First production release. Every fix below was found by deploying to a real, blank cloud VPS, and the final state was re-verified on a from-scratch reinstall of this exact commit — no manual steps after nixos-anywhere.
Verified on a clean deploy
- All services start and stay up (`NRestarts=0`): Synapse, MAS, Caddy, nginx, PostgreSQL, LiveKit, lk-jwt-service, FluffyChat.
- Real Let's Encrypt certificates on every subdomain.
- Matrix federation tester: green.
- Element Call (LiveKit + JWT service) running.
- Create a user and log in via the Matrix client API — works on first boot.
- Cloud metadata DNS keeps working after containers start (no link-local hijack).
Fixes since v0.1.0
- Element Call: `lk-jwt-service` was pinned to an image tag that doesn't exist (`v0.2.1`). The image is published without a leading `v` — now pinned to `0.4.4`.
- Federation: port 8448 was open in the firewall but nothing listened on it; Caddy now serves federation there for peers that skip well-known delegation.
- Login / user creation: MAS and Synapse were configured with two different shared secrets, so Synapse rejected MAS's admin calls (`403 "must only be called by MAS"`). Both now use the same `synapse_admin_token`.
- Deploy command: dropped `--force-kexec` (unnecessary on a fresh cloud VM, and broken in nixos-anywhere 1.13.0), fixed the README/DEPLOY quick-starts to pass `--target-host`, `--extra-files`, and the SSH key, and switched to the canonical `github:nix-community/nixos-anywhere` reference.
Related
Prefer Docker? The same stack as a Docker Compose deployment: https://github.com/wlphi/ess-docker-compose