# Decision Framework: Matrix Host, Domain, and Proxy (#187)

> **Issue**: [#187](http://143.198.27.163:3000/Timmy_Foundation/timmy-config/issues/187) — Decide Matrix host, domain, and proxy prerequisites so #166 can deploy
> **Parent**: [#166](http://143.198.27.163:3000/Timmy_Foundation/timmy-config/issues/166) — Stand up Matrix/Conduit for human-to-fleet encrypted communication
> **Created**: 2026-04-05 by Ezra (burn mode)
> **Purpose**: Turn the #187 blocker into a checkbox. One recommendation, two alternatives, explicit trade-offs.

---

## Executive Summary

**Recommended Path (Option A)**

- **Host**: Existing Hermes VPS (`143.198.27.163` — already hosts Gitea, Bezalel, Allegro-Primus)
- **Domain**: `matrix.timmytime.net`
- **Proxy**: Caddy (dedicated to Matrix, auto-TLS, auto-federation headers)
- **TLS**: Let's Encrypt via Caddy (ports 80/443/8448 exposed)

**Why**: It reuses a known sovereign host, keeps comms infrastructure under one roof, and uses Caddy, the simplest path to working federation.

---

## Option A — Recommended: Hermes VPS + Caddy

### Host: Hermes VPS (`143.198.27.163`)

| Factor | Assessment |
|--------|------------|
| Sovereignty | ✅ Full root, no platform lock-in |
| Uptime | ✅ 24/7 VPS, better than home broadband |
| Existing load | ⚠️ Gitea + wizard gateways running; Conduit is lightweight (~200MB RAM) |
| Cost | ✅ Sunk cost — no new provider needed |

### Domain: `matrix.timmytime.net`

| Factor | Assessment |
|--------|------------|
| DNS control | ✅ `timmytime.net` is already under fleet control |
| Federation SRV | Simple A record + optional `_matrix._tcp` SRV record |
| TLS cert | Caddy auto-provisions for this subdomain |

### Proxy: Caddy

| Factor | Assessment |
|--------|------------|
| TLS automation | ✅ Built-in ACME, auto-renewal |
| Federation headers | ✅ Easy `.well-known` + SRV support |
| Config complexity | ✅ Single `Caddyfile`, no label magic |
| Traefik conflict | None — Caddy binds its own ports directly |

### Required Actions for Option A

1. Point the `matrix.timmytime.net` A record at `143.198.27.163`
2. Open VPS firewall: `80`, `443`, `8448` inbound
3. Clone `timmy-config` to VPS
4. `cd infra/matrix && ./host-readiness-check.sh`
5. Edit `conduit.toml` → `server_name = "matrix.timmytime.net"`
6. Run `./deploy-matrix.sh`

---

## Option B — Conservative: Timmy-Home Bare Metal + Traefik

| Factor | Assessment |
|--------|------------|
| Host | Timmy-Home Mac Mini / server |
| Domain | `matrix.home.timmytime.net` |
| Proxy | Existing Traefik instance |
| Pros | Full physical sovereignty; no cloud dependency |
| Cons | Home IP dynamic (requires DDNS); port-forwarding dependency; power/network outages |
| Verdict | 🔶 Viable backup, not primary |

---

## Option C — Fast but Costly: DigitalOcean Droplet

| Factor | Assessment |
|--------|------------|
| Host | Fresh $6-12/mo Ubuntu droplet |
| Domain | `matrix.timmytime.net` |
| Proxy | Caddy or Nginx |
| Pros | Clean slate, static IP, easy snapshot backups |
| Cons | New monthly bill, another host to patch/monitor |
| Verdict | 🔶 Overkill while Hermes VPS has headroom |

---

## Comparative Matrix

| Criterion | Option A (Recommended) | Option B (Home) | Option C (DO) |
|-----------|------------------------|-----------------|---------------|
| Speed to deploy | 🟢 Fast | 🟡 Medium | 🟡 Medium |
| Sovereignty | 🟢 High | 🟢 Highest | 🟢 High |
| Reliability | 🟢 Good | 🔴 Variable | 🟢 Good |
| Cost | 🟢 $0 extra | 🟢 $0 extra | 🔴 +$6-12/mo |
| Operational load | 🟢 Low | 🟡 Medium | 🔴 Higher |
| Federation ease | 🟢 Caddy simple | 🟡 Traefik doable | 🟢 Caddy simple |

---

## Port & TLS Requirements (All Options)

| Port | Direction | Purpose | Notes |
|------|-----------|---------|-------|
| `80` | Inbound | ACME challenge + `.well-known` redirect | Must be reachable from internet |
| `443` | Inbound | Client HTTPS (Element, mobile apps) | Caddy/Traefik terminates TLS |
| `8448` | Inbound | Federation (server-to-server) | Matrix spec default; can proxy from 443 but 8448 is safest |
| `6167` | Internal | Conduit replication (optional) | Not needed for single-node |

**TLS Path**: Let's Encrypt HTTP-01 challenge (no manual cert purchase).
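
The proxy side of Option A's Required Actions and the port table above, written out as an added example `Caddyfile`. This is not the project's own `infra/matrix` config and is not what `deploy-matrix.sh` generates; it assumes Conduit listens on `localhost:6167` (adjust to the listen address and port set in `conduit.toml`), that ports 80, 443 and 8448 on the VPS are free for Caddy to bind, and that delegating federation to 443 via `.well-known` is acceptable alongside the spec-default 8448.

```caddyfile
# Added example Caddyfile for Option A (not the project's own config).
# Assumption: Conduit is reachable at localhost:6167; change to match
# the listen address/port configured in conduit.toml.
# Caddy obtains the Let's Encrypt certificate itself (HTTP-01 on port 80)
# and reuses it for both the 443 and 8448 listeners below.

matrix.timmytime.net {
    # Federation delegation: other homeservers read this to learn where to
    # connect. Pointing at :443 lets federation work even if 8448 is
    # filtered somewhere; 8448 is still served below as the spec default.
    handle /.well-known/matrix/server {
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        respond `{"m.server": "matrix.timmytime.net:443"}` 200
    }

    # Client discovery for Element / mobile apps entering "timmytime.net".
    handle /.well-known/matrix/client {
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        respond `{"m.homeserver": {"base_url": "https://matrix.timmytime.net"}}` 200
    }

    # Only Matrix API paths are forwarded to Conduit; nothing else on this
    # vhost is exposed, so a stray request cannot reach the backend.
    handle /_matrix/* {
        reverse_proxy localhost:6167
    }

    handle {
        respond "Not found" 404
    }
}

# Spec-default federation port: same certificate, same backend, Matrix
# API paths only.
matrix.timmytime.net:8448 {
    reverse_proxy /_matrix/* localhost:6167
}
```

After `deploy-matrix.sh` has run, the two checks worth doing before calling #166 done are `curl https://matrix.timmytime.net/.well-known/matrix/server` (must return the JSON above with a 200) and `curl https://matrix.timmytime.net:8448/_matrix/federation/v1/version` (must be answered by Conduit, not by the 404 handler). If either fails, remote homeservers cannot reach this one even though local clients on 443 appear to work.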

---

## The Actual Checklist to Close #187

- [ ] **Alexander selects one option** (A recommended)
- [ ] Domain/subdomain is chosen and confirmed available
- [ ] Target host IP is known and firewall ports are confirmed open
- [ ] Reverse proxy choice is locked
- [ ] #166 is updated with the decision
- [ ] Allegro or Ezra is tasked with live deployment

**If you check these 6 boxes, #166 is unblocked.**

---

## Suggested Comment to Resolve #187

> "Go with Option A. Domain: `matrix.timmytime.net`. Host: Hermes VPS. Proxy: Caddy. @ezra or @allegro deploy when ready."

That is all that is required.