matrix: open (tokenless) registration + bot mitigations + #security alert

User-chosen fully-open registration on tuwunel (no CAPTCHA support; browser
challenges break native clients). Bot defense is layered instead:
- Traefik rate-limit Middleware on a path-scoped /register ingress carve-out,
  keyed on request Host (GLOBAL /register cap) not source IP — the host is
  reachable via both Cloudflare-IPv4 (CF-Connecting-IP) and IPv6-direct (HE
  tunnel, no CF header), so a per-source key let IPv6 bots bypass. 10/min,
  burst 20, per replica; CrowdSec is the hard backstop on both paths.
- Loki ruler rule MatrixNewUserRegistered -> lane=security -> existing
  #security Slack receiver (matches "registered on this server", never the
  rejection line). tuwunel's admin bot also posts signups to the admin room.

Dropped the REGISTRATION_TOKEN env (secret/matrix + ESO kept for revert).
Applied via scripts/tg (matrix tier-1 + targeted monitoring configmap), so
[ci skip] to avoid CI full-applying monitoring (unrelated grafana-acl drift).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docs/plans/2026-06-08-matrix-synapse-to-tuwunel-plan.md

@@ -57,3 +57,36 @@ RocksDB dir.
   predates this migration and was **not** applied. Resolve separately.
 - **Synapse leftover files** remain on the encrypted PVC volume root (unused by
   tuwunel). Can be `rm`'d after confidence in the new server.
+
+## Follow-up: open registration + bot mitigations (2026-06-08, user-chosen)
+
+Registration was opened **fully (tokenless)** — `TUWUNEL_ALLOW_REGISTRATION=true`
++ `TUWUNEL_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE=true`,
+dropped the `TUWUNEL_REGISTRATION_TOKEN` env (the Vault `secret/matrix` token +
+`matrix-secrets` ESO are kept for one-env-change revert to token-gated). tuwunel
+has **no CAPTCHA** (only Synapse does) and a browser challenge would break native
+clients, so bot defense is layered instead:
+
+- **Traefik rate-limit on `/register`** — a `register-ratelimit` Middleware
+  (`stacks/matrix`) on a path-scoped `ingress_register` carve-out (longer prefix
+  wins over the catch-all). Keyed on the **request Host (global `/register` cap),
+  not source IP** — because the host is reachable both via Cloudflare-IPv4
+  (`CF-Connecting-IP`) and **IPv6-direct (HE tunnel → pfSense HAProxy → Traefik,
+  no CF header)**; a per-source key let IPv6 bots bypass entirely (found during
+  testing). 10/min, burst 20, **per Traefik replica (×3)**.
+- **CrowdSec** (already on the ingress chain) is the hard backstop — bans abusive
+  IPs on both paths; covers the per-replica looseness of the soft rate-limit.
+- **Notification:** Loki ruler rule `MatrixNewUserRegistered` (`stacks/monitoring`,
+  matches `... registered on this server`, never the rejection line) → `lane=security`
+  → existing `#security` Slack receiver. Also note tuwunel's admin bot
+  (`@conduit:matrix.viktorbarzin.me`) **natively posts every registration to the
+  server admin room**, so there's an in-Matrix notice too.
+- **Verification:** open signup returns 200 (`@regtest1`, since deactivated via
+  `!admin users deactivate` in the admin room); Traefik access logs confirm
+  `/register` routes through the rate-limited carve-out router. A live 429 was not
+  force-tested (per-replica burst ~60 across 3 replicas; avoided hammering so as
+  not to trip CrowdSec on the test source IP).
+
+**Add a user:** anyone can self-register now. To provision manually instead:
+`!admin users create-user <name>` in the admin room (first user `@viktor` is admin).
+**Revert to token-gated:** drop the YES_I_AM... flag, re-add `TUWUNEL_REGISTRATION_TOKEN`.