WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox

temmie/userweb: switch from postfix to nullmailer
temmie/userweb: set up sendmail wrapper
2026-05-20 21:41:12 +02:00 · 2026-05-11 14:03:18 +09:00 · 2026-05-11 13:52:58 +09:00 · 2026-05-11 12:26:39 +09:00 · 2026-05-11 10:17:09 +09:00 · 2026-05-09 20:40:14 +02:00
4 changed files with 131 additions and 94 deletions
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -6,7 +6,7 @@
    (fp /base)
    ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ./services/userweb
  ];
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
--- a/hosts/temmie/services/userweb/default.nix
+++ b/hosts/temmie/services/userweb/default.nix
@@ -7,9 +7,26 @@ let
  # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
  phpEnv = pkgs.php.buildEnv {
    extensions = { all, ... }: with all; [
      bz2
      curl
      decimal
      gd
      imagick
-      opcache
+      mysqli
-      protobuf
+      mysqlnd
      pgsql
      posix
      protobuf sqlite3
      uuid
      xml
      xsl
      zlib
      zstd
      pdo
      pdo_mysql
      pdo_pgsql
      pdo_sqlite
    ];
    extraConfig = ''
@@ -25,38 +42,15 @@ let
    pkgs.irssi
    pkgs.nix.libs.nix-perl-bindings
    AlgorithmDiff
    AnyEvent
    AnyEventI3
    ArchiveZip
    CGI
    CPAN
    CPANPLUS
    DBDPg
    DBDSQLite
    DBDmysql
    DBI
    EmailAddress
    EmailSimple
    Env
    Git
    HTMLMason
    HTMLParser
    HTMLTagset
    HTTPDAV
    HTTPDaemon
    ImageMagick
    JSON
-    LWP
+    TemplateToolkit
    MozillaCA
    PathTiny
    Switch
    SysSyslog
    TestPostgreSQL
    TextPDF
    TieFile
    Tk
    URI
    XMLLibXML
  ]);
  # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
@@ -70,102 +64,88 @@ let
    ignoreCollisions = true;
  };
  sendmailWrapper = pkgs.writeShellApplication {
    name = "sendmail";
    runtimeInputs = [ ];
    text = ''
      args=("$@")
      if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
          # Prepend -fusername to the argument list, so bounces go to the user
          args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
      fi
      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
    '';
  };
  # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
  fhsEnv = pkgs.buildEnv {
    name = "userweb-env";
    ignoreCollisions = true;
    paths = with pkgs; [
      bash
      sendmailWrapper
      perlEnv
      pythonEnv
      phpEnv
    ]
    ++ (with phpEnv.packages; [
      # composer
    ])
    ++ [
      # Useful packages for homepages
      exiftool
      gnuplot
      ikiwiki-full
      imagemagick
      jhead
      ruby
      sbcl
      sourceHighlight
      # Missing packages from tom
      # blosxom
      # pyblosxom
      # mediawiki (TODO: do people host their own mediawikis in userweb?)
      # nanoblogger
      # Version control
      cvs
      rcs
      git
      # Compression/Archival
      bzip2
      gnutar
      gzip
      lz4
      unzip
      xz
      zip
      zstd
      # Other tools you might expect to find on a normal system
      acl
      aspell
      autoconf
      autotrash
      bazel
      bintools
      bison
      bsd-finger
      catdoc
      ccache
      clang
      cmake
      coreutils-full
      curl
      devcontainer
      diffutils
      emacs
      # exiftags
      exiftool
      ffmpeg
      file
      findutils
      gawk
      gcc
      glibc
      gnugrep
      gnumake
      gnupg
      gnuplot
      gnused
      gnutar
      gzip
      html-tidy
      imagemagick
      inetutils
      iproute2
      jhead
      less
-      libgcc
+      man
      lndir
      mailutils
      man # TODO: does this one want a mandb instance?
