If you care about privacy, you probably already know the Matrix protocol.
Its federated, decentralized structure loosely resembles IRC networks.
Matrix ships with spaces, rooms, user management, and much more.
Most of you don’t host it because of its complexity.
I break it down to simple, actionable steps.
Prerequisites
- Debian or compatible system.
- root or sudo permission.
- DNS record pointing to the server.
- Python virtual environments.
- PostgreSQL database backend (optional, but recommended).
- Nginx (reverse proxy, TLS, recommended).
- certbot for Let’s Encrypt.
Read and examine the Synapse server documentation.
Install The Python Environment
You will use Python and PyPI to install the Synapse Matrix server later.
sudo apt install -y python3 python3-pip python3-venv
Install The PostgreSQL Packages
PostgreSQL is the recommended database backend for production Synapse servers.
sudo apt install postgresql libpq-dev
Configure The PostgreSQL User And DB
Create a dedicated user and the Synapse database. Synapse requires the database to use the C locale for collation and character type, which is why the database is cloned from template0 with --locale=C.
sudo -u postgres bash
createuser --pwprompt synapse_user
createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse_user synapse
exit
Install Nginx
Nginx terminates TLS as a reverse proxy in front of Synapse.
It also handles rate limiting.
sudo apt install nginx
Install certbot
Certbot will handle the Let’s Encrypt certificates.
sudo apt install certbot python3-certbot-nginx
Create The Synapse User
The Synapse service runs as a dedicated non-root user.
sudo useradd -m -d /var/lib/synapse -s /bin/bash synapse
Create The Virtual Environment
Create the Python virtual environment in the synapse user’s home.
Do this as the synapse user.
sudo -iu synapse
mkdir -p /var/lib/synapse
cd /var/lib/synapse
python3 -m venv .venv
source .venv/bin/activate
Install The Synapse Software
With the venv activated, install Synapse with pip.
pip install --upgrade pip
pip install "matrix-synapse[postgres]"
Generate The Initial Configuration
You generate the initial configuration with a single command. Choose the server name carefully: it becomes part of every user ID (@user:tomsitcafe.com) and cannot be changed later without starting over with a fresh database.
python3 -m synapse.app.homeserver \
    --server-name tomsitcafe.com \
    --config-path homeserver.yaml \
    --generate-config \
    --report-stats=no
It generates a basic configuration and the server keys:
- registration_shared_secret
- macaroon_secret_key
- form_secret
- signing_key_path (signing key)
Save these keys safely in a credential store.
Configure Your Synapse Homeserver
Visit the end of the article for a full working configuration example.
Server Name And URL
server_name: "tomsitcafe.com"                  # Domain realm for your instance
public_baseurl: https://matrix.tomsitcafe.com  # Users find your server here
Listener
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['127.0.0.1']  # Only local, nginx will serve https
    resources:
      - names: [client]
        compress: false
Database
database:
  name: psycopg2
  args:
    user: <user>
    password: <pass>
    dbname: <db>
    host: localhost
    cp_min: 5
    cp_max: 10
    keepalives_idle: 10
    keepalives_interval: 10
    keepalives_count: 3
Configure The Nginx Proxy
For rate limiting, define the shared-memory zones inside the http {} block of /etc/nginx/nginx.conf (limit_req_zone is only valid in that context):
# General API (generous)
limit_req_zone $binary_remote_addr zone=matrix_zone:10m rate=300r/m;
# Auth (tight)
limit_req_zone $binary_remote_addr zone=auth_zone:10m rate=10r/m;
# Make throttled requests return 429
limit_req_status 429;
Create a matrix site configuration in /etc/nginx/sites-available/matrix:
server {
    listen 80;
    listen [::]:80;
    server_name matrix.tomsitcafe.com;

    location /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://matrix.tomsitcafe.com"}}';
    }

    # Strict: limit brute-force attempts for login/register
    location ~ ^/_matrix/client/(v3|r0)/(login|register)$ {
        limit_req zone=auth_zone burst=6 nodelay;
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        client_max_body_size 50M;
    }

    # General API: higher allowance
    location ~ ^(/_matrix|/_synapse/client) {
        limit_req zone=matrix_zone burst=100;
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }
}
It listens on port 80 only because certbot will add the port 443 TLS configuration with the Let’s Encrypt certificate.
One caveat on client discovery: clients fetch /.well-known/matrix/client from the server_name host (https://tomsitcafe.com/.well-known/matrix/client), not from matrix.tomsitcafe.com, so the same JSON document must also be served by whatever answers for tomsitcafe.com. On matrix.tomsitcafe.com alone it is only reached by clients that already know the base URL.
Enable the matrix site.
sudo ln -s /etc/nginx/sites-available/matrix /etc/nginx/sites-enabled/
sudo systemctl reload nginx
Obtain The Let’s Encrypt Certificates
Use certbot to obtain the Let’s Encrypt certificates for your domain.
The port 80/tcp must be open for the ACME challenge.
Example:
sudo certbot --nginx -d matrix.tomsitcafe.com
Replace the domain with your own and follow the prompts.
The certificates will be installed under /etc/letsencrypt.
Firewall Configuration
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
Certbot needs port 80 reachable for the HTTP-01 challenge when it renews the certificate.
If you administer the host over SSH, allow that port before running ufw enable, or you will lock yourself out.
Test The Server Configuration
Run the following commands as the synapse user to verify that the configuration starts cleanly. Check the log for errors, then stop the server again with synctl stop before handing it over to systemd in the next step.
cd /var/lib/synapse
source .venv/bin/activate
synctl start
Create A Systemd Synapse Unit
In /etc/systemd/system/synapse.service:
# /etc/systemd/system/synapse.service
[Unit]
Description=Matrix Synapse Server
# Requires= alone does not order the units; After= makes sure PostgreSQL is up first.
After=network.target postgresql.service
Requires=postgresql.service

[Service]
Type=forking
User=synapse
WorkingDirectory=/var/lib/synapse
ExecStart=/var/lib/synapse/.venv/bin/synctl start
ExecStop=/var/lib/synapse/.venv/bin/synctl stop
PIDFile=/var/lib/synapse/homeserver.pid
Restart=on-failure

[Install]
WantedBy=multi-user.target
Reload systemd, then enable and start Synapse:
sudo systemctl daemon-reload
sudo systemctl enable synapse
sudo systemctl start synapse
sudo systemctl status synapse
Example Homeserver Configuration
Example homeserver.yaml configuration:
server_name: "tomsitcafe.com"
pid_file: /var/lib/synapse/homeserver.pid
public_baseurl: https://matrix.tomsitcafe.com
suppress_key_server_warning: true
serve_client_wellknown: true

listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['127.0.0.1']
    resources:
      - names: [client]
        compress: false

tls_certificate_path: null
tls_private_key_path: null

database:
  name: psycopg2
  args:
    user: <user>
    password: <pass>
    dbname: <db>
    host: localhost
    cp_min: 5
    cp_max: 10
    keepalives_idle: 10
    keepalives_interval: 10
    keepalives_count: 3

log_config: "/var/lib/synapse/tomsitcafe.com.log.config"
media_store_path: /var/lib/synapse/media_store
registration_shared_secret: "<secret1>"
report_stats: false
macaroon_secret_key: "<key>"
form_secret: "<secret2>"
signing_key_path: "/var/lib/synapse/tomsitcafe.com.signing.key"
trusted_key_servers:
  - server_name: "matrix.org"

# An empty whitelist rejects every remote server (leaving the option unset
# would mean open federation). Together with a listener that has no
# federation resource this keeps the homeserver isolated.
federation_domain_whitelist: []
# 0.0.0.0/0 covers IPv4 only; add "::/0" if the host has IPv6 connectivity.
# Newer Synapse releases also accept the more general ip_range_blacklist.
federation_ip_range_blacklist: ["0.0.0.0/0"]

forgotten_room_retention_period: 28d
user_ips_max_age: 14d
media_retention:
  local_media_lifetime: 90d
  remote_media_lifetime: 14d
delete_stale_devices_after: 30d
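The following audit script is an added example; it is not part of the original post and not part of Synapse. It greps a homeserver.yaml for the properties the configuration above is meant to guarantee (no federation, no telemetry, closed registration, a loopback-only listener that trusts X-Forwarded-For from nginx, and real secrets rather than <placeholders>), so you can re-run it after every edit of the file. It assumes the single-file layout produced by --generate-config, with top-level keys in column 0, and is a sanity check rather than a YAML parser. The two sample configs it writes for its self-test are constructed here; the example.org names and fake secrets in them are placeholders.

```shell
#!/bin/sh
# Added audit helper (not from the original post or from Synapse). Greps a
# homeserver.yaml for the settings this setup relies on. Assumes top-level
# keys start in column 0, as in a --generate-config file.

# Print the scalar value of a top-level "key: value" line without quotes or a
# trailing comment; print nothing if the key is absent.
yaml_top_value() {
    grep -E "^$2:" "$1" | head -n 1 |
        sed -E "s/^$2:[[:space:]]*//; s/[[:space:]]+#.*$//; s/^[\"']//; s/[\"']$//"
}

# Print one "FAIL: ..." line per problem found in the config file $1.
audit_homeserver_yaml() {
    f=$1
    # Telemetry must be off.
    [ "$(yaml_top_value "$f" report_stats)" = "false" ] ||
        echo "FAIL: report_stats is not false"
    # An empty whitelist rejects every remote server (unset means open
    # federation), and no listener may expose the federation resource.
    grep -Eq '^federation_domain_whitelist:[[:space:]]*\[\]' "$f" ||
        echo "FAIL: federation_domain_whitelist is not the empty list"
    ! grep -Eq 'names:.*federation' "$f" ||
        echo "FAIL: a listener serves the federation resource"
    # Registration is closed by default; only an explicit true is a problem.
    [ "$(yaml_top_value "$f" enable_registration)" != "true" ] ||
        echo "FAIL: enable_registration is true"
    # Every listener must name a loopback bind address: a listener without
    # bind_addresses binds all interfaces and bypasses the nginx rate limits.
    ports=$(grep -c '^[[:space:]]*-[[:space:]]*port:' "$f" || true)
    binds=$(grep -c 'bind_addresses:' "$f" || true)
    [ "$ports" -eq "$binds" ] ||
        echo "FAIL: a listener has no bind_addresses"
    ! grep -E 'bind_addresses:' "$f" | grep -Eq "0\.0\.0\.0|['\"]::['\"]" ||
        echo "FAIL: a listener binds a non-loopback address"
    # Behind the proxy, Synapse must trust X-Forwarded-For so its own rate
    # limits and logs see the client address rather than 127.0.0.1.
    grep -Eq '^[[:space:]]+x_forwarded:[[:space:]]*true' "$f" ||
        echo "FAIL: x_forwarded is not true"
    # Secrets copied from a template are often left as <placeholders>.
    for k in registration_shared_secret macaroon_secret_key form_secret; do
        case "$(yaml_top_value "$f" "$k")" in
            ''|'<'*) echo "FAIL: $k is empty or a placeholder" ;;
        esac
    done
}

# Number of failures for config $1 (0 means every check passed).
audit_fail_count() {
    audit_homeserver_yaml "$1" | grep -c '^FAIL:' || true
}

# Constructed sample configs for a self-test (not real deployments); prints
# the path of a temp file. "good" mirrors the tutorial's settings, "bad" has
# every guarded setting wrong.
write_sample() {
    p=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$p" <<'EOF'
server_name: "example.org"
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['127.0.0.1']
    resources:
      - names: [client]
report_stats: false
registration_shared_secret: "fake-registration-secret-for-test"
macaroon_secret_key: "fake-macaroon-key-for-test"
form_secret: "fake-form-secret-for-test"
federation_domain_whitelist: []
EOF
    else
        cat > "$p" <<'EOF'
server_name: "example.org"
listeners:
  - port: 8008
    x_forwarded: false
    bind_addresses: ['0.0.0.0']
    resources:
      - names: [client, federation]
report_stats: true
enable_registration: true
registration_shared_secret: "<secret1>"
macaroon_secret_key: "fake-macaroon-key-for-test"
form_secret: "<secret2>"
EOF
    fi
    echo "$p"
}

# Stand-alone demo on the constructed samples.
good=$(write_sample good)
bad=$(write_sample bad)
echo "good sample: $(audit_fail_count "$good") failure(s)"
echo "bad sample:  $(audit_fail_count "$bad") failure(s)"
audit_homeserver_yaml "$bad"
rm -f "$good" "$bad"
```

On a real host run audit_homeserver_yaml /var/lib/synapse/homeserver.yaml as the synapse user; a non-empty output means one of the assumptions of this setup no longer holds. The bind_addresses check is the one people trip over: dropping that line does not fail loudly, Synapse simply starts listening on every interface, and the nginx rate limits are then bypassable on port 8008.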
Final Thoughts
This Synapse setup is basic but locked down:
- Federation is blocked (empty domain whitelist, no federation listener).
- Telemetry is disabled.
- The homeserver is private: registration stays disabled, which is Synapse’s default.
- Rate limiting is configured in nginx.
Possible next operational steps:
- Automatic backups.
- Fail2ban configuration.
- Gateways and bots.
Privacy is not hiding. It’s deciding what to show.
The Silent Architect IRC network is a quiet place.
Discussion is slow.
Silence is normal.
People speak when they have something worth saying.
Idle minds are welcome.
Noise is not.
Server: irc.silentarchitect.org
Port: 6697 (TLS)
Channel: #ghostops
Discord invite link: https://discord.gg/nxvna45STM