# Decision Framework: Matrix Host, Domain, and Proxy (#187)

> **Issue**: [#187](http://143.198.27.163:3000/Timmy_Foundation/timmy-config/issues/187) — Decide Matrix host, domain, and proxy prerequisites so #166 can deploy
> **Parent**: [#166](http://143.198.27.163:3000/Timmy_Foundation/timmy-config/issues/166) — Stand up Matrix/Conduit for human-to-fleet encrypted communication
> **Created**: 2026-04-05 by Ezra (burn mode)
> **Purpose**: Turn the #187 blocker into a checkbox. One recommendation, two alternatives, explicit trade-offs.

---

## Executive Summary

**Recommended Path (Option A)**

- **Host**: Existing Hermes VPS (`143.198.27.163` — already hosts Gitea, Bezalel, Allegro-Primus)
- **Domain**: `matrix.timmytime.net`
- **Proxy**: Caddy (dedicated to Matrix, auto-TLS, auto-federation headers)
- **TLS**: Let's Encrypt via Caddy (ports 80/443/8448 exposed)

**Why**: It reuses a known sovereign host, keeps comms infrastructure under one roof, and Caddy is the simplest path to working federation.
---

## Option A — Recommended: Hermes VPS + Caddy

### Host: Hermes VPS (`143.198.27.163`)

| Factor | Assessment |
|--------|------------|
| Sovereignty | ✅ Full root, no platform lock-in |
| Uptime | ✅ 24/7 VPS, better than home broadband |
| Existing load | ⚠️ Gitea + wizard gateways running; Conduit is lightweight (~200MB RAM) |
| Cost | ✅ Sunk cost — no new provider needed |

### Domain: `matrix.timmytime.net`

| Factor | Assessment |
|--------|------------|
| DNS control | ✅ `timmytime.net` is already under fleet control |
| Federation SRV | Simple A record + optional `_matrix._tcp` SRV record |
| TLS cert | Caddy auto-provisions for this subdomain |

### Proxy: Caddy

| Factor | Assessment |
|--------|------------|
| TLS automation | ✅ Built-in ACME, auto-renewal |
| Federation headers | ✅ Easy `.well-known` + SRV support |
| Config complexity | ✅ Single `Caddyfile`, no label magic |
| Traefik conflict | None — Caddy binds its own ports directly |

### Required Actions for Option A

1. Delegate `matrix.timmytime.net` A record → `143.198.27.163`
2. Open VPS firewall: `80`, `443`, `8448` inbound
3. Clone `timmy-config` to VPS
4. `cd infra/matrix && ./host-readiness-check.sh`
5. Edit `conduit.toml` → `server_name = "matrix.timmytime.net"`
6. Run `./deploy-matrix.sh`

---

## Option B — Conservative: Timmy-Home Bare Metal + Traefik

| Factor | Assessment |
|--------|------------|
| Host | Timmy-Home Mac Mini / server |
| Domain | `matrix.home.timmytime.net` |
| Proxy | Existing Traefik instance |
| Pros | Full physical sovereignty; no cloud dependency |
| Cons | Home IP dynamic (requires DDNS); port-forwarding dependency; power/network outages |
| Verdict | 🔶 Viable backup, not primary |

---

## Option C — Fast but Costly: DigitalOcean Droplet

| Factor | Assessment |
|--------|------------|
| Host | Fresh `$6-12/mo` Ubuntu droplet |
| Domain | `matrix.timmytime.net` |
| Proxy | Caddy or Nginx |
| Pros | Clean slate, static IP, easy snapshot backups |
| Cons | New monthly bill, another host to patch/monitor |
| Verdict | 🔶 Overkill while Hermes VPS has headroom |

---

## Comparative Matrix

| Criterion | Option A (Recommended) | Option B (Home) | Option C (DO) |
|-----------|------------------------|-----------------|---------------|
| Speed to deploy | 🟢 Fast | 🟡 Medium | 🟡 Medium |
| Sovereignty | 🟢 High | 🟢 Highest | 🟢 High |
| Reliability | 🟢 Good | 🔴 Variable | 🟢 Good |
| Cost | 🟢 $0 extra | 🟢 $0 extra | 🔴 +$6-12/mo |
| Operational load | 🟢 Low | 🟡 Medium | 🔴 Higher |
| Federation ease | 🟢 Caddy simple | 🟡 Traefik doable | 🟢 Caddy simple |

---

## Port & TLS Requirements (All Options)

| Port | Direction | Purpose | Notes |
|------|-----------|---------|-------|
| `80` | Inbound | ACME challenge + `.well-known` redirect | Must be reachable from internet |
| `443` | Inbound | Client HTTPS (Element, mobile apps) | Caddy/Traefik terminates TLS |
| `8448` | Inbound | Federation (server-to-server) | Matrix spec default; can proxy from 443 but 8448 is safest |
| `6167` | Internal | Conduit replication (optional) | Not needed for single-node |

**TLS Path**: Let's Encrypt HTTP-01 challenge (no manual cert purchase).
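As an added example (not the repo's `deploy-matrix.sh` or any config from `timmy-config`), this is what the Option A Caddyfile looks like when it implements the port and TLS table above: Caddy obtains the certificate over HTTP-01 on port 80, terminates TLS on 443 and 8448, serves the two `.well-known` documents, and forwards only Matrix API paths to Conduit. It assumes Conduit's HTTP listener is bound locally at `127.0.0.1:6167`, which has to match the `address`/`port` values in `conduit.toml`.

```caddyfile
# Added example Caddyfile for Option A (not the project's own config).
# Assumed upstream: Conduit listening on 127.0.0.1:6167 (match conduit.toml).
# Listing both addresses makes Caddy serve the same site on 443 (clients)
# and 8448 (federation); both get a Let's Encrypt cert automatically.
matrix.timmytime.net, matrix.timmytime.net:8448 {

    # Server delegation: tells federating homeservers which host:port to use.
    # Points at 8448 to match the port table, so no SRV record is needed.
    handle /.well-known/matrix/server {
        header Content-Type application/json
        respond `{"m.server": "matrix.timmytime.net:8448"}` 200
    }

    # Client discovery: Element and mobile apps read this to find the API.
    # The CORS header is required by the spec for the client well-known.
    handle /.well-known/matrix/client {
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        respond `{"m.homeserver": {"base_url": "https://matrix.timmytime.net"}}` 200
    }

    # Only the Matrix API surface reaches Conduit; Conduit itself stays
    # bound to loopback and is never exposed to the internet directly.
    handle /_matrix/* {
        reverse_proxy 127.0.0.1:6167
    }

    # Anything else on these ports is refused rather than proxied through.
    handle {
        respond 404
    }
}
```

After `caddy run`, `curl -s https://matrix.timmytime.net/.well-known/matrix/server` and `curl -sk https://matrix.timmytime.net:8448/_matrix/federation/v1/version` are the two quick checks that TLS on both ports and the delegation file are in place before other homeservers are pointed at it.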
---

## The Actual Checklist to Close #187

- [ ] **Alexander selects one option** (A recommended)
- [ ] Domain/subdomain is chosen and confirmed available
- [ ] Target host IP is known and firewall ports are confirmed open
- [ ] Reverse proxy choice is locked
- [ ] #166 is updated with the decision
- [ ] Allegro or Ezra is tasked with live deployment

**If you check these 6 boxes, #166 is unblocked.**

---

## Suggested Comment to Resolve #187

> "Go with Option A. Domain: `matrix.timmytime.net`. Host: Hermes VPS. Proxy: Caddy. @ezra or @allegro deploy when ready."

That is all that is required.