matrix: migrate Synapse -> tuwunel (Rust homeserver, fresh start, federated)

Replace the cramped Synapse deployment with tuwunel v1.7.1: embedded RocksDB
drops the CNPG dependency (both init-containers, the db ESO, the Reloader
annotation all gone), env-var config, fsGroup-owned encrypted PVC, federation
on, tuwunel-served well-known delegation to :443. server_name unchanged
(matrix.viktorbarzin.me); fresh start (no Synapse->RocksDB migration path).
Registered @viktor admin then disabled registration (403).

Cleanup: removed the orphaned pg-matrix Vault static role and dropped the
matrix Postgres DB/role; updated service-catalog, upgrade-config, CLAUDE.md
PG-rotation list, and the Matrix OIDC->orphaned auth notes. Design+plan in
docs/plans/2026-06-08-matrix-synapse-to-tuwunel-*.

Already applied via scripts/tg (matrix tier-1 + targeted vault tier-0), so
[ci skip] to avoid CI reconciling an unrelated pre-existing vault OIDC
tune-TTL drift.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-08 11:58:17 +00:00
parent 09514a234b
commit 23602f393e
9 changed files with 199 additions and 102 deletions


@ -14,7 +14,7 @@
| Kubernetes | OAuth2/OIDC (public) | implicit consent |
| Kubernetes Dashboard | OAuth2/OIDC (confidential) | implicit consent |
| linkwarden | OAuth2/OIDC | explicit consent |
| Matrix | OAuth2/OIDC | implicit consent |
| Matrix | OAuth2/OIDC | ⚠️ orphaned — Matrix migrated to tuwunel 2026-06-08 (native password auth); this OAuth app is unused |
| wrongmove | OAuth2/OIDC | implicit consent |
> **Kubernetes Dashboard** (TF-managed in `stacks/k8s-dashboard/authentik.tf`):
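Review bot: the replacement Matrix row leaves an OAuth2/OIDC application registered in the provider while documenting it as unused; an orphaned client with a live client secret is needless attack surface, so either delete the application/provider (and revoke its secret) in the same change or link a follow-up task from the note instead of only flagging it. The row also overwrites the third column's consent value ("implicit consent") with free text, which breaks the column's meaning for anyone parsing or scanning the table; keep the consent value in that column and put the orphaned note in a separate column or a footnote below the table.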


@ -86,7 +86,7 @@
| diun | Docker image update notifier — detects new versions, fires webhook to n8n upgrade agent | diun |
| meshcentral | Remote management | meshcentral |
| homepage | Dashboard/startpage | homepage |
| matrix | Matrix chat server | matrix |
| matrix | Matrix homeserver (tuwunel — Rust, RocksDB; native password auth) | matrix |
| linkwarden | Bookmark manager | linkwarden |
| changedetection | Web change detection | changedetection |
| tandoor | Recipe manager | tandoor |


@ -7,7 +7,6 @@
"docker.io/mailserver/docker-mailserver": "docker-mailserver/docker-mailserver",
"mailserver/docker-mailserver": "docker-mailserver/docker-mailserver",
"docker.n8n.io/n8nio/n8n": "n8n-io/n8n",
"matrixdotorg/synapse": "element-hq/synapse",
"headscale/headscale": "juanfont/headscale",
"technitium/dns-server": "TechnitiumSoftware/DnsServer",
"ghcr.io/paperless-ngx/paperless-ngx": "paperless-ngx/paperless-ngx",
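Review bot: the Synapse image-to-repository mapping is removed but no entry for the tuwunel image is added in its place, so the update notifier that consumes this map (diun per the service catalog) will have no upstream repository to resolve new tuwunel releases against, and the homeserver silently drops out of version tracking. Add a mapping from the tuwunel image reference the deployment pins to its upstream GitHub repository alongside the other entries in this block.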
@ -82,7 +81,6 @@
"dawarich": { "type": "postgresql", "db_name": "dawarich", "shared": true },
"health": { "type": "postgresql", "db_name": "health", "shared": true },
"linkwarden": { "type": "postgresql", "db_name": "linkwarden", "shared": true },
"matrix": { "type": "postgresql", "db_name": "matrix", "shared": true },
"n8n": { "type": "postgresql", "db_name": "n8n", "shared": true },
"netbox": { "type": "postgresql", "db_name": "netbox", "shared": true },
"rybbit": { "type": "postgresql", "db_name": "rybbit", "shared": true },
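Review bot: removing the `matrix` entry from the shared-postgresql list is consistent with dropping the database and role, but the fresh-start migration has no reverse path once the Synapse data is gone, so confirm that a final dump of the `matrix` database was taken and retained before the DROP, and that the rotation and backup tooling driven by this list has no remaining reference to the `matrix` db_name.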