From 357480c8075d9e80585e13b160fbc2ce3a1f8680 Mon Sep 17 00:00:00 2001
From: s-prechtl <stefan@tague.at>
Date: Tue, 24 Mar 2026 21:20:11 +0100
Subject: [PATCH] feat: matrix oidc

---
 hosts/hitsugibune/matrix.nix |  58 +++++++++++++++++++++++++----------
 secrets/matrix-oidc.age      | Bin 0 -> 939 bytes
 secrets/secrets.nix          |   1 +
 3 files changed, 42 insertions(+), 17 deletions(-)
 create mode 100644 secrets/matrix-oidc.age

diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix
index a04de12..2031fc6 100644
--- a/hosts/hitsugibune/matrix.nix
+++ b/hosts/hitsugibune/matrix.nix
@@ -22,13 +22,19 @@ in {
     group = "matrix-synapse";
   };
 
+  age.secrets.matrix-oidc = {
+    file = ../../secrets/matrix-oidc.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
   age.secrets.mautrix-signal = {
     file = ../../secrets/mautrix-signal.age;
     owner = "mautrix-signal";
     group = "mautrix-signal";
   };
   age.secrets.mautrix-signal-puppeting = {
-    file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML
+    file = ../../secrets/mautrix-signal-puppeting.yaml.age;
     owner = "mautrix-signal";
     group = "mautrix-signal";
     mode = "0640";
@@ -184,26 +190,44 @@ in {
     settings.public_baseurl = baseUrl;
     settings.enable_registration = false;
     enableRegistrationScript = true;
-    settings.listeners = [
-      {
-        port = 8008;
-        bind_addresses = ["::1"];
-        type = "http";
-        tls = false;
-        x_forwarded = true;
-        resources = [
-          {
-            names = ["client" "federation"];
-            compress = true;
-          }
-        ];
-      }
-    ];
+    settings = {
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = ["::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+      oidc_providers = [
+        {
+          idp_id = "authentik";
+          idp_name = "Authentik";
+          issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/.well-known/openid-configuration";
+          client_id = "xoTtitlCqRbK9fjl2VAugYdswYGOLUJUzeV1dacc";
+          scopes = [ "openid" "profile" "email" ];
+          user_mapping_provider.config = {
+            localpart_template = "{{ user.preferred_username }}";
+            display_name_template = "{{ user.name }}";
+          };
+        }
+      ];
+    };
     settings.app_service_config_files = [
       "/var/lib/mautrix-signal/double-puppeting.yaml"
     ];
 
-    extraConfigFiles = [config.age.secrets.matrix.path];
+    extraConfigFiles = [
+      config.age.secrets.matrix.path
+      config.age.secrets.matrix-oidc.path
+    ];
     settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"];
     settings.turn_user_lifetime = "1h";
   };
diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age
new file mode 100644
index 0000000000000000000000000000000000000000..606d7e28e488505ca0cde6a665fa362376a88e80
GIT binary patch
literal 939
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP5AezMN>}hq_KfuP
z57al#%=PfCGD<b~GWEzS_3?8|uQX3{EUWNO&-O|!w@k@3Oy)|9w8*e1@C}K|4l@aj
zFb?-g@h{U)O3&5zax-=dtaQruv@|NMs_-^2c7)khRGg^blkR5h8p!3DR8k%g<ZoJ@
zk)LN$<(F-il^$8_?^@=mZ{cd1T9us{5MYvFmRuT`VpyK39}${n5#*faQCL~!TM*{%
zT@k<)lo=2Z6qe#_Y2sZTZ0eYtS*)F@AL$d6pJ85{<C5oDl96Mo?d6}QZIqT8VB%U9
z;Z<SgRA6Y4WRMnBoaCFy6<$`ElM>)+=pB+?5#SzK5K&%bnw4bgQCW~}T<%$AkZG2c
z7w(c-84%`C9ub&V5>#5^A5~-=P+^f$Ruo<m#1#?lR+i%(QfXw6ROany;N;<Fl#v;p
zT^gDjl5Ofy7*Z0E9GF+=mSW;<oEMT|?wI0M8Xl3FYT%ad=o^tzZqAibP?lBbXI2#M
zXXzf9o#=1jRvM`9njDpC5awnSkP)1dU*c4nmgEsqP@3Tx98?u#u3woOoS$EkQ683+
zA63Q`5g8PmY~mg4?G+T6m#Cc*8Wd)(ogL(#l~$6H5f&6?;N_d)?B)|1Xr7T698^{r
zQ0n4To)+$5Zt9We6l##jWmfJOU|gYHn(kbc<y_?K<?gH>k(=#YnUiK#>JboS8W5VH
zUs38Fq#bOSo|v2(nC0T>o$ZvD7F6nM<nHO3#N}TZ7?M_2XzcA9;uM-3R^bxm6dL5{
zo1a>gXIku$lv=2rnWOJrlxbA#R^*?o?Ur3$;_g}HQ<&zHmR1x|QOw1qtE;QvS>|tC
z<?LgUYvNg!Qc{uQTvnEE7-DAO>aDLGpdIKMW@b>96>OB2Wo*Ia$ndaaOXbuhfg4R0
zX_Z;Ty<W|mblrMKn#sp^8{Bi1g4JZh6Z19NW_MS859V2tZIydZC(`VUjE~%o+q}Ob
z<}AH6Gos_mqHy;q0h+NfGo8IFuYb-6KBM;6k)PB0MDGikFyH5QUF+WF>BjQhmRR0&
z$+DDLbwSgXMMeDwc5408ulZM(xM*tWZHMV%TV<|hoK9&jP~TVdAggOa7R!CM&i*gE
z#ZGgpuvjnRx1V)xp7=J2yDJUC*Q&-o44oKo@~DcQQ0&bMw<W$D^74P$cz(&!ee9EN
PJb1Wdnen6LX0llT1m#!b

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6935e19..8e457b9 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -12,6 +12,7 @@ in {
   "speedtest-tracker.age".publicKeys = [saberofxebec key];
   "homarr.age".publicKeys = [saberofxebec key];
   "matrix.age".publicKeys = [hitsugibune key];
+  "matrix-oidc.age".publicKeys = [hitsugibune key];
   "mautrix-signal.age".publicKeys = [hitsugibune key];
   "mautrix-signal-puppeting.yaml.age".publicKeys = [hitsugibune key];
   "mautrix-whatsapp.age".publicKeys = [hitsugibune key];