Start9Labs
diff --git a/‎.github/workflows/releaseService.yml‎
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/releaseService.yml‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 15 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 293 additions & 7 deletions b/‎README.md‎
Lines changed: 293 additions & 7 deletions
@@ -10,8 +10,11 @@ jobs:
     uses: start9labs/shared-workflows/.github/workflows/releaseService.yml@master
     with:
       # FREE_DISK_SPACE: true
-      REGISTRY: ${{ vars.REGISTRY }} # Optional. Defaults to https://alpha-registry-x.start9.com
+      REGISTRY: ${{ vars.REGISTRY }}
+      S3_S9PKS_BASE_URL: ${{ vars.S3_S9PKS_BASE_URL }}
     secrets:
-      DEV_KEY: ${{ secrets.DEV_KEY }} # Required
+      DEV_KEY: ${{ secrets.DEV_KEY }}
+      S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
+      S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
     permissions:
       contents: write
@@ -0,0 +1,15 @@
+# Contributing
+
+## Building and Development
+
+See the [StartOS Packaging Guide](https://docs.start9.com/packaging-guide/) for complete environment setup and build instructions.
+
+### Quick Start
+
+```bash
+# Install dependencies
+npm ci
+
+# Build universal package
+make
+```
@@ -1,15 +1,301 @@
 <p align="center">
-  <img src="icon.png" alt="Project Logo" width="21%">
+  <img src="icon.png" alt="Synapse Logo" width="21%">
 </p>
 
-## Building from source
+# Synapse on StartOS
 
-1. Set up your [environment](https://docs.start9.com/packaging-guide/environment-setup.html).
+> **Upstream docs:** <https://element-hq.github.io/synapse/>
+>
+> Everything not listed in this document should behave the same as upstream
+> Synapse v1.144.0. If a feature, setting, or behavior is not mentioned
+> here, the upstream documentation is accurate and fully applicable.
 
-1. Clone this repository and `cd` into it.
+[Synapse](https://github.com/element-hq/synapse) is the battle-tested, reference implementation of the [Matrix](https://matrix.org/) protocol -- a next-generation, federated, full-featured, encrypted, independent messaging system.
 
