Synapse

by aidalgol
17 deployments · 4 still active · last rev. 3 days ago

Install Synapse

Compatible with: Debian 9
						#!/bin/bash
# <UDF name="server_name" label="Matrix homeserver name" example="example.net" />

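# Stop at the first failed step instead of continuing to provision a
# half-configured host, and treat an unset variable as an error.
set -euo pipefail

# Explicitly tell dpkg that we are running non-interactively.
export DEBIAN_FRONTEND=noninteractive

# SERVER_NAME comes from the UDF field declared at the top of the script and
# is written verbatim into a debconf selection line.  Reject an empty value
# and anything containing whitespace or control characters: an embedded
# newline would otherwise inject an extra selection line.
if [[ -z "${SERVER_NAME:-}" || "${SERVER_NAME}" =~ [[:space:][:cntrl:]] ]]; then
  printf 'error: SERVER_NAME must be a non-empty name without whitespace\n' >&2
  exit 1
fi

# Pre-seed the answer to the matrix-synapse package's server-name question so
# the later install does not prompt.
printf 'matrix-synapse matrix-synapse/server-name string %s\n' "$SERVER_NAME" \
  | debconf-set-selections

# Seems to be necessary on Linode's Debian 9 image for some reason.  Possibly
# the Linode package archive mirrors redirect to https.
# Refresh the package lists first so the install does not depend on whatever
# lists the image shipped with; -y because nothing can answer a prompt here.
apt-get update
apt-get -y install apt-transport-https

# Add the Matrix.org Debian package archive to our sources.
# The archive is fetched over plain HTTP, so package integrity rests entirely
# on APT verifying the archive signature against the key imported below.
# The entry is appended only when missing so a re-run does not duplicate it.
matrix_repo='deb http://matrix.org/packages/debian/ stretch main'
if ! grep -qxF -- "$matrix_repo" /etc/apt/sources.list; then
  printf '\n%s\n' "$matrix_repo" >> /etc/apt/sources.list
fi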

# Import the Matrix.org archive signing key so APT can verify packages from
# the archive added above.  The key is embedded in this script rather than
# fetched at install time, so the trust anchor is exactly what is pasted here.
# NOTE(review): compare the key's fingerprint with the one Matrix.org
# publishes before reusing this script.
# `apt-key add` stores the key in APT's global trusted keyring, so it is
# accepted for every configured archive, not only the Matrix.org one.
# The quoted 'EOF' delimiter keeps the shell from expanding anything inside
# the key block.
cat <<'EOF' | apt-key add -
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)

mQINBFV5lQ8BEACgpLzr3qzb+RKXGrsQjAgmUHHyqgQ0B62TgB5S0xGd+7uaYZ1c
keNuO2MziklrQl9gpLqXuT+SljKf26DrRAeT8VJGH1AJ/xanxNn/6G/vrXWTFGI0
J1iL9dFszX6eU3Dg5ibxMR7xDIHs6xC67G99BmXkWllU8c9w4vsgJgG5kYK+fHhg
ng+tTEiiuhiObYp+keL1+6nRnpIIair0Dls1X37kQ8qbhEdH8C+V5edNw+1mNIky
u4y4SGSMhysTY5mWcOSGhcAdeb+h1Q/Y3Vi5HO6ElgU1ZIu0u7t11yfRh4RXjIt9
2+2jEK3qQnFQGTDVnxS3IHFxtFQCBzKiCBQtFYy0AAHOgAalopk2b39WTntGnvlA
jusbMjLr8eeaOKCohtd9ixRTiY0mCDT/RHhBL7+JSEiOuOYU9o1sKJxqMfheBq+l
SXJo1pcXkm4UFe/Ln5gCfcv308KnDKiPBy9LFvmo3mI10KfyrKv5/Sh43VAFxKWM
1aKupJ6GFAJM85zOsHlGJZOTC42A2JmqkV0UPpPMcRdAtCeBsVhFDUpgYu7QPnYO
QhaEb3B5G77jyUpoTWzaUkrUlCYG/hAW8pPjsYDFWfuZfXhyKAd63aOOxIV79Mob
GaaytSrs+OKWaoIVvLJOTIxtsNpX5nemHkhUptPYUme/9tgb6x9Sd3HxBQARAQAB
tDVtYXRyaXgub3JnIChEZWJpYW4gc2lnbmluZyBrZXkpIDxwYWNrYWdlc0BtYXRy
aXgub3JnPokCOAQTAQIAIgUCVXmVDwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
F4AACgkQrQWS/kfw32FAQw//YrWkqZFvgRRnhF1Qrh7rUO9Wh/8oyqeCgmH1Y9k6
+lScpjaosdSWitaOYRqquF2uwiK4XAhZRxM/da8veOVBRoVgHF+gz1q9F58twi3Z
RaJ9Qf5QxuvAb3fn2Rp8NIjlAYioWyV1xYFHY3tgGoR2eifcuzKbfK6gD2uIqghd
WTwIB1aigANSj/Kd3BxIGc0wMm3r6fE7FxAgFAJjiFR10DRrHM2j+CRavzqWfHFS
uIDvf1V+6Wap5ZaIf62nxNl9Vvs+Fc4MkCPEXyGJTCYjmiMveYJYPsn0fZTV1bAG
aahkxQSus2RlZ0yVLzWufj64H63Gb5R/dCCSnGj3EK/5+wHBAJnWFHYGkH+zzdxe
6cWgTubTaAMFIrp1k+XUS3LcWScBfxswOlpofyT15ESVEH7hBlkw44FvSihjc9hO
bv8CrAtAHxG2JX4vqNExLs1WJHr8/QxPHODEVSAtfCgEtWGPiTYJdd0C+7P4+4hf
j7hthd88ub8Uv5ZXcX3vi77cluO4oO2ZzLTGBZq7yYxEv6EL9JLb+RGorkd5w2I0
D6IfPCAaVCYBCm273sZtNKEGkPmjqazAKRvtbcCcE9BT6NKLcv3S+LJHOmeF+g8B
MH4xp1TRwsjre3bN2niq3l+WA+cU6KGxVgcB70mdloaQvyk/cmvv+oHhrDdaBTM6
Hca5Ag0EVXmVDwEQALL56DDZY4DYlzlf7U2F/crKYdmZ5doGr3XaE0F1whvLau2p
JpwOAmsLbeRuzzucx1AIfXFLN/C+QlacQd4BCuC0vAzM6DEYvGvUpD+CaZYM4g7F
Nh4GiPx5oy1AR+gvEJuqbWy5hi5XYL/rZQUZhXwQ+8xRZrMUZqWce+q+b5ZwtSLM
bt/f8ztUEerjSldxPzHFqtPJ8ETJSS77Hf7XuCMCOi5NDgvetPDLhFX5hjxP+ST+
U8YMtqCABvbG//rXnQ8hbsKukB/VMpJdi+z+WW00E1KWc5/ziNI16Y8C4QUfeRrq
nHDs6UZrKGEUVjgbVnhFX1w0VSSv9eTCJmFL2YgcbOQF90vVgjvHc6y2l9XT6d/c
RNQ1yJPmZjKLDOt8bmivj7uPmwYqdfC5ebKekHyg7tp14LruLEaqg8RmnsNsc0Ka
UrcbYvlufsXhvbnGmQbFaZHNwbzEI3JQ26eXq5mNTTtspKYHIaxrb2gcM2++KGV2
w0zkR+2oQBtkR1ag12CsF9mayyf5FMma8p7ZMbFisiGAiMWKsGugHRlhu5h5+4vo
ZIN2D/wPkPVqwJlfbXw9hpSoNi1OsT88CGubznKlWpslAMGMTVR1Z2e/VaB6kL0J
Y48qaHpWdI4w3wk5FdvnFUbcETapeuyu9aYS8qhuaGW/E+Ru2aZfC7c+JcaDABEB
AAGJAh8EGAECAAkFAlV5lQ8CGwwACgkQrQWS/kfw32HCXA//Tgh3/Nwlo3LsJYR4
DJwRf4/gwS1zqvNRCc8uXoPBjU/oylFr7SKuacuTSZjqHjPwRn4mpgXJ9j4n8fb5
duqKmDrUd/QetetGxwL8H/kBT2qvO+RyLTaMNCcKhxgaurH3KJsiMexmJrJwP+Xz
4FptxBntDMejls8X5TD6vTz/fa+TFR4RCmLH31LCLR/tvfQqatM5N52v+sApCyXj
w4wL+SPdT5DU2CV711RLpbRvpPbH2C+n226u9ehkm0dyVd+8FJjAmfpi8DXaA6qe
pYC62eQMZO1BIA9wKaT23NufJVlovN6/fNYvpst/aAKFBcDGyq3ClPbgRqwWup5e
j7fvgMQTQonGcF7KfeFx82H+qv+VWkTsQd6k08p72c5u5awK4LR3Uata67JV585X
7tIC+s1Z9fnSRD6iWoPEqEFVAYvFK9yr1t8gMmfvig2ObJ5SG3xIkgWYM5guKyhL
lXgNIrA7G+Tj6s1t7PyJnQgq4UrvJyCP7Kto87X5YZgQesVtzDsNkPDLeyWUBUSC
FWwuzCDg92NvOvhPkP1iV9be7YcUelSCLJ9wQnX1Vyr08Plsgu5pPBMerOPeZ8QE
XfsIbN80gUU9oriIQHfIGhZJuRkz7ky3TKpzFNWt88MkZ6H8g3QCItpFfs0Td5hm
hXNB5A3G9WgpNzW6oQHQGjBZ+s8=
=C77r
-----END PGP PUBLIC KEY BLOCK-----
EOF

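# Refresh the package lists (they now include the Matrix.org archive), bring
# the base system up to date and install the host-hardening packages:
#   fail2ban             - bans addresses after repeated failed logins
#   unattended-upgrades  - applies package updates automatically
#   iptables-persistent  - restores the saved firewall rules at boot
apt-get update
apt-get -y upgrade
apt-get -y install fail2ban unattended-upgrades iptables-persistent

# Allow unattended-upgrades to reboot the host when an update requires it, by
# uncommenting the stock Automatic-Reboot line and flipping it to "true".
# NOTE(review): this only permits reboots; confirm that the periodic upgrade
# run itself is enabled on this image (APT::Periodic settings).
uu_conf=/etc/apt/apt.conf.d/50unattended-upgrades
sed --in-place 's,^//Unattended-Upgrade::Automatic-Reboot "false";$,Unattended-Upgrade::Automatic-Reboot "true";,' "$uu_conf"

# The substitution is a silent no-op when the stock line is worded
# differently, so report when the setting did not end up in the file.
if ! grep -q '^Unattended-Upgrade::Automatic-Reboot "true";' "$uu_conf"; then
  printf 'warning: Automatic-Reboot was not enabled in %s\n' "$uu_conf" >&2
fi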

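# Write iptables rules.
# IPv4: default-deny inbound, allowing only loopback, replies to existing
# connections, ping, SSH (22), HTTPS (443) and Matrix federation (8448).
# NOTE(review): the Synapse configuration step rewrites every bind_address to
# 127.0.0.1 and nginx only listens on 443, so nothing may be listening
# publicly on 8448; confirm the federation port is actually served.
cat <<'EOF' > /etc/iptables/rules.v4
*filter

# Default chain targets
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

# Allow all loopback
-A INPUT -i lo -j ACCEPT

# Accept all established inbound connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID             -j REJECT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow incoming SSH connections
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT

# Allow incoming Matrix traffic
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment HTTPS -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -m comment --comment "Matrix federation HTTPS" -j ACCEPT

COMMIT
EOF

# IPv6: everything stays closed to the network, in both directions, so the
# nginx [::]:443 listener is not reachable from outside.  Loopback is allowed
# so that local connections to ::1 (for example a client resolving
# "localhost" to ::1) are refused promptly instead of hanging on dropped
# packets.
cat <<'EOF' > /etc/iptables/rules.v6
*filter

# Default chain targets
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Allow all loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

COMMIT
EOF

# Parse both rule files without committing them.  A file that fails to parse
# would leave the host without the intended filtering, so stop before any
# service is installed behind it.
if ! iptables-restore --test < /etc/iptables/rules.v4; then
  printf 'error: /etc/iptables/rules.v4 failed validation\n' >&2
  exit 1
fi
if ! ip6tables-restore --test < /etc/iptables/rules.v6; then
  printf 'error: /etc/iptables/rules.v6 failed validation\n' >&2
  exit 1
fi

# Reload firewall rules.  fail2ban is restarted afterwards, presumably so it
# re-creates its own chains on top of the freshly loaded ruleset.
systemctl restart netfilter-persistent
systemctl restart fail2ban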

# Install the homeserver together with the web server that will front it.
apt-get -y install matrix-synapse nginx

# Adjust the packaged Synapse configuration in a single pass:
#   * bind_address -> 127.0.0.1, so Synapse is reachable only through the
#     local reverse proxy and never directly from the network;
#   * x_forwarded -> true, so Synapse takes the client address from the
#     X-Forwarded-For header.  That header is only trustworthy because the
#     listener is loopback-only and nginx sets it itself.
# Both substitutions apply to every matching line in the file.
# NOTE(review): if the federation listener (8448) is defined in the same file
# it becomes loopback-only as well; confirm against the packaged config.
synapse_conf=/etc/matrix-synapse/homeserver.yaml
sed --in-place \
    -e 's,bind_address:.*,bind_address: "127.0.0.1",' \
    -e 's,x_forwarded:.*,x_forwarded: true,' \
    "$synapse_conf"

# Restart so the new listener settings take effect.
systemctl restart matrix-synapse

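# Configure Nginx as the TLS-terminating reverse proxy in front of Synapse.

# Use the deployer's homeserver name for the virtual host instead of a fixed
# domain.  An optional ":port" suffix is dropped because nginx's server_name
# takes a bare host name.
# NOTE(review): assumes the site is served under the same name as the Matrix
# server name; adjust if delegation is in use.
nginx_host=${SERVER_NAME:-}
if [[ "$nginx_host" =~ ^(.+):[0-9]+$ ]]; then
  nginx_host=${BASH_REMATCH[1]}
fi

# The value is interpolated into the nginx configuration below, so accept
# host-name characters only; anything else (";", "{", whitespace) could alter
# the generated configuration.
if [[ ! "$nginx_host" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  printf 'error: SERVER_NAME is not a valid host name for nginx\n' >&2
  exit 1
fi

# -f so a re-run does not fail once the default site is already gone.
rm -f -- /etc/nginx/sites-enabled/default

# NOTE(review): the server block declares "listen ... ssl" but carries no
# ssl_certificate / ssl_certificate_key directives.  Unless a certificate is
# configured elsewhere, nginx will refuse this configuration; the operator
# has to supply the certificate paths.
#
# proxy_pass targets 127.0.0.1 explicitly: Synapse is bound to 127.0.0.1
# above and the IPv6 ruleset drops all traffic, so letting nginx resolve
# "localhost" to ::1 as well would send part of the requests to an address
# nothing answers on.
# X-Forwarded-For is set to $remote_addr (overwriting any client-supplied
# value) because Synapse is configured to trust that header.
# The heredoc delimiter is unquoted so ${nginx_host} expands; nginx's own
# variable is escaped to survive as a literal.
cat <<EOF > /etc/nginx/sites-available/matrix-synapse
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${nginx_host};

    location /_matrix {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF

# -f/-n so a re-run replaces the existing link instead of failing.
ln -sfn ../sites-available/matrix-synapse /etc/nginx/sites-enabled/matrix-synapse

# Check the configuration before restarting so a broken file is reported
# clearly rather than only as a failed service restart.
if ! nginx -t; then
  printf 'error: nginx configuration test failed; nginx was not restarted\n' >&2
  exit 1
fi
systemctl restart nginx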