oxeo0/selfhosting-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/selfhosting-blogposts.git synced 2025-05-16 12:16:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
selfhosting-blogposts/matrixnew/index.md

248 lines
8.2 KiB
Markdown
Raw Blame History

---
search:
exclude: true
---
# Matrix Chat Setup
![](0.png)
In this tutorial we're going to setup a private matrix chat server along with VoIP support for the element desktop client.
_Disclaimer:_ If you want this service to remain anonymous, make sure you at least keep [TOR between you and the service](../../opsec/sensitiveremotevshome/index.md) from the [VPS acquisition](../../opsec/anonymousremoteserver/index.md) to actual service usage.
## **Initial Setup**
First install the required packages:
apt install docker.io docker-compose
Then create the directories required:
mkdir /srv/matrix/data -p
chown -R 755 /srv/matrix/data
cd /srv/matrix
Then we'll create the docker-compose.yml file and the generateconfig.sh script:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ cat docker-compose.yml
version: "3.3"
services:
synapse:
image: "matrixdotorg/synapse:latest"
container_name: "matrix_synapse"
ports:
- 8008:8008
volumes:
- "./data:/data" #it will look at the current directory where you save the file and look for the data folder inside
environment:
VIRTUAL_HOST: "m.nowhere.moe"
VIRTUAL_PORT: 8008
LETSENCRYPT_HOST: "m.nowhere.moe"
SYNAPSE_SERVER_NAME: "m.nowhere.moe"
SYNAPSE_REPORT_STATS: "yes"
coturn:
image: instrumentisto/coturn:latest
restart: unless-stopped
volumes:
- ./coturn/turnserver.conf:/etc/coturn/turnserver.conf
ports:
- 47160-47200:47160-47200/udp
- 3478:3478
- 5349:5349
networks:
- mybridge
networks:
mybridge:
driver: bridge
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ cat generateconfig.sh
#!/bin/bash
docker-compose run --rm -e SYNAPSE_SERVER_NAME=m.nowhere.moe -e SYNAPSE_REPORT_STATS=yes synapse generate
My matrix server will have the "m.nowhere.moe" domain name. The coturn config mentioned here is used for the VOIP support. Now let's generate the initial keys of the matrix server like so:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ ./generateconfig.sh
Creating network "matrix_default" with the default driver
Creating network "matrix_mybridge" with driver "bridge"
Setting ownership on /data to 991:991
Creating log config /data/m.nowhere.moe.log.config
Generating config file /data/homeserver.yaml
Generating signing key file /data/m.nowhere.moe.signing.key
A config file has been generated in '/data/homeserver.yaml' for server name 'm.nowhere.moe'. Please review this file and customise it to your needs.
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ ls
coturn data docker-compose.yml docker-compose.yml.coturn generateconfig.sh m.nowhere.moe.conf.nginx
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ ls data -lash
total 20K
4.0K drwxr-xr-x 2 991 991 4.0K Jan 14 11:12 .
4.0K drwxr-xr-x 4 root root 4.0K Jan 4 13:50 ..
4.0K -rw-r--r-- 1 root root 1.3K Jan 14 11:12 homeserver.yaml
4.0K -rw-r--r-- 1 root root 694 Jan 14 11:12 m.nowhere.moe.log.config
4.0K -rw-r--r-- 1 root root 59 Jan 14 11:12 m.nowhere.moe.signing.key
Now that's done, we can edit the homeserver.yaml if you want to remove trust into the "matrix.org" keys for federation to make it a truly private server:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ cat data/homeserver.yaml | grep server
trusted_key_servers:
- server_name: ""
Then we can edit the coturn config like so:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ ls
coturn data docker-compose.yml docker-compose.yml.coturn generateconfig.sh m.nowhere.moe.conf.nginx
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ cat coturn/turnserver.conf
use-auth-secret
static-auth-secret=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy
realm=m.nowhere.moe
listening-port=3478
tls-listening-port=5349
min-port=47160
max-port=47200
verbose
allow-loopback-peers
cli-password=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy
external-ip=116.202.216.190
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ cat data/homeserver.yaml | grep turn
turn_uris: [ "turn:m.nowhere.moe?transport=udp", "turn:m.nowhere.moe?transport=tcp" ]
turn_shared_secret: "cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy"
turn_user_lifetime: 86400000
turn_allow_guests: true
Make sure the ports match the ones in the docker-compose.yml file, and the external IP is the one of your server:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ curl ifconfig.me -4
116.202.216.190
Then we start the docker-compose:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ docker-compose up -d
Creating matrix_coturn_1 ... done
Creating matrix_synapse ... done
Then we create the accounts like so:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ docker container ls | grep matrixdot
134d440b1480 matrixdotorg/synapse:latest "/start.py" About a minute ago Up 25 seconds (healthy) 8009/tcp, 0.0.0.0:8008->8008/tcp, :::8008->8008/tcp, 8448/tcp matrix_synapse
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ docker exec -it 134 bash
root@134d440b1480:/#
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ docker exec -it 134 bash
root@134d440b1480:/# register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
New user localpart [root]: nihilist
Password:
Confirm password:
Make admin [no]: yes
Sending registration request...
Success!
root@134d440b1480:/# exit
exit
Then we make sure that we can access the matrix server via nginx:
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ cat /etc/nginx/sites-enabled/m.nowhere.moe.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# For the federation port
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
server_name m.nowhere.moe;
ssl_certificate /etc/acme/certs/m.nowhere.moe/fullchain.cer;
ssl_certificate_key /etc/acme/certs/m.nowhere.moe/m.nowhere.moe.key;
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
}
[ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Then we test that we can login from a matrix client (which can be installed inside a [whonix VM](../../opsec/whonixqemuvms/index.md)), let's use [element](https://element.io/download) because we want to be able to do voicecalls:
![](1.png) ![](2.png) ![](3.png) ![](4.png) ![](5.png)
Here we will setup a secure backup password, that is a separate password, for end to end encryption purposes. Then you can do the following steps:
![](6.png)
Make sure you log out of every unverified session:
![](7.png) ![](8.png)
You may need to log in and log out before being able to send messages so do that, then create the space along with the chatroom
![](9.png) ![](10.png) ![](11.png) ![](12.png) ![](13.png) ![](14.png) ![](15.png)
Reference in a new issue View git blame Copy permalink