From dde3bfaad402f55ab77ef07a9ddd3acf7a9165dd Mon Sep 17 00:00:00 2001
From: Hans van Zijst <hans@woefdram.nl>
Date: Sun, 22 Dec 2024 17:07:39 +0100
Subject: [PATCH] Updated some stuff about directory and systemd.

---
 matrix/synapse/workers.md | 44 +++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/matrix/synapse/workers.md b/matrix/synapse/workers.md
index 8654bda0..3d9d42a2 100644
--- a/matrix/synapse/workers.md
+++ b/matrix/synapse/workers.md
@@ -20,7 +20,10 @@ themselves. Redirect specific tasks to them and you have several different
 servers doing all kinds of tasks at the same time. A busy room will no longer
 freeze the rest.
 
-Workers communicate with each other via socket files and Redis.
+Workers communicate with each other via UNIX sockets and Redis. We choose
+UNIX sockets because they're much more efficient than network sockets. Of
+course, if you scale to more than one machine, you will need network sockets
+instead.
 
 **Important note**
 
@@ -46,7 +49,8 @@ examples.
 
 # Redis
 
-First step is to install Redis.
+Workers need Redis as part of their communication, so our first step is
+to install Redis.
 
 ```
 apt install redis-server
@@ -65,33 +69,47 @@ unixsocketperm 770
 
 Our matrix user (`matrix-synapse`) has to be able to read from and write to
 that socket, which is created by Redis and owned by `redis:redis`, so we add
-user `matrix-synapse` to the group `redis`.
+user `matrix-synapse` to the group `redis`. You may come up with a
+finer-grained permission solution, but for our example this will do.
 
 ```
 adduser matrix-synapse redis
 ```
 
-Restart Redis for these changes to take effect. Check if port 6379 is no
-longer active, and if the socketfile `/run/redis/redis-server.sock` exists.
+Restart Redis for these changes to take effect. Check for error messages in
+the logs, if port 6379 is no longer active, and if the socketfile
+`/run/redis/redis-server.sock` exists.
 
 
 # Synapse
 
 Workers communicate with each other over sockets, that are all placed in one
 directory. To make sure only the users that need access will have it, we
-create a new group and add the users to it.
+create a new group and add the users to it. Remember that nginx needs to be
+able to write to many of these sockets.
 
-Then, create the directory where all the socket files for workers will come,
-and give it the correct user, group and permission:
+Then, make sure systemd creates the directory for the sockets as soon as
+Synapse starts, and let it have the correct group.
 
 ```
-groupadd --system clubmatrix
-useradd matrix-synapse clubmatrix
-useradd www-data clubmatrix
-mkdir /run/matrix-synapse
-dpkg-statoverride --add --update matrix-synapse clubmatrix 2770 /run/matrix-synapse
+systemctl edit matrix-synapse
 ```
 
+Now override parts of the `Service` stanza to look like this:
+
+```
+[Service]
+User=matrix-synapse
+Group=clubmatrix
+RuntimeDirectory=matrix-synapse
+RuntimeDirectoryPreserve=yes
+```
+
+Synapse will, from now on, run as group `clubmatrix` instead of
+`matrix-synapse`. The directory `/run/matrix-synapse` will be created as soon
+as Synapse starts, and will not be removed on restart or stop, because that
+would create problems with workers who suddenly lose their sockets.
+
 First we change Synapse from listening on `localhost:8008` to listening on a
 socket. We'll do most of our workers work in `conf.d/listeners.yaml`, so let's
 put the new configuration for the main proccess there: