• fr: Installer un serveur Synapse - Matrix/ Client Riot.im - Messagerie instantanée décentralisée - Arm64 - Rock64 ()
  • blog-image

    Matrix-Riot.im : How to install Synapse-Matrix server - Raspberry PI - Rock64

    • dHENRY
    • 23/04/2019
    • (Reading time : 22 mn)

    (**) Translated with www.DeepL.com/Translator

    Update 23/05/2019 - Show your Matrix-Synapse service on the Internet, as part of a self-hosting program. I refer you to this post:https://www.mytinydc.com/index.php/2019/05/23/nextcloud-exposez-votre-instance-sur-internet/(https://www.mytinydc.com/index.php/2019/05/23/nextcloud-exposez-votre-instance-sur-internet/) whose content is easily adaptable to this service.

    Update 18/05/2019 - Synapse-Matrix compilation works on a Raspberry PI3 armhf : the procedure is identical to that of Rock64 (compilation time > 20 minutes). This operation was performed as part of a load balancing test with HAPROXY. These tests revealed that it is impossible to use two servers simultaneously for the same database, be careful this damaged the integrity of the database, some rooms quickly became inaccessible.

    The Matrix/Riot.im service (https://matrix.org(https://matrix.org)) is an instant messaging service, such as Slack, Whatsapp, Messenger, Hangout, but entirely open source and decentralized. You have certainly heard about it, since it is the messaging system chosen by the French government to replace Whatsapp and which has been “hacked” since its launch (http://www.leparisien.fr/high-tech/tchap-la-messagerie-chiffree-du-gouvernement-deja-victime-d-une-faille-de-securite-18-04-2019-8056314.php). Coded in Python, the solution is very fast and can be installed on a rock64 (arm64 platform), or even a Raspberry but I haven’t tested it. The designers recommend 1 GB of RAM for a comfortable use. This post is therefore related to the installation of the Matrix service on an arm64 platform (Rock64).

    This video shows the operation and use of the Matrix/Riot.im package:https://youtu.be/TUgQ7Qh754

    Proposed topology

    The topology I propose is the one I use, the messaging is very fast (10 simultaneous users and federated to two other domains), the load is minimal, accessible from all over the world 247.
    My Datacenter is composed of 6 units. The instantaneous power consumption of the unit, including an 80mm fan, is 25 watts.
    The unit operates in a rather harsh environment, 33 degrees Celsius can exceed 38 degrees, and 80% humidity, without air conditioning, for the “proof of concept”, for 18 months without service interruptions.
    Activist for the decentralization of the Internet, this installation also proves that we can do without WhatsApp, Hangout, Messenger and other messaging held by the great leaders of the Internet.
    And fully encrypted from start to finish, for which only you (including your contacts) hold the encryption keys and the entire data storage.

    The topology presented here, implements 3 units (servers):

    • Haproxy Server
      • IP address :
      • Raspberry PI3 or Rock64
    • Postgresql Server 9.6 :
      • IP address :
      • Raspberry PI3 or Rock64
    • Matrix Server:
      • IP address :
      • Rock64 (arm64) in this topology
        The installation of the Riot-web web application is optional, since “mobile and desktop” clients do not require HTML support. If you decide to install Riot-web, it is because you want to access your email through a web browser.

    Postgresql service installation

    Nothing complicated, I’ll use the account “synapse”, password “synapse” (I recommend a more robust password), to access the database “synapse”. Connected root to the server, type the following instructions:

    Service installation

    apt install postgresql-9.6  
    su - postgres  
    #Creation of the user synapse and the database synapse  
    createuser synapse  
    ALTER USER synapse WITH ENCRYPTED password "synapse";  
    sys:> # 1 single line  
    CREATE DATABASE synapse ENCODING "UTF8" LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;  
    # 1 single line  

    Postgreql listening address setting

    If you are hosting the Postgresql service on the same server used to host the Matrix-Synapse service, skip this step.
    By default Postgresql listens on the address: localhost:5432. If you want to expose this service on your network you will need to change this configuration. If your server has the IP address:

     vi /etc/postgresql/9.6/main/postgresql.conf  

    Look for the line: listen_addresses =‘localhost’ and comment on this line :

    #listen_addresses = "localhost  

    Add (adapt to your configuration)

    listen_addresses =''.  

