From 565bcae08162ee42c6f68437e59fdeb82ae8db79 Mon Sep 17 00:00:00 2001 From: fugi Date: Sat, 17 Dec 2022 19:11:37 +0100 Subject: [PATCH 1/5] add matrix configuration --- flake.nix | 1 + modules/matrix.nix | 126 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 modules/matrix.nix diff --git a/flake.nix b/flake.nix index bd91d47..973bcda 100755 --- a/flake.nix +++ b/flake.nix @@ -64,6 +64,7 @@ ./modules/wiki.nix ./modules/stream.nix ./modules/nextcloud.nix + ./modules/matrix.nix { sops.defaultSopsFile = ./secrets/quitte.yaml; } diff --git a/modules/matrix.nix b/modules/matrix.nix new file mode 100644 index 0000000..493168c --- /dev/null +++ b/modules/matrix.nix 
@@ -0,0 +1,126 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = "staging.ifsr.de";
+ domainServer = "matrix.${domain}";
+ domainClient = "chat.${domain}";
+ clientConfig = {
+ "m.homeserver" = {
+ base_url = "https://${domainServer}:443";
+ server_name = domainServer;
+ };
+ "m.identity_server" = {};
+ };
+ serverConfig = {
+ "m.server" = "${domainServer}:443";
+ };
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in
+{
+ #sops.secrets = {
+ # synapse_registration_secret = {
+ # owner = "matrix-synapse";
+ # group = "matrix-synapse";
+ # };
+ #};
+
+ services = {
+ postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "matrix-synapse";
+ }
+ ];
+ };
+
+ nginx = {
+ recommendedProxySettings = true;
+ virtualHosts = {
+ # synapse
+ "${domainServer}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ # homeserver discovery
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+
+ # 404 on /
+ locations."/".extraConfig = "return 404;";
+
+ # proxy to synapse
+ locations."/_matrix".proxyPass = "http://[::1]:8008";
+ locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+
+ # element
+ "${domainClient}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ root = pkgs.element-web.override {
+ conf = {
+ default_server_config = clientConfig;
+ };
+ };
+ };
+ };
+ };
+
+ matrix-synapse = {
+ enable = true;
+
+ settings = {
+ server_name = domainServer;
+
+ listeners = [{
+ port = 8008;
+ bind_addresses = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [{
+ names = [ "client" "federation" ];
+ compress = false;
+ }];
+ }];
+
+ # TODO: ldap
+ registration_shared_secret = "registration_shared_secret";
+ };
+ # extraConfigFiles = [
+ # (pkgs.writeTextFile {
+ # name = "matrix-synapse-extra-config.yml";
+ # text = ''
+ # '';
+ # })
+ # ];
+ };
+ };
+
+ systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ];
+
+ systemd.services.matrix-synapse-pgsetup = {
+ description = "Prepare Synapse postgres database";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "networking.target" "postgresql.service" ];
+ serviceConfig.Type = "oneshot";
+
+ path = [ pkgs.sudo config.services.postgresql.package ];
+
+ # create database for synapse. will silently fail if already exists
+ script = ''
+ sudo -u ${config.services.postgresql.superUser} psql <
Date: Sat, 17 Dec 2022 21:23:46 +0100
Subject: [PATCH 2/5] format, use domain option
---
 modules/matrix.nix | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/modules/matrix.nix b/modules/matrix.nix
index 493168c..be57b89 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -1,18 +1,19 @@
 { config, pkgs, lib, ... }: let
- domain = "staging.ifsr.de";
- domainServer = "matrix.${domain}";
- domainClient = "chat.${domain}";
+ domainServer = "matrix.${config.fsr.domain}";
+ domainClient = "chat.${config.fsr.domain}";
+
 clientConfig = { "m.homeserver" = { base_url = "https://${domainServer}:443"; server_name = domainServer; };
- "m.identity_server" = {};
+ "m.identity_server" = { };
 }; serverConfig = { "m.server" = "${domainServer}:443"; };
+
 mkWellKnown = data: '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *;
@@ -20,12 +21,12 @@ let
 ''; in {
- #sops.secrets = {
- # synapse_registration_secret = {
- # owner = "matrix-synapse";
- # group = "matrix-synapse";
- # };
- #};
+ # sops.secrets = {
+ # synapse_registration_secret = {
+ # owner = "matrix-synapse";
+ # group = "matrix-synapse";
+ # };
+ # };
 services = { postgresql = {
@@ -92,13 +93,13 @@ in # TODO: ldap registration_shared_secret = "registration_shared_secret"; }; - # extraConfigFiles = [ - # (pkgs.writeTextFile { - # name = "matrix-synapse-extra-config.yml"; - # text = '' - # ''; - # }) - # ]; + # extraConfigFiles = [ + # (pkgs.writeTextFile { + # name = "matrix-synapse-extra-config.yml"; + # text = '' + # ''; + # }) + # ]; }; }; -- 2.44.2 From c3134e1e586c5548ac41f12c35876d7fc3793355 Mon Sep 17 00:00:00 2001 From: Fugi Date: Wed, 18 Jan 2023 14:12:03 +0100 Subject: [PATCH 3/5] Synapse LDAP config, add Portunus search user, update flake --- config/portunus_seeds.json | 15 ++++++++++ flake.lock | 18 +++++------ modules/ldap.nix | 23 +++++++++----- modules/matrix.nix | 61 ++++++++++++++++++++++++-------------- secrets/quitte.yaml | 5 ++-- secrets/test.yaml | 5 ++-- 6 files changed, 83 insertions(+), 44 deletions(-) diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json index 5b213fd..b73bf07 100644 --- a/config/portunus_seeds.json +++ b/config/portunus_seeds.json @@ -26,6 +26,15 @@ "portunus": { "is_admin": false }, "ldap": { "can_read": false } } + }, + { + "name": "search", + "long_name": "LDAP search group", + "members": ["search"], + "permissions": { + "portunus": { "is_admin": false }, + "ldap": { "can_read": true } + } } ], "users": [ @@ -34,6 +43,12 @@ "given_name": "admin", "family_name": "admin", "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] } + }, + { + "login_name": "search", + "given_name": "search", + "family_name": "search", + "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_search"] } } ] } diff --git a/flake.lock b/flake.lock index 714027c..84b48fd 100644 --- a/flake.lock +++ b/flake.lock 
@@ -71,11 +71,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1670146390, - "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=", + "lastModified": 1673740915, + "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "86370507cb20c905800527539fc049a2bf09c667", + "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2", "type": "github" }, "original": { @@ -87,11 +87,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1671215800, - "narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=", + "lastModified": 1673800717, + "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9d692a724e74d2a49f7c985132972f991d144254", + "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f", "type": "github" }, "original": { @@ -116,11 +116,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1670149631, - "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=", + "lastModified": 1673752321, + "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "da98a111623101c64474a14983d83dad8f09f93d", + "rev": "e18eefd2b133a58309475298052c341c08470717", "type": "github" }, "original": { diff --git a/modules/ldap.nix b/modules/ldap.nix index 20a8cc8..a1965a6 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -29,9 +29,15 @@ in members = [ "${ldapUser}" ]; }; - sops.secrets."portunus_admin" = { - owner = "${portunusUser}"; - group = "${portunusGroup}"; + sops.secrets = { + "portunus_admin" = { + owner = "${portunusUser}"; + group = "${portunusGroup}"; + }; + "portunus_search" = { + owner = "${portunusUser}"; + group = "${portunusGroup}"; + }; }; services.portunus = { 
@@ -40,10 +46,16 @@ in
 group = "${portunusGroup}"; domain = "${domain}"; port = 8081;
+
 ldap = { user = "${ldapUser}"; group = "${ldapGroup}";
+ suffix = "dc=ifsr,dc=de";
+ searchUserName = "search";
+
+ # disables port 389, use 636 with tls
+ # `portunus.domain` resolves to localhost
 tls = true; };
@@ -60,9 +72,4 @@ in
 }; }; };
-
- networking.firewall.allowedTCPPorts = [
- 80 # http
- 443 # https
- ];
 }
diff --git a/modules/matrix.nix b/modules/matrix.nix
index be57b89..5648c1b 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -8,7 +8,6 @@ let
 base_url = "https://${domainServer}:443"; server_name = domainServer; };
- "m.identity_server" = { };
 }; serverConfig = { "m.server" = "${domainServer}:443";
@@ -21,21 +20,17 @@ let
 ''; in {
- # sops.secrets = {
- # synapse_registration_secret = {
- # owner = "matrix-synapse";
- # group = "matrix-synapse";
- # };
- # };
+ sops.secrets.matrix_ldap_search = {
+ key = "portunus_search";
+ owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+ };
 services = { postgresql = { enable = true;
- ensureUsers = [
- {
- name = "matrix-synapse";
- }
- ];
+ ensureUsers = [{
+ name = "matrix-synapse";
+ }];
 }; nginx = {
@@ -66,6 +61,7 @@ in
 root = pkgs.element-web.override { conf = { default_server_config = clientConfig;
+ disable_3pid_login = true;
 }; }; };
@@ -75,6 +71,10 @@ in
 matrix-synapse = { enable = true;
+ plugins = with config.services.matrix-synapse.package.plugins; [
+ matrix-synapse-ldap3
+ ];
+
 settings = { server_name = domainServer;
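Review bot: Dropping `networking.firewall.allowedTCPPorts = [ 80 443 ]` from ldap.nix in the `@@ -60,9 +72,4 @@` hunk leaves nothing visible in this series that opens the HTTP/HTTPS ports, yet the nginx virtual hosts added in matrix.nix use `enableACME`, which needs port 80 reachable for the HTTP-01 challenge, and `forceSSL`, which needs 443. If a shared nginx module outside this diff already opens them, a one-line comment at the removal site (`# 80/443 are opened by the nginx module`) would save the next reader the search; if not, the rule should move rather than vanish. The attribute set being closed here starts before the hunk, so I cannot see whether anything else in the file still references the firewall.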
@@ -89,17 +89,32 @@ in
 compress = false; }]; }];
-
- # TODO: ldap
- registration_shared_secret = "registration_shared_secret";
 };
- # extraConfigFiles = [
- # (pkgs.writeTextFile {
- # name = "matrix-synapse-extra-config.yml";
- # text = ''
- # '';
- # })
- # ];
+
+ extraConfigFiles = [
+ (pkgs.writeTextFile {
+ name = "matrix-synapse-extra-config.yml";
+ text = ''
+ # `password_providers` is deprecated but `modules` is not supported yet.
+ password_providers:
+ - module: ldap_auth_provider.LdapAuthProvider
+ config:
+ enabled: true
+ # have to use fqdn here for tls (still connects to localhost)
+ uri: ldaps://auth.nix.fugi.dev:636
+ base: ou=users,dc=ifsr,dc=de
+ # taken from kaki config
+ attributes:
+ uid: uid
+ mail: uid
+ name: cn
+ bind_dn: uid=search,ou=users,dc=ifsr,dc=de
+ # TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround
+ bind_password: portunus_search
+ # bind_password_file: ${config.sops.secrets.portunus_search.path}
+ '';
+ })
+ ];
 }; };
@@ -113,7 +128,7 @@ in
 path = [ pkgs.sudo config.services.postgresql.package ];
- # create database for synapse. will silently fail if already exists
+ # create database for synapse. will silently fail if it already exists
 script = '' sudo -u ${config.services.postgresql.superUser} psql <
Date: Sat, 21 Jan 2023 21:26:24 +0100
Subject: [PATCH 4/5] package ldap3 plugin
---
 modules/matrix.nix | 25 ++++++++++++-------------
 modules/pkgs/matrix-synapse-ldap3.nix | 21 +++++++++++++++++++++
 2 files changed, 33 insertions(+), 13 deletions(-)
 create mode 100644 modules/pkgs/matrix-synapse-ldap3.nix
diff --git a/modules/matrix.nix b/modules/matrix.nix
index 5648c1b..d1d0938 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -18,6 +18,10 @@ let
 add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; '';
+
+ # build ldap3 plugin from git because it's very outdated in nixpkgs
+ matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { };
+ # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
 in { sops.secrets.matrix_ldap_search = {
@@ -71,9 +75,7 @@ in
 matrix-synapse = { enable = true;
- plugins = with config.services.matrix-synapse.package.plugins; [
- matrix-synapse-ldap3
- ];
+ plugins = [ matrix-synapse-ldap3 ];
 settings = { server_name = domainServer;
@@ -94,24 +96,21 @@ in
 extraConfigFiles = [ (pkgs.writeTextFile { name = "matrix-synapse-extra-config.yml";
- text = ''
- # `password_providers` is deprecated but `modules` is not supported yet.
- password_providers:
- - module: ldap_auth_provider.LdapAuthProvider
+ text = let portunus = config.services.portunus; in ''
+ modules:
+ - module: ldap_auth_provider.LdapAuthProviderModule
 config: enabled: true # have to use fqdn here for tls (still connects to localhost)
- uri: ldaps://auth.nix.fugi.dev:636
- base: ou=users,dc=ifsr,dc=de
+ uri: ldaps://${portunus.domain}:636
+ base: ou=users,${portunus.ldap.suffix}
 # taken from kaki config attributes: uid: uid mail: uid name: cn
- bind_dn: uid=search,ou=users,dc=ifsr,dc=de
- # TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround
- bind_password: portunus_search
- # bind_password_file: ${config.sops.secrets.portunus_search.path}
+ bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
+ bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
 ''; }) ];
diff --git a/modules/pkgs/matrix-synapse-ldap3.nix b/modules/pkgs/matrix-synapse-ldap3.nix
new file mode 100644
index 0000000..0635ab0
--- /dev/null
+++ b/modules/pkgs/matrix-synapse-ldap3.nix
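Review bot: `pkgs.python3.pkgs.callPackage` in the `@@ -18,6 +18,10 @@` hunk builds the plugin against whatever `pkgs.python3` happens to be, while `services.matrix-synapse.plugins` is loaded into the interpreter of `config.services.matrix-synapse.package`; if the two ever diverge (a Python bump on either side) the plugin and its `twisted`/`ldap3` dependencies end up as a second copy or fail to import. Building from the Synapse package's own Python set pins them together — if I recall correctly the NixOS module itself assembles the plugin environment from the package's `python` attribute, so `config.services.matrix-synapse.package.python.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { }` should work; worth confirming that attribute exists in the pinned nixpkgs. The commented-out `matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins...` line is dead code; either drop it or fold it into the why-comment above, e.g. `# nixpkgs' matrix-synapse-ldap3 predates bind_password_file; switch back to package.plugins once it catches up`. The `let` block this sits in starts before the hunk.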
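Review bot: The LDAP module config in the `@@ -94,24 +96,21 @@` hunk has no `filter`, so every entry under `ou=users,${portunus.ldap.suffix}` that can bind — including the `search` service account this series seeds in config/portunus_seeds.json and uses as `bind_dn` here — can also log into Synapse as an ordinary Matrix user. matrix-synapse-ldap3 accepts a `filter` key; something like `filter: "(!(uid=search))"`, or better a group-membership test, keeps the bind account from doubling as a login and is the cheap least-privilege fix. The comment on `uri` says the FQDN is only there for TLS; it is worth confirming that the plugin actually validates the server certificate for `ldaps://` against that name, otherwise the FQDN buys nothing beyond matching the listener (low exposure given the comment says it still connects to localhost). With only the sops path interpolated now, writing this file into the world-readable Nix store via `pkgs.writeTextFile` is fine — it is the literal-password variant this hunk removes that was not.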
@@ -0,0 +1,21 @@
+{ isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }:
+
+buildPythonPackage rec {
+ pname = "matrix-synapse-ldap3";
+ version = "0.2.2";
+
+ format = "pyproject";
+
+ src = pkgs.fetchFromGitHub {
+ owner = "matrix-org";
+ repo = "matrix-synapse-ldap3";
+ rev = "2584736204165f16c176567183f9c350ee253f74";
+ sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8=";
+ };
+
+ propagatedBuildInputs = [ service-identity ldap3 twisted ];
+
+ # ldaptor is not ready for py3 yet
+ doCheck = !isPy3k;
+ checkInputs = [ ldaptor mock ];
+}
--
2.44.2

From eeac519650a261134320cd1510fdf9bdb01b01ac Mon Sep 17 00:00:00 2001
From: Fugi
Date: Thu, 2 Feb 2023 21:16:55 +0100
Subject: [PATCH 5/5] move matrix-synapse-ldap3.nix to /pkgs
---
 modules/matrix.nix | 2 +-
 {modules/pkgs => pkgs}/matrix-synapse-ldap3.nix | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename {modules/pkgs => pkgs}/matrix-synapse-ldap3.nix (100%)
diff --git a/modules/matrix.nix b/modules/matrix.nix
index d1d0938..82cfa0f 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -20,7 +20,7 @@ let
 ''; # build ldap3 plugin from git because it's very outdated in nixpkgs
- matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { };
+ matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ../pkgs/matrix-synapse-ldap3.nix { };
 # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3; in {
diff --git a/modules/pkgs/matrix-synapse-ldap3.nix b/pkgs/matrix-synapse-ldap3.nix
similarity index 100%
rename from modules/pkgs/matrix-synapse-ldap3.nix
rename to pkgs/matrix-synapse-ldap3.nix
--
2.44.2
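Review bot: `src` reaches for `pkgs.fetchFromGitHub` through the `pkgs` argument instead of taking `fetchFromGitHub` from the callPackage arguments like every other input in the `@@ -0,0 +1,21 @@` hunk, which makes the derivation harder to override and is the only reason `pkgs` is needed at all; `{ lib, buildPythonPackage, fetchFromGitHub, isPy3k, service-identity, ldap3, twisted, ldaptor, mock }:` is the conventional form. `doCheck = !isPy3k;` switches the test suite off on every Python Synapse runs on, so `checkInputs = [ ldaptor mock ]` is dead weight and the `# ldaptor is not ready for py3 yet` comment deserves a re-check against the pinned nixpkgs before it fossilises — a plugin that sits in the authentication path is the last place to ship untested. `version = "0.2.2"` is paired with a bare commit `rev`; if that commit is the release, `rev = "v${version}"` (or a comment naming the tag) makes the pin auditable, and if it is ahead of the tag the version string should say so in the nixpkgs `unstable-<date>` style. A `meta` block with at least `license` is also missing.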