From d2c3bac8f0521e5df107f90aac824918964fa147 Mon Sep 17 00:00:00 2001 From: Pyjacpp Date: Mon, 22 Dec 2025 14:08:52 +0100 Subject: [PATCH] fix\!: fix group check --- hosts/vm/collabora/collabora.nix | 36 ++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/hosts/vm/collabora/collabora.nix b/hosts/vm/collabora/collabora.nix index ad0f3d5..971ef2e 100644 --- a/hosts/vm/collabora/collabora.nix +++ b/hosts/vm/collabora/collabora.nix @@ -1,5 +1,15 @@ -{ config, ... }: +{ config, pkgs, ... }: +let + authorizedGroupsFile = pkgs.writeText "collabora-admin-groups" '' + root + _nounou + ''; + + pam_modules_path = "${pkgs.pam}/lib/security"; + # nixos/modules/security/pam.nix + pam_ldap = "${if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap}/lib/security"; +in { services.collabora-online = { enable = true; @@ -28,14 +38,22 @@ }; # Authentification pour la console d'administration (accès pour les nounous) - security.pam.services.coolwsd = { - unixAuth = true; - requireWheel = true; - rules.auth.wheel = { - order = config.security.pam.services.login.rules.auth.ldap.order + 10; - settings.group = "_nounou"; - }; - }; + security.pam.services.coolwsd.text = '' + # Accounts + account sufficient ${pam_ldap}/pam_ldap.so + account required ${pam_modules_path}/pam_unix.so + + # Authentification + + # On teste un compte unix. Si on en a un, on passe la règle ldap et on lance la règle des groupes. + auth [success=1 new_authtok_reqd=1 default=ignore] ${pam_modules_path}/pam_unix.so likeauth try_first_pass + # On tente le ldap et on fail sinon. + auth requisite ${pam_ldap}/pam_ldap.so use_first_pass + # On vérifie le groupe de l'utilisateur + auth require ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail + + # session et password ne sont pas pertinents pour de l'authentification de coolwsd. + ''; services.nginx = { enable = true;