nixos/roundcube: don't use the default and insecure des_key

The php installer creates a random one, but we bypass it, so we have
to create one ourselves.

This should be backward compatible as encryption is used for session
cookies only: users at the time of the upgrade will be logged out but
nothing more.

259b7fa065/config/config.inc.php.sample (L73)
This commit is contained in:
Symphorien Gibol 2020-01-05 12:00:00 +00:00
parent 52cf727a53
commit b6e6bec57c

View File

@ -107,6 +107,7 @@ in
$config['log_driver'] = 'syslog';
$config['max_message_size'] = '25M';
$config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
$config['des_key'] = file_get_contents('/var/lib/roundcube/des_key');
${cfg.extraConfig}
'';
@ -190,12 +191,21 @@ in
${psql} -f ${cfg.package}/SQL/postgres.initial.sql
fi
if [ ! -f /var/lib/roundcube/des_key ]; then
base64 /dev/urandom | head -c 24 > /var/lib/roundcube/des_key;
# we need to log out everyone in case change the des_key
# from the default when upgrading from nixos 19.09
${psql} <<< 'TRUNCATE TABLE session;'
fi
${pkgs.php}/bin/php ${cfg.package}/bin/update.sh
'';
serviceConfig = {
Type = "oneshot";
StateDirectory = "roundcube";
User = if localDB then user else "nginx";
# so that the des_key is not world readable
StateDirectoryMode = "0700";
};
}
];