diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index c1d7d4ea06d..33ba444d097 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -6,7 +6,22 @@ let cfg = config.services.confluence; - pkg = pkgs.atlassian-confluence; + pkg = pkgs.atlassian-confluence.override { + enableSSO = cfg.sso.enable; + crowdProperties = '' + application.name ${cfg.sso.applicationName} + application.password ${cfg.sso.applicationPassword} + application.login.url ${cfg.sso.crowd}/console/ + + crowd.server.url ${cfg.sso.crowd}/services/ + crowd.base.url ${cfg.sso.crowd}/ + + session.isauthenticated session.isauthenticated + session.tokenkey session.tokenkey + session.validationinterval ${toString cfg.sso.validationInterval} + session.lastvalidation session.lastvalidation + ''; + }; in 
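Review bot: `application.password ${cfg.sso.applicationPassword}` is interpolated into `crowdProperties`, which is handed to the package override and written into `crowd.properties` at build time, so the Crowd application password ends up in the world-readable Nix store and in every copy of that closure. The first `jira.nix` hunk repeats the same block. I would keep the secret out of the build: take a path option instead (for example `applicationPasswordFile`, name open) and render `crowd.properties` when the service starts, into a directory only the service user can read. The service definition is outside this hunk, so where exactly that rendering belongs is not visible here. Moving the file out of the derivation would also stop each settings change from producing a host-specific rebuild of the package.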
@@ -76,6 +91,42 @@ in }; }; + sso = { + enable = mkEnableOption "SSO with Atlassian Crowd"; + + crowd = mkOption { + type = types.str; + example = "http://localhost:8095/crowd"; + description = "Crowd Base URL without trailing slash"; + }; + + applicationName = mkOption { + type = types.str; + example = "jira"; + description = "Exact name of this Confluence instance in Crowd"; + }; + + applicationPassword = mkOption { + type = types.str; + description = "Application password of this Confluence instance in Crowd"; + }; + + validationInterval = mkOption { + type = types.int; + default = 2; + example = 0; + description = '' + Set to 0, if you want authentication checks to occur on each + request. Otherwise set to the number of minutes between request + to validate if the user is logged in or out of the Crowd SSO + server. Setting this value to 1 or higher will increase the + performance of Crowd's integration. + ''; + }; + }; + + + jrePackage = let jreSwitch = unfree: free: if config.nixpkgs.config.allowUnfree or false then unfree else free; in mkOption { diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index 0ab94d95eee..19b6a8d3085 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -6,7 +6,22 @@ let cfg = config.services.jira; - pkg = pkgs.atlassian-jira; + pkg = pkgs.atlassian-jira.override { + enableSSO = cfg.sso.enable; + crowdProperties = '' + application.name ${cfg.sso.applicationName} + application.password ${cfg.sso.applicationPassword} + application.login.url ${cfg.sso.crowd}/console/ + + crowd.server.url ${cfg.sso.crowd}/services/ + crowd.base.url ${cfg.sso.crowd}/ + + session.isauthenticated session.isauthenticated + session.tokenkey session.tokenkey + session.validationinterval ${toString cfg.sso.validationInterval} + session.lastvalidation session.lastvalidation + ''; + }; in 
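Review bot: `sso.crowd`, `sso.applicationName` and `sso.applicationPassword` are declared without a default, yet the `pkg` override in the first hunk builds `crowdProperties` from them unconditionally and the package writes the file whenever `crowdProperties != null`. It looks as if a host that enables Confluence without configuring SSO would fail evaluation on the undefined options, and one that sets them while leaving `sso.enable = false` would still get the password baked into the package. Guarding the override covers both cases: `crowdProperties = if cfg.sso.enable then '' … '' else null;`. The Jira module's options hunk has the same shape. The `applicationName` example `"jira"` also looks carried over from the Jira module.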
@@ -82,6 +97,40 @@ in }; }; + sso = { + enable = mkEnableOption "SSO with Atlassian Crowd"; + + crowd = mkOption { + type = types.str; + example = "http://localhost:8095/crowd"; + description = "Crowd Base URL without trailing slash"; + }; + + applicationName = mkOption { + type = types.str; + example = "jira"; + description = "Exact name of this JIRA instance in Crowd"; + }; + + applicationPassword = mkOption { + type = types.str; + description = "Application password of this JIRA instance in Crowd"; + }; + + validationInterval = mkOption { + type = types.int; + default = 2; + example = 0; + description = '' + Set to 0, if you want authentication checks to occur on each + request. Otherwise set to the number of minutes between request + to validate if the user is logged in or out of the Crowd SSO + server. Setting this value to 1 or higher will increase the + performance of Crowd's integration. + ''; + }; + }; + jrePackage = let jreSwitch = unfree: free: if config.nixpkgs.config.allowUnfree or false then unfree else free; in mkOption { diff --git a/pkgs/servers/atlassian/confluence.nix b/pkgs/servers/atlassian/confluence.nix index 3c1cdda8361..ea8d2651836 100644 --- a/pkgs/servers/atlassian/confluence.nix +++ b/pkgs/servers/atlassian/confluence.nix @@ -1,4 +1,7 @@ -{ stdenv, fetchurl }: +{ stdenv, lib, fetchurl +, enableSSO ? false +, crowdProperties ? null +}: stdenv.mkDerivation rec { name = "atlassian-confluence-${version}"; 
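Review bot: The only guidance for `crowd` is the example `http://localhost:8095/crowd`, while the application password and the session validation requests are sent to whatever URL is configured here. That is fine for loopback, but the description should say so, for instance `"Crowd base URL without trailing slash; use https:// unless Crowd runs on the same host"`. The `validationInterval` text mentions only performance; I would add that a logged-out or disabled Crowd user can keep a working session for up to that many minutes, so readers see the trade-off behind the default of 2. The Confluence module carries the same option text.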
@@ -19,6 +22,14 @@ stdenv.mkDerivation rec { rm -r logs; ln -sf /run/confluence/logs/ . rm -r work; ln -sf /run/confluence/work/ . rm -r temp; ln -sf /run/confluence/temp/ . + '' + lib.optionalString enableSSO '' + substituteInPlace confluence/WEB-INF/classes/seraph-config.xml \ + --replace com.atlassian.confluence.user.ConfluenceAuthenticator\ + com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator + '' + lib.optionalString (crowdProperties != null) '' + cat < confluence/WEB-INF/classes/crowd.properties + ${crowdProperties} + EOF ''; installPhase = '' diff --git a/pkgs/servers/atlassian/jira.nix b/pkgs/servers/atlassian/jira.nix index bd044975f22..0013286c03c 100644 --- a/pkgs/servers/atlassian/jira.nix +++ b/pkgs/servers/atlassian/jira.nix @@ -1,4 +1,7 @@ -{ stdenv, fetchurl }: +{ stdenv, lib, fetchurl +, enableSSO ? false +, crowdProperties ? null +}: stdenv.mkDerivation rec { name = "atlassian-jira-${version}"; @@ -17,6 +20,14 @@ stdenv.mkDerivation rec { rm -r logs; ln -sf /run/atlassian-jira/logs/ . rm -r work; ln -sf /run/atlassian-jira/work/ . rm -r temp; ln -sf /run/atlassian-jira/temp/ . + '' + lib.optionalString enableSSO '' + substituteInPlace atlassian-jira/WEB-INF/classes/seraph-config.xml \ + --replace com.atlassian.jira.security.login.JiraSeraphAuthenticator \ + com.atlassian.jira.security.login.SSOSeraphAuthenticator + '' + lib.optionalString (crowdProperties != null) '' + cat < atlassian-jira/WEB-INF/classes/crowd.properties + ${crowdProperties} + EOF ''; installPhase = ''
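Review bot: `${crowdProperties}` is spliced into an unquoted heredoc, so the build shell expands `$`, backticks and backslashes inside it; an application password containing `$` would be silently altered and the service would then fail to authenticate against Crowd. Quoting the delimiter avoids that: `cat <<'EOF' > confluence/WEB-INF/classes/crowd.properties` (the heredoc operator seems to have been lost in this rendering, so I am assuming the original reads `<<EOF >`). The Jira package hunk uses the same construct. In the `--replace` line the continuation backslash is glued to `ConfluenceAuthenticator\`, which presumably works only because the next line is indented; a space before the backslash, as in the Jira hunk, is less fragile. The enclosing phase string starts and ends outside the hunk.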
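Review bot: If a later version bump renames the authenticator class in `seraph-config.xml`, the `substituteInPlace --replace` in this hunk may leave the file untouched without failing the build (depending on the stdenv version it warns at most). `enableSSO = true` would then ship with the default local authenticator still active. A check right after the substitution turns that into a build failure: `grep -q SSOSeraphAuthenticator atlassian-jira/WEB-INF/classes/seraph-config.xml`. The Confluence hunk would take the same check with `ConfluenceCrowdSSOAuthenticator`.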