first commit
66ab861d63
8 changed files with 351 additions and 0 deletions
30
Justfile
Normal file
|
@ -0,0 +1,30 @@
|
|||
@_default:
|
||||
{{just_executable()}} -f {{justfile()}} --list
|
||||
|
||||
# Run the instance [aliases: r]
|
||||
@run:
|
||||
sudo docker-compose up -d
|
||||
|
||||
# Stop the instance [aliases: s]
|
||||
@stop:
|
||||
sudo docker-compose rm -f -s
|
||||
|
||||
# Restart the instance
|
||||
@restart:
|
||||
sudo docker-compose restart
|
||||
|
||||
# Create Backup file [aliases: b]
|
||||
@backup backup_name: stop && run
|
||||
#!/usr/bin/env bash
|
||||
FILES="data postgresdata Justfile docker-compose.yml README.md"
|
||||
7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=32m -ms=on -mhe=on -p {{backup_name}}.7z $FILES
|
||||
echo "Backup done..."
|
||||
|
||||
|
||||
[private]
|
||||
alias r := run
|
||||
[private]
|
||||
alias s := stop
|
||||
[private]
|
||||
alias b := backup
|
||||
|
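Review bot: The `backup` recipe reports `Backup done...` regardless of whether `7z` succeeded, because the shebang body has no error handling and the script's exit status is that of the final `echo`. That matters here: `data` holds the homeserver secrets and signing key, and `postgresdata` is written by the database container under a different uid, so an unreadable path would yield a silent, incomplete archive. Add `set -euo pipefail` directly after `#!/usr/bin/env bash` so a non-zero 7z exit aborts before the success message. With that in place a failed backup also skips the `&& run` dependency, as I read just's semantics, and leaves the instance stopped; that is the safer outcome, but it deserves a line in the `# Create Backup file` comment so the operator knows to run `just run` afterwards.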
21
LICENSE
Normal file
|
@ -0,0 +1,21 @@
|
|||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2024, Awiteb <a@4rs.nl>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
141
README.md
Normal file
|
@ -0,0 +1,141 @@
|
|||
# 4rs matrix homeserver
|
||||
|
||||
This is my personal matrix homeserver. You can clone this repository and run the homeserver with docker-compose.
|
||||
|
||||
## Overview
|
||||
In this repository I use `4rs.nl` (my domain) as an example. You should replace this with your own domain.
|
||||
After reading this README you should have a `/.well-known/matrix/server` and `/.well-known/matrix/client` file on your domain (4rs.nl) and your matrix subdomain (matrix.4rs.nl). The client will use `matrix.4rs.nl` as the homeserver and the displayed homeserver will be `4rs.nl`.
|
||||
|
||||
## Requirements
|
||||
- docker
|
||||
- docker-compose
|
||||
- nginx
|
||||
|
||||
## Domain requirements
|
||||
- Have a `/.well-known/matrix/server` file on your domain that points to your homeserver. This is required for federation to work.
|
||||
The content of the file should be:
|
||||
```
|
||||
{
|
||||
"m.server": "matrix.4rs.nl:443"
|
||||
}
|
||||
```
|
||||
- Have a `/.well-known/matrix/client` file on your domain that points to your homeserver. This is required for the client to work.
|
||||
The content of the file should be:
|
||||
```
|
||||
{
|
||||
"m.homeserver": {
|
||||
"base_url": "https://matrix.4rs.nl"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
For me, I created the files in my static blog and then deployed it in GitHub pages. See the [justfile that I use to deploy the files to the domain](https://git.4rs.nl/awiteb/blog/src/branch/master/Justfile#L15-L17). You can use any other method to deploy the files and make them accessible on your domain, as long as they are accessible at `/.well-known/matrix/server` and `/.well-known/matrix/client`.
|
||||
|
||||
|
||||
## Nginx configuration of the matrix subdomain
|
||||
You should have a nginx configuration for the matrix subdomain at `/etc/nginx/sites-available/matrix.4rs.nl` and symlinked to `/etc/nginx/sites-enabled/matrix.4rs.nl`, Also include it in the `nginx.conf` file with `include /etc/nginx/sites-enabled/*;` (the include is already in the `nginx.conf` file when you install nginx).
|
||||
|
||||
You also need to have a certificate for the domain. You can get a free certificate from [Let's Encrypt](https://letsencrypt.org/). You can use [Certbot](https://certbot.eff.org/) to get a certificate. (Generate a certificate for `4rs.nl` and `*.4rs.nl`)
|
||||
|
||||
The configuration should look like this (replace `4rs.nl` with your domain)
|
||||
```
|
||||
server {
|
||||
server_name matrix.4rs.nl;
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name matrix.4rs.nl;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/4rs.nl/chain.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/4rs.nl/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/4rs.nl/privkey.pem;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
||||
|
||||
ignore_invalid_headers off;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
client_body_timeout 5s;
|
||||
client_header_timeout 5s;
|
||||
|
||||
location /.well-known/matrix/server {
|
||||
return 200 '{"m.server": "matrix.4rs.nl:443"}';
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
location /.well-known/matrix/client {
|
||||
return 200 '{"m.homeserver": {"base_url": "https://matrix.4rs.nl}}';
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
location / {
|
||||
proxy_pass http://localhost:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
client_max_body_size 200M;
|
||||
}
|
||||
}
|
||||
```
|
||||
After you have created the configuration file, reload nginx with `sudo systemctl reload nginx`. You should now be able to access the homeserver at `matrix.4rs.nl`.
|
||||
|
||||
Now you end up the Nginx configuration for the matrix subdomain. The next step is to clone this repository and run the homeserver.
|
||||
|
||||
## Clone the repository
|
||||
After you have set up the domain and the nginx configuration, you can clone this repository with `git clone https://4rs.nl/awiteb/synapse-config.git`. You should now have a directory called `synapse-config`.
|
||||
|
||||
## Configuration
|
||||
After you have cloned the repository, replace all `4rs.nl` with your domain also the files in the `./data` directory.
|
||||
|
||||
There is tow things only you need to change it, the first one is the secrets in `./data/homeserver.yaml` and the second one is the signing key in `./data/4rs.nl.signing.key`.
|
||||
|
||||
### Homeserver.yaml
|
||||
After replacing all `4rs.nl` with your domain, you need to generate a secret for each secret in the `homeserver.yaml` file. You can generate a secret with `openssl rand -base64 32`. Replace the secret with the generated secret.
|
||||
|
||||
### Signing key
|
||||
|
||||
> **Note:** You need `signedjson` dependency to generate a signing key. You can install it with `pip3 install signedjson`.
|
||||
|
||||
Change the content of the `4rs.nl.signing.key` file with a generated key. You can generate a key with `generate_signing_key` script in root of the repository. Run `python3 generate_signing_key` and replace the content of the `4rs.nl.signing.key` file with the generated key.
|
||||
|
||||
|
||||
## Run the homeserver and create the admin user
|
||||
After all above steps, you can run the homeserver with `docker-compose up -d`. You should now have a running homeserver on `matrix.4rs.nl`.
|
||||
|
||||
Now you need to create an admin user with `docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml` and follow the instructions. You should now have an admin user on the homeserver and you can login with it on the client using the homeserver `matrix.4rs.nl`. Enjoy your homeserver!
|
||||
|
||||
## Backup
|
||||
|
||||
> **Note:** You need [`just`](https://just.systems/) to backup the homeserver. You can install it with `cargo install just`.
|
||||
|
||||
You can backup the homeserver with `just backup <backup-name>`. And it's will stored as encrypted AES256 7z file.
|
||||
|
||||
## Any questions?
|
||||
If you have any questions, you can contact with me at `@awiteb:4rs.nl` and I will try to help you. Have fun with your homeserver!
|
39
data/4rs.nl.log.config
Normal file
|
@ -0,0 +1,39 @@
|
|||
version: 1
|
||||
|
||||
formatters:
|
||||
precise:
|
||||
|
||||
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
|
||||
|
||||
|
||||
handlers:
|
||||
|
||||
|
||||
console:
|
||||
class: logging.StreamHandler
|
||||
formatter: precise
|
||||
|
||||
loggers:
|
||||
# This is just here so we can leave `loggers` in the config regardless of whether
|
||||
# we configure other loggers below (avoid empty yaml dict error).
|
||||
_placeholder:
|
||||
level: "INFO"
|
||||
|
||||
|
||||
|
||||
synapse.storage.SQL:
|
||||
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||
# information such as access tokens.
|
||||
level: INFO
|
||||
|
||||
|
||||
|
||||
|
||||
root:
|
||||
level: INFO
|
||||
|
||||
|
||||
handlers: [console]
|
||||
|
||||
|
||||
disable_existing_loggers: false
|
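Review bot: Level values are quoted inconsistently in this file: `_placeholder` has `level: "INFO"` while `synapse.storage.SQL` and `root` use bare `INFO`; pick one form (bare is fine, `INFO` is not an ambiguous scalar) so a reader does not wonder whether the quoting carries meaning. `handlers: [console]` in flow style beside block-style mappings is the same kind of inconsistency; `handlers:` followed by `  - console` matches the rest of the file. The warning above `synapse.storage.SQL` about DEBUG exposing access tokens is the most useful comment in the file; a similar line above `root:` would help, since raising the root level to DEBUG enables debug output from every logger without an explicit level, which may include similarly sensitive data.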
1
data/4rs.nl.signing.key
Normal file
|
@ -0,0 +1 @@
|
|||
Paste `generate_signing_key` script output here (REMOVE THIS LINE)
|
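Review bot: The placeholder line is not in the `<algorithm> <version> <base64>` layout a Synapse signing-key file uses, so starting with the file unchanged would presumably fail at key loading rather than run with a published key — acceptable, but `(REMOVE THIS LINE)` could state what the file must contain instead of relying on the reader to infer it. More importantly, none of this commit's 8 files is a `.gitignore`, so once the real key is pasted here it is a modification to a tracked file, as are the filled-in secrets in `data/homeserver.yaml`, and a single `git commit -a` in a fork publishes both. Adding `data/*.signing.key` (and the populated `homeserver.yaml`) to a `.gitignore`, or keeping the key outside the tracked tree, closes that.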
67
data/homeserver.yaml
Normal file
|
@ -0,0 +1,67 @@
|
|||
# Configuration file for Synapse.
|
||||
#
|
||||
# For more information on how to configure Synapse, including a complete accounting of
|
||||
# each option, go to docs/usage/configuration/config_documentation.md or
|
||||
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
|
||||
|
||||
server_name: "4rs.nl"
|
||||
pid_file: /data/homeserver.pid
|
||||
listeners:
|
||||
- port: 8008
|
||||
tls: false
|
||||
type: http
|
||||
x_forwarded: true
|
||||
resources:
|
||||
- names: [client, federation]
|
||||
compress: false
|
||||
|
||||
database:
|
||||
name: psycopg2
|
||||
args:
|
||||
user: synapse
|
||||
password: somepassword
|
||||
host: postgresql
|
||||
database: synapse
|
||||
cp_min: 5
|
||||
cp_max: 10
|
||||
|
||||
log_config: "/data/4rs.nl.log.config"
|
||||
media_store_path: /data/media_store
|
||||
signing_key_path: "/data/4rs.nl.signing.key"
|
||||
|
||||
# Run `openssl rand -base64 32` for each one
|
||||
registration_shared_secret: "<YOUR_SECRET_HERE>"
|
||||
macaroon_secret_key: "<YOUR_SECRET_HERE>"
|
||||
form_secret: "<YOUR_SECRET_HERE>"
|
||||
|
||||
enable_registration: false
|
||||
url_preview_enabled: true
|
||||
url_preview_ip_range_blacklist:
|
||||
- '127.0.0.0/8'
|
||||
- '10.0.0.0/8'
|
||||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
- '100.64.0.0/10'
|
||||
- '192.0.0.0/24'
|
||||
- '169.254.0.0/16'
|
||||
- '192.88.99.0/24'
|
||||
- '198.18.0.0/15'
|
||||
- '192.0.2.0/24'
|
||||
- '198.51.100.0/24'
|
||||
- '203.0.113.0/24'
|
||||
- '224.0.0.0/4'
|
||||
- '::1/128'
|
||||
- 'fe80::/10'
|
||||
- 'fc00::/7'
|
||||
- '2001:db8::/32'
|
||||
- 'ff00::/8'
|
||||
- 'fec0::/10'
|
||||
|
||||
presence:
|
||||
enabled: false
|
||||
report_stats: false
|
||||
trusted_key_servers:
|
||||
- server_name: "matrix.org"
|
||||
|
||||
delete_stale_devices_after: 1y
|
||||
admin_contact: 'mailto:a@4rs.nl'
|
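Review bot: `database.args.password` at the `password: somepassword` line is a hard-coded credential that the `# Run openssl rand -base64 32 for each one` comment further down does not cover, so a reader following the README replaces the three `<YOUR_SECRET_HERE>` values and ships the published default for the database. It must also equal `POSTGRES_PASSWORD` in `docker-compose.yml`, which nothing in this file says. Extend the comment, e.g. `# Must match POSTGRES_PASSWORD in docker-compose.yml; generate it like the secrets below`, and use a `<YOUR_SECRET_HERE>` placeholder here too so the default cannot be left in place unnoticed. Separately, `url_preview_enabled: true` paired with the long `url_preview_ip_range_blacklist` is the right shape; a short comment noting that the list stops the previewer from fetching link-local, private and loopback addresses on the server's behalf would help whoever trims it later.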
25
docker-compose.yml
Normal file
|
@ -0,0 +1,25 @@
|
|||
version: "3.3"
|
||||
services:
|
||||
synapse:
|
||||
image: "matrixdotorg/synapse:latest"
|
||||
container_name: "synapse"
|
||||
volumes:
|
||||
- "./data:/data"
|
||||
environment:
|
||||
- VIRTUAL_HOST=matrix.4rs.nl
|
||||
- VIRTUAL_PORT=8008
|
||||
- SYNAPSE_SERVER_NAME=4rs.nl
|
||||
- SYNAPSE_REPORT_STATS=no
|
||||
ports:
|
||||
- "8008:8008/tcp"
|
||||
- "8448:8448/tcp"
|
||||
postgresql:
|
||||
image: postgres:latest
|
||||
restart: always
|
||||
environment:
|
||||
POSTGRES_PASSWORD: somepassword
|
||||
POSTGRES_USER: synapse
|
||||
POSTGRES_DB: synapse
|
||||
POSTGRES_INITDB_ARGS: "--encoding='UTF8' --lc-collate='C' --lc-ctype='C'"
|
||||
volumes:
|
||||
- "./postgresdata:/var/lib/postgresql"
|
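Review bot: `ports` publishes `8008:8008/tcp` on every host interface, while the README's nginx config proxies to `localhost:8008` and the Synapse listener is configured with `x_forwarded: true`; any client that can reach the host on 8008 talks to the plaintext listener directly, outside the TLS endpoint and nginx's timeouts, and controls its own `X-Forwarded-For`. Bind it to loopback, `- "127.0.0.1:8008:8008/tcp"`; `8448:8448/tcp` maps a port that no listener in `data/homeserver.yaml` uses (federation is served on 443 through the well-known delegation the README describes), so that line can go. The bind mount `./postgresdata:/var/lib/postgresql` is probably not where the database lands: the official image declares its data volume at `/var/lib/postgresql/data` in the releases current at the commit date, so that path would sit on an anonymous volume and the Justfile backup of `postgresdata` would archive an empty tree — confirm against the tag actually pulled and use `./postgresdata:/var/lib/postgresql/data` if so. `postgres:latest` and `synapse:latest` are unpinned; a major Postgres bump cannot open the previous data directory, so pin both tags, and give `synapse` the same `restart: always` the database already has.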
27
generate_signing_key
Normal file
|
@ -0,0 +1,27 @@
|
|||
# Generate a signing key for synapse from the command line
|
||||
#
|
||||
# Usage: python3 generate_signing_key
|
||||
#
|
||||
# You must have the signedjson package installed:
|
||||
# apt install python3-signedjson
|
||||
# pip3 install signedjson
|
||||
#
|
||||
# Author: Abel Luck <abel@guardianproject.info>
|
||||
# Created: April 25 2019
|
||||
# Updated: October 11 2021
|
||||
|
||||
import random
|
||||
import string
|
||||
import io
|
||||
from signedjson.key import generate_signing_key, write_signing_keys
|
||||
|
||||
|
||||
def random_string(length):
|
||||
return ''.join(random.choice(string.ascii_letters) for _ in range(length))
|
||||
|
||||
|
||||
key_id = "a_" + random_string(4)
|
||||
with io.StringIO() as f:
|
||||
write_signing_keys(f, (generate_signing_key(key_id),),)
|
||||
f.seek(0)
|
||||
print(f.read())
|
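Review bot: The `with io.StringIO() as f:` block seeks back and re-reads the buffer where `print(f.getvalue())` does the same thing; the `f.seek(0)` / `f.read()` pair reads like a real-file idiom carried over. The header says `Usage: python3 generate_signing_key` but there is no `#!/usr/bin/env python3` shebang, so the file cannot be run directly — harmless as documented, but either add the shebang or drop the implication. `random.choice` for `key_id` is fine as written, because the value is only the public version label of the key and the key material itself comes from `generate_signing_key`; a one-line comment, `# key_id is a public version label, not secret material`, will stop the next reviewer from flagging the use of `random` here.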