Run a php-hardened roundcube

passwords.mail.yml

@@ -11,6 +11,8 @@
   description: Encryption key for Roundcube sessions
   type: binary
   length: 24
+- name: roundcube_snuffleupagus_secret
+  length: 36
 
 - name: spamassassin_db_password
   description: MySQL password for the Spamassassin user

roles/mail/tasks/backend.yml

@@ -317,6 +317,11 @@
   with_filetree: "templates/roundcube/"
   when: item.state == 'file'
 
+- name: Install Roundcube Snuffleupagus config
+  copy:
+    content: 'sp.global.secret_key("{{ roundcube_snuffleupagus_secret }}");\n'
+    dest: "/etc/roundcube/snuffleupagus.conf"
+
 - name: Install default empty sieve filter for Roundcube
   copy:
     src: empty.sieve

services.mail.yml

@@ -43,10 +43,11 @@ mail-backend:
     - name: keystore
   containers:
     - name: http
-      image: registry.git.autistici.org/ai3/docker/roundcube:master
+      image: registry.git.autistici.org/ai3/docker/roundcube:hardening
       port: 8084
       volumes:
         - /etc/roundcube: /etc/roundcube
+        - /etc/roundcube/snuffleupagus.conf: /etc/php/snuffleupagus/roundcube.rules
         - /etc/sso/public.key: /etc/sso/public.key
         - /var/lib/roundcube: /data
       env: