From fab0899e7eff764dc773693208fc77b00cd4ffb0 Mon Sep 17 00:00:00 2001
From: Fugi
Date: Sat, 21 Jan 2023 21:26:24 +0100
Subject: [PATCH] package ldap3 plugin

---
 modules/matrix.nix | 25 ++++++++++++-------------
 modules/pkgs/matrix-synapse-ldap3.nix | 21 +++++++++++++++++++++
 2 files changed, 33 insertions(+), 13 deletions(-)
 create mode 100644 modules/pkgs/matrix-synapse-ldap3.nix

diff --git a/modules/matrix.nix b/modules/matrix.nix
index 5648c1b..d1d0938 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -18,6 +18,10 @@ let
       add_header Access-Control-Allow-Origin *;
       return 200 '${builtins.toJSON data}';
     '';
+
+  # build ldap3 plugin from git because it's very outdated in nixpkgs
+  matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { };
+  # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
 in
 {
   sops.secrets.matrix_ldap_search = {
@@ -71,9 +75,7 @@ in
     matrix-synapse = {
       enable = true;
-      plugins = with config.services.matrix-synapse.package.plugins; [
-        matrix-synapse-ldap3
-      ];
+      plugins = [ matrix-synapse-ldap3 ];
       settings = {
         server_name = domainServer;
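Review bot: The new let-binding builds the plugin with `pkgs.python3.pkgs.callPackage`, which ties it to `pkgs.python3` rather than to the interpreter `services.matrix-synapse.package` was built with; if those ever diverge (a pinned or overridden synapse package), the plugin and its `ldap3`/`twisted` dependencies land in a different site-packages and the auth module fails to import at startup. Building it from the synapse package's own Python set keeps the two in lockstep, e.g. `matrix-synapse-ldap3 = config.services.matrix-synapse.package.python.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { };` — I believe the nixpkgs synapse derivation passes its interpreter through as `python`, so confirm that attribute exists on the package in use. The commented-out second assignment is dead code; either drop it or make it a note such as `# switch back to config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3 once nixpkgs carries a release with bind_password_file support`. The `plugins = [ matrix-synapse-ldap3 ];` hunk below follows from this binding and needs no separate change.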
@@ -94,24 +96,21 @@ in
       extraConfigFiles = [
         (pkgs.writeTextFile {
           name = "matrix-synapse-extra-config.yml";
-          text = ''
-            # `password_providers` is deprecated but `modules` is not supported yet.
-            password_providers:
-              - module: ldap_auth_provider.LdapAuthProvider
+          text = let portunus = config.services.portunus; in ''
+            modules:
+              - module: ldap_auth_provider.LdapAuthProviderModule
                 config:
                   enabled: true
                   # have to use fqdn here for tls (still connects to localhost)
-                  uri: ldaps://auth.nix.fugi.dev:636
-                  base: ou=users,dc=ifsr,dc=de
+                  uri: ldaps://${portunus.domain}:636
+                  base: ou=users,${portunus.ldap.suffix}
                   # taken from kaki config
                   attributes:
                     uid: uid
                     mail: uid
                     name: cn
-                  bind_dn: uid=search,ou=users,dc=ifsr,dc=de
-                  # TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround
-                  bind_password: portunus_search
-                  # bind_password_file: ${config.sops.secrets.portunus_search.path}
+                  bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
+                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
           '';
         })
       ];
diff --git a/modules/pkgs/matrix-synapse-ldap3.nix b/modules/pkgs/matrix-synapse-ldap3.nix
new file mode 100644
index 0000000..0635ab0
--- /dev/null
+++ b/modules/pkgs/matrix-synapse-ldap3.nix
@@ -0,0 +1,21 @@
+{ isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }:
+
+buildPythonPackage rec {
+  pname = "matrix-synapse-ldap3";
+  version = "0.2.2";
+
+  format = "pyproject";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "matrix-org";
+    repo = "matrix-synapse-ldap3";
+    rev = "2584736204165f16c176567183f9c350ee253f74";
+    sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8=";
+  };
+
+  propagatedBuildInputs = [ service-identity ldap3 twisted ];
+
+  # ldaptor is not ready for py3 yet
+  doCheck = !isPy3k;
+  checkInputs = [ ldaptor mock ];
+}
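Review bot: `bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}` is read at runtime by the auth module under the synapse service account, so the `sops.secrets.matrix_ldap_search` declaration near the top of this file (its body is outside this hunk) must set `owner` to that account (`matrix-synapse` with the NixOS module); with sops-nix's default of a root-owned `0400` file the module fails at startup with a permission error, which only shows up when the service is actually restarted. Interpolating the path here is the right shape, since `pkgs.writeTextFile` puts this YAML into the world-readable Nix store and only the path, never the secret, may appear in it; a line such as `# only the secret's path is rendered here - the file is read at runtime, keep the password itself out of the store` would stop a future edit from regressing to an inline `bind_password`. The switch to `modules:`/`LdapAuthProviderModule` also assumes both synapse and the pinned plugin revision support the module API and `bind_password_file`; I would state the minimum plugin version this relies on in a comment where the removed TODO stood, since the packaging in `modules/pkgs/matrix-synapse-ldap3.nix` is what makes this line work.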
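Review bot: `doCheck = !isPy3k;` in `modules/pkgs/matrix-synapse-ldap3.nix` is always false here, because the expression is called from a `python3` package set (and synapse itself runs only on Python 3), so the upstream test suite never runs and `checkInputs = [ ldaptor mock ];` is dead weight; the justification "ldaptor is not ready for py3 yet" reads as carried over from an older nixpkgs expression rather than checked against this revision. Either run the tests (`doCheck = true;` keeping `checkInputs`, plus `pytestCheckHook` if the suite needs it — verify against upstream's test setup) or keep them off with a comment stating the actual reason. Taking `fetchFromGitHub` as a function argument instead of reaching through `pkgs` is the usual shape for a `callPackage`d expression and keeps the derivation overridable in the normal way. `version = "0.2.2"` is paired with a bare commit `rev` rather than a tag; if that commit is the 0.2.2 release, `rev = "v${version}"` (check upstream's tag naming) makes the pin self-describing, and if it is a post-release commit the version string should say so.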