first commit
This commit is contained in:
commit
66ab861d63
8 changed files with 351 additions and 0 deletions
30
Justfile
Normal file
30
Justfile
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
@_default:
|
||||||
|
{{just_executable()}} -f {{justfile()}} --list
|
||||||
|
|
||||||
|
# Run the instance [aliases: r]
|
||||||
|
@run:
|
||||||
|
sudo docker-compose up -d
|
||||||
|
|
||||||
|
# Stop the instance [aliases: s]
|
||||||
|
@stop:
|
||||||
|
sudo docker-compose rm -f -s
|
||||||
|
|
||||||
|
# Restart the instance
|
||||||
|
@restart:
|
||||||
|
sudo docker-compose restart
|
||||||
|
|
||||||
|
# Create Backup file [aliases: b]
|
||||||
|
@backup backup_name: stop && run
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
FILES="data postgresdata Justfile docker-compose.yml README.md"
|
||||||
|
7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=32m -ms=on -mhe=on -p {{backup_name}}.7z $FILES
|
||||||
|
echo "Backup done..."
|
||||||
|
|
||||||
|
|
||||||
|
[private]
|
||||||
|
alias r := run
|
||||||
|
[private]
|
||||||
|
alias s := stop
|
||||||
|
[private]
|
||||||
|
alias b := backup
|
||||||
|
|
21
LICENSE
Normal file
21
LICENSE
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
The MIT License (MIT)
|
||||||
|
|
||||||
|
Copyright (c) 2024, Awiteb <a@4rs.nl>
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in
|
||||||
|
all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
THE SOFTWARE.
|
141
README.md
Normal file
141
README.md
Normal file
|
@ -0,0 +1,141 @@
|
||||||
|
# 4rs matrix homeserver
|
||||||
|
|
||||||
|
This is my personal matrix homeserver. You can clone this repository and run the homeserver with docker-compose.
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
In this repository I use `4rs.nl` (my domain) as an example. You should replace this with your own domain.
|
||||||
|
After reading this README you should have a `/.well-known/matrix/server` and `/.well-known/matrix/client` file on your domain (4rs.nl) and your matrix subdomain (matrix.4rs.nl). The client will use `matrix.4rs.nl` as the homeserver and the displayed homeserver will be `4rs.nl`.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
- docker
|
||||||
|
- docker-compose
|
||||||
|
- nginx
|
||||||
|
|
||||||
|
## Domain requirements
|
||||||
|
- Have a `/.well-known/matrix/server` file on your domain that points to your homeserver. This is required for federation to work.
|
||||||
|
The content of the file should be:
|
||||||
|
```
|
||||||
|
{
|
||||||
|
"m.server": "matrix.4rs.nl:443"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
- Have a `/.well-known/matrix/client` file on your domain that points to your homeserver. This is required for the client to work.
|
||||||
|
The content of the file should be:
|
||||||
|
```
|
||||||
|
{
|
||||||
|
"m.homeserver": {
|
||||||
|
"base_url": "https://matrix.4rs.nl"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
For me, I created the files in my static blog and then deployed it in GitHub pages. See the [justfile that I use to deploy the files to the domain](https://git.4rs.nl/awiteb/blog/src/branch/master/Justfile#L15-L17). You can use any other method to deploy the files and make them accessible on your domain, as long as they are accessible at `/.well-known/matrix/server` and `/.well-known/matrix/client`.
|
||||||
|
|
||||||
|
|
||||||
|
## Nginx configuration of the matrix subdomain
|
||||||
|
You should have a nginx configuration for the matrix subdomain at `/etc/nginx/sites-available/matrix.4rs.nl` and symlinked to `/etc/nginx/sites-enabled/matrix.4rs.nl`, Also include it in the `nginx.conf` file with `include /etc/nginx/sites-enabled/*;` (the include is already in the `nginx.conf` file when you install nginx).
|
||||||
|
|
||||||
|
You also need to have a certificate for the domain. You can get a free certificate from [Let's Encrypt](https://letsencrypt.org/). You can use [Certbot](https://certbot.eff.org/) to get a certificate. (Generate a certificate for `4rs.nl` and `*.4rs.nl`)
|
||||||
|
|
||||||
|
The configuration should look like this (replace `4rs.nl` with your domain)
|
||||||
|
```
|
||||||
|
server {
|
||||||
|
server_name matrix.4rs.nl;
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
location / {
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name matrix.4rs.nl;
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
access_log /var/log/nginx/access.log;
|
||||||
|
error_log /var/log/nginx/error.log warn;
|
||||||
|
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/4rs.nl/chain.pem;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/4rs.nl/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/4rs.nl/privkey.pem;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_proxied any;
|
||||||
|
gzip_comp_level 6;
|
||||||
|
gzip_buffers 16 8k;
|
||||||
|
gzip_http_version 1.1;
|
||||||
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
|
||||||
|
|
||||||
|
ignore_invalid_headers off;
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
|
client_body_timeout 5s;
|
||||||
|
client_header_timeout 5s;
|
||||||
|
|
||||||
|
location /.well-known/matrix/server {
|
||||||
|
return 200 '{"m.server": "matrix.4rs.nl:443"}';
|
||||||
|
default_type application/json;
|
||||||
|
add_header Access-Control-Allow-Origin *;
|
||||||
|
}
|
||||||
|
location /.well-known/matrix/client {
|
||||||
|
return 200 '{"m.homeserver": {"base_url": "https://matrix.4rs.nl}}';
|
||||||
|
default_type application/json;
|
||||||
|
add_header Access-Control-Allow-Origin *;
|
||||||
|
}
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
client_max_body_size 200M;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
After you have created the configuration file, reload nginx with `sudo systemctl reload nginx`. You should now be able to access the homeserver at `matrix.4rs.nl`.
|
||||||
|
|
||||||
|
Now you end up the Nginx configuration for the matrix subdomain. The next step is to clone this repository and run the homeserver.
|
||||||
|
|
||||||
|
## Clone the repository
|
||||||
|
After you have set up the domain and the nginx configuration, you can clone this repository with `git clone https://4rs.nl/awiteb/synapse-config.git`. You should now have a directory called `synapse-config`.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
After you have cloned the repository, replace all `4rs.nl` with your domain also the files in the `./data` directory.
|
||||||
|
|
||||||
|
There is tow things only you need to change it, the first one is the secrets in `./data/homeserver.yaml` and the second one is the signing key in `./data/4rs.nl.signing.key`.
|
||||||
|
|
||||||
|
### Homeserver.yaml
|
||||||
|
After replacing all `4rs.nl` with your domain, you need to generate a secret for each secret in the `homeserver.yaml` file. You can generate a secret with `openssl rand -base64 32`. Replace the secret with the generated secret.
|
||||||
|
|
||||||
|
### Signing key
|
||||||
|
|
||||||
|
> **Note:** You need `signedjson` dependency to generate a signing key. You can install it with `pip3 install signedjson`.
|
||||||
|
|
||||||
|
Change the content of the `4rs.nl.signing.key` file with a generated key. You can generate a key with `generate_signing_key` script in root of the repository. Run `python3 generate_signing_key` and replace the content of the `4rs.nl.signing.key` file with the generated key.
|
||||||
|
|
||||||
|
|
||||||
|
## Run the homeserver and create the admin user
|
||||||
|
After all above steps, you can run the homeserver with `docker-compose up -d`. You should now have a running homeserver on `matrix.4rs.nl`.
|
||||||
|
|
||||||
|
Now you need to create an admin user with `docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml` and follow the instructions. You should now have an admin user on the homeserver and you can login with it on the client using the homeserver `matrix.4rs.nl`. Enjoy your homeserver!
|
||||||
|
|
||||||
|
## Backup
|
||||||
|
|
||||||
|
> **Note:** You need [`just`](https://just.systems/) to backup the homeserver. You can install it with `cargo install just`.
|
||||||
|
|
||||||
|
You can backup the homeserver with `just backup <backup-name>`. And it's will stored as encrypted AES256 7z file.
|
||||||
|
|
||||||
|
## Any questions?
|
||||||
|
If you have any questions, you can contact with me at `@awiteb:4rs.nl` and I will try to help you. Have fun with your homeserver!
|
39
data/4rs.nl.log.config
Normal file
39
data/4rs.nl.log.config
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
version: 1
|
||||||
|
|
||||||
|
formatters:
|
||||||
|
precise:
|
||||||
|
|
||||||
|
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
|
||||||
|
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
|
||||||
|
|
||||||
|
console:
|
||||||
|
class: logging.StreamHandler
|
||||||
|
formatter: precise
|
||||||
|
|
||||||
|
loggers:
|
||||||
|
# This is just here so we can leave `loggers` in the config regardless of whether
|
||||||
|
# we configure other loggers below (avoid empty yaml dict error).
|
||||||
|
_placeholder:
|
||||||
|
level: "INFO"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
synapse.storage.SQL:
|
||||||
|
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||||
|
# information such as access tokens.
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
root:
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
|
||||||
|
handlers: [console]
|
||||||
|
|
||||||
|
|
||||||
|
disable_existing_loggers: false
|
1
data/4rs.nl.signing.key
Normal file
1
data/4rs.nl.signing.key
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Paste `generate_signing_key` script output here (REMOVE THIS LINE)
|
67
data/homeserver.yaml
Normal file
67
data/homeserver.yaml
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
# Configuration file for Synapse.
|
||||||
|
#
|
||||||
|
# For more information on how to configure Synapse, including a complete accounting of
|
||||||
|
# each option, go to docs/usage/configuration/config_documentation.md or
|
||||||
|
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
|
||||||
|
|
||||||
|
server_name: "4rs.nl"
|
||||||
|
pid_file: /data/homeserver.pid
|
||||||
|
listeners:
|
||||||
|
- port: 8008
|
||||||
|
tls: false
|
||||||
|
type: http
|
||||||
|
x_forwarded: true
|
||||||
|
resources:
|
||||||
|
- names: [client, federation]
|
||||||
|
compress: false
|
||||||
|
|
||||||
|
database:
|
||||||
|
name: psycopg2
|
||||||
|
args:
|
||||||
|
user: synapse
|
||||||
|
password: somepassword
|
||||||
|
host: postgresql
|
||||||
|
database: synapse
|
||||||
|
cp_min: 5
|
||||||
|
cp_max: 10
|
||||||
|
|
||||||
|
log_config: "/data/4rs.nl.log.config"
|
||||||
|
media_store_path: /data/media_store
|
||||||
|
signing_key_path: "/data/4rs.nl.signing.key"
|
||||||
|
|
||||||
|
# Run `openssl rand -base64 32` for each one
|
||||||
|
registration_shared_secret: "<YOUR_SECRET_HERE>"
|
||||||
|
macaroon_secret_key: "<YOUR_SECRET_HERE>"
|
||||||
|
form_secret: "<YOUR_SECRET_HERE>"
|
||||||
|
|
||||||
|
enable_registration: false
|
||||||
|
url_preview_enabled: true
|
||||||
|
url_preview_ip_range_blacklist:
|
||||||
|
- '127.0.0.0/8'
|
||||||
|
- '10.0.0.0/8'
|
||||||
|
- '172.16.0.0/12'
|
||||||
|
- '192.168.0.0/16'
|
||||||
|
- '100.64.0.0/10'
|
||||||
|
- '192.0.0.0/24'
|
||||||
|
- '169.254.0.0/16'
|
||||||
|
- '192.88.99.0/24'
|
||||||
|
- '198.18.0.0/15'
|
||||||
|
- '192.0.2.0/24'
|
||||||
|
- '198.51.100.0/24'
|
||||||
|
- '203.0.113.0/24'
|
||||||
|
- '224.0.0.0/4'
|
||||||
|
- '::1/128'
|
||||||
|
- 'fe80::/10'
|
||||||
|
- 'fc00::/7'
|
||||||
|
- '2001:db8::/32'
|
||||||
|
- 'ff00::/8'
|
||||||
|
- 'fec0::/10'
|
||||||
|
|
||||||
|
presence:
|
||||||
|
enabled: false
|
||||||
|
report_stats: false
|
||||||
|
trusted_key_servers:
|
||||||
|
- server_name: "matrix.org"
|
||||||
|
|
||||||
|
delete_stale_devices_after: 1y
|
||||||
|
admin_contact: 'mailto:a@4rs.nl'
|
25
docker-compose.yml
Normal file
25
docker-compose.yml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
version: "3.3"
|
||||||
|
services:
|
||||||
|
synapse:
|
||||||
|
image: "matrixdotorg/synapse:latest"
|
||||||
|
container_name: "synapse"
|
||||||
|
volumes:
|
||||||
|
- "./data:/data"
|
||||||
|
environment:
|
||||||
|
- VIRTUAL_HOST=matrix.4rs.nl
|
||||||
|
- VIRTUAL_PORT=8008
|
||||||
|
- SYNAPSE_SERVER_NAME=4rs.nl
|
||||||
|
- SYNAPSE_REPORT_STATS=no
|
||||||
|
ports:
|
||||||
|
- "8008:8008/tcp"
|
||||||
|
- "8448:8448/tcp"
|
||||||
|
postgresql:
|
||||||
|
image: postgres:latest
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
POSTGRES_PASSWORD: somepassword
|
||||||
|
POSTGRES_USER: synapse
|
||||||
|
POSTGRES_DB: synapse
|
||||||
|
POSTGRES_INITDB_ARGS: "--encoding='UTF8' --lc-collate='C' --lc-ctype='C'"
|
||||||
|
volumes:
|
||||||
|
- "./postgresdata:/var/lib/postgresql"
|
27
generate_signing_key
Normal file
27
generate_signing_key
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
# Generate a signing key for synapse from the command line
|
||||||
|
#
|
||||||
|
# Usage: python3 generate_signing_key
|
||||||
|
#
|
||||||
|
# You must have the signedjson package installed:
|
||||||
|
# apt install python3-signedjson
|
||||||
|
# pip3 install signedjson
|
||||||
|
#
|
||||||
|
# Author: Abel Luck <abel@guardianproject.info>
|
||||||
|
# Created: April 25 2019
|
||||||
|
# Updated: October 11 2021
|
||||||
|
|
||||||
|
import random
|
||||||
|
import string
|
||||||
|
import io
|
||||||
|
from signedjson.key import generate_signing_key, write_signing_keys
|
||||||
|
|
||||||
|
|
||||||
|
def random_string(length):
|
||||||
|
return ''.join(random.choice(string.ascii_letters) for _ in range(length))
|
||||||
|
|
||||||
|
|
||||||
|
key_id = "a_" + random_string(4)
|
||||||
|
with io.StringIO() as f:
|
||||||
|
write_signing_keys(f, (generate_signing_key(key_id),),)
|
||||||
|
f.seek(0)
|
||||||
|
print(f.read())
|
Loading…
Reference in a new issue