feat(synapse): Matrix Phase 1 — Synapse homeserver deployment stack

Deploy Synapse on Ezra VPS with PostgreSQL backend, bot registration, and management tooling. Closes #272 Components: - docker-compose.yml: Synapse + PostgreSQL 16 stack - homeserver.yaml: Production config (registration disabled, rate limits, retention) - setup.sh: One-shot deploy (generates secrets, starts stack, registers accounts, gets bot token) - manage.sh: Day-to-day ops (status, restart, logs, backup, update, create-user, teardown) - docs/synapse-deployment.md: Full deployment guide with Nginx TLS, DNS, troubleshooting Security: - Registration disabled by default - Rate limiting on login/registration/messages - Client API bound to localhost (Nginx proxy for public access) - Secrets chmod 600, .gitignore'd - Federation certificate verification enabled Bot account auto-registered and access token acquired — credentials written to synapse-credentials.env for hermes-agent integration.
2026-04-13 18:07:15 -04:00
parent 1ec02cf061
commit cc9d7705b6
7 changed files with 818 additions and 0 deletions
--- a/deploy/synapse/docker-compose.yml
+++ b/deploy/synapse/docker-compose.yml
@@ -0,0 +1,82 @@
+# Synapse Homeserver — Docker Compose Stack
+# Matrix Phase 1: Deploy Synapse on Ezra VPS
+#
+# Usage:
+#   cd deploy/synapse
+#   ./setup.sh                   # first-time deploy (generates config + keys)
+#   docker compose up -d         # start
+#   docker compose logs -f       # follow logs
+#   docker compose down          # stop
+#
+# Secrets:
+#   Never commit .env to version control.
+#   setup.sh generates secrets automatically.
+
+services:
+  synapse-db:
+    image: postgres:16-alpine
+    container_name: synapse-db
+    restart: unless-stopped
+    volumes:
+      - synapse_db:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: synapse
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env}
+      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --lc-collate=C --lc-ctype=C"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U synapse"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - synapse_net
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "20m"
+        max-file: "3"
+
+  synapse:
+    image: matrixdotorg/synapse:latest
+    container_name: synapse
+    restart: unless-stopped
+    depends_on:
+      synapse-db:
+        condition: service_healthy
+    volumes:
+      - synapse_data:/data
+    env_file:
+      - .env
+    environment:
+      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+    ports:
+      - "127.0.0.1:8008:8008"   # Client-server API (localhost only)
+      - "8448:8448"              # Federation (public)
+    networks:
+      - synapse_net
+    healthcheck:
+      test: ["CMD", "curl", "-fSs", "http://localhost:8008/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "50m"
+        max-file: "5"
+    deploy:
+      resources:
+        limits:
+          cpus: "2.0"
+          memory: 2G
+        reservations:
+          memory: 512M
+
+volumes:
+  synapse_data:
+  synapse_db:
+
+networks:
+  synapse_net:
+    driver: bridge