It’s a chat network. As far as I’ve understood it, it’s like IRC, but Slack. Self-hosted, but also more modern. It’s supposed to be safer, and in a way, kind of XMPP. It’s called Matrix.
I will not explain why I decided to deploy it. Deploy it, learn it, use it or discard it. It’s a lifecycle of technology. So let’s just skip to it. It’s supposed to be self-hosted communications infrastructure that you can scale and so on. So let’s see, how do I set it up.
I took the trivial approach and used Synapse as one of the servers. I know, it’s written in Python. You can also use Construct if you like C++ or Ruma if you like Rust.
So, after a basic Debian install, I turned to the docs.
apt-get update && apt-get upgrade -y && apt-get install -y git
git clone https://github.com/matrix-org/synapse.git
After doing this, and simultaneously reading the “Install from source” section in INSTALL.md, I discovered that there’s also a link to a section called Prebuilt packages. Therefore, the following occurred:
rm -rf synapse
apt-get install matrix-synapse
Lesson: Never work faster than you can RTFM.
And the flow in the configuration tool began:
- name of server: matrix.kes.ovh
- report statistics: no
And that was it for the installation. Time to configure it!
As per the Docs, section Setting up, you either need to configure the SSL proxy, or use certificate on the Matrix server itself. I already have the proxy dedicated server (as such) with enabled SSL, so this was not a problem for me. I followed their wonderful SSL proxy guide:
- Configure NginX proxy:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name matrix.kes.ovh;
    location /_matrix {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
server {
    listen 8448 ssl default_server;
    listen [::]:8448 ssl default_server;
    server_name matrix.kes.ovh;
    location / {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    #
    # Certificate parts go here
    #
}
The DPKG config utility seems to put your decisions in /etc/matrix-synapse/conf.d.
Configure /etc/matrix-synapse/homeserver.yaml with the following options.
# appended after the primary certificate in hierarchical order.
#tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" #comment that
# PEM encoded private key for TLS
#tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" #comment that
# PEM dh parameters for ephemeral keys
#tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" #comment that
# Don't bind to the https port
no_tls: true #set to true / uncomment
#...
listeners:
  # ...
  # ...
  - port: 8008
    tls: false
    bind_addresses:
      # - '::1'
      # - '127.0.0.1'
      - '::'
      - '0.0.0.0'
    type: http
    x_forwarded: true #false
#...
#...
registration_shared_secret: # output of hash_password command you typed in cli.
And reload the service!
systemctl restart matrix-synapse.service
Check that it’s working, and if not, check the logs (ps aux | grep python and /var/log/syslog).
Register new user:
Matrix:root:[/etc/matrix-synapse]:# register_new_matrix_user -c homeserver.yaml http://localhost:8008
New user localpart [root]: ErikK
Password:
Confirm password:
Make admin [no]: yes
Sending registration request...
Success!
Great! so far, it seems to be working.
- Reset password
First calculate the hash of the new password:
Matrix:root:[/etc/matrix-synapse]:# hash_password
Password:
Confirm password:
.........................
Then update the users table in the database:
Matrix:root:[/]:# cd /var/lib/matrix-synapse/
Matrix:root:[/var/lib/matrix-synapse]:# sqlite3 homeserver.db
.show
UPDATE users SET password_hash='......'
WHERE name='@user:kes.ovh';
.exit
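The sqlite3 shell prints nothing when an UPDATE matches zero rows, so a mistyped user ID looks exactly like a successful reset. The following is an added example, not part of the original post: it performs the same update with a bound parameter and refuses to commit unless exactly one row changed. It assumes hash_password prints a bcrypt hash; the in-memory table, the user ID and the hash value are constructed for the demonstration.

```python
import re
import sqlite3

# Assumption: hash_password emits bcrypt, i.e. "$2b$12$" plus 53 characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def reset_password(conn, user_id, new_hash):
    """Set password_hash for exactly one user, or change nothing at all."""
    if not BCRYPT_RE.match(new_hash):
        raise ValueError("value does not look like a bcrypt hash")
    with conn:  # commits on success, rolls back if an exception is raised
        cur = conn.execute(
            "UPDATE users SET password_hash = ? WHERE name = ?",
            (new_hash, user_id),
        )
        if cur.rowcount != 1:
            raise LookupError(f"{cur.rowcount} rows matched {user_id!r}")
    return cur.rowcount


def demo():
    # Constructed stand-in for homeserver.db: only the two columns the page uses.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('@erikk:matrix.kes.ovh', 'old')")
    conn.commit()
    new_hash = "$2b$12$" + "A" * 53  # constructed placeholder, not a real hash
    results = {}
    # Mistyped domain part: a bare UPDATE would change nothing and say nothing.
    try:
        reset_password(conn, "@erikk:kes.ovh", new_hash)
    except LookupError as exc:
        results["wrong_id"] = str(exc)
    results["right_id"] = reset_password(conn, "@erikk:matrix.kes.ovh", new_hash)
    results["stored"] = conn.execute(
        "SELECT password_hash FROM users WHERE name = ?",
        ("@erikk:matrix.kes.ovh",),
    ).fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Against the real database, stop Synapse and copy homeserver.db first, then pass `sqlite3.connect("/var/lib/matrix-synapse/homeserver.db")` as `conn`.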
Don’t forget: it’s a good idea to set up email, switch to PostgreSQL and set up federation. To enable voice calls, you will also have to enable TURN.
Next up, time to set up Riot, Matrix client, and try to connect to it.
In Getting Started, we can see the following hint:
To host your own copy of Riot, the quickest bet is to use a pre-built released version of Riot:
- Download the latest version from https://github.com/vector-im/riot-web/releases
- Untar the tarball on your web server
- Move (or symlink) the riot-x.x.x directory to an appropriate name
- If desired, copy config.sample.json to config.json and edit it as desired. See the configuration docs for details.
- Enter the URL into your browser and log into Riot!
Let’s see..
wget https://github.com/vector-im/riot-web/releases/download/v1.3.3/riot-v1.3.3.tar.gz
tar -xvf riot-v1.3.3.tar.gz
apt-get install nginx -y
mv riot-v1.3.3 riot
mv riot /var/www/html
cd /var/www/html/riot
cp config.sample.json config.json
vim config.json
{
    "default_server_config": {
        "m.homeserver": {
            "base_url": "https://matrix.kes.ovh",
            "server_name": "matrix.kes.ovh"
        },
        "m.identity_server": {
            "base_url": "http://matrix.kes.ovh:8090"
        }
    },
    "disable_custom_urls": false,
    "disable_guests": true,
    "disable_login_language_selector": false,
    "disable_3pid_login": false,
    "brand": "Riot",
    "integrations_ui_url": "https://scalar.vector.im/",
    "integrations_rest_url": "https://scalar.vector.im/api",
    "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
    "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
    "defaultCountryCode": "SI",
    "showLabsSettings": false,
    "features": {
        "feature_pinning": "labs",
        "feature_custom_status": "labs",
        "feature_custom_tags": "labs",
        "feature_state_counters": "labs"
    },
    "default_federate": true,
    "default_theme": "light",
    "roomDirectory": {
        "servers": [
            "matrix.kes.ovh"
        ]
    },
    "welcomeUserId": "@riot-bot:matrix.kes.ovh",
    "piwik": {
        "url": "https://piwik.riot.im/",
        "whitelistedHSUrls": ["https://matrix.kes.ovh"],
        "whitelistedISUrls": ["https://matrix.kes.ovh"],
        "siteId": 1
    },
    "enable_presence_by_hs_url": {
        "https://matrix.org": false
    }
}
Visit machine/riot to see if it works.
But wait, there’s more!
We have to set up an Identity server to float fully abroad. Enter Sydent!
sudo apt-get install build-essential python2.7-dev python-pip libffi-dev sqlite3 libssl-dev python-virtualenv libxslt1-dev
# eyeroll, more Python.
pip install https://github.com/matrix-org/sydent/tarball/master
python -m sydent.sydent
Ctrl-C
vim sydent.conf
[http]
replication.https.bind_address = 0.0.0.0
internalapi.http.port = 8091
replication.https.port = 4434
replication.https.certfile =
obey_x_forwarded_for = True
clientapi.http.bind_address = 0.0.0.0
clientapi.http.port = 8090
federation.verifycerts = True
replication.https.cacert =
[db]
db.file = sydent.db
[sms]
bodytemplate = Your code is {token}
[crypto]
ed25519.signingkey = ..... . .............................................
[general]
log.path =
terms.path =
log.level = INFO
pidfile.path = sydent.pid
server.name = matrix.kes.ovh
[email]
email.smtppassword =
email.tlsmode = 0
email.template = res/email.template
email.invite.subject = %(sender_display_name)s has invited you to chat
email.smtphost = localhost
email.hostname =
email.from = Sydent Validation <noreply@{hostname}>
email.smtpusername =
email.smtpport = 25
email.subject = Your Validation Token
Refresh the Riot page and that should be it!
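In the two configs above, Riot reaches the identity server over plain http on port 8090, and Sydent's client API listens on that port on every interface, so the email addresses and validation tokens Sydent handles cross the network unencrypted. The following is an added example, not part of the original post or of either project: it cross-checks config.json against sydent.conf and reports every plaintext URL together with the open listener it lands on. The embedded inputs are trimmed copies of the page's values, and the function names are this example's own.

```python
import configparser
import json
from urllib.parse import urlsplit

# Trimmed copies of the page's config.json and sydent.conf values.
RIOT_CONFIG = """{"default_server_config": {
  "m.homeserver": {"base_url": "https://matrix.kes.ovh"},
  "m.identity_server": {"base_url": "http://matrix.kes.ovh:8090"}},
  "integrations_ui_url": "https://scalar.vector.im/"}"""
SYDENT_CONF = """[http]
replication.https.bind_address = 0.0.0.0
replication.https.port = 4434
clientapi.http.bind_address = 0.0.0.0
clientapi.http.port = 8090
[email]
email.invite.subject = %(sender_display_name)s has invited you to chat
"""


def plaintext_urls(node, path=""):
    """Yield (key path, url) for every http:// URL in parsed config.json."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from plaintext_urls(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from plaintext_urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and urlsplit(node).scheme == "http":
        yield path, node


def open_http_listeners(conf_text):
    """Return {port: name} for non-TLS Sydent listeners bound to all interfaces."""
    # interpolation=None: values such as %(sender_display_name)s are literal text.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    found = {}
    for key, value in cp["http"].items():
        if key.endswith(".http.bind_address") and value in ("0.0.0.0", "::"):
            name = key[: -len(".bind_address")]
            found[int(cp["http"][name + ".port"])] = name
    return found


def audit(riot_json, sydent_conf):
    """Pair each plaintext URL in config.json with the open listener it hits."""
    listeners = open_http_listeners(sydent_conf)
    return [(path, url, listeners.get(urlsplit(url).port))
            for path, url in plaintext_urls(json.loads(riot_json))]
```

An empty list from `audit()` is the target state: the identity server URL is https through the existing nginx proxy, and `clientapi.http.bind_address` is an address only that proxy can reach.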