      meson
      more
      mpc
      mpi
      mplayer
      ninja
      nix
      openssh
      openssl
      patchelf
      pkg-config
      ppp
      procmail
      procps
      qemu
      rc
      rhash
      rsync
      ruby # TODO: does this one want systemwide packages?
      salt
      sccache
      sourceHighlight
      spamassassin
      strace
      subversion
      system-sendmail
      systemdMinimal
      texliveMedium
      tmux
      unzip
      util-linux
      valgrind
      vim
      wget
      which
      wine
      xdg-utils
      zip
      zstd
    ];
    extraOutputsToInstall = [
@@ -175,6 +155,10 @@ let
  };
 in
 {
  imports = [
    ./mail.nix
  ];
  services.httpd = {
    enable = true;
    adminAddr = "drift@pvv.ntnu.no";
@@ -231,6 +215,25 @@ in
          AllowOverride All
          Require all granted
        </Directory>
        <DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
          "\\.git"
          "\\.hg"
          "\\.svn"
          "\\.ssh"
          "\\.env"
          "\\.envrc"
          "\\.bzr"
          "\\.venv"
          "CVS"
          "RCS"
          ".*\\.swp"
          ".*\\.bak"
          ".*~"
        ]})(/|$)">
            AllowOverride All
            Require all denied
        </DirectoryMatch>
      '';
    };
  };
--- a/hosts/temmie/services/userweb/mail.nix
+++ b/hosts/temmie/services/userweb/mail.nix
@@ -0,0 +1,34 @@
 { config, lib, pkgs, ... }:
 {
  services.postfix.enable = lib.mkForce false;
  services.nullmailer = {
    enable = true;
    config = {
      me = config.networking.fqdn;
      remotes = "mail.pvv.ntnu.no smtp --port=25";
    };
  };
  systemd.sockets.userweb-sendmail-sandbox-proxy = {
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
    socketConfig = {
      # Accept = true;
      SocketUser = "httpd";
      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
      SocketMode = "0660";
    };
  };
  systemd.services.userweb-sendmail-sandbox-proxy = {
    serviceConfig = {
      User = "root";
      Group = "root";
      Sockets = [
        "userweb-sendmail-sandbox-proxy.socket"
      ];
      ExecStart = "${lib.getExe pkgs.hello}";
    };
  };
 }
--- a/packages/mediawiki-extensions/update-mediawiki-extensions.py
+++ b/packages/mediawiki-extensions/update-mediawiki-extensions.py
@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
    content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
    soup = bs4.BeautifulSoup(content, features="html.parser")
    try:
-        a = soup.find('li').findChild('a')
+        a = soup.find('li').find('a')
        commit_sha = a['href'].split('/')[-1]
    except AttributeError:
        print(f"ERROR: Could not parse page for {project_name}:")
Author	SHA1	Message	Date
h7x4	9c6a812334	WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox	2026-05-11 14:03:18 +09:00
h7x4	5e50b617fb	temmie/userweb: switch from postfix to nullmailer	2026-05-11 13:52:58 +09:00
h7x4	258c5a7b25	temmie/userweb: set up sendmail wrapper	2026-05-11 12:26:39 +09:00
h7x4	b9eda3dc56	temmie/userweb: reduce package list	2026-05-11 10:17:09 +09:00
Vegard Bieker Matthey	2fcaf5893f	fix deprecation warning for mediawiki update script	2026-05-09 20:40:14 +02:00
h7x4	b009da31af	temmie/userweb: deny a bunch of spooky directories by default It should still be possible for the user to re-enable these with `.htaccess`	2026-05-10 03:33:43 +09:00
h7x4	e9a267e2a3	temmie/userweb: ignore collisions in fhs env	2026-05-10 03:02:27 +09:00
h7x4	338c2f2531	temmie/userweb: adjust perl and php env This adds and removes a few packages to make the environments closer to how they are on tom	2026-05-10 03:02:26 +09:00