feat: matrix oidc

2026-03-24 21:20:11 +01:00 · 2026-03-24 21:20:11 +01:00 · 357480c807
commit 357480c807
parent 62bb7aa2ea
3 changed files with 42 additions and 17 deletions
--- a/hosts/hitsugibune/matrix.nix
+++ b/hosts/hitsugibune/matrix.nix
@ -22,13 +22,19 @@ in {
    group = "matrix-synapse";
  };

+  age.secrets.matrix-oidc = {
+    file = ../../secrets/matrix-oidc.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
  age.secrets.mautrix-signal = {
    file = ../../secrets/mautrix-signal.age;
    owner = "mautrix-signal";
    group = "mautrix-signal";
  };
  age.secrets.mautrix-signal-puppeting = {
-    file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML
+    file = ../../secrets/mautrix-signal-puppeting.yaml.age;
    owner = "mautrix-signal";
    group = "mautrix-signal";
    mode = "0640";
@ -184,26 +190,44 @@ in {
    settings.public_baseurl = baseUrl;
    settings.enable_registration = false;
    enableRegistrationScript = true;
-    settings.listeners = [
-      {
-        port = 8008;
-        bind_addresses = ["::1"];
-        type = "http";
-        tls = false;
-        x_forwarded = true;
-        resources = [
-          {
-            names = ["client" "federation"];
-            compress = true;
-          }
-        ];
-      }
-    ];
+    settings = {
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = ["::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+      oidc_providers = [
+        {
+          idp_id = "authentik";
+          idp_name = "Authentik";
+          issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/.well-known/openid-configuration";
+          client_id = "xoTtitlCqRbK9fjl2VAugYdswYGOLUJUzeV1dacc";
+          scopes = [ "openid" "profile" "email" ];
+          user_mapping_provider.config = {
+            localpart_template = "{{ user.preferred_username }}";
+            display_name_template = "{{ user.name }}";
+          };
+        }
+      ];
+    };
    settings.app_service_config_files = [
      "/var/lib/mautrix-signal/double-puppeting.yaml"
    ];

-    extraConfigFiles = [config.age.secrets.matrix.path];
+    extraConfigFiles = [
+      config.age.secrets.matrix.path
+      config.age.secrets.matrix-oidc.path
+    ];
    settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"];
    settings.turn_user_lifetime = "1h";
  };
--- a/secrets/matrix-oidc.age
+++ b/secrets/matrix-oidc.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,6 +12,7 @@ in {
  "speedtest-tracker.age".publicKeys = [saberofxebec key];
  "homarr.age".publicKeys = [saberofxebec key];
  "matrix.age".publicKeys = [hitsugibune key];
+  "matrix-oidc.age".publicKeys = [hitsugibune key];
  "mautrix-signal.age".publicKeys = [hitsugibune key];
  "mautrix-signal-puppeting.yaml.age".publicKeys = [hitsugibune key];
  "mautrix-whatsapp.age".publicKeys = [hitsugibune key];