TL;DR: Matrix & Nextcloud setup (geek warning)

This is the BARE minimum of the specific configuration of my setup. Read the detailed setup post here.

Synapse

Synapse runs locally on port 8008 and is served on matrix.sspaeth.de. The only change needed is to set up MAS as the OIDC server. I put the following in a separate OIDC.yaml file in the conf.d subdirectory of my Synapse config:

experimental_features:
  msc3861:
    enabled: true
    issuer: https://auth.sspaeth.de/
    # Matches the `client_id` in the MAS config
    client_id: 00000000000000000SYNAPSE00
    # Matches the `client_auth_method` in the MAS config
    client_auth_method: client_secret_basic
    # Matches the `client_secret` in the MAS config
    client_secret: 1234CLIENTSECRETHERE56789
    # Matches the `matrix.secret` in the MAS config
    admin_token: 0x97531ADMINTOKENHERE13579

MAS

MAS runs locally on port 8080 and is served on auth.sspaeth.de. Below are the snippets that I either added to config.yaml or where I modified its defaults.

# Set up the client talking to Synapse.
clients:
  - client_id: 00000000000000000SYNAPSE00
    client_auth_method: client_secret_basic
    client_secret: 1234CLIENTSECRETHERE56789
    redirect_uris:
      - https://openidconnect.net/callback
# Tell MAS about Synapse and how to talk locally to it:
matrix:
  homeserver: sspaeth.de
  secret: 0x97531ADMINTOKENHERE13579
  endpoint: http://localhost:8008/

This should be OK for local password auth through MAS, but the next section is what I added to configure Nextcloud as an upstream OIDC provider:

upstream_oauth2:
  providers:
  - id: 01B2BSNY1QVVS9ZG3JTVDHNYYE
    # Note, above value is used in the Nextcloud config in the Redirection URI
    human_name: Nextcloud
    issuer: "https://cloud.sspaeth.de"
    client_id: "THISISMYLONGANDSECRETNEXTCLOUDCLIENTID" # needs to be configured in the Nextcloud OIDC settings
    client_secret: "THISISMYLONGANDSECRETNEXTCLOUDCLIENTSECRET" # needs to be configured in the Nextcloud OIDC settings
    token_endpoint_auth_method: "client_secret_post"
    scope: "openid profile email"
    claims_imports:
      localpart:
        action: require
        template: "{{ user.preferred_username }}"
      displayname:
        action: suggest
        template: "{{ user.name }}"
      email:
        action: suggest
        template: "{{ user.email }}"
        set_email_verification: import
# Only allow upstream IdP, no local passwords
passwords:
  enabled: false

Nextcloud

The OpenID Connect app/plugin adds a central config option, OpenID Connect clients, in which I have set:

Name: auth.sspaeth.de
# Redirect URI uses the upstream_oauth2->providers->id value from my MAS config
Redirection URI: https://auth.sspaeth.de/upstream/callback/01B2BSNY1QVVS9ZG3JTVDHNYYE
Client Identifier: THISISMYLONGANDSECRETNEXTCLOUDCLIENTID
Secret: THISISMYLONGANDSECRETNEXTCLOUDCLIENTSECRET
Signing Algorithm: RS256
Type: confidential
Flows: Code & Implicit Authorization Flow
Limited to Groups: matrix # my choice to only allow specific users to log in.
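The three snippets above only work if the shared identifiers and secrets line up exactly (Synapse's msc3861 client in MAS, the admin token against matrix.secret, and the Nextcloud redirect URI built from the MAS provider id). This added consistency check is my own example, not code from the post or from any of the projects; the configs are embedded as Python dicts mirroring the YAML, with the page's placeholder values standing in for real secrets.

```python
# Added example (not part of the original post): cross-check the identifiers and
# secrets that the Synapse, MAS and Nextcloud snippets must share.
SYNAPSE_MSC3861 = {
    "issuer": "https://auth.sspaeth.de/",
    "client_id": "00000000000000000SYNAPSE00",
    "client_auth_method": "client_secret_basic",
    "client_secret": "1234CLIENTSECRETHERE56789",
    "admin_token": "0x97531ADMINTOKENHERE13579",
}
MAS = {
    "clients": [{"client_id": "00000000000000000SYNAPSE00",
                 "client_auth_method": "client_secret_basic",
                 "client_secret": "1234CLIENTSECRETHERE56789"}],
    "matrix": {"secret": "0x97531ADMINTOKENHERE13579"},
    "upstream_oauth2": {"providers": [{
        "id": "01B2BSNY1QVVS9ZG3JTVDHNYYE",
        "client_id": "THISISMYLONGANDSECRETNEXTCLOUDCLIENTID",
        "client_secret": "THISISMYLONGANDSECRETNEXTCLOUDCLIENTSECRET"}]},
}
# The "OpenID Connect clients" entry as typed into Nextcloud's admin UI.
NEXTCLOUD = {
    "redirect_uri": "https://auth.sspaeth.de/upstream/callback/01B2BSNY1QVVS9ZG3JTVDHNYYE",
    "client_id": "THISISMYLONGANDSECRETNEXTCLOUDCLIENTID",
    "secret": "THISISMYLONGANDSECRETNEXTCLOUDCLIENTSECRET",
}

def check_links(msc, mas, nextcloud):
    """Return the list of mismatches between the three configs; [] means consistent."""
    problems = []
    # Synapse -> MAS: the msc3861 client must be registered in MAS with the same secret and method.
    client = next((c for c in mas["clients"] if c["client_id"] == msc["client_id"]), None)
    if client is None:
        problems.append("Synapse client_id is not registered under MAS clients")
    else:
        for key in ("client_secret", "client_auth_method"):
            if client[key] != msc[key]:
                problems.append(f"Synapse/MAS {key} differ")
    # Synapse -> MAS: admin_token must equal the shared matrix.secret.
    if msc["admin_token"] != mas["matrix"]["secret"]:
        problems.append("Synapse admin_token differs from MAS matrix.secret")
    # MAS -> Nextcloud: the redirect URI is derived from the MAS issuer and the provider id.
    provider = mas["upstream_oauth2"]["providers"][0]
    expected_redirect = f"{msc['issuer'].rstrip('/')}/upstream/callback/{provider['id']}"
    if nextcloud["redirect_uri"] != expected_redirect:
        problems.append(f"Nextcloud redirect URI should be {expected_redirect}")
    if nextcloud["client_id"] != provider["client_id"]:
        problems.append("Nextcloud client id differs from MAS upstream client_id")
    if nextcloud["secret"] != provider["client_secret"]:
        problems.append("Nextcloud secret differs from MAS upstream client_secret")
    return problems
```

Run check_links(SYNAPSE_MSC3861, MAS, NEXTCLOUD) after pasting your real values in; a single mistyped secret or a redirect URI that does not end in the provider id shows up as a named mismatch instead of an opaque login failure.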

That was simple, wasn't it? Again, these are just the specific config changes to all components needed to get things running. Check out the detailed post on my setup and nginx proxy configuration.

Matrix server with Nextcloud login

This is a pretty geeky description of my Matrix homeserver setup using Matrix-authentication-service and Nextcloud as the authentication source. It might be useful to others or to future me. If you are not interested in technical details, please skip this post. A minimal version highlighting just the necessary configuration can be found in this TL;DR post. This is the slightly extended version explaining my setup.


Blue Man Group

Been to a show in Chicago; what an event. We had seats in the first row and were greeted with rain coats that we were supposed to put on (so much for nice evening outfits). And what a show! It is hard to describe, as it was a firework of ideas: pantomime, acrobatics, humor, and lots of liquid color. Mix in lots of interactivity with the audience (and pulling audience members on stage).
P.S. I really need to start practicing catching Marshmallows with my mouth. It is an underdeveloped skill.

Sebastian Spaeth

2024/08/04

The first time back in the USA in five years, and it is quite impressive. I had never been to Colorado, Wyoming, Nebraska or South Dakota before. Dances with Wolves vibes. But also tragic and interesting how Native Americans and their history are dealt with.

Cycling is dangerous

Biked to work this Monday. When crossing the street on a dedicated bike lane, a bus coming from the left hit me with its front corner. Fortunately, it threw me to the side and not in front under the bus. Lucky me!!!

P.S. Yes, the traffic lights were green for me.

Lives used: 1 Lives left: 8

Sebastian Spaeth

2024/03/29

Ready for the big Easter bonfire in Volksdorf, where tomorrow I will once again devour, err, sell several thousand bratwursts and a hundred kilos of fries.

Making your blog a micro-blog

I like decentralized social media and I really like ActivityPub/Mastodon & co. But I have been running my blog since around 2001 (b2evolution!) and I really do not feel like setting up a Ruby server (Pleroma is nice, though). So it is very cool that you can convert your WordPress into a Mastodon server, using the ActivityPub plugin to publish to the Fediverse, the Friends plugin to read and subscribe to ActivityPub content, and the Enable Mastodon Apps plugin to post via a Mastodon app. Cool!