In this tutorial, we will focus on installing a Matrix Synapse homeserver with the domain matrix.example.com.
This tutorial does not show how to install an identity server or any application server.
For more information, check the official Matrix Synapse documentation.
Recommended hardware
- 2 vCPU
- 2 GB of RAM
- 32 GB of storage
Matrix Synapse installation
Update the apt cache and install the required packages
sudo apt update && sudo apt upgrade -y
sudo apt install -y lsb-release wget apt-transport-https
Add the Matrix repository to your system and install Matrix Synapse
sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/matrix-org.list
sudo apt update
sudo apt install matrix-synapse-py3
Generate an SSL certificate with certbot (install certbot first if it is not already present)
sudo certbot certonly -d matrix.example.com
Generate a registration shared key
Store the key somewhere temporary; it goes into homeserver.yaml as registration_shared_secret
openssl rand -base64 48
Configuring Matrix Synapse
The server configuration is stored in /etc/matrix-synapse/homeserver.yaml
Base configuration example
pid_file: "/var/run/matrix-synapse.pid"
tls_certificate_path: "/etc/letsencrypt/live/matrix.example.com/fullchain.pem" # changeme
tls_private_key_path: "/etc/letsencrypt/live/matrix.example.com/privkey.pem" # changeme
server_name: matrix.example.com # changeme
report_stats: True
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['0.0.0.0'] # Or 127.0.0.1 when running with a local reverse-proxy
    resources:
      - names: [client, federation]
        compress: false
database:
  name: sqlite3
  args:
    database: /var/lib/matrix-synapse/homeserver.db
log_config: "/etc/matrix-synapse/log.yaml"
media_store_path: /var/lib/matrix-synapse/media
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
trusted_key_servers:
  - server_name: "matrix.org"
registration_shared_secret: "<registration shared key>" # changeme
Don’t forget to edit the fields marked with a # changeme comment, then restart Synapse.
sudo systemctl restart matrix-synapse
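If you don’t plan to use a local reverse proxy, set bind_addresses to 0.0.0.0 so the listener is reachable from other hosts. Behind a local reverse proxy, bind to 127.0.0.1 instead: with x_forwarded: true, Synapse takes the client address from the X-Forwarded-For header, so the port should only be reachable through the proxy.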
bind_addresses: ['0.0.0.0']
You can now check if your server works by going to http://<matrix ip>:8008
Configuring reverse proxy
Configuring a TURN server
TURN servers are used to connect clients to each other for calls.
You can either use a public TURN server or host your own.
In this example we will set up our own TURN server with coturn.
Install coturn
sudo apt install coturn
Generate a static auth secret and save it somewhere
openssl rand -base64 48
Ask for an SSL certificate with certbot
sudo certbot certonly -d turn.example.com
Edit /etc/turnserver.conf
use-auth-secret
static-auth-secret=<static auth secret>
realm=turn.example.com
no-tcp-relay
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
user-quota=12
total-quota=1200
cert=/etc/letsencrypt/live/turn.example.com/fullchain.pem
pkey=/etc/letsencrypt/live/turn.example.com/privkey.pem
syslog
no-rfc5780
no-stun-backward-compatibility
response-origin-only-with-rfc5780
Restart coturn
sudo systemctl restart coturn
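Add the following lines to your homeserver.yaml. The value of turn_shared_secret must match static-auth-secret in /etc/turnserver.conf exactly, with no extra spaces.
turn_uris: [ "turn:turn.example.com?transport=udp" ]
turn_shared_secret: "<static auth secret>"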
turn_user_lifetime: 86400000
turn_allow_guests: True
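How the shared secret configured above is used, as an added example that is not part of the original tutorial and is not Synapse's or coturn's own code: the homeserver hands each client a username made of an expiry timestamp and the user ID, plus a password that is the base64 HMAC-SHA1 of that username under the secret, and the TURN server recomputes it. The function names, the sample secret and the user ID are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time


def _mac(secret, username):
    # base64(HMAC-SHA1(secret, username)): the password format of the scheme
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def issue_turn_credentials(turn_shared_secret, user_id, lifetime_ms, now=None):
    """Homeserver side: derive a time-limited TURN username and password."""
    now = time.time() if now is None else now
    expiry = int(now) + lifetime_ms // 1000  # turn_user_lifetime is in milliseconds
    username = f"{expiry}:{user_id}"
    return username, _mac(turn_shared_secret, username)


def relay_accepts(static_auth_secret, username, password, now=None):
    """TURN server side: a model of the check, not coturn's implementation."""
    now = time.time() if now is None else now
    expiry = username.split(":", 1)[0]
    if not expiry.isdigit() or int(expiry) < now:
        return False  # malformed or expired username
    return hmac.compare_digest(_mac(static_auth_secret, username), password)


if __name__ == "__main__":
    secret = "constructed-sample-secret"  # constructed value, not a real key
    t0 = 1_700_000_000                     # constructed fixed clock for the demo
    user, pwd = issue_turn_credentials(
        secret, "@alice:matrix.example.com", 86400000, now=t0)
    print(user, pwd)
    print("matching secrets:", relay_accepts(secret, user, pwd, now=t0))
    print("padded secret:   ", relay_accepts(f" {secret} ", user, pwd, now=t0))
    print("after expiry:    ", relay_accepts(secret, user, pwd, now=t0 + 86401))
```

Only the first check succeeds: a secret that differs by surrounding spaces or a credential past turn_user_lifetime is rejected.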
Creating user accounts
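You can either create users directly from the terminal or enable registration by configuring a captcha. If you omit --password, register_new_matrix_user prompts for it instead, which keeps the password out of your shell history.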
register_new_matrix_user --user admin --password somepassword --config /etc/matrix-synapse/homeserver.yaml
To enable the captcha, generate a reCAPTCHA key pair in the reCAPTCHA console, then add the following lines to your homeserver.yaml.
recaptcha_public_key: <public key>
recaptcha_private_key: <private key>
enable_registration_captcha: true
Hope this simple tutorial helped. I plan to add a tutorial on how to install your own Matrix identity server.