echo6-docs/synapse.ref

# Synapse Deployment Reference
# Generated: 2026-04-09 (Phase 1)

## Install Method
- Docker Compose at /opt/matrix/docker-compose.yml
- Four containers on `matrix-net` bridge network:
  - matrix-synapse (matrixdotorg/synapse:latest) → 127.0.0.1:8008
  - matrix-mas (ghcr.io/element-hq/matrix-authentication-service:latest) → 127.0.0.1:8085
  - matrix-postgres (postgres:16-alpine) → internal 5432
  - matrix-element (vectorim/element-web:latest) → 127.0.0.1:8088

## Synapse Version
- 1.147.1 (confirmed via admin API and docker exec)

## Key Config Values (from homeserver.yaml)
- server_name: echo6.co
- public_baseurl: https://matrix.echo6.co/
- listeners: port 8008, HTTP, x_forwarded=true, bind 0.0.0.0, resources=[client, federation]
- database: psycopg2 → matrix-postgres:5432, db=synapse, user=synapse
- media_store_path: /data/media_store (95 MB used)
- registration_shared_secret: PRESENT (not redacted here — see synapse_homeserver.yaml.sanitized)
- signing_key_path: /data/echo6.co.signing.key
- enable_registration: false
- url_preview_enabled: true
- report_stats: false
- app_service_config_files: NOT PRESENT (no appservices currently registered)
- encryption_enabled_by_default_for_room_type: NOT SET (default=off)
- MAS delegation: enabled, endpoint=http://matrix-mas:8080/, shared secret present

## MAS (Matrix Authentication Service)
- Version: v1.12.0
- Listen: 8080 (web), 8081 (internal/health)
- Database: postgresql://mas:***@matrix-postgres:5432/mas
- Upstream OAuth2: Authentik (auth.echo6.co) via OIDC
  - Client ID: 93kCoZkBlnJyD9EcAm7E4btKflecOcBm9DGONB5T
  - Issuer: https://auth.echo6.co/application/o/matrix/
- Matrix integration: kind=synapse, homeserver=echo6.co, endpoint=http://matrix-synapse:8008/
- Passwords: enabled (bcrypt v1 + argon2id v2)
- Email transport: blackhole (not sending)

## Database (PostgreSQL)
- Version: 16.12 (Alpine)
- Host: matrix-postgres container on matrix-net
- Databases: synapse (owner: synapse), mas (owner: mas), postgres, template0, template1
- Users: synapse (Superuser, Create role, Create DB), mas (regular)
- Auth: password from .env file (POSTGRES_PASSWORD)
- New DB/user can be created without collision — synapse user has Superuser/Create role privileges

## Reverse Proxy (Caddy on Contabo)
- matrix.echo6.co routes:
  - /_matrix/client/*/login|logout|refresh|auth_metadata → MAS (127.0.0.1:8085)
  - /_matrix/* → Synapse (127.0.0.1:8008)
  - /_synapse/* → Synapse (127.0.0.1:8008)
  - Everything else → MAS (127.0.0.1:8085)
- element.echo6.co → 127.0.0.1:8088

## Federation
- Well-known served from echo6.co (utility Caddy, NOT matrix.echo6.co)
  - /.well-known/matrix/server: {"m.server": "matrix.echo6.co:443"}
  - /.well-known/matrix/client: base_url=https://matrix.echo6.co, issuer=https://matrix.echo6.co/
- Federation tester: AllChecksOK=true, TLS 1.3, valid Ed25519 key, valid certificates
- Port 8448 exposed in container but NOT used externally (federation via 443 + well-known)

## Existing Appservices
- NONE — no app_service_config_files in homeserver.yaml, no registration files in /opt/matrix/synapse/

## Backup
- Cron: daily at 3 AM via /opt/matrix/scripts/pg_backup.sh
- Backs up synapse DB only (NOT mas DB)
- Retention: 14 days
- Location: /opt/matrix/backups/

## Ports in 29xxx Range
- NONE in use — confirmed via ss -tlnp

## MSC4190 Support
- Synapse 1.147.1 supports MSC4190 (merged in 1.121.0)
- Requires io.element.msc4190: true in appservice registration file
- Also requires experimental_features.msc3202_transaction_extensions: true in homeserver.yaml
Migration: consolidate Echo6 docs to cortex with full infrastructure cleanup sync - Documents recent infrastructure cleanup (8 CTs destroyed, 35 DNS records removed, Headscale cleanup) - Adds 24 new runbooks covering Authentik, PeerTube, Meshtastic, RECON, Proxmox, Mailcow, Internet Archive, GPU routing - Adds project documentation for headscale, vaultwarden, peertube, matrix, mmud, advbbs, arr stack - Updates services.md, environment.md, caddy.md, authentik.md to match live infrastructure - Removes 4 deprecated runbook duplicates (canonical versions live in projects/) - Adds .gitignore for binary archives and editor temp files Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-13 06:02:16 +00:00			`# Synapse Deployment Reference`
			`# Generated: 2026-04-09 (Phase 1)`

