feat(livekit): expose TURN ports UDP 3478 + TCP 5349 (issue 0166)

Integrated LiveKit TURN enabled. Wildcard cert *.organic-machine.com
extracted from Traefik acme.json into configs/livekit/certs/ (gitignored).
livekit.yaml updated with turn.enabled=true, domain=turn-matrix-rtc-320bd4,
udp_port=3478 (NOT 443 — taken by Traefik HTTP/3), tls_port=5349.
external_tls=false (LiveKit terminates TLS directly with mounted cert).
UFW opened 3478/udp + 5349/tcp.

.gitignore

@@ -35,6 +35,11 @@ certs/
 # Configuraciones sensibles generadas en tiempo de despliegue
 configs/livekit/livekit.yaml
 configs/well-known/matrix-client.json
+mas/config.yaml
+mas/secrets/*
+!mas/secrets/.gitkeep
+mas/keys/*
+!mas/keys/.gitkeep
 
 # Archivos de media de Matrix (pueden ser muy grandes)
 */media_store/
@@ -42,3 +47,7 @@ configs/well-known/matrix-client.json
 
 # Archivos de estado de Docker
 .dockerignore
+
+element-call
+
+*.bak.*

README.md

@@ -2,6 +2,8 @@
 
 Configuración completa de servidor Matrix con Element Web y panel de administración usando Docker Compose.
 
+> **CI/CD**: push a Gitea → webhook → deploy_server → `docker compose pull` + `up -d`.
+
 ## 🚀 Servicios incluidos
 
 - **Matrix Synapse**: Servidor Matrix (puerto 8008)

configs/livekit/livekit.example.yaml

@@ -5,13 +5,16 @@ port: 7880
 bind_addresses:
   - "0.0.0.0"
 log_level: info
-region: "us-east-1"
+region: "REGION_PLACEHOLDER"
 
 rtc:
   tcp_port: 7881
   port_range_start: 50000
-  port_range_end: 50200
-  use_external_ip: true
+  port_range_end: 50500
+  # Set use_external_ip to false and hardcode node_ip to your public IPv4 to
+  # prevent LiveKit from probing Google STUN at startup.
+  use_external_ip: false
+  node_ip: "PUBLIC_IPV4_PLACEHOLDER"
   force_tcp: false
 
 # Optional TURN forwarding. Enable only if you already operate a TURN server.

configs/nginx/matrix-rtc-proxy.conf

@@ -1,6 +1,14 @@
 server {
     listen 80;
-    server_name matrix-rtc.localhost;
+    server_name _;
+
+    add_header Access-Control-Allow-Origin * always;
+    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always;
+
+    if ($request_method = OPTIONS) {
+        return 204;
+    }
 
     # MatrixRTC Authorization Service (lk-jwt-service)
     location ^~ /livekit/jwt/ {
@@ -8,6 +16,9 @@ server {
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        add_header Access-Control-Allow-Origin * always;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always;
 
         proxy_pass http://livekit-jwt:6080/;
     }
@@ -21,6 +32,9 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
         proxy_set_header Accept-Encoding gzip;
+        add_header Access-Control-Allow-Origin * always;
+        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always;
 
         proxy_send_timeout 120;
         proxy_read_timeout 120;

configs/nginx/well-known.conf

@@ -0,0 +1,55 @@
+server {
+    listen 80;
+    server_name _;
+
+    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always;
+
+    if ($request_method = OPTIONS) {
+        return 204;
+    }
+
+    # Serve Matrix well-known documents
+    location /.well-known/matrix/client {
+        default_type application/json;
+        alias /var/www/well-known/matrix-client.json;
+        add_header Access-Control-Allow-Origin * always;
+        try_files $uri =404;
+    }
+
+    location /.well-known/matrix/server {
+        default_type application/json;
+        alias /var/www/well-known/matrix-server.json;
+        add_header Access-Control-Allow-Origin * always;
+        try_files $uri =404;
+    }
+
+    # MatrixRTC Authorization Service (lk-jwt-service)
+    location ^~ /livekit/jwt/ {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://livekit-jwt:8080/;
+    }
+
+    # LiveKit SFU Websocket (signalling)
+    location ^~ /livekit/sfu/ {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Accept-Encoding gzip;
+        proxy_http_version 1.1;
+        proxy_send_timeout 120;
+        proxy_read_timeout 120;
+        proxy_buffering off;
+        proxy_pass http://livekit:7880/;
+    }
+
+    location / {
+        return 404;
+    }
+}

configs/well-known/matrix-server.json

@@ -0,0 +1,3 @@
+{
+  "m.server": "matrix-af2f3d.organic-machine.com:443"
+}

docker-compose.livekit.yml

@@ -5,17 +5,23 @@ services:
     command: --config /etc/livekit/livekit.yaml
     volumes:
       - ./configs/livekit/livekit.yaml:/etc/livekit/livekit.yaml:ro
+      - ./configs/livekit/certs:/etc/livekit/certs:ro
     ports:
       - "${LIVEKIT_HTTP_PORT:-7880}:7880/tcp"
       - "${LIVEKIT_TCP_PORT:-7881}:7881/tcp"
       - "${LIVEKIT_HEALTH_PORT:-7882}:7882/tcp"
       - "${LIVEKIT_UDP_PORT_RANGE_START:-50000}-${LIVEKIT_UDP_PORT_RANGE_END:-50200}:${LIVEKIT_UDP_PORT_RANGE_START:-50000}-${LIVEKIT_UDP_PORT_RANGE_END:-50200}/udp"
+      # TURN ports (issue 0166)
+      - "${LIVEKIT_TURN_UDP_PORT:-3478}:3478/udp"
+      - "${LIVEKIT_TURN_TLS_PORT:-5349}:5349/tcp"
     networks:
       default:
-        ipv4_address: 10.10.10.6
+        ipv4_address: 10.10.10.10
+    extra_hosts:
+      - "matrix-rtc-320bd4.organic-machine.com:10.10.10.6"
 
   livekit-jwt:
-    image: ghcr.io/element-hq/lk-jwt-service:latest-ci
+    image: ghcr.io/element-hq/lk-jwt-service:latest
     restart: unless-stopped
     environment:
       LIVEKIT_JWT_BIND: ${LIVEKIT_JWT_BIND:-:6080}
@@ -26,21 +32,10 @@ services:
       LIVEKIT_INSECURE_SKIP_VERIFY_TLS: ${LIVEKIT_INSECURE_SKIP_VERIFY_TLS:-false}
     networks:
       default:
-        ipv4_address: 10.10.10.7
-
-  matrix-rtc-proxy:
-    image: nginx:alpine
-    restart: unless-stopped
-    depends_on:
-      - livekit
-      - livekit-jwt
-    volumes:
-      - ./configs/nginx/matrix-rtc-proxy.conf:/etc/nginx/conf.d/default.conf:ro
-    ports:
-      - "${LIVEKIT_JWT_PORT:-6080}:80"
-    networks:
-      default:
-        ipv4_address: 10.10.10.9
+        ipv4_address: 10.10.10.11
+    extra_hosts:
+      - "matrix-af2f3d.organic-machine.com:10.10.10.6"
+      - "matrix-rtc-320bd4.organic-machine.com:10.10.10.6"
 
 networks:
   default:

docker-compose.yml

@@ -14,6 +14,19 @@ services:
     ports:
       - "5432:5432"
 
+  mas-postgres:
+    image: postgres:16
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: 10.10.10.14
+    volumes:
+      - mas_postgres_data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=mas
+      - POSTGRES_USER=mas_user
+      - POSTGRES_PASSWORD=mas_password
+
   element:
     image: vectorim/element-web:latest
     restart: unless-stopped
@@ -40,21 +53,62 @@ services:
       - UID=1000
       - GID=1000
 
-  synapse-admin:
-    image: awesometechnologies/synapse-admin:latest
+  # synapse-admin removed 2026-05-24 — replaced by custom admin panel (issue 0163)
+  # synapse-admin:
+  # image: awesometechnologies/synapse-admin:latest
+  # restart: unless-stopped
+  # networks:
+  # default:
+  # ipv4_address: 10.10.10.5
+  # ports:
+  # - "8082:80"
+  # depends_on:
+  # - synapse
+
+  mas:
+    image: ghcr.io/element-hq/matrix-authentication-service:latest
+    restart: unless-stopped
+    depends_on:
+      - mas-postgres
+      - synapse
+    networks:
+      default:
+        ipv4_address: 10.10.10.15
+    volumes:
+      - ./mas/config.yaml:/etc/mas/config.yaml:ro
+      - ./mas/secrets:/run/mas/secrets:ro
+      - ./mas/keys:/run/mas/keys:ro
+    environment:
+      - MAS_CONFIG=/etc/mas/config.yaml
+    command: ["server", "--config", "/etc/mas/config.yaml"]
+    ports:
+      - "8083:8080"
+
+  wellknown:
+    image: nginx:alpine
     restart: unless-stopped
     networks:
       default:
-        ipv4_address: 10.10.10.5
-    ports:
-      - "8082:80"
-    depends_on:
-      - synapse
+        ipv4_address: 10.10.10.12
+    volumes:
+      - ./configs/well-known:/var/www/well-known:ro
+      - ./configs/nginx/well-known.conf:/etc/nginx/conf.d/default.conf:ro
+
+  element-call-web:
+    image: nginx:alpine
+    restart: unless-stopped
+    networks:
+      default:
+        ipv4_address: 10.10.10.13
+    volumes:
+      - ./element-call/dist:/usr/share/nginx/html:ro
 
 volumes:
   matrix_postgres_data:
     external: true
     name: matrix_postgres_data
+  mas_postgres_data:
+    driver: local
 
 networks:
   default:

docs/livekit-deployment.md

@@ -0,0 +1,52 @@
+# Element Call + LiveKit Deployment Notes
+
+Resumen rápido de los pasos que seguimos para que Element Web use LiveKit como backend:
+
+1. **Synapse listo para MatrixRTC**
+   - Listener HTTP con `resources: [client, federation, openid]`.
+   - Flags `experimental_features` (MSC3266/4222/4354), `max_event_delay_duration`, `rc_message` y `rc_delayed_event_mgmt` activados.
+   - Reinicio de `synapse` tras editar `synapse_data/homeserver.yaml`.
+
+2. **Stack base en Docker**
+   - `docker-compose.yml` levanta Synapse, Element Web, Synapse Admin y el proxy `wellknown` (Nginx).
+   - El proxy sirve `/.well-known/...` y ahora también enruta `/livekit/jwt` y `/livekit/sfu`.
+
+3. **Servicios LiveKit**
+   - `docker-compose.livekit.yml` inicia `livekit` y `livekit-jwt`.
+   - `configs/livekit/livekit.yaml` define puertos, región y las claves `LIVEKIT_API_KEY/SECRET`.
+   - `extra_hosts` para que `livekit` y `livekit-jwt` resuelvan `matrix-af2f3d...` y `matrix-rtc-320bd4...` al Traefik interno (`10.10.10.6`).
+
+4. **Traefik / Coolify**
+   - Routers para:
+     - `element-a05ae4...` → contenedor Element Web.
+     - `matrix-af2f3d...` → Synapse + `/.well-known`.
+     - `matrix-rtc-320bd4...` → Nginx (`wellknown`) que reenvía a `livekit-jwt` y `livekit`.
+     - `call-681f3d...` → frontend Element Call (`element-call-web`).
+   - Middleware de redirección HTTPS y CORS (solo se permite `https://element-a05ae4...`).
+
+5. **Element Call frontend**
+   - En `element-call/`: configuramos `config/config.organic-machine.json`, copiamos a `public/config.json` y ejecutamos `yarn install`, `yarn build`.
+   - El servicio `element-call-web` (Nginx) sirve `element-call/dist` y se expone como `https://call-681f3d.organic-machine.com`.
+
+6. **Element Web**
+   - `element-config.json` habilita los labs (`feature_group_calls`, `feature_element_call_video_rooms`, etc.) y define `element_call.url` → `https://call-681f3d...`.
+   - Reiniciamos el contenedor para que sirviera el nuevo `config.json`.
+
+7. **CORS y salud**
+   - Nginx responde 204 a los preflight y añade las cabeceras `Access-Control-Allow-*`.
+   - Traefik refuerza CORS para que solo el origen de Element Web pueda usar `/livekit/jwt` y `/livekit/sfu`.
+   - `livekit-jwt` valida tokens OpenID contra Synapse y crea salas vía Twirp en LiveKit.
+
+8. **Dominios implicados**
+   - `matrix-af2f3d.organic-machine.com` – Synapse y `.well-known`.
+   - `element-a05ae4.organic-machine.com` – Element Web.
+   - `admin-0cc4d3.organic-machine.com` – Synapse Admin.
+   - `call-681f3d.organic-machine.com` – Element Call frontend.
+   - `matrix-rtc-320bd4.organic-machine.com` – LiveKit JWT + SFU.
+
+9. **Diagnóstico rápido**
+   - `sudo docker compose -f docker-compose.livekit.yml logs -f livekit-jwt livekit` – tokens y salas.
+   - `sudo docker compose logs synapse | grep openid` – emisión de OpenID.
+   - DevTools → Network → `livekit/jwt/sfu/get` – debe responder 200 con CORS correcto.
+
+Con todo esto, Element Web usa Element Call (widget) y LiveKit como backend SFU.

element-config.json

@@ -15,12 +15,17 @@
     "feature_custom_tags": true,
     "feature_state_counters": true,
     "feature_user_directory": true,
-    "feature_explore_rooms": true
+    "feature_explore_rooms": true,
+    "feature_group_calls": true,
+    "feature_video_rooms": true,
+    "feature_element_call_video_rooms": true
   },
   "default_federate": false,
   "default_theme": "light",
   "room_directory": {
-    "servers": ["matrix-af2f3d.organic-machine.com"]
+    "servers": [
+      "matrix-af2f3d.organic-machine.com"
+    ]
   },
   "enable_presence_by_hs_url": {
     "https://matrix-af2f3d.organic-machine.com": true
@@ -32,9 +37,22 @@
   "brand_image_url": "",
   "welcomeUserId": "@welcome-bot:matrix-af2f3d.organic-machine.com",
   "roomDirectory": {
-    "servers": ["matrix-af2f3d.organic-machine.com"],
+    "servers": [
+      "matrix-af2f3d.organic-machine.com"
+    ],
     "include_all_known_servers": false
   },
   "permalink_prefix": "https://element-a05ae4.organic-machine.com",
-  "bug_report_endpoint_url": ""
+  "bug_report_endpoint_url": "",
+  "setting_defaults": {
+    "feature_group_calls": true,
+    "feature_video_rooms": true,
+    "feature_element_call_video_rooms": true,
+    "hideCallButtonsInComposer": true
+  },
+  "element_call": {
+    "url": "https://call-681f3d.organic-machine.com/",
+    "participant_limit": 16,
+    "brand": "Element Call"
+  }
 }

element-web-custom/hide-legacy-calls.css

@@ -0,0 +1,10 @@
+/* Hide legacy (1:1) call entry points, keeping only Element Call buttons */
+button[aria-label*="voice call" i],
+button[aria-label*="video call" i],
+button[aria-label*="llamada" i],
+button[aria-label*="videollamada" i],
+.mx_MessageComposer_buttonCall,
+.mx_MessageComposer_buttonGroup .mx_MessageComposer_button:nth-child(3),
+.mx_MessageComposer_buttonGroup .mx_MessageComposer_button:nth-child(4) {
+    display: none !important;
+}

mas/README.md

@@ -0,0 +1,74 @@
+# Matrix Authentication Service setup
+
+Este directorio contiene la configuración base para desplegar
+[Matrix Authentication Service (MAS)](https://github.com/element-hq/matrix-authentication-service)
+junto al stack de Synapse/Element. MAS es el componente necesario para poder
+delegar el inicio de sesión al flujo OIDC moderno y activar el acceso mediante
+código QR (MSC4108) desde Element móvil.
+
+## Estructura
+
+```
+mas/
+├── config.example.yaml   # Plantilla de configuración
+├── config.yaml           # (generado) Config en uso por el contenedor
+├── keys/                 # Claves de firma de OIDC (no se versionan)
+├── scripts/bootstrap.sh  # Script para generar secretos/clave y copiar la config
+└── secrets/              # Secretos usados tanto por MAS como por Synapse
+```
+
+Los archivos dentro de `keys/` y `secrets/` están ignorados en git para evitar
+exponer credenciales. El script `scripts/bootstrap.sh` genera la estructura
+mínima necesaria y solo debe ejecutarse una vez (puedes volver a lanzarlo si
+algún archivo falta).
+
+## Pasos rápidos
+
+1. Copia la plantilla de configuración y genera secretos/clave privada:
+   ```bash
+   cd mas
+   ./scripts/bootstrap.sh
+   ```
+   Esto crea:
+   - `config.yaml` (copiado desde `config.example.yaml`).
+   - `secrets/encryption.key`: clave hex de 32 bytes para cifrado interno.
+   - `secrets/shared_secret.txt`: token compartido con Synapse (MAS API).
+   - `keys/mas_signing.key`: clave RSA 2048 bits para firmar tokens OIDC.
+
+2. Edita `config.yaml` y ajusta:
+   - `http.public_base`: dominio público donde expondrás MAS
+     (ej. `https://auth-af2f3d.organic-machine.com/`).
+   - `matrix.homeserver`: nombre del servidor Matrix si cambia.
+   - El string de conexión a Postgres si usas credenciales distintas.
+
+3. Copia el contenido de `secrets/shared_secret.txt` y pégalo en
+   `synapse_data/homeserver.yaml` dentro de
+   `matrix_authentication_service.secret` (agregado en este PR).
+
+4. Publica MAS detrás de tu reverse-proxy/Coolify redirigiendo
+   `/_matrix/client/*/(login|logout|refresh)` hacia el puerto del servicio.
+
+Consulta la guía en la raíz (`README.md`) para reiniciar los contenedores con
+`docker compose`. Una vez que Synapse y MAS estén en marcha verás el flag
+`org.matrix.msc4108: true` al consultar
+`https://matrix-af2f3d.organic-machine.com/_matrix/client/versions` y Element
+mostrará el inicio de sesión por QR.
+
+## Reverse proxy / Coolify
+
+- Publica MAS en un subdominio (p.ej. `auth-af2f3d.organic-machine.com`) que
+  apunte al puerto `8083` definido en `docker-compose.yml`.
+- Copia las rutas de compatibilidad:
+  ```
+  location ~ ^/_matrix/client/(.*)/(login|logout|refresh) {
+      proxy_pass http://10.10.10.7:8080;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $host;
+  }
+  ```
+  Ajusta la IP/puerto si usas otra red interna o si el reverse proxy corre en
+  otro host. En Coolify puedes crear una regla HTTP adicional que apunte al
+  contenedor `mas`.
+- Expón el endpoint de rendezvous en `https://auth.../_matrix/client/unstable/org.matrix.msc4108/rendezvous`
+  para que el valor coincida con `msc4108_delegation_endpoint` en
+  `synapse_data/homeserver.yaml`.

