public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/roundcube: don't use the default and insecure des_key 

The php installer creates a random one, but we bypass it, so we have
to create one ourselves.

This should be backward compatible as encryption is used for session
cookies only: users at the time of the upgrade will be logged out but
nothing more.

259b7fa065/config/config.inc.php.sample (L73)
This commit is contained in:
Symphorien Gibol 2020-01-05 12:00:00 +00:00
parent 52cf727a53
commit b6e6bec57c
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
nixos/modules/services/mail/roundcube.nix
View File

@ -107,6 +107,7 @@ in
$config['log_driver'] = 'syslog'; $config['log_driver'] = 'syslog';
$config['max_message_size'] = '25M'; $config['max_message_size'] = '25M';
$config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}]; $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
$config['des_key'] = file_get_contents('/var/lib/roundcube/des_key');
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
@ -190,12 +191,21 @@ in
${psql} -f ${cfg.package}/SQL/postgres.initial.sql ${psql} -f ${cfg.package}/SQL/postgres.initial.sql
fi fi
if [ ! -f /var/lib/roundcube/des_key ]; then
base64 /dev/urandom | head -c 24 > /var/lib/roundcube/des_key;
# we need to log out everyone in case change the des_key
# from the default when upgrading from nixos 19.09
${psql} <<< 'TRUNCATE TABLE session;'
fi
${pkgs.php}/bin/php ${cfg.package}/bin/update.sh ${pkgs.php}/bin/php ${cfg.package}/bin/update.sh
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
StateDirectory = "roundcube"; StateDirectory = "roundcube";
User = if localDB then user else "nginx"; User = if localDB then user else "nginx";
# so that the des_key is not world readable
StateDirectoryMode = "0700";
}; };
} }
]; ];