Matrix/Synapse

From Bibliotheca Anonoma

https://www.upcloud.com/support/install-matrix-synapse/

Create the synapse user and /home/synapse, then follow the pip virtualenv steps.

# This assumes that Synapse has been installed under the user synapse
# e.g. https://www.upcloud.com/support/install-matrix-synapse/

[Unit]
Description=Synapse Matrix homeserver

[Service]
# synctl start daemonizes and exits, so systemd has to track the daemon via PIDFile
Type=forking
User=synapse
Group=synapse
WorkingDirectory=/home/synapse/.synapse
ExecStart=/home/synapse/.synapse/bin/synctl start
ExecStop=/home/synapse/.synapse/bin/synctl stop
PIDFile=/home/synapse/.synapse/homeserver.pid
#ExecStart=/usr/bin/python2.7 -m synapse.app.homeserver --config-path=/home/synapse/.synapse/homeserver.yaml --log-config=/etc/synapse/log_config.yaml

[Install]
WantedBy=multi-user.target

Automated LetsEncrypt

Create /etc/pki/synapse with permissions for the synapse user (chmod 600).

# cat /usr/local/bin/synapse-renewal-hook 
#!/bin/bash
# bash is required for the <<< here-string used below
# new key/cert files start owner-only instead of world-readable until chmod runs
umask 077
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"

# --fixed-strings: treat the dots in the hostname literally, not as regex wildcards
if grep --quiet --fixed-strings "matrix.bibanon.org" <<< "$RENEWED_DOMAINS"; then
  # copy over the certificate for matrix to the pki directory with correct permissions
  cat "$RENEWED_LINEAGE/privkey.pem" > /etc/pki/synapse/matrix.bibanon.org.key
  cat "$RENEWED_LINEAGE/fullchain.pem" > /etc/pki/synapse/matrix.bibanon.org.crt
  chown synapse:synapse /etc/pki/synapse/matrix.bibanon.org.key
  chown synapse:synapse /etc/pki/synapse/matrix.bibanon.org.crt
  chmod 600 /etc/pki/synapse/matrix.bibanon.org.key
  chmod 600 /etc/pki/synapse/matrix.bibanon.org.crt
  systemctl restart synapse
  echo "synapse matrix server.pem updated. synapse may need to be restarted."
fi
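
A hardened variant of the copy step in the hook above, as an added example that is not part of the original wiki page: it matches the renewed domain as an exact list entry rather than a substring, and writes each file through a 0600 temp file that is renamed into place, so the key never exists with loose permissions or half-written. The function names domain_renewed, install_secret and deploy are made up for this sketch; the paths and the synapse user are the page's.

```shell
#!/bin/sh
# Added example, not the wiki's own hook. Function names are hypothetical.

# domain_renewed DOMAIN "LIST": succeed only if DOMAIN is an exact entry in
# the space-separated list certbot exports as RENEWED_DOMAINS.
domain_renewed() {
  case " $2 " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# install_secret SRC DEST OWNER: copy SRC to DEST without a window in which
# DEST is readable by others or only partly written.
install_secret() {
  src=$1 dest=$2 owner=$3
  # mktemp creates the file with mode 0600, in the same directory as DEST
  tmp=$(mktemp "$(dirname "$dest")/.tmp.XXXXXX") || return 1
  if cat "$src" > "$tmp" && chown "$owner" "$tmp" && chmod 600 "$tmp" \
     && mv -f "$tmp" "$dest"; then   # rename is atomic within one filesystem
    return 0
  fi
  rm -f "$tmp"                       # leave nothing behind on failure
  return 1
}

# deploy LINEAGE DEST_DIR NAME OWNER: install the key and the chain.
deploy() {
  install_secret "$1/privkey.pem"   "$2/$3.key" "$4" &&
  install_secret "$1/fullchain.pem" "$2/$3.crt" "$4"
}

# Hook body: runs only when certbot has set RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  if domain_renewed matrix.bibanon.org "${RENEWED_DOMAINS:-}"; then
    deploy "$RENEWED_LINEAGE" /etc/pki/synapse matrix.bibanon.org synapse:synapse \
      && systemctl restart synapse
  fi
fi
```

Synapse is restarted only if both files were installed, so a failed copy leaves the previous key and certificate in service.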

Also use a reverse proxy for easier client access without the port: https://github.com/matrix-org/synapse#using-a-reverse-proxy-with-synapse

https://community.letsencrypt.org/t/how-to-use-certs-in-non-root-services/2690

Add the hook to /etc/sysconfig/certbot, then enable the certbot-renew service.