Self-Hosting Matrix: Lessons Learned
Running your own Matrix homeserver sounds straightforward until you actually do it. Here is what I learned deploying Synapse, Element, and MAS on a single VPS.
Why Self-Host?
- Data sovereignty — your messages, your server, your rules
- Custom integrations — bridges, bots, and webhooks without vendor approval
- Learning — nothing teaches networking like debugging federation
The Architecture
The stack runs on a single 8-core, 32GB VPS with two orchestration layers:
| Layer | Purpose |
|---|---|
| Docker Compose | Reverse proxy, auth (Zitadel), email relay |
| K3s | Matrix stack (Synapse, MAS, Element Web) |
Why two layers?
helm upgrade.Element Server Suite (ESS) ships as a Helm chart. Running it in K3s keeps the Matrix stack self-contained and upgradeable via
The Hard Parts
1. TLS Termination Chain
Traffic flows through three layers:
Internet → Cloudflare → Host Traefik (TLS) → K3s Traefik (HTTP) → Pods
Getting the SSL modes right between Cloudflare (Full, not Flexible) and the two Traefik instances took several attempts.
2. Federation DNS
Matrix federation requires .well-known delegation at the server name domain. Since revur.net is both the landing page and the Matrix server name, the well-known paths need careful routing.
3. Authentication
Wiring Zitadel as the upstream OIDC provider for MAS (Matrix Authentication Service) means users get SSO across all services — but the initial setup has many moving parts.
Was It Worth It?
Absolutely. The infrastructure is the product for a privacy-focused community. Every message stays on hardware I control, and I understand every layer of the stack.