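{ config, pkgs, ... }:
let
  # Groups allowed to log in to the Collabora admin console, one name per
  # line (the file is consumed by pam_listfile with item=group below).
  authorizedGroupsFile = pkgs.writeText "collabora-admin-groups" ''
    root
    _nounou
  '';

  # Directory holding the stock Linux-PAM modules (pam_unix, pam_listfile).
  pam_modules_path = "${pkgs.pam}/lib/security"; # nixos/modules/security/pam.nix

  # pam_ldap.so is provided by nss-pam-ldapd when the nslcd daemon is enabled,
  # otherwise by the standalone pam_ldap package.
  pam_ldap = "${if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap}/lib/security";

  # Shared nginx location: both hostnames reverse-proxy to the same coolwsd
  # instance on loopback (port taken from the collabora-online module).
  collaboraUpstream = {
    proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
    proxyWebsockets = true; # collabora needs websockets
  };
in
{
  services.collabora-online = {
    enable = true;
    settings = {
      # TLS is terminated by the reverse proxy; coolwsd itself only speaks
      # plain HTTP and only listens on loopback (see net.listen).
      ssl = {
        enable = false;
        termination = true;
      };
      net = {
        listen = "loopback";
        # Only the local reverse proxy may issue POST requests to coolwsd.
        # Both loopback addresses are listed because "localhost" in the
        # proxyPass above may resolve to either ::1 or 127.0.0.1.
        post_allow.host = [ "::1" "127.0.0.1" ];
      };
      # Only open files served by nextcloud.
      storage.wopi = {
        "@allow" = true;
        host = [ "nextcloud.crans.org" "nextcloud.adm.crans.org" ];
      };
      admin_console.enable_pam = true;
      server_name = "collabora.crans.org";
    };
  };

  # Authentication for the admin console (access for the "nounous").
  # Stack logic: a successful pam_unix jumps over the LDAP line (success=1)
  # straight to the group check; otherwise pam_ldap is tried and, being
  # requisite, a failure ends the stack immediately. The group check uses the
  # control keyword "required" -- "require" is not a Linux-PAM control flag.
  # NOTE(review): pam_listfile resolves group membership through NSS, so LDAP
  # users must be resolvable by NSS for "_nounou" to match -- confirm.
  security.pam.services.coolwsd.text = ''
    # Accounts
    account sufficient ${pam_ldap}/pam_ldap.so
    account required ${pam_modules_path}/pam_unix.so

    # Authentification
    # On teste un compte unix. Si on en a un, on passe la règle ldap et on lance la règle des groupes.
    auth [success=1 new_authtok_reqd=1 default=ignore] ${pam_modules_path}/pam_unix.so likeauth try_first_pass
    # On tente le ldap et on fail sinon.
    auth requisite ${pam_ldap}/pam_ldap.so use_first_pass
    # On vérifie le groupe de l'utilisateur
    auth required ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail
    # session et password ne sont pas pertinents pour de l'authentification de coolwsd.
  '';

  # Public and admin-network hostnames, both proxied to the same upstream.
  # NOTE(review): no TLS settings appear on these virtual hosts even though
  # coolwsd is configured for TLS termination by the proxy -- presumably
  # forceSSL/ACME are set elsewhere; confirm.
  services.nginx = {
    enable = true;
    virtualHosts = {
      "collabora.crans.org" = {
        locations."/" = collaboraUpstream;
      };
      "collabora.adm.crans.org" = {
        locations."/" = collaboraUpstream;
      };
    };
  };
}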