From 7e834b0add5f480e0994cec6d8137db5c35d72e9 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Mon, 26 Sep 2022 08:19:50 +0100
Subject: [PATCH] Run a php-hardened roundcube

---
 passwords.mail.yml           | 2 ++
 roles/mail/tasks/backend.yml | 5 +++++
 services.mail.yml            | 3 ++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/passwords.mail.yml b/passwords.mail.yml
index 9c5171cc..0757bf65 100644
--- a/passwords.mail.yml
+++ b/passwords.mail.yml
@@ -11,6 +11,8 @@
   description: Encryption key for Roundcube sessions
   type: binary
   length: 24
+- name: roundcube_snuffleupagus_secret
+  length: 36
 
 - name: spamassassin_db_password
   description: MySQL password for the Spamassassin user
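Review bot: The new `roundcube_snuffleupagus_secret` entry carries only a `length`, while the sibling entry just above documents itself with `description` and `type`, so a reader of passwords.mail.yml cannot tell what consumes this secret or why it exists. Add `description: Secret key for the Snuffleupagus PHP hardening module used by Roundcube (sp.global.secret_key)`. With no `type` the generator's default alphabet applies, which this hunk does not show; the value is interpolated inside a double-quoted `sp.global.secret_key("...")` string in the rules file by the same patch, so if the default can emit `"` or `\` an explicit `type` (or a binary/hex type like the session key's) is needed to keep the rule parseable. Keep the blank line that separates the other entries for consistency.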
diff --git a/roles/mail/tasks/backend.yml b/roles/mail/tasks/backend.yml
index b5be64c4..d45c8845 100644
--- a/roles/mail/tasks/backend.yml
+++ b/roles/mail/tasks/backend.yml
@@ -317,6 +317,11 @@
   with_filetree: "templates/roundcube/"
   when: item.state == 'file'
 
+- name: Install Roundcube Snuffleupagus config
+  copy:
+    content: 'sp.global.secret_key("{{ roundcube_snuffleupagus_secret }}");\n'
+    dest: "/etc/roundcube/snuffleupagus.conf"
+
 - name: Install default empty sieve filter for Roundcube
   copy:
     src: empty.sieve
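Review bot: The single-quoted `content` on the new `copy` task writes a literal backslash-n into /etc/roundcube/snuffleupagus.conf, because YAML single quotes do not process `\n` escapes and Jinja templating does not either; the rules file will end with the four characters `);\n` instead of a newline, which the Snuffleupagus rule parser is likely to reject. A block scalar avoids both the escape and the inner quoting problem: `content: |` followed on the next line by `  sp.global.secret_key("{{ roundcube_snuffleupagus_secret }}");`. The task also sets no `mode` or `owner`, so the file holding the secret key gets umask-derived default permissions (typically 0644); add `mode: "0600"` together with the owner the container process reads it as — not visible in this hunk — and consider `no_log: true` so the key does not show up in task output or `--diff` runs.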
diff --git a/services.mail.yml b/services.mail.yml
index e810a793..2e16a41f 100644
--- a/services.mail.yml
+++ b/services.mail.yml
@@ -43,10 +43,11 @@ mail-backend:
     - name: keystore
   containers:
     - name: http
-      image: registry.git.autistici.org/ai3/docker/roundcube:master
+      image: registry.git.autistici.org/ai3/docker/roundcube:hardening
       port: 8084
       volumes:
         - /etc/roundcube: /etc/roundcube
+        - /etc/roundcube/snuffleupagus.conf: /etc/php/snuffleupagus/roundcube.rules
         - /etc/sso/public.key: /etc/sso/public.key
         - /var/lib/roundcube: /data
       env:
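Review bot: The new bind mount `/etc/roundcube/snuffleupagus.conf: /etc/php/snuffleupagus/roundcube.rules` relies on the host file existing before the container starts; with Docker-style bind mounts a missing source path is created as an empty directory, which would silently leave the container without its secret_key rule rather than failing loudly. The same file is already reachable inside the container through the whole-directory `/etc/roundcube` mount, so it now appears at two paths — fine if the image only reads the `/etc/php/snuffleupagus/roundcube.rules` path, but worth a comment such as `# written by roles/mail/tasks/backend.yml; must exist before the container starts`. The `hardening` tag is a mutable branch reference like `master` before it, so this is not a regression, but a release tag or digest would make the hardened build reproducible; whether this volume syntax accepts a read-only flag for the rules file is not visible here.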
-- 
GitLab