    Add (adapt to your configuration)

    listen_addresses =''.  

    Save and exit vi : ESC : wq

    Restart Postgresql

     systemctl restart postgresql  

    Setting up access to the postgresql service

    You use two separate servers - Matrix and Postgresql Server - Network access

    The access to the postgresql service is configured through parameters located in the file /etc/postgresql/9.6/main/pg_hba.conf

    vi /etc/postgresql/9.6/main/pg_hba.conf  

    Add at the end of the file

    host synapse synapse synapse md5  

    (*) is the IP address of the unit that will host the Matrix/Synapse service - adapt according to your configuration

    You use a single server for both services - Matrix and Postgresql Server - Local access

    Just after this line

    local all postgres peer  

    Add this line

    local synapse synapse synapse md5

    Reload the Postgresql configuration

    systemctl reload postgresql

    Schematic of the postgresql database

    The Matrix service is in charge of importing the schema from the database.

    HAPROXY and SSL Encryption

    If you don’t know what the HAPROXY application is in your architecture, skip this chapter.
    You will notice that the HAPROXY accesses to the final server (Matrix and Apache2) are configured for the “http” protocol and not “https”, while the access urls are of the “https” type. In my topology, it is the HAPROXY server that makes the https support, the communication between the HAPROXY server and the final servers remains “in clear”, since in my case the area is “secure”.
    This is done for optimization purposes, always try to use a number only once in the communication chain, as much as possible. This avoids unnecessary server loads and can have a significant impact on the cost of using Cloud resources. Encryption is not an insignificant operation for a microprocessor.

    Installation and configuration of the HAPROXY service

    If you don’t know what the HAPROXY application is in your architecture, skip this chapter.
    I don’t go into details about this service, the documentation is very rich on the internet, the following settings correspond to a reverse proxy service (Layer 7), for the Matrix service, and the web application Riot.im (Optionnel).

    HAPROXY installation

    apt install haproxy  

    Add the reverse proxy for the matrix and riot service, you must first have the domain names related to these services.
    In this example I have chosen: matrix.mydomain.com and riot.mydomain.com and you will need the corresponding SSL certificates, in HAPROXY (pem) format

    vi /etc/haproxy/haproxy/haproxy.cfg  

    and add this content by adapting it to your configuration:

       acl matrix.mydomain.comssl hdr(host) -i matrix.mydomain.com  
       acl riot.mydomain.comssl hdr(host) -i riot.mydomain.com  
       use_backend matrix.mydomain.comssl if matrix.mydomain.comssl  
       use_backend riot.mydomain.comssl if riot.mydomain.comssl  
      backend matrix.mydomain.mydomain.comssl  
            http mode  
            roundrobin balance  
            server matrix check weight 10 maxconn 500  
       backend riot.mydomain.comssl  
           http mode  
         roundrobin balance  
         server riot check weight 10 maxconn 500

    Synapse/Matrix service installation

    Project compilation

    The compilation of the project is carried out as indicated in the official documentation

    Environmental preparation

    Install the necessary packages:

    apt -y install build-essential make python3 python3-dev python3-dev python3-virtualenv python3-pip python3-setuptools libffi-dev libpq-dev postgresql-server-dev-9.6 python3-cffi zlib1g-dev libxml2-dev libxml2-dev libxslt1-dev libssl-dev libjpeg-dev python3-lxml virtualenv
    mkdir -p /opt/synapse
    virtualenv -p python3 /opt/synapse/env
    cd /opt/synapse
    source /opt/synapse/env/bin/activate
    pip install --upgrade pip
    pip install --upgrade setuptools
    pip install matrix-synapse[all]

    Expected result :

    Collecting matrix-synapse[all]
    Successfully installed matrix-synapse-

    Generation of the configuration file for synapse-matrix

    This command will create the file: /opt/synapse/homeserver.yaml

    python3 -m synapse.app.homeserver --server-name matrix.mydomain.com --config-path homeserver.yaml --generate-config --report-stats=no

