Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them
contained personnal information about users. All thos changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository

6 files changed, 681 insertions, 0 deletions

diff --git a/flakes/mediagoblin/bower-packages.nix b/flakes/mediagoblin/bower-packages.nix
new file mode 100644
index 0000000..03af849
--- /dev/null
+++ b/flakes/mediagoblin/bower-packages.nix
@@ -0,0 +1,8 @@
+# Generated by bower2nix v3.2.0 (https://github.com/rvl/bower2nix)
+{ fetchbower, buildEnv }:
+buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
+  (fetchbower "jquery" "2.1.4" "~2.1.3" "1ywrpk2xsr6ghkm3j9gfnl9r3jn6xarfamp99b0bcm57kq9fm2k0")
+  (fetchbower "video.js" "4.11.4" "~4.11.4" "05prdvyk0rxbkh7sdd0d9ns5l5crwvc68wzkyqmrdjw367pcv8sn")
+  (fetchbower "leaflet" "0.7.7" "~0.7.3" "0jim285bljmxxngpm3yx6bnnd10n2whwkgmmhzpcd1rdksnr5nca")
+  (fetchbower "tinymce" "4.1.10" "~4.1.7" "16jyvdb9bq8gjwhs69q8p88vdixalajrz81nsmbrzzxhkih57dyx")
+]; }
diff --git a/flakes/mediagoblin/default.nix b/flakes/mediagoblin/default.nix
new file mode 100644
index 0000000..47cc628
--- /dev/null
+++ b/flakes/mediagoblin/default.nix
@@ -0,0 +1,213 @@
+{ src, makeWrapper, stdenv, writeScript, fetchurl, buildBowerComponents, which, python36, gst_all_1, automake, autoconf, nodejs, nodePackages, lib, callPackage, fetchgit, fetchFromGitHub }:
+let
+  overridePython = let
+    packageOverrides = self: super: {
+      pybcrypt = super.buildPythonPackage rec {
+        pname = "pybcrypt";
+        version = "0.4";
+
+        src = self.fetchPypi {
+          inherit pname version;
+          sha256 = "5fa13bce551468350d66c4883694850570f3da28d6866bb638ba44fe5eabda78";
+        };
+      };
+      celery = super.celery.overridePythonAttrs(old: rec {
+        version = "3.1.26.post2";
+        src = self.fetchPypi {
+          inherit version;
+          inherit (old) pname;
+          sha256 = "5493e172ae817b81ba7d09443ada114886765a8ce02f16a56e6fac68d953a9b2";
+        };
+        patches = [];
+        doCheck = false;
+      });
+      billiard = super.billiard.overridePythonAttrs(old: rec {
+        version = "3.3.0.23";
+        src = self.fetchPypi {
+          inherit version;
+          inherit (old) pname;
+          sha256 = "02wxsc6bhqvzh8j6w758kvgqbnj14l796mvmrcms8fgfamd2lak9";
+        };
+        doCheck = false;
+        doInstallCheck = false;
+      });
+      amqp = super.amqp.overridePythonAttrs(old: rec {
+        version = "1.4.9";
+        src = self.fetchPypi {
+          inherit version;
+          inherit (old) pname;
+          sha256 = "2dea4d16d073c902c3b89d9b96620fb6729ac0f7a923bbc777cb4ad827c0c61a";
+        };
+        doCheck = false;
+      });
+      kombu = super.kombu.overridePythonAttrs(old: rec {
+        version = "3.0.37";
+        src = self.fetchPypi {
+          inherit version;
+          inherit (old) pname;
+          sha256 = "e064a00c66b4d1058cd2b0523fb8d98c82c18450244177b6c0f7913016642650";
+        };
+        propagatedBuildInputs = old.propagatedBuildInputs ++ [ self.anyjson ];
+        doCheck = false;
+      });
+      markdown = super.markdown.overridePythonAttrs(old: rec {
+        version = "3.1.1";
+        src = self.fetchPypi {
+          inherit version;
+          inherit (old) pname;
+          sha256 = "2e50876bcdd74517e7b71f3e7a76102050edec255b3983403f1a63e7c8a41e7a";
+        };
+      });
+      sqlalchemy = super.sqlalchemy.overridePythonAttrs(old: rec {
+        version = "1.1.18";
+        src = self.fetchPypi {
+          inherit version;
+          inherit (old) pname;
+          sha256 = "8b0ec71af9291191ba83a91c03d157b19ab3e7119e27da97932a4773a3f664a9";
+        };
+        doCheck = false;
+      });
+      tempita_5_3_dev = super.buildPythonPackage rec {
