matrix sops

2025-12-19 13:02:58 -06:00
parent 05486efb75
commit ba446f408a
2 changed files with 249 additions and 224 deletions
--- a/modules/nixos/services/matrix/default.nix
+++ b/modules/nixos/services/matrix/default.nix
@@ -13,11 +13,56 @@ let
    description = "config";
    options = { };
    moduleConfig = {
+      sops = {
+        secrets = {
+          "jallen-nas/matrix/client-id" = {
+            sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+            owner = "matrix-synapse";
+            group = "matrix-synapse";
+          };
+          "jallen-nas/matrix/client-secret" = {
+            sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+            owner = "matrix-synapse";
+            group = "matrix-synapse";
+          };
+        };
+        templates = {
+          "matrix-authentik.yaml" = {
+            owner = "matrix-synapse";
+            group = "matrix-synapse";
+            restartUnits = [ "matrix-synapse.service" ];
+            content = ''
+              oidc_providers:
+                - idp_id: authentik
+                  idp_name: authentik
+                  discover: true
+                  issuer: https://authentik.mjallen.dev/application/o/matrix/
+                  client_id: ${config.sops.placeholder."jallen-nas/matrix/client-id"}
+                  client_secret: ${config.sops.placeholder."jallen-nas/matrix/client-secret"}
+                  scopes:
+                    - openid
+                    - profile
+                    - email
+                  user_mapping_provider:
+                    config:
+                      localpart_template: "{{ user.preferred_username }}"
+                      display_name_template: "{{ user.preferred_username|capitalize }}"
+                  allow_existing_users: true
+            '';
+          };
+        };
+      };
+
      services.matrix-synapse = {
        enable = true;
        dataDir = "${cfg.configDir}/matrix-synapse";
        configureRedisLocally = true;
        enableRegistrationScript = true;
+        extras = [
+          "oidc"
+          "redis"
+        ];
+        extraConfigFiles = [ config.sops.templates."matrix-authentik.yaml".path ];
        settings = {
          server_name = "mjallen.dev";
          public_baseurl = "https://matrix.mjallen.dev";
@@ -44,29 +89,6 @@ let
            }
          ];

-          oidc_providers = [
-            {
-              idp_id = "authentik";
-              idp_name = "authentik";
-              discover = true;
-              issuer = "https://authentik.mjallen.dev/application/o/matrix/";
-              client_id = "KiChwyQn2kMtXU6LU0x3dlCb0jO6VB6e9xsN9NPs"; # TO BE FILLED
-              client_secret = "6XRfNCUayZqnyaMv0QSEeFz98x2y8BkXnDyylmvAbg71YkQVtpEybP6jmPzncpJsx4k5evtziicgu8p9dOa2oADHL6Ao13643VMTsI4BSel1sbIICA2TH755BpB9J39A"; # TO BE FILLED
-              scopes = [
-                "openid"
-                "profile"
-                "email"
-              ];
-              user_mapping_provider = {
-                config = {
-                  localpart_template = "{{ user.preferred_username }}";
-                  display_name_template = "{{ user.preferred_username|capitalize }}"; # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
-                };
-              };
-              allow_existing_users = true;
-            }
-          ];
-
          # Database configuration
          database = {
            name = "psycopg2";
--- a/secrets/nas-secrets.yaml
+++ b/secrets/nas-secrets.yaml