WIP: temmie/userweb: use IPC to proxy sendmail requests out of sandbox

hosts/bekkalokk/services/mediawiki/default.nix

@@ -210,8 +210,6 @@ in {
 
       # EXT:WikiEditor
       $wgWikiEditorRealtimePreview = true;
-
-      $wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
     '';
   };
 
@@ -275,6 +273,8 @@ in {
   systemd.services.mediawiki-init = lib.mkIf cfg.enable {
     after = [ "sops-install-secrets.service" ];
     serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
       UMask = lib.mkForce "0007";
     };
   };
@@ -282,6 +282,8 @@ in {
   systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
     after = [ "sops-install-secrets.service" ];
     serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
       UMask = lib.mkForce "0007";
     };
   };

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -19,7 +19,7 @@ in {
     locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
   };
 
-  fileSystems."/var/lib/private/uptime-kuma" = {
+  fileSystems."/var/lib/uptime-kuma" = {
     device = stateDir;
     fsType = "bind";
     options = [ "bind" ];

hosts/kommode/services/gitea/default.nix

@@ -228,9 +228,14 @@ in {
       };
     in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
 
-    # Only keep a single backup file at a time.
+    # Only keep n backup files at a time
-    postStop = ''
+    postStop = let
-      ${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
+      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
-    '';
+      backupCount = 3;
+    in ''
+      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
+        ${cu "rm"} "$file"
+      done
+      '';
   };
 }

hosts/temmie/services/userweb/mail.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   services.postfix.enable = lib.mkForce false;
 
@@ -9,4 +9,26 @@
       remotes = "mail.pvv.ntnu.no smtp --port=25";
     };
   };
+
+  systemd.sockets.userweb-sendmail-sandbox-proxy = {
+    wantedBy = [ "sockets.target" ];
+    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
+    socketConfig = {
+      # Accept = true;
+      SocketUser = "httpd";
+      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
+      SocketMode = "0660";
+    };
+  };
+
+  systemd.services.userweb-sendmail-sandbox-proxy = {
+    serviceConfig = {
+      User = "root";
+      Group = "root";
+      Sockets = [
+        "userweb-sendmail-sandbox-proxy.socket"
+      ];
+      ExecStart = "${lib.getExe pkgs.hello}";
+    };
+  };
 }