Initial commit: beacon-synapse v1.147.1

Production Matrix homeserver image for Tezos Beacon relay nodes.

- Ed25519 crypto auth provider (derived from Papers/AirGap beacon-node)
- Beacon monitor module (logfmt observability for room events, membership, logins)
- Beacon info module (region and known servers endpoint)
- Worker support (4 generic workers with metrics)
- envsubst-based config templating
- CI workflow for GHCR publishing on tagged releases

Author: jevonearth

.github/workflows/docker-publish.yml

@@ -0,0 +1,61 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          annotations: |
+            org.opencontainers.image.description=Synapse homeserver with Ed25519 Beacon auth for Tezos dApp/wallet relay
+          # Tag scheme: push v1.147.1-ecad.1 -> ghcr tags: v1.147.1-ecad.1, latest
+          tags: |
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ startsWith(github.ref, 'refs/tags/v') }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -0,0 +1,4 @@
+__pycache__/
+*.pyc
+.env
+.claude/settings.local.json

Dockerfile

@@ -0,0 +1,44 @@
+FROM ghcr.io/element-hq/synapse:v1.147.1
+LABEL maintainer="ECAD Infra <ops@ecadinfra.com>"
+LABEL org.opencontainers.image.description="Synapse homeserver with Ed25519 Beacon auth for Tezos dApp/wallet relay"
+LABEL org.opencontainers.image.source="https://github.com/ECADInfra/beacon-synapse"
+LABEL org.opencontainers.image.licenses="AGPL-3.0-only"
+
+# Install dependencies for crypto auth provider
+RUN apt-get update && apt-get install -y libsodium-dev gcc netcat-openbsd gettext-base && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install Python packages
+RUN pip install --no-cache-dir psycopg2 pysodium
+
+# Create keys and data directories
+RUN mkdir -p /keys /data
+
+# Copy custom modules (using Python 3.13 path for Element HQ image)
+COPY crypto_auth_provider.py /usr/local/lib/python3.13/site-packages/
+COPY beacon_info_module.py /usr/local/lib/python3.13/site-packages/
+COPY beacon_monitor_module.py /usr/local/lib/python3.13/site-packages/
+
+# Copy configuration templates (envsubst at runtime) and static configs
+COPY homeserver.yaml /config/homeserver.yaml.template
+COPY synapse.log.config /config/
+COPY shared_config.yaml /config/shared_config.yaml.template
+
+# Copy worker configuration templates
+COPY workers /config/workers.template
+
+# Increase max event size (1MB instead of default 64KB).
+# Beacon messages can exceed the default Matrix PDU size limit.
+RUN sed -i 's/65536/1048576/' /usr/local/lib/python3.13/site-packages/synapse/api/constants.py && \
+    grep -q '1048576' /usr/local/lib/python3.13/site-packages/synapse/api/constants.py || \
+    (echo "FATAL: PDU size patch failed - 65536 not found in constants.py. Upstream may have changed." >&2 && exit 1)
+
+COPY wait-for.sh /usr/local/bin/
+COPY synctl_entrypoint.sh /usr/local/bin/
+
+# Expose ports:
+#   8008: HTTP (client and federation)
+#   19090: Metrics for main process (when SYNAPSE_ENABLE_METRICS=1)
+#   19091-19094: Metrics for workers 1-4 (when SYNAPSE_ENABLE_METRICS=1 and SYNAPSE_WORKERS=true)
+EXPOSE 8008 19090 19091 19092 19093 19094
+
+ENTRYPOINT ["/usr/local/bin/synctl_entrypoint.sh"]