-1. run `make`.
+---
 
-1. The resulting `.s9pk` can be side loaded into StartOS.
+## Table of Contents
 
-For a complete list of build options, see the [docs](https://docs.start9.com/packaging-guide/building.html)
+- [Image and Container Runtime](#image-and-container-runtime)
+- [Volume and Data Layout](#volume-and-data-layout)
+- [Installation and First-Run Flow](#installation-and-first-run-flow)
+- [Configuration Management](#configuration-management)
+- [Network Access and Interfaces](#network-access-and-interfaces)
+- [Actions (StartOS UI)](#actions-startos-ui)
+- [Dependencies](#dependencies)
+- [Backups and Restore](#backups-and-restore)
+- [Health Checks](#health-checks)
+- [Limitations and Differences](#limitations-and-differences)
+- [What Is Unchanged from Upstream](#what-is-unchanged-from-upstream)
+- [Contributing](#contributing)
+- [Quick Reference for AI Consumers](#quick-reference-for-ai-consumers)
+
+---
+
+## Image and Container Runtime
+
+| Property | Value |
+|----------|-------|
+| Synapse image | Custom `dockerBuild` from upstream source (workdir `./synapse`) |
+| Nginx image | `nginx:stable-alpine` (upstream unmodified) |
+| SQLite3 image | Custom `dockerBuild` (for admin password operations) |
+| Architectures | x86_64, aarch64 |
+
+Synapse runs behind an Nginx reverse proxy. Nginx handles client requests on port 80, proxies Matrix API traffic to Synapse on port 8008, and serves the [Synapse Admin](https://github.com/etkecc/synapse-admin) dashboard on port 8080.
+
+---
+
+## Volume and Data Layout
+
+| Volume | Mount Point | Purpose |
+|--------|-------------|---------|
+| `main` | `/data` | All Synapse data (config, database, media, keys, appservices) |
+
+**Key files on the `main` volume:**
+
+- `homeserver.yaml` -- primary Synapse configuration (managed by StartOS)
+- `homeserver.db` -- SQLite database
+- `homeserver.signing.key` -- server signing key (auto-generated by Synapse)
+- `homeserver.log.config` -- logging configuration
+- `media_store/` -- uploaded media files
+- `store.json` -- StartOS metadata (admin state, SMTP config)
+- `appservices/*.yaml` -- registered bridge/appservice configurations
+
+---
+
+## Installation and First-Run Flow
+
+| Step | Upstream | StartOS |
+|------|----------|---------|
+| Generate config | `python -m synapse.app.homeserver --generate-config` | Automatic via `preInstall` |
+| Set server name | Edit `homeserver.yaml` | "Set Server Address/URL" action (critical task) |
+| Create admin user | `register_new_matrix_user` CLI | "Create Admin User" action (optional task) |
+
+**Key difference:** On first install, StartOS generates the initial Synapse config automatically. You must run the "Set Server Address/URL" action (created as a critical task) to choose your permanent domain before starting. The "Create Admin User" action is created as an optional task.
+
+**Warning:** The server address/URL is permanent and cannot be changed after the first start.
+
+---
+
+## Configuration Management
+
+| Setting | Upstream Method | StartOS Method |
+|---------|-----------------|----------------|
+| `server_name` | `homeserver.yaml` | "Set Server Address/URL" action (one-time) |
+| `enable_registration` | `homeserver.yaml` | "Config" action |
+| Federation | `homeserver.yaml` listeners | "Config" action (enable/disable + domain whitelist) |
+| `max_upload_size` | `homeserver.yaml` | "Config" action (1-2000 MB) |
+| SMTP/email | `homeserver.yaml` | "Config" action (disabled/system/custom) |
+| Admin password | `register_new_matrix_user` | "Reset Admin Password" action |
+| Appservices | Manual YAML files | Register/List/Delete Appservice actions |
+
+**Configuration NOT exposed on StartOS:**
+
+- `log_config` -- fixed logging configuration
+- `database` -- always SQLite3 at `/data/homeserver.db`
+- `trusted_key_servers` -- defaults to `matrix.org`
+- `report_stats` -- always disabled
+- Listener bind addresses and ports
+
+---
+
+## Network Access and Interfaces
+
+| Interface | Port | Protocol | Type | Purpose |
+|-----------|------|----------|------|---------|
+| Homeserver | 80 (nginx) | HTTP | API | Matrix client and federation API |
+| Admin Dashboard | 8080 (nginx) | HTTP | UI | Synapse Admin web interface |
+
+Internally, Synapse listens on port 8008. Nginx proxies traffic from port 80, handles `.well-known/matrix/server` responses, and enforces `max_upload_size` on Matrix API routes.
+
+**Access methods (StartOS 0.4.0):**
+
+- LAN IP with unique port
+- `<hostname>.local` with unique port
+- Tor `.onion` address
+- Custom domains (if configured)
+
+---
+
+## Actions (StartOS UI)
+
+### Set Server Address/URL
+
+| Property | Value |
+|----------|-------|
+| ID | `set-server-name` |
+| Visibility | Hidden after first start |
+| Availability | Only when stopped |
+| Purpose | Choose permanent server domain (clearnet or Tor) |
+
+Presents available hostnames from the homeserver interface. Sets `server_name` and `public_baseurl` in `homeserver.yaml`. **Cannot be changed after first start.**
+