+        version = "47414a7-master";
+        pname = "tempita";
+        name = "${pname}-${version}";
+        src = fetchFromGitHub {
+          owner = "gjhiggins";
+          repo = "tempita";
+          rev = "47414a7c6e46a9a9afe78f0bce2ea299fa84d10d";
+          sha256 = "0f33jjjs5rvp7ar2j6ggyfykcrsrn04jaqcq71qfvycf6b7nw3rn";
+          fetchSubmodules = true;
+        };
+        buildInputs = with self; [ nose ];
+        disabled = false;
+      };
+      sqlalchemy_migrate = super.sqlalchemy_migrate.overridePythonAttrs(old: rec {
+        propagatedBuildInputs = with self; [ pbr tempita_5_3_dev decorator sqlalchemy six sqlparse ];
+      });
+      pasteScript = super.pasteScript.overridePythonAttrs(old: rec {
+        version = "2.0.2";
+        name = "PasteScript-${version}";
+        src = fetchurl {
+          url = "mirror://pypi/P/PasteScript/${name}.tar.gz";
+          sha256 = "1h3nnhn45kf4pbcv669ik4faw04j58k8vbj1hwrc532k0nc28gy0";
+        };
+        propagatedBuildInputs = with self; [ six paste PasteDeploy ];
+      });
+      werkzeug = super.werkzeug.overridePythonAttrs(old: rec {
+        version = "0.16.1";
+        src = self.fetchPypi {
+          inherit version;
+          inherit (old) pname;
+          sha256 = "b353856d37dec59d6511359f97f6a4b2468442e454bd1c98298ddce53cac1f04";
+        };
+      });
+    };
+    in
+      python36.override { inherit packageOverrides; };
+  pythonEnv = python-pkgs: with python-pkgs; [
+    waitress alembic dateutil wtforms pybcrypt
+    pytest pytest_xdist werkzeug celery
+    kombu jinja2 Babel webtest configobj markdown
+    sqlalchemy itsdangerous pytz sphinx six
+    oauthlib unidecode jsonschema PasteDeploy
+    requests PyLD exifread
+    typing pasteScript lxml
+    # For images plugin
+    pillow
+    # For video plugin
+    gst-python
+    # migrations
+    sqlalchemy_migrate
+    # authentication
+    ldap3
+    redis
+    psycopg2
+  ];
+  python = overridePython.withPackages pythonEnv;
+  gmg = writeScript "gmg" ''
+    #!${python}/bin/python
+    __requires__ = 'mediagoblin'
+    import sys
+    from pkg_resources import load_entry_point
+
+    if __name__ == '__main__':
+        sys.exit(
+            load_entry_point('mediagoblin', 'console_scripts', 'gmg')()
+        )
+    '';
+  bowerComponents = buildBowerComponents {
+    name = "mediagoblin-bower-components";
+    generated = ./bower-packages.nix;
+    inherit src;
+  };
+  pluginNames = [ "basicsearch" ];
+  allPlugins = lib.attrsets.genAttrs pluginNames
+    (name: callPackage (./plugins + "/${name}") {});
+  toPassthru = pkg: plugins: {
+    inherit allPlugins plugins;
+    withPlugins = withPlugins pkg;
+  };
+  withPlugins = pkg: toPlugins:
+    let
+      plugins = toPlugins allPlugins;
+      toBuildPlugin = n: "ln -s ${n} mediagoblin/plugins/${n.pluginName}";
+      newMediagoblin = pkg.overrideAttrs(old: {
+        postBuild = old.postBuild + "\n" + builtins.concatStringsSep "\n" (map toBuildPlugin plugins);
+        passthru = toPassthru newMediagoblin plugins;
+      });
+    in newMediagoblin;
+  package = stdenv.mkDerivation rec {
+    pname = "mediagoblin";
+    name = "${pname}-${version}";
+    version = "cd465eb-stable";
+    inherit src;
+    preConfigure = ''
+      # ./bootstrap.sh
+      aclocal -I m4 --install
+      autoreconf -fvi
+      # end
+      export HOME=$PWD
+      '';
+    configureFlags = [ "--with-python3" "--without-virtualenv" ];
+    postBuild = ''
+      cp -a ${bowerComponents}/bower_components/* extlib
+      chmod -R u+w extlib
+      make extlib
+      '';
+    installPhase = let
+      libpaths = with gst_all_1; [
+        python
+        gstreamer
+        gst-plugins-base
+        gst-libav
+        gst-plugins-good
+        gst-plugins-bad
