nixos/hosts/vm/collabora/collabora.nix


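{ config, pkgs, ... }:
let
  # Groups allowed into the Collabora admin console, one per line; consumed by
  # the pam_listfile rule in the coolwsd PAM service below.
  authorizedGroupsFile = pkgs.writeText "collabora-admin-groups" ''
    root
    _nounou
  '';

  pam_modules_path = "${pkgs.pam}/lib/security";

  # Same module selection as nixos/modules/security/pam.nix: the nslcd PAM
  # module when the LDAP daemon is enabled, plain pam_ldap otherwise.
  pam_ldap = "${if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap}/lib/security";

  # Reverse-proxy location shared by both hostnames served below.
  collaboraPort = toString config.services.collabora-online.port;
  collaboraProxy = {
    locations."/" = {
      proxyPass = "http://localhost:${collaboraPort}";
      proxyWebsockets = true; # Collabora needs websockets
    };
  };
in
{
  services.collabora-online = {
    enable = true;
    settings = {
      # TLS is terminated by the nginx reverse proxy below; coolwsd itself
      # only speaks plain HTTP on loopback.
      ssl = {
        enable = false;
        termination = true;
      };
      net = {
        listen = "loopback";
        # Only the local reverse proxy may reach coolwsd. This used to list
        # "172.0.0.1", which is not a loopback address (and can never be the
        # source of a connection to a loopback-only listener), so IPv4
        # connections from nginx over 127.0.0.1 were not on the allow list.
        post_allow.host = [ "::1" "127.0.0.1" ];
      };
      # Only open documents coming from the Nextcloud WOPI hosts.
      storage.wopi = {
        "@allow" = true;
        host = [ "nextcloud.crans.org" "nextcloud.adm.crans.org" ];
      };
      admin_console.enable_pam = true;
      server_name = "collabora.crans.org";
    };
  };

  # Authentication for the admin console (access for the "nounous"):
  # a Unix account, or failing that an LDAP account, and in both cases the
  # user must belong to one of the groups in authorizedGroupsFile
  # (pam_listfile with onerr=fail denies if the group file cannot be read).
  security.pam.services.coolwsd.text = ''
    # Accounts
    account sufficient ${pam_ldap}/pam_ldap.so
    account required ${pam_modules_path}/pam_unix.so
    # Authentification
    # On teste un compte unix. Si on en a un, on passe la règle ldap et on lance la règle des groupes.
    auth [success=1 new_authtok_reqd=1 default=ignore] ${pam_modules_path}/pam_unix.so likeauth try_first_pass
    # On tente le ldap et on fail sinon.
    auth requisite ${pam_ldap}/pam_ldap.so use_first_pass
    # On vérifie le groupe de l'utilisateur
    auth [success=done new_authtok_reqd=done default=die] ${pam_modules_path}/pam_listfile.so item=group sense=allow file=${authorizedGroupsFile} onerr=fail
    # session et password ne sont pas pertinents pour de l'authentification de coolwsd.
  '';

  services.nginx = {
    enable = true;
    # NOTE(review): no forceSSL/enableACME or certificate settings are visible
    # on these vhosts, yet ssl.termination = true above relies on the proxy
    # doing TLS — confirm TLS for both hostnames is configured elsewhere.
    virtualHosts = {
      "collabora.crans.org" = collaboraProxy;
      "collabora.adm.crans.org" = collaboraProxy;
    };
  };
}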