diff --git a/nixos/modules/services/mail/roundcube.nix b/nixos/modules/services/mail/roundcube.nix
index 36dda619ad06..b064c717958d 100644
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@@ -5,6 +5,8 @@ with lib;
let
cfg = config.services.roundcube;
fpm = config.services.phpfpm.pools.roundcube;
+ localDB = cfg.database.host == "localhost";
+ user = cfg.database.username;
in
{
options.services.roundcube = {
@@ -44,7 +46,10 @@ in
username = mkOption {
type = types.str;
default = "roundcube";
- description = "Username for the postgresql connection";
+ description = ''
+ Username for the postgresql connection.
+ If database.host is set to localhost, a unix user and group of the same name will be created as well.
+ '';
};
host = mkOption {
type = types.str;
@@ -58,7 +63,12 @@ in
};
password = mkOption {
type = types.str;
- description = "Password for the postgresql connection";
+ description = "Password for the postgresql connection. Do not use: the password will be stored world readable in the store; use passwordFile instead.";
+ default = "";
+ };
+ passwordFile = mkOption {
+ type = types.str;
+ description = "Password file for the postgresql connection. Must be readable by user nginx. Ignored if database.host is set to localhost, as peer authentication will be used.";
};
dbname = mkOption {
type = types.str;
@@ -83,11 +93,17 @@ in
};
config = mkIf cfg.enable {
+ # backward compatibility: if password is set but not passwordFile, make one.
+ services.roundcube.database.passwordFile = mkIf (!localDB && cfg.database.password != "") (mkDefault ("${pkgs.writeText "roundcube-password" cfg.database.password}"));
+ warnings = lib.optional (!localDB && cfg.database.password != "") "services.roundcube.database.password is deprecated and insecure; use services.roundcube.database.passwordFile instead";
+
environment.etc."roundcube/config.inc.php".text = ''