computing:synapse

computing:synapse [2022/11/20 06:11] oemb1905computing:synapse [2024/01/30 03:17] (current) oemb1905
Line 3: Line 3:
   * **Jonathan Haack**   * **Jonathan Haack**
   * **Haack's Networking**   * **Haack's Networking**
-  * **webmaster@haacksnetworking.org**+  * **webmaster@haacksnetworking.org** 
  
 ------------------------------------------- -------------------------------------------
Line 11: Line 11:
 ------------------------------------------- -------------------------------------------
  
-This tutorial is for users of Debian GNU/Linux who want to create their own [[https://matrix-org.github.io/synapse/latest/setup/installation.html|Synapse]] instance. The official documentation was pretty solid, but/and I also used some online tutorials, especially the one at [[https://docs.hackliberty.org/books/self-hosted-services/page/how-to-install-matrix-synapse-on-debian-11|Hack Liberty]]. Although I give credit to these sites, I must say that they both had tons of small to medium mistakes whichcombined with the complexity of the projectmade this a fairly challenging instance to createI am quite glad the VM is builtbacked up and tarballedOkay, so first, install synapse and add the gpg keys for their repoetc.:+This tutorial is for users of Debian GNU/Linux who want to create their own synapse/matrix instance. The  [[https://matrix-org.github.io/synapse/latest/setup/installation.html|official documentation]] was solid and the [[https://docs.hackliberty.org/books/self-hosted-services/page/how-to-install-matrix-synapse-on-debian-11|Hack Liberty]] tutorial had many great insights. I have everything up and running now with nginx except for the MTA/email functionality. Although I originally intended to use apache, I could not get the ProxyPass for .well-known to work and it could not federate, although everything else worked fine. I will solve that issue later and post an addenda here when I do. For now, let me step you through what I did. First, the prerequisites are to set up A records for your domains, and adjust to your needs. I established gnulinux.club, matrix.gnulinux.club, element.gnulinux.club, and jitsi.gnulinux.club. After those cached, I then shelled into my VM and established ufw rules for ssh, http, https, matrix, and jitsi: 
 + 
 +  sudo ufw allow 22                 
 +  sudo ufw allow 80                
 +  sudo ufw allow 443                                
 +  sudo ufw allow 8448               
 +  sudo ufw allow 10000/udp 
 +  sudo ufw allow 3478/udp 
 +  sudo ufw allow 5349/tcp   
 + 
 +You should also make sure that you have [[https://wiki.haacksnetworking.org/doku.php?id=computing:fail2ban|fail2ban]] installed and configured before proceeding. I would also recommend hardening your [[https://wiki.haacksnetworking.org/doku.php?id=computing:ssh|sshd_config]] file. Once those prerequisites are done, let's install nginx web server: 
 + 
 +  sudo apt install nginx 
 +  cd /etc/nginx/sites-enabled 
 +  cp default gnulinux.club 
 +  cp default matrix.gnulinux.club 
 +  cp default element.gnulinux.club 
 +   
 +You will notice that I did not create a server block for jitsi becuase it's installer script will take care of this automatically later on. Once these are created, delete everything in the block file except the [[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/nginx/http-block.com|basic http block]] and make some small edits: 
 + 
 +  nano /etc/nginx/sites-enabled/gnulinux.club 
 +  <server_name gnulinux.club;> 
 +  <root /var/www/gnulinux.club/;> 
 + 
 +The matrix.gnulinux.club block needs to have the proxy_pass directive set. To limit confusionI have just provided the config directly. Alsonote that web root is irrelevant for this block because it will not be serving any files directly but is merely sending requests back to matrix/localhost on port 8008.  
 +   
 +  nano /etc/nginx/sites-enabled/matrix.gnulinux.club 
 + 
 +[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/nginx/matrix-block.domain.com|matrix.gnulinux.club]] 
 +   
 +As for the element.gnulinux.club block (adjusted for your domain, of course), make sure to add directory to the end of the block directory itselfThis will help later when upgrades to Element come out, because you can just re-symlink the new update. We will do the symlink later when installing the package, for now: 
 + 
 +  nano /etc/nginx/sites-enabled/element.gnulinux.club 
 +  <server_name element.gnulinux.club;> 
 +  <root /var/www/element.gnulinux.club/element/;> 
 +  systemctl restart nginx 
 +   
 +Conduct a url request on gnulinux.club (adjusted for you) to ensure that your domain resolves and nginx is functioning properly. Once that's confirmedwe can now set up Let's Encrypt certs: 
 + 
 +  sudo apt install python3-certbot-nginx 
 +  certbot --nginx -d gnulinux.club -d matrix.gnulinux.club -d element.gnulinux.club 
 + 
 +Conduct another url request on gnulinux.club (adjusted for you) to ensure that your domain now has the TLS lock and redirected properlyOnce that's setupit is now time to install the matrix-synapse-py3 server. Always check the official documentation page for thisbut as of this installation, that was done as follows:
  
   sudo apt install -y lsb-release wget apt-transport-https   sudo apt install -y lsb-release wget apt-transport-https
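Review bot: the `sudo ufw allow 8448` rule is not needed for the setup this revision describes, since federation is delegated later in the same revision via `.well-known` to `matrix.gnulinux.club:443` and no SRV record or 8448 listener is configured; either drop it or note that it only applies to the SRV / direct-8448 path. The rules as written also open both TCP and UDP for 22, 80, 443 and 8448; `sudo ufw allow 22/tcp` (and likewise for the others) is the tighter form, matching the explicit `/udp` and `/tcp` suffixes used for the jitsi ports. Minor: `becuase it's installer script` should read `because its installer script`; `systemctl restart nginx` is the only command in that block run without `sudo`; and the matrix.gnulinux.club server block is only linked while the other two are shown inline, so a reader cannot check the `proxy_pass` target (the text says localhost port 8008) without leaving the page.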
Line 18: Line 60:
   sudo apt update   sudo apt update
   sudo apt install matrix-synapse-py3   sudo apt install matrix-synapse-py3
 +  <name of the server: gnulinux.club>
 +  <report statistics yes>
      
-You now need to install postgresql and create a database with a dedicated non-root user:+Verify that the matrix-synapse server is running with ''ps -aux | grep synapse'' and then move on to federating the server. To federate the server, you can either create a srv DNS record, or leverage .well-known. I chose the latter, and did the following: 
 + 
 +  mkdir -p /var/www/gnulinux.club/.well-known/matrix 
 +  cd /var/www/gnulinux.club/.well-known/matrix/ 
 +  nano server 
 +  <{ "m.server": "matrix.gnulinux.club:443" }> 
 +   
 +Once that's created, run curl and make sure the output matches what you specified in the server file: 
 + 
 +  curl -L https://gnulinux.club/.well-known/matrix/server 
 +  { "m.server": "matrix.gnulinux.club:443"
 + 
 +As long as that functions, you can now move on to installing Element. That involves making a web root directory of the server block, creating a dedicated user that owns and downloads the latest package (always check official release page), symlinking the current package to the location specified in the server block, and lastly configuring the config.json file for your domain and particular instance. Here goes: 
 + 
 +  mkdir /var/www/element.gnulinux.club/ 
 +  cd /var/www/elemenet.gnulinux.club/ 
 +  sudo useradd -m elementweb 
 +  <password> 
 +  sudo --user elementweb wget https://github.com/vector-im/element-web/releases/download/v1.10.12/element-v1.10.12.tar.gz 
 +  sudo --user elementweb tar -xvf element-v1.10.12.tar.gz 
 +  rm element-v1.10.12.tar.gz 
 +  cd /var/www/element.gnulinux.club/ 
 +  ln -s element-v1.10.12/ element 
 +  cd /var/www/element.gnulinux.club/element 
 +  cp config-sample.json config.json 
 +  nano config.json 
 +  <"base_url": "https://matrix.gnulinux.club",> 
 +  <"server_name": "gnulinux.club"> 
 + 
 +Once Element is installed, you need to enable registration. Matrix no longer allows unchallenged / non-tokened registration without an explicit override, so after seeing how involved token auth was, I added a [[https://developers.google.com/recaptcha/|Google Captcha v2]] instead. 
 + 
 +  sudo nano /etc/matrix-synapse/homserver.yaml 
 +  enable_registration: true [needs to be disabled when creating the db users from command line] 
 +  enable_registration_captcha: true 
 +  recaptcha_public_key: "yourmomspublickey" 
 +  recaptcha_private_key: "yourdadsprivatekey" #On Google, Turn verify origin off 
 +  registration_shared_secret: "yourcousinssharedsecret" 
 +  federation_client_minimum_tls_version: 1.2 
 +   
 +At this stage, you could theoretically add a user through the web GUI, however the instance is still using sqlite3 and I preferred something more robust. For that reason, I waited and first created a proper database and dedicated database user, both for scaling and hardening purposes:
  
   sudo apt install postgresql   sudo apt install postgresql
   sudo -u postgres bash   sudo -u postgres bash
-  createuser --pwprompt synapse_user +  createuser --pwprompt synapseusr 
-  createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse_user synapse+  createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapseusr synapsedb
   exit   exit
-   
-After creating the database, inform synapse of how to reach it in the ''pg_hba.conf'' file as follows: 
  
-  nano /etc/postgresql/13/main/pg_hba.conf +After recording the password you specified, make sure to configure ''homeserver.yaml'' to use the database instead of the default sqlite3 one.
-  <host    synapse     synapse_user    ::1/128     md5> +
-  sudo systemctl reload postgresql +
-   +
-It's now time to edit the file ''/etc/matrix-synapse/homeserver.yaml''. Remove the default database configuration, and replace it with the credentials you just made:+
  
 +  sudo nano /etc/matrix-synapse/homeserver.yaml
   <database:>   <database:>
   <name: psycopg2>   <name: psycopg2>
   <txn_limit: 10000>   <txn_limit: 10000>
   <args:>   <args:>
-    <user: synapse_user+    <user: synapseusr
-    <password: secretpassword+    <password: mommalovesU
-    <database: synapse>+    <database: synapsedb>
     <host: localhost>     <host: localhost>
     <port: 5432>     <port: 5432>
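Review bot: the Element download will fail as written: `mkdir /var/www/element.gnulinux.club/` creates the directory as the invoking (root) user, then `sudo --user elementweb wget ...` and `sudo --user elementweb tar -xvf ...` run as `elementweb`, which has no write access there; add a `chown elementweb: /var/www/element.gnulinux.club` (or create the directory as that user) before the download. Two commands in the same block are misspelled and will error: `cd /var/www/elemenet.gnulinux.club/` and `sudo nano /etc/matrix-synapse/homserver.yaml`. In the registration snippet, `enable_registration: true [needs to be disabled when creating the db users from command line]` puts a prose remark inside a YAML value; move it out of the config lines so it is not pasted into `homeserver.yaml`. The database snippet replaces the previous placeholder `secretpassword` with a concrete value `mommalovesU` on a public wiki page; keep a placeholder there, and treat `registration_shared_secret` the same way, since anyone holding that value can create accounts on the homeserver regardless of the captcha. Finally, `ps -aux | grep synapse` should be `ps aux | grep synapse`.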
Line 47: Line 125:
     <cp_max: 10>     <cp_max: 10>
  
-There are now some options that you can configure based on personal preference. Hack Liberty has its own recommendationsand I agreed with some and not with others. Moreover, I also found that Matrix/Synapse is currently requiring a stricter recipe for the yaml config than their template or even the official docs recommend. I was unable to get to the ''homeserver.yaml'' to work without adding a ''base_url'' line and a Google V2 challenge. Make sure to refer to Synapse's [[https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html|official docs]] for your use case and so that you understand what they each do. Here are the "optional" configurations that I have active, some of which I had to configure to make everything work:+After creating the databaseinform synapse of how to reach it in the ''pg_hba.conf'' file as follows:
  
-  public_baseurl: "https://gnulinux.club" +  nano /etc/postgresql/13/main/pg_hba.conf 
-  require_auth_for_profile_requeststrue +  <host    synapsedb     synapseusr    ::1/128     md5> 
-  limit_profile_requests_to_users_who_share_roomstrue +  sudo systemctl reload postgresql 
-  include_profile_data_on_invite: false + 
-  allow_public_rooms_over_federation: true +Check that the configuration you established is functioning by restarting the service with ''systemctl restart matrix-synapse''. As long as everything is functioning, you can now create an admin user. Temporarily comment out user registration on ''/etc/matrix-synapse/homeserver.yaml'' and restart the service again ''systemctl restart matrix-synapse'' in order to create the user. Notethe user creation will fail if you do not do this. 
-  allow_profile_lookup_over_federationtrue + 
-  allow_device_name_lookup_over_federation: true +  sudo -u postgres bash 
-  enable_registration: True +  register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://localhost:8008
-  enable_registration_captchaTrue +
-  recaptcha_public_key: "enter pub key here" +
-  recaptcha_private_key: "enter priv key here" +
-  registration_shared_secret"yourmomismykey"+
      
-In my case, matrix was not currently allowing un-challengedor un-tokened user registrationso adding the Google Challenge was required in order to make it functional.+Record the password you chose in a safe locationand then uncomment the user registration on ''/etc/matrix-synapse/homeserver.yaml'' again and once again restart the service ''systemctl restart matrix-synapse''. This is required because you cannot manually create users while the ''enable_registration: true'' parameter is active. Likelyyou will now want to also create a non-admin user for yourselfand the webgui is very convenient for this so just visit element.gnulinux.club and then register. Once you log in, make sure that you can access federated instances, spaces, and rooms. The last thing we need to do is add the ability for the server to send emails so users can recover accounts when needed via email. To do that, first make sure you have a working [[https://wiki.haacksnetworking.org/doku.php?id=computing:exim4|https://wiki.haacksnetworking.org/doku.php?id=computing:exim4]]email server. Please note that an incoming (IMAP) server is not needed, only outgoing (smtp/MTA). Once that is setup, add the following lines to your ''/etc/matrix-synapse/homeserver.yaml'' configuration:
  
-https://www.google.com/recaptcha/about/+  sudo nano /etc/matrix-synapse/homeserver.yaml 
 +  <public_baseurl: "https://matrix.gnulinux.club"> 
 +  <email:> 
 +    <smtp_host: haacksnetworking.org> 
 +    <smpt_port: 25> 
 +    <notif_from: "admin@gnulinux.club"> 
 +    <require_transport_security: true>
  
 +Again, note that there is no need to set up an incoming email server nor tolerate spam on the server you are sending to. In my case, my smtp server / MTA is a relay/MTA (only) with domains that are allowed to send through it explicitly white listed. Now that email is up, let's tweak the upload settings so that people can upload images that are larger than a megabyte and have reasonable purge directives:
  
 +  sudo nano /etc/matrix-synapse/homeserver.yaml
 +  <max_upload_size: 1000M>
 +  <dynamic_thumbnails: true>
 +  <media_retention:>
 +      <local_media_lifetime: 90d>
 +      <remote_media_lifetime: 14d>
 +      
 +Also, make sure to add the following line of code within each nginx http server block:
      
 +  <client_max_body_size 1000M;>
 +
 +Alright, so now it's time to carry on with setting up jitsi. Again, as with element and matrix, always check the [[https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart/|official documentation]] for the latest releases/gpg keys, etc.:
 +
 +  curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
 +  echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
 +  sudo apt update
 +  sudo apt install jitsi-meet
 +  <enter domain jitsi.gnulinux.club>
 +  <generate self-signed>
 +  
 +Once the install finishes, let's create let's encrypt using the official script from Jitsi, which will automatically configure a turn server and create a server block in nginx for us:
 +
 +  /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
 +  
 +We now need to configure Element to use jitsi, which we do as follows:
 +
 +  nano /var/www/element.gnulinux.club/element/config.json
 +  <"preferredDomain": "jitsi.gnulinux.club">
 +  systemctl restart matrix-synapse
 +  
 +You can verify that jitsi is working by ''ps -aux | jitsi'' and then visit jitsi.gnulinux.club (adjusted for your domain) to verify you can create and join a new meeting. Additionally, you can navigate to ''etc/turnserver.conf'' to see the entries jitsi created and likewise verify the server block it created at ''/etc/nginx/sites-enabled/jitsi.gnulinux.club''. To upgrade, find the latest release, and download it:
 +
 +  https://github.com/element-hq/element-web/releases
 +  wget https://github.com/element-hq/element-web/releases/download/v1.11.55/element-v1.11.55.tar.gz
 +  tar -xvf element-v1.11.55.tar.gz
 +  cd /var/www/gnulinux.club/element
 +  cp -ar config.json ../
 +  ln -s element-v1.10.12/ element
 +  
 +Make sure to have .well-knowns established for client and support as well:
 +  
 +  sudo touch /var/www/gnulinux.club/.well-known/matrix/client
 +  
 +With the following:
 +  
 +  {
 +    "m.homeserver": {
 +        "base_url": "https://matrix.gnulinux.club"
 +    }
 +  }
 +  
 +Also identify support:
 +  
 +  sudo touch /var/www/gnulinux.club/.well-known/matrix/support
 +
 +With the following:
 +
 +  {"contacts": [{"matrix_id": "@oemb1905:gnulinux.club", "email_address": "webmaster@haacksnetworking.org","club.gnulinux.phone_number": "+13105651874", "role": "m.role.admin"}],"support_page": "https://gnulinux.club/code-conduct.pdf"}
 +
 +Finally, make sure that browsers don't download these by adding a location to your TLD block:
 +
 +  location /.well-known/matrix {
 +    allow all;
 +    add_header access-control-allow-origin *;
 +    add_header content-type application/json;
 +  }
  
 +More updates below when they come.
  
- --- //[[jonathan@haacksnetworking.org|oemb1905]] 2022/11/19 22:17//+ --- //[[jonathan@haacksnetworking.org|oemb1905]] 2024/01/30 03:09//
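Review bot: the upgrade block (from `https://github.com/element-hq/element-web/releases` through `ln -s element-v1.10.12/ element`) does not produce a working upgrade: the tarball is extracted in the current directory rather than in `/var/www/element.gnulinux.club/`, `cd /var/www/gnulinux.club/element` is not the web root used during the install (`/var/www/element.gnulinux.club/element`), `cp -ar config.json ../` saves the old config but nothing copies it into `element-v1.11.55/`, and the final `ln -s element-v1.10.12/ element` names the old version; since `element` already exists as a link to a directory, `ln -s` would create the new link inside it rather than replace it, so `ln -sfn element-v1.11.55/ element` is needed. The download and extraction also run as root, whereas the install ran them as `elementweb`. In the `.well-known` nginx location, `add_header content-type application/json;` adds a second Content-Type header next to the one nginx derives from the file type; use `default_type application/json;` inside that location instead. In the email block, `smpt_port: 25` is a typo for `smtp_port`. `register_new_matrix_user` is run from `sudo -u postgres bash`, but it has to read `/etc/matrix-synapse/homeserver.yaml` (which holds `registration_shared_secret`) and the `postgres` account has no reason to be granted that; run it with `sudo` as root instead. Also `ps -aux | jitsi` is missing `grep`, `etc/turnserver.conf` is missing its leading `/`, the `systemctl restart matrix-synapse` after editing Element's `config.json` is unnecessary (Element is static files served by nginx, so no service reads that file), and with `max_upload_size: 1000M` plus `client_max_body_size 1000M;` any registered user can store up to 1 GB per upload, so the `media_retention` lifetimes are what actually bounds disk use and deserve a sentence saying so.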
computing/synapse.1668924680.txt.gz · Last modified: 2022/11/20 06:11 by oemb1905