From d3beee602d83ceb14988c1ab016869a8e60fd3ea Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 13 Jun 2026 14:52:26 +0000
Subject: [PATCH] feat: migrate Matrix federation from port 8448 to .well-known/matrix/server on 443

- modules/core/caddy.nix: replace $MATRIX:8448 site with .well-known/matrix/server handler inside $MATRIX vhost
- modules/element-calling.nix: add .well-known/matrix/server respond directive, remove $MATRIX:8448 block
- modules/synapse.nix: remove 8448 TCP/UDP firewall openings
- app/sovran_systemsos_web/server.py: remove _PORTS_MATRIX_FEDERATION constant, set matrix-synapse.service to [], simplify api_service_detail to only check LiveKit extra ports
- app/sovran_systemsos_web/static/onboarding.js: remove 8448 row from Step 4, update totals to 3/8 (3 required + 5 optional)
---
 app/sovran_systemsos_web/server.py | 23 ++++---------------
 app/sovran_systemsos_web/static/onboarding.js | 7 +++---
 modules/core/caddy.nix | 8 +++----
 modules/element-calling.nix | 5 +---
 modules/synapse.nix | 3 ---
 5 files changed, 12 insertions(+), 34 deletions(-)

diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index 4262ea8..7535467 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -281,9 +281,6 @@ FEATURE_SERVICE_MAP = {
 }
 
 # Port requirements for service tiles (keyed by unit name or icon)
-_PORTS_MATRIX_FEDERATION = [
- {"port": "8448", "protocol": "TCP", "description": "Matrix server-to-server federation"},
-]
 _PORTS_ELEMENT_CALLING = [
 {"port": "7881", "protocol": "TCP", "description": "LiveKit WebRTC signalling"},
 {"port": "7882", "protocol": "UDP", "description": "LiveKit media (UDP mux)"},
@@ -296,7 +293,7 @@ SERVICE_PORT_REQUIREMENTS: dict[str, list[dict]] = {
 # Infrastructure
 "caddy.service": [],
 # Communication
- "matrix-synapse.service": _PORTS_MATRIX_FEDERATION,
+ "matrix-synapse.service": [],
 "livekit.service": _PORTS_ELEMENT_CALLING,
 # Domain-based apps (80/443 handled by end-to-end domain reachability checks)
 "btcpayserver.service": [],
@@ -2983,28 +2980,16 @@ async def api_service_detail(unit: str, icon: str | None = None):
 "status": ps,
 "description": p.get("description", ""),
 })
- extra_ports = port_statuses if unit in ("matrix-synapse.service", "livekit.service") else []
+ extra_ports = port_statuses if unit == "livekit.service" else []
 
- if needs_domain and unit in ("matrix-synapse.service", "livekit.service"):
+ if needs_domain and unit == "livekit.service":
 if has_domain_issues:
 domain_check_steps.append({
 "step": 4,
- "label": "Federation Port" if unit == "matrix-synapse.service" else "Additional Ports Required",
+ "label": "Additional Ports Required",
 "status": "skipped",
 "detail": "Skipped until Steps 1-3 are complete",
 })
- elif unit == "matrix-synapse.service":
- if extra_ports:
- matrix_open = extra_ports[0]["status"] != "closed"
- domain_check_steps.append({
- "step": 4,
- "label": "Federation Port",
- "status": "ok" if matrix_open else "error",
- "detail": (
- f"Matrix federation port 8448 (TCP) is {'open' if matrix_open else 'closed'}.\n"
- f"Matrix federation requires port 8448 (TCP) forwarded to {internal_ip}"
- ),
- })
 else:
 extra_open = all(p["status"] != "closed" for p in extra_ports)
 domain_check_steps.append({
diff --git a/app/sovran_systemsos_web/static/onboarding.js b/app/sovran_systemsos_web/static/onboarding.js
index 2b0138e..30dd1b8 100644
--- a/app/sovran_systemsos_web/static/onboarding.js
+++ b/app/sovran_systemsos_web/static/onboarding.js
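Review bot: With the `elif unit == "matrix-synapse.service"` branch gone, api_service_detail reports nothing at all about Matrix federation reachability, although federation now depends on `https://$MATRIX/.well-known/matrix/server` answering over 443 (the caddy.nix hunk in this patch); a matrix-synapse tile will simply show no Step 4 even when that delegation is broken, which is a regression of the diagnostic the removed block provided. A replacement Step 4 that fetches the well-known path on the configured Matrix domain and confirms the `m.server` value names `$MATRIX:443` would preserve the check, and it is cheap because the context comment says 80/443 are already covered by end-to-end domain reachability checks. The narrowed `extra_ports` expression is consistent with `"matrix-synapse.service": []` in the earlier hunk, so no stale port rows leak through. api_service_detail starts before and ends after this hunk, so the surrounding port-status loop and the values of `needs_domain`/`has_domain_issues` are not visible here.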
@@ -545,14 +545,13 @@ async function loadStep4() { html += '80TCP' + ip + 'HTTP'; html += '443TCP' + ip + 'HTTPS'; html += '22TCP' + ip + 'SSH Remote Access'; - html += '8448TCP' + ip + 'Matrix Federation'; html += ''; html += ''; // Optional ports table html += '
'; html += '
Optional — Only needed if you enable Element Calling:
'; - html += '
These 5 additional port openings are required on top of the 4 required ports above.
'; + html += '
These 5 additional port openings are required on top of the 3 required ports above.
'; html += ''; html += ''; html += ''; @@ -566,8 +565,8 @@ async function loadStep4() { // Totals html += '
'; - html += 'Total port openings: 4 (without Element Calling)
'; - html += 'Total port openings: 9 (with Element Calling — 4 required + 5 optional)'; + html += 'Total port openings: 3 (without Element Calling)
'; + html += 'Total port openings: 8 (with Element Calling — 3 required + 5 optional)'; html += '
'; html += '
' diff --git a/modules/core/caddy.nix b/modules/core/caddy.nix index 4841d07..9ea7bdf 100755 --- a/modules/core/caddy.nix +++ b/modules/core/caddy.nix @@ -94,10 +94,10 @@ EOF $MATRIX { reverse_proxy /_matrix/* http://localhost:8008 reverse_proxy /_synapse/client/* http://localhost:8008 -} - -$MATRIX:8448 { - reverse_proxy http://localhost:8008 + handle /.well-known/matrix/server { + header Content-Type application/json + respond \`{"m.server":"$MATRIX:443"}\` 200 + } } EOF fi diff --git a/modules/element-calling.nix b/modules/element-calling.nix index 7f8674b..4ea502b 100755 --- a/modules/element-calling.nix +++ b/modules/element-calling.nix @@ -68,10 +68,7 @@ $MATRIX { header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\` -} - -$MATRIX:8448 { - reverse_proxy http://localhost:8008 + respond /.well-known/matrix/server \`{"m.server":"$MATRIX:443"}\` } $ELEMENT_CALLING { diff --git a/modules/synapse.nix b/modules/synapse.nix index fab8552..cbda194 100755 --- a/modules/synapse.nix +++ b/modules/synapse.nix @@ -250,9 +250,6 @@ CREDS ''; }; - networking.firewall.allowedTCPPorts = [ 8448 ]; - networking.firewall.allowedUDPPorts = [ 8448 ]; - sovran_systemsOS.domainRequirements = [ { name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; } ];
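Review bot: The explicit `:443` in `respond \`{"m.server":"$MATRIX:443"}\`` is the load-bearing part of the caddy.nix change and nothing in the hunk says why: a `m.server` value with no port makes remote homeservers fall back to SRV lookup and then to port 8448, which this same patch closes in the firewall (modules/synapse.nix hunk), so dropping the port would silently break federation. A Caddyfile comment above the new `handle /.well-known/matrix/server` block, e.g. `# Port must be explicit: without it peers default to 8448, which is no longer opened by synapse.nix`, would protect the value from a later "cleanup". The same comment belongs next to the `respond /.well-known/matrix/server` line added in modules/element-calling.nix, which carries the identical value. The enclosing `$MATRIX { ... }` site block and the heredoc it lives in begin outside the hunk.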
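Review bot: The new `respond /.well-known/matrix/server` line in modules/element-calling.nix sets no Content-Type, whereas the caddy.nix hunk in this same patch wraps its response in a `handle` block with `header Content-Type application/json`; the visible `header /.well-known/matrix/*` lines above it only add CORS headers, so unless a line outside the hunk sets it, this response will likely go out with a sniffed text/plain type rather than the JSON type the well-known spec expects. Adding `header /.well-known/matrix/* Content-Type application/json` beside the existing CORS headers keeps the two files consistent and also covers the `/.well-known/matrix/client` response on the line above. Presumably this `$MATRIX` site block replaces the caddy.nix one when Element Calling is enabled; if both could ever be rendered into the same Caddyfile, confirm Caddy does not reject the duplicated site address.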
PortProtocolForward toPurpose