WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox

It should still be possible for the user to re-enable these with
`.htaccess`

hosts/temmie/configuration.nix

@@ -6,7 +6,7 @@
     (fp /base)
 
     ./services/nfs-mounts.nix
-    ./services/userweb.nix
+    ./services/userweb
   ];
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {

hosts/temmie/services/userweb/default.nix

@@ -7,9 +7,26 @@ let
   # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
   phpEnv = pkgs.php.buildEnv {
     extensions = { all, ... }: with all; [
+      bz2
+      curl
+      decimal
+      gd
       imagick
-      opcache
-      protobuf
+      mysqli
+      mysqlnd
+      pgsql
+      posix
+      protobuf sqlite3
+      uuid
+      xml
+      xsl
+      zlib
+      zstd
+
+      pdo
+      pdo_mysql
+      pdo_pgsql
+      pdo_sqlite
     ];
 
     extraConfig = ''
@@ -25,38 +42,15 @@ let
     pkgs.irssi
     pkgs.nix.libs.nix-perl-bindings
 
-    AlgorithmDiff
-    AnyEvent
-    AnyEventI3
-    ArchiveZip
     CGI
-    CPAN
-    CPANPLUS
     DBDPg
     DBDSQLite
+    DBDmysql
     DBI
-    EmailAddress
-    EmailSimple
-    Env
     Git
-    HTMLMason
-    HTMLParser
-    HTMLTagset
-    HTTPDAV
-    HTTPDaemon
     ImageMagick
     JSON
-    LWP
-    MozillaCA
-    PathTiny
-    Switch
-    SysSyslog
-    TestPostgreSQL
-    TextPDF
-    TieFile
-    Tk
-    URI
-    XMLLibXML
+    TemplateToolkit
   ]);
 
   # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
@@ -70,102 +64,88 @@ let
     ignoreCollisions = true;
   };
 
+  sendmailWrapper = pkgs.writeShellApplication {
+    name = "sendmail";
+    runtimeInputs = [ ];
+    text = ''
+      args=("$@")
+
+      if [[ "''${PWD:-}" =~ ^/home/pvv/[^/]+/([^/]+) ]] && [[ "''${BASH_REMATCH[1]}" != "pvv" ]]; then
+          # Prepend -fusername to the argument list, so bounces go to the user
+          args=("-f''${BASH_REMATCH[1]}" "''${args[@]}")
+      fi
+
+      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+    '';
+  };
+
   # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
   fhsEnv = pkgs.buildEnv {
     name = "userweb-env";
+    ignoreCollisions = true;
     paths = with pkgs; [
       bash
 
+      sendmailWrapper
+
       perlEnv
       pythonEnv
-
       phpEnv
     ]
     ++ (with phpEnv.packages; [
       # composer
     ])
     ++ [
+      # Useful packages for homepages
+      exiftool
+      gnuplot
+      ikiwiki-full
+      imagemagick
+      jhead
+      ruby
+      sbcl
+      sourceHighlight
+
+      # Missing packages from tom
+      # blosxom
+      # pyblosxom
+      # mediawiki (TODO: do people host their own mediawikis in userweb?)
+      # nanoblogger
+
+      # Version control
+      cvs
+      rcs
+      git
+
+      # Compression/Archival
+      bzip2
+      gnutar
+      gzip
+      lz4
+      unzip
+      xz
+      zip
+      zstd
+
+      # Other tools you might expect to find on a normal system
       acl
-      aspell
-      autoconf
-      autotrash
-      bazel
-      bintools
-      bison
-      bsd-finger
-      catdoc
-      ccache
-      clang
-      cmake
       coreutils-full
       curl
-      devcontainer
       diffutils
-      emacs
-      # exiftags
-      exiftool
-      ffmpeg
       file
       findutils
       gawk
-      gcc
-      glibc
       gnugrep
       gnumake
       gnupg
-      gnuplot
       gnused
-      gnutar
-      gzip
-      html-tidy
-      imagemagick
-      inetutils
-      iproute2
-      jhead
       less
-      libgcc
-      lndir
-      mailutils
-      man # TODO: does this one want a mandb instance?
-      meson
-      more
-      mpc
-      mpi
-      mplayer
-      ninja
-      nix
-      openssh
-      openssl
-      patchelf
-      pkg-config
-      ppp
-      procmail
-      procps
-      qemu
-      rc
-      rhash
-      rsync
-      ruby # TODO: does this one want systemwide packages?
-      salt
-      sccache
-      sourceHighlight
-      spamassassin
-      strace
-      subversion
-      system-sendmail
-      systemdMinimal
-      texliveMedium
-      tmux
-      unzip
+      man
       util-linux
-      valgrind
       vim
       wget
       which
-      wine
       xdg-utils
-      zip
-      zstd
     ];
 
     extraOutputsToInstall = [
@@ -175,6 +155,10 @@ let
   };
 in
 {
+  imports = [
+    ./mail.nix
+  ];
+
   services.httpd = {
     enable = true;
     adminAddr = "drift@pvv.ntnu.no";
@@ -231,6 +215,25 @@ in
           AllowOverride All
           Require all granted
         </Directory>
+
+        <DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
+          "\\.git"
+          "\\.hg"
+          "\\.svn"
+          "\\.ssh"
+          "\\.env"
+          "\\.envrc"
+          "\\.bzr"
+          "\\.venv"
+          "CVS"
+          "RCS"
+          ".*\\.swp"
+          ".*\\.bak"
+          ".*~"
+        ]})(/|$)">
+            AllowOverride All
+            Require all denied
+        </DirectoryMatch>
       '';
     };
   };

hosts/temmie/services/userweb/mail.nix

@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix.enable = lib.mkForce false;
+
+  services.nullmailer = {
+    enable = true;
+    config = {
+      me = config.networking.fqdn;
+      remotes = "mail.pvv.ntnu.no smtp --port=25";
+    };
+  };
+
+  systemd.sockets.userweb-sendmail-sandbox-proxy = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
+    socketConfig = {
+      # Accept = true;
+      SocketUser = "httpd";
+      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
+      SocketMode = "0660";
+    };
+  };
+
+  systemd.services.userweb-sendmail-sandbox-proxy = {
+    serviceConfig = {
+      User = "root";
+      Group = "root";
+      Sockets = [
+        "userweb-sendmail-sandbox-proxy.socket"
+      ];
+      ExecStart = "${lib.getExe pkgs.hello}";
+    };
+  };
+}

packages/mediawiki-extensions/update-mediawiki-extensions.py

@@ -83,7 +83,7 @@ def get_newest_commit(project_name: str, tracking_branch: str) -> str:
     content = requests.get(f"{BASE_WEB_URL}/{project_name}/+log/refs/heads/{tracking_branch}/").text
     soup = bs4.BeautifulSoup(content, features="html.parser")
     try:
-        a = soup.find('li').findChild('a')
+        a = soup.find('li').find('a')
         commit_sha = a['href'].split('/')[-1]
     except AttributeError:
         print(f"ERROR: Could not parse page for {project_name}:")