From 3a92b8805dce415049c1c7e3f5f2ba3138180813 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:22:15 +0100 Subject: [PATCH 01/11] feat: noctalia --- flake.lock | 106 +++++- flake.nix | 4 + hosts/goingmerry/home.nix | 1 + modules/home-manager/noctalia.nix | 569 ++++++++++++++++++++++++++++++ 4 files changed, 674 insertions(+), 6 deletions(-) create mode 100644 modules/home-manager/noctalia.nix diff --git a/flake.lock b/flake.lock index cba9b0b..c922979 100644 --- a/flake.lock +++ b/flake.lock @@ -607,11 +607,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1774106199, - "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=", + "lastModified": 1770562336, + "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6c9a78c09ff4d6c21d0319114873508a6ec01655", + "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", "type": "github" }, "original": { @@ -622,6 +622,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1770107345, + "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "4533d9293756b63904b7238acb84ac8fe4c8c2c4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1774192288, "narHash": "sha256-vHqcv1WQvmR4hRz0/dUqlA8LjIHtZvWtWrzIX3YTxzQ=", @@ -637,7 +653,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1773389992, "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=", 
@@ -653,6 +669,50 @@ "type": "github" } }, + "noctalia": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "noctalia-qs": "noctalia-qs" + }, + "locked": { + "lastModified": 1774355152, + "narHash": "sha256-/LZrWUvaM/arityH0KR2AopnEaXJqR9roSbKLNgFq0w=", + "owner": "noctalia-dev", + "repo": "noctalia-shell", + "rev": "020dab63bf9f77beb8ade278e975be05701bf6c2", + "type": "github" + }, + "original": { + "owner": "noctalia-dev", + "repo": "noctalia-shell", + "type": "github" + } + }, + "noctalia-qs": { + "inputs": { + "nixpkgs": [ + "noctalia", + "nixpkgs" + ], + "systems": "systems_3", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1774304440, + "narHash": "sha256-JVLdoEuZUxS6Iujt0rC+Pyxw1pP6JSddGexqD6+yZ64=", + "owner": "noctalia-dev", + "repo": "noctalia-qs", + "rev": "2ddc0266025b9cc196fc28a46f0ed89146834c4c", + "type": "github" + }, + "original": { + "owner": "noctalia-dev", + "repo": "noctalia-qs", + "type": "github" + } + }, "pyproject-build-systems": { "inputs": { "nixpkgs": [ @@ -715,6 +775,7 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable", + "noctalia": "noctalia", "simple-nixos-mailserver": "simple-nixos-mailserver", "zen-browser": "zen-browser" } @@ -724,7 +785,7 @@ "blobs": "blobs", "flake-compat": "flake-compat_3", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1774268581, 
@@ -771,6 +832,39 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1772660329, + "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "3710e0e1218041bbad640352a0440114b1e10428", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "uv2nix": { "inputs": { "nixpkgs": [ @@ -799,7 +893,7 @@ "zen-browser": { "inputs": { "home-manager": "home-manager_3", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1774242250, diff --git a/flake.nix b/flake.nix index f2a7291..bba8340 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,10 @@ }; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; authentik.url = "github:nix-community/authentik-nix"; + noctalia = { + url = "github:noctalia-dev/noctalia-shell"; + inputs.nixpkgs.follows = "nixpkgs"; + }; home-manager = { url = "github:nix-community/home-manager"; diff --git a/hosts/goingmerry/home.nix b/hosts/goingmerry/home.nix index db90414..d9707ca 100644 --- a/hosts/goingmerry/home.nix +++ b/hosts/goingmerry/home.nix @@ -20,6 +20,7 @@ ../../modules/home-manager/waybar.nix ../../modules/home-manager/wofi.nix ../../modules/home-manager/zsh.nix + # ../../modules/home-manager/noctalia.nix inputs.zen-browser.homeModules.twilight ]; home.username = "sprechtl"; diff --git a/modules/home-manager/noctalia.nix b/modules/home-manager/noctalia.nix new file mode 100644 index 0000000..1fcda08 --- /dev/null 
+++ b/modules/home-manager/noctalia.nix 
@@ -0,0 +1,569 @@ +{ pkgs, inputs, ... }: +{ + imports = [ + inputs.noctalia.homeModules.default + ]; + programs.noctalia-shell = { + enable = true; + settings = { + settingsVersion = 0; + bar = { + barType = "simple"; + position = "top"; + monitors = [ ]; + density = "default"; + showOutline = false; + showCapsule = true; + capsuleOpacity = 1; + capsuleColorKey = "none"; + widgetSpacing = 6; + contentPadding = 2; + fontScale = 1; + enableExclusionZoneInset = true; + backgroundOpacity = 0.93; + useSeparateOpacity = false; + marginVertical = 4; + marginHorizontal = 4; + frameThickness = 8; + frameRadius = 12; + outerCorners = true; + hideOnOverview = false; + displayMode = "always_visible"; + autoHideDelay = 500; + autoShowDelay = 150; + showOnWorkspaceSwitch = true; + widgets = { + left = [ + { + id = "Launcher"; + } + { + id = "Clock"; + } + { + id = "SystemMonitor"; + } + { + id = "ActiveWindow"; + } + { + id = "MediaMini"; + } + ]; + center = [ + { + id = "Workspace"; + } + ]; + right = [ + { + id = "Tray"; + } + { + id = "NotificationHistory"; + } + { + id = "Battery"; + } + { + id = "Volume"; + } + { + id = "Brightness"; + } + { + id = "ControlCenter"; + } + ]; + }; + mouseWheelAction = "none"; + reverseScroll = false; + mouseWheelWrap = true; + middleClickAction = "none"; + middleClickFollowMouse = false; + middleClickCommand = ""; + rightClickAction = "controlCenter"; + rightClickFollowMouse = true; + rightClickCommand = ""; + screenOverrides = [ ]; + }; + general = { + avatarImage = ""; + dimmerOpacity = 0.2; + showScreenCorners = false; + forceBlackScreenCorners = false; + scaleRatio = 1; + radiusRatio = 1; + iRadiusRatio = 1; + boxRadiusRatio = 1; + screenRadiusRatio = 1; + animationSpeed = 1; + animationDisabled = false; + compactLockScreen = false; + lockScreenAnimations = false; + lockOnSuspend = true; + showSessionButtonsOnLockScreen = true; + showHibernateOnLockScreen = false; + enableLockScreenMediaControls = false; + enableShadows = true; + 
enableBlurBehind = true; + shadowDirection = "bottom_right"; + shadowOffsetX = 2; + shadowOffsetY = 3; + language = ""; + allowPanelsOnScreenWithoutBar = true; + showChangelogOnStartup = true; + telemetryEnabled = false; + enableLockScreenCountdown = true; + lockScreenCountdownDuration = 10000; + autoStartAuth = false; + allowPasswordWithFprintd = false; + clockStyle = "custom"; + clockFormat = "hh\nmm"; + passwordChars = false; + lockScreenMonitors = [ ]; + lockScreenBlur = 0; + lockScreenTint = 0; + keybinds = { + keyUp = [ + "Up" + ]; + keyDown = [ + "Down" + ]; + keyLeft = [ + "Left" + ]; + keyRight = [ + "Right" + ]; + keyEnter = [ + "Return" + "Enter" + ]; + keyEscape = [ + "Esc" + ]; + keyRemove = [ + "Del" + ]; + }; + reverseScroll = false; + }; + ui = { + fontDefault = ""; + fontFixed = ""; + fontDefaultScale = 1; + fontFixedScale = 1; + tooltipsEnabled = true; + scrollbarAlwaysVisible = true; + boxBorderEnabled = false; + panelBackgroundOpacity = 0.93; + translucentWidgets = false; + panelsAttachedToBar = true; + settingsPanelMode = "attached"; + settingsPanelSideBarCardStyle = false; + }; + location = { + name = "Tokyo"; + weatherEnabled = true; + weatherShowEffects = true; + useFahrenheit = false; + use12hourFormat = false; + showWeekNumberInCalendar = false; + showCalendarEvents = true; + showCalendarWeather = true; + analogClockInCalendar = false; + firstDayOfWeek = -1; + hideWeatherTimezone = false; + hideWeatherCityName = false; + }; + calendar = { + cards = [ + { + enabled = true; + id = "calendar-header-card"; + } + { + enabled = true; + id = "calendar-month-card"; + } + { + enabled = true; + id = "weather-card"; + } + ]; + }; + wallpaper = { + enabled = true; + overviewEnabled = false; + directory = ""; + monitorDirectories = [ ]; + enableMultiMonitorDirectories = false; + showHiddenFiles = false; + viewMode = "single"; + setWallpaperOnAllMonitors = true; + fillMode = "crop"; + fillColor = "#000000"; + useSolidColor = false; + solidColor = 
"#1a1a2e"; + automationEnabled = false; + wallpaperChangeMode = "random"; + randomIntervalSec = 300; + transitionDuration = 1500; + transitionType = [ + "fade" + "disc" + "stripes" + "wipe" + "pixelate" + "honeycomb" + ]; + skipStartupTransition = false; + transitionEdgeSmoothness = 0.05; + panelPosition = "follow_bar"; + hideWallpaperFilenames = false; + useOriginalImages = false; + overviewBlur = 0.4; + overviewTint = 0.6; + useWallhaven = false; + wallhavenQuery = ""; + wallhavenSorting = "relevance"; + wallhavenOrder = "desc"; + wallhavenCategories = "111"; + wallhavenPurity = "100"; + wallhavenRatios = ""; + wallhavenApiKey = ""; + wallhavenResolutionMode = "atleast"; + wallhavenResolutionWidth = ""; + wallhavenResolutionHeight = ""; + sortOrder = "name"; + favorites = [ ]; + }; + appLauncher = { + enableClipboardHistory = false; + autoPasteClipboard = false; + enableClipPreview = true; + clipboardWrapText = true; + enableClipboardSmartIcons = true; + enableClipboardChips = true; + clipboardWatchTextCommand = "wl-paste --type text --watch cliphist store"; + clipboardWatchImageCommand = "wl-paste --type image --watch cliphist store"; + position = "center"; + pinnedApps = [ ]; + sortByMostUsed = true; + terminalCommand = "alacritty -e"; + customLaunchPrefixEnabled = false; + customLaunchPrefix = ""; + viewMode = "list"; + showCategories = true; + iconMode = "tabler"; + showIconBackground = false; + enableSettingsSearch = true; + enableWindowsSearch = true; + enableSessionSearch = true; + ignoreMouseInput = false; + screenshotAnnotationTool = ""; + overviewLayer = false; + density = "default"; + }; + controlCenter = { + position = "close_to_bar_button"; + diskPath = "/"; + shortcuts = { + left = [ + { + id = "Network"; + } + { + id = "Bluetooth"; + } + { + id = "WallpaperSelector"; + } + { + id = "NoctaliaPerformance"; + } + ]; + right = [ + { + id = "Notifications"; + } + { + id = "PowerProfile"; + } + { + id = "KeepAwake"; + } + { + id = "NightLight"; + } + ]; 
+ }; + cards = [ + { + enabled = true; + id = "profile-card"; + } + { + enabled = true; + id = "shortcuts-card"; + } + { + enabled = true; + id = "audio-card"; + } + { + enabled = false; + id = "brightness-card"; + } + { + enabled = true; + id = "weather-card"; + } + { + enabled = true; + id = "media-sysmon-card"; + } + ]; + }; + systemMonitor = { + cpuWarningThreshold = 80; + cpuCriticalThreshold = 90; + tempWarningThreshold = 80; + tempCriticalThreshold = 90; + gpuWarningThreshold = 80; + gpuCriticalThreshold = 90; + memWarningThreshold = 80; + memCriticalThreshold = 90; + swapWarningThreshold = 80; + swapCriticalThreshold = 90; + diskWarningThreshold = 80; + diskCriticalThreshold = 90; + diskAvailWarningThreshold = 20; + diskAvailCriticalThreshold = 10; + batteryWarningThreshold = 20; + batteryCriticalThreshold = 5; + enableDgpuMonitoring = false; + useCustomColors = false; + warningColor = ""; + criticalColor = ""; + externalMonitor = "resources || missioncenter || jdsystemmonitor || corestats || system-monitoring-center || gnome-system-monitor || plasma-systemmonitor || mate-system-monitor || ukui-system-monitor || deepin-system-monitor || pantheon-system-monitor"; + }; + noctaliaPerformance = { + disableWallpaper = true; + disableDesktopWidgets = true; + }; + dock = { + enabled = true; + position = "bottom"; + displayMode = "auto_hide"; + dockType = "floating"; + backgroundOpacity = 1; + floatingRatio = 1; + size = 1; + onlySameOutput = true; + monitors = [ ]; + pinnedApps = [ ]; + colorizeIcons = false; + showLauncherIcon = false; + launcherPosition = "end"; + launcherUseDistroLogo = false; + launcherIcon = ""; + launcherIconColor = "none"; + pinnedStatic = false; + inactiveIndicators = false; + groupApps = false; + groupContextMenuMode = "extended"; + groupClickAction = "cycle"; + groupIndicatorStyle = "dots"; + deadOpacity = 0.6; + animationSpeed = 1; + sitOnFrame = false; + showDockIndicator = false; + indicatorThickness = 3; + indicatorColor = "primary"; 
+ indicatorOpacity = 0.6; + }; + network = { + airplaneModeEnabled = false; + bluetoothRssiPollingEnabled = false; + bluetoothRssiPollIntervalMs = 60000; + networkPanelView = "wifi"; + wifiDetailsViewMode = "grid"; + bluetoothDetailsViewMode = "grid"; + bluetoothHideUnnamedDevices = false; + disableDiscoverability = false; + bluetoothAutoConnect = true; + }; + sessionMenu = { + enableCountdown = true; + countdownDuration = 10000; + position = "center"; + showHeader = true; + showKeybinds = true; + largeButtonsStyle = true; + largeButtonsLayout = "single-row"; + powerOptions = [ + { + action = "lock"; + enabled = true; + keybind = "1"; + } + { + action = "suspend"; + enabled = true; + keybind = "2"; + } + { + action = "hibernate"; + enabled = true; + keybind = "3"; + } + { + action = "reboot"; + enabled = true; + keybind = "4"; + } + { + action = "logout"; + enabled = true; + keybind = "5"; + } + { + action = "shutdown"; + enabled = true; + keybind = "6"; + } + { + action = "rebootToUefi"; + enabled = true; + keybind = "7"; + } + ]; + }; + notifications = { + enabled = true; + enableMarkdown = false; + density = "default"; + monitors = [ ]; + location = "top_right"; + overlayLayer = true; + backgroundOpacity = 1; + respectExpireTimeout = false; + lowUrgencyDuration = 3; + normalUrgencyDuration = 8; + criticalUrgencyDuration = 15; + clearDismissed = true; + saveToHistory = { + low = true; + normal = true; + critical = true; + }; + sounds = { + enabled = false; + volume = 0.5; + separateSounds = false; + criticalSoundFile = ""; + normalSoundFile = ""; + lowSoundFile = ""; + excludedApps = "discord,firefox,chrome,chromium,edge"; + }; + enableMediaToast = false; + enableKeyboardLayoutToast = true; + enableBatteryToast = true; + }; + osd = { + enabled = true; + location = "top_right"; + autoHideMs = 2000; + overlayLayer = true; + backgroundOpacity = 1; + enabledTypes = [ + 0 + 1 + 2 + ]; + monitors = [ ]; + }; + audio = { + volumeStep = 5; + volumeOverdrive = false; + 
spectrumFrameRate = 30; + visualizerType = "linear"; + spectrumMirrored = true; + mprisBlacklist = [ ]; + preferredPlayer = ""; + volumeFeedback = false; + volumeFeedbackSoundFile = ""; + }; + brightness = { + brightnessStep = 5; + enforceMinimum = true; + enableDdcSupport = false; + backlightDeviceMappings = [ ]; + }; + colorSchemes = { + useWallpaperColors = false; + predefinedScheme = "Noctalia (default)"; + darkMode = true; + schedulingMode = "off"; + manualSunrise = "06:30"; + manualSunset = "18:30"; + generationMethod = "tonal-spot"; + monitorForColors = ""; + syncGsettings = true; + }; + templates = { + activeTemplates = [ ]; + enableUserTheming = false; + }; + nightLight = { + enabled = false; + forced = false; + autoSchedule = true; + nightTemp = "4000"; + dayTemp = "6500"; + manualSunrise = "06:30"; + manualSunset = "18:30"; + }; + hooks = { + enabled = false; + wallpaperChange = ""; + darkModeChange = ""; + screenLock = ""; + screenUnlock = ""; + performanceModeEnabled = ""; + performanceModeDisabled = ""; + startup = ""; + session = ""; + colorGeneration = ""; + }; + plugins = { + autoUpdate = false; + notifyUpdates = true; + }; + idle = { + enabled = false; + screenOffTimeout = 600; + lockTimeout = 660; + suspendTimeout = 1800; + fadeDuration = 5; + screenOffCommand = ""; + lockCommand = ""; + suspendCommand = ""; + resumeScreenOffCommand = ""; + resumeLockCommand = ""; + resumeSuspendCommand = ""; + customCommands = "[]"; + }; + desktopWidgets = { + enabled = false; + overviewEnabled = true; + gridSnap = false; + gridSnapScale = false; + monitorWidgets = [ ]; + }; + }; + }; +} From cf8182afd61938a7cc52ba3b3361f8ebe7571226 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:24:19 +0100 Subject: [PATCH 02/11] feat: uncap file size for immich --- hosts/hitsugibune/immich.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index 0c09030..dcf9b7f 100644 
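Review bot: `wallhavenApiKey = "";` in the `wallpaper` block is a credential field inside `programs.noctalia-shell.settings`, and anything set there is committed to this repository and presumably rendered into a store-backed settings file, which is world-readable. It is empty now, so nothing leaks, but a comment such as `# never set here: ends up in the world-readable Nix store; supply via an agenix secret` would stop a later edit from pasting a key in. The same applies to the `hooks.*` and `idle.*Command` strings, which are shell commands run by the shell process. The file also pins every option at what look like upstream defaults (`settingsVersion = 0`); keeping only the values that differ would make later changes to `lockOnSuspend`, `idle.enabled` or the hook commands stand out in review.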
--- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,7 +36,7 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; - extraConfig = "client_max_body_size 50000M;"; # for large video uploads + extraConfig = "client_max_body_size 0;"; }; }; } From fffdc559ab63f0272761384584840b1c4fc23591 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:34:31 +0100 Subject: [PATCH 03/11] feat: bigger files bigger birds --- hosts/hitsugibune/immich.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index dcf9b7f..f7d4fd2 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,7 +36,15 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; - extraConfig = "client_max_body_size 0;"; + extraConfig = """ + client_max_body_size 0; + + # Timeouts for large/slow uploads + proxy_connect_timeout 3600s; + proxy_send_timeout 3600s; + proxy_read_timeout 3600s; + send_timeout 3600s; + """; }; }; } From 53ec53388eeec1a829e1ad971dcf44b59779e4f1 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:35:23 +0100 Subject: [PATCH 04/11] fix: schauer --- hosts/hitsugibune/immich.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index f7d4fd2..1cd18fe 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,7 +36,7 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; - extraConfig = """ + extraConfig = '' client_max_body_size 0; # Timeouts for large/slow uploads @@ -44,7 +44,7 @@ in proxy_send_timeout 3600s; proxy_read_timeout 3600s; send_timeout 3600s; - """; + ''; }; }; } From f4ebd7fe79478c77b3f3a54ff046393ba6fa05f5 Mon Sep 17 00:00:00 2001 
From: s-prechtl Date: Tue, 24 Mar 2026 15:51:07 +0100 Subject: [PATCH 05/11] feat: bigger uploads --- hosts/hitsugibune/immich.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index 1cd18fe..1062d32 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -39,6 +39,8 @@ in extraConfig = '' client_max_body_size 0; + proxy_request_buffering off; + # Timeouts for large/slow uploads proxy_connect_timeout 3600s; proxy_send_timeout 3600s; From 62bb7aa2eab926075b4c11b0d23eaa1ec99ba046 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:54:51 +0100 Subject: [PATCH 06/11] feat: full config from docs --- hosts/hitsugibune/immich.nix | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index 1062d32..2f5cd76 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,17 +36,23 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; + # https://docs.immich.app/administration/reverse-proxy/ extraConfig = '' - client_max_body_size 0; + # allow large file uploads + client_max_body_size 50000M; - proxy_request_buffering off; + # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause) + proxy_request_buffering off; - # Timeouts for large/slow uploads - proxy_connect_timeout 3600s; - proxy_send_timeout 3600s; - proxy_read_timeout 3600s; - send_timeout 3600s; - ''; + # increase body buffer to avoid limiting upload speed + client_body_buffer_size 1024k; + + # Set headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; }; }; } From 357480c8075d9e80585e13b160fbc2ce3a1f8680 Mon Sep 17 00:00:00 2001 
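Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` keeps any X-Forwarded-For value the client sent and appends the peer address, so if this nginx is the first hop from the internet the upstream receives a partly client-controlled list. Which entry the upstream uses for logging or rate limiting depends on its trusted-proxy configuration, which is not visible here; if nothing trusted sits in front of this host, `proxy_set_header X-Forwarded-For $remote_addr;` overwrites the header instead. Separately, if `recommendedProxySettings` is enabled for this nginx (not shown), these four `proxy_set_header` lines would duplicate the ones the module emits, so one of the two sources should go. The enclosing virtual-host definition begins outside the hunk.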
From: s-prechtl Date: Tue, 24 Mar 2026 21:20:11 +0100 Subject: [PATCH 07/11] feat: matrix oidc --- hosts/hitsugibune/matrix.nix | 58 +++++++++++++++++++++++++---------- secrets/matrix-oidc.age | Bin 0 -> 939 bytes secrets/secrets.nix | 1 + 3 files changed, 42 insertions(+), 17 deletions(-) create mode 100644 secrets/matrix-oidc.age diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix index a04de12..2031fc6 100644 --- a/hosts/hitsugibune/matrix.nix +++ b/hosts/hitsugibune/matrix.nix @@ -22,13 +22,19 @@ in { group = "matrix-synapse"; }; + age.secrets.matrix-oidc = { + file = ../../secrets/matrix-oidc.age; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + age.secrets.mautrix-signal = { file = ../../secrets/mautrix-signal.age; owner = "mautrix-signal"; group = "mautrix-signal"; }; age.secrets.mautrix-signal-puppeting = { - file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML + file = ../../secrets/mautrix-signal-puppeting.yaml.age; owner = "mautrix-signal"; group = "mautrix-signal"; mode = "0640"; 
@@ -184,26 +190,44 @@ in { settings.public_baseurl = baseUrl; settings.enable_registration = false; enableRegistrationScript = true; - settings.listeners = [ - { - port = 8008; - bind_addresses = ["::1"]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = ["client" "federation"]; - compress = true; - } - ]; - } - ]; + settings = { + listeners = [ + { + port = 8008; + bind_addresses = ["::1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = ["client" "federation"]; + compress = true; + } + ]; + } + ]; + oidc_providers = [ + { + idp_id = "authentik"; + idp_name = "Authentik"; + issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/.well-known/openid-configuration"; + client_id = "xoTtitlCqRbK9fjl2VAugYdswYGOLUJUzeV1dacc"; + scopes = [ "openid" "profile" "email" ]; + user_mapping_provider.config = { + localpart_template = "{{ user.preferred_username }}"; + display_name_template = "{{ user.name }}"; + }; + } + ]; + }; settings.app_service_config_files = [ "/var/lib/mautrix-signal/double-puppeting.yaml" ]; - extraConfigFiles = [config.age.secrets.matrix.path]; + extraConfigFiles = [ + config.age.secrets.matrix.path + config.age.secrets.matrix-oidc.path + ]; settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"]; settings.turn_user_lifetime = "1h"; }; 
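Review bot: The `oidc_providers` entry carries no `client_secret`, and the secret presumably lives in `matrix-oidc.age` loaded through `extraConfigFiles`; as far as I know Synapse merges config files per top-level key, so a second file that also defines `oidc_providers` replaces this list instead of adding the secret to it. Keeping the non-secret fields here and pointing at the decrypted file with `client_secret_path = config.age.secrets.matrix-oidc.path;` (the age file then holds only the secret and is no longer listed in `extraConfigFiles`) keeps issuer and user-mapping changes reviewable in Git rather than hidden in an encrypted blob. Also, `issuer` ends in `/.well-known/openid-configuration`; Synapse derives the discovery URL from the issuer, so the value should stop at `…/application/o/matrix-synapse/`. The `services.matrix-synapse` block starts outside the hunk.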
diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age new file mode 100644 index 0000000000000000000000000000000000000000..606d7e28e488505ca0cde6a665fa362376a88e80 GIT binary patch literal 939 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP5AezMN>}hq_KfuP z57al#%=PfCGD)+=pB+?5#SzK5K&%bnw4bgQCW~}T<%$AkZG2c z7w(c-84%`C9ub&V5>#5^A5~-=P+^f$Ruok(=#YnUiK#>JboS8W5VH zUs38Fq#bOSo|v2(nC0T>o$ZvD7F6nMgXIku$lv=2rnWOJrlxbA#R^*?o?Ur3$;_g}HQ<&zHmR1x|QOw1qtE;QvS>|tC zaDLGpdIKMW@b>96>OB2Wo*Ia$ndaaOXbuhfg4R0 zX_Z;TyBjQhmRR0& z$+DDLbwSgXMMeDwc5408ulZM(xM*tWZHMV%TV<|hoK9&jP~TVdAggOa7R!CM&i*gE z#ZGgpuvjnRx1V)xp7=J2yDJUC*Q&-o44oKo@~DcQQ0&bMw Date: Tue, 24 Mar 2026 21:43:47 +0100 Subject: [PATCH 08/11] fix: move all oidc stuff to extrafile --- hosts/hitsugibune/matrix.nix | 13 ------------- secrets/matrix-oidc.age | Bin 939 -> 1334 bytes 2 files changed, 13 deletions(-) diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix index 2031fc6..d4dcee0 100644 --- a/hosts/hitsugibune/matrix.nix +++ b/hosts/hitsugibune/matrix.nix @@ -206,19 +206,6 @@ in { ]; } ]; - oidc_providers = [ - { - idp_id = "authentik"; - idp_name = "Authentik"; - issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/.well-known/openid-configuration"; - client_id = "xoTtitlCqRbK9fjl2VAugYdswYGOLUJUzeV1dacc"; - scopes = [ "openid" "profile" "email" ]; - user_mapping_provider.config = { - localpart_template = "{{ user.preferred_username }}"; - display_name_template = "{{ user.name }}"; - }; - } - ]; }; settings.app_service_config_files = [ "/var/lib/mautrix-signal/double-puppeting.yaml" 
diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age index 606d7e28e488505ca0cde6a665fa362376a88e80..5471554b3e1c1225ee88841be72747ad99d98155 100644 GIT binary patch delta 1307 zcmZ3@zKv^wPJKb7WwxnfRI){3Nlk#}a5 zc4DP*p}vd0t64~Co_3~7aX^t-S$R}Zx}{l?Z)8AGlxtF&TNziFi9t}Bvs0F9MVUcb zifcfCW4()8u}@l{vvX->X|7?Kc7>OrXL*2GMS7T{Pq2ShX}*hbR!B&;zjstwaB;dX zm%F>6Z$x&wzE_S(Nq9k?MWt(`wzjulW@cefxSO+Msk?imb6Jj`v2S^4fQeaUNO_)f zimORjdbwF}m}zEt3YTG}t8<~LX=p@#pkY#JT78nIXINTTqPJgqh@+3CwvVSzu6K!3 zWL9uWVWdGtsCTxRNtR!frFNlVg_%oKVTl=+r+@2YN=bE zQ)yCRm_dbwSx}{ShDD)4flEWpJ`%WJy3~rKP7) zq(4_+l%aEavX?=yw^w*sUU-&IxlvTUyGeLpg-KyxQIS(|Rbg6INk~OOdAV^?x_hR6 zm3yvNM3SLLN@#k7XP7e=m#(g^f|GN2V7<3@T4|Z3ds=X4Zc=`QS#nZZri+WEW3aiU ze`-a#hlO)Mm_d4QK39fM?-r-d^b@_BOK1IPsh$uym64t2O7|Xrt$3g_SSjx7DR~aze}Y*u&TE%GzjD@c zd8nhZ@)xg8bnV}DoqyCCC%8?%FO>6b${Ue`Z8Dbix&{qAd;OxXt@wZT!-4e1!uaUy z#J@%Lry1O=vfsX29ezK5$}eq!_V*48EiQak4u7zVZCe}1sm82@_on;2pI5St>F#FH zOx{-CNzZP0Uw^&teFpa)rTuf=_1rGFsBB$kvt#jl9tV@M>GQV6E|QCweNueoR_3nw z9=oOT67o`oL0t7$%vTrg5Dto8aCpI&{m&MZNU0odeOY+!wU}>0I#qJLn*=EhsK6Q6PBiqsiN6-JVE@nEIVw&*Uz*}+g(%8m* zto^xsN{qi{q$i3N2XkIOp=|8=L1H(%-b3ptTV7@6S3h|EG}G=dYkg~aTlkx-r{9)m z#ME`4x#-DU;&VYh@K})jalOfJUP!;petY$4+*GElutSQfjpg5pCY_dJtlRkdfY+(y z%9S_FShdwA#mBSE+QoY&ZLdbr#B9^X(zQl^-_CioV{&G(cBX!$Pf&h_ zd2xg_%=R+6blWkI%axo4F@rdd{AxJzbbK$u5)L||S?P-%&ORFQE&g+)qPQFuuZ zS46m5S&nx|rIA5WnYW{XlZT&CMrL?+X=rXpwy8&9NJ&I;U|ykHiix*zUPy+yV~Sg8 zctmQdfm^<#Z$wJDIaf+SSyrK+Sy8y3rF&#{V!gkGTWO%aYjRYoL71CSKt^y*eu-0Q zT9QXdL1~6(a8Ol{xqfACaDIMCMtN9PepDG(L}XBKvWa)Fw^vYPUZQqNXi%8Bc6N|| zR$56)Mp#goftPQFvzt$7pm|1Oa8OxgK&gvUd0M!Kxv58Z~Amsz=EfN_O(X}WV& zR=snPvzNQGenf7zb7fANS*b@rlxaX{hJHnS-xS2nT4yjzIK3i zplg_!L0ML?QCgO<1(zek!;&qPQm6w(AKz_o&s7RmlMPSI z*JzvFUG+VfXGykI?meAIvokV2ayxGG{)(8h^w!LXjxUSC-KPX-#>UKa_O87CIV1Rt zTK!)~eopHXy)R_Ke4pQSt$UlN8_RQBVtLag%Ti|51x;HP74;w3sr664=3ianqN$~~ z9j1$ImARU6I;FWleP7XotgZ=JEce+u`@ifKJI$@aV!eppe%85p;@c$dt~3Z=s~Y<- sbYj5Cqbhnru{ST=miThW%l~QP`6WyDu}`}3;Ng;GY{rk4o5^MY07ySikpKVy 
From 07f653908b6a599daed74e282835c5954f57b776 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 21:54:20 +0100 Subject: [PATCH 09/11] feat: oidc matrix --- hosts/hitsugibune/matrix.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix index d4dcee0..b40ab61 100644 --- a/hosts/hitsugibune/matrix.nix +++ b/hosts/hitsugibune/matrix.nix @@ -182,15 +182,16 @@ in { services.matrix-synapse = { enable = true; - settings.server_name = config.networking.domain; + extras = [ "oidc" ]; # The public base URL value must match the `base_url` value set in `clientConfig` above. # The default value here is based on `server_name`, so if your `server_name` is different # from the value of `fqdn` above, you will likely run into some mismatched domain names # in client applications. - settings.public_baseurl = baseUrl; - settings.enable_registration = false; - enableRegistrationScript = true; settings = { + server_name = config.networking.domain; + public_baseurl = baseUrl; + enable_registration = false; + enableRegistrationScript = true; listeners = [ { port = 8008; @@ -206,6 +207,7 @@ in { ]; } ]; + log_level = "DEBUG"; }; settings.app_service_config_files = [ "/var/lib/mautrix-signal/double-puppeting.yaml" From d915a3fe2d67ecca5b22f9c8087931782edbfbac Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 21:57:35 +0100 Subject: [PATCH 10/11] fix: issuer url format --- secrets/matrix-oidc.age | Bin 1334 -> 1302 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
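Review bot: `enableRegistrationScript = true;` has moved inside `settings = { … }`, but it is an option of the `services.matrix-synapse` module, not a homeserver setting; inside the freeform `settings` it is written to the generated homeserver config as an unknown key, and the module option silently falls back to its default. Move it back one level, next to `extras = [ "oidc" ];`. The comment about the public base URL now sits above `settings = {` and not above the key it describes; moving it down to `public_baseurl = baseUrl;` keeps it accurate. The `services.matrix-synapse` block continues outside the hunk.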
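Review bot: `log_level = "DEBUG";` in the second hunk looks like a leftover from bringing up OIDC. Synapse normally takes its log levels from the file named by `log_config`, so this key is probably ignored; if it does take effect through some path, debug logging on a homeserver handling SSO logins can put login-flow detail and user identifiers into the journal. Either drop the line before merging or, if verbose logs are needed for a while, set them through the logging configuration and mark it with `# TODO: revert to INFO after OIDC bring-up`.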
diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age index 5471554b3e1c1225ee88841be72747ad99d98155..7523d8ecb02913d08e5fc84a29092fba70b1008d 100644 GIT binary patch delta 1274 zcmdnSHH~Y6PJM-ii&;rvK!ICQfuU1=VO5HkNuF_4n3-9gPr0j;OHo>>VQ#8(UPw}g z0hd{@b9zCJPexdfBunSjcqNQU|xsP$0yK$9U zhM#djX1%syRg_1Pxo@^fwxf$*Ze*mhUrCm~uTP3svR^^2Wm$=Na+C_g}+Ip zOL}0wi%UsnwqcT+t3|4hm$8MVzDbFZzh5qwcT`DwQJz;+sb6JOjzzYapHHNIMNqJd ze|UIGM!2z8g`Y)Xq@hQiuU~43k(s|~c!s-kVwGW1NV!LTvb&!)S9q9vplf-aYoM=3 zRlQF|SZQijRB(E7j=Q6;n^9Vzn?Y#4e|nHta!Ej*Q+bBBwp(d(KwxNkn6b8TWJpL+ zN-zd@L1PH{zcg;_>GaEgAeMQBlkv0JWtwqICad9ij;iK~IJahgS$ zL1lq&hH;Q%s%fFVfpaJqm#(g^g1eD_YQ0;gTa;0$Q=ms;u9=@%l2KHuSz1*@xIwl@ zu5X2DpsQnEdZk}QAlIHFndNtdR^+gJU-F|gX6Ff^ry7x_Sz9Ju3S3mp>$mUBrm2n7 z>e(OdnHOK=ksa^5bz@cMHR+p|G<(HmUrxH{EjIOSh1sk*w+_@6miqZDELxI!H~7ib zlg{v!>sTdDP-*x#o7?t# z2it+$JH59Q>zg+gZqbZdDL3iS!jDh2&*tadw3<1qrJ+9e_Uj{?f9Aeh{OpGK-|bH) zzt3*}eX2WqrpwEM-El7ua8Fq4KbzyG%F%J~rxOq{o z=Dw9d0)9Tbx8Hm@t4;Xa1GBDe`D@opr%HuSU%aE|q+ht|hs&MiJi$#>g4TcPPgdUE zv&U0&p&ZYgGwq)ljoItX8?Vhwd2S{!$8?!Y==$VMKANG*)k2q8gpSExP*W*u<-ePk z+G@Av<&}A<$(wc-ODCi#@pvuijX3!!?v?clo!N)1Z*eg=-1c}Z6u-%P>tXLrE%Wbw z$(QOp5wdum<;mmmg_|yIHaq@w`m-5dy}iF=YtB4h^=6h*P`{YJOq3KSUiq1c!+{5}VA71~u?4*)Cv&}|t{k9!1 zKh9p5Io0y>^I5x`&V`6Qs*%_AZ&0&yj!V{cuCj4DIs11-(AMM9;%j&O>%1B_dG?vv QR+jzDcFUicDKokN04WX+`v3p{ delta 1307 zcmbQnwT)|nPJKb7WwxnfRI){3Nlk#}a5 zc4DP*p}vd0t64~Co_3~7aX^t-S$R}Zx}{l?Z)8AGlxtF&TNziFi9t}Bvs0F9MVUcb zifcfCW4()8u}@l{vvX->X|7?Kc7>OrXL*2GMS7T{Pq2ShX}*hbR!B&;zjstwaB;dX zm%F>6Z$x&wzE_S(Nq9k?MWt(`wzjulW@cefxSO+Msk?imb6Jj`v2S^4fQeaUNO_)f zimORjdbwF}m}zEt3YTG}t8<~LX=p@#pkY#JT78nIXINTTqPJgqh@+3CwvVSzu6K!3 zWL9uWVWdGtsCTxRNtR!frFNlVg_%oKVTl=+r+@2YN=bE zQ)yCRm_dbwSx}{ShDD)4flEWpJ`%WJy3~rKP7) zq(4_+l%aEavX?=yw^w*sUU-&IxlvTUyGeLpg-KyxQIS(|Rbg6INk~OOdAV^?x_hR6 zm3yvNM3SLLN@#k7XP7e=m#(g^f|GN2V7<3@T4|Z3ds=X4Zc=`QS#nZZri+WEW3aiU ze`-a#hlO)Mm_d4QK39fM?-r-d^b@_BOK1IPsh$uym64t2O7|Xrt$3g_SSjx7DR~aze}Y*u&TE%GzjD@c 
zd8nhZ@)xg8bnV}DoqyCCC%8?%FO>6b${Ue`Z8Dbix&{qAd;OxXt@wZT!-4e1!uaUy z#J@%Lry1O=vfsX29ezK5$}eq!_V*48EiQak4u7zVZCe}1sm82@_on;2pI5St>F#FH zOx{-CNzZP0Uw^&teFpa)rTuf=_1rGFsBB$kvt#jl9tV@M>GQV6E|QCweNueoR_3nw z9=oOT67o`oL0t7$%vTrg5Dto8aCpI&{m&MZNU0odeOY+!wU}>0I#qJLn*=EhsK6Q6PBiqsiN6-JVE@nEIVw&*Uz*}+g(%8m* zto^xsN{qi{q$i3N2XkIOp=|8=L1H(%-b3ptTV7@6S3h|EG}G=dYkg~aTlkx-r{9)m z#ME`4x#-DU;&VYh@K})jalOfJUP!;petY$4+*GElutSQfjpg5pCY_dJtlRkdfY+(y z%9S_FShdwA#mBSE+QoY&ZLdbr#B9^X(zQl^-_Cio Date: Tue, 24 Mar 2026 22:30:17 +0100 Subject: [PATCH 11/11] feat: samc --- secrets/matrix-oidc.age | Bin 1302 -> 1330 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age index 7523d8ecb02913d08e5fc84a29092fba70b1008d..83ecc9cb6ef12638d5d62f2ed45252f56b20ab69 100644 GIT binary patch delta 1303 zcmbQnwTWwjPJKjVqPbI)pI5R^YNA`ZWq?6eSXG(6e{oqrxoLP*hGU+mS7b_Ixx1gc z0hdQ$TA*KqpPRQ~pkUR7p56j!-ph_jDNs9{i^vtdbjxr>i~mZ`s?xl2k} zewvF{dYWO9shhuPeuaOTZ)IUhYLa_#g-fPaU~pb>PLi8>jyG44qi14hVN$q$h<;F7 zfp2h>Z@sZ)Xi>Pnx3O2MV@RTZhEYmoo_ADKxND$KN?t^XacHQ%kC%RAlyjhCd5KRp zm%eM6Q(#$oZg#49O1M#FWQ0L*vSnaYS!#$^cu7c*UrA(^t5I3Hv#D`qNshLcXMuN$ zXF#}qQI>XDN|vc>3YTYiXkvw>rDuU}iicy4N4=A&qj!0fcdk#We?gL)Z-$q*vq7P@ zzp<}dPH0N5o403VUU^AasZp+JRJe9QRFXEAXGDQza7tF7iA#xvWpap_g;|M5x~q1& zM`c+?c~quHuAfVim$#3;v1z4qM7ft|innWcR;CK|rZ~dSHlQUSvg3 zPuSJm#(g^f_qkkbG@m1Xt;%TQd)tjSCWx-MpdSfW0YTMTAHUp zNO@>#rB7mLpkruxIoGY5B^#BOo=!Y<$;4pob7z*ekW=}oqjVADzU)Hk`aVw9tHq)l(7sPgiaO%&w(ey4}$M#lU0 z_roFvj=}2!r(V|~-$|o9V$DB+;B_o#GJ-Z6 zKKbEF=Q%@&q=&uVk!*}}Ou zx@{tor#_HcE!loL%df5F@@ajMeQ%gOC#<=4kB|ALsqi{pu1>R-$#>rzisYzb7mQeS z$E`}k>>ArO#_03)NyQuV7U-oX?Fbg!<3204e?m>ta{u;MFPs)GbPzuFeM|Os<708n z*ETiysw%r!_sKch{4ch6;(z14cB)U)w!ep8CD)|rs)ngcJ1ZsD?%rm9w))kphkJfx zhaC9Gaa=U>eAl-x3FlJv#Hu#fUwiJ#dsF-WnV+_4QH^ODpRc|@&stx2V#akJU6v+& zPva$aQ~xUbetD;NZ_RDH^!Z}Pw>VQ#8(UPw}g z0hd{@b9zCJPexdfBunSjcqNQU|xsP$0yK$9U zhM#djX1%syRg_1Pxo@^fwxf$*Ze*mhUrCm~uTP3svR^^2Wm$=Na+C_g}+Ip zOL}0wi%UsnwqcT+t3|4hm$8MVzDbFZzh5qwcT`DwQJz;+sb6JOjzzYapHHNIMNqJd ze|UIGM!2z8g`Y)Xq@hQiuU~43k(s|~c!s-kVwGW1NV!LTvb&!)S9q9vplf-aYoM=3 zRlQF|SZQijRB(E7j=Q6;n^9Vzn?Y#4e|nHta!Ej*Q+bBBwp(d(KwxNkn6b8TWJpL+ zN-zd@L1PH{zcg;_>GaEgAeMQBlkv0JWtwqICad9ij;iK~IJahgS$ zL1lq&hH;Q%s%fFVfpaJqm#(g^g1eD_YQ0;gTa;0$Q=ms;u9=@%l2KHuSz1*@xIwl@ zu5X2DpsQnEdZk}QAlIHFndNtdR^+gJU-F|gX6Ff^ry7x_Sz9Ju3S3mp>$mUBrm2n7 z>e(OdnHOK=ksa^5bz@cMHR+p|G<(HmUrxH{EjIOSh1sk*w+_@6miqZDELxI!H~7ib zlg{v!>sTdDP-*x#o7?t# z2it+$JH59Q>zg+gZqbZdDL3iS!jDh2&*tadw3<1qrJ+9e_Uj{?f9Aeh{OpGK-|bH) zzt3*}eX2WqrpwEM-El7ua8Fq4KbzyG%F%J~rxOq{o z=Dw9d0)9Tbx8Hm@t4;Xa1GBDe`D@opr%HuSU%aE|q+ht|hs&MiJi$#>g4TcPPgdUE 
zv&U0&p&ZYgGwq)ljoItX8?Vhwd2S{!$8?!Y==$VMKANG*)k2q8gpSExP*W*u<-ePk z+G@Av<&}A<$(wc-ODCi#@pvuijX3!!?v?clo!N)1Z*eg=-1c}Z6u-%P>tXLrE%Wbw z$(QOp5wdum<;mmmg_|yIHaq@w`m-5dy}iF=YtB4h^=6h*P`{YJOq3KSUiq1c!+{5}VA71~u?4*)Cv&}|t{k9!1 zKh9p5Io0y>^I5x`&V`6Qs*%_AZ&0&yj!V{cuCj4DIs11-(AMM9;%j&O>%1B_dG?vv QR+jzDcFUicDKokN02L+=_W%F@