computing:synapse [2022/11/24 03:52] – oemb1905 | computing:synapse [2025/04/17 20:38] (current) – oemb1905 |
---|
* **Jonathan Haack** | * **Jonathan Haack** |
* **Haack's Networking** | * **Haack's Networking** |
* **webmaster@haacksnetworking.org** | * **webmaster@haacksnetworking.org** |
| |
------------------------------------------- | ------------------------------------------- |
------------------------------------------- | ------------------------------------------- |
| |
This tutorial is for users of Debian GNU/Linux who want to create their own synapse/matrix instance. The [[https://matrix-org.github.io/synapse/latest/setup/installation.html|official documentation]] was solid and the [[https://docs.hackliberty.org/books/self-hosted-services/page/how-to-install-matrix-synapse-on-debian-11|Hack Liberty]] tutorial had many great insights. I have everything up and running now with nginx except for the MTA/email functionality. Although I originally intended to use apache, I could not get the ProxyPass for .well-known to work and it could not federate, although everything else worked fine. I will solve that issue later and post an addendum here when I do. For now, let me step you through what I did. First, the prerequisites are to set up A records for your domains, and adjust to your needs. I established gnulinux.club, matrix.gnulinux.club, element.gnulinux.club, and jitsi.gnulinux.club. After those cached, I then shelled into my VM and established ufw rules for ssh, http, https, matrix, and jitsi: | This tutorial is for users of Debian GNU/Linux who want to create their own synapse/matrix instance. The [[https://matrix-org.github.io/synapse/latest/setup/installation.html|official documentation]] was solid and the Hack Liberty tutorial at https://docs.hackliberty.org/books/self-hosted-services/page/how-to-install-matrix-synapse-on-debian-11 (now taken down) had many great insights. Let me step you through what I did. First, the prerequisites are to set up A records for your domains, and adjust to your needs. I established gnulinux.club (tld of host), matrix.gnulinux.club (home server), element.gnulinux.club (element website), and jitsi.gnulinux.club (used for video rooms). After those cached, I then shelled into my VM and established ufw rules for ssh, http, https, matrix, and jitsi: |
| |
sudo ufw allow 22 | sudo ufw allow 22 |
cp default element.gnulinux.club | cp default element.gnulinux.club |
| |
You will notice that I did not create a server block for jitsi because its installer script will take care of this automatically later on. Once these are created, delete everything in the block file except the [[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/nginx/http-block.com|basic http block]] and make some small edits: | You will notice that I did not create a server block for jitsi because its installer script will take care of this automatically later on. Once these are created, delete everything in the block file except the [[https://repo.haacksnetworking.org/haacknet/haackingclub/-/blob/main/configs/webservers/nginx/http-block?ref_type=heads|basic http block]] and make some small edits: |
| |
nano /etc/nginx/sites-enabled/gnulinux.club | nano /etc/nginx/sites-enabled/gnulinux.club |
nano /etc/nginx/sites-enabled/matrix.gnulinux.club | nano /etc/nginx/sites-enabled/matrix.gnulinux.club |
| |
[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/nginx/matrix-block.domain.com|matrix.gnulinux.club]] | [[https://repo.haacksnetworking.org/haacknet/haackingclub/-/blob/main/configs/webservers/nginx/nginx-matrix.gnulinux.club?ref_type=heads|matrix.gnulinux.club]] |
| |
As for the element.gnulinux.club block (adjusted for your domain, of course), make sure to add a directory to the end of the block directory itself. This will help later when upgrades to Element come out, because you can just re-symlink the new update. We will do the symlink later when installing the package, for now: | As for the element.gnulinux.club block (adjusted for your domain, of course), make sure to add a directory to the end of the block directory itself. This will help later when upgrades to Element come out, because you can just re-symlink the new update. We will do the symlink later when installing the package, for now: |
sudo --user elementweb tar -xvf element-v1.10.12.tar.gz | sudo --user elementweb tar -xvf element-v1.10.12.tar.gz |
rm element-v1.10.12.tar.gz | rm element-v1.10.12.tar.gz |
cd /var/www/elemenet.gnulinux.club/ | cd /var/www/element.gnulinux.club/ |
ln -s element-v1.10.12/ element | ln -s element-v1.10.12/ element |
cd /var/www/elemenet.gnulinux.club/element | cd /var/www/element.gnulinux.club/element |
cp config-sample.json config.jason | cp config-sample.json config.json |
nano config.json | nano config.json |
<"base_url": "https://matrix.gnulinux.club",> | <"base_url": "https://matrix.gnulinux.club",> |
register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://localhost:8008 | register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://localhost:8008 |
| |
Record the password you chose in a safe location, and then uncomment the user registration on ''/etc/matrix-synapse/homeserver.yaml'' again and once again restart the service ''systemctl restart matrix-synapse''. This is required because you cannot manually create users while the ''enable_registration: true'' parameter is active. Likely, you will now want to also create a non-admin user for yourself, and the webgui is very convenient for this so just visit element.gnulinux.club and then register. Once you log in, make sure that you can access federated instances, spaces, and rooms. The last thing we need to do is add the ability for the server to send emails so users can recover accounts when needed via email. To do that, first make sure you have a working [[https://wiki.haacksnetworking.org/doku.php?id=computing:exim4|https://wiki.haacksnetworking.org/doku.php?id=computing:exim4]] email server. Please note that an incoming (IMAP) server is not needed, only outgoing (smtp/MTA). Once that is set up, add the following lines to your ''/etc/matrix-synapse/homeserver.yaml'' configuration: | Record the password you chose in a safe location, and then uncomment the user registration on ''/etc/matrix-synapse/homeserver.yaml'' again and once again restart the service ''systemctl restart matrix-synapse''. This is required because you cannot manually create users while the ''enable_registration: true'' parameter is active. Likely, you will now want to also create a non-admin user for yourself, and the webgui is very convenient for this so just visit element.gnulinux.club and then register. Once you log in, make sure that you can access federated instances, spaces, and rooms. The last thing we need to do is add the ability for the server to send emails so users can recover accounts when needed via email. To do that, first make sure you have a working email server. Please note that an incoming (IMAP) server is not needed, only outgoing (smtp/MTA). 
Once that is set up, add the following lines to your ''/etc/matrix-synapse/homeserver.yaml'' configuration: |
| |
sudo nano /etc/matrix-synapse/homeserver.yaml | sudo nano /etc/matrix-synapse/homeserver.yaml |
<require_transport_security: true> | <require_transport_security: true> |
| |
Again, note that there is no need to set up an incoming email server nor tolerate spam on the server you are sending to. In my case, my smtp server / MTA is a relay with the domains that are allowed to send through it explicitly whitelisted. Alright, so now it's time to carry on with setting up jitsi. Again, as with element and matrix, always check the [[https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart/|official documentation]] for the latest releases/gpg keys, etc.: | Again, note that there is no need to set up an incoming email server nor tolerate spam on the server you are sending to. In my case, my smtp server / MTA is a relay only, with the domains that are allowed to send through it explicitly whitelisted. Now that email is up, let's tweak the upload settings so that people can upload images that are larger than a megabyte and have reasonable purge directives: |
| |
| sudo nano /etc/matrix-synapse/homeserver.yaml |
| <max_upload_size: 1000M> |
| <dynamic_thumbnails: true> |
| <media_retention:> |
| <local_media_lifetime: 90d> |
| <remote_media_lifetime: 14d> |
| |
| After this, your config should look something like this [[https://repo.haacksnetworking.org/haacknet/haackingclub/-/blob/main/configs/synapse/homeserver.yaml?ref_type=heads|example homeserver.yaml]]. Also, make sure to add the following line of code within each nginx http server block: |
| |
| <client_max_body_size 1000M;> |
| |
| Alright, so now it's time to carry on with setting up jitsi. Again, as with element and matrix, always check the [[https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart/|official documentation]] for the latest releases/gpg keys, etc.: |
| |
curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg' | curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg' |
systemctl restart matrix-synapse | systemctl restart matrix-synapse |
| |
You can verify that jitsi is working by ''ps aux | grep jitsi'' and then visit jitsi.gnulinux.club (adjusted for your domain) to verify you can create and join a new meeting. Additionally, you can navigate to ''/etc/turnserver.conf'' to see the entries jitsi created and likewise verify the server block it created at ''/etc/nginx/sites-enabled/jitsi.gnulinux.club''. You are now done! However, make sure to run regular snapshots on a cron job, and consider some simple shell scripts to monitor nginx, postgres, and fail2ban and if they fail, to restart them and email you. I also have a separate script that dumps the entire database daily with a time stamp. Here are the scripts currently in use: | You can verify that jitsi is working by ''ps aux | grep jitsi'' and then visit jitsi.gnulinux.club (adjusted for your domain) to verify you can create and join a new meeting. Additionally, you can navigate to ''/etc/turnserver.conf'' to see the entries jitsi created and likewise verify the server block it created at ''/etc/nginx/sites-enabled/jitsi.gnulinux.club''. To upgrade, find the latest release, and download it: |
| |
- Keep Fail2Ban Running:[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/scripts/fail2ban-restart.sh|fail2ban-restart.sh]] | https://github.com/element-hq/element-web/releases |
- Keep Postgres Running: [[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/scripts/postgres-restart.sh|postgres-restart.sh]] | wget https://github.com/element-hq/element-web/releases/download/v1.11.55/element-v1.11.55.tar.gz |
- Keep Nginx Running: [[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/scripts/nginx-restart.sh|nginx-restart.sh]] | tar -xvf element-v1.11.55.tar.gz |
- Nightly DB Dumps: [[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/scripts/postgres-dump.sh|postgres-dump.sh]] | cd /var/www/gnulinux.club/element |
| cp -ar config.json ../ |
| cd ../ && ln -sfn element-v1.11.55/ element |
| |
Also, there's no point in setting this up unless you have regular backups! In my case, since this is a VM, I just use the same script as I use for all my other instances. That script powers down the VM, and copies a sparse file, then tarballs it. After restarting the VM, my backup workstation pulls down the tarballs (also sparse) on a set schedule, keeping approximately 90 days of restore points. The backup script I use is found here and, of course, this runs on the host OS (not the Synapse VM instance): | Make sure to have .well-knowns established for client and support as well: |
| |
| sudo touch /var/www/gnulinux.club/.well-known/matrix/client |
| |
| With the following: |
| |
| { |
| "m.homeserver": { |
| "base_url": "https://matrix.gnulinux.club" |
| } |
| } |
| |
| Also identify support: |
| |
| sudo touch /var/www/gnulinux.club/.well-known/matrix/support |
| |
| With the following: |
| |
| {"contacts": [{"matrix_id": "@oemb1905:gnulinux.club", "email_address": "webmaster@haacksnetworking.org","club.gnulinux.phone_number": "+13105651874", "role": "m.role.admin"}],"support_page": "https://gnulinux.club/code-conduct.pdf"} |
| |
| Finally, make sure that browsers don't download these by adding a location to your TLD block: |
| |
- VM Backup Script: [[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/scripts/sane-vm-backup.sh|sane-vm-backup.sh]] | location /.well-known/matrix { |
| allow all; |
| add_header access-control-allow-origin *; |
| add_header content-type application/json; |
| } |
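As an added check that is not part of the original tutorial, the following Python script validates the shape of the two .well-known documents above before they are published (an https base_url in client, valid contact roles and identifiers in support). The sample bodies and the contact values in them are constructed placeholders, not the real files.

```python
import json
from urllib.parse import urlparse

# Constructed samples mirroring the shape of the two files in the tutorial.
CLIENT_DOC = '{"m.homeserver": {"base_url": "https://matrix.gnulinux.club"}}'
SUPPORT_DOC = ('{"contacts": [{"matrix_id": "@admin:gnulinux.club", '
               '"email_address": "admin@example.org", "role": "m.role.admin"}], '
               '"support_page": "https://gnulinux.club/code-conduct.pdf"}')

# Roles defined by the Matrix spec for /.well-known/matrix/support contacts.
VALID_ROLES = {"m.role.admin", "m.role.security"}


def _load(text):
    """Parse JSON and insist on a top-level object; return (doc, problems)."""
    try:
        doc = json.loads(text)
    except ValueError as e:
        return None, [f"not valid JSON: {e}"]
    if not isinstance(doc, dict):
        return None, ["top level must be a JSON object"]
    return doc, []


def check_client(text):
    """Return a list of problems with a /.well-known/matrix/client body."""
    doc, problems = _load(text)
    if doc is None:
        return problems
    base = doc.get("m.homeserver", {}).get("base_url")
    if not base:
        return ["missing m.homeserver.base_url"]
    u = urlparse(base)
    if u.scheme != "https":
        problems.append("base_url must use https")
    if not u.netloc or u.path not in ("", "/"):
        problems.append("base_url should be scheme://host with no path")
    return problems


def check_support(text):
    """Return a list of problems with a /.well-known/matrix/support body."""
    doc, problems = _load(text)
    if doc is None:
        return problems
    contacts = doc.get("contacts", [])
    if not contacts and "support_page" not in doc:
        problems.append("need at least one contact or a support_page")
    for i, c in enumerate(contacts):
        if c.get("role") not in VALID_ROLES:
            problems.append(f"contact {i}: unknown role {c.get('role')!r}")
        if not (c.get("matrix_id") or c.get("email_address")):
            problems.append(f"contact {i}: needs matrix_id or email_address")
        mxid = c.get("matrix_id", "")
        if mxid and not (mxid.startswith("@") and ":" in mxid):
            problems.append(f"contact {i}: malformed matrix_id {mxid!r}")
    return problems
```

Run it against the files in /var/www/gnulinux.club/.well-known/matrix/ before restarting nginx; an empty list means the document passed.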
| |
Lastly, I also have a hot-spare in case my co-located hardware fails. | More updates below when they come. |
| |
--- //[[jonathan@haacksnetworking.org|oemb1905]] 2022/11/23 20:49// | --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/04/17 20:38// |