1 files changed, 215 insertions, 0 deletions

diff --git a/content/blog/2022-11-07-self-hosting-matrix.org b/content/blog/2022-11-07-self-hosting-matrix.org
new file mode 100644
index 0000000..379d6a7
--- /dev/null
+++ b/content/blog/2022-11-07-self-hosting-matrix.org
@@ -0,0 +1,215 @@
+#+date: <2022-11-07>
+#+title: Self-Hosting Matrix Synapse on Alpine Linux
+#+description: 
+
+
+* Synapse
+
+If you're reading this, you likely know that
+[[https://github.com/matrix-org/synapse/][Synapse]] is a popular
+[[https://matrix.org/][Matrix]] home server software that allows users
+to run their own Matrix home server.
+
+This post is a short guide describing how I was able to get Synapse
+working in a minimally-usable state on Alpine Linux.
+
+* Installation Process
+
+** Dependencies
+
+First, since there is no Alpine-specific package for Synapse, we need to
+ensure that Alpine has the required dependencies for the Python-based
+installation method.
+
+#+begin_src sh
+doas apk -U update
+doas apk add python3 py3-virtualenv
+#+end_src
+
+Next, we need to set up a Python virtual environment for Synapse:
+
+#+begin_src sh
+mkdir -p ~/synapse && cd ~/synapse
+virtualenv -p python3 ~/synapse/env
+source ~/synapse/env/bin/activate
+pip install --upgrade pip
+pip install --upgrade setuptools
+pip install matrix-synapse
+#+end_src
+
+** Running Synapse
+
+Once installed, running Synapse is easy. Simply execute the following
+command, replacing =example.com= with the domain name that will be used
+with this home server. This will generate the configuration files needed
+to run the server.
+
+#+begin_src sh
+python -m synapse.app.homeserver \
+    --server-name example.com \
+    --config-path homeserver.yaml \
+    --generate-config \
+    --report-stats=no
+#+end_src
+
+Once the configuration is generated, we can start up the Synapse server:
+
+#+begin_src sh
+synctl start
+#+end_src
+
+** Configuring Synapse
+
+To make any change to Synapse, we need to edit the =YAML= configuration
+file:
+
+#+begin_src sh
+nano ~/synapse/homeserver.yaml
+#+end_src
+
+For now, we just need to ensure the =server_name= is accurate. However,
+there are a lot of other configuration options found in the
+[[https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html][Configuring
+Synapse]] documentation that can be enabled/disabled at any point.
+
+#+begin_src yaml
+server_name: "example.com"
+#+end_src
+
+Make sure to restart Synapse when you make changes to the configuration:
+
+#+begin_src sh
+synctl restart
+#+end_src
+
+** Nginx Reverse-Proxy
+
+To ensure that Synapse is reachable from the public, we need to connect
+our domain to the Synapse server. In my case, I use a Nginx
+reverse-proxy for this purpose.
+
+To use Nginx, we need to create a reverse-proxy configuration file:
+
+#+begin_src sh
+doas nano /etc/nginx/http.d/example.com.conf
+#+end_src
+
+If you already have TLS certificates for this domain (=example.com=),
+you can simply use the SSL configuration and point toward your TLS
+certificates.
+
+#+begin_src conf
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2;
+    listen [::]:8448 ssl http2;
+
+    server_name example.com;
+
+    location ~ ^(/_matrix|/_synapse/client) {
+        # note: do not add a path (even a single /) after the port in `proxy_pass`,
+        # otherwise nginx will canonicalise the URI and cause signature verification
+        # errors.
+        proxy_pass http://localhost:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    access_log /var/log/nginx/matrix.access.log;
+}
+
+server {
+    if ($host = example.com) {
+        return 301 https://$host$request_uri;
+    }
+
+  server_name example.com;
+  listen 80;
+    return 404;
+}
+#+end_src
+
+If you need to generate TLS certificates (I recommend
+[[https://certbot.eff.org/][Certbot]]), you'll need a more minimal Nginx
+conf file before you can use the TLS-enabled example above. Instead, use
+this configuration file during the Certbot certificate generation
+process:
+
+#+begin_src conf
+server {
+  server_name example.com;
+  location / {
+      try_files $uri $uri/ =404;
+  }
+  listen 80;
+}
+#+end_src
+
+Once you're done editing the Nginx conf file, restart Nginx:
+
+#+begin_src sh
+doas rc-service nginx restart
+#+end_src
+
+If you still need to generate TLS certificates, run =certbot= now and
+obtain the certificates. Certbot will ask if you want to use a webroot
+or spin up a temporary web server. I *highly* recommend using the
+temporary web server due to the many issues with using a webroot.
+
+You will need to stop Nginx in order to user the temporary web server
+option with Certbot:
+
+#+begin_src sh
+# Stop Nginx so certbot can spin up a temp webserver for cert generation
+doas rc-service nginx stop
+doas certbot certonly -v
+doas rc-service nginx start
+#+end_src
+
+** Open Firewall & Router Ports
+
+If you use a firewall on the server, open the =8448= port for discovery
+and federation, as well as the normal web server ports if you're using a
+reverse proxy. If you want additional services, such as voice calls, you
+will need to read the Synapse documentation to see which ports need to
+be opened for those features.
+
+Here's an example of the Universal Firewall (UFW) software:
+
+#+begin_src sh
+# Matrix port
+doas ufw allow 8448
+# Standard web server ports
+doas ufw allow "Nginx Full"
+#+end_src
+
+Remember to forward any Synapse ports, such as =8448=, =80=, and =443=,
+in your Router from the internet to your server's IP address.
+
+** Adding Matrix Users
+
+Finally, if you didn't enable public registration in the
+=homeserver.yaml= file, you can manually create users via the
+command-line:
+
+#+begin_src sh
+cd ~/synapse
+register_new_matrix_user -c homeserver.yaml
+#+end_src
+
+Remember that the format for federated Matrix usernames is
+=@username:example.com= when logging in to client applications.
+
+Once Synapse is running, and you have a username, you are ready to log
+in to a Matrix client and start sending messages, joining rooms, and
+utilizing your very own Matrix server.