From b6e6bec57c7ad457ae90a809a9a064b879c7e5f2 Mon Sep 17 00:00:00 2001 From: Symphorien Gibol Date: Sun, 5 Jan 2020 12:00:00 +0000 Subject: nixos/roundcube: don't use the default and insecure des_key The php installer creates a random one, but we bypass it, so we have to create one ourselves. This should be backward compatible as encryption is used for session cookies only: users at the time of the upgrade will be logged out but nothing more. https://github.com/roundcube/roundcubemail/blob/259b7fa0650fea9320b38cb17c4e80497acae7a3/config/config.inc.php.sample#L73 --- nixos/modules/services/mail/roundcube.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix index b064c717958..22c14666a3a 100644 --- a/nixos/modules/services/mail/roundcube.nix +++ b/nixos/modules/services/mail/roundcube.nix @@ -107,6 +107,7 @@ in $config['log_driver'] = 'syslog'; $config['max_message_size'] = '25M'; $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}]; + $config['des_key'] = file_get_contents('/var/lib/roundcube/des_key'); ${cfg.extraConfig} ''; @@ -190,12 +191,21 @@ in ${psql} -f ${cfg.package}/SQL/postgres.initial.sql fi + if [ ! -f /var/lib/roundcube/des_key ]; then + base64 /dev/urandom | head -c 24 > /var/lib/roundcube/des_key; + # we need to log out everyone in case change the des_key + # from the default when upgrading from nixos 19.09 + ${psql} <<< 'TRUNCATE TABLE session;' + fi + ${pkgs.php}/bin/php ${cfg.package}/bin/update.sh ''; serviceConfig = { Type = "oneshot"; StateDirectory = "roundcube"; User = if localDB then user else "nginx"; + # so that the des_key is not world readable + StateDirectoryMode = "0700"; }; } ]; -- cgit 1.4.1