new services

CLAUDE.md

@@ -26,6 +26,7 @@ Primary workstation (i9-13900KF, 96GB, RTX 4090) is **standalone — not in the
 | game | 192.168.40.109 | 10.10.10.172 | Proxmox host |
 | pve-postgres | — | 10.10.10.2 | VM on pve, swarm manager |
 | pve-tools | — | 10.10.10.3 | VM on pve, swarm worker |
+| pve-social | — | 10.10.10.4 | VM on pve, swarm worker |
 | adder-ghost | — | 10.10.10.20 | VM on adder, swarm worker |
 
 All VMs on vmbr1 (internal, not directly LAN-reachable). A gateway LXC on pve is dual-homed vmbr0+vmbr1 and handles WireGuard + iptables DNAT.
@@ -35,8 +36,9 @@ All VMs on vmbr1 (internal, not directly LAN-reachable). A gateway LXC on pve is
 ```
 LXC: gateway        256MB  — WireGuard client, iptables DNAT, SSH jump host
 VM: infra            8GB   — NATS/JetStream, n8n
-VM: data            20GB   — PostgreSQL (shared: Ghost, Forgejo, all apps)
-VM: apps             8GB   — Ghost instances, Forgejo
+VM: data            20GB   — PostgreSQL (shared: Ghost, Forgejo, Synapse, all apps)
+VM: apps             8GB   — Ghost instances
+VM: social          24GB   — Forgejo, Synapse (Matrix), Snikket (XMPP); 1TB NVMe, 4 cores
 VM: redis           14GB   — Redis (own VM required — needs vm.overcommit_memory=1 kernel tuning)
 VM: nextcloud        8GB   — Nextcloud AIO (manages its own isolated internal Postgres)
 ```
@@ -91,7 +93,7 @@ Use SSH config aliases (`pve-postgres`, `pve-tools`, `adder-ghost`, `pve`, `adde
 
 ## Planned Services
 
-NATS JetStream (3-replica cluster service), PostgreSQL, Redis, Neo4j, FusionAuth, Authentik, n8n, Nextcloud, Garage (object storage), Ghost, monerod, monero-wallet-rpc, zanod, Peertube, BTCPay, Jitsi, Caddy, WireGuard.
+NATS JetStream (3-replica cluster service), PostgreSQL, Redis, Neo4j, FusionAuth, Authentik, n8n, Nextcloud, Garage (object storage), Ghost, Forgejo, Synapse (Matrix), Snikket (XMPP), monerod, monero-wallet-rpc, zanod, Peertube, BTCPay, Jitsi, Caddy, WireGuard.
 
 ## Key Files
 

proxmox/services/01-init.sql

@@ -16,3 +16,18 @@ GRANT ALL PRIVILEGES ON DATABASE n8n_db TO n8n_user;
 CREATE USER c4trou_user WITH PASSWORD 'mlhWiZcp5I2kXwRmyFEMPjZz6BX6ZjLi';
 CREATE DATABASE c4trou_db OWNER c4trou_user;
 GRANT ALL PRIVILEGES ON DATABASE c4trou_db TO c4trou_user;
+
+-- Forgejo
+CREATE USER forgejo_user WITH PASSWORD 'K]UrEl=//>8>!cJD[3Z/OdVC3AA{m2F(';
+CREATE DATABASE forgejo_db OWNER forgejo_user;
+GRANT ALL PRIVILEGES ON DATABASE forgejo_db TO forgejo_user;
+
+-- Synapse (requires C locale — do not change template or encoding)
+CREATE USER synapse_user WITH PASSWORD 'mWMb1sIkxYG6aHFkvOMcHg96Y6HZtefx';
+CREATE DATABASE synapse_db
+  ENCODING 'UTF8'
+  LC_COLLATE='C'
+  LC_CTYPE='C'
+  template=template0
+  OWNER synapse_user;
+GRANT ALL PRIVILEGES ON DATABASE synapse_db TO synapse_user;

proxmox/services/forgejo.yml

@@ -0,0 +1,47 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c forgejo.yml forgejo
+#
+# Runs on: pve-social
+# Self-hosted Git forge (Gitea fork).
+# Web UI on port 3000. Uses shared PostgreSQL on pve-postgres.
+
+services:
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:9
+    environment:
+      USER_UID: 1000
+      USER_GID: 1000
+      FORGEJO__database__DB_TYPE: postgres
+      FORGEJO__database__HOST: postgres_postgres:5432
+      FORGEJO__database__NAME: forgejo_db
+      FORGEJO__database__USER: forgejo_user
+      FORGEJO__database__PASSWD: ${FORGEJO_DB_PASSWORD}
+      FORGEJO__server__HTTP_PORT: 3000
+    ports:
+      - target: 3000
+        published: 3000
+        protocol: tcp
+        mode: host
+    volumes:
+      - forgejo_data:/data
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-social
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  forgejo_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

proxmox/services/snikket.yml

@@ -0,0 +1,74 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c snikket.yml snikket
+#
+# Runs on: pve-social
+# XMPP server (Prosody-based). TLS terminated externally by Caddy at the hub.
+# Certs must be bind-mounted into the container when ready.
+#
+# Web portal (invites/admin): port 80 — proxied by Caddy
+# XMPP client connections:    port 5222
+# XMPP federation:            port 5269
+# File transfer proxy:        port 5000
+
+services:
+  snikket-web:
+    image: snikket/snikket-server:latest
+    command: web
+    ports:
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+    volumes:
+      - snikket_data:/snikket
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-social
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+  snikket-server:
+    image: snikket/snikket-server:latest
+    command: server
+    ports:
+      - target: 5222
+        published: 5222
+        protocol: tcp
+        mode: host
+      - target: 5269
+        published: 5269
+        protocol: tcp
+        mode: host
+      - target: 5000
+        published: 5000
+        protocol: tcp
+        mode: host
+    volumes:
+      - snikket_data:/snikket
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-social
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  snikket_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

proxmox/services/synapse.yml

@@ -0,0 +1,52 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c synapse.yml synapse
+#
+# Runs on: pve-social
+# Matrix homeserver. Client/federation API on port 8008.
+#
+# First deploy generates /data/homeserver.yaml automatically.
+# After first boot, update homeserver.yaml on pve-social to add PostgreSQL:
+#   database:
+#     name: psycopg2
+#     args:
+#       user: synapse_user
+#       password: <from pass homelab/SYNAPSE_DB_PASSWORD>
+#       database: synapse_db
+#       host: postgres_postgres
+#       cp_min: 5
+#       cp_max: 10
+
+services:
+  synapse:
+    image: matrixdotorg/synapse:latest
+    environment:
+      SYNAPSE_SERVER_NAME: pve-social
+      SYNAPSE_REPORT_STATS: "no"
+    ports:
+      - target: 8008
+        published: 8008
+        protocol: tcp
+        mode: host
+    volumes:
+      - synapse_data:/data
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-social
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  synapse_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}