Synapse Docker Deployement

Not Production Ready

A Synapse Docker deployment with:

• Hardened Synapse image
• Hardened worker images
• Mjolnir & Mjolnir module
• Multi-threaded Synapse process via workers
• Privacy-respecting registration captcha
• Manage Docker variables inside of .env
• Manage state with the state compressor
• Manage server via synadm
• Images built locally
• Matrix Maubot
• Matrix integration manager

Getting Started

Dependencies: cargo docker docker-compose git python

Subdomains: matrix dimension maubot

Clone the repository:

git clone https://git.anonymousland.org/deathrow/synapse-docker-deployement

CD into the repository:

cd synapse-docker-deployment

Execute the init script to:

• git clone the docker images
• Build the docker images
• Build auto-state-compressor
• Install synadm

Will take a long time!

bash init.sh

Modify variables inside .env.sample and move to .env

Run this command to generate the Synapse configuration file:

docker-compose run --rm -e SYNAPSE_SERVER_NAME=example.tld -e SYNAPSE_REPORT_STATS=no synapse generate

Synapse Configuration

The Synapse config file will be located at ./files/homeserver.yaml.

Modify the following:

You will need to uncomment (#) these

web_client_location: https://element.example.tld

public_baseurl: https://matrix.example.tld

serve_server_wellknown: true

Under the listeners: section, add the following:

  - port: 9093
    type: http
    resources:
     - names: [replication]

Under the retention: section, you are able to set retention of messages. Uncomment enabled: false if you wish to keep messages indefinitely. (will take up more disk space)

For the purge_jobs: section, add:

  purge_jobs:
    - longest_max_lifetime: 1h
      interval: 30m
    - shortest_max_lifetime: 1h
      longest_max_lifetime: 12h
      interval: 1h
    - shortest_max_lifetime: 12h
      longest_max_lifetime: 1d
      interval: 12h
    - shortest_max_lifetime: 1d
      longest_max_lifetime: 10y
      interval: 24h

For caches: set the following:

caches:
  global_factor: 2.0

  per_cache_factors:
    get_users_who_share_room_with_user: 5.0

  sync_response_cache_duration: 2m

Under the databases: section, remove the default database and add the following:

(change with the postgres values set inside .env)

Keep the host set to postgres as this is the name specified in the docker-compose.yml

database:
  name: psycopg2
  txn_limit: 10000
  args:
    user: user
    password: password
    database: db
    host: postgres
    port: 5432
    cp_min: 5
    cp_max: 10

Under the ## Ratelimiting ## section, add the following:

rc_federation:
  window_size: 1000
  sleep_limit: 10
  sleep_delay: 500
  reject_limit: 50
  concurrent: 3

federation_rr_transactions_per_room_per_second: 50

Uncomment the url_preview_enabled: true and the setting to go with it:

url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '192.88.99.0/24'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
  - '203.0.113.0/24'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - '2001:db8::/32'
  - 'ff00::/8'
  - 'fec0::/10'

If you wish to use the url_preview_url_blacklist: to blacklist certain URLs from being previewed, you can use the following settings:

# blacklist all *.google.com URLs
  - netloc: 'google.com'
  - netloc: '*.google.com'

# blacklist all plain HTTP URLs
  - scheme: 'http'

# blacklist any URL with a literal IPv4 address
  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

If you wish to change the number of rounds used to generate a password hash, you may modify the bcrypt_rounds: setting.

Uncomment inhibit_user_in_use_error: true

Uncomment suppress_key_server_warning: true

Uncomment send_federation: false and add the following:

federation_sender_instances:
  - federation1
  - federation2
  - federation3

Under the redis: section, uncomment enabled: true and add the following settings:

  host: redis
  port: 6379

Nginx

The path for NGINX is /swag/nginx.

Ensure to review each file before you use it, some variables may need changed such as the matrix.example.tld and such.

Start the server

To start the server, type:

docker-compose up -d, you may wish to omit the -d on the first run to ensure there are no errors.

Pantalaimon

Modify the pantalaimon_data/pantalaimon.conf to change the matrix.example.tld

Mjolnir

Create a new user on your server with the username mjonlir.

Mjolnir Configuration

Inside of mjolnir/config/production.yaml modify:

Set homeserverUrl: "http://pantalaimon:8008",

Under pantalaimon: set use: true with the username mjolnir and password:

Create a new encrypted room on your server and copy the ID and set it as managementRoom: !123:example.tld

Under web: set enabled: true

Set displayReports: true

In homeserver.yaml add the following modules:

modules:
  - module: mjolnir.Module
    config:
      # Prevent servers/users in the ban lists from inviting users on this
      # server to rooms. Default true.
      block_invites: true
      # Flag messages sent by servers/users in the ban lists as spam. Currently
      # this means that spammy messages will appear as empty to users. Default
      # false.
      block_messages: true
      # Remove users from the user directory search by filtering matrix IDs and
      # display names by the entries in the user ban list. Default false.
      block_usernames: true
      # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
      # this list cannot be room aliases or permalinks. This server is expected
      # to already be joined to the room - Mjolnir will not automatically join
      # these rooms.
      ban_lists:
         - "!123:example.tld"
         - "!456:example.tld"
      message_max_length:
         # Limit the characters in a message (event body) that a client can send in an event on this server.
         # By default there is no limit (beyond the the limit the spec enforces on event size).
         # Uncomment if you want messages to be limited to 510 characters.
         #threshold: 510

         # Limit messages only in certain rooms rooms.
         # By default all rooms will enforce the limit.
         # Uncomment if you want messages to only be subject to character limits in certain rooms.
         rooms:
           - "!123:localhost:9999"
           - "!456:localhost:9999"

         # Also hide messages from remote servers that are over the `message_limit`.
         # By default only events from this server will be limited.
         # WARNING: Remote users on other servers will still be able to messages over the limit.
         # Uncomment to enforce the `message_limit` on events from remote servers.
         remote_servers: false

Captcha

The synapse-captcha is included with this deployment. Refer to this for configuration.

Dimension

To setup dimension, refer to the official documentation

For the database:

database:
    uri: "postgres://admin:password@dimension:5432/dbname"
    botData: "/data/bot.json"

These values are set in the .env file.

Additional

To bypass ratelimits for certain users:

docker exec -it postgres psql insert into ratelimit_override values ('@user:example.tld', 0, 0);

Your mjolnir and any other admin accounts should be set in the example above.

For synapse state compressor: ./synapse_auto_compressor -p postgresql://user:password@localhost/db -c 500 -n 100

Todo

• stream workers

• Proper sync load balancing

Links

• Synapse-Docker-Compose

• Matrix-org Synapse Docker Compose Workers

• matrix-conf