
How I Installed matrix-synapse

1. Set your DNS records.

2. Spin up a beefy container.

  • RAM: 4 GiB
  • Swap: 8 GiB
  • Cores: 4
  • Root disk space: 180 GiB

3. Install matrix-synapse stable.

Follow this guide.

I found the trickiest bit to be installing the matrix-synapse repositories, which is not very tricky.

# Tools needed to add a third-party apt repository.
sudo apt install --yes lsb-release wget apt-transport-https

# Store the matrix.org archive key in its own keyring file rather than the
# global apt trust store.
# NOTE(review): the key is trusted as downloaded; compare its fingerprint with
# the one published in the Synapse installation docs before running apt update.
sudo wget \
    --output-document=/usr/share/keyrings/matrix-org-archive-keyring.gpg \
    https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg

# signed-by ties this source to that keyring only, so the key cannot vouch for
# packages from any other repository.
printf '%s\n' "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release --codename --short) main" \
    | sudo tee /etc/apt/sources.list.d/matrix-org.list

# Refresh the package index so the new source is visible, then install Synapse.
sudo apt update
sudo apt install matrix-synapse-py3

4. Install PostgreSQL.

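They said not to use SQLite in production, so I installed PostgreSQL inside the server container.

I will migrate it to a separate container later. The port is exposed within the Proxmox environment, so on the Synapse side the change should amount to swapping the database host from something like localhost to matrix-db.pluto.sks.lan. PostgreSQL itself will also need to accept connections from the Synapse container (listen_addresses plus a matching pg_hba.conf entry), because it will no longer be reached over loopback.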

Follow this guide.

5. Final homeserver.yaml configuration.

root@matrix:~# cat /etc/matrix-synapse/homeserver.yaml 
# Configuration file for Synapse.
#
# This is set in /etc/matrix-synapse/conf.d/server_name.yaml for Debian installations.
# server_name: "SERVERNAME"
#
# Secrets in this listing (database credentials, macaroon_secret_key,
# registration_shared_secret, SMTP credentials) are redacted with X's. The real
# file holds them in clear text, so it should be readable only by root and the
# Synapse service user.

pid_file: "/var/run/matrix-synapse.pid"
# One plain-HTTP listener (tls: false) serving every resource below; TLS is
# terminated by the nginx reverse proxy shown later on this page.
# NOTE(review): no bind_addresses is set, and nginx reaches this port from
# another host. Confirm which interfaces Synapse binds and firewall 8008 so that
# only the reverse proxy can connect.
listeners:
  - port: 8008
    resources:
    - compress: false
      names:
      - client
      - federation
      - media
      # NOTE(review): metrics shares the listener with the public APIs. The nginx
      # location on this page forwards only /_matrix and /_synapse/client, so
      # metrics should not be reachable through the proxy; verify that direct
      # access to 8008 is restricted as well.
      - metrics
      - static
      - health
    tls: false
    type: http
    # Client IPs are taken from X-Forwarded-For. Anything that can reach this
    # port directly can therefore claim an arbitrary source address.
    x_forwarded: true
database:
  name: psycopg2
  args:
    user: XXXXXXXXXXXXXXX
    password: XXXXXXXXXXXXXXXXX
    dbname: XXXXXXXXXXXXXXXXX
    # Database runs in the same container, so this traffic stays on loopback.
    host: localhost
    cp_min: 5
    cp_max: 10
log_config: "/etc/matrix-synapse/log.yaml"
media_store_path: /var/lib/matrix-synapse/media
# Private key this server signs federation traffic with; back it up and keep it
# unreadable to other users.
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
trusted_key_servers:
  - server_name: "matrix.org"
macaroon_secret_key: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
public_baseurl: "https://solarpunk.au/"
serve_server_wellknown: true
# Open self-registration. An email address is required via
# registrations_require_3pid below.
# NOTE(review): enable_registration_without_verification is the override that
# permits open registration with no email/captcha/token check at all. With the
# email requirement in place it looks unnecessary here; confirm, and drop it so
# that removing the 3pid requirement later cannot silently open registration.
enable_registration: true
enable_registration_without_verification: true
registrations_require_3pid:
  - email
# Anyone holding this secret can create accounts, including admin accounts,
# even when registration is otherwise disabled.
registration_shared_secret: "XXXXXXXXXXXXXXXXXXX"
# The two allow_public_rooms_* settings publish the public room directory to
# other homeservers and to unauthenticated clients respectively.
allow_public_rooms_over_federation: true
web_client_location: "https://app.element.io/"
allow_public_rooms_without_auth: true
admin_contact: 'mailto:vidak@member.fsf.org'
# Keep in step with client_max_body_size in the nginx proxy configuration.
max_upload_size: 100M

# Outbound mail for notifications, email validation and password resets.
email:
  smtp_host: "mail.riseup.net"
  smtp_port: 465
  smtp_user: "XXXXXXXXXXXXXXXXXXXXXXXXx"
  smtp_pass: "XXXXXXXXXXXXXX"
  # force_tls starts TLS from the first byte (implicit TLS, matching port 465),
  # and require_transport_security refuses to send if TLS cannot be established,
  # so the SMTP credentials are never sent in clear text.
  require_transport_security: true
  enable_tls: true
  force_tls: true
  notif_from: "Your Friendly %(app)s homeserver <moraleconomyinitiative@riseup.net>"
  app_name: "solarpunk.au matrix server"
  enable_notifs: true
  notif_for_new_users: false
  # Emailed validation links expire after 15 minutes.
  validation_token_lifetime: 15m
  invite_client_location: https://app.element.io

  # Subject-line templates; %(...)s placeholders are filled in by Synapse.
  subjects:
    message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
    message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
    messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
    messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
    messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
    messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
    invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
    invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
    password_reset: "[%(server_name)s] Password reset"
    email_validation: "[%(server_name)s] Validate your email"

Final NGINX configuration

vidak@nginx:~$ cat /etc/nginx/sites-enabled/default 
# Default server configuration
#
# TLS front end for solarpunk.au: terminates HTTPS on 443 and on 8448 (the
# default Matrix federation port), forwards the Matrix API paths to Synapse,
# and answers the two .well-known discovery requests with static JSON.
server {

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name solarpunk.au;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/solarpunk.au/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/solarpunk.au/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Federation port, served with the same certificate as 443.
    listen 8448 ssl default_server;
    listen [::]:8448 ssl default_server;

    # Only these two path prefixes reach Synapse; other /_synapse/ paths are
    # not forwarded by this block.
    location ~ ^(/_matrix|/_synapse/client) {
        # note: do not add a path (even a single /) after the port in `proxy_pass`,
        # otherwise nginx will canonicalise the URI and cause signature verification
        # errors.
        # NOTE(review): the hop to the backend is plain HTTP, so Matrix traffic is
        # unencrypted between this proxy and the Synapse container. Confirm that
        # network segment is trusted and not reachable by other tenants.
        proxy_pass http://matrix.pluto.sks.lan:8008;
        # $remote_addr replaces any X-Forwarded-For value the client sent, so the
        # backend sees the address of the peer that actually connected to nginx.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host:$server_port;

        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 100M;
    
    # Synapse responses may be chunked, which is an HTTP/1.1 feature.
    proxy_http_version 1.1;
    }

# Client discovery document. The wildcard CORS header lets web clients hosted
# on other origins read it; the body is public, static data.
location /.well-known/matrix/client {
    return 200 '{"m.homeserver": {"base_url": "https://solarpunk.au"}}';
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
}

# Server discovery document: tells other homeservers to federate over 443.
location /.well-known/matrix/server {
        return 200 '{"m.server": "solarpunk.au:443"}';
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }


}

# Plain-HTTP listener on port 80: requests for solarpunk.au are redirected to
# HTTPS, and any other Host gets a 404, so nothing is served in clear text.
server {
    if ($host = solarpunk.au) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 default_server;
        listen [::]:80 default_server;

        server_name solarpunk.au;
    return 404; # managed by Certbot


}
