From 72d9a66b4f05a9c46f3ff17dfe6845f11672f855 Mon Sep 17 00:00:00 2001
From: DerGrumpf
Date: Fri, 15 May 2026 11:06:51 +0200
Subject: [PATCH] Added SSO to synapse
---
 nixos/roles/matrix/synapse.nix | 34 ++++++++++++++++++++++++----------
 secrets/secrets.yaml | 5 +++--
 2 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/nixos/roles/matrix/synapse.nix b/nixos/roles/matrix/synapse.nix
index 4194074..bf8b498 100644
--- a/nixos/roles/matrix/synapse.nix
+++ b/nixos/roles/matrix/synapse.nix
@@ -38,6 +38,10 @@ in
 owner = "postgres";
 group = "postgres";
 };
+ kanidm_synapse_secret = {
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
 };
 services = {
@@ -60,14 +64,6 @@ in
 }
 ];
 };
-#experimental_features = {
-# msc3266_enabled = true;
-# msc3779_enabled = true;
-# msc3401_enabled = true;
-# msc4143_enabled = true;
-# msc4195_enabled = true;
-# msc4222_enabled = true;
-#};
 rc_login = {
 address = {
@@ -117,11 +113,30 @@ in
 }
 ];
 enable_metrics = true;
+
+ oidc_providers = [
+ {
+ idp_id = "kanidm";
+ idp_name = "Kanidm";
+ issuer = "https://auth.cyperpunk.de/oauth2/openid/synapse";
+ client_id = "synapse";
+ client_secret_path = config.sops.secrets.kanidm_synapse_secret.path;
+ scopes = [
+ "openid"
+ "profile"
+ "email"
+ ];
+ allow_existing_users = true;
+ user_mapping_provider.config = {
+ localpart_template = "{{ user.preferred_username }}";
+ display_name_template = "{{ user.displayname }}";
+ };
+ }
+ ];
 };
 };
 nginx.virtualHosts = {
- # Matrix homeserver
 "cyperpunk.de" = {
 forceSSL = true;
 enableACME = true;
@@ -184,7 +199,6 @@ in
 authentication = lib.mkAfter ''
 host replication replicator 100.0.0.0/8 scram-sha-256
 '';
-
 };
 prometheus.exporters.postgres = {
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 895789d..ebaa6d0 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
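Review bot: `allow_existing_users = true;` in the new `oidc_providers` entry lets an SSO login take over any pre-existing local Matrix account whose localpart equals the IdP-supplied `preferred_username`, so control over existing accounts is now delegated to whoever can assign usernames in Kanidm; that is the usual migration setting, but it should either be paired with disabling password login (`password_config.enabled = false;`, not visible in this hunk, so confirm whether it is set elsewhere in the file) or flipped back to the default `false` once existing users have linked, and the intent recorded next to it, e.g. `# Migration aid: bind SSO logins to existing local accounts by localpart; drop once all users have logged in via Kanidm.` A second caveat for `localpart_template`: Kanidm, as far as I recall, returns `preferred_username` as the full SPN (`user@domain`) unless the OAuth2 client has `prefer_short_username` set, and `@` is not valid in a Matrix localpart, so mapping would fail unless that Kanidm-side flag is on — the Kanidm client config is not in this repo view, so a comment stating that dependency would save the next person a confusing login error. The `email` scope is requested but no `email_template` is set, which (if I read Synapse's defaults correctly) means no address is attached to the account; either drop the scope or add `email_template = "{{ user.email }}";`. The enclosing `services.matrix-synapse.settings` block starts and ends outside the hunk.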
@@ -4,6 +4,7 @@ smb_passwd: ENC[AES256_GCM,data:+9RYomcnCZSME5DzuJWTLbS3IGJHhIYWZ5SmsgOn6YQ=,iv: grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds0adfgYetN852G25Z8/g=,iv:uWuwGBZVK1syhEfO9nLZUWwa801759tNJx+Pmnz3xeg=,tag:X6/NcdGZHAdIlOwxNPo/Ew==,type:str] matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str] matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str] +kanidm_synapse_secret: ENC[AES256_GCM,data:F770siYcYLm3RAQ+3epfVTyp5mv0OJfiOdFiHD8CudjceNkkSuXIX7pxQYkhS3VY,iv:hqYMKLS5m+o3leFE0gBS05Npjy9uyqgSe7yJpPzxvQY=,tag:lLjVZ7/iYoIZh06VyF8zSw==,type:str] vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9yamwDV7cTSRRp3n3O2VjDKTcI5Vo6RP2QUjcqUqYf98cZ09wDMc+6+oHHJke7+O0FgRgOC0vOQFs4bfZCBJBLxogrGiwtLGkyykR6VYhrT64AN3CbrXflj82OED2Hl8WwEdruBzGIcfnh6FqQowDx6vDR/kXXJHk=,iv:PJQo5V7FaKPQ+GzZNsy3KB+xyjcDKJ1UBHErrqgn/1U=,tag:BRIDJEDOAeToqio/DHMQaA==,type:str] flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str] flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str] 
@@ -32,7 +33,7 @@ sops: N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-09T09:12:42Z" - mac: ENC[AES256_GCM,data:sTVJcBb8cBzixOBQNlx44/m8W3smfwP5fhmnm9hlr5iwMuPJ7JeKTUqqlQaeL4RX/MpEuLc+Rm4thromJ11M/aA5yiqgWOY7vn8xYPoScGzx6HfV1cRJTofmrWmpxrDICQULwOaO+c8vwFBPy7fVqF/AacRtejx5sEOxsMzrYR8=,iv:/Fc5//8coI/rdQIyGcxCTgXPzOS9xNd0ChDHNs4yffw=,tag:8w6bbZcWMBZQWkujhXQY0w==,type:str] + lastmodified: "2026-05-15T09:03:17Z" + mac: ENC[AES256_GCM,data:1rSwkArJPxLpyatnp+EJDX4//B7aWUScfM5u0XEQlWeKWjHPYxvZ7b2Vvqx8RFJcWp3QgqQf3f+Mp2DmuDdxAuK94XxHIRk3c1bimKeNrCBPZqQkTjJH8tyklrW1Grob7Xi82GXhk96/s0bTzU58uSdvJXGReYraqvnAuitehPY=,iv:JsImUF/7zQCmIRz34LEOJStL2kAqw8QcARE5eHGsGyU=,tag:8CpmWPVozDPTyNwhoZqC9A==,type:str] unencrypted_suffix: _unencrypted version: 3.12.2