+### Create Admin User / Reset Admin Password
+
+| Property | Value |
+|----------|-------|
+| ID | `reset-admin` |
+| Visibility | Enabled |
+| Availability | Only when running (create) / Only when stopped (reset) |
+| Purpose | Create or reset the admin account |
+
+Generates a random 22-character password. On first use, creates the admin user via `register_new_matrix_user`. On subsequent uses, updates the password hash directly in SQLite.
+
+### Config
+
+| Property | Value |
+|----------|-------|
+| ID | `config` |
+| Visibility | Enabled |
+| Availability | Any status |
+| Purpose | Configure registration, federation, upload limits, SMTP |
+
+**Settings:**
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| Registration | Disabled | Allow public account creation |
+| Federation | Disabled | Enable/disable with optional domain whitelist |
+| Max Upload Size | 50 MB | File upload limit (1-2000 MB) |
+| SMTP | Disabled | Email notifications (disabled/system/custom) |
+
+### Register Appservice
+
+| Property | Value |
+|----------|-------|
+| ID | `register-appservice` |
+| Visibility | Enabled |
+| Availability | Any status |
+| Purpose | Register a Matrix bridge with the homeserver |
+
+Accepts appservice credentials (ID, tokens, URL, namespace regex) and writes the registration YAML. Typically triggered automatically by bridge services via the exported `ensureAppserviceRegistration` API.
+
+### List Appservices
+
+| Property | Value |
+|----------|-------|
+| ID | `list-appservices` |
+| Visibility | Enabled |
+| Availability | Any status |
+| Purpose | View all registered bridges |
+
+### Delete Appservice
+
+| Property | Value |
+|----------|-------|
+| ID | `delete-appservice` |
+| Visibility | Enabled |
+| Availability | Any status |
+| Purpose | Remove a registered bridge |
+
+### Create Bot User
+
+| Property | Value |
+|----------|-------|
+| ID | `create-bot-user` |
+| Visibility | Hidden |
+| Availability | Only when running |
+| Purpose | Create non-admin bot accounts for bridge services |
+
+---
+
+## Dependencies
+
+None. Synapse is a standalone application.
+
+---
+
+## Backups and Restore
+
+**Included in backup:**
+
+- `main` volume -- all Synapse data (config, database, media, keys, appservice registrations)
+
+**Restore behavior:**
+
+- All data, users, rooms, and settings are restored
+- Server name, keys, and admin credentials remain the same
+
+---
+
+## Health Checks
+
+| Check | Method | Grace Period | Display |
+|-------|--------|--------------|---------|
+| Homeserver | HTTP GET `http://localhost:8008/health` | 15 seconds | "Homeserver" |
+| Nginx | Port listening on 80 | Default | Hidden |
+| Admin Dashboard | HTTP GET `http://localhost:8080` | Default | "Admin Dashboard" |
+
+---
+
+## Limitations and Differences
+
+1. **Server name is permanent** -- once set and started, the server address/URL cannot be changed
+2. **SQLite only** -- does not support PostgreSQL (upstream default for large deployments)
+3. **Admin username fixed** -- always `admin`; only password can be changed
+4. **No workers** -- runs as a single monolith process (no worker-based scaling)
+5. **Fixed logging** -- log configuration is not user-configurable (INFO level, 100 MB rotation)
+6. **No direct `homeserver.yaml` editing** -- configuration is managed through StartOS actions
+7. **Tor federation limitations** -- `.onion` servers can only federate with other `.onion` servers
+
+---
+
+## What Is Unchanged from Upstream
+
+- Full Matrix protocol compliance (client-server and server-server APIs)
+- End-to-end encryption support
+- Federation (when enabled)
+- Room creation, membership, and permissions
+- Media uploads and downloads
+- Push notifications
+- Account data and device management
+- Presence and typing indicators
+- All Matrix client compatibility (Element, FluffyChat, etc.)
+
+---
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for build instructions and development workflow.
+
+---
+
+## Quick Reference for AI Consumers
+
+```yaml
+package_id: synapse
+upstream_version: 1.144.0
+images:
+  synapse: dockerBuild (./synapse/Dockerfile)
+  nginx: nginx:stable-alpine
+  sqlite3: dockerBuild (./Dockerfile-sqlite)
+architectures: [x86_64, aarch64]
+volumes:
+  main: /data
+ports:
+  homeserver: 80 (nginx proxy to synapse:8008)
+  admin: 8080 (synapse-admin dashboard)
+dependencies: none
+startos_managed_config:
+  - server_name (one-time, permanent)
+  - enable_registration
+  - federation (listeners + domain whitelist)
+  - max_upload_size
+  - smtp
+actions:
+  - set-server-name (enabled/hidden, only-stopped)
+  - reset-admin (enabled, only-running/only-stopped)
+  - config (enabled, any)
+  - register-appservice (enabled, any)
+  - list-appservices (enabled, any)
+  - delete-appservice (enabled, any)
+  - create-bot-user (hidden, only-running)
+health_checks:
+  - http_get: /health (port 8008, 15s grace)
+  - port_listening: 80
+  - http_get: / (port 8080)
+backup_volumes:
+  - main
+public_api:
+  - ensureAppserviceRegistration (for bridge services)
+```