diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index 36dda619ad06..0bb0eaedad50 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -5,6 +5,8 @@ with lib;
let
cfg = config.services.roundcube;
fpm = config.services.phpfpm.pools.roundcube;
+ localDB = cfg.database.host == "localhost";
+ user = cfg.database.username;
in
{
options.services.roundcube = {
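Review bot: `localDB` on the added line compares `cfg.database.host` with the literal string "localhost", so a host of "127.0.0.1", "::1" or a socket directory is treated as a remote database and goes down the password/`passwordFile` path, while the option descriptions elsewhere in this diff speak only of "localhost". That is probably intentional, but it is an easy thing to trip over, so the binding deserves a comment such as `# exactly "localhost" selects the local-postgresql mode (unix user + peer auth); any other value, including 127.0.0.1, is treated as remote`. The `let` block continues outside the hunk, and `user` is a fairly generic name for a binding read in several later hunks; `dbUser` would make its role clearer where it is used.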
@@ -44,7 +46,10 @@ in
username = mkOption {
type = types.str;
default = "roundcube";
- description = "Username for the postgresql connection";
+ description = ''
+ Username for the postgresql connection.
+ If database.host is set to localhost, a unix user and group of the same name will be created as well.
+ '';
};
host = mkOption {
type = types.str;
@@ -58,7 +63,12 @@ in
};
password = mkOption {
type = types.str;
- description = "Password for the postgresql connection";
+ description = "Password for the postgresql connection. Do not use: the password will be stored world readable in the store; use passwordFile instead.";
+ default = "";
+ };
+ passwordFile = mkOption {
+ type = types.str;
+ description = "Password file for the postgresql connection. Must be readable by user nginx. Ignored if database.host is set to localhost, as peer authentication will be used.";
};
dbname = mkOption {
type = types.str;
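Review bot: `passwordFile` is declared as `types.str` with no default, yet its description says it is ignored when `database.host` is "localhost"; in that mode the only definition this diff adds (the `mkIf (!localDB && …)` in the config section) does not apply, so any evaluation of `cfg.database.passwordFile` that is not itself guarded by `!localDB` will fail with an "option used but not defined" error. If the consumers are all guarded that is fine, but it is fragile; `type = types.nullOr types.str;` with `default = null;` makes the "ignored" case explicit and lets the config assert that it is non-null when `!localDB`. The description could also say how the file should be protected, since it holds a credential read by the nginx user: `Must be readable by user nginx (ideally owned by nginx with mode 0400, outside the Nix store).`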
@@ -83,14 +93,22 @@ in
};
config = mkIf cfg.enable {
+ # backward compatibility: if password is set but not passwordFile, make one.
+ services.roundcube.database.passwordFile = mkIf (!localDB && cfg.database.password != "") (mkDefault ("${pkgs.writeText "roundcube-password" cfg.database.password}"));
+ warnings = lib.optional (!localDB && cfg.database.password != "") "services.roundcube.database.password is deprecated and insecure; use services.roundcube.database.passwordFile instead";
+
environment.etc."roundcube/config.inc.php".text = ''
/var/lib/roundcube/des_key;
+ # we need to log out everyone in case change the des_key
+ # from the default when upgrading from nixos 19.09
+ ${psql} <<< 'TRUNCATE TABLE session;'
fi
${pkgs.php}/bin/php ${cfg.package}/bin/update.sh
'';
- serviceConfig.Type = "oneshot";
+ serviceConfig = {
+ Type = "oneshot";
+ StateDirectory = "roundcube";
+ User = if localDB then user else "nginx";
+ # so that the des_key is not world readable
+ StateDirectoryMode = "0700";
+ };
}
];
};