    Service configuration

    All Matrix settings are made in the file /opt/synapse/homeserver.yaml

    Attention the YAML syntax does not support tabulations

    vi /opt/synapse/homeserver.yaml  

    Adapt these parameters to your own:

    server_name: "matrix.mydomain.com"  
    #IP listening parameters :
    - port: 8008  
        tls: false  
        # Replace the IP address with the IP address of the server used to run Matrix-Synapse  
        bind_addresses: ['']  
        # Or for all interfaces: bind_addresses: ['']  
        type: http  
        x_forwarded: true 
           - names: [client, federation]  
             compress: false
    #Database parameters :
    ##Comment the sqlite3 part :
    #The database engine name  
    #name: "sqlite3"  
    #Arguments to pass to the engine  
    #Path to the database  
    #database: "/opt/synapse/homeserver.db"
    # And add: 
    name: psycopg2  
       user: synapse  
       password: synapse
       database: synapse  
       # Replace the IP address ( with the IP address used by the Postgresql database server.  
       # If the Posgresql and Matrix-Synapse services are on the same server specify: localhost as IP address  
       # By default Postgresql is set to listen on port 5432, if you have changed this setting indicate the port actually used  
            port: 5432  
            cp_min: 5  
            cp_max: 10

    Identity server (optional)

    Associating an account with an email is optional in Matrix. If you forget your password, you will need to connect to an identity server or change it directly in the database. By default the Riot-im application defines the Matrix.org organization’s server: https://vector.im but for having tried it, this service does not work, prefer: https://matrix.org
    You can also install your own identity server (not covered in this documentation).
    Add lines or uncomment existing lines:

    default_identity_server: https://matrix.org  
          - matrix.org

    Prometheus probe - Grafana display (optional)

    If you have a Prometheus monitoring service and want to enable metric collection, you will need to add a listener:

      - port: 9092  
        type: metrics  
        bind_addresses: ['']
    #and activate the "metrics"  
    enable_metrics: true  

    Then set up your Prometheus service. There is a dashboard at Grafana (ID 10046)

    Systemd configuration

    addgroup synapse
    adduser --system --home /opt/synapse/ --no-create-home --disabled-password --shell /bin/nologin --ingroup synapse synapse

    Create the systemd file

    vi /etc/systemd/system/system/matrix-synapse.service

    And add this content

    Description=Matrix Synapse service  
    ExecStart=/opt/synapse/env/bin/synctl start  
    ExecStop=/opt/synapse/env/bin/synctl stop  
    ExecReload=/opt/synapse/env/bin/synctl restart  

    Service activation at server startup

     systemctl enable matrix-synapse

    Media storage directory and permissions

    The generated configuration file automatically stores the media (photo, files, etc…) sent to the mailbox in the “/opt/synapse/media_store” and “/opt/synapse/uploads” directories. These directories do not exist. Create these directories:

    mkdir /opt/synapse/media_store /opt/synapse/uploads
    #Assign the necessary permissions to the account/group running the service (see the systemd file created above)
    chmod 770 /opt/synapse/media_store /opt/synapse/uploads
    # Allow matrix to write its logs in /opt/synapse
    chmod 755 /opt/synapse
    chown synapse:synapse /opt/synapse /opt/synapse/media_store /opt/synapse/uploads


    • HAPROXY server
      • OUTPUT: TCP/80 (if using Riot-web web service) + INPUT Return Rule (STATE ESTABLISHED, RELATED)
    • Postgresql server
    • Matrix server
      • INPUT: TCP/80 (if using Riot-web web service) + OUTPUT Return Rule (STATE ESTABLISHED, RELATED)

    Starting the service

    #Enable continuous log reading  
    tail -f /var/log/syslog &  
    #Starting the Matrix service  
    systemctl start matrix-synapse  

    The log display shows:

