Fix secret permissions
[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / tools / roundcubemail.nix
index 877ea8b9cbf501f79bde2cc470601b104961f569..5fc34126e9fb4606aa19b6aa89e65d3ce6220f60 100644 (file)
-{ lib, env, writeText, stdenv, fetchurl }:
+{ lib, env, writeText, stdenv, fetchurl, fetchedGithub, phpPackages, apacheHttpd }:
 let
   roundcubemail = let
-    plugins = {};
+    defaultInstall = ''
+      mkdir -p $out
+      cp -R . $out/
+      cd $out
+      if [ -d skins -a -d skins/larry -a ! -d skins/elastic ]; then
+        ln -s larry skins/elastic
+      fi
+      '';
+    buildPlugin = { appName, version, url, sha256, installPhase ? defaultInstall }:
+      stdenv.mkDerivation rec {
+        name = "roundcube-${appName}-${version}";
+        inherit version;
+        phases = "unpackPhase installPhase";
+        inherit installPhase;
+        src = fetchurl { inherit url sha256; };
+      };
+    plugins = {
+      carddav = buildPlugin rec {
+        appName = "carddav";
+        version = "3.0.3";
+        url = "https://github.com/blind-coder/rcmcarddav/releases/download/v${version}/${appName}-${version}.tar.bz2";
+        sha256 = "0cf5rnqkhhag2vdy808zfpr4l5586fn43nvcia8ac1ha58azrxal";
+      };
+      contextmenu = buildPlugin rec {
+        appName = "contextmenu";
+        version = "2.3";
+        url = "https://github.com/johndoh/roundcube-${appName}/archive/${version}.tar.gz";
+        sha256 = "1rb8n821ylfniiiccfskc534vd6rczhk3g82455ks3m09q6l8hif";
+      };
+      contextmenu_folder = buildPlugin rec {
+        appName = "contextmenu_folder";
+        version = "1.3.3";
+        url = "https://github.com/random-cuber/${appName}/archive/${version}.tar.gz";
+        sha256 = "1ngfws1v8qrpa52rjh7kirc98alchk2vbqwra86h00agyjjlcc57";
+      };
+      automatic_addressbook = buildPlugin rec {
+        appName = "automatic_addressbook";
+        version = "0.4.3";
+        url = "https://github.com/sblaisot/${appName}/archive/${version}.tar.gz";
+        sha256 = "0bx5qjzp3a3wc72fr295bvgsy5n15949c041hq76n6c7sqdn7inc";
+      };
+      message_highlight = buildPlugin rec {
+        appName = "message_highlight";
+        version = "4.4";
+        url = "https://github.com/corbosman/${appName}/archive/${version}.tar.gz";
+        sha256 = "12c4x47y70xdl5pgm8csh5i4yiyhpi232lvjbixmca6di4lkhh9j";
+      };
+      thunderbird_labels = buildPlugin rec {
+        appName = "thunderbird_labels";
+        version = "v1.3.2";
+        url = "https://github.com/mike-kfed/roundcube-${appName}/archive/${version}.tar.gz";
+        sha256 = "1q4x30w66m02v3lw2n8020g0158rmyfzs6gydfk89pa1hs28k9bg";
+      };
+      html5_notifier = buildPlugin rec {
+        appName = "html5_notifier";
+        version = "v0.6.2";
+        url = "https://github.com/stremlau/${appName}/archive/${version}.tar.gz";
+        sha256 = "0s1wq9ira4bcd8jvhn93nhxiqzpp92i0za2kw37kf7ksyhr0xslq";
+      };
+      ident_switch = buildPlugin rec {
+        appName = "ident_switch";
+        version = "4.0.1";
+        url = "https://bitbucket.org/BoresExpress/${appName}/get/${version}.tar.gz";
+        sha256 = "1zyy40lfq2kn7hkghbl8lgp18fb634zr4fxmmxvb1wqyvqdpdpyk";
+      };
+    };
+    skins = {};
   in rec {
     varDir = "/var/lib/roundcubemail";
     activationScript = {
       deps = [ "wrappers" ];
       text = ''
         install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-          ${varDir}/cache
+          ${varDir}/cache ${varDir}/logs
         install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
       '';
     };
-    config = writeText "config.php" ''
-      <?php
-        $config['db_dsnw'] = '${env.psql_url}';
-        $config['default_host'] = 'ssl://mail.immae.eu';
-        $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
-        $config['smtp_server'] = 'tls://mail.immae.eu';
+    keys.tools-roundcube = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0400";
+      text = ''
+        <?php
+          $config['db_dsnw'] = '${env.psql_url}';
+          $config['default_host'] = 'ssl://mail.immae.eu';
+          $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
+          $config['smtp_server'] = 'tls://mail.immae.eu';
+          $config['smtp_port'] = '25';
+          $config['managesieve_host'] = 'mail.immae.eu';
+          $config['managesieve_port'] = '4190';
+          $config['managesieve_usetls'] = true;
+          $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
+
+          $config['imap_cache'] = 'db';
+          $config['messages_cache'] = 'db';
 
-        $config['imap_cache'] = 'db';
-        $config['messages_cache'] = 'db';
+          $config['support_url'] = ''';
 
-        $config['support_url'] = ''';
+          $config['des_key'] = '${env.secret}';
 
-        $config['des_key'] = '${env.secret}';
+          $config['skin'] = 'elastic';
+          $config['plugins'] = array(
+            'attachment_reminder',
+            'emoticons',
+            'filesystem_attachments',
+            'hide_blockquote',
+            'identicon',
+            'identity_select',
+            'jqueryui',
+            'managesieve',
+            'newmail_notifier',
+            'vcard_attachments',
+            'zipdownload',
 
-        $config['plugins'] = array();
+            'automatic_addressbook',
+            'message_highlight',
+            'carddav',
+            // Ne marche pas ?: 'ident_switch',
+            // Ne marche pas ?: 'thunderbird_labels',
+          );
 
-        $config['language'] = 'fr_FR';
+          $config['language'] = 'fr_FR';
 
-        $config['drafts_mbox'] = 'Mail/Drafts';
-        $config['junk_mbox'] = 'Mail/Spam';
-        $config['sent_mbox'] = 'Mail/sent';
-        $config['trash_mbox'] = ''';
-        $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
-        $config['draft_autosave'] = 60;
-        $config['enable_installer'] = false;
-        $config['log_driver'] = 'stdout';
-        $config['temp_dir'] = '${varDir}/cache';
-        $config['debug_level'] = 1;
+          $config['drafts_mbox'] = 'Mail/Drafts';
+          $config['junk_mbox'] = 'Mail/Spam';
+          $config['sent_mbox'] = 'Mail/sent';
+          $config['trash_mbox'] = ''';
+          $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
+          $config['draft_autosave'] = 60;
+          $config['enable_installer'] = false;
+          $config['log_driver'] = 'file';
+          $config['temp_dir'] = '${varDir}/cache';
+          $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
       '';
+    };
     webRoot = stdenv.mkDerivation rec {
-      version = "1.3.8";
+      version = "1.4-rc1";
       name = "roundcubemail-${version}";
       src= fetchurl {
         url = "https://github.com/roundcube/roundcubemail/releases/download/${version}/${name}-complete.tar.gz";
-        sha256 = "018djad7ygfl9c9f2l2j42qkg31ml3hs2f01f0dk361zckwk77n4";
+        sha256 = "0p18wffwi2prh6vxhx1bc69qd1vwybggm8gvg3shahfdknxci9i4";
       };
       buildPhase = ''
         sed -i \
           -e "s|RCUBE_INSTALL_PATH . 'temp.*|'${varDir}/cache';|" \
           config/defaults.inc.php
+        sed -i \
+          -e "s|RCUBE_INSTALL_PATH . 'logs.*|'${varDir}/logs';|" \
+          config/defaults.inc.php
       '';
       installPhase = ''
         cp -a . $out
-        ln -s ${config} $out/config/config.inc.php
+        ln -s /run/keys/webapps/tools-roundcube $out/config/config.inc.php
         ${builtins.concatStringsSep "\n" (
           lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins
         )}
+        ${builtins.concatStringsSep "\n" (
+          lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/skins/${name}") skins
+        )}
       '';
     };
-    apache = {
+    apache = rec {
       user = "wwwrun";
       group = "wwwrun";
       modules = [ "proxy_fcgi" ];
+      webappName = "tools_roundcubemail";
+      root = "/run/current-system/webapps/${webappName}";
       vhostConf = ''
-      Alias /roundcube "${webRoot}"
-      <Directory "${webRoot}">
+      Alias /roundcube "${root}"
+      <Directory "${root}">
           DirectoryIndex index.php
           AllowOverride All
           Options FollowSymlinks
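Review bot: The added `managesieve_conn_options` line sets `verify_peer` to false, so the ManageSieve TLS session to mail.immae.eu is encrypted but not authenticated, and that session normally carries the user's mail credentials. The `imap_conn_options` line carried over from the old config has the same setting. Because the server is addressed by a fixed hostname, verification can be turned on, e.g. `$config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => true, "verify_peer_name" => true));`, with a `cafile` entry added if the certificate is issued by a private CA. If the mail server is the same machine and the traffic never leaves it, a comment saying so would document the exception. The `vhostConf` string at the end of this hunk continues outside it.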
@@ -80,9 +184,15 @@ let
         '';
     };
     phpFpm = rec {
+      serviceDeps = [ "postgresql.service" "tools-roundcube-key.service" ];
       basedir = builtins.concatStringsSep ":" (
-        [ webRoot config varDir ]
-        ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
+        [ webRoot "/run/keys/webapps/tools-roundcube" varDir ]
+        ++ lib.attrsets.mapAttrsToList (name: value: value) plugins
+        ++ lib.attrsets.mapAttrsToList (name: value: value) skins);
+      phpConfig = ''
+        date.timezone = 'CET'
+        extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
+        '';
       socket = "/var/run/phpfpm/roundcubemail.sock";
       pool = ''
         listen = ${socket}
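Review bot: The key path `/run/keys/webapps/tools-roundcube` is written out literally in the `basedir` list here and again in the `ln -s` line of `installPhase`, while `keys.tools-roundcube` defines it a third time through `destDir` and the attribute name, so the three can drift apart. Binding it once in the enclosing `rec` set, for example `configFile = "${keys.tools-roundcube.destDir}/tools-roundcube";`, and using `${configFile}` in both places would keep the open_basedir entry and the symlink target tied to where the secret is written. This assumes the key's file name is derived from the attribute name, which the visible lines do not show. The `pool` string that closes this hunk continues outside it.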
@@ -96,7 +206,9 @@ let
 
         ; Needed to avoid clashes in browser cookies (same domain)
         php_value[session.name] = RoundcubemailPHPSESSID
-        php_admin_value[open_basedir] = "${basedir}:/tmp"
+        php_admin_value[upload_max_filesize] = 200M
+        php_admin_value[post_max_size] = 200M
+        php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"
         php_admin_value[session.save_path] = "${varDir}/phpSessions"
         '';
     };
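Review bot: `upload_max_filesize` and `post_max_size` are both set to 200M, but PHP requires `post_max_size` to be larger than `upload_max_filesize` for an upload of the full size to succeed, since the POST body also carries the multipart framing and other fields; something like `php_admin_value[post_max_size] = 210M` would make the stated limit reachable. These limits also apply to every request reaching this pool before Roundcube checks the session, so each client request can make PHP spool up to 200M to its upload temp directory. A request-body cap in the Apache vhost or a lower value would bound that, if 200M attachments are not actually needed. The earlier part of the `pool` string lies outside this hunk, so any existing limits there are not visible.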