From 202bec688047f0e3ced1c08752e423af7606bf4c Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Tue, 22 Oct 2024 17:16:58 +0200
Subject: [PATCH 01/25] Copied the basis from another repo.
---
 .gitignore | 34 ++++++++++++++++++++++++++++++++++
 README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c234679
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,34 @@
+# Eerst: GEEN PDF/PS IN GIT!
+*.pdf
+*.ps
+
+# ---> LyX
+# Ignore LyX backup and autosave files
+# http://www.lyx.org/
+*.lyx~
+*.lyx#
+
+# ---> Vim
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# En geen vaults
+/ansible/group_vars/matrix/vault.yaml
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1411139
--- /dev/null
+++ b/README.md
@@ -0,0 +1,47 @@ +--- +gitea: none +include_toc: true +--- + +# A complete Matrix installation + +This is going to be a Matrix installation with all bells and whistles. Not +just the server, but every other bit that you need or want. + +We're building it with workers, so it will scale. Everything will be in +containers, so all parts can be maintained individually. + +## Overview + +* Scalable ([workers](https://element-hq.github.io/synapse/latest/workers.html), containers) +* Webclient +* Element Call +* Moderation with [Draupnir](https://github.com/the-draupnir-project/Draupnir) +* [Consent +tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) +* Authentication via +[OpenID](https://element-hq.github.io/synapse/latest/openid.html) +* Several bridges + + +# Synapse + +We'll use Synapse, using the workers architecture and putting it in a +container. This will make it scalable, flexible and reusable. + +## Logging + +Logging is configured in `log.yaml`. Some logging should go to systemd, the +more specific logging to Synapse's own logfile(s). + + +# TURN + +We'll need a TURN server, and we'll use +[coturn](https://github.com/coturn/coturn) for that. Of course, also in a +container. + +# Wiki + +Of course there's a wiki in this repository. + From 6e29cfa07e38b71181cc3fca914a6f43784e36db Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Tue, 22 Oct 2024 17:21:55 +0200 Subject: [PATCH 02/25] Forgot Synapse-Admin... --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1411139..99196ec 100644 --- a/README.md +++ b/README.md 
@@ -16,6 +16,7 @@ containers, so all parts can be maintained individually. * Scalable ([workers](https://element-hq.github.io/synapse/latest/workers.html), containers) * Webclient * Element Call +* Management with [Synapse-Admin](https://github.com/Awesome-Technologies/synapse-admin) * Moderation with [Draupnir](https://github.com/the-draupnir-project/Draupnir) * [Consent tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) From 71890f521a3dea6f67b7e82e6fc47d4cd786852e Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Tue, 22 Oct 2024 17:24:37 +0200 Subject: [PATCH 03/25] Removed mention of containers/Docker. --- README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 99196ec..56da20c 100644 --- a/README.md +++ b/README.md @@ -8,12 +8,11 @@ include_toc: true This is going to be a Matrix installation with all bells and whistles. Not just the server, but every other bit that you need or want. -We're building it with workers, so it will scale. Everything will be in -containers, so all parts can be maintained individually. +We're building it with workers, so it will scale. ## Overview -* Scalable ([workers](https://element-hq.github.io/synapse/latest/workers.html), containers) +* Scalable: [workers](https://element-hq.github.io/synapse/latest/workers.html) * Webclient * Element Call * Management with [Synapse-Admin](https://github.com/Awesome-Technologies/synapse-admin) @@ -27,8 +26,8 @@ tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) # Synapse -We'll use Synapse, using the workers architecture and putting it in a -container. This will make it scalable, flexible and reusable. +We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. + ## Logging 
@@ -39,8 +38,8 @@ more specific logging to Synapse's own logfile(s). # TURN We'll need a TURN server, and we'll use -[coturn](https://github.com/coturn/coturn) for that. Of course, also in a -container. +[coturn](https://github.com/coturn/coturn) for that. + # Wiki From ef96f9861582fa36f60961837cf11b0f6dc154cc Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Thu, 31 Oct 2024 17:14:37 +0100 Subject: [PATCH 04/25] Structure for Synapse documentation added. --- README.md | 3 +++ synapse/monolithic/README.md | 10 ++++++++++ synapse/workers/README.md | 11 +++++++++++ 3 files changed, 24 insertions(+) create mode 100644 synapse/monolithic/README.md create mode 100644 synapse/workers/README.md diff --git a/README.md b/README.md index 56da20c..3ba9f79 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,9 @@ tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. +Installation and configuration are documented under `synapse`, "monolithic" +for the standard installation, and "workers" for the advanced configuration. + ## Logging diff --git a/synapse/monolithic/README.md b/synapse/monolithic/README.md new file mode 100644 index 0000000..711116e --- /dev/null +++ b/synapse/monolithic/README.md @@ -0,0 +1,10 @@ +--- +gitea: none +include_toc: true +--- + +# Standard, monolithic configuration + +This configuration will be enough for most installations. + + diff --git a/synapse/workers/README.md b/synapse/workers/README.md new file mode 100644 index 0000000..3e93b67 --- /dev/null +++ b/synapse/workers/README.md @@ -0,0 +1,11 @@ +--- +gitea: none +include_toc: true +--- + +# Advanced configuration with workers + +This configuration allows optimizing performance, meant for big, busy +installations. + + From 6f8b889aad6d440c1b37bf338df92137e4278e5f Mon Sep 17 00:00:00 2001 
From: Hans van Zijst Date: Thu, 31 Oct 2024 17:33:04 +0100 Subject: [PATCH 05/25] First little step added. --- README.md | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3ba9f79..4cdffb2 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ We're building it with workers, so it will scale. ## Overview -* Scalable: [workers](https://element-hq.github.io/synapse/latest/workers.html) +* [Synapse](https://element-hq.github.io/synapse/latest/) * Webclient * Element Call * Management with [Synapse-Admin](https://github.com/Awesome-Technologies/synapse-admin) @@ -28,7 +28,29 @@ tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. -Installation and configuration are documented under `synapse`, "monolithic" +Mind you: this an installation on Debian Linux (at least for now). + +Start by installing the latest Synapse server, see the [upstream +documentation](https://element-hq.github.io/synapse/latest/setup/installation.html). + +``` +apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \ + python3-pip python3-setuptools sqlite3 \ + libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev + +wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + +echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | + tee /etc/apt/sources.list.d/matrix-org.list + +apt update +apt install matrix-synapse-py3 +``` + + + + +Configuration is documented under `synapse`, "monolithic" for the standard installation, and "workers" for the advanced configuration. From 1e3d9f10556c2fbed41a93521a12b6a9dc03e043 Mon Sep 17 00:00:00 2001 
From: Hans van Zijst Date: Mon, 4 Nov 2024 15:03:22 +0100 Subject: [PATCH 06/25] Attempt to do relative links... --- README.md | 9 +++++++++ synapse/README.md | 13 +++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 synapse/README.md diff --git a/README.md b/README.md index 4cdffb2..e10281c 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,16 @@ apt update apt install matrix-synapse-py3 ``` +This leaves a very basic configuration in `/etc/matrix-synapse/homeserver.yaml` +and two settings under `/etc/conf.d`. All other configuration items will also +be configured with yaml-files in this directory. +Configure the domain you with to use in `/etc/matrix-synapse/conf.d/server_name.yaml`. +What you configure here will also be the global part of your Matrix handles +(the part after the colon). + +You now have a standard Matrix server that uses sqlite. You really don't want +to use this in production, so probably want to replace this with PostgreSQL. Configuration is documented under `synapse`, "monolithic" diff --git a/synapse/README.md b/synapse/README.md new file mode 100644 index 0000000..8a326a6 --- /dev/null +++ b/synapse/README.md @@ -0,0 +1,13 @@ +--- +gitea: none +include_toc: true +--- + +# Installation and configuration of Synapse + +There are two different ways to install Synapse, documented here: + +* [Monolithic](monolithic) +* [Workers](workers) + + From a108300eff39aa1c298901d9f0705030eb0cdad4 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 15:09:34 +0100 Subject: [PATCH 07/25] Relative links work ;) --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index e10281c..ca4a332 100644 --- a/README.md +++ b/README.md 
@@ -59,8 +59,7 @@ You now have a standard Matrix server that uses sqlite. You really don't want to use this in production, so probably want to replace this with PostgreSQL. -Configuration is documented under `synapse`, "monolithic" -for the standard installation, and "workers" for the advanced configuration. +Further configuration is documented under [synapse](synapse). ## Logging From 68e4e127ab570cb68cd74be51ca81846265fa85b Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 15:13:18 +0100 Subject: [PATCH 08/25] Moved Synapse documentation to 'synapse'. --- README.md | 35 +---------------------------------- synapse/README.md | 34 ++++++++++++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index ca4a332..33e4209 100644 --- a/README.md +++ b/README.md 
@@ -26,40 +26,7 @@ tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) # Synapse -We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. - -Mind you: this an installation on Debian Linux (at least for now). - -Start by installing the latest Synapse server, see the [upstream -documentation](https://element-hq.github.io/synapse/latest/setup/installation.html). - -``` -apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \ - python3-pip python3-setuptools sqlite3 \ - libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev - -wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg - -echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | - tee /etc/apt/sources.list.d/matrix-org.list - -apt update -apt install matrix-synapse-py3 -``` - -This leaves a very basic configuration in `/etc/matrix-synapse/homeserver.yaml` -and two settings under `/etc/conf.d`. All other configuration items will also -be configured with yaml-files in this directory. - -Configure the domain you with to use in `/etc/matrix-synapse/conf.d/server_name.yaml`. -What you configure here will also be the global part of your Matrix handles -(the part after the colon). - -You now have a standard Matrix server that uses sqlite. You really don't want -to use this in production, so probably want to replace this with PostgreSQL. - - -Further configuration is documented under [synapse](synapse). +Configuration is documented under [synapse](synapse). ## Logging diff --git a/synapse/README.md b/synapse/README.md index 8a326a6..25e374f 100644 --- a/synapse/README.md +++ b/synapse/README.md 
@@ -5,9 +5,39 @@ include_toc: true # Installation and configuration of Synapse -There are two different ways to install Synapse, documented here: +Mind you: this an installation on Debian Linux (at least for now). + +Start by installing the latest Synapse server, see the [upstream +documentation](https://element-hq.github.io/synapse/latest/setup/installation.html). + +``` +apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \ + python3-pip python3-setuptools sqlite3 \ + libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev + +wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + +echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | + tee /etc/apt/sources.list.d/matrix-org.list + +apt update +apt install matrix-synapse-py3 +``` + +This leaves a very basic configuration in `/etc/matrix-synapse/homeserver.yaml` +and two settings under `/etc/conf.d`. All other configuration items will also +be configured with yaml-files in this directory. + +Configure the domain you with to use in `/etc/matrix-synapse/conf.d/server_name.yaml`. +What you configure here will also be the global part of your Matrix handles +(the part after the colon). + +You now have a standard Matrix server that uses sqlite. You really don't want +to use this in production, so probably want to replace this with PostgreSQL. + +There are two different ways to configure Synapse, documented here: * [Monolithic](monolithic) * [Workers](workers) - +We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. From 4f54f529ab3a6551e1c2452c73573e6e77cb3e88 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 15:18:52 +0100 Subject: [PATCH 09/25] Last bit moved. --- README.md | 6 ------ synapse/README.md | 8 ++++++++ 2 files changed, 8 insertions(+), 6 deletions(-) 
diff --git a/README.md b/README.md index 33e4209..887e8ee 100644 --- a/README.md +++ b/README.md @@ -29,12 +29,6 @@ tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) Configuration is documented under [synapse](synapse). -## Logging - -Logging is configured in `log.yaml`. Some logging should go to systemd, the -more specific logging to Synapse's own logfile(s). - - # TURN We'll need a TURN server, and we'll use diff --git a/synapse/README.md b/synapse/README.md index 25e374f..b2ac1c1 100644 --- a/synapse/README.md +++ b/synapse/README.md @@ -41,3 +41,11 @@ There are two different ways to configure Synapse, documented here: * [Workers](workers) We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. + + +## Logging + +Logging is configured in `log.yaml`. Some logging should go to systemd, the +more specific logging to Synapse's own logfile(s). + + From d76482767002844b62b353d7786a3e9384aae8c9 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 15:25:28 +0100 Subject: [PATCH 10/25] Relative links to a lower level..? --- postgresql/README.md | 10 ++++++++++ synapse/README.md | 9 ++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 postgresql/README.md diff --git a/postgresql/README.md b/postgresql/README.md new file mode 100644 index 0000000..855ee8a --- /dev/null +++ b/postgresql/README.md @@ -0,0 +1,10 @@ +--- +gitea: none +include_toc: true +--- + +# PostgreSQL database + + + + diff --git a/synapse/README.md b/synapse/README.md index b2ac1c1..e2781d0 100644 --- a/synapse/README.md +++ b/synapse/README.md 
@@ -42,8 +42,15 @@ There are two different ways to configure Synapse, documented here: We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. +# Database -## Logging +The default installation leaves you with an sqlite3 database. Nice for experimenting, but +unsuitable for a production environment. + +[Here's how you setup PostgreSQL](../postgres). + + +# Logging Logging is configured in `log.yaml`. Some logging should go to systemd, the more specific logging to Synapse's own logfile(s). From da354f1efbd4f251ec098194620d9f7e1e5d2902 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 15:27:00 +0100 Subject: [PATCH 11/25] Typo corrected. --- synapse/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/README.md b/synapse/README.md index e2781d0..b3e6bac 100644 --- a/synapse/README.md +++ b/synapse/README.md @@ -47,7 +47,7 @@ We'll use Synapse, using the workers architecture to make it scalable, flexible The default installation leaves you with an sqlite3 database. Nice for experimenting, but unsuitable for a production environment. -[Here's how you setup PostgreSQL](../postgres). +[Here's how you setup PostgreSQL](../postgresql). # Logging From 387c3586564476dc1ea346c2a59601005f78a767 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 16:39:42 +0100 Subject: [PATCH 12/25] First bit of documentation for PostgreSQL added. --- postgresql/README.md | 68 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) diff --git a/postgresql/README.md b/postgresql/README.md index 855ee8a..84e5511 100644 --- a/postgresql/README.md +++ b/postgresql/README.md 
@@ -3,8 +3,74 @@ gitea: none include_toc: true --- -# PostgreSQL database +# Installing PostgreSQL and creating database and user + +Installing [PostgreSQL](https://www.postgresql.org/) on Debian is very easy: + +``` +apt install postgresql python3-psycopg + +sudo -u postgres bash + +createuser --pwprompt synapse +createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse synapse + +``` + +After this, PostgreSQL is installed, the database `synapse` exists and so does +the database user `synapse`. Make sure you choose a strong password. +# Configuring access + +After a clean installation, PostgreSQL will listen on localhost, both IPv4 and +IPv6 (if available). In many cases, this is exactly what you want. + +## Network + +PostgreSQL will listen on localhost, this is configured in +`/etc/postgresql//main/postgresql.conf`: + +``` +listen_addresses = 'localhost' +``` + +This line is usually commented out, but as it is the default, it's really +there. +## UNIX socket + +If you want PostgreSQL to listen only to a local UNIX socket (more efficient +than network and -depending on the configuration of the rest of you system- +easier to protect), make the aforementioned option explicitly empty and +uncomment it: + +``` +listen_addresses = +``` + +Check these options to make sure the socket is placed in the right spot and +given the correct permissions: + +``` +unix_socket_directories = '/var/run/postgresql' +#unix_socket_group = '' +#unix_socket_permissions = 0777 +``` + + +## Permissions + +Add permission for the user to connect to the database from localhost (if +PostgreSQL listens on localhost), or the socket (if you use that). This is +configured in `/etc/postgresql//main/pg_hba.conf`: + +``` +local synapse synapse password # for use with UNIX sockets +host synapse synapse localhost md5 # for use with localhost network +``` + +Make sure you add these lines under the one that gives access to the postgres +superuser, the first line. + 
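Review bot: The `local synapse synapse password` line in the pg_hba.conf snippet selects PostgreSQL's plain-text `password` method, which transmits the password unhashed over the connection, and `md5` on the `host` line is the older scheme; assuming `password_encryption` is at its current default, both lines should use `scram-sha-256`, i.e. `local synapse synapse scram-sha-256` and `host synapse synapse localhost scram-sha-256`. The paths `/etc/postgresql//main/postgresql.conf` and `/etc/postgresql//main/pg_hba.conf` have lost the version component between the two slashes; writing them as `/etc/postgresql/<version>/main/...` makes the placeholder explicit instead of looking like a typo. The sentence "This line is usually commented out, but as it is the default, it's really there." would be clearer as "This line is usually commented out, but since it is the default it is still in effect."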
From 125bfb3892f6e14eaab191ed57ea2765bece3411 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 16:49:15 +0100 Subject: [PATCH 13/25] Syntax corrected: empty value needs to be quoted. --- postgresql/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/README.md b/postgresql/README.md index 84e5511..92f3e6c 100644 --- a/postgresql/README.md +++ b/postgresql/README.md @@ -47,7 +47,7 @@ easier to protect), make the aforementioned option explicitly empty and uncomment it: ``` -listen_addresses = +listen_addresses = '' ``` Check these options to make sure the socket is placed in the right spot and From abf672101ae79faac7be9f2f8ec6e7626237771c Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 17:18:18 +0100 Subject: [PATCH 14/25] Added switch from sqlite to pg. --- synapse/README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/synapse/README.md b/synapse/README.md index b3e6bac..ac59da7 100644 --- a/synapse/README.md +++ b/synapse/README.md 
@@ -49,6 +49,46 @@ unsuitable for a production environment. [Here's how you setup PostgreSQL](../postgresql). +Once you've created a database and user in PostgreSQL, you configure Synapse +to use it. + +First delete (or comment out) the SQLITE datbase in `homeserver.yaml`: + +``` +#database: +# name: sqlite3 +# args: +# database: /var/lib/matrix-synapse/homeserver.db +``` + +Then create the database configuration for PostgreSQL in +`conf.d/database.yaml`: + +``` +database: + name: psycopg2 + args: + user: synapse + password: + dbname: synapse + host: /var/run/postgresql + cp_min: 5 + cp_max: 10 +``` + +Note: you configure the directory where the UNIX socket file lives, not the +actual file. + +Of course, if you use localhost, you should configure it like this: + +``` + host: localhost + port: 5432 +``` + +After changing the database, restart Synapse and check whether it can connect +and create the tables it needs. + # Logging From 098d1e47911da293e1f6396fbe9f652f31e98dc5 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 17:33:39 +0100 Subject: [PATCH 15/25] Added Tuning, mostly for layout purposes. --- postgresql/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/postgresql/README.md b/postgresql/README.md index 92f3e6c..671128d 100644 --- a/postgresql/README.md +++ b/postgresql/README.md @@ -74,3 +74,9 @@ host synapse synapse localhost md5 # for use with loc Make sure you add these lines under the one that gives access to the postgres superuser, the first line. + +## Tuning + +This is for later, check [Tuning your PostgreSQL Server](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server) +on the PostgreSQL wiki. + From 487bda45a3c529ef7ad5c99445a6beba506059cb Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 17:34:21 +0100 Subject: [PATCH 16/25] Wrong layout, fixed. --- postgresql/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
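Review bot: The `conf.d/database.yaml` snippet stores the database password in clear text under `/etc/matrix-synapse`, but the text says nothing about protecting that file; add a sentence such as "Make sure `conf.d/database.yaml` is readable only by the user Synapse runs as (for example mode 0640 with the matching group), since it holds the database password in clear text." The empty `password:` line reads like a deliberate value next to the concrete `cp_min`/`cp_max` numbers; `password: <password chosen in createuser>` makes the placeholder obvious. "SQLITE datbase" in the prose should read "SQLite database".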
diff --git a/postgresql/README.md b/postgresql/README.md index 671128d..ae86a94 100644 --- a/postgresql/README.md +++ b/postgresql/README.md @@ -75,7 +75,7 @@ Make sure you add these lines under the one that gives access to the postgres superuser, the first line. -## Tuning +# Tuning This is for later, check [Tuning your PostgreSQL Server](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server) on the PostgreSQL wiki. From 28836cc1bc470446c2af85581b4080ad2a74852e Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 17:41:00 +0100 Subject: [PATCH 17/25] Added some links. --- README.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 887e8ee..e29e262 100644 --- a/README.md +++ b/README.md @@ -12,21 +12,27 @@ We're building it with workers, so it will scale. ## Overview +A complete Matrix environment consists of many parts. Other than the Matrix +server itself (Synapse) there are all kinds of other things that we need: + * [Synapse](https://element-hq.github.io/synapse/latest/) -* Webclient -* Element Call +* Webclient ([Element Web](https://github.com/element-hq/element-web)) +* [Element Call](https://github.com/element-hq/element-call) for audio/video +conferencing * Management with [Synapse-Admin](https://github.com/Awesome-Technologies/synapse-admin) * Moderation with [Draupnir](https://github.com/the-draupnir-project/Draupnir) * [Consent tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html) * Authentication via [OpenID](https://element-hq.github.io/synapse/latest/openid.html) -* Several bridges +* Several [bridges](https://matrix.org/ecosystem/bridges/) # Synapse -Configuration is documented under [synapse](synapse). +This is the core component: the Matrix server itself. + +Installation and configuration is documented under [synapse](synapse). # TURN From 8c74191c9d54b147376acdcb2171e011813ed27f Mon Sep 17 00:00:00 2001 
From: Hans van Zijst Date: Mon, 4 Nov 2024 17:54:42 +0100 Subject: [PATCH 18/25] Added something about the firewall. --- firewall/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 firewall/README.md diff --git a/firewall/README.md b/firewall/README.md new file mode 100644 index 0000000..72ffd2e --- /dev/null +++ b/firewall/README.md @@ -0,0 +1,13 @@ +# Firewall + +This page is mostly a placeholder for now, but configuration of the firewall +is -of course- very important. + +First idea: the ports that need to be opened are: + + +| Port(s) / range | Protocol | Application | +| :--: | :--: | :-- | +| 80/443 | TCP | Reverse proxy | +| 8443 | TCP | Synapse, federation | + From 417acb59b45cf5873aad28273b66f2e8a8b88381 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 17:55:48 +0100 Subject: [PATCH 19/25] Comma separated, rather than a slash. --- firewall/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall/README.md b/firewall/README.md index 72ffd2e..7d0f09f 100644 --- a/firewall/README.md +++ b/firewall/README.md @@ -8,6 +8,6 @@ First idea: the ports that need to be opened are: | Port(s) / range | Protocol | Application | | :--: | :--: | :-- | -| 80/443 | TCP | Reverse proxy | +| 80, 443 | TCP | Reverse proxy | | 8443 | TCP | Synapse, federation | From f2c9761bb938c9018572d446c416cf21b6a1fa1f Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 4 Nov 2024 18:13:40 +0100 Subject: [PATCH 20/25] Basic reverse proxy (nginx) documentation added. --- nginx/README.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 nginx/README.md diff --git a/nginx/README.md b/nginx/README.md new file mode 100644 index 0000000..1f21583 --- /dev/null +++ b/nginx/README.md 
@@ -0,0 +1,41 @@ +--- +gitea: none +include_toc: true +--- + +# Reverse proxy with nginx + +Clients connecting from the Internet to our Matrix environment will usually +use SSL/TLS to encrypt whatever they want to send. This is one thing that +nginx does better than Synapse. + +Furthermore, granting or denying access to specific endpoints is much easier +in nginx. + +Synapse listens only on localhost, so nginx has to pass connections on from +the wild west that is the Internet to our server listening on the inside. + + +# Installing + +Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is +easy: + +``` +apt install nginx python3-certbot-nginx +``` + +# Configuration + +Almost all traffic should be encrypted, so a redirect from http to https seems +like a good idea. + +However, `.well-known/matrix/client` has to be available via http and https, +so that should *NOT* be redirected to https. Some clients don't understand the +redirect and will therefore not find the server if you redirect everything. + + + +# Firewall + +For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall). From b7e29f3250d68ea8262f7b74ebfca67ca1e5c28e Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Tue, 12 Nov 2024 15:38:05 +0100 Subject: [PATCH 21/25] Added page for Element Call. --- call/README.md | 16 ++++++++++++++++ nginx/README.md | 9 +++++++++ synapse/README.md | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 call/README.md diff --git a/call/README.md b/call/README.md new file mode 100644 index 0000000..049dcb5 --- /dev/null +++ b/call/README.md 
@@ -0,0 +1,16 @@ +--- +gitea: none +include_toc: true +--- + +# Element Call + +Element Call enables users to have audio and videocalls with groups, while +maintaining full E2E encryption. + +It requires several bits of software and entries in .well-known/matrix/client + +This bit is for later, but here's a nice bit of documentation to start: + +https://sspaeth.de/2024/11/sfu/ + diff --git a/nginx/README.md b/nginx/README.md index 1f21583..62185a5 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -25,6 +25,15 @@ easy: apt install nginx python3-certbot-nginx ``` +Get your certificate: + +``` +certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com +``` + +Substitute the correct e-mailaddress and FQDN, or course. + + # Configuration Almost all traffic should be encrypted, so a redirect from http to https seems diff --git a/synapse/README.md b/synapse/README.md index ac59da7..a0835d6 100644 --- a/synapse/README.md +++ b/synapse/README.md @@ -42,6 +42,28 @@ There are two different ways to configure Synapse, documented here: We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable. + +## Listeners + +A fresh installation configures one listener, for both client and federation +traffic. This listens on port 8008 on localhost (IPv4 and IPv6) and does not +do TLS: + +``` +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1'] + resources: + - names: [client, federation] + compress: false +``` + + + + # Database The default installation leaves you with an sqlite3 database. Nice for experimenting, but From 39de5b2cc12411792fe3770d51a6c6adcad53337 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Tue, 12 Nov 2024 15:41:54 +0100 Subject: [PATCH 22/25] Link to Element Call. --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e29e262..1d564cb 100644 --- a/README.md 
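Review bot: The certbot example in the nginx/README.md hunk embeds what look like a real mailbox and host (`systeemmail@procolix.com`, `matrixdev.procolix.com`); a reader who copies the line before reaching the next sentence registers an ACME account under someone else's address, and the page publishes internal names. Use obvious placeholders instead, `certbot certonly --nginx --agree-tos -m <admin e-mail> --non-interactive -d <server FQDN>`, and fix "or course" to "of course" in the sentence below it. The synapse/README.md hunk in the same commit could add one line after the listener block noting that `x_forwarded: true` makes Synapse take the client address from the `X-Forwarded-For` header, which is appropriate here only because the listener is bound to `::1`/`127.0.0.1` and reached solely through the reverse proxy.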
+++ b/README.md @@ -37,9 +37,13 @@ Installation and configuration is documented under [synapse](synapse). # TURN -We'll need a TURN server, and we'll use +We may need a TURN server, and we'll use [coturn](https://github.com/coturn/coturn) for that. +It's apparently also possible to use the built-in TURN server in Livekit, +which we'll use if we use [Element Call](call). It's either/or, so make sure +you pick the right approach. + # Wiki From 76d4e1b29fe0721519c13b07fb23816fa57f65c0 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Tue, 12 Nov 2024 15:56:33 +0100 Subject: [PATCH 23/25] Added part for server_name in nginx. --- nginx/README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/nginx/README.md b/nginx/README.md index 62185a5..c612846 100644 --- a/nginx/README.md +++ b/nginx/README.md 
@@ -43,6 +43,53 @@ However, `.well-known/matrix/client` has to be available via http and https, so
 that should *NOT* be redirected to https. Some clients don't understand the
 redirect and will therefore not find the server if you redirect everything.
+Under the `server_name` (the "domain name", the part after the username) you
+will need a configuration like this:
+
+```
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name matrixdev.procolix.com;
+
+ location /.well-known/matrix/client {
+ return 200 '{
+ "m.homeserver": {"base_url": "https://vm02199.procolix.com"},
+ "org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
+ }';
+ default_type application/json;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "vm02199.procolix.com"}';
+ default_type application/json;
+ }
+
+ location / {
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ access_log /var/log/nginx/matrixdev-access.log;
+ error_log /var/log/nginx/matrixdev-error.log;
+}
+```
+
+This defines a server that listens on both http and https. It hands out two
+.well-known entries over both http and https, and every other request over
+http is forwarded to https.
+
+Be sure to substitute the correct values for `server_name`, `base_url` and the
+certificate files.
 # Firewall
From a58b3ac17f07dee857c314ed5394b9b1e18d220f Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Tue, 12 Nov 2024 15:57:32 +0100
Subject: [PATCH 24/25] Layout corrected.
---
 nginx/README.md | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/nginx/README.md b/nginx/README.md
index c612846..79c37ec 100644
--- a/nginx/README.md
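Review bot: The `location /.well-known/matrix/client` block returns the JSON without a CORS header, and web clients hosted on a different origin fetch this file cross-origin, so the browser will not let the client read the response and auto-discovery of the homeserver fails; the spec asks servers to send CORS headers on `.well-known`. Add `add_header Access-Control-Allow-Origin *;` inside that location (it is harmless in the `/.well-known/matrix/server` location too). The prose below the block says both `.well-known` entries are handed out over http; federation peers only ever fetch `.well-known/matrix/server` over https, so it is worth saying that only the client file needs the plain-http exception, which narrows what is intentionally left unredirected. The `if ($scheme = http)` inside `location /` is one of the few safe uses of `if` (a bare `return`), but a separate `listen 80` server block holding just the `.well-known` locations and the 301 would be the conventional shape and easier to audit.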
+++ b/nginx/README.md
@@ -58,29 +58,29 @@ server {
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/ssl/dhparams.pem;
- server_name matrixdev.procolix.com;
+ server_name matrixdev.procolix.com;
- location /.well-known/matrix/client {
- return 200 '{
- "m.homeserver": {"base_url": "https://vm02199.procolix.com"},
- "org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
- }';
- default_type application/json;
+ location /.well-known/matrix/client {
+ return 200 '{
+ "m.homeserver": {"base_url": "https://vm02199.procolix.com"},
+ "org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
+ }';
+ default_type application/json;
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "vm02199.procolix.com"}';
+ default_type application/json;
+ }
+
+ location / {
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
 }
+ }
- location /.well-known/matrix/server {
- return 200 '{"m.server": "vm02199.procolix.com"}';
- default_type application/json;
- }
-
- location / {
- if ($scheme = http) {
- return 301 https://$host$request_uri;
- }
- }
-
- access_log /var/log/nginx/matrixdev-access.log;
- error_log /var/log/nginx/matrixdev-error.log;
+ access_log /var/log/nginx/matrixdev-access.log;
+ error_log /var/log/nginx/matrixdev-error.log;
 }
 ```
From 0a991a5140236eda995e05b5e1a5c38ed54b7a60 Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Tue, 12 Nov 2024 17:02:29 +0100
Subject: [PATCH 25/25] Config for Synapse-proxy added.
---
 nginx/README.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/nginx/README.md b/nginx/README.md
index 79c37ec..10a30b4 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -81,6 +81,7 @@ server {
 access_log /var/log/nginx/matrixdev-access.log;
 error_log /var/log/nginx/matrixdev-error.log;
+
 }
 ```
@@ -91,6 +92,39 @@ http is forwarded to https.
 Be sure to substitute the correct values for `server_name`, `base_url` and the
 certificate files.
+For the actual proxy in front of Synapse, this is what you need:
+
+```
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # For the federation port
+ listen 8448 ssl default_server;
+ listen [::]:8448 ssl default_server;
+
+ ssl_certificate /etc/letsencrypt/live/vm02199.procolix.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/vm02199.procolix.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name vm02199.procolix.com;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+
+}
+```
+
+Again, substitute the correct values. Don't forget to open the relevant ports
+in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
+
 # Firewall
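Review bot: The proxy's `location ~ ^(/_matrix|/_synapse/client)` deliberately leaves `/_synapse/admin` unproxied, which is what keeps the admin API off the public interface, but the README does not say so, and a maintainer could later "simplify" the regex to `/_synapse` and expose the admin endpoints. Suggested sentence after the block: `The regex intentionally excludes /_synapse/admin; the admin API stays reachable only through the loopback listener on port 8008.` `client_max_body_size 50M` should also be documented as needing to match `max_upload_size` in homeserver.yaml, otherwise one layer rejects uploads the other accepts and the failure is confusing to debug. Finally, `proxy_set_header Host $host;` drops the port; Synapse's reverse-proxy documentation uses `proxy_set_header Host $host:$server_port;` so requests arriving on 8448 keep their port in the Host header — worth checking against the current upstream guidance before copying this block.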