WIP: temmie/userweb: use bro to proxy sendmail requests out of sandbox

2026-05-25 07:41:13 +02:00 · 2026-05-25 13:56:46 +09:00
3 changed files with 122 additions and 20 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,27 @@
 {
  "nodes": {
    "bro": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
        "lastModified": 1779629827,
        "narHash": "sha256-nrlB50/oelB8oFx9DhOoXI5z0VoTZGEA6XxYvkvpqDA=",
        "ref": "main",
        "rev": "7d0f35e12e4dec39f981c08fc33515589f41f4a5",
        "revCount": 3,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
      }
    },
    "crane": {
      "locked": {
        "lastModified": 1776635034,
@@ -101,7 +123,7 @@
        "nixpkgs": [
          "nixpkgs-unstable"
        ],
-        "rust-overlay": "rust-overlay"
+        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
        "lastModified": 1777019032,
@@ -165,7 +187,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_2"
+        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
        "lastModified": 1767906976,
@@ -352,6 +374,7 @@
    },
    "root": {
      "inputs": {
        "bro": "bro",
        "dibbler": "dibbler",
        "disko": "disko",
        "gergle": "gergle",
@@ -377,7 +400,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_3"
+        "rust-overlay": "rust-overlay_4"
      },
      "locked": {
        "lastModified": 1778600367,
@@ -396,6 +419,27 @@
      }
    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
          "bro",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1779419951,
        "narHash": "sha256-dMX0PUslUHPajP6o8FEoRdFv9afq/dec4POR0vVfjK4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "5b5c521d6cae9ef4aa32f888eb2c0ce595c9be52",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "rust-overlay_2": {
      "inputs": {
        "nixpkgs": [
          "greg-ng",
@@ -416,7 +460,7 @@
        "type": "github"
      }
    },
-    "rust-overlay_2": {
+    "rust-overlay_3": {
      "inputs": {
        "nixpkgs": [
          "minecraft-heatmap",
@@ -437,7 +481,7 @@
        "type": "github"
      }
    },
-    "rust-overlay_3": {
+    "rust-overlay_4": {
      "inputs": {
        "nixpkgs": [
          "roowho2",
--- a/flake.nix
+++ b/flake.nix
@@ -47,6 +47,9 @@
    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
    qotd.inputs.nixpkgs.follows = "nixpkgs";
    bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
    bro.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = {
@@ -214,7 +217,14 @@
        };
        shark = stableNixosConfig "shark" {};
        wenche = stableNixosConfig "wenche" {};
-        temmie = stableNixosConfig "temmie" {};
+        temmie = stableNixosConfig "temmie" {
          overlays = [
            inputs.bro.overlays.default
          ];
          modules = [
            inputs.bro.nixosModules.default
          ];
        };
        gluttony = stableNixosConfig "gluttony" {
          overlays = [
            (final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
--- a/hosts/temmie/services/userweb/mail.nix
+++ b/hosts/temmie/services/userweb/mail.nix
@@ -10,25 +10,73 @@
    };
  };
-  systemd.sockets.userweb-sendmail-sandbox-proxy = {
+  services.bro = {
-    wantedBy = [ "sockets.target" ];
+    enable = true;
-    listenStreams = [ "/run/userweb-sendmail-sandbox-proxy.sock" ];
+
-    socketConfig = {
+    instances.userweb-sendmail = {
-      # Accept = true;
+      enable = true;
-      SocketUser = "httpd";
+
-      SocketGroup = "httpd"; # TODO: is wwwrun(54) in this group?
+      client = {
-      SocketMode = "0660";
+        settings.BRO_FILE_FLAGS = [
          "-C"
        ];
      };
      server = {
        settings = {
          executable = lib.getExe pkgs.system-sendmail;
          # allowed-env = [  ];
        };
      };
    };
  };
-  systemd.services.userweb-sendmail-sandbox-proxy = {
+  environment.systemPackages = [
-    serviceConfig = {
+    (config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
-      User = "root";
+      postInstall = (prev.postInstall or "") + ''
-      Group = "root";
+        mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
-      Sockets = [
+      '';
-        "userweb-sendmail-sandbox-proxy.socket"
+    }))
  ];
-      ExecStart = "${lib.getExe pkgs.hello}";
+
  systemd.services.bro-userweb-sendmail = {
    serviceConfig = {
      User = "nobody";
      Group = "nobody";
      AmbientCapabilities = "";
      CapabilityBoundingSet = "";
      NoNewPrivileges = false;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateUsers = false;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [
        "AF_UNIX"
        "AF_INET"
        "AF_INET6"
        "AF_NETLINK"
      ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      PrivateMounts = true;
      ProcSubset = "pid";
      ProtectProc = "invisible";
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      UMask = "0027";
      SystemCallArchitectures = "native";
      # SystemCallFilter = [
      # ];
    };
  };
 }