Mettre rapidement en place un serveur Matrix sur une ArchARM + bridge Discord
Table des Matières
Installation
# Pull the homeserver, the Discord puppeting bridge and the reverse proxy from the
# official repositories / AUR in one go (yay resolves the AUR package itself).
yay -S nginx matrix-synapse mx-puppet-discord-git
Configuration
Matrix
/etc/synapse/homeserver.yaml :
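# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
#
# Every value shown as "XXX" below is a secret placeholder: replace each one with
# a long random value before the first start, and keep this file readable by the
# synapse user only.

server_name: "nibel.fr"
pid_file: /var/lib/synapse/homeserver.pid

# Single plain-HTTP listener bound to loopback only. TLS is terminated by nginx,
# which proxies both client and federation traffic here; x_forwarded makes
# Synapse take the client address from the X-Forwarded-For header that proxy sets.
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [client, federation]
        compress: false

database:
  name: sqlite3
  args:
    database: /var/lib/synapse/homeserver.db

log_config: "/etc/synapse/nibelheim.ddns.net.log.config"
media_store_path: /var/lib/synapse/media_store

### REGISTRATION ###
# Public sign-up is closed; accounts are created out of band with the shared
# secret below (e.g. through the register_new_matrix_user tool).
enable_registration: false
enable_registration_without_verification: false
### REGISTRATION ###
registration_shared_secret: "XXX"

report_stats: true
macaroon_secret_key: "XXX"
form_secret: "XXX"
signing_key_path: "/etc/synapse/.key"

trusted_key_servers:
  - server_name: "matrix.org"

url_preview_enabled: true
# Address ranges the URL previewer must never fetch from (loopback, RFC 1918,
# link-local, documentation, benchmarking and multicast space), so that a link
# posted in a room cannot be used to probe the local network.
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '192.88.99.0/24'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
  - '203.0.113.0/24'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - '2001:db8::/32'
  - 'ff00::/8'
  - 'fec0::/10'

# Silences the warning Synapse emits when matrix.org is the only trusted key server.
suppress_key_server_warning: true

# Application service registrations (the Discord bridge).
app_service_config_files:
  - '/etc/mx-puppet-discord/registration.yaml'

modules:
  - module: shared_secret_authenticator.SharedSecretAuthProvider
    config:
      shared_secret: "XXX"
      # By default, only login requests of type `com.devture.shared_secret_auth` are supported.
      # Below, we explicitly enable support for the old `m.login.password` login type,
      # which was used in v1 of matrix-synapse-shared-secret-auth and still widely supported by external software.
      # If you don't need such legacy support, consider setting this to `false` or omitting it entirely.
      # m_login_password_support_enabled: true
      # By default, only login requests of type `com.devture.shared_secret_auth` are supported.
      # Advertising support for such an authentication type causes a problem with Element, however.
      # See: https://github.com/vector-im/element-web/issues/19605
      #
      # Uncomment the line below to disable `com.devture.shared_secret_auth` support.
      # You will then need to:
      # - have `m_login_password_support_enabled: true` to enable the `m.login.password` login type
      # - authenticate using `m.login.password` requests, instead of ``com.devture.shared_secret_auth` requests
      # com_devture_shared_secret_auth_support_enabled: false

# Vim modeline, kept as the last line of the file: vim only scans the first and
# last few lines for modelines, so it was ineffective in the middle of the file.
# vim:ft=yaml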
Nginx
/etc/nginx/nginx.conf :
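# nginx: TLS termination and reverse proxy for Synapse (client + federation),
# the static site on nibel.fr and the PHP blog. Certificates are issued by
# Certbot. The stock commented-out examples from the default nginx.conf have
# been dropped for readability.
#user http;
worker_processes 1;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;
    charset utf-8;
    tcp_nopush on;
    tcp_nodelay on;
    # Do not reveal the nginx version in the Server header and error pages.
    server_tokens off;
    log_not_found off;
    types_hash_max_size 4096;
    # Global upload limit; the Synapse locations raise it to 50M below.
    client_max_body_size 16M;

    # Logging stays at the compiled-in defaults; uncomment to use dedicated files.
    #access_log /var/log/nginx/access.log;
    #error_log /var/log/nginx/error.log warn;

    # nibel.fr: Synapse API plus the static site.
    #
    # The static-site directives used to live in a second `server_name nibel.fr`
    # block on port 443; nginx only keeps the first server for a given
    # name:port pair and warns "conflicting server name ... ignored", so that
    # block was never served. It is merged here instead.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        # Federation port. Remote homeservers speak HTTPS to 8448, so this
        # listener needs `ssl` exactly like the 443 one; without it the port
        # served plaintext HTTP/2 and federation handshakes failed.
        listen 8448 ssl http2 default_server;
        listen [::]:8448 ssl http2 default_server;
        server_name nibel.fr;

        ssl_certificate /etc/letsencrypt/live/nibel.fr/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/nibel.fr/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location ~ ^(/_matrix|/_synapse/client) {
            # note: do not add a path (even a single /) after the port in `proxy_pass`,
            # otherwise nginx will canonicalise the URI and cause signature verification
            # errors.
            proxy_pass http://localhost:8008;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            # Nginx by default only allows file uploads up to 1M in size
            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
            client_max_body_size 50M;
            # Synapse responses may be chunked, which is an HTTP/1.1 feature.
            proxy_http_version 1.1;
        }

        # Static site.
        location / {
            root /usr/share/nginx/html;
            index index.htm index.html;
        }

        # redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }

    # www.nibel.fr: same Synapse proxy with its own certificate.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.nibel.fr;

        ssl_certificate /etc/letsencrypt/live/www.nibel.fr/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.nibel.fr/privkey.pem; # managed by Certbot
        # Same TLS parameters as the other vhosts (this block previously had
        # none and fell back to nginx's built-in defaults).
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location ~ ^(/_matrix|/_synapse/client) {
            # note: do not add a path (even a single /) after the port in `proxy_pass`,
            # otherwise nginx will canonicalise the URI and cause signature verification
            # errors.
            proxy_pass http://localhost:8008;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            # Nginx by default only allows file uploads up to 1M in size
            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
            client_max_body_size 50M;
            # Synapse responses may be chunked, which is an HTTP/1.1 feature.
            proxy_http_version 1.1;
        }
    }

    # blog.nibel.fr: PHP blog (bl-content / bl-kernel layout) behind php-fpm.
    server {
        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        server_name blog.nibel.fr;
        root /usr/share/nginx/html/blog.nibel.fr;
        index index.php;

        ssl_certificate /etc/letsencrypt/live/blog.nibel.fr/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/blog.nibel.fr/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";

        # Application data directories. `^~` prefix matches take precedence over
        # every regex location below, so these paths are never handed to
        # php-fpm nor served as files.
        location ^~ /bl-content/databases/ { deny all; }
        location ^~ /bl-content/workspaces/ { deny all; }
        location ^~ /bl-content/pages/ { deny all; }

        # Direct requests to kernel scripts are refused. This has to be a regex
        # location listed before the generic `\.php$` one, since nginx takes the
        # first regex that matches. The former `^~ /bl-kernel/*.php` prefix
        # form matched the literal string "*.php" and therefore never applied.
        # Verify the blog's admin interface still works after this change.
        location ~ ^/bl-kernel/.*\.php$ { deny all; }

        location ~ \.(jpg|jpeg|gif|png|css|js|ico|svg|eot|ttf|woff|woff2|otf)$ {
            access_log off;
            expires 30d;
        }

        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param HTTPS on;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    }

    # Plain-HTTP redirectors generated by Certbot. Requests for any other Host
    # header are rejected rather than redirected.
    server {
        if ($host = nibel.fr) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        server_name nibel.fr;
        return 404; # managed by Certbot
    }

    server {
        if ($host = blog.nibel.fr) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;
        # The `;` was missing here, which made the following `root` directive
        # part of the server_name list; nothing is served from this block, so
        # the root directive is simply dropped.
        server_name blog.nibel.fr;
        # A bare `return 301;` answered with no Location header; behave like
        # the nibel.fr redirector above for unknown hosts instead.
        return 404;
    }
}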
Services Systemd
/etc/systemd/system/synapse.target.wants/synapse.service :
[Unit]
Description=Synapse Matrix homeserver (master)
# Wants= pulls network-online.target in, After= orders this unit behind it;
# both are needed for "wait for the network".
Wants=network-online.target
After=network-online.target
# Stop/restart and reload follow synapse.target so the whole stack moves together.
PartOf=synapse.target
ReloadPropagatedFrom=synapse.target

[Service]
Type=notify
User=synapse
Group=synapse
SyslogIdentifier=synapse
WorkingDirectory=/var/lib/synapse
Environment=LANG=en_US.UTF-8
# Optional overrides; the leading "-" makes a missing file non-fatal.
EnvironmentFile=-/etc/default/synapse
ExecStart=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/synapse/homeserver.yaml
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/synctl stop /etc/synapse/homeserver.yaml
Restart=always
RestartSec=3
# NOTE(review): unlike mx-puppet-discord.service this unit has no sandboxing
# (ProtectSystem=, PrivateTmp=, NoNewPrivileges=, ...). Adding it requires
# listing every path Synapse writes (/var/lib/synapse and the log destination
# configured in log_config) in ReadWritePaths= — confirm before enabling.

[Install]
WantedBy=multi-user.target synapse.target
/usr/lib/systemd/system/mx-puppet-discord.service :
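[Unit]
Description=Matrix-Discord puppeting bridge
# After= only orders; Wants= is what actually pulls network-online.target in
# (same pairing as in synapse.service).
Wants=network-online.target
After=network-online.target
# The bridge talks to the local homeserver, so start once Synapse is up.
After=synapse.service

[Service]
# Absolute path, matching the style of synapse.service.
ExecStart=/usr/bin/node /usr/lib/node_modules/mx-puppet-discord/build/index.js -c /etc/mx-puppet-discord/config.yaml -f /etc/mx-puppet-discord/registration.yaml
User=mx-puppet-discord
# NOTE(review): presumably the home of mx-puppet-discord is the data directory
# listed in ReadWritePaths=; if it lives elsewhere it must be added there too.
WorkingDirectory=~
Restart=always
RestartSec=3

# Sandboxing. `strict` mounts the whole file system read-only except the
# paths in ReadWritePaths=; with the former `full`, /var stayed writable and
# the ReadWritePaths= line had no effect. If config.yaml logs to a file
# outside /var/lib/mx-puppet-discord, add that directory as well.
ProtectSystem=strict
ReadWritePaths=/var/lib/mx-puppet-discord
ProtectHome=no
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
# An unprivileged user needs no capabilities at all.
CapabilityBoundingSet=
LockPersonality=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target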