			`## Install Method`
			`- Docker Compose at /opt/matrix/docker-compose.yml`
			- Four containers on `matrix-net` bridge network:
			`- matrix-synapse (matrixdotorg/synapse:latest) → 127.0.0.1:8008`
			`- matrix-mas (ghcr.io/element-hq/matrix-authentication-service:latest) → 127.0.0.1:8085`
			`- matrix-postgres (postgres:16-alpine) → internal 5432`
			`- matrix-element (vectorim/element-web:latest) → 127.0.0.1:8088`

			`## Synapse Version`
			`- 1.147.1 (confirmed via admin API and docker exec)`

			`## Key Config Values (from homeserver.yaml)`
			`- server_name: echo6.co`
			`- public_baseurl: https://matrix.echo6.co/`
			`- listeners: port 8008, HTTP, x_forwarded=true, bind 0.0.0.0, resources=[client, federation]`
			`- database: psycopg2 → matrix-postgres:5432, db=synapse, user=synapse`
			`- media_store_path: /data/media_store (95 MB used)`
			`- registration_shared_secret: PRESENT (not redacted here — see synapse_homeserver.yaml.sanitized)`
			`- signing_key_path: /data/echo6.co.signing.key`
			`- enable_registration: false`
			`- url_preview_enabled: true`
			`- report_stats: false`
			`- app_service_config_files: NOT PRESENT (no appservices currently registered)`
			`- encryption_enabled_by_default_for_room_type: NOT SET (default=off)`
			`- MAS delegation: enabled, endpoint=http://matrix-mas:8080/, shared secret present`

			`## MAS (Matrix Authentication Service)`
			`- Version: v1.12.0`
			`- Listen: 8080 (web), 8081 (internal/health)`
			`- Database: postgresql://mas:***@matrix-postgres:5432/mas`
			`- Upstream OAuth2: Authentik (auth.echo6.co) via OIDC`
			`- Client ID: 93kCoZkBlnJyD9EcAm7E4btKflecOcBm9DGONB5T`
			`- Issuer: https://auth.echo6.co/application/o/matrix/`
			`- Matrix integration: kind=synapse, homeserver=echo6.co, endpoint=http://matrix-synapse:8008/`
			`- Passwords: enabled (bcrypt v1 + argon2id v2)`
			`- Email transport: blackhole (not sending)`

			`## Database (PostgreSQL)`
			`- Version: 16.12 (Alpine)`
			`- Host: matrix-postgres container on matrix-net`
			`- Databases: synapse (owner: synapse), mas (owner: mas), postgres, template0, template1`
			`- Users: synapse (Superuser, Create role, Create DB), mas (regular)`
			`- Auth: password from .env file (POSTGRES_PASSWORD)`
			`- New DB/user can be created without collision — synapse user has Superuser/Create role privileges`

			`## Reverse Proxy (Caddy on Contabo)`
			`- matrix.echo6.co routes:`
			`- /_matrix/client/*/login\|logout\|refresh\|auth_metadata → MAS (127.0.0.1:8085)`
			`- /_matrix/* → Synapse (127.0.0.1:8008)`
			`- /_synapse/* → Synapse (127.0.0.1:8008)`
			`- Everything else → MAS (127.0.0.1:8085)`
			`- element.echo6.co → 127.0.0.1:8088`

			`## Federation`
			`- Well-known served from echo6.co (utility Caddy, NOT matrix.echo6.co)`
			`- /.well-known/matrix/server: {"m.server": "matrix.echo6.co:443"}`
			`- /.well-known/matrix/client: base_url=https://matrix.echo6.co, issuer=https://matrix.echo6.co/`
			`- Federation tester: AllChecksOK=true, TLS 1.3, valid Ed25519 key, valid certificates`
			`- Port 8448 exposed in container but NOT used externally (federation via 443 + well-known)`

			`## Existing Appservices`
			`- NONE — no app_service_config_files in homeserver.yaml, no registration files in /opt/matrix/synapse/`

			`## Backup`
			`- Cron: daily at 3 AM via /opt/matrix/scripts/pg_backup.sh`
			`- Backs up synapse DB only (NOT mas DB)`
			`- Retention: 14 days`
			`- Location: /opt/matrix/backups/`

			`## Ports in 29xxx Range`
			`- NONE in use — confirmed via ss -tlnp`

			`## MSC4190 Support`
			`- Synapse 1.147.1 supports MSC4190 (merged in 1.121.0)`
			`- Requires io.element.msc4190: true in appservice registration file`
			`- Also requires experimental_features.msc3202_transaction_extensions: true in homeserver.yaml`