+        gst-plugins-ugly
+      ];
+      plugin_paths = builtins.concatStringsSep ":" (map (x: "${x}/lib") libpaths);
+      typelib_paths = with gst_all_1; "${gstreamer}/lib/girepository-1.0:${gst-plugins-base}/lib/girepository-1.0";
+    in ''
+      sed -i "s/registry.has_key(current_theme_name)/current_theme_name in registry/" mediagoblin/tools/theme.py
+      sed -i -e "s@\[DEFAULT\]@[DEFAULT]\nhere = $out@" mediagoblin/config_spec.ini
+      sed -i -e "/from gi.repository import GstPbutils/s/^/gi.require_version('GstPbutils', '1.0')\n/" mediagoblin/media_types/video/transcoders.py
+      cp ${./ldap_fix.py} mediagoblin/plugins/ldap/tools.py
+      find . -name '*.pyc' -delete
+      find . -type f -exec sed -i "s|$PWD|$out|g" {} \;
+      python setup.py build
+      cp -a . $out
+      mkdir $out/bin
+      makeWrapper ${gmg} $out/bin/gmg --prefix PYTHONPATH : "$out:$PYTHONPATH" \
+        --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
+        --prefix GI_TYPELIB_PATH : ${typelib_paths}
+      makeWrapper ${python}/bin/paster $out/bin/paster --prefix PYTHONPATH : "$out:$PYTHONPATH" \
+        --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
+        --prefix GI_TYPELIB_PATH : ${typelib_paths}
+      makeWrapper ${python}/bin/celery $out/bin/celery --prefix PYTHONPATH : "$out:$PYTHONPATH" \
+        --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
+        --prefix GI_TYPELIB_PATH : ${typelib_paths}
+      '';
+    buildInputs = [ makeWrapper automake autoconf which nodePackages.bower nodejs python ];
+    propagatedBuildInputs = with gst_all_1; [ python gst-libav gst-plugins-good gst-plugins-bad gst-plugins-ugly gstreamer ];
+    passthru = toPassthru package [];
+  };
+in package
diff --git a/flakes/mediagoblin/flake.lock b/flakes/mediagoblin/flake.lock
new file mode 100644
index 0000000..bba6479
--- /dev/null
+++ b/flakes/mediagoblin/flake.lock
@@ -0,0 +1,78 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1649676176,
+        "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "mediagoblin": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1531090939,
+        "narHash": "sha256-vSajRbuE/bu2HVsUZm25fkm/vNLXKDIK7Xn8kyKJ5Ps=",
+        "ref": "stable",
+        "rev": "cd465ebfec837a75a44c4ebd727dffe2fff6d850",
+        "revCount": 4805,
+        "submodules": true,
+        "type": "git",
+        "url": "https://git.savannah.gnu.org/git/mediagoblin.git"
+      },
+      "original": {
+        "ref": "stable",
+        "rev": "cd465ebfec837a75a44c4ebd727dffe2fff6d850",
+        "submodules": true,
+        "type": "git",
+        "url": "https://git.savannah.gnu.org/git/mediagoblin.git"
+      }
+    },
+    "myuids": {
+      "locked": {
+        "lastModified": 1,
+        "narHash": "sha256-HkW9YCLQCNBX3Em7J7MjraVEZO3I3PizkVV2QrUdULQ=",
+        "path": "../myuids",
+        "type": "path"
+      },
+      "original": {
+        "path": "../myuids",
+        "type": "path"
+      }
+    },
+    "nixpkgs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1596265691,
+        "narHash": "sha256-9ofCzFqttTsGrvTaS4RrDSTNQO9PFOz5uyn8V+2eA5M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "mediagoblin": "mediagoblin",
+        "myuids": "myuids",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flakes/mediagoblin/flake.nix b/flakes/mediagoblin/flake.nix
new file mode 100644
index 0000000..2e821d5
--- /dev/null
+++ b/flakes/mediagoblin/flake.nix
@@ -0,0 +1,271 @@
+{
+  description = "a free software media publishing platform that anyone can run.";
+  inputs.myuids = {
+    url = "path:../myuids";
+  };
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+  inputs.nixpkgs = {
+    url = "github:NixOS/nixpkgs/840c782d507d60aaa49aa9e3f6d0b0e780912742";
+    flake = false;
+  };
