Thanks for this! I tried following your instructions (just for the matrix bit so far) and it mostly seems to work fine, just a couple of notes:
- I had to add `listen` configuration for the nginx reverse proxy to forward port 8448 as well as 443: otherwise it doesn’t listen on 8448 for me at all.
- You can skip `"webclient"` in the listener resources: apparently this does nothing and synapse warns about it in the startup logs.
Am glad it worked.
I thought port 8448 is the federation port which is required by other servers and is default unless one sets up delegation for servers to check the .well-known/matrix/server directory for the federation path, as described here - synapse/delegate.md at 883ac4b1bb7c520e928e8a42d7700de7f0d56055 · matrix-org/synapse · GitHub
Do you have to take care of 8448 with .well-known based delegation as well?
Great article! Thanks for mentioning my PR. I just want to point out that the following bit is no longer true (your configs do it manually, so they are correct, however):
> and enable LetsEncrypt certification for the same
Btw I’m also running Synapse on a single port (proxy 443 → synapse 8448), no .well-known based delegation, and the following SRV record, and it seems to work fine:
_matrix._tcp.example.org has SRV record 10 0 443 example.org
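
The setups discussed in this thread differ only in which port a remote homeserver ends up connecting to, and therefore which port the reverse proxy and firewall must expose. The sketch below is an added example, not code from any of the posts or from Synapse: it walks the discovery order of the Matrix server-server specification (IP literal, explicit port, `.well-known/matrix/server`, SRV, then the 8448 default). The function names, the dict-based lookups and `matrix.example.org` are assumptions made so it runs offline.

```python
import ipaddress

DEFAULT_PORT = 8448  # federation port used when nothing else is advertised

def split_host_port(name):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port-or-None)."""
    if name.startswith("["):                      # bracketed IPv6 literal
        host, _, rest = name[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else None
    host, sep, port = name.rpartition(":")
    return (host, int(port)) if sep else (name, None)

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def srv_lookup(host, srv):
    # Newer _matrix-fed service name first, then the deprecated _matrix one.
    for service in ("_matrix-fed._tcp.", "_matrix._tcp."):
        if service + host in srv:
            return srv[service + host]            # (target, port)
    return None

def resolve(server_name, well_known, srv):
    """Return (host, port, reason) a remote homeserver would connect to.

    well_known maps hostname -> "m.server" value; srv maps record name ->
    (target, port). Both stand in for real HTTPS and DNS lookups.
    """
    host, port = split_host_port(server_name)
    if is_ip(host):
        return host, port or DEFAULT_PORT, "ip literal"
    if port:
        return host, port, "explicit port"
    delegated = well_known.get(host)
    if delegated:
        d_host, d_port = split_host_port(delegated)
        if is_ip(d_host) or d_port:
            return d_host, d_port or DEFAULT_PORT, "well-known"
        target = srv_lookup(d_host, srv)
        if target:
            return (*target, "well-known + SRV")
        return d_host, DEFAULT_PORT, "well-known, default port"
    target = srv_lookup(host, srv)
    if target:
        return (*target, "SRV")
    return host, DEFAULT_PORT, "default port"

if __name__ == "__main__":                        # constructed sample data
    print(resolve("example.org", {}, {"_matrix._tcp.example.org": ("example.org", 443)}))
    print(resolve("example.org", {"example.org": "matrix.example.org:443"}, {}))
    print(resolve("example.org", {}, {}))
```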