -65,6 +64,21 @@ let
    ignoreCollisions = true;
  };

+  sendmailWrapper = pkgs.writeShellApplication {
+    name = "sendmail";
+    runtimeInputs = [ ];
+    text = ''
+      args=("$@")
+
+      if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
+          # Prepend -fusername to the argument list, so bounces go to the user
+          args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
+      fi
+
+      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+    '';
+  };
+
  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
  fhsEnv = pkgs.buildEnv {
    name = "userweb-env";
@@ -72,6 +86,8 @@ let
    paths = with pkgs; [
      bash

+      sendmailWrapper
+
      perlEnv
      pythonEnv
      phpEnv
@@ -80,87 +96,56 @@ let
      # composer
    ])
    ++ [
+      # Useful packages for homepages
+      exiftool
+      gnuplot
+      ikiwiki-full
+      imagemagick
+      jhead
+      ruby
+      sbcl
+      sourceHighlight
+
+      # Missing packages from tom
+      # blosxom
+      # pyblosxom
+      # mediawiki (TODO: do people host their own mediawikis in userweb?)
+      # nanoblogger
+
+      # Version control
+      cvs
+      rcs
+      git
+
+      # Compression/Archival
+      bzip2
+      gnutar
+      gzip
+      lz4
+      unzip
+      xz
+      zip
+      zstd
+
+      # Other tools you might expect to find on a normal system
      acl
-      aspell
-      autoconf
-      autotrash
-      bazel
-      bintools
-      bison
-      bsd-finger
-      catdoc
-      ccache
-      clang
-      cmake
      coreutils-full
      curl
-      devcontainer
      diffutils
-      emacs
-      # exiftags
-      exiftool
-      ffmpeg
      file
      findutils
      gawk
-      gcc
-      glibc
      gnugrep
      gnumake
      gnupg
-      gnuplot
      gnused
-      gnutar
-      gzip
-      html-tidy
-      imagemagick
-      inetutils
-      iproute2
-      jhead
      less
-      libgcc
-      lndir
-      mailutils
-      man # TODO: does this one want a mandb instance?
-      meson
-      more
-      mpc
-      mpi
-      mplayer
-      ninja
-      nix
-      openssh
-      openssl
-      patchelf
-      pkg-config
-      ppp
-      procmail
-      procps
-      qemu
-      rc
-      rhash
-      rsync
-      ruby # TODO: does this one want systemwide packages?
-      salt
-      sccache
-      sourceHighlight
-      spamassassin
-      strace
-      subversion
-      system-sendmail
-      systemdMinimal
-      texliveMedium
-      tmux
-      unzip
+      man
      util-linux
-      valgrind
      vim
      wget
      which
-      wine
      xdg-utils
-      zip
-      zstd
    ];

    extraOutputsToInstall = [
@@ -170,6 +155,10 @@ let
  };
 in
 {
+  imports = [
+    ./mail.nix
+  ];
+
  services.httpd = {
    enable = true;
    adminAddr = "drift@pvv.ntnu.no";
--- a/hosts/temmie/services/userweb/mail.nix
+++ b/hosts/temmie/services/userweb/mail.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix.enable = lib.mkForce false;
+
+  services.nullmailer = {
+    enable = true;
+    config = {
+      me = config.networking.fqdn;
+      remotes = "mail.pvv.ntnu.no smtp --port=25";
+    };
+  };
+
+  systemd.sockets.userweb-sendmail-sandbox-proxy = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
+    socketConfig = {
+      # Accept = true;
+      SocketUser = "httpd";
+      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
+      SocketMode = "0660";
+    };
+  };
+
+  systemd.services.userweb-sendmail-sandbox-proxy = {
+    serviceConfig = {
+      User = "root";
+      Group = "root";
+      Sockets = [
+        "userweb-sendmail-sandbox-proxy.socket"
+      ];
+      ExecStart = "${lib.getExe pkgs.hello}";
+    };
+  };
+}
Author	SHA1	Message	Date
h7x4	9c6a812334	WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox	2026-05-11 14:03:18 +09:00
h7x4	5e50b617fb	temmie/userweb: switch from postfix to nullmailer	2026-05-11 13:52:58 +09:00
h7x4	258c5a7b25	temmie/userweb: set up sendmail wrapper	2026-05-11 12:26:39 +09:00
h7x4	b9eda3dc56	temmie/userweb: reduce package list	2026-05-11 10:17:09 +09:00