Architecture

How It Works

Three containers, one Docker network, zero exposed services.

┌─────────────────────────────────────────────────────────────────┐ │ Internet │ │ Ports 80, 443, 8448, 3478, 5349 │ └───────────────────────────┬─────────────────────────────────────┘ │ ┌──────────▼──────────┐ │ Caddy (Reverse │ ← Auto HTTPS & TLS │ Proxy) │ ← Routes all traffic └──────────┬──────────┘ │ ┌──────────▼──────────┐ │ Conduit (Matrix │ ← No ports exposed! │ Homeserver) │ ← Internal network only └─────────────────────┘ │ ┌──────────▼──────────┐ │ Coturn (TURN/ │ ← Voice/video relay │ STUN server) │ ← NAT traversal └─────────────────────┘

Port Table

Port	Protocol	Service	Purpose
80	TCP	Caddy	HTTP → HTTPS redirect
443	TCP	Caddy	HTTPS (Client-Server API)
443	UDP	Coturn (redirected)	UDP redirect to port 5349 via firewalld forward-port — allows clients to reach TURN on standard port
8448	TCP	Caddy	Matrix federation (S2S)
3478	UDP	Coturn	STUN (NAT discovery)
5349	TCP/UDP	Coturn	TURNS (encrypted relay)

Docker Compose Setup

Everything lives in /opt/conduit/ — one folder, easy to find:

/opt/conduit/
├── docker-compose.yml  # All 3 containers, networks, volumes, ports
├── .env                # Your config: domain, secrets, IP
├── Caddyfile           # Reverse proxy + TLS (auto-generated)
├── turnserver.conf     # TURN/STUN for voice/video calls
├── conduit.toml        # Media retention settings
├── CREDENTIALS.txt     # Your registration token (delete after saving!)
├── certs/              # TLS certificates for Coturn
│   ├── turn.crt
│   └── turn.key
└── .image-versions    # Pinned Docker image digests (created by backup)

/opt/conduit-backups/   # Backups (separate folder, survives uninstall)
└── conduit-backup-2025-03-15-020000.tar.gz

Common Docker Compose commands (run from /opt/conduit/):

sudo docker compose up -d       # Start all containers
sudo docker compose down         # Stop all containers
sudo docker compose restart      # Restart all containers
sudo docker compose logs -f      # View live logs
sudo docker compose pull         # Pull latest images (update)
sudo docker compose ps           # Show container status
sudo docker stats --no-stream    # Show CPU/RAM usage

System Requirements

Component	Minimum	Recommended
CPU	1 core (ARM or x86)	2+ cores
RAM	1 GB (tested)	2+ GB for heavy use
Disk	2GB	10GB+ (media)
OS	Linux (Docker)	Debian 13 (tested). Other Debian/Ubuntu may work but untested.
Network	Public IP + domain	Static IP preferred

🧪

Tested on: DigitalOcean $6/mo Droplet (1 GB RAM, 1 CPU, 25 GB SSD, Debian 13). Not tested on other platforms or providers.

What the Script Installs

The script will automatically install any missing packages. Here's exactly what gets added to your system:

Package	What it does	Why it's needed
Docker	Container runtime	Runs Conduit, Caddy, and Coturn in isolated containers
firewalld	Firewall	Blocks unauthorized access, opens only needed ports
Fail2ban	Brute-force protection	Automatically bans IPs that try too many failed logins
unattended-upgrades	OS security patches	Downloads and installs security fixes automatically. No auto-reboot — you decide when to restart.
firewalld forward-port	Firewall rule	firewalld forward-port rule (UDP 443→5349)

System utilities (installed if missing):

Command	Package	Used for
`curl`	curl	Downloading files, API calls, connectivity checks
`openssl`	openssl	Generating secure tokens and secrets
`dig`	dnsutils	DNS verification before install
`ss`	iproute2	Checking if ports are available
`tar`	tar	Creating and restoring backups
`free`	procps	Checking available RAM
`awk`	gawk	Text processing (parsing outputs)

📋

Most of these are already pre-installed on Debian. The script checks each one and only installs what's missing. Nothing is installed without showing you first.