+  inputs.mediagoblin = {
+    url = "git+https://git.savannah.gnu.org/git/mediagoblin.git?submodules=1&ref=stable&rev=cd465ebfec837a75a44c4ebd727dffe2fff6d850";
+    flake = false;
+  };
+
+  outputs = { self, myuids, nixpkgs, mediagoblin, flake-utils }: flake-utils.lib.eachSystem ["x86_64-linux"] (system:
+    let
+      pkgs = import nixpkgs { inherit system; overlays = []; };
+      version = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.mediagoblin.original.ref;
+      inherit (pkgs) callPackage;
+    in rec {
+      packages.mediagoblin = callPackage ./. { src = mediagoblin // { inherit version; }; };
+      defaultPackage = packages.mediagoblin;
+      legacyPackages.mediagoblin = packages.mediagoblin;
+      checks = {
+        build = defaultPackage;
+      };
+    }
+  ) // rec {
+    overlays = {
+      mediagoblin = final: prev: {
+        mediagoblin = self.defaultPackage."${final.system}";
+      };
+    };
+    overlay = overlays.mediagoblin;
+    nixosModule = { lib, pkgs, config, ... }:
+      let
+        name = "mediagoblin";
+        cfg = config.services.mediagoblin;
+
+        uid = config.ids.uids.mediagoblin;
+        gid = config.ids.gids.mediagoblin;
+
+        paste_local = pkgs.writeText "paste_local.ini" ''
+          [DEFAULT]
+          debug = false
+
+          [pipeline:main]
+          pipeline = mediagoblin
+
+          [app:mediagoblin]
+          use = egg:mediagoblin#app
+          config = ${cfg.configFile} ${cfg.package}/mediagoblin.ini
+          /mgoblin_static = ${cfg.package}/mediagoblin/static
+
+          [loggers]
+          keys = root
+
+          [handlers]
+          keys = console
+
+          [formatters]
+          keys = generic
+
+          [logger_root]
+          level = INFO
+          handlers = console
+
+          [handler_console]
+          class = StreamHandler
+          args = (sys.stderr,)
+          level = NOTSET
+          formatter = generic
+
+          [formatter_generic]
+          format = %(levelname)-7.7s [%(name)s] %(message)s
+
+          [filter:errors]
+          use = egg:mediagoblin#errors
+          debug = false
+
+          [server:main]
+          use = egg:waitress#main
+          unix_socket = ${cfg.sockets.paster}
+          unix_socket_perms = 777
+          url_scheme = https
+          '';
+      in
+      {
+        options.services.mediagoblin = {
+          enable = lib.mkEnableOption "Enable Mediagoblin’s service";
+          user = lib.mkOption {
+            type = lib.types.str;
+            default = name;
+            description = "User account under which Mediagoblin runs";
+          };
+          group = lib.mkOption {
+            type = lib.types.str;
+            default = name;
+            description = "Group under which Mediagoblin runs";
+          };
+          dataDir = lib.mkOption {
+            type = lib.types.path;
+            default = "/var/lib/${name}";
+            description = ''
+              The directory where Mediagoblin stores its data.
+            '';
+          };
+          socketsDir = lib.mkOption {
+            type = lib.types.path;
+            default = "/run/${name}";
+            description = ''
+              The directory where Mediagoblin puts runtime files and sockets.
+              '';
+          };
+          configFile = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              The configuration file path for Mediagoblin.
+              '';
+          };
+          package = lib.mkOption {
+            type = lib.types.package;
+            default = pkgs.mediagoblin;
+            example = lib.literalExample ''
+              pkgs.webapps.mediagoblin.withPlugins (p: [p.basicsearch])
+            '';
+            description = ''
+              Mediagoblin package to use.
+              '';
+          };
+          systemdStateDirectory = lib.mkOption {
+            type = lib.types.str;
+            # Use ReadWritePaths= instead if varDir is outside of /var/lib
+            default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+              lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+            description = ''
+            Adjusted Mediagoblin data directory for systemd
+            '';
+            readOnly = true;
+          };
+          systemdRuntimeDirectory = lib.mkOption {
+            type = lib.types.str;
+            # Use ReadWritePaths= instead if socketsDir is outside of /run
+            default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+              lib.strings.removePrefix "/run/" cfg.socketsDir;
+            description = ''
+            Adjusted Mediagoblin sockets directory for systemd
+            '';
+            readOnly = true;
+          };
+          sockets = lib.mkOption {
+            type = lib.types.attrsOf lib.types.path;
+            default = {
+              paster = "${cfg.socketsDir}/mediagoblin.sock";
+            };
+            readOnly = true;
+            description = ''
+              Mediagoblin sockets
+              '';
+          };
+          pids = lib.mkOption {
+            type = lib.types.attrsOf lib.types.path;
+            default = {
+              paster = "${cfg.socketsDir}/mediagoblin.pid";
+              celery = "${cfg.socketsDir}/mediagoblin-celeryd.pid";
+            };
+            readOnly = true;
+            description = ''
+              Mediagoblin pid files
+              '';
+          };
+        };
+
+        config = lib.mkIf cfg.enable {
+          nixpkgs.overlays = [ self.overlay ];
+          users.users = lib.optionalAttrs (cfg.user == name) {
+            "${name}" = {
+              inherit uid;
+              group = cfg.group;
+              description = "Mediagoblin user";
+              home = cfg.dataDir;
+              useDefaultShell = true;
+            };
+          };
+          users.groups = lib.optionalAttrs (cfg.group == name) {
+            "${name}" = {
+              inherit gid;
+            };
+          };
+
+          systemd.slices.mediagoblin = {
+            description = "Mediagoblin slice";
+          };
+          systemd.services.mediagoblin-web = {
+            description = "Mediagoblin service";
+            wantedBy = [ "multi-user.target" ];
+            after = [ "network.target" ];
+            wants = [ "postgresql.service" "redis.service" ];
+
+            environment.SCRIPT_NAME = "/mediagoblin/";
+
+            script = ''
+              exec ./bin/paster serve \
+                ${paste_local} \
+                --pid-file=${cfg.pids.paster}
+              '';
+            preStop = ''
+              exec ./bin/paster serve \
+                --pid-file=${cfg.pids.paster} \
+                ${paste_local} stop
+              '';
+            preStart = ''
+              if [ -d ${cfg.dataDir}/plugin_static/ ]; then
+                rm ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+                ln -sf ${cfg.package}/mediagoblin/plugins/basic_auth/static ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+              fi
+              ./bin/gmg -cf ${cfg.configFile} dbupdate
+              '';
+
+            serviceConfig = {
+              Slice = "mediagoblin.slice";
+              User = cfg.user;
+              PrivateTmp = true;
+              Restart = "always";
+              TimeoutSec = 15;
+              Type = "simple";
+              WorkingDirectory = cfg.package;
+              RuntimeDirectory = cfg.systemdRuntimeDirectory;
+              StateDirectory= cfg.systemdStateDirectory;
+              PIDFile = cfg.pids.paster;
+            };
+
+            unitConfig.RequiresMountsFor = cfg.dataDir;
+          };
+
+          systemd.services.mediagoblin-celeryd = {
+            description = "Mediagoblin service";
+            wantedBy = [ "multi-user.target" ];
+            after = [ "network.target" "mediagoblin-web.service" ];
+
+            environment.MEDIAGOBLIN_CONFIG = cfg.configFile;
+            environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
+
+            script = ''
+              exec ./bin/celery worker \
+                --logfile=${cfg.dataDir}/celery.log \
