fix\!: fix group check

hosts/vm/collabora/collabora.nix

@@ -1,5 +1,15 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 
+let
+  authorizedGroupsFile = pkgs.writeText "collabora-admin-groups" ''
+    root
+    _nounou
+  '';
+
+  pam_modules_path = "${pkgs.pam}/lib/security";
+  # nixos/modules/security/pam.nix
+  pam_ldap = "${if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap}/lib/security";
+in
 {
   services.collabora-online = {
     enable = true;
@@ -28,14 +38,22 @@
   };
 
   # Authentification pour la console d'administration (accès pour les nounous)
-  security.pam.services.coolwsd = {
-    unixAuth = true;
-    requireWheel = true;
-    rules.auth.wheel = {
-      order = config.security.pam.services.login.rules.auth.ldap.order + 10;
-      settings.group = "_nounou";
-    };
-  };
+  security.pam.services.coolwsd.text = ''
+    # Accounts
+    account sufficient ${pam_ldap}/pam_ldap.so
+    account required ${pam_modules_path}/pam_unix.so
+
+    # Authentification
+
+    # On teste un compte unix. Si on en a un, on passe la règle ldap et on lance la règle des groupes.
+    auth [success=1 new_authtok_reqd=1 default=ignore] ${pam_modules_path}/pam_unix.so likeauth try_first_pass
+    # On tente le ldap et on fail sinon.
+    auth requisite ${pam_ldap}/pam_ldap.so use_first_pass
+    # On vérifie le groupe de l'utilisateur
+    auth require ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail
+
+    # session et password ne sont pas pertinents pour de l'authentification de coolwsd.
+  '';
 
   services.nginx = {
     enable = true;