Matrix (Synapse)

available at matrix.altpeter.me, hosted at Hetzner (IP 116.203.84.17)

Setup

The setup is based on this tutorial (archived).

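# --- Synapse packages -----------------------------------------------------------------------
# The repository is pinned to its own keyring via `signed-by`, so packages from it are only
# accepted when signed by the matrix.org key. The key itself is fetched over HTTPS; compare its
# fingerprint with the one published on matrix.org before trusting it (`--show-keys` needs a
# reasonably recent gpg).
sudo apt install -y lsb-release wget apt-transport-https
sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
gpg --show-keys /usr/share/keyrings/matrix-org-archive-keyring.gpg   # check the fingerprint
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" |
    sudo tee /etc/apt/sources.list.d/matrix-org.list

sudo sh -c 'apt update && apt upgrade'
# "Name of the server" becomes Synapse's `server_name`, i.e. the domain part of every user ID
# (@user:matrix.altpeter.me). Choose it carefully: it is not meant to be changed afterwards.
sudo apt install matrix-synapse-py3 # Name of the server: `matrix.altpeter.me`, Report anonymous statistics: Yes

sudo systemctl start matrix-synapse.service
sudo systemctl enable matrix-synapse.service

# Skip "Set up well.known", this will be done directly in Nginx.

# DNS: federation discovery. Nginx serves /.well-known/matrix/server for matrix.altpeter.me
# (see the Nginx config below), which lets other homeservers reach us on :443 without a SRV
# record. NOTE(review): the tutorial's record `_matrix._tcp.altpeter.me. 3600 IN SRV 10 5 443 matrix.altpeter.me.`
# is for `altpeter.me`, not for the server name chosen above (matrix.altpeter.me), so as written
# it is not consulted for this deployment. If a SRV fallback is wanted it has to live under the
# server name: `_matrix._tcp.matrix.altpeter.me. 3600 IN SRV 10 5 443 matrix.altpeter.me.`

# --- Registration ---------------------------------------------------------------------------
# Open registration stays off (`enable_registration: false`); accounts are created with
# `register_new_matrix_user`, which authenticates with `registration_shared_secret`. Anyone
# holding that secret can create accounts, so generate it instead of typing one.
# (Reads /dev/urandom directly; 32 alphanumeric characters, same as the tutorial's pipeline.)
REGISTRATION_SECRET="$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32)"
echo "$REGISTRATION_SECRET"

sudo nano /etc/matrix-synapse/homeserver.yaml
# Set `enable_registration: false` and `registration_shared_secret: "<REGISTRATION_SECRET>"`.

sudo systemctl restart matrix-synapse.service

# --- TLS (Let's Encrypt) --------------------------------------------------------------------
# NOTE(review): the certbot PPA and the Python-2 `python-certbot-nginx` package are what the
# tutorial used; on current releases prefer the distribution's certbot / python3-certbot-nginx
# packages (or certbot's own install instructions) if these are no longer available.
sudo add-apt-repository ppa:certbot/certbot
sudo apt install nginx letsencrypt certbot python-certbot-nginx
sudo certbot --nginx # Make sure to include both `altpeter.me` and `matrix.altpeter.me`. Cronjob is automatically installed in `/etc/cron.d/certbot`
# The Nginx config below references two certificate lineages (…/live/matrix.altpeter.me and
# …/live/altpeter.me). Confirm that both exist and cover the expected names:
sudo certbot certificates

sudo systemctl start nginx.service
sudo systemctl enable nginx.service

sudo nano /etc/nginx/sites-available/matrix # Copy the Nginx config from below
sudo ln -s /etc/nginx/sites-available/matrix /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
# Only restart when the config parses; a failed restart would take the whole site down.
sudo nginx -t && sudo systemctl restart nginx.service
# Renewal must still work now that the default site is gone and the HTTP redirect is in place.
sudo certbot renew --dry-run

# --- PostgreSQL -----------------------------------------------------------------------------
# The tutorial used the literal password 'pw'. Generate one instead; alphanumeric only, so it
# can be pasted into the SQL literal below and into homeserver.yaml without quoting problems.
DB_PASSWORD="$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32)"
echo "$DB_PASSWORD"   # needed again for homeserver.yaml below

sudo apt install postgresql
# template0 + LC_* = 'C' gives the C-collation UTF8 database Synapse's Postgres docs call for.
# ON_ERROR_STOP makes psql exit non-zero on the first failing statement instead of carrying on.
sudo -u postgres psql -v ON_ERROR_STOP=1 <<SQL
CREATE USER "matrix" WITH PASSWORD '${DB_PASSWORD}';
CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER "matrix";
SQL

sudo apt install python3-psycopg2

sudo nano /etc/matrix-synapse/homeserver.yaml
# Set the `database` section as follows (password = the DB_PASSWORD generated above):
# database:
#     name: psycopg2
#     args:
#         user: matrix
#         password: <DB_PASSWORD>
#         database: synapse
#         host: 127.0.0.1
#         cp_min: 5
#         cp_max: 10

# homeserver.yaml now holds two secrets (registration_shared_secret and the DB password).
# Check that it is not world-readable. It must remain readable by root and by the account the
# service runs as (`systemctl show -p User matrix-synapse.service`) — e.g. owner root, group
# that account, mode 640. Do not lock the service user out.
ls -l /etc/matrix-synapse/homeserver.yaml

sudo systemctl restart matrix-synapse.service
# Confirm Synapse came back up against Postgres before going on.
sudo journalctl -u matrix-synapse.service -n 30 --no-pager

# --- Firewall -------------------------------------------------------------------------------
# Order matters: allow SSH *before* `ufw enable`, or enabling the firewall locks you out.
# 8008 (Synapse itself) is deliberately not opened — it is only reached through Nginx on
# localhost. Also check that the 8008 listener in homeserver.yaml binds to loopback only.
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 8448   # federation fallback port (see the Nginx :8448 server block)

sudo ufw enable
sudo ufw status verbose   # the incoming default should read "deny"

# Create the first account. The tool reads `registration_shared_secret` from the config file,
# so it needs enough rights to read it (hence sudo); it should also prompt whether the account
# is an admin.
sudo register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://localhost:8008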

Nginx config

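# Plain HTTP → HTTPS. One block per name, each redirecting to its own fixed `$server_name`:
# a request for http://matrix.altpeter.me now goes to https://matrix.altpeter.me (the single
# block from the tutorial sent it to https://altpeter.me because `$server_name` is the
# configured name, not the requested one), and the client-supplied Host header is never
# echoed into the redirect target. Requests carrying any other Host still fall through to the
# first block, as before. IPv6 listeners match the :443 blocks below.
# certbot's --nginx plugin edits the config itself for ACME challenges; confirm renewal still
# works behind the redirect with `certbot renew --dry-run`.
server {
        listen 80;
        listen [::]:80;
        server_name altpeter.me;
        return 301 https://$server_name$request_uri;
}

server {
        listen 80;
        listen [::]:80;
        server_name matrix.altpeter.me;
        return 301 https://$server_name$request_uri;
}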

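# Client API and federation/client well-known for matrix.altpeter.me.
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name matrix.altpeter.me;

        ssl_certificate /etc/letsencrypt/live/matrix.altpeter.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/matrix.altpeter.me/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/matrix.altpeter.me/fullchain.pem;

        # Nginx's default client_max_body_size is 1m, which rejects larger media uploads
        # before they reach Synapse. Keep this in step with Synapse's `max_upload_size`
        # (50M assumes the default — adjust if homeserver.yaml sets something else).
        client_max_body_size 50M;

        location /_matrix {
                # Synapse only trusts these headers when the :8008 listener in homeserver.yaml
                # has `x_forwarded: true`; otherwise it sees 127.0.0.1 for every client.
                # X-Forwarded-Proto tells it the original request was HTTPS.
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $host;
                proxy_pass http://localhost:8008;
        }

        # Federation delegation: other homeservers contact matrix.altpeter.me on :443 instead
        # of the default :8448. `return` takes its Content-Type from `default_type`, and
        # `add_header Content-Type` appends rather than replaces (the reply would carry two
        # Content-Type headers), so the type is set via default_type instead.
        location /.well-known/matrix/server {
                default_type application/json;
                return 200 '{"m.server": "matrix.altpeter.me:443"}';
        }
        # Client auto-discovery. The `*` CORS header is needed so web clients hosted on other
        # origins can read this document.
        location /.well-known/matrix/client {
                default_type application/json;
                add_header Access-Control-Allow-Origin "*";
                return 200 '{"m.homeserver": {"base_url": "https://matrix.altpeter.me"},"m.identity_server": {"base_url": "https://vector.im"}}';
        }
}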

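# Federation fallback on :8448, for homeservers that do not (or cannot) use the well-known
# delegation above. `default_server` makes this block answer regardless of SNI. The
# certificate presented here has to be valid for the server name — matrix.altpeter.me, as
# chosen at install time — which is the lineage used; the tutorial's `server_name altpeter.me`
# did not match that certificate and is replaced. Only /_matrix is proxied, in line with the
# :443 block, so nothing else served on the Synapse port is exposed to the internet.
server {
        listen 8448 ssl default_server;
        listen [::]:8448 ssl default_server;
        server_name matrix.altpeter.me;

        ssl_certificate /etc/letsencrypt/live/matrix.altpeter.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/matrix.altpeter.me/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/matrix.altpeter.me/fullchain.pem;

        location /_matrix {
                # Same forwarding headers as the :443 block; Synapse uses them only with
                # `x_forwarded: true` on its listener.
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $host;
                proxy_pass http://localhost:8008;
        }
}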

# Apex domain over HTTPS. Nothing Matrix-related is served here; every request is answered
# with a permanent redirect to the personal site (the request path is not carried over).
# This block uses its own certificate lineage (…/live/altpeter.me), separate from the
# matrix.altpeter.me lineage used by the other blocks — `certbot certificates` should list both.
server {
       server_name altpeter.me;

       listen 443 ssl http2;
       listen [::]:443 ssl http2;

       ssl_certificate_key     /etc/letsencrypt/live/altpeter.me/privkey.pem;
       ssl_certificate         /etc/letsencrypt/live/altpeter.me/fullchain.pem;
       ssl_trusted_certificate /etc/letsencrypt/live/altpeter.me/fullchain.pem;

       return 301 https://benjamin-altpeter.de;
}

Upgrading

Before upgrading, read the upgrade notes for the new version: some releases need manual steps beyond `apt upgrade` (and the release notes say whether the update fixes a security issue, which decides how urgent it is).
Updates are done using APT: apt update && apt upgrade

To check the running server version (plain HTTP on localhost, so `-k` is not needed): curl -sv http://localhost:8008/_matrix/client/versions 2>&1 | grep -i "server:"

References