Matrix/Synapse

https://www.upcloud.com/support/install-matrix-synapse/

Create the synapse user and /home/synapse, then follow the pip virtualenv steps from the guide above.


systemd unit file:

    # This assumes that Synapse has been installed under the user synapse
    # e.g. https://www.upcloud.com/support/install-matrix-synapse/

    [Unit]
    Description=Synapse Matrix homeserver

    [Service]
    # synctl start daemonizes and exits, so systemd has to follow the forked
    # process through PIDFile; Type=simple would treat the service as stopped.
    Type=forking
    User=synapse
    Group=synapse
    WorkingDirectory=/home/synapse/.synapse
    ExecStart=/home/synapse/.synapse/bin/synctl start
    ExecStop=/home/synapse/.synapse/bin/synctl stop
    PIDFile=/home/synapse/.synapse/homeserver.pid
    # Foreground alternative (this one runs with Type=simple):
    # ExecStart=/usr/bin/python2.7 -m synapse.app.homeserver --config-path=/home/synapse/.synapse/homeserver.yaml --log-config=/etc/synapse/log_config.yaml

    [Install]
    WantedBy=multi-user.target

Automated LetsEncrypt
Create /etc/pki/synapse with permissions for the synapse user (chmod 600).

Contents of /usr/local/bin/synapse-renewal-hook:

    #!/bin/bash
    # The <<< here-string below is a bash feature, so run under bash rather than sh.
    # umask 077 keeps newly created key files from ever being group/world-readable.
    umask 077

    echo "Letsencrypt renewal hook running..."
    echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
    echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

    if grep --quiet --fixed-strings "matrix.bibanon.org" <<< "$RENEWED_DOMAINS"; then
        # copy over the certificate for matrix to the pki directory with correct permissions
        cat "$RENEWED_LINEAGE/privkey.pem" > /etc/pki/synapse/matrix.bibanon.org.key
        cat "$RENEWED_LINEAGE/fullchain.pem" > /etc/pki/synapse/matrix.bibanon.org.crt
        chown synapse:synapse /etc/pki/synapse/matrix.bibanon.org.key
        chown synapse:synapse /etc/pki/synapse/matrix.bibanon.org.crt
        chmod 600 /etc/pki/synapse/matrix.bibanon.org.key
        chmod 600 /etc/pki/synapse/matrix.bibanon.org.crt
        systemctl restart synapse
        echo "synapse matrix server.pem updated. synapse may need to be restarted."
    fi
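A check for what the hook and the directory setup step leave on disk, as an added example that is not part of the original page: it reports files or directories with the wrong owner or with group/other access, and a directory that lacks the owner execute bit (which a literal chmod 600 on the directory itself would cause). It assumes GNU stat; check_path and audit_tls_dir are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original page): audit ownership and modes of the
# directory the renewal hook writes to. Assumes GNU stat (coreutils).
# check_path and audit_tls_dir are hypothetical helper names.

# check_path PATH OWNER KIND   (KIND is "dir" or "file")
# Prints one line per problem; returns 0 when the path is clean, 1 otherwise.
check_path() {
    p=$1 want=$2 kind=$3 bad=0
    mode=$(stat -c '%a' "$p")   # octal mode, e.g. 600
    own=$(stat -c '%U' "$p")    # owner name
    if [ "$own" != "$want" ]; then
        echo "OWNER $p: owned by $own, expected $want"; bad=1
    fi
    # Any bit in 077 means group or other can read, write or traverse.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "EXPOSED $p: mode $mode grants group/other access"; bad=1
    fi
    # A directory without the owner x bit (e.g. mode 600) can be listed but
    # the files inside it cannot be opened, so the service fails to load its key.
    if [ "$kind" = dir ] && [ $(( 0$mode & 0100 )) -eq 0 ]; then
        echo "UNSEARCHABLE $p: mode $mode lacks owner x"; bad=1
    fi
    return $bad
}

# audit_tls_dir DIR [OWNER]   (OWNER defaults to synapse)
audit_tls_dir() {
    dir=$1 owner=${2:-synapse} rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"; return 1
    fi
    check_path "$dir" "$owner" dir || rc=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_path "$f" "$owner" file || rc=1
    done
    return $rc
}

# Usage on the server: audit_tls_dir /etc/pki/synapse synapse
```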

Also use a reverse proxy so clients can connect without specifying the port: https://github.com/matrix-org/synapse#using-a-reverse-proxy-with-synapse

https://community.letsencrypt.org/t/how-to-use-certs-in-non-root-services/2690

Add the hook to /etc/sysconfig/certbot, then enable the certbot-renew service.