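# NixOS module: authenticate Home Assistant users against LDAP via the
# `command_line` auth provider, using efficiosoft/ldap-auth-sh.
{ pkgs
, config
, lib
, ... }:

let
  # Build ldap-auth-sh from a pinned revision (rev + sha256) and ship a
  # Home Assistant specific config next to it.  The config ends up in the
  # world-readable Nix store, so it must not hold the bind password itself:
  # PW is read from /run/secrets/... only at runtime, when ldap-auth.sh
  # sources the file.
  ldap-auth-sh = pkgs.stdenv.mkDerivation {
    name = "ldap-auth-sh";

    src = pkgs.fetchFromGitHub {
      owner = "efficiosoft";
      repo = "ldap-auth-sh";
      rev = "93b2c00413942908139e37c7432a12bcb705ac87";
      sha256 = "1pymp6ki353aqkigr89g7hg5x1mny68m31c3inxf1zr26n5s2kz8";
    };

    nativeBuildInputs = [ pkgs.makeWrapper ];

    installPhase = ''
      mkdir -p $out/etc
      # Quoted heredoc delimiter: nothing below is expanded at build time, so
      # the $(...) substitutions (secret read, username escaping) happen when
      # ldap-auth.sh sources this file during an authentication attempt.
      cat > $out/etc/home-assistant.cfg << 'EOF'
      CLIENT="ldapsearch"
      SERVER="ldaps://ldap.cloonar.com:636"
      USERDN="cn=home-assistant,ou=system,ou=users,dc=cloonar,dc=com"
      # Bind password is kept out of the store; read from the secrets file at runtime.
      PW="$(</run/secrets/home-assistant-ldap)"
      BASEDN="ou=users,dc=cloonar,dc=com"
      SCOPE="one"
      # Only members of the HomeAssistant group may log in; the user is looked
      # up by mail address.
      FILTER="(&(objectClass=cloonarUser)(memberOf=cn=HomeAssistant,ou=groups,dc=cloonar,dc=com)(mail=$(ldap_dn_escape "$username")))"
      # Allow-list applied to the username before it is substituted into FILTER.
      # A bracket expression has no alternation, so the previous `|` separators
      # admitted a literal `|`; they are gone now.  This list is what keeps the
      # LDAP filter metacharacters `*()\` out of FILTER -- ldap_dn_escape, as its
      # name suggests, appears to target DN syntax rather than filter syntax
      # (confirm against upstream), so do not loosen this pattern.
      USERNAME_PATTERN='^[a-zA-Z0-9_.@-]+$'
      on_auth_success() {
        # Print meta entries (name=...) for Home Assistant; $output is assumed
        # to hold the ldapsearch result of the successful bind (set by
        # ldap-auth.sh -- verify against upstream).
        if echo "$output" | grep -qE '^(dn|DN):: '; then
          # ldapsearch base64-encodes non-ASCII attribute values ("dn:: ...").
          output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*::\s*\(.*\)$/\2/p" | base64 -d)
        else
          output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*:\s*\(.*\)$/\2/p")
        fi
        # First RDN of the DN (cn=...) becomes the display name.
        name=$(echo "$output" | sed -nr 's/^cn=([^,]+).*/\1/Ip')
        [ -z "$name" ] || echo "name=$name"
      }
      EOF
      install -D -m755 ldap-auth.sh $out/bin/ldap-auth.sh
      # Pin the tools the script and the config rely on (ldapsearch, GNU sed
      # extensions such as \| and \s, base64, grep) instead of trusting the
      # caller's PATH, and hard-wire the config path as the script argument.
      wrapProgram $out/bin/ldap-auth.sh \
        --prefix PATH : ${lib.makeBinPath [pkgs.openldap pkgs.coreutils pkgs.gnused pkgs.gnugrep]} \
        --add-flags "$out/etc/home-assistant.cfg"
    '';
  };
in
{
  services.home-assistant.config.homeassistant.auth_providers = [
    {
      type = "command_line";
      command = "${ldap-auth-sh}/bin/ldap-auth.sh";
      # meta = true makes Home Assistant read the name=... lines printed by
      # on_auth_success above.
      meta = true;
    }
  ];
}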