diff --git a/matrix/.gitignore b/matrix/.gitignore new file mode 100644 index 0000000..c234679 --- /dev/null +++ b/matrix/.gitignore @@ -0,0 +1,34 @@ +# Eerst: GEEN PDF/PS IN GIT! +*.pdf +*.ps + +# ---> LyX +# Ignore LyX backup and autosave files +# http://www.lyx.org/ +*.lyx~ +*.lyx# + +# ---> Vim +# Swap +[._]*.s[a-v][a-z] +!*.svg # comment out if you don't need vector files +[._]*.sw[a-p] +[._]s[a-rt-v][a-z] +[._]ss[a-gi-z] +[._]sw[a-p] + +# Session +Session.vim +Sessionx.vim + +# Temporary +.netrwhist +*~ +# Auto-generated tag files +tags +# Persistent undo +[._]*.un~ + +# En geen vaults +/ansible/group_vars/matrix/vault.yaml + diff --git a/matrix/README.md b/matrix/README.md new file mode 100644 index 0000000..1d564cb --- /dev/null +++ b/matrix/README.md @@ -0,0 +1,51 @@ +--- +gitea: none +include_toc: true +--- + +# A complete Matrix installation + +This is going to be a Matrix installation with all bells and whistles. Not +just the server, but every other bit that you need or want. + +We're building it with workers, so it will scale. + +## Overview + +A complete Matrix environment consists of many parts. Other than the Matrix +server itself (Synapse) there are all kinds of other things that we need: + +* [Synapse](https://element-hq.github.io/synapse/latest/) +* Webclient ([Element Web](https://github.com/element-hq/element-web)) +* [Element Call](https://github.com/element-hq/element-call) for audio/video +conferencing +* Management with [Synapse-Admin](https://github.com/Awesome-Technologies/synapse-admin) +* Moderation with [Draupnir](https://github.com/the-draupnir-project/Draupnir) +* [Consent +tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) +* Authentication via +[OpenID](https://element-hq.github.io/synapse/latest/openid.html) +* Several [bridges](https://matrix.org/ecosystem/bridges/) + + +# Synapse + +This is the core component: the Matrix server itself. + +Installation and configuration is documented under [synapse](synapse). + + +# TURN + +We may need a TURN server, and we'll use +[coturn](https://github.com/coturn/coturn) for that. + +It's apparently also possible to use the built-in TURN server in Livekit, +which we'll use if we use [Element Call](call). It's either/or, so make sure +you pick the right approach. + + +# Wiki + +Of course there's a wiki in this repository. + diff --git a/matrix/call/README.md b/matrix/call/README.md new file mode 100644 index 0000000..049dcb5 --- /dev/null +++ b/matrix/call/README.md @@ -0,0 +1,16 @@ +--- +gitea: none +include_toc: true +--- + +# Element Call + +Element Call enables users to have audio and videocalls with groups, while +maintaining full E2E encryption. + +It requires several bits of software and entries in .well-known/matrix/client + +This bit is for later, but here's a nice bit of documentation to start: + +https://sspaeth.de/2024/11/sfu/ + diff --git a/matrix/firewall/README.md b/matrix/firewall/README.md new file mode 100644 index 0000000..7d0f09f --- /dev/null +++ b/matrix/firewall/README.md @@ -0,0 +1,13 @@ +# Firewall + +This page is mostly a placeholder for now, but configuration of the firewall +is -of course- very important. + +First idea: the ports that need to be opened are: + + +| Port(s) / range | Protocol | Application | +| :--: | :--: | :-- | +| 80, 443 | TCP | Reverse proxy | +| 8443 | TCP | Synapse, federation | + diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md new file mode 100644 index 0000000..10a30b4 --- /dev/null +++ b/matrix/nginx/README.md @@ -0,0 +1,131 @@ +--- +gitea: none +include_toc: true +--- + +# Reverse proxy with nginx + +Clients connecting from the Internet to our Matrix environment will usually +use SSL/TLS to encrypt whatever they want to send. This is one thing that +nginx does better than Synapse. + +Furthermore, granting or denying access to specific endpoints is much easier +in nginx. + +Synapse listens only on localhost, so nginx has to pass connections on from +the wild west that is the Internet to our server listening on the inside. + + +# Installing + +Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is +easy: + +``` +apt install nginx python3-certbot-nginx +``` + +Get your certificate: + +``` +certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com +``` + +Substitute the correct e-mailaddress and FQDN, or course. + + +# Configuration + +Almost all traffic should be encrypted, so a redirect from http to https seems +like a good idea. + +However, `.well-known/matrix/client` has to be available via http and https, +so that should *NOT* be redirected to https. Some clients don't understand the +redirect and will therefore not find the server if you redirect everything. + +Under the `server_name` (the "domain name", the part after the username) you +will need a configuration like this: + +``` +server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + + ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/ssl/dhparams.pem; + + server_name matrixdev.procolix.com; + + location /.well-known/matrix/client { + return 200 '{ + "m.homeserver": {"base_url": "https://vm02199.procolix.com"}, + "org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"} + }'; + default_type application/json; + } + + location /.well-known/matrix/server { + return 200 '{"m.server": "vm02199.procolix.com"}'; + default_type application/json; + } + + location / { + if ($scheme = http) { + return 301 https://$host$request_uri; + } + } + + access_log /var/log/nginx/matrixdev-access.log; + error_log /var/log/nginx/matrixdev-error.log; + +} +``` + +This defines a server that listens on both http and https. It hands out two +.well-known entries over both http and https, and every other request over +http is forwarded to https. + +Be sure to substitute the correct values for `server_name`, `base_url` and the +certificate files. + +For the actual proxy in front of Synapse, this is what you need: + +``` +server { + listen 443 ssl; + listen [::]:443 ssl; + + # For the federation port + listen 8448 ssl default_server; + listen [::]:8448 ssl default_server; + + ssl_certificate /etc/letsencrypt/live/vm02199.procolix.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/vm02199.procolix.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/ssl/dhparams.pem; + + server_name vm02199.procolix.com; + + location ~ ^(/_matrix|/_synapse/client) { + proxy_pass http://localhost:8008; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + client_max_body_size 50M; + proxy_http_version 1.1; + } + +} +``` + +Again, substitute the correct values. Don't forget to open the relevant ports +in the firewall. Ports 80 and 443 may already be open, 8448 is probably not. + + +# Firewall + +For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall). diff --git a/matrix/postgresql/README.md b/matrix/postgresql/README.md new file mode 100644 index 0000000..ae86a94 --- /dev/null +++ b/matrix/postgresql/README.md @@ -0,0 +1,82 @@ +--- +gitea: none +include_toc: true +--- + +# Installing PostgreSQL and creating database and user + +Installing [PostgreSQL](https://www.postgresql.org/) on Debian is very easy: + +``` +apt install postgresql python3-psycopg + +sudo -u postgres bash + +createuser --pwprompt synapse +createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse synapse + +``` + +After this, PostgreSQL is installed, the database `synapse` exists and so does +the database user `synapse`. Make sure you choose a strong password. + + +# Configuring access + +After a clean installation, PostgreSQL will listen on localhost, both IPv4 and +IPv6 (if available). In many cases, this is exactly what you want. + +## Network + +PostgreSQL will listen on localhost, this is configured in +`/etc/postgresql//main/postgresql.conf`: + +``` +listen_addresses = 'localhost' +``` + +This line is usually commented out, but as it is the default, it's really +there. + + +## UNIX socket + +If you want PostgreSQL to listen only to a local UNIX socket (more efficient +than network and -depending on the configuration of the rest of you system- +easier to protect), make the aforementioned option explicitly empty and +uncomment it: + +``` +listen_addresses = '' +``` + +Check these options to make sure the socket is placed in the right spot and +given the correct permissions: + +``` +unix_socket_directories = '/var/run/postgresql' +#unix_socket_group = '' +#unix_socket_permissions = 0777 +``` + + +## Permissions + +Add permission for the user to connect to the database from localhost (if +PostgreSQL listens on localhost), or the socket (if you use that). This is +configured in `/etc/postgresql//main/pg_hba.conf`: + +``` +local synapse synapse password # for use with UNIX sockets +host synapse synapse localhost md5 # for use with localhost network +``` + +Make sure you add these lines under the one that gives access to the postgres +superuser, the first line. + + +# Tuning + +This is for later, check [Tuning your PostgreSQL Server](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server) +on the PostgreSQL wiki. + diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md new file mode 100644 index 0000000..a0835d6 --- /dev/null +++ b/matrix/synapse/README.md @@ -0,0 +1,120 @@ +--- +gitea: none +include_toc: true +--- + +# Installation and configuration of Synapse + +Mind you: this an installation on Debian Linux (at least for now). + +Start by installing the latest Synapse server, see the [upstream +documentation](https://element-hq.github.io/synapse/latest/setup/installation.html). + +``` +apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \ + python3-pip python3-setuptools sqlite3 \ + libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev + +wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + +echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | + tee /etc/apt/sources.list.d/matrix-org.list + +apt update +apt install matrix-synapse-py3 +``` + +This leaves a very basic configuration in `/etc/matrix-synapse/homeserver.yaml` +and two settings under `/etc/conf.d`. All other configuration items will also +be configured with yaml-files in this directory. + +Configure the domain you with to use in `/etc/matrix-synapse/conf.d/server_name.yaml`. +What you configure here will also be the global part of your Matrix handles +(the part after the colon). + +You now have a standard Matrix server that uses sqlite. You really don't want +to use this in production, so probably want to replace this with PostgreSQL. + +There are two different ways to configure Synapse, documented here: + +* [Monolithic](monolithic) +* [Workers](workers) + +We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. + + +## Listeners + +A fresh installation configures one listener, for both client and federation +traffic. This listens on port 8008 on localhost (IPv4 and IPv6) and does not +do TLS: + +``` +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1'] + resources: + - names: [client, federation] + compress: false +``` + + + + +# Database + +The default installation leaves you with an sqlite3 database. Nice for experimenting, but +unsuitable for a production environment. + +[Here's how you setup PostgreSQL](../postgresql). + +Once you've created a database and user in PostgreSQL, you configure Synapse +to use it. + +First delete (or comment out) the SQLITE datbase in `homeserver.yaml`: + +``` +#database: +# name: sqlite3 +# args: +# database: /var/lib/matrix-synapse/homeserver.db +``` + +Then create the database configuration for PostgreSQL in +`conf.d/database.yaml`: + +``` +database: + name: psycopg2 + args: + user: synapse + password: + dbname: synapse + host: /var/run/postgresql + cp_min: 5 + cp_max: 10 +``` + +Note: you configure the directory where the UNIX socket file lives, not the +actual file. + +Of course, if you use localhost, you should configure it like this: + +``` + host: localhost + port: 5432 +``` + +After changing the database, restart Synapse and check whether it can connect +and create the tables it needs. + + +# Logging + +Logging is configured in `log.yaml`. Some logging should go to systemd, the +more specific logging to Synapse's own logfile(s). + + diff --git a/matrix/synapse/monolithic/README.md b/matrix/synapse/monolithic/README.md new file mode 100644 index 0000000..711116e --- /dev/null +++ b/matrix/synapse/monolithic/README.md @@ -0,0 +1,10 @@ +--- +gitea: none +include_toc: true +--- + +# Standard, monolithic configuration + +This configuration will be enough for most installations. + + diff --git a/matrix/synapse/workers/README.md b/matrix/synapse/workers/README.md new file mode 100644 index 0000000..3e93b67 --- /dev/null +++ b/matrix/synapse/workers/README.md @@ -0,0 +1,11 @@ +--- +gitea: none +include_toc: true +--- + +# Advanced configuration with workers + +This configuration allows optimizing performance, meant for big, busy +installations. + +