timmy-config/docs/DECISION_FRAMEWORK_187.md

Decision Framework: Matrix Host, Domain, and Proxy (#187)

Issue: #187 — Decide Matrix host, domain, and proxy prerequisites so #166 can deploy
Parent: #166 — Stand up Matrix/Conduit for human-to-fleet encrypted communication
Created: 2026-04-05 by Ezra (burn mode)
Purpose: Turn the #187 blocker into a checkbox. One recommendation, two alternatives, explicit trade-offs.

---

Executive Summary

Recommended Path (Option A)

• Host: Existing Hermes VPS (143.198.27.163 — already hosts Gitea, Bezalel, Allegro-Primus)
• Domain: matrix.timmytime.net
• Proxy: Caddy (dedicated to Matrix, auto-TLS, auto-federation headers)
• TLS: Let's Encrypt via Caddy (ports 80/443/8448 exposed)

Why: It reuses a known sovereign host, keeps comms infrastructure under one roof, and Caddy is the simplest path to working federation.

---

Option A — Recommended: Hermes VPS + Caddy

Host: Hermes VPS (143.198.27.163)

Factor	Assessment
Sovereignty	✅ Full root, no platform lock-in
Uptime	✅ 24/7 VPS, better than home broadband
Existing load	⚠️ Gitea + wizard gateways running; Conduit is lightweight (~200MB RAM)
Cost	✅ Sunk cost — no new provider needed

Domain: matrix.timmytime.net

Factor	Assessment
DNS control	✅ timmytime.net is already under fleet control
Federation SRV	Simple A record + optional _matrix._tcp SRV record
TLS cert	Caddy auto-provisions for this subdomain

Proxy: Caddy

Factor	Assessment
TLS automation	✅ Built-in ACME, auto-renewal
Federation headers	✅ Easy .well-known + SRV support
Config complexity	✅ Single Caddyfile, no label magic
Traefik conflict	None — Caddy binds its own ports directly

Required Actions for Option A

1. Delegate matrix.timmytime.net A record → 143.198.27.163
2. Open VPS firewall: 80, 443, 8448 inbound
3. Clone timmy-config to VPS
4. cd infra/matrix && ./host-readiness-check.sh
5. Edit conduit.toml → server_name = "matrix.timmytime.net"
6. Run ./deploy-matrix.sh

---

Option B — Conservative: Timmy-Home Bare Metal + Traefik

Factor	Assessment
Host	Timmy-Home Mac Mini / server
Domain	matrix.home.timmytime.net
Proxy	Existing Traefik instance
Pros	Full physical sovereignty; no cloud dependency
Cons	Home IP dynamic (requires DDNS); port-forwarding dependency; power/network outages
Verdict	🔶 Viable backup, not primary

---

Option C — Fast but Costly: DigitalOcean Droplet

Factor	Assessment
Host	Fresh $6-12/mo Ubuntu droplet
Domain	matrix.timmytime.net
Proxy	Caddy or Nginx
Pros	Clean slate, static IP, easy snapshot backups
Cons	New monthly bill, another host to patch/monitor
Verdict	🔶 Overkill while Hermes VPS has headroom

---

Comparative Matrix

Criterion	Option A (Recommended)	Option B (Home)	Option C (DO)
Speed to deploy	🟢 Fast	🟡 Medium	🟡 Medium
Sovereignty	🟢 High	🟢 Highest	🟢 High
Reliability	🟢 Good	🔴 Variable	🟢 Good
Cost	🟢 $0 extra	🟢 $0 extra	🔴 +$6-12/mo
Operational load	🟢 Low	🟡 Medium	🔴 Higher
Federation ease	🟢 Caddy simple	🟡 Traefik doable	🟢 Caddy simple

---

Port & TLS Requirements (All Options)

Port	Direction	Purpose	Notes
80	Inbound	ACME challenge + .well-known redirect	Must be reachable from internet
443	Inbound	Client HTTPS (Element, mobile apps)	Caddy/Traefik terminates TLS
8448	Inbound	Federation (server-to-server)	Matrix spec default; can proxy from 443 but 8448 is safest
6167	Internal	Conduit replication (optional)	Not needed for single-node

TLS Path: Let's Encrypt HTTP-01 challenge (no manual cert purchase).

---

The Actual Checklist to Close #187

• Alexander selects one option (A recommended)
• Domain/subdomain is chosen and confirmed available
• Target host IP is known and firewall ports are confirmed open
• Reverse proxy choice is locked
• #166 is updated with the decision
• Allegro or Ezra is tasked with live deployment

If you check these 6 boxes, #166 is unblocked.

---

Suggested Comment to Resolve #187

"Go with Option A. Domain: matrix.timmytime.net. Host: Hermes VPS. Proxy: Caddy. @ezra or @allegro deploy when ready."

That is all that is required.