From 3e3704e10455178f7750ddaa24c28955c62c4183 Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Sun, 21 Dec 2025 19:01:58 +0100 Subject: [PATCH 1/6] feat: add authentification for collabora admin page via pam https://sdk.collaboraonline.com/docs/installation/Configuration.html#admin-console --- hosts/vm/collabora/collabora.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix index c6b15ef..01935aa 100644 --- a/hosts/vm/collabora/collabora.nix +++ b/hosts/vm/collabora/collabora.nix @@ -25,6 +25,13 @@ }; }; + # Authentification pour la console d'administration (accès pour les nounous) + security.pam.services.coolwsd.text = '' + auth required pam_unix.so + auth required pam_wheel.so group=_nounou + account required pam_unix.so + ''; + services.nginx = { enable = true; From 12ebc83336406bfec5beeada36ca8fb6bba2d29e Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Sun, 21 Dec 2025 19:22:30 +0100 Subject: [PATCH 2/6] fix: enable pam admin console --- hosts/vm/collabora/collabora.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix index 01935aa..bf9032a 100644 --- a/hosts/vm/collabora/collabora.nix +++ b/hosts/vm/collabora/collabora.nix @@ -21,6 +21,8 @@ host = ["nextcloud.crans.org" "nextcloud.adm.crans.org"]; }; + admin_console.enable_pam = true; + server_name = "collabora.crans.org"; }; }; From e2cd45a7c302643efa336754a59265d913acc10e Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Sun, 21 Dec 2025 20:25:17 +0100 Subject: [PATCH 3/6] fix: pam modules path --- hosts/vm/collabora/collabora.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix index bf9032a..c61f5ea 100644 --- a/hosts/vm/collabora/collabora.nix +++ b/hosts/vm/collabora/collabora.nix 
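Review bot: `auth required pam_wheel.so group=_nounou` checks the group membership of the applicant (PAM_RUSER, falling back to the login name of the calling process, or its real uid when `use_uid` is set), not the PAM_USER whose credentials the admin console is verifying, so for a daemon such as coolwsd it most likely tests the service's own identity or fails with a service error when no login session exists. The same construct is carried into the `requireWheel` / `rules.auth.wheel` forms of the patch 3 and patch 4 hunks, where NixOS's wheel rule adds `use_uid`, so the check is against the daemon's uid there as well. Patch 5 in this series replaces it with `pam_listfile.so item=group`, which does evaluate the authenticating user; a one-line comment at the replacement, `# pam_wheel checks the caller, not the user being authenticated — pam_listfile checks PAM_USER`, would record why the module was changed.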
@@ -28,11 +28,11 @@ }; # Authentification pour la console d'administration (accès pour les nounous) - security.pam.services.coolwsd.text = '' - auth required pam_unix.so - auth required pam_wheel.so group=_nounou - account required pam_unix.so - ''; + security.pam.services.coolwsd = { + unixAuth = true; + requireWheel = true; + rules.auth.wheel.settings.group = "_nounou"; + }; services.nginx = { enable = true; From bb3add09608195747038a529642b2d26eddb81d8 Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Mon, 22 Dec 2025 00:02:28 +0100 Subject: [PATCH 4/6] fix: pam_wheel order --- hosts/vm/collabora/collabora.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix index c61f5ea..ad0f3d5 100644 --- a/hosts/vm/collabora/collabora.nix +++ b/hosts/vm/collabora/collabora.nix @@ -31,7 +31,10 @@ security.pam.services.coolwsd = { unixAuth = true; requireWheel = true; - rules.auth.wheel.settings.group = "_nounou"; + rules.auth.wheel = { + order = config.security.pam.services.login.rules.auth.ldap.order + 10; + settings.group = "_nounou"; + }; }; services.nginx = { From d2c3bac8f0521e5df107f90aac824918964fa147 Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Mon, 22 Dec 2025 14:08:52 +0100 Subject: [PATCH 5/6] fix\!: fix group check --- hosts/vm/collabora/collabora.nix | 36 ++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix index ad0f3d5..971ef2e 100644 --- a/hosts/vm/collabora/collabora.nix +++ b/hosts/vm/collabora/collabora.nix 
@@ -1,5 +1,15 @@ -{ config, ... }: +{ config, pkgs, ... }: +let + authorizedGroupsFile = pkgs.writeText "collabora-admin-groups" '' + root + _nounou + ''; + + pam_modules_path = "${pkgs.pam}/lib/security"; + # nixos/modules/security/pam.nix + pam_ldap = "${if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap}/lib/security"; +in { services.collabora-online = { enable = true; @@ -28,14 +38,22 @@ }; # Authentification pour la console d'administration (accès pour les nounous) - security.pam.services.coolwsd = { - unixAuth = true; - requireWheel = true; - rules.auth.wheel = { - order = config.security.pam.services.login.rules.auth.ldap.order + 10; - settings.group = "_nounou"; - }; - }; + security.pam.services.coolwsd.text = '' + # Accounts + account sufficient ${pam_ldap}/pam_ldap.so + account required ${pam_modules_path}/pam_unix.so + + # Authentification + + # On teste un compte unix. Si on en a un, on passe la règle ldap et on lance la règle des groupes. + auth [success=1 new_authtok_reqd=1 default=ignore] ${pam_modules_path}/pam_unix.so likeauth try_first_pass + # On tente le ldap et on fail sinon. + auth requisite ${pam_ldap}/pam_ldap.so use_first_pass + # On vérifie le groupe de l'utilisateur + auth require ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail + + # session et password ne sont pas pertinents pour de l'authentification de coolwsd. + ''; services.nginx = { enable = true; From 4688961ba5016f8f5b7b23a87de3a5dfa8e9de48 Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Mon, 22 Dec 2025 14:25:21 +0100 Subject: [PATCH 6/6] fix: add return values --- hosts/vm/collabora/collabora.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix index 971ef2e..9956ee1 100644 --- a/hosts/vm/collabora/collabora.nix +++ b/hosts/vm/collabora/collabora.nix 
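Review bot: `authorizedGroupsFile` lists `root`, which makes the root account (primary group root) a valid login for the web-exposed admin console and, if root has a password hash, exposes it to online guessing through nginx; if that is not intended, drop `root` from the list, otherwise say so in a comment such as `# root is listed deliberately: members of gid 0 may administer coolwsd`. The file is also worth a note explaining why it lives in the store: pam_listfile refuses world-writable or non-regular files, and a `pkgs.writeText` path is a read-only root-owned regular file, which satisfies that check. As a point of style, `pam_modules_path` and `pam_ldap` use snake_case while `authorizedGroupsFile` is camelCase; the file's other Nix names are camelCase, so `pamModulesPath` / `pamLdapPath` would be consistent.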
@@ -50,7 +50,7 @@ in # On tente le ldap et on fail sinon. auth requisite ${pam_ldap}/pam_ldap.so use_first_pass # On vérifie le groupe de l'utilisateur - auth require ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail + auth [success=done new_authtok_reqd=done default=die] ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail # session et password ne sont pas pertinents pour de l'authentification de coolwsd. '';
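Review bot: The group check on the new `auth [success=done new_authtok_reqd=done default=die] … pam_listfile.so` line is only reached for local users because the earlier `pam_unix.so` rule says `success=1`, i.e. "skip exactly one module"; anyone who later inserts a rule between `pam_ldap.so` and this line silently moves that jump onto the inserted module and the group check is no longer applied to local accounts. A comment pinning the coupling would help, e.g. `# Must stay immediately after the pam_ldap rule: pam_unix's success=1 above jumps here.` `new_authtok_reqd=done` is dead here since pam_listfile never returns PAM_NEW_AUTHTOK_REQD, and because this is the last auth rule `done`/`die` behave like `ok`/`bad`; keeping them is harmless but worth a short comment so the next reader does not look for a reason.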