From 2af4a9bc09bccb74cda5eefb98193b4bbbb0eba5 Mon Sep 17 00:00:00 2001
From: Andreas Brinner
Date: Sun, 23 Apr 2023 11:35:04 +0200
Subject: nixos/roundcube: fix PostgreSQL password Extract PostgreSQL database password for Roundcube from .pgpass file. The password file is used in two locations: 1. in the Roundcube config.php 2. in the systemd setup service that initializes the roundcube database These two services need the password in different formats. Keep the password file in PostgreSQL standard format and extract the password for the Roundcube config (see #215986).
---
 nixos/modules/services/mail/roundcube.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index 3aaec145930db..70ec3707dc187 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -123,7 +123,15 @@ in
 environment.etc."roundcube/config.inc.php".text = ''
Date: Sun, 23 Apr 2023 12:16:43 +0200
Subject: nixos/roundcube: fix roundcube-setup start When using Roundcube with a non local PostgreSQL database wait for network start before running roundcube-setup.service Otherwise the database is not reachable and the service fails.
---
 nixos/modules/services/mail/roundcube.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'nixos')
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index 70ec3707dc187..09c31181491cb 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -231,6 +231,7 @@ in
 path = [ config.services.postgresql.package ];
 })
 {
+ after = [ "network-online.target" ];
 wantedBy = [ "multi-user.target" ];
 script = let
 psql = "${lib.optionalString (!localDB) "PGPASSFILE=${cfg.database.passwordFile}"} ${pkgs.postgresql}/bin/psql ${lib.optionalString (!localDB) "-h ${cfg.database.host} -U ${cfg.database.username} "} ${cfg.database.dbname}";
-- cgit 1.4.1
From 78fb35ce39b9f4db45999457c170f65ed153f3eb Mon Sep 17 00:00:00 2001
From: Andreas Brinner
Date: Sun, 23 Apr 2023 14:05:40 +0200
Subject: nixos/roundcube: extend documentation for passwordFile The passwordFile must be formatted correctly. Added some information about how the file content should look like.
---
 nixos/modules/services/mail/roundcube.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index 09c31181491cb..ecf4d3ebc4d84 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -70,7 +70,11 @@ in
 };
 passwordFile = mkOption {
 type = types.str;
- description = lib.mdDoc "Password file for the postgresql connection. Must be readable by user `nginx`. Ignored if `database.host` is set to `localhost`, as peer authentication will be used.";
+ description = lib.mdDoc ''
+ Password file for the postgresql connection.
+ Must be formated according to PostgreSQL .pgpass standard (see https://www.postgresql.org/docs/current/libpq-pgpass.html)
+ and readable by user `nginx`. Ignored if `database.host` is set to `localhost`, as peer authentication will be used.
+ '';
 };
 dbname = mkOption {
 type = types.str;
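Review bot: The added `after = [ "network-online.target" ];` only orders roundcube-setup relative to the target and does not pull the target in, so if nothing else wants network-online.target the unit can still run before the network is up. systemd's guidance is to pair the ordering with a Wants= dependency, e.g. `wants = [ "network-online.target" ];` next to the new line. The commit message limits the need to a non-local database, but no `!localDB` condition around the new line is visible in this hunk, so it may be worth making both settings conditional. The attribute set continues past the end of the hunk.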
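Review bot: The new `passwordFile` description in the @@ -70,7 +70,11 @@ hunk says the file must be readable by `nginx` but leaves out the permission rule libpq enforces: a password file that is accessible to group or world is ignored, which affects the `PGPASSFILE` path that roundcube-setup hands to psql. I would add a sentence such as `The file must be owned by nginx with mode 0600 and should not be placed in the world-readable Nix store.` Also, `formated` should read `formatted`; the same spelling is carried into the later @@ -73,7 +73,8 @@ hunk.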
@@ -124,8 +128,6 @@ in
Date: Sun, 23 Apr 2023 20:28:00 +0200
Subject: nixos/roundcube: read only first line of password file Only read the first line of the password file, if has multiple lines. Mention that behaviour in options documentation.
---
 nixos/modules/services/mail/roundcube.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index ecf4d3ebc4d84..b9cf526b0bbe2 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -73,7 +73,8 @@ in
 description = lib.mdDoc ''
 Password file for the postgresql connection.
 Must be formated according to PostgreSQL .pgpass standard (see https://www.postgresql.org/docs/current/libpq-pgpass.html)
- and readable by user `nginx`. Ignored if `database.host` is set to `localhost`, as peer authentication will be used.
+ but only one line, no comments and readable by user `nginx`.
+ Ignored if `database.host` is set to `localhost`, as peer authentication will be used.
 '';
 };
 dbname = mkOption {
@@ -128,7 +129,7 @@ in
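Review bot: The description in the @@ -73,7 +73,8 @@ hunk now limits the file to a single uncommented line but still does not say how a password containing `:` or `\` is treated; in the .pgpass format those characters are written as `\:` and `\\`. The extraction code is not visible in this hunk, so I cannot tell whether it unescapes them; if it does not, psql and the Roundcube config would end up using different passwords for such a file. Either state the restriction in the text, e.g. `The password must not contain ':' or '\'.`, or confirm that the extraction handles the escapes.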