nixos/roundcube: don't use the default and insecure des_key

The php installer creates a random one, but we bypass it, so we have to create one ourselves. This should be backward compatible as encryption is used for session cookies only: users at the time of the upgrade will be logged out but nothing more. 259b7fa065/config/config.inc.php.sample (L73)
2024-11-16 14:54:29 +01:00 · 2020-01-05 12:00:00 +00:00 · 2020-01-05 12:00:00 +00:00 · b6e6bec57c
commit b6e6bec57c
parent 52cf727a53
1 changed files with 10 additions and 0 deletions
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@ -107,6 +107,7 @@ in
      $config['log_driver'] = 'syslog';
      $config['max_message_size'] = '25M';
      $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
+      $config['des_key'] = file_get_contents('/var/lib/roundcube/des_key');
      ${cfg.extraConfig}
    '';

@ -190,12 +191,21 @@ in
            ${psql} -f ${cfg.package}/SQL/postgres.initial.sql
          fi

+          if [ ! -f /var/lib/roundcube/des_key ]; then
+            base64 /dev/urandom | head -c 24 > /var/lib/roundcube/des_key;
+            # we need to log out everyone in case change the des_key
+            # from the default when upgrading from nixos 19.09
+            ${psql} <<< 'TRUNCATE TABLE session;'
+          fi
+
          ${pkgs.php}/bin/php ${cfg.package}/bin/update.sh
        '';
        serviceConfig = {
          Type = "oneshot";
          StateDirectory = "roundcube";
          User = if localDB then user else "nginx";
+          # so that the des_key is not world readable
+          StateDirectoryMode = "0700";
        };
      }
    ];