+                --loglevel=INFO
+              '';
+
+            serviceConfig = {
+              Slice = "mediagoblin.slice";
+              User = cfg.user;
+              PrivateTmp = true;
+              Restart = "always";
+              TimeoutSec = 60;
+              Type = "simple";
+              WorkingDirectory = cfg.package;
+              RuntimeDirectory = cfg.systemdRuntimeDirectory;
+              StateDirectory= cfg.systemdStateDirectory;
+              PIDFile = cfg.pids.celery;
+            };
+
+            unitConfig.RequiresMountsFor = cfg.dataDir;
+          };
+        };
+      };
+  };
+}
+
+
diff --git a/flakes/mediagoblin/ldap_fix.py b/flakes/mediagoblin/ldap_fix.py
new file mode 100644
index 0000000..10cc375
--- /dev/null
+++ b/flakes/mediagoblin/ldap_fix.py
@@ -0,0 +1,93 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from ldap3 import Server, Connection, SUBTREE
+from ldap3.core.exceptions import LDAPException
+import logging
+
+import six
+
+from mediagoblin.tools import pluginapi
+
+_log = logging.getLogger(__name__)
+
+
+class LDAP(object):
+    def __init__(self):
+        self.ldap_settings = pluginapi.get_config('mediagoblin.plugins.ldap')
+
+    def _connect(self, server):
+        _log.info('Connecting to {0}.'.format(server['LDAP_SERVER_URI']))
+        self.server = Server(server['LDAP_SERVER_URI'])
+
+        if 'LDAP_START_TLS' in server and server['LDAP_START_TLS'] == 'true':
+            _log.info('Initiating TLS')
+            self.server.start_tls()
+
+    def _manager_auth(self, settings, username, password):
+        conn = Connection(self.server,
+                settings['LDAP_BIND_DN'],
+                settings['LDAP_BIND_PW'],
+                auto_bind=True)
+        found = conn.search(
+                search_base=settings['LDAP_SEARCH_BASE'],
+                search_filter=settings['LDAP_SEARCH_FILTER'].format(username=username),
+                search_scope=SUBTREE,
+                attributes=[settings['EMAIL_SEARCH_FIELD']])
+        if (not found) or len(conn.entries) > 1:
+            return False, None
+
+        user = conn.entries[0]
+        user_dn = user.entry_dn
+        try:
+            email = user.entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
+        except KeyError:
+            email = None
+
+        Connection(self.server, user_dn, password, auto_bind=True)
+
+        return username, email
+
+    def _direct_auth(self, settings, username, password):
+        user_dn = settings['LDAP_USER_DN_TEMPLATE'].format(username=username)
+        conn = Connection(self.server, user_dn, password, auto_bind=True)
+        email_found = conn.search(
+                search_base=settings['LDAP_SEARCH_BASE'],
+                search_filter='uid={0}'.format(username),
+                search_scope=SUBTREE,
+                attributes=[settings['EMAIL_SEARCH_FIELD']])
+
+        if email_found:
+            try:
+                email = conn.entries[0].entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
+            except KeyError:
+                email = None
+
+        return username, email
+
+    def login(self, username, password):
+        for k, v in six.iteritems(self.ldap_settings):
+            try:
+                self._connect(v)
+
+                if 'LDAP_BIND_DN' in v:
+                    return self._manager_auth(v, username, password)
+                else:
+                    return self._direct_auth(v, username, password)
+
+            except LDAPException as e:
+                _log.info(e)
+
+        return False, None
diff --git a/flakes/mediagoblin/plugins/basicsearch/default.nix b/flakes/mediagoblin/plugins/basicsearch/default.nix
new file mode 100644
index 0000000..16be613
--- /dev/null
+++ b/flakes/mediagoblin/plugins/basicsearch/default.nix
@@ -0,0 +1,18 @@
+{ stdenv, fetchFromGitHub }:
+stdenv.mkDerivation rec {
+  name = "mediagoblin-plugin-basicsearch-${version}";
+  version = "ba0a154-master";
+  src = fetchFromGitHub {
+    owner = "ayleph";
+    repo = "mediagoblin-basicsearch";
+    rev = "ba0a1547bd24ebaf363227fe17644d38c6ce8a6b";
+    sha256 = "0d4r7xkf4gxmgaxlb264l44xbanis77g49frwfhfzsflxmdwgncy";
+  };
+  phases = "unpackPhase installPhase";
+  installPhase = ''
+    cp -R ./basicsearch $out
+    '';
+  passthru = {
+    pluginName = "basicsearch";
+  };
+}