From 13697bfc51a80ae4aa5fd055a87eaba1da797feb Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 3 Nov 2025 15:22:55 +0000
Subject: [PATCH 1/5] ops(secrets): set secret "synapse/oidc_id" for machine "ulmo"
---
 systems/x86_64-linux/ulmo/secrets.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml
index 250b1af..b241d67 100644
--- a/systems/x86_64-linux/ulmo/secrets.yml
+++ b/systems/x86_64-linux/ulmo/secrets.yml
@@ -6,7 +6,7 @@ zitadel:
 forgejo:
 action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str]
 synapse:
- oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str]
+ oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str]
 oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str]
 sops:
 age:
@@ -28,7 +28,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-30T20:58:01Z"
- mac: ENC[AES256_GCM,data:7vQ5wV58UNUH5bOgyUxaifAbU3GTqZi2gH+rpAR+d/31rx8yeKVNMj0aWA5ianpUvVt2kbaap6Aj+Sxl3M8wI9jtg2o/3FmR+xEHEWgQ/jw1q9zvKIAUV6SeM1Hg639iV3xcC8F8U+Xy50H85f4B3XQWGJMnUamqH9LYrUjv8nY=,iv:vOGvilRSrPZW3uir1nwlxzhg+hXE5yw6r8vCr5Cxmt0=,tag:X9OYdCPuDz3o5kYLUKHmXg==,type:str]
+ lastmodified: "2025-11-03T15:22:54Z"
+ mac: ENC[AES256_GCM,data:VCZ394QncfeahWhVb08LUUIyGP0XdRkuH+uXij1SF3r9yiNZPS97oDCacoqZ7qZZ0/0jvcPBWp0HuYqLobIT0ACuhndN7nKHo5xZqlVa/nXqclvXU4iXWoqfhFs8vO5eAX+8gOhtTzJxfJF8CXzG4k2NG/wAgoyPWlJP8McnXkk=,iv:/Bkid1GN9o43eEyLokY3TeXOgG05GHKkcVu7D+dXX2g=,tag:4b3U+vTSexPuQHuqNVHACA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From 7125d8d375f542cb5acd0ec4b6d4ff8c06c3f558 Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 3 Nov 2025 15:23:12 +0000
Subject: [PATCH 2/5] ops(secrets): set secret "synapse/oidc_secret" for machine "ulmo"
---
 systems/x86_64-linux/ulmo/secrets.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml
index b241d67..0222f74 100644
--- a/systems/x86_64-linux/ulmo/secrets.yml
+++ b/systems/x86_64-linux/ulmo/secrets.yml
@@ -7,7 +7,7 @@ forgejo:
 action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str]
 synapse:
 oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str]
- oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str]
+ oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str]
 sops:
 age:
 - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
@@ -28,7 +28,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-03T15:22:54Z"
- mac: ENC[AES256_GCM,data:VCZ394QncfeahWhVb08LUUIyGP0XdRkuH+uXij1SF3r9yiNZPS97oDCacoqZ7qZZ0/0jvcPBWp0HuYqLobIT0ACuhndN7nKHo5xZqlVa/nXqclvXU4iXWoqfhFs8vO5eAX+8gOhtTzJxfJF8CXzG4k2NG/wAgoyPWlJP8McnXkk=,iv:/Bkid1GN9o43eEyLokY3TeXOgG05GHKkcVu7D+dXX2g=,tag:4b3U+vTSexPuQHuqNVHACA==,type:str]
+ lastmodified: "2025-11-03T15:23:12Z"
+ mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From 7100d1c59c1b73dca6d6e0f67ef205c79fe0fb2c Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Mon, 3 Nov 2025 16:33:08 +0100
Subject: [PATCH 3/5] restart synapse when secrets change
---
 modules/nixos/services/communication/matrix/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix
index 2d9ecd5..f84c002 100644
--- a/modules/nixos/services/communication/matrix/default.nix
+++ b/modules/nixos/services/communication/matrix/default.nix
@@ -187,6 +187,7 @@ in
 client_id: '${config.sops.placeholder."synapse/oidc_id"}'
 client_secret: '${config.sops.placeholder."synapse/oidc_secret"}'
 '';
+ restartUnits = [ "matrix-synapse.service" ];
 };
 };
 };
From 8104ba7e932d028a0a3beba6047cc4fecf8bb451 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Mon, 3 Nov 2025 16:36:19 +0100
Subject: [PATCH 4/5] feat(zitadel): change the default value of the username to the key instead of the email. This should ensure that binding to the apps goes more smoothly
---
 modules/nixos/services/authentication/zitadel/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index 917bde4..7540e2f 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -165,10 +165,10 @@ in
 userName = mkOption {
 type = types.nullOr types.str;
- default = cfg.organization.${org}.user.${username}.email;
- example = "someone@some.domain";
+ default = username;
+ example = "some_user_name";
 description = ''
- Username. Default value is the user's email, you can overwrite that by setting this option
+ Username. Default value is the key of the config object you created, you can overwrite that by setting this option
 '';
 };
From 5668e1048da9153d17336616c8bcc93fe4ad1911 Mon Sep 17 00:00:00 2001
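Review bot: The added `restartUnits` line has no comment, and its reason — presumably that synapse reads the rendered OIDC config only at startup, so the rotated client id and secret from patches 1 and 2 would otherwise not take effect until a manual restart — is not obvious from the line itself; suggest `# synapse only reads the rendered OIDC config at startup; restart it when these secrets change` directly above `restartUnits = [ "matrix-synapse.service" ];`. Separately, the unchanged context lines splice the placeholders into single-quoted YAML scalars, so a rotated value containing a `'` would produce an unparsable template; that predates this change, but is worth a note next to the template or a quoting-aware helper. The enclosing sops template attribute set starts outside the hunk.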
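Review bot: Changing the `userName` default from the user's email to the attribute key `username` silently changes the login identity of every user that does not set `userName` explicitly; if the provisioning code (not visible here) matches existing Zitadel users by userName, accounts created under the old email default may be recreated or left orphaned on the next activation, so a migration remark belongs in the option description or the commit message. The removed default shows `username` is the attribute-name binding in scope, so the new default itself is sound, but the new description is vaguer than it needs to be; suggest `Username. Defaults to the attribute name of this user in the organization's user set; set this option to override it.` The enclosing `mkOption` submodule starts and ends outside the hunk.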
From: Chris Kruining
Date: Mon, 3 Nov 2025 16:47:09 +0100
Subject: [PATCH 5/5] chore: create temporary extra user in zitadel
---
 systems/x86_64-linux/ulmo/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index 0c8a67b..7657eac 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@@ -53,6 +53,12 @@
 roles = [ "ORG_OWNER" ];
 instanceRoles = [ "IAM_OWNER" ];
 };
+
+ kaas = {
+ email = "chris+kaas@kruining.eu";
+ firstName = "Kaas";
+ lastName = "Kruining";
+ };
 };
 project = {
@@ -72,6 +78,7 @@
 assign = {
 chris = [ "jellyfin" "jellyfin_admin" ];
+ kaas = [ "jellyfin" ];
 };
 application = {
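Review bot: The new `kaas` user is described as temporary only in the commit message, so nothing in the configuration will remind anyone to remove it; suggest `# TODO: temporary account added 2025-11-03, remove when no longer needed` directly above `kaas = {`. The entry is declared without `roles` or `instanceRoles`, unlike the `chris` entry above it, and the second hunk assigns it only `"jellyfin"` rather than `"jellyfin_admin"`, which is the right least-privilege shape for a throwaway account. Because the `email` is a plus-addressed alias of the owner's own address, any notifications or resets for this account land in the owner's mailbox; fine for a temporary user, but worth stating in the same comment. The enclosing `user` attribute set starts outside the hunk.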