diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix
index c6b15ef..9956ee1 100644
--- a/hosts/vm/collabora/collabora.nix
+++ b/hosts/vm/collabora/collabora.nix
@@ -1,5 +1,15 @@
-{ config, ... }:
+{ config, pkgs, ... }:
+let
+ authorizedGroupsFile = pkgs.writeText "collabora-admin-groups" ''
+ root
+ _nounou
+ '';
+
+ pam_modules_path = "${pkgs.pam}/lib/security";
+ # nixos/modules/security/pam.nix
+ pam_ldap = "${if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap}/lib/security";
+in
 {
 services.collabora-online = {
 enable = true;
@@ -21,10 +31,30 @@
 host = ["nextcloud.crans.org" "nextcloud.adm.crans.org"];
 };
+ admin_console.enable_pam = true;
+
 server_name = "collabora.crans.org";
 };
 };
+ # Authentification pour la console d'administration (accès pour les nounous)
+ security.pam.services.coolwsd.text = ''
+ # Accounts
+ account sufficient ${pam_ldap}/pam_ldap.so
+ account required ${pam_modules_path}/pam_unix.so
+
+ # Authentification
+
+ # On teste un compte unix. Si on en a un, on passe la règle ldap et on lance la règle des groupes.
+ auth [success=1 new_authtok_reqd=1 default=ignore] ${pam_modules_path}/pam_unix.so likeauth try_first_pass
+ # On tente le ldap et on fail sinon.
+ auth requisite ${pam_ldap}/pam_ldap.so use_first_pass
+ # On vérifie le groupe de l'utilisateur
+ auth [success=done new_authtok_reqd=done default=die] ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail
+
+ # session et password ne sont pas pertinents pour de l'authentification de coolwsd.
+ '';
+
 services.nginx = {
 enable = true;
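Review bot: The `auth ... pam_unix.so` line in the coolwsd stack can only verify another user's password when the calling process is root or may invoke the setuid `unix_chkpwd` helper for that user; if coolwsd runs as an unprivileged (dynamic) service user, which I believe is the NixOS module's default, that line fails for every account, the `root` entry in `authorizedGroupsFile` is dead, and the effective policy becomes "LDAP password + membership in `_nounou`" via the `default=ignore` / `requisite` fall-through. Either state that in the comment above the rule (`# pam_unix only works if coolwsd can run unix_chkpwd as root; in practice only LDAP nounous authenticate here`) or drop the pam_unix line and the `root` group so the written policy matches the enforced one. Because `security.pam.services.coolwsd.text` replaces the generated stack, there is no `pam_faillock` or other lockout in front of a password prompt served on collabora.crans.org; consider a `limit_req` zone on the admin-console location in the nginx block, which continues outside the hunk. Also note that `pam_listfile item=group` resolves `_nounou` through NSS, so this rule depends on nslcd serving group membership, not only on pam_ldap.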