Synapse Instance


  • synapse
  • Jonathan Haack
  • Haack’s Networking
  • webmaster@haacksnetworking.org

//synapse//


Reminder: only the Wiki has the latest changes, so for a complex live instance, visit the source wiki for the latest updates/corrections/changes.

This tutorial is for users of Debian GNU/Linux who want to create their own Synapse/Matrix instance. The [[https://matrix-org.github.io/synapse/latest/setup/installation.html|official documentation]] was solid and the [[https://docs.hackliberty.org/books/self-hosted-services/page/how-to-install-matrix-synapse-on-debian-11|Hack Liberty]] tutorial had many great insights. I have everything up and running now with nginx except for the MTA/email functionality. Although I originally intended to use Apache, I could not get the ProxyPass for .well-known to work, so the server could not federate, although everything else worked fine. I will solve that issue later and post an addendum here when I do. For now, let me step you through what I did. First, the prerequisites: set up A records for your domains, adjusting to your needs. I established gnulinux.club, matrix.gnulinux.club, element.gnulinux.club, and jitsi.gnulinux.club. After those records had propagated, I shelled into my VM and established ufw rules for ssh, http, https, Matrix federation, and Jitsi:

sudo ufw allow 22          # ssh
sudo ufw allow 80          # http: ACME challenges and the redirect to https
sudo ufw allow 443         # https: clients, Element, and federation once delegated to :443
sudo ufw allow 8448        # Matrix federation default port (only used if you do not delegate to :443)
sudo ufw allow 10000/udp   # Jitsi videobridge media
sudo ufw allow 3478/udp    # TURN
sudo ufw allow 5349/tcp    # TURNS (TURN over TLS)

You should also make sure that you have [[https://wiki.haacksnetworking.org/doku.php?id=computing:fail2ban|fail2ban]] installed and configured before proceeding. I would also recommend hardening your [[https://wiki.haacksnetworking.org/doku.php?id=computing:ssh|sshd_config]] file. Note that port 8008, where Synapse itself listens, is deliberately not opened: the Debian package binds it to localhost only, and everything reaches it through nginx. Once those prerequisites are done, let's install the nginx web server:

sudo apt install nginx
cd /etc/nginx/sites-enabled
cp default gnulinux.club
cp default matrix.gnulinux.club
cp default element.gnulinux.club

You will notice that I did not create a server block for Jitsi because its installer script will take care of this automatically later on. Once these are created, delete everything in each block file except the [[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/nginx/http-block.com|basic http block]] and make some small edits:

nano /etc/nginx/sites-enabled/gnulinux.club

The matrix.gnulinux.club block needs the proxy_pass directive set. To limit confusion, I have just provided the config directly. Also note that the web root is irrelevant for this block because it serves no files itself; it only forwards Matrix requests to Synapse listening on localhost port 8008.

nano /etc/nginx/sites-enabled/matrix.gnulinux.club

[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/nginx/matrix-block.domain.com|matrix.gnulinux.club]]
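For readers who do not want to follow the link, here is an added, illustrative version of that server block (this is not the file from the author's repository, but the shape the official Synapse reverse-proxy documentation describes) as it looks after certbot has added the TLS lines. Assumptions: the certificate lineage is named gnulinux.club (certbot names it after the first -d argument), Synapse listens on 127.0.0.1:8008, and max_upload_size in homeserver.yaml is the default 50M. The security-relevant point is the location regex: only /_matrix and /_synapse/client are proxied, so the /_synapse/admin API is never exposed to the internet.

```nginx
server {
    # Client traffic (Element, mobile apps) and, because .well-known delegates
    # to matrix.gnulinux.club:443, federation traffic as well.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Only needed if you do NOT delegate via .well-known or SRV; harmless otherwise.
    listen 8448 ssl http2 default_server;
    listen [::]:8448 ssl http2 default_server;

    server_name matrix.gnulinux.club;

    # Paths certbot writes; the lineage name gnulinux.club is an assumption.
    ssl_certificate     /etc/letsencrypt/live/gnulinux.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gnulinux.club/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Proxy only the public API prefixes. /_synapse/admin is deliberately
    # not matched, so the admin API stays reachable only on localhost:8008.
    location ~ ^(/_matrix|/_synapse/client) {
        # No trailing path after the port: nginx would otherwise normalise
        # the URI and break federation request signatures.
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        # Must be >= max_upload_size in homeserver.yaml (default 50M).
        client_max_body_size 50M;
    }

    # Everything else (including /_synapse/admin) is refused.
    location / {
        return 404;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name matrix.gnulinux.club;
    return 301 https://$host$request_uri;
}
```

For the X-Forwarded-For header to mean anything, the 8008 listener in homeserver.yaml must have x_forwarded: true; otherwise Synapse's rate limiting and logs see every request as coming from 127.0.0.1.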

For the element.gnulinux.club block (adjusted for your domain, of course), point the root directive at a subdirectory of the web root (/var/www/element.gnulinux.club/element) rather than at the web root itself. That subdirectory will be a symlink to the currently installed Element release, so when upgrades to Element come out you can just re-point the symlink. We will create the symlink later when installing the package, for now:

nano /etc/nginx/sites-enabled/element.gnulinux.club
sudo nginx -t && sudo systemctl restart nginx

Request gnulinux.club (adjusted for your domain) in a browser or with curl to ensure that the domain resolves and nginx is serving it. Once that is confirmed, we can set up Let's Encrypt certs:

sudo apt install python3-certbot-nginx
sudo certbot --nginx -d gnulinux.club -d matrix.gnulinux.club -d element.gnulinux.club

Request gnulinux.club again to ensure that it now serves over TLS and that plain HTTP redirects to HTTPS (certbot offers to add the redirect). Once that is set up, it is time to install the matrix-synapse-py3 server. Always check the official documentation page for this, but as of this installation, that was done as follows:

sudo apt install -y lsb-release wget apt-transport-https
sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/matrix-org.list
sudo apt update
sudo apt install matrix-synapse-py3

Verify that the matrix-synapse service is running with ”systemctl status matrix-synapse” (or ”ps aux | grep synapse”) and then move on to federating the server. To federate, other homeservers must be able to discover where Matrix traffic for gnulinux.club should go: you can either publish a DNS SRV record, or serve a .well-known file over HTTPS from the bare domain. I chose the latter, and did the following:

sudo mkdir -p /var/www/gnulinux.club/.well-known/matrix
cd /var/www/gnulinux.club/.well-known/matrix/
sudo nano server
<{ "m.server": "matrix.gnulinux.club:443" }>

Once that’s created, run curl and make sure the output matches what you specified in the server file:

curl -L https://gnulinux.club/.well-known/matrix/server
{ "m.server": "matrix.gnulinux.club:443" }
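The curl check confirms the file is served, but it is worth seeing what a federating homeserver actually does with it. The following is an added example, not code from this page or from Synapse: a compact implementation of the Matrix server-name resolution order (IP literal or explicit port first, then the .well-known delegation, then SRV records, then port 8448 on the bare hostname), with the HTTPS fetch and DNS lookups injected as callables so it runs offline. SAMPLE_WELL_KNOWN, SAMPLE_SRV, demo_fetch and demo_srv are constructed stand-ins for real lookups; the well-known body is the same one shown above.

```python
"""Matrix federation server-name resolution, as an offline worked example.

Implements the discovery order a federating homeserver follows when it wants
to talk to gnulinux.club: IP literal or explicit port first, then the
/.well-known/matrix/server delegation, then SRV records, then port 8448 on the
bare hostname. The HTTPS fetch and DNS lookups are injected as callables so the
logic can be exercised against constructed responses.
"""
import ipaddress
import json
import re

DEFAULT_FEDERATION_PORT = 8448
# Hostnames per the spec's server-name grammar (letters, digits, '.', '-').
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,255}$")


def split_server_name(server_name):
    """Split 'host[:port]' into (host, port or None); IPv6 literals are bracketed."""
    if server_name.startswith("["):
        host, _, rest = server_name[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None)
    host, sep, port = server_name.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return server_name, None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_well_known(body):
    """Return the delegated 'host[:port]' from a .well-known/matrix/server body,
    or None if the body is missing, not JSON, or names something unusable."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    target = data.get("m.server") if isinstance(data, dict) else None
    if not isinstance(target, str) or not target:
        return None
    host, port = split_server_name(target)
    if not host or not (is_ip_literal(host) or _HOSTNAME_RE.match(host)):
        return None
    if port is not None and not 0 < port < 65536:
        return None
    return target


def _srv(lookup_srv, hostname):
    # Current record name first, then the deprecated one servers still honour.
    return lookup_srv("_matrix-fed._tcp." + hostname) or lookup_srv("_matrix._tcp." + hostname)


def resolve(server_name, fetch_well_known, lookup_srv):
    """Return (connect_host, connect_port, host_header) for federation with server_name.

    fetch_well_known(hostname) -> response body as str, or None on any failure
    lookup_srv(name)           -> (target_host, port), or None if no record
    """
    host, port = split_server_name(server_name)
    # Steps 1-2: an IP literal or an explicit port is used as-is, no delegation.
    if is_ip_literal(host) or port is not None:
        return host, port or DEFAULT_FEDERATION_PORT, server_name
    # Step 3: .well-known delegation. The Host header becomes the delegated name.
    delegated = parse_well_known(fetch_well_known(host))
    if delegated is not None:
        d_host, d_port = split_server_name(delegated)
        if is_ip_literal(d_host) or d_port is not None:
            return d_host, d_port or DEFAULT_FEDERATION_PORT, delegated
        srv = _srv(lookup_srv, d_host)
        if srv:
            return srv[0], srv[1], d_host
        return d_host, DEFAULT_FEDERATION_PORT, d_host
    # Steps 4-5: no usable well-known; SRV on the original name, else 8448.
    srv = _srv(lookup_srv, host)
    if srv:
        return srv[0], srv[1], server_name
    return host, DEFAULT_FEDERATION_PORT, server_name


# Constructed stand-ins for the HTTPS and DNS lookups (not real network calls).
SAMPLE_WELL_KNOWN = {"gnulinux.club": '{ "m.server": "matrix.gnulinux.club:443" }'}
SAMPLE_SRV = {"_matrix-fed._tcp.srv-only.example": ("fed.srv-only.example", 8449)}


def demo_fetch(hostname):
    return SAMPLE_WELL_KNOWN.get(hostname)


def demo_srv(name):
    return SAMPLE_SRV.get(name)


if __name__ == "__main__":
    for name in ("gnulinux.club", "srv-only.example", "nothing.example"):
        print(name, "->", resolve(name, demo_fetch, demo_srv))
```

The gnulinux.club result shows why the m.server value carries :443: without the port, remote servers would look for an SRV record on matrix.gnulinux.club and then fall back to port 8448, which your nginx block would then have to listen on. The nothing.example result is the no-delegation fallback, the only case in which the ufw rule for 8448 actually matters.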

As long as that functions, you can now move on to installing Element. That involves making the web root directory for the server block, creating a dedicated user that owns it and downloads the latest package (always check the official release page, and verify the tarball against the detached GPG signature published alongside it), symlinking the current package to the location specified in the server block, and lastly configuring config.json for your domain and particular instance. Here goes:

sudo mkdir -p /var/www/element.gnulinux.club/
sudo useradd -m elementweb
sudo chown elementweb:elementweb /var/www/element.gnulinux.club/   # so the download below can write here
cd /var/www/element.gnulinux.club/

sudo --user elementweb wget https://github.com/vector-im/element-web/releases/download/v1.10.12/element-v1.10.12.tar.gz
sudo --user elementweb tar -xvf element-v1.10.12.tar.gz
sudo --user elementweb rm element-v1.10.12.tar.gz
sudo --user elementweb ln -s element-v1.10.12/ element   # the server block's root points at this symlink
cd /var/www/element.gnulinux.club/element
sudo --user elementweb cp config-sample.json config.json
sudo --user elementweb nano config.json
<"base_url": "https://matrix.gnulinux.club",>
<"server_name": "gnulinux.club">

Once Element is installed, you need to enable registration. Synapse no longer starts with enable_registration: true unless you also configure a verification method (CAPTCHA, email, or registration tokens) or set enable_registration_without_verification: true as an explicit override, so after seeing how involved token auth was, I added a [[https://developers.google.com/recaptcha/|Google reCAPTCHA v2]] instead.

sudo nano /etc/matrix-synapse/homeserver.yaml
enable_registration: true   [comment this out while creating the admin user from the command line, see below]
enable_registration_captcha: true
recaptcha_public_key: "yourmomspublickey"
recaptcha_private_key: "yourdadsprivatekey"   # On Google, turn verify origin off
registration_shared_secret: "yourcousinssharedsecret"   # long random value (e.g. openssl rand -hex 32); anyone holding it can create accounts, admins included, bypassing the CAPTCHA
federation_client_minimum_tls_version: 1.2

At this stage, you could theoretically add a user through the web GUI, however the instance is still using sqlite3 and I preferred something more robust. For that reason, I waited and first created a proper database and dedicated database user, both for scaling and hardening purposes:

sudo apt install postgresql
sudo -u postgres bash
createuser --pwprompt synapseusr
createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapseusr synapsedb
exit

After recording the password you specified, configure ”homeserver.yaml” to use the PostgreSQL database instead of the default sqlite3 one:

sudo nano /etc/matrix-synapse/homeserver.yaml

PostgreSQL also has to accept the connection: ”pg_hba.conf” controls which clients may authenticate to which databases, so make sure it has a line permitting synapseusr to reach synapsedb over the loopback address, then reload:

sudo nano /etc/postgresql/13/main/pg_hba.conf
sudo systemctl reload postgresql
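Added for concreteness (this is not the author's homeserver.yaml, just the shape the official Synapse configuration documents): replace the package's default sqlite3 database block with a psycopg2 block pointing at the role and database created above. The password is a placeholder; synapseusr and synapsedb are the names used on this page.

```yaml
# /etc/matrix-synapse/homeserver.yaml (excerpt)
# Replace the Debian package default, which looks like:
#   database:
#     name: sqlite3
#     args:
#       database: /var/lib/matrix-synapse/homeserver.db
database:
  name: psycopg2
  args:
    user: synapseusr
    password: "REPLACE-WITH-THE-PASSWORD-FROM-createuser"   # placeholder
    database: synapsedb
    host: localhost
    cp_min: 5
    cp_max: 10
```

Because homeserver.yaml now holds a database password as well as registration_shared_secret, check with ”ls -l” that it is readable only by root and the matrix-synapse user. The matching pg_hba.conf line for a TCP connection over loopback is ”host synapsedb synapseusr 127.0.0.1/32 md5” (plus ”::1/128” for IPv6); md5 in pg_hba.conf also accepts SCRAM-stored passwords, so it works regardless of the server's password_encryption setting. If the instance had already been used on sqlite3, move the data with synapse_port_db rather than by just switching the config.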

Check that the configuration you established is functioning by restarting the service with ”systemctl restart matrix-synapse” and watching ”journalctl -u matrix-synapse” for database errors. As long as everything is functioning, you can now create an admin user. Temporarily comment out user registration in ”/etc/matrix-synapse/homeserver.yaml” and restart the service again with ”systemctl restart matrix-synapse” before creating the user. Note: the user creation will fail if you do not do this. The script reads registration_shared_secret from homeserver.yaml and talks to Synapse over localhost, so run it with sudo (there is no need for the postgres shell here); the -a flag marks the new account as a server admin.

sudo register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml -a http://localhost:8008

Record the password you chose in a safe location, then uncomment the user registration in ”/etc/matrix-synapse/homeserver.yaml” again and once more restart the service with ”systemctl restart matrix-synapse”. This is required because you cannot manually create users while the ”enable_registration: true” parameter is active. You will likely also want a non-admin user for yourself, and the web GUI is very convenient for this, so just visit element.gnulinux.club and register. Once you log in, make sure that you can access federated instances, spaces, and rooms. So long as everything is working, let's carry on with setting up Jitsi. Again, as with Element and Matrix, always check the [[https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart/|official documentation]] for the latest releases/gpg keys, etc.:

curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
sudo apt update
sudo apt install jitsi-meet

Once the install finishes (the package prompts for the hostname, which should be jitsi.gnulinux.club), obtain a Let's Encrypt certificate using the official script from Jitsi; between the installer and this script, a TURN server configuration and an nginx server block are set up for us:

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

We now need to configure Element to use Jitsi. The setting lives in the ”jitsi” section of config.json, which the browser fetches each time Element loads, so no service restart is needed; a hard reload of element.gnulinux.club picks up the change:

nano /var/www/element.gnulinux.club/element/config.json
<"jitsi": { "preferredDomain": "jitsi.gnulinux.club" }>

You can verify that Jitsi is working with ”systemctl status jitsi-videobridge2 jicofo prosody” (or ”ps aux | grep jitsi”) and then visit jitsi.gnulinux.club (adjusted for your domain) to verify you can create and join a new meeting. Additionally, you can look at ”/etc/turnserver.conf” to see the entries Jitsi created (it holds the TURN static-auth-secret, so keep its permissions tight) and likewise verify the server block it created at ”/etc/nginx/sites-enabled/jitsi.gnulinux.club”. Note: I can't seem to get Jitsi to work as intended within the Matrix rooms, but it does work on its own; I suspect it is glitching with the video lab. You are now done! However, make sure to snapshot your VPS if in a cloud, and/or if you are using KVM and a virtual machine on your own hardware, consider creating a backup script for the VMs as follows:

[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/scripts/sane-vm-backup.sh|appropriate backup scripts]]

Utilize rsync or similar to ensure you have those backups offsite as well as on site, and also provision a hot-spare in case your self-hosted or co-located hardware fails.
