matrix: migrate Synapse -> tuwunel (Rust homeserver, fresh start, federated)
Replace the cramped Synapse deployment with tuwunel v1.7.1: embedded RocksDB drops the CNPG dependency (both init-containers, the db ESO, the Reloader annotation all gone), env-var config, fsGroup-owned encrypted PVC, federation on, tuwunel-served well-known delegation to :443. server_name unchanged (matrix.viktorbarzin.me); fresh start (no Synapse->RocksDB migration path). Registered @viktor admin then disabled registration (403). Cleanup: removed the orphaned pg-matrix Vault static role and dropped the matrix Postgres DB/role; updated service-catalog, upgrade-config, CLAUDE.md PG-rotation list, and the Matrix OIDC->orphaned auth notes. Design+plan in docs/plans/2026-06-08-matrix-synapse-to-tuwunel-*. Already applied via scripts/tg (matrix tier-1 + targeted vault tier-0), so [ci skip] to avoid CI reconciling an unrelated pre-existing vault OIDC tune-TTL drift. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent 09514a234b
commit 23602f393e
9 changed files with 199 additions and 102 deletions
@ -102,7 +102,7 @@ Authentik provides OIDC for 10 applications:
| Kubernetes | OIDC (public client) | K8s API authentication (kubectl / kubelogin CLI) |
| Kubernetes Dashboard | OIDC (confidential) | Built for dashboard SSO — currently **idle** (apiserver OIDC blocked; dashboard uses forward-auth + token-paste) |
| Linkwarden | OIDC | Bookmark manager SSO |
| Matrix | OIDC | Matrix homeserver SSO |
| Matrix | OIDC | ⚠️ Legacy/orphaned — Synapse→tuwunel migration 2026-06-08; tuwunel uses native password auth, OIDC SSO not wired |
| Wrongmove | OIDC | Real estate app SSO |
### Kubernetes API authentication (OIDC) — CURRENTLY NON-FUNCTIONAL
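Review bot: the replacement Matrix row (`| Matrix | OIDC | ⚠️ Legacy/orphaned — Synapse→tuwunel migration 2026-06-08; ...`) records the Authentik client as unused but leaves it registered, and the unchanged context line `Authentik provides OIDC for 10 applications:` still counts it as a live integration. An OIDC client nobody uses, whose registration (and any client secret and redirect URIs) stays valid, is a standing credential that no application will notice being abused; either delete or deactivate the Matrix provider/application in Authentik in the same change and drop the row (adjusting the count to 9), or, if it is intentionally kept for wiring tuwunel SSO later, say so in the row with a review date so "orphaned" does not become permanent. Also consider keeping the removed row's purpose text ("Matrix homeserver SSO") next to the status so the table still says what the client was for.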