2023-02-03 15:10:19 +01:00 · 2022-12-17 19:43:15 +01:00 · 2022-12-17 19:43:15 +01:00 · 2022-12-17 19:43:15 +01:00 · 2022-12-17 19:43:15 +01:00 · 2022-12-17 19:43:15 +01:00
2 changed files with 33 additions and 13 deletions
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@ -18,6 +18,10 @@ let
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
  # build ldap3 plugin from git because it's very outdated in nixpkgs
  matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ./pkgs/matrix-synapse-ldap3.nix { };
  # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
 in
 {
  sops.secrets.matrix_ldap_search = {
@ -71,9 +75,7 @@ in
    matrix-synapse = {
      enable = true;
-      plugins = with config.services.matrix-synapse.package.plugins; [
+      plugins = [ matrix-synapse-ldap3 ];
        matrix-synapse-ldap3
      ];
      settings = {
        server_name = domainServer;
@ -94,24 +96,21 @@ in
      extraConfigFiles = [
        (pkgs.writeTextFile {
          name = "matrix-synapse-extra-config.yml";
-          text = ''
+          text = let portunus = config.services.portunus; in ''
-            # `password_providers` is deprecated but `modules` is not supported yet.
+            modules:
-            password_providers:
+              - module: ldap_auth_provider.LdapAuthProviderModule
              - module: ldap_auth_provider.LdapAuthProvider
                config:
                  enabled: true
                  # have to use fqdn here for tls (still connects to localhost)
-                  uri: ldaps://auth.nix.fugi.dev:636
+                  uri: ldaps://${portunus.domain}:636
-                  base: ou=users,dc=ifsr,dc=de
+                  base: ou=users,${portunus.ldap.suffix}
                  # taken from kaki config
                  attributes:
                    uid: uid
                    mail: uid
                    name: cn
-                  bind_dn: uid=search,ou=users,dc=ifsr,dc=de
+                  bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
-                  # TODO: password file not yet supported - update matrix-synapse-ldap3 or use workaround
+                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
                  bind_password: portunus_search
                  # bind_password_file: ${config.sops.secrets.portunus_search.path}
          '';
        })
      ];
--- a/modules/pkgs/matrix-synapse-ldap3.nix
+++ b/modules/pkgs/matrix-synapse-ldap3.nix
@ -0,0 +1,21 @@
 { isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }:
 buildPythonPackage rec {
  pname = "matrix-synapse-ldap3";
  version = "0.2.2";
  format = "pyproject";
  src = pkgs.fetchFromGitHub {
    owner = "matrix-org";
    repo = "matrix-synapse-ldap3";
    rev = "2584736204165f16c176567183f9c350ee253f74";
    sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8=";
  };
  propagatedBuildInputs = [ service-identity ldap3 twisted ];
  # ldaptor is not ready for py3 yet
  doCheck = !isPy3k;
  checkInputs = [ ldaptor mock ];
 }