mas/config.example.yaml

@@ -0,0 +1,65 @@
+# Configuration example for Matrix Authentication Service.
+# Copia este archivo a `config.yaml` y ajusta los valores necesarios.
+
+http:
+  public_base: https://auth-af2f3d.organic-machine.com/
+  listeners:
+    - name: web
+      resources:
+        - name: discovery
+        - name: human
+        - name: oauth
+        - name: compat
+        - name: graphql
+        - name: assets
+      binds:
+        - host: 0.0.0.0
+          port: 8080
+      proxy_protocol: false
+
+  trusted_proxies:
+    - 192.168.0.0/16
+    - 172.16.0.0/12
+    - 10.0.0.0/10
+    - 127.0.0.1/8
+    - fd00::/8
+    - ::1/128
+
+database:
+  uri: postgresql://mas_user:mas_password@mas-postgres:5432/mas
+  max_connections: 5
+  min_connections: 1
+  connect_timeout: 30
+
+email:
+  transport: blackhole
+  from: '"Matrix Authentication Service" <noreply@auth.local>'
+
+matrix:
+  kind: synapse
+  homeserver: matrix-af2f3d.organic-machine.com
+  endpoint: http://synapse:8008
+  secret_file: /run/mas/secrets/shared_secret.txt
+
+secrets:
+  encryption_file: /run/mas/secrets/encryption.key
+  keys:
+    - key_file: /run/mas/keys/mas_signing.key
+
+policy:
+  path: /usr/local/share/mas-cli/policy.wasm
+
+templates:
+  path: /usr/local/share/mas-cli/templates/
+  assets_manifest: /usr/local/share/mas-cli/assets/manifest.json
+  translations_path: /usr/local/share/mas-cli/translations/
+
+compat:
+  login:
+    enabled: true
+  logout:
+    enabled: true
+  refresh:
+    enabled: true
+
+clients: []

mas/scripts/bootstrap.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+CONFIG_FILE="${ROOT_DIR}/config.yaml"
+CONFIG_TEMPLATE="${ROOT_DIR}/config.example.yaml"
+SECRETS_DIR="${ROOT_DIR}/secrets"
+KEYS_DIR="${ROOT_DIR}/keys"
+ENCRYPTION_FILE="${SECRETS_DIR}/encryption.key"
+SHARED_SECRET_FILE="${SECRETS_DIR}/shared_secret.txt"
+SIGNING_KEY_FILE="${KEYS_DIR}/mas_signing.key"
+
+command -v openssl >/dev/null 2>&1 || {
+  echo "openssl es requerido para generar los secretos." >&2
+  exit 1
+}
+
+mkdir -p "${SECRETS_DIR}" "${KEYS_DIR}"
+
+if [ ! -f "${CONFIG_TEMPLATE}" ]; then
+  echo "No se encontró ${CONFIG_TEMPLATE}, abortando." >&2
+  exit 1
+fi
+
+if [ ! -f "${CONFIG_FILE}" ]; then
+  cp "${CONFIG_TEMPLATE}" "${CONFIG_FILE}"
+  echo "Se creó ${CONFIG_FILE} a partir de la plantilla."
+else
+  echo "Ya existe ${CONFIG_FILE}, se deja intacto."
+fi
+
+if [ ! -f "${ENCRYPTION_FILE}" ]; then
+  openssl rand -hex 32 > "${ENCRYPTION_FILE}"
+  chmod 600 "${ENCRYPTION_FILE}"
+  echo "Generada clave de cifrado en ${ENCRYPTION_FILE}"
+else
+  echo "Ya existe ${ENCRYPTION_FILE}"
+fi
+
+if [ ! -f "${SHARED_SECRET_FILE}" ]; then
+  openssl rand -hex 48 > "${SHARED_SECRET_FILE}"
+  chmod 600 "${SHARED_SECRET_FILE}"
+  echo "Generado secreto compartido en ${SHARED_SECRET_FILE}"
+else
+  echo "Ya existe ${SHARED_SECRET_FILE}"
+fi
+
+if [ ! -f "${SIGNING_KEY_FILE}" ]; then
+  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "${SIGNING_KEY_FILE}" >/dev/null
+  chmod 600 "${SIGNING_KEY_FILE}"
+  echo "Generada clave RSA en ${SIGNING_KEY_FILE}"
+else
+  echo "Ya existe ${SIGNING_KEY_FILE}"
+fi
+
+cat <<MSG
+
+============================================
+Recuerda copiar el contenido de:
+  ${SHARED_SECRET_FILE}
+al bloque matrix_authentication_service.secret en synapse_data/homeserver.yaml.
+Revisa también ${CONFIG_FILE} para ajustar dominios/URLs públicas.
+============================================
+MSG