hans/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Add 'matrix/' from commit '0a991a5140236eda995e05b5e1a5c38ed54b7a60'

Browse source 
git-subtree-dir: matrix
git-subtree-mainline: c1d2cdc7c1
git-subtree-split: 0a991a5140
This commit is contained in:
Valentin Gagarin 2024-11-13 15:28:58 +01:00
parent c1d2cdc7c1 0a991a5140
commit 184e89e586
9 changed files with 468 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
matrix/.gitignore vendored Normal file
View file

@ -0,0 +1,34 @@
# Eerst: GEEN PDF/PS IN GIT!
*.pdf
*.ps
# ---> LyX
# Ignore LyX backup and autosave files
# http://www.lyx.org/
*.lyx~
*.lyx#
# ---> Vim
# Swap
[._]*.s[a-v][a-z]
!*.svg # comment out if you don't need vector files
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
[._]sw[a-p]
# Session
Session.vim
Sessionx.vim
# Temporary
.netrwhist
*~
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~
# En geen vaults
/ansible/group_vars/matrix/vault.yaml

51
matrix/README.md Normal file
View file

@ -0,0 +1,51 @@
---
gitea: none
include_toc: true
---
# A complete Matrix installation
This is going to be a Matrix installation with all bells and whistles. Not
just the server, but every other bit that you need or want.
We're building it with workers, so it will scale.
## Overview
A complete Matrix environment consists of many parts. Other than the Matrix
server itself (Synapse) there are all kinds of other things that we need:
* [Synapse](https://element-hq.github.io/synapse/latest/)
* Webclient ([Element Web](https://github.com/element-hq/element-web))
* [Element Call](https://github.com/element-hq/element-call) for audio/video
conferencing
* Management with [Synapse-Admin](https://github.com/Awesome-Technologies/synapse-admin)
* Moderation with [Draupnir](https://github.com/the-draupnir-project/Draupnir)
* [Consent
tracking](https://element-hq.github.io/synapse/latest/consent_tracking.html)
* Authentication via
[OpenID](https://element-hq.github.io/synapse/latest/openid.html)
* Several [bridges](https://matrix.org/ecosystem/bridges/)
# Synapse
This is the core component: the Matrix server itself.
Installation and configuration is documented under [synapse](synapse).
# TURN
We may need a TURN server, and we'll use
[coturn](https://github.com/coturn/coturn) for that.
It's apparently also possible to use the built-in TURN server in Livekit,
which we'll use if we use [Element Call](call). It's either/or, so make sure
you pick the right approach.
# Wiki
Of course there's a wiki in this repository.

16
matrix/call/README.md Normal file
View file

@ -0,0 +1,16 @@
---
gitea: none
include_toc: true
---
# Element Call
Element Call enables users to have audio and videocalls with groups, while
maintaining full E2E encryption.
It requires several bits of software and entries in .well-known/matrix/client
This bit is for later, but here's a nice bit of documentation to start:
https://sspaeth.de/2024/11/sfu/

13
matrix/firewall/README.md Normal file
View file

@ -0,0 +1,13 @@
# Firewall
This page is mostly a placeholder for now, but configuration of the firewall
is -of course- very important.
First idea: the ports that need to be opened are:
| Port(s) / range | Protocol | Application |
| :--: | :--: | :-- |
| 80, 443 | TCP | Reverse proxy |
| 8443 | TCP | Synapse, federation |

131
matrix/nginx/README.md Normal file
View file

@ -0,0 +1,131 @@
---
gitea: none
include_toc: true
---
# Reverse proxy with nginx
Clients connecting from the Internet to our Matrix environment will usually
use SSL/TLS to encrypt whatever they want to send. This is one thing that
nginx does better than Synapse.
Furthermore, granting or denying access to specific endpoints is much easier
in nginx.
Synapse listens only on localhost, so nginx has to pass connections on from
the wild west that is the Internet to our server listening on the inside.
# Installing
Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
easy:
```
apt install nginx python3-certbot-nginx
```
Get your certificate:
```
certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
```
Substitute the correct e-mailaddress and FQDN, or course.
# Configuration
Almost all traffic should be encrypted, so a redirect from http to https seems
like a good idea.
However, `.well-known/matrix/client` has to be available via http and https,
so that should *NOT* be redirected to https. Some clients don't understand the
redirect and will therefore not find the server if you redirect everything.
Under the `server_name` (the "domain name", the part after the username) you
will need a configuration like this:
```
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name matrixdev.procolix.com;
location /.well-known/matrix/client {
return 200 '{
"m.homeserver": {"base_url": "https://vm02199.procolix.com"},
"org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
}';
default_type application/json;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "vm02199.procolix.com"}';
default_type application/json;
}
location / {
if ($scheme = http) {
return 301 https://$host$request_uri;
}
}
access_log /var/log/nginx/matrixdev-access.log;
error_log /var/log/nginx/matrixdev-error.log;
}
```
This defines a server that listens on both http and https. It hands out two
.well-known entries over both http and https, and every other request over
http is forwarded to https.
Be sure to substitute the correct values for `server_name`, `base_url` and the
certificate files.
For the actual proxy in front of Synapse, this is what you need:
```
server {
listen 443 ssl;
listen [::]:443 ssl;
# For the federation port
listen 8448 ssl default_server;
listen [::]:8448 ssl default_server;
ssl_certificate /etc/letsencrypt/live/vm02199.procolix.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vm02199.procolix.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name vm02199.procolix.com;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
}
```
Again, substitute the correct values. Don't forget to open the relevant ports
in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
# Firewall
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).

82
matrix/postgresql/README.md Normal file
View file

@ -0,0 +1,82 @@
---
gitea: none
include_toc: true
---
# Installing PostgreSQL and creating database and user
Installing [PostgreSQL](https://www.postgresql.org/) on Debian is very easy:
```
apt install postgresql python3-psycopg
sudo -u postgres bash
createuser --pwprompt synapse
createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse synapse
```
After this, PostgreSQL is installed, the database `synapse` exists and so does
the database user `synapse`. Make sure you choose a strong password.
# Configuring access
After a clean installation, PostgreSQL will listen on localhost, both IPv4 and
IPv6 (if available). In many cases, this is exactly what you want.
## Network
PostgreSQL will listen on localhost, this is configured in
`/etc/postgresql/<version>/main/postgresql.conf`:
```
listen_addresses = 'localhost'
```
This line is usually commented out, but as it is the default, it's really
there.
## UNIX socket
If you want PostgreSQL to listen only to a local UNIX socket (more efficient
than network and -depending on the configuration of the rest of you system-
easier to protect), make the aforementioned option explicitly empty and
uncomment it:
```
listen_addresses = ''
```
Check these options to make sure the socket is placed in the right spot and
given the correct permissions:
```
unix_socket_directories = '/var/run/postgresql'
#unix_socket_group = ''
#unix_socket_permissions = 0777
```
## Permissions
Add permission for the user to connect to the database from localhost (if
PostgreSQL listens on localhost), or the socket (if you use that). This is
configured in `/etc/postgresql/<version>/main/pg_hba.conf`:
```
local synapse synapse password # for use with UNIX sockets
host synapse synapse localhost md5 # for use with localhost network
```
Make sure you add these lines under the one that gives access to the postgres
superuser, the first line.
# Tuning
This is for later, check [Tuning your PostgreSQL Server](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server)
on the PostgreSQL wiki.

120
matrix/synapse/README.md Normal file
View file

@ -0,0 +1,120 @@
---
gitea: none
include_toc: true
---
# Installation and configuration of Synapse
Mind you: this an installation on Debian Linux (at least for now).
Start by installing the latest Synapse server, see the [upstream
documentation](https://element-hq.github.io/synapse/latest/setup/installation.html).
```
apt install -y lsb-release wget apt-transport-https build-essential python3-dev libffi-dev \
python3-pip python3-setuptools sqlite3 \
libssl-dev virtualenv libjpeg-dev libxslt1-dev libicu-dev
wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" |
tee /etc/apt/sources.list.d/matrix-org.list
apt update
apt install matrix-synapse-py3
```
This leaves a very basic configuration in `/etc/matrix-synapse/homeserver.yaml`
and two settings under `/etc/conf.d`. All other configuration items will also
be configured with yaml-files in this directory.
Configure the domain you with to use in `/etc/matrix-synapse/conf.d/server_name.yaml`.
What you configure here will also be the global part of your Matrix handles
(the part after the colon).
You now have a standard Matrix server that uses sqlite. You really don't want
to use this in production, so probably want to replace this with PostgreSQL.
There are two different ways to configure Synapse, documented here:
* [Monolithic](monolithic)
* [Workers](workers)
We'll use Synapse, using the workers architecture to make it scalable, flexible and reusable.
## Listeners
A fresh installation configures one listener, for both client and federation
traffic. This listens on port 8008 on localhost (IPv4 and IPv6) and does not
do TLS:
```
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses: ['::1', '127.0.0.1']
resources:
- names: [client, federation]
compress: false
```
# Database
The default installation leaves you with an sqlite3 database. Nice for experimenting, but
unsuitable for a production environment.
[Here's how you setup PostgreSQL](../postgresql).
Once you've created a database and user in PostgreSQL, you configure Synapse
to use it.
First delete (or comment out) the SQLITE datbase in `homeserver.yaml`:
```
#database:
# name: sqlite3
# args:
# database: /var/lib/matrix-synapse/homeserver.db
```
Then create the database configuration for PostgreSQL in
`conf.d/database.yaml`:
```
database:
name: psycopg2
args:
user: synapse
password: <password>
dbname: synapse
host: /var/run/postgresql
cp_min: 5
cp_max: 10
```
Note: you configure the directory where the UNIX socket file lives, not the
actual file.
Of course, if you use localhost, you should configure it like this:
```
host: localhost
port: 5432
```
After changing the database, restart Synapse and check whether it can connect
and create the tables it needs.
# Logging
Logging is configured in `log.yaml`. Some logging should go to systemd, the
more specific logging to Synapse's own logfile(s).

10
matrix/synapse/monolithic/README.md Normal file
View file

@ -0,0 +1,10 @@
---
gitea: none
include_toc: true
---
# Standard, monolithic configuration
This configuration will be enough for most installations.

11
matrix/synapse/workers/README.md Normal file
View file

@ -0,0 +1,11 @@
---
gitea: none
include_toc: true
---
# Advanced configuration with workers
This configuration allows optimizing performance, meant for big, busy
installations.