From 25945b8fead989cca09a23983623b63ce36dcc0c Mon Sep 17 00:00:00 2001
From: Christian Cleberg <hello@cleberg.net>
Date: Mon, 8 Jan 2024 20:11:17 -0600
Subject: feat: total re-write from Emacs org-mode to Zola markdown

---
 content/blog/2022-11-07-matrix-synapse.md | 219 ++++++++++++++++++++++++++++++
 1 file changed, 219 insertions(+)
 create mode 100644 content/blog/2022-11-07-matrix-synapse.md

(limited to 'content/blog/2022-11-07-matrix-synapse.md')

diff --git a/content/blog/2022-11-07-matrix-synapse.md b/content/blog/2022-11-07-matrix-synapse.md
new file mode 100644
index 0000000..28a8200
--- /dev/null
+++ b/content/blog/2022-11-07-matrix-synapse.md
@@ -0,0 +1,219 @@
++++
+date = 2022-11-07
+title = "Self-Hosting Matrix Synapse on Alpine Linux"
+description = "A guide to self-hosting the Matrix Synapse application on your own server."
++++
+
+## Synpase
+
+If you're reading this, you likely know that
+[Synapse](https://github.com/matrix-org/synapse/) is a popular
+[Matrix](https://matrix.org/) home server software that allows users to
+run their own Matrix home server.
+
+This post is a short guide describing how I was able to get Synapse
+working in a minimally-usable state on Alpine Linux.
+
+## Installation Process
+
+### Dependencies
+
+First, since there is no Alpine-specific package for Synapse, we need to
+ensure that Alpine has the required dependencies for the Python-based
+installation method.
+
+```sh
+doas apk -U update
+doas apk add python3 py3-virtualenv
+```
+
+Next, we need to set up a Python virtual environment for Synapse:
+
+```sh
+mkdir -p ~/synapse && cd ~/synapse
+virtualenv -p python3 ~/synapse/env
+source ~/synapse/env/bin/activate
+pip install --upgrade pip
+pip install --upgrade setuptools
+pip install matrix-synapse
+```
+
+### Running Synapse
+
+Once installed, running Synapse is easy. Simply execute the following
+command, replacing `example.com` with the domain name that
+will be used with this home server. This will generate the configuration
+files needed to run the server.
+
+```sh
+python -m synapse.app.homeserver \
+    --server-name example.com \
+    --config-path homeserver.yaml \
+    --generate-config \
+    --report-stats=no
+```
+
+Once the configuration is generated, we can start up the Synapse server:
+
+```sh
+synctl start
+```
+
+### Configuring Synapse
+
+To make any change to Synapse, we need to edit the `YAML`
+configuration file:
+
+```sh
+nano ~/synapse/homeserver.yaml
+```
+
+For now, we just need to ensure the `server_name` is
+accurate. However, there are a lot of other configuration options found
+in the [Configuring
+Synapse](https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html)
+documentation that can be enabled/disabled at any point.
+
+```yaml
+server_name: "example.com"
+```
+
+Make sure to restart Synapse when you make changes to the configuration:
+
+```sh
+synctl restart
+```
+
+### Nginx Reverse-Proxy
+
+To ensure that Synapse is reachable from the public, we need to connect
+our domain to the Synapse server. In my case, I use a Nginx
+reverse-proxy for this purpose.
+
+To use Nginx, we need to create a reverse-proxy configuration file:
+
+```sh
+doas nano /etc/nginx/http.d/example.com.conf
+```
+
+If you already have TLS certificates for this domain
+(`example.com`), you can simply use the SSL configuration and
+point toward your TLS certificates.
+
+```conf
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2;
+    listen [::]:8448 ssl http2;
+
+    server_name example.com;
+
+    location ~ ^(/_matrix|/_synapse/client) {
+        # note: do not add a path (even a single /) after the port in `proxy_pass`,
+        # otherwise nginx will canonicalise the URI and cause signature verification
+        # errors.
+        proxy_pass http://localhost:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    access_log /var/log/nginx/matrix.access.log;
+}
+
+server {
+    if ($host = example.com) {
+        return 301 https://$host$request_uri;
+    }
+
+  server_name example.com;
+  listen 80;
+    return 404;
+}
+```
+
+If you need to generate TLS certificates (I recommend
+[Certbot](https://certbot.eff.org/)), you'll need a more minimal Nginx
+conf file before you can use the TLS-enabled example above. Instead, use
+this configuration file during the Certbot certificate generation
+process:
+
+```conf
+server {
+  server_name example.com;
+  location / {
+      try_files $uri $uri/ =404;
+  }
+  listen 80;
+}
+```
+
+Once you're done editing the Nginx conf file, restart Nginx:
+
+```sh
+doas rc-service nginx restart
+```
+
+If you still need to generate TLS certificates, run `certbot`
+now and obtain the certificates. Certbot will ask if you want to use a
+webroot or spin up a temporary web server. I **highly** recommend using
+the temporary web server due to the many issues with using a webroot.
+
+You will need to stop Nginx in order to user the temporary web server
+option with Certbot:
+
+```sh
+# Stop Nginx so certbot can spin up a temp webserver for cert generation
+doas rc-service nginx stop
+doas certbot certonly -v
+doas rc-service nginx start
+```
+
+### Open Firewall & Router Ports
+
+If you use a firewall on the server, open the `8448` port for
+discovery and federation, as well as the normal web server ports if
+you're using a reverse proxy. If you want additional services, such as
+voice calls, you will need to read the Synapse documentation to see
+which ports need to be opened for those features.
+
+Here's an example of the Universal Firewall (UFW) software:
+
+```sh
+# Matrix port
+doas ufw allow 8448
+# Standard web server ports
+doas ufw allow "Nginx Full"
+```
+
+Remember to forward any Synapse ports, such as `8448`,
+`80`, and `443`, in your Router from the internet
+to your server's IP address.
+
+### Adding Matrix Users
+
+Finally, if you didn't enable public registration in the
+`homeserver.yaml` file, you can manually create users via the
+command-line:
+
+```sh
+cd ~/synapse
+register_new_matrix_user -c homeserver.yaml
+```
+
+Remember that the format for federated Matrix usernames is
+`@username:example.com` when logging in to client
+applications.
+
+Once Synapse is running, and you have a username, you are ready to log
+in to a Matrix client and start sending messages, joining rooms, and
+utilizing your very own Matrix server.
-- 
cgit v1.2.3-70-g09d2