# Synapse Deployment Reference
# Generated: 2026-04-09 (Phase 1)

## Install Method
- Docker Compose at /opt/matrix/docker-compose.yml
- Four containers on `matrix-net` bridge network:
  - matrix-synapse (matrixdotorg/synapse:latest) → 127.0.0.1:8008
  - matrix-mas (ghcr.io/element-hq/matrix-authentication-service:latest) → 127.0.0.1:8085
  - matrix-postgres (postgres:16-alpine) → internal 5432
  - matrix-element (vectorim/element-web:latest) → 127.0.0.1:8088

## Synapse Version
- 1.147.1 (confirmed via admin API and docker exec)

## Key Config Values (from homeserver.yaml)
- server_name: echo6.co
- public_baseurl: https://matrix.echo6.co/
- listeners: port 8008, HTTP, x_forwarded=true, bind 0.0.0.0, resources=[client, federation]
- database: psycopg2 → matrix-postgres:5432, db=synapse, user=synapse
- media_store_path: /data/media_store (95 MB used)
- registration_shared_secret: PRESENT (not redacted here — see synapse_homeserver.yaml.sanitized)
- signing_key_path: /data/echo6.co.signing.key
- enable_registration: false
- url_preview_enabled: true
- report_stats: false
- app_service_config_files: NOT PRESENT (no appservices currently registered)
- encryption_enabled_by_default_for_room_type: NOT SET (default=off)
- MAS delegation: enabled, endpoint=http://matrix-mas:8080/, shared secret present

## MAS (Matrix Authentication Service)
- Version: v1.12.0
- Listen: 8080 (web), 8081 (internal/health)
- Database: postgresql://mas:***@matrix-postgres:5432/mas
- Upstream OAuth2: Authentik (auth.echo6.co) via OIDC
  - Client ID: 93kCoZkBlnJyD9EcAm7E4btKflecOcBm9DGONB5T
  - Issuer: https://auth.echo6.co/application/o/matrix/
- Matrix integration: kind=synapse, homeserver=echo6.co, endpoint=http://matrix-synapse:8008/
- Passwords: enabled (bcrypt v1 + argon2id v2)
- Email transport: blackhole (not sending)

## Database (PostgreSQL)
- Version: 16.12 (Alpine)
- Host: matrix-postgres container on matrix-net
- Databases: synapse (owner: synapse), mas (owner: mas), postgres, template0, template1
- Users: synapse (Superuser, Create role, Create DB), mas (regular)
- Auth: password from .env file (POSTGRES_PASSWORD)
- New DB/user can be created without collision — synapse user has Superuser/Create role privileges

## Reverse Proxy (Caddy on Contabo)
- matrix.echo6.co routes:
  - /_matrix/client/*/login|logout|refresh|auth_metadata → MAS (127.0.0.1:8085)
  - /_matrix/* → Synapse (127.0.0.1:8008)
  - /_synapse/* → Synapse (127.0.0.1:8008)
  - Everything else → MAS (127.0.0.1:8085)
- element.echo6.co → 127.0.0.1:8088

## Federation
- Well-known served from echo6.co (utility Caddy, NOT matrix.echo6.co)
  - /.well-known/matrix/server: {"m.server": "matrix.echo6.co:443"}
  - /.well-known/matrix/client: base_url=https://matrix.echo6.co, issuer=https://matrix.echo6.co/
- Federation tester: AllChecksOK=true, TLS 1.3, valid Ed25519 key, valid certificates
- Port 8448 exposed in container but NOT used externally (federation via 443 + well-known)

## Existing Appservices
- NONE — no app_service_config_files in homeserver.yaml, no registration files in /opt/matrix/synapse/

## Backup
- Cron: daily at 3 AM via /opt/matrix/scripts/pg_backup.sh
- Backs up synapse DB only (NOT mas DB)
- Retention: 14 days
- Location: /opt/matrix/backups/

## Ports in 29xxx Range
- NONE in use — confirmed via ss -tlnp

## MSC4190 Support
- Synapse 1.147.1 supports MSC4190 (merged in 1.121.0)
- Requires io.element.msc4190: true in appservice registration file
- Also requires experimental_features.msc3202_transaction_extensions: true in homeserver.yaml