author | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2020-01-05 12:00:00 +0000 |
---|---|---|
committer | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2020-01-18 16:12:50 +0100 |
commit | b6e6bec57c7ad457ae90a809a9a064b879c7e5f2 (patch) | |
tree | 9e07ec4951ab8b1c69c60ff7abf27d9775457edd /nixos | |
parent | 52cf727a53ff1805da0da9ef86ecc27e20c3d335 (diff) | |
nixos/roundcube: don't use the default and insecure des_key
The php installer creates a random one, but we bypass it, so we have to create one ourselves. This should be backward compatible as encryption is used for session cookies only: users at the time of the upgrade will be logged out but nothing more. https://github.com/roundcube/roundcubemail/blob/259b7fa0650fea9320b38cb17c4e80497acae7a3/config/config.inc.php.sample#L73
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/mail/roundcube.nix | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index b064c717958..22c14666a3a 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -107,6 +107,7 @@ in
 $config['log_driver'] = 'syslog';
 $config['max_message_size'] = '25M';
 $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
+ $config['des_key'] = file_get_contents('/var/lib/roundcube/des_key');
 ${cfg.extraConfig}
 '';

@@ -190,12 +191,21 @@ in
 ${psql} -f ${cfg.package}/SQL/postgres.initial.sql
 fi

+ if [ ! -f /var/lib/roundcube/des_key ]; then
+ base64 /dev/urandom | head -c 24 > /var/lib/roundcube/des_key;
+ # we need to log out everyone in case change the des_key
+ # from the default when upgrading from nixos 19.09
+ ${psql} <<< 'TRUNCATE TABLE session;'
+ fi
+
 ${pkgs.php}/bin/php ${cfg.package}/bin/update.sh
 '';
 serviceConfig = {
 Type = "oneshot";
 StateDirectory = "roundcube";
 User = if localDB then user else "nginx";
+ # so that the des_key is not world readable
+ StateDirectoryMode = "0700";
 };
 }
 ]; |
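Review bot: The result of `file_get_contents` in the added `$config['des_key']` line is used unchecked, so a missing or unreadable key file yields `false` and the configuration would continue with an empty key instead of failing. I would follow it with a fail-closed guard such as `if (strlen((string) $config['des_key']) !== 24) { throw new Exception('roundcube: des_key missing or malformed'); }`, where 24 is the length the setup script in the second hunk writes. Whether the PHP worker runs as the same user that owns the 0700 state directory is not visible in this diff, so the unreadable case is worth ruling out explicitly. The generated config string begins and ends outside the hunk.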
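Review bot: The key file in the added `if [ ! -f /var/lib/roundcube/des_key ]` block is created with the script's ambient umask and written in place, so its confidentiality rests only on `StateDirectoryMode = "0700"`, and an interrupted run can leave an empty or short file that the `-f` test accepts on every later start. I would test with `[ ! -s /var/lib/roundcube/des_key ]`, run the generation under `umask 077`, and write to a temporary name in the same directory followed by `mv`, so that a complete, owner-only key appears atomically. The comment above the `TRUNCATE` would read more clearly as `# log everyone out, because the des_key changes from the default when upgrading from NixOS 19.09`. The setup script and the service definition both start outside the hunk.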