feat(matrix): 4 synapse quick wins applied + 6 follow-up issues

Server-side homeserver.yaml on organic-machine VPS:
- encryption_enabled_by_default_for_room_type: invite -> all
- presence.enabled: false (block EDU metadata leak)
- url_preview_enabled: false (block SSRF + IP leak)
- msc4108 rendezvous endpoint uncommented (QR login)

Synapse restarted, /versions shows e2ee_forced.* + msc4108 unstable
features active. Backup at synapse_data/homeserver.yaml.bak.1779659423.

Issues opened for remaining gaps:
- 0165 LUKS for media_store (at-rest encryption)
- 0166 LiveKit TURN deploy (NAT traversal gap)
- 0167 STUN leak to Google (hardcode external_ip)
- 0168 UDP range expand 200 -> 500
- 0169 LIVEKIT_SECRET rotation (audit exposure)
- 0170 livekit.example.yaml rename hygiene

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

dev/issues/0165-matrix-media-store-luks.md

@@ -0,0 +1,65 @@
+---
+id: "0165"
+title: "Cifrar media_store/ Synapse con LUKS at-rest"
+status: pendiente
+type: infra
+domain:
+  - matrix
+scope: app:element_matrix_chat
+priority: media
+depends: []
+blocks: []
+related: ["0162"]
+created: 2026-05-24
+updated: 2026-05-24
+tags: [matrix, synapse, encryption, security, luks]
+---
+# 0165 — Cifrar media_store/ Synapse con LUKS at-rest
+
+**Status:** pendiente
+**Created:** 2026-05-24
+**Type:** infra
+**Priority:** media
+**Domain:** matrix
+**Scope:** app:element_matrix_chat
+**Depends:** —
+**Blocks:** —
+
+## Problema
+
+`synapse_data/media_store/` contiene archivos subidos (fotos, voice messages, attachments) + thumbnails. Rooms NO-E2EE: media cleartext en disco. Tabla `media_repository` Postgres: filename/mime/uploader/room_id siempre cleartext. Riesgo: VPS provider snapshot disk, backups desencriptados, disco fisico.
+
+## Objetivo
+
+`media_store/` cifrado at-rest. Synapse arranca y sirve media normal. Decrypt automatico via keyfile en TPM o passphrase al boot.
+
+## Plan
+
+1. Decidir estrategia: LUKS container file-based (loop device) vs LUKS sobre volumen Docker dedicado.
+2. Crear LUKS container 50GB (ajustar segun crecimiento previsto).
+3. Montar como `/home/ubuntu/CodeProyects/element_matrix_chat/synapse_data/media_store_encrypted/`.
+4. Stop Synapse → rsync `media_store/` → `media_store_encrypted/` → swap mountpoint.
+5. Verificar Synapse sirve thumbnails + uploads OK.
+6. Configurar auto-unlock via keyfile en `/root/.luks-media.key` con permisos 0400.
+7. Documentar recovery passphrase en `pass` (entry `matrix/luks-media-passphrase`).
+
+## Acceptance
+
+- [ ] `media_store/` montado sobre LUKS, `lsblk -f` muestra crypto_LUKS.
+- [ ] Synapse arranca tras reboot completo del VPS sin intervencion manual.
+- [ ] Test: subir imagen via Element, verificar thumb generado.
+- [ ] Test: leer media_store via `dd if=/dev/sdX` directo retorna basura cifrada.
+- [ ] Passphrase backed up en `pass`.
+
+## Definition of Done
+
+- [ ] Repetibilidad: reboot VPS, media accesible sin intervencion.
+- [ ] Observabilidad: log entry en `journalctl -u systemd-cryptsetup@*`.
+- [ ] User-facing: clientes Element no notan diferencia.
+- [ ] Recovery probado: detach LUKS y reattach con passphrase.
+
+## Notas
+
+LUKS solo protege at-rest. VPS provider con acceso a RAM viva ve plaintext via memory dump. Sin TPM atestado, utilidad real = anti-snapshot/anti-backup-leak/anti-physical-theft.
+
+Caveat: si keyfile vive en mismo disco que LUKS device, no protege contra disk theft. Mover keyfile a USB removible o TPM2 (`systemd-cryptenroll`).