Here we are going to install a Synapse server using docker + nginx + cloudflare argo tunnel + oauth.
In this part we'll deploy a working Synapse server, so you don't need to wait for other parts, if it's enough to you. Keep in mind that in this way you will expose your real server's IP.
Let's ssh on our linux server with docker and let's deploy the synapse's docker-compose.yaml
# mkdir /opt/vector
# cd /opt/vetor
# docker network create matrix
# vim docker-compose.yaml
Here is the docker-compose.yaml content:
version: "3.3"
services:
synapse:
image: "ghcr.io/element-hq/synapse:develop"
networks:
- default
- matrix
restart: always
container_name: "matrix"
volumes:
- "./data:/data"
environment:
VIRTUAL_HOST: "matrix.cyberveins.eu"
VIRTUAL_PORT: 8008
SYNAPSE_SERVER_NAME: "matrix.cyberveins.eu"
SYNAPSE_REPORT_STATS: "yes"
ports:
- "9008:8008/tcp" # <-- Change these if your ports are already busy
- "8448:8448/tcp" # <-- Change these if you ports are already busy
depends_on:
- postgresql
postgresql:
image: postgres:15.5-bullseye
restart: always
networks:
- default
environment:
POSTGRES_PASSWORD: __CHANGEME__
POSTGRES_USER: synapse
POSTGRES_DB: synapse
POSTGRES_INITDB_ARGS: "--encoding='UTF8' --lc-collate='C' --lc-ctype='C'"
volumes:
- "./data/postgresdata:/var/lib/postgresql/data"
networks:
default:
matrix:
external: true
Now we have to generate the very first config file:
# docker run -it --rm -v ./data:/data -e SYNAPSE_SERVER_NAME=matrix.cyberveins.eu -e SYNAPSE_REPORT_STATS=yes ghcr.io/element-hq/synapse:develop generate
Let's get into data
and let's modify homeserver.yaml
# cd data
# vim homeserver.yaml
Here is its content:
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "matrix.cyberveins.eu"
public_baseurl: "https://matrix.cyberveins.eu"
pid_file: /data/homeserver.pid
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
compress: false
database:
name: psycopg2
args:
user: synapse
password: __CHANGEME__ # <-- this has to be the same as the one in docker-compose.yaml
host: postgresql
database: synapse
cp_min: 5
cp_max: 10
allow_public_rooms_over_federation: true
#federation_domain_whitelist: # <-- remove the comment if you want to whitelist only some domains. If the list is empty, no federation is allowed
enable_registration: false # <-- registration with mail is inhibited by now.
log_config: "/data/matrix.cyberveins.eu.log.config"
media_store_path: /data/media_store
registration_shared_secret: "__REDACTED__"
report_stats: true
macaroon_secret_key: "__REDACTED__"
form_secret: "__REDACTED__"
signing_key_path: "/data/matrix.cyberveins.eu.signing.key"
trusted_key_servers:
- server_name: "matrix.org"
email: #< -- This block is not mandatory: it's just to send mail in case of registration, lost password and such
smtp_host: "smtp-relay.brevo.com"
smtp_port: 587
smtp_user: "__REDACTED__"
smtp_pass: "__REDACTED__"
require_transport_security: true
notif_from: "[email protected]"
app_name: cyberveins
client_base_url: https://element.cyberveins.eu
invite_client_location: https://element.cyberveins.eu
supress_key_server_warning: true
Let's get back into docker-compose.yaml
directory and let's fire up the instance
# cd ../
# docker compose up -d; docker compose logs -f
Check that everything's ok and press CTRL+C
.
Now let's ssh on the nginx's server and let's create a site config file:
# cd /etc/nginx/sites-available
# vim matrix.cyberveins.eu.conf
Here is the content:
server {
listen 80;
server_name matrix.cyberveins.eu;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
#listen 8448 ssl http2;
server_name matrix.cyberveins.eu;
http2_push_preload on; # Enable HTTP/2 Server Push
ssl_certificate /etc/letsencrypt/live/matrix.cyberveins.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.cyberveins.eu/privkey.pem;
ssl_session_timeout 1d;
access_log /var/log/nginx/matrix.cyberveins.eu.access.log;
error_log /var/log/nginx/matrix.cyberveins.eu.error.log;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_early_data on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location ^~ /.well-known {
root /var/www/html/matrix;
}
location ~ ^(/_matrix|/_synapse/client|/_synapse/admin) {
proxy_pass http://192.168.153.3:9008; # <-- This is the server that is running synapse. If it's on the same host, write 127.0.0.1:9008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
}
We don't want to expose port 8008 nor 8448 for federation, we want to expose only port 443, thus:
# mkdir -p /var/www/html/matrix/.well-known/matrix
# cd /var/www/html/matrix/.well-known/matrix
# vim server
It's content is:
{
"m.server": "matrix.cyberveins.eu:443"
}
This will inform other servers that our federation port is 443.
Let's request a letsencrypt certificate (YES even if you're behind argo tunnel, if you want to provide oauth):
# certbot certonly --nginx --preferred-challenges http -d matrix.cyberveins.eu
# ln -sf /etc/nginx/sites-available/matrix.cyberveins.eu.conf /etc/nginx/sites-enabled
# nginx -t
If it's all ok:
# systemctl restart nginx
Now let's get back in the synapse server and create our admin user:
# docker exec -it matrix register_new_matrix_user https://matrix.cyberveins.eu -c /data/homeserver.yaml -u admin -p _PASSWORD_
At this point you can use your brand new synapse server with the client you prefer. On next arcticles we'll configure the rest (that is argo tunnel followed by oauth providers).