Add 'matrix/' from commit '0a991a5140236eda995e05b5e1a5c38ed54b7a60'

git-subtree-dir: matrix
git-subtree-mainline: c1d2cdc7c1
git-subtree-split: 0a991a5140

matrix/.gitignore

@@ -0,0 +1,34 @@
+# Eerst: GEEN PDF/PS IN GIT!
+*.pdf
+*.ps
+
+# ---> LyX
+# Ignore LyX backup and autosave files
+# http://www.lyx.org/
+*.lyx~
+*.lyx#
+
+# ---> Vim
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# En geen vaults
+/ansible/group_vars/matrix/vault.yaml
+

matrix/README.md

@@ -0,0 +1,51 @@
+---
+gitea: none
+include_toc: true
+---
+
+# A complete Matrix installation
+
+This is going to be a Matrix installation with all bells and whistles. Not
+just the server, but every other bit that you need or want.
+
+We're building it with workers, so it will scale.
+
+## Overview
+
+A complete Matrix environment consists of many parts. Other than the Matrix
+server itself (Synapse) there are all kinds of other things that we need:
+
+* [Synapse](https://element-hq.github.io/synapse/latest/)
+* Webclient ([Element Web](https://github.com/element-hq/element-web))
+* [Element Call](https://github.com/element-hq/element-call) for audio/video
+conferencing
+* Management with [Synapse-Admin](https://github.com/Awesome-Technologies/synapse-admin)
+* Moderation with [Draupnir](https://github.com/the-draupnir-project/Draupnir)
+* [Consent
+tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html)
+* Authentication via
+[OpenID](https://element-hq.github.io/synapse/latest/openid.html)
+* Several [bridges](https://matrix.org/ecosystem/bridges/)
+
+
+# Synapse
+
+This is the core component: the Matrix server itself.
+
+Installation and configuration is documented under [synapse](synapse).
+
+
+# TURN
+
+We may need a TURN server, and we'll use
+[coturn](https://github.com/coturn/coturn) for that.
+
+It's apparently also possible to use the built-in TURN server in Livekit,
+which we'll use if we use [Element Call](call). It's either/or, so make sure
+you pick the right approach.
+
+
+# Wiki
+
+Of course there's a wiki in this repository.
+

matrix/call/README.md

@@ -0,0 +1,16 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Element Call
+
+Element Call enables users to have audio and videocalls with groups, while
+maintaining full E2E encryption.
+
+It requires several bits of software and entries in .well-known/matrix/client
+
+This bit is for later, but here's a nice bit of documentation to start:
+
+https://sspaeth.de/2024/11/sfu/
+

matrix/firewall/README.md

@@ -0,0 +1,13 @@
+# Firewall
+
+This page is mostly a placeholder for now, but configuration of the firewall
+is -of course- very important.
+
+First idea: the ports that need to be opened are:
+
+
+| Port(s) / range | Protocol | Application |
+| :--: | :--: | :-- |
+| 80, 443 | TCP | Reverse proxy |
+| 8443 | TCP | Synapse, federation |
+

matrix/nginx/README.md

@@ -0,0 +1,131 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Reverse proxy with nginx
+
+Clients connecting from the Internet to our Matrix environment will usually
+use SSL/TLS to encrypt whatever they want to send. This is one thing that
+nginx does better than Synapse.
+
+Furthermore, granting or denying access to specific endpoints is much easier
+in nginx.
+
+Synapse listens only on localhost, so nginx has to pass connections on from
+the wild west that is the Internet to our server listening on the inside.
+
+
+# Installing
+
+Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
+easy:
+
+```
+apt install nginx python3-certbot-nginx
+```
+
+Get your certificate:
+
+```
+certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
+```
+
+Substitute the correct e-mailaddress and FQDN, or course.
+
+
+# Configuration
+
+Almost all traffic should be encrypted, so a redirect from http to https seems
+like a good idea.
+
+However, `.well-known/matrix/client` has to be available via http and https,
+so that should *NOT* be redirected to https. Some clients don't understand the
+redirect and will therefore not find the server if you redirect everything.
+
+Under the `server_name` (the "domain name", the part after the username) you
+will need a configuration like this:
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/ssl/dhparams.pem;
+
+    server_name matrixdev.procolix.com;
+
+    location /.well-known/matrix/client {
+       return 200 '{
+          "m.homeserver": {"base_url": "https://vm02199.procolix.com"},
+          "org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
+       }';
+       default_type application/json;
+    }
+
+    location /.well-known/matrix/server {
+       return 200 '{"m.server": "vm02199.procolix.com"}';
+       default_type application/json;
+    }
+
+    location / {
+      if ($scheme = http) {
+        return 301 https://$host$request_uri;
+      }
+    }
+
+    access_log /var/log/nginx/matrixdev-access.log;
+    error_log /var/log/nginx/matrixdev-error.log;
+
+}
+```
+
+This defines a server that listens on both http and https. It hands out two
+.well-known entries over both http and https, and every other request over
+http is forwarded to https.
+
+Be sure to substitute the correct values for `server_name`, `base_url` and the
+certificate files.
+
+For the actual proxy in front of Synapse, this is what you need:
+
+```
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	# For the federation port
+	listen 8448 ssl default_server;
+	listen [::]:8448 ssl default_server;
+
+	ssl_certificate /etc/letsencrypt/live/vm02199.procolix.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/vm02199.procolix.com/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/ssl/dhparams.pem;
+
+	server_name vm02199.procolix.com;
+
+	location ~ ^(/_matrix|/_synapse/client) {
+		proxy_pass http://localhost:8008;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+		client_max_body_size 50M;
+		proxy_http_version 1.1;
+	}
+
+}
+```
+
+Again, substitute the correct values. Don't forget to open the relevant ports
+in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
+
+
+# Firewall
+
+For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).

matrix/postgresql/README.md

@@ -0,0 +1,82 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Installing PostgreSQL and creating database and user
+
+Installing [PostgreSQL](https://www.postgresql.org/) on Debian is very easy:
+
+```
+apt install postgresql python3-psycopg
+
+sudo -u postgres bash
+
+createuser --pwprompt synapse
+createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse synapse
+
+```
+
+After this, PostgreSQL is installed, the database `synapse` exists and so does
+the database user `synapse`. Make sure you choose a strong password.
+
+
+# Configuring access
+
+After a clean installation, PostgreSQL will listen on localhost, both IPv4 and
+IPv6 (if available). In many cases, this is exactly what you want.
+
+## Network
+
+PostgreSQL will listen on localhost, this is configured in
+`/etc/postgresql/<version>/main/postgresql.conf`:
+
+```
+listen_addresses = 'localhost'
+```
+
+This line is usually commented out, but as it is the default, it's really
+there.
+
+
+## UNIX socket
+
+If you want PostgreSQL to listen only to a local UNIX socket (more efficient
+than network and -depending on the configuration of the rest of you system-
+easier to protect), make the aforementioned option explicitly empty and
+uncomment it:
+
+```
+listen_addresses = ''
+```
+
+Check these options to make sure the socket is placed in the right spot and
+given the correct permissions:
+
+```
+unix_socket_directories = '/var/run/postgresql'
+#unix_socket_group = ''
+#unix_socket_permissions = 0777
+```
+
+
+## Permissions
+
+Add permission for the user to connect to the database from localhost (if
+PostgreSQL listens on localhost), or the socket (if you use that). This is
+configured in `/etc/postgresql/<version>/main/pg_hba.conf`:
+
+```
+local    synapse     synapse     password                     # for use with UNIX sockets
+host     synapse     synapse     localhost       md5          # for use with localhost network
+```
+
+Make sure you add these lines under the one that gives access to the postgres
+superuser, the first line.
+
+
+# Tuning
+
+This is for later, check [Tuning your PostgreSQL Server](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server)
+on the PostgreSQL wiki.
+

matrix/synapse/README.md

@@ -0,0 +1,120 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Installation and configuration of Synapse
+
+Mind you: this an installation on Debian Linux (at least for now).
+
+Start by installing the latest Synapse server, see the [upstream
+documentation](https://element-hq.github.io/synapse/latest/setup/installation.html).
+
+```
+apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \
+               python3-pip python3-setuptools sqlite3 \
+               libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev
+
+wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+
+echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" |
+    tee /etc/apt/sources.list.d/matrix-org.list
+
+apt update
+apt install matrix-synapse-py3
+```
+
+This leaves a very basic configuration in `/etc/matrix-synapse/homeserver.yaml`
+and  two settings under `/etc/conf.d`. All other configuration items will also
+be configured with yaml-files in this directory.
+
+Configure the domain you with to use in `/etc/matrix-synapse/conf.d/server_name.yaml`.
+What you configure here will also be the global part of your Matrix handles
+(the part after the colon).
+
+You now have a standard Matrix server that uses sqlite. You really don't want
+to use this in production, so probably want to replace this with PostgreSQL.
+
+There are two different ways to configure Synapse, documented here:
+
+* [Monolithic](monolithic)
+* [Workers](workers)
+
+We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable.
+
+
+## Listeners
+
+A fresh installation configures one listener, for both client and federation
+traffic. This listens on port 8008 on localhost (IPv4 and IPv6) and does not
+do TLS:
+
+```
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client, federation]
+        compress: false
+```
+
+
+
+
+# Database
+
+The default installation leaves you with an sqlite3 database. Nice for experimenting, but
+unsuitable for a production environment.
+
+[Here's how you setup PostgreSQL](../postgresql).
+
+Once you've created a database and user in PostgreSQL, you configure Synapse
+to use it.
+
+First delete (or comment out) the SQLITE datbase in `homeserver.yaml`:
+
+```
+#database:
+#  name: sqlite3
+#  args:
+#    database: /var/lib/matrix-synapse/homeserver.db
+```
+
+Then create the database configuration for PostgreSQL in
+`conf.d/database.yaml`:
+
+```
+database:
+  name: psycopg2
+  args:
+    user: synapse
+    password: <password>
+    dbname: synapse
+    host: /var/run/postgresql
+    cp_min: 5
+    cp_max: 10
+```
+
+Note: you configure the directory where the UNIX socket file lives, not the
+actual file.
+
+Of course, if you use localhost, you should configure it like this:
+
+```
+    host: localhost
+    port: 5432
+```
+
+After changing the database, restart Synapse and check whether it can connect
+and create the tables it needs.
+
+
+# Logging
+
+Logging is configured in `log.yaml`. Some logging should go to systemd, the
+more specific logging to Synapse's own logfile(s).
+
+

matrix/synapse/monolithic/README.md

@@ -0,0 +1,10 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Standard, monolithic configuration
+
+This configuration will be enough for most installations.
+
+

matrix/synapse/workers/README.md

@@ -0,0 +1,11 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Advanced configuration with workers
+
+This configuration allows optimizing performance, meant for big, busy
+installations.
+
+