From f07b867af2e9b491ea0f93518d8b349f1d0965d7 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Thu, 26 Dec 2024 18:42:41 +0400
Subject: [PATCH] security: harden some SP modules NixOS config evaluation permissions
---
 sp-modules/auth/config-paths-needed.json | 17 ++++++++---------
 sp-modules/roundcube/config-paths-needed.json | 13 ++++++-------
 .../config-paths-needed.json | 4 +++-
 3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/sp-modules/auth/config-paths-needed.json b/sp-modules/auth/config-paths-needed.json
index 2253194..f42cfd1 100644
--- a/sp-modules/auth/config-paths-needed.json
+++ b/sp-modules/auth/config-paths-needed.json
@@ -1,11 +1,10 @@
 [
- ["mailserver", "fqdn"],
- ["mailserver", "ldap"],
- ["mailserver", "vmailUID"],
- ["passthru", "selfprivacy", "auth"],
- ["security", "acme", "certs"],
- ["selfprivacy", "domain"],
- ["selfprivacy", "modules"],
- ["services"],
- ["systemd", "services", "kanidm"]
+ [ "passthru", "selfprivacy", "auth" ],
+ [ "security", "acme", "certs" ],
+ [ "selfprivacy", "domain" ],
+ [ "selfprivacy", "modules", "auth" ],
+ [ "services", "kanidm" ],
+ [ "services", "oauth2-proxy", "enable" ],
+ [ "services", "oauth2-proxy", "nginx" ],
+ [ "systemd", "services", "kanidm" ]
 ]
diff --git a/sp-modules/roundcube/config-paths-needed.json b/sp-modules/roundcube/config-paths-needed.json
index f40e8f4..31c78d0 100644
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
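Review bot: The new allow-list drops every `mailserver.*` entry and `["services"]`, but nothing in the commit message says the auth module stopped reading those values; if this file is the set of `config` attribute paths the module's evaluation may read (as the filename and subject suggest) and its Nix code still references `config.mailserver.fqdn` or `config.mailserver.ldap`, the narrower list turns a permission hardening into an evaluation failure, so the message should state that those reads were removed or name the commit that removed them. Replacing the blanket `["services"]` grant with `services.kanidm` and the two `services.oauth2-proxy` attributes is the substantive hardening here and is the right direction. Since this file is strict JSON and cannot carry a comment, consider a one-line README beside it stating that the entries are the only `config` paths the module's evaluation may read, so a future contributor does not re-add a whole-subtree grant like `["services"]` for convenience. The bracket-spacing reformat of the surviving entries is mixed in with the semantic change; a separate whitespace-only commit would make the permission diff reviewable at a glance.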
@@ -1,9 +1,8 @@
 [
- ["mailserver", "fqdn"],
- ["passthru", "selfprivacy", "auth", "auth-fqdn"],
- ["passthru", "selfprivacy", "auth", "oauth2-provider-name"],
- ["selfprivacy", "domain"],
- ["selfprivacy", "modules", "auth"],
- ["selfprivacy", "modules", "roundcube"],
- ["service", "kanidm"]
+ [ "mailserver", "fqdn" ],
+ [ "passthru", "selfprivacy", "auth", "auth-fqdn" ],
+ [ "passthru", "selfprivacy", "auth", "oauth2-provider-name" ],
+ [ "selfprivacy", "domain" ],
+ [ "selfprivacy", "modules", "auth" ],
+ [ "selfprivacy", "modules", "roundcube" ]
 ]
diff --git a/sp-modules/simple-nixos-mailserver/config-paths-needed.json b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
index 1c1df79..e717a3d 100644
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -13,6 +13,8 @@
 [ "services", "opendkim" ],
 [ "services", "postfix", "group" ],
 [ "services", "postfix", "user" ],
- [ "services", "redis" ],
+ [ "services", "redis", "servers", "rspamd", "bind" ],
+ [ "services", "redis", "servers", "rspamd", "port" ],
+ [ "services", "redis", "servers", "rspamd", "requirePass" ],
 [ "services", "rspamd" ]
 ]
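Review bot: The removed entry `["service", "kanidm"]` uses the singular `service`, which is not a NixOS option prefix, so it presumably never granted anything and dropping it is correct; the path it was probably meant to be, `services.kanidm`, is not added in its place, so confirm the roundcube module does not read `config.services.kanidm` (the auth module in this same patch keeps that grant). Every other entry survives unchanged apart from bracket spacing, so the hunk is effectively a typo removal plus reformat. If the two `passthru.selfprivacy.auth` values are what roundcube uses for its OIDC settings, this is the minimal read-set and fine as is.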
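Review bot: Granting `services.redis.servers.rspamd.requirePass` hands the plaintext Redis password to this module's evaluation, and whatever it interpolates from that value into generated rspamd configuration ends up in the world-readable Nix store. NixOS also provides `services.redis.servers.<name>.requirePassFile`, which keeps the secret out of the store; if the rspamd side can read the password from a file, granting that path instead of `requirePass` would match the hardening intent of this commit. Narrowing the old `services.redis` subtree to the three attributes actually needed is otherwise a clear improvement. The hunk begins at line 13 of the file, so the earlier entries of the list are not visible here.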