    After 24 19:14:14:15 localhost systemd[1]: Starting Matrix Synapse service....  
    Apr 24 19:14:24 localhost synapse[3877]: 2019-04-24 19:14:24,693 - root - 211 - WARNING - None - _ STARTING SE  
    RVER _  
    Apr 24 19:14:24 localhost synapse[3877]: 2019-04-24 19:14:24,773 - root - 214 - WARNING - None - Server /opt/synapse  
    se/env/lib/python3.5/site-packages/synapse/app/homeserver.py version 0.99.3  
    Apr 24 19:14:24 localhost synapse[3877]: 2019-04-24 19:14:24,774 - root - 216 - INFO - None - Server hostname: mat  
    Apr 24 19:14:24 localhost synapse[3877]: 2019-04-24 19:14:24,779 - twisted - 242 - INFO - None - Redirected stdout  
    /stderr to logs  
    Apr 24 19:14:24 localhost synapse[3877]: 2019-04-24 19:14:24,937 - synapse.app.homeserver - 358 - INFO - None - Pr  
    eparing database: psycopg2....  
    After 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,146 - synapse.storage.prepare_database - 223 - INFO -  
     None - Upgrading schema to v53  
    Apr 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,167 - synapse.app.homeserver - 376 - INFO - None - Da  
    tabase prepared in psycopg2.  
    Apr 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,168 - synapse.server - 222 - INFO - None - Setting up  
    Apr 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,348 - synapse.storage.event_push_actions - 471 - INFO  
    None - Searching for stream ordering 1 month ago  
    Apr 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,378 - synapse.storage.event_push_actions - 477 - INFO  
    None - Found stream ordering 1 month ago: it's 2  
    Apr 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,380 - synapse.storage.event_push_actions - 479 - INFO  
    None - Searching for stream ordering 1 day ago  
    Apr 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,407 - synapse.storage.event_push_actions - 485 - INFO  
    None - Found stream ordering 1 day ago: it's 2  
    Apr 24 19:14:25 localhost synapse[3877]: 2019-04-24 19:14:25,427 - synapse.server - 226 - INFO - None - Finished s  
    etting up.  
    After 24 19:14:14:26 localhost synapse[3877]: Starting...  
    Apr 24 19:14:14:26 localhost synapse[3877]: started synapse.app.homeserver('homeserver.yaml') 

    type now:

    then CRTL+C to stop the "tail" scrolling  

    If the start traces have a dependency error:

    systemctl stop matrix-synapse
    cd /opt/synapse
    source /opt/synapse/env/bin/activate
    pip3 install requests  
    systemctl daemon-reload  
    systemctl start matrix-synapse  

    Start your browser, then type the url : https://matrix.mondomaine.com, if you have a self-signed certificate on the HAPROXY server, you will have to accept the exclusion. Please note that the Matrix.org federation is only possible by using certificates from certification authorities. If you want to acquire an SSL certificate for free, look on the LetsEncrypt side. Matrix is not equipped with an HTML interface, so only this page will appear:

    Creating the first account

    It will be a question of creating the administrator account. The latter will have access to all the server parameters (create rooms, configure rooms, etc…).
    At this stage of the procedure, the following command will use the Domain Name Resolution System (DNS). In this example I decided to assign the domain name (FQDN) to the Matrix service: matrix.mydomain.com

    Domain name resolution

    The command that creates the first user will try to connect to the domain specified in its settings.
    If you have a DNS service on your network, set it so that this command can resolve the domain name provided as a parameter.
    You do not have a DNS service on your network? No problem, add this resolution to the “/etc/hosts” file.
    A line in a hosts file consists of an IP address and one or more names. Still in this example I will add (refer to the topology of this example):

    vi /etc/hosts   
    # and add matrix.mydomain.com      

    Register, and check immediately: ping matrix.mydomain.com, the answer must come from

    Account creation

    Connect to the server console, and type:
    Adapt this command with your parameters : domain name, port
    Example for the topology presented:

    /opt/synapse/env/bin/register_new_new_matrix_user -c /opt/synapse/homeserver.yaml http://matrix.mondomaine.com:8008

    The console asks you to enter the account name, password and answer “yes” to the question “Make admin”:

    New user localpart[root]: admin  
    Password: xxxxxxxxx  
    Confirm password: xxxxxxx  
    Make admin[no]: yes  
    Sending registration request....  

    Server administration

    As I mentioned earlier, the server does not have a management interface as such, you will have to go through a client. I advise you the most accomplished: Riot.IM.
    This application has (almost) all the functions to administer the server, access to the administration functions is managed according to the user’s authorization level in a room.

    Riot-web application installation

    This part is optional, and necessary only if you do not want to install the mobile or desktop application, but prefer to use it by web browser. This will require the installation of a web server, which will be responsible for sending the Riot application (html/javascript) to connected clients. Nothing complicated since it is a static site, no handler to set up.

    Apache2 web service installation

    Connected “root” to the “Matrix” server, type :

    apt install apache2  

    The websites are located in the directory /var/www/html/

    Static website installation

    Go to https://github.com/vector-im/riot-web/releases and copy the download url of the latest version of Riot-web (extension.tar.gz)

    cd /var/www/html/  
    wget[paste the url of the file to download] Ex: wget https://github.com/vector-im/riot-web/releases/download/v1.2.1/riot-v1.2.1.tar.gz   
    #extract the archive  
    tar xfz[name of the tar.gz archive] Ex: tar xfz riot-v1.2.2.1.tar.gz  
    chown -R www-data:www-data:www-data[name of the created directory] Ex: chown -R www-data:www-data riot-v1.2.1  
    # Deletion and creation of the symbolic link to the new version, this avoids the modification of the vhost each time the version is changed  
    rm riot;ln -s riot-v1.2.1 riot  

    Creation of the virtualhost file for the domain: riot.mydomain.com

    vi /etc/apache/site-available/riot.mydomain.com.conf 

    and add this content by adapting it to your settings:

    <VirtualHost default:80>>  
             ServerName riot.mydomain.com  
             ServerAdmin webmaster@localhost  
             DocumentRoot /var/www/html/riot  
             ErrorLog ${APACHE_LOG_DIR}/ error-riot.mydomain.com.log  
             CustomLog ${APACHE_LOG_DIR}/access-riot.mydomain.com.log combines   

    Vhost Activation

    a2ensite riot.mydomain.com  
    #Reloading the apache configuration  
    systemctl reload apache2  

    You can change the url presented automatically by the interface:

    #Copy the file config.sample.json to config.json  
    cp /var/www/html/riot/config.sample.json /var/www/html/riot/config.json  
    vi /var/www/html/riot/config.json  
    # and change the urls: in this example 
    "default_hs_url": "https://matrix.mondomaine.com",  
    "default_is_url": "https://matrix.org",

    For the other parameters, if you don’t know what they correspond to, consult the Riot-web documentation, or delete them from the configuration file.

    Now open your browser and point it to your domain: http://riot.mondomaine.com to connect see the procedure below.

    Note that the apache server is configured for the “http” protocol and not “https”. This is a static site, intended to be downloaded once, in this case the web server is only used to send the html/javascript codes, and does not perform any action with the Matrix server. If you want to encrypt this part, see the previous chapter on SSL encryption.

    Installation of Riot.im clients (mobile and/or Desktop)

    I refer you to the sitehttps://about.riot.im/ from where you can download the client adapted to your platform.

    Connection to the Matrix server

    ATTENTION: The client on which you install Riot.im should be able to resolve domain names, if you use a name in your url. If you do not have a DNS service on your network infrastructure, specify the resolution in the “hosts” file of your system”.
    Start the Riot.im client, by default, it offers a connection to the Matrix.org servers, click on “change”, indicate in the “url of the host server” box: “httpS://matrix.mydomain.com, if you have set up a HAPROXY SSL service,
    if not, use the IP address of the server that hosts the Matrix application: “http://[IP address]:[Matrix Port]”
    Ex: when Matrix listens on port 8008.
    And in the “identity server url” box, enter “https://matrix.org" (Optional).

    Click on “Next”, then enter the “admin” account, and the password chosen previously.

    You are connected….

    Create your room. You will not be able to invite, via the “Invite to this room” button, users of your instance (see the chapter Add an account) and those connected to the identity server.
    You will discover a user-friendly, robust, fast, very complete space and I invite you to read the documentation of this tool (not covered in this post).

    Add an account

    In my context: private messaging, this implies that automatic registration has been disabled. This is the parameter: “enable_registration: false” located in the configuration file of the service matrix: /opt/synapse/homeserver.yaml.
    If you modify this file, execute the command :

    systemctl restart matrix-synapse 

    (restart of the service to take into account the configuration change).
    I therefore create accounts as and when requested. The procedure is the same as for creating the first account. Attention: To the question “Make admin[no]”, press “Enter” or indicate no. New users are not administrators in my context.
    I indicate a “strong password” (generated by apg) that I communicate to the user and specify that he must change it during his first visit.

    Resetting a password

    If you are connected to an identity server, follow the procedure on the home page, otherwise Matrix comes with a tool located here: /opt/synapse/env/bin/hash_password
    Just run it, provide a password, confirm.


    The tool will indicate the “hashage”, copy this value.
    Connect “root” to the postgresql server console, then type :

    su - postgres  
    psql synapse  
    SELECT * FROM users;  
    UPDATE users SET password_hash='[hash value]' WHERE name='[username such as @foo:matrix.mydomain.com';  

    source : https://blog.cavebeat.org/2018/02/reset-password-for-matrix-synapse-accounts

    Then log in with the password used to calculate the “hashage”.

    Integration of a Bot (go-neb)

    The bot allows you to extend the functionality of your messaging: integration of animated Gifs (Giphy), integration of Prometheus alert messages (monitoring application developed by Soundcloud), refer to this article:https://www.mytinydc.com/index.php/2019/04/25/installation-du-bot-go-neb-pour-synapse-matrix-arm64/

    Matrix-Synapse server update (update 04/05/2019)

    Before updating the Matrix-Synapse server, save the Postgresql database and the installation directory.

    # Connected to the Matrix-Synapse server
    # Matrix-Synapse code location: /opt/synapse
    # backup as tar+gz archive
    tar cfz /root/backup-matrix-synapse-[datejour].tgz /opt/sysnapse
    # Log in to the Postgresql database server and save the "synapse" database
    # Matrix-Synapse service shutdown
    systemctl stop matrix-synapse
    # Code update
    cd /opt/synapse
    source /opt/synapse/env/bin/activate
    pip install --upgrade pip
    pip install --upgrade setuptools
    pip install --upgrade matrix-synapse[all]

    The update starts:

    Collecting matrix-synapse[all]
    Successfully built matrix-synapse 
    Installing collected packages: matrix-synapse   
    Found existing installation: matrix-synapse 0.99.3 Uninstalling matrix-synapse-0.99.3:       
    Successfully uninstalled matrix-synapse-0.99.3 Successfully installed matrix-synapse-

    Continue with these commands:

    #Delete the environment

    If the unit to which you are connected is not the Matrix server but a compilation unit, create a “/opt/synapse/env” archive and then deploy it on the final server

    tar cfz /root/matrix-synapse.tgz /opt/synapse/env/
    # connection to the Matrix-Synapse server: copy the previous archive into /root/ then : 
    systemctl stop matrix-synapse
    cd /
    tar xfz /root/root/root/matrix-synapse.tgz
    chown -R synapse:synapse /opt/synapse/env
    rm /root/matrix-synapse.tgz
    systemctl start matrix-synapse
    # Start Matrix-Synapse
    systemctl start matrix-synapse

    Expose the service on the Internet

    To configure the exposure of your Matrix messaging on the Internet, I refer you to the post dedicated to the Nextcloud exposure (to be adapted to your Matrix environment).


    (update 06/05/2019)
    The federation allows synapse servers to communicate with each other. To test this federation, I will attach as indicated in the documentation, the room “`#synapse:matrix.org”.
    Attention the federation only works when your Matrix service is exposed on the internet.
    By default servers communicate on port 8448, if you change this port, you will have to inform the network by creating specific DNS records, see the doc.

    HAPROXY and Firewall

    The service being distributed on several machines I will detail for each one the configuration to be modified.

    HAPROXY server and its firewall

    The topology does not change, the Haproxy server is responsible for intercepting client requests.
    I add the federation port (TCP/8448) in the HAPROXY configuration, the backend matrix does not change either and I use the same one. Mine is already set up for the HTTPS backend (TCP/443) and named “matrix.mydomain.comssl”

        http mode  
        bind ssl crt matrix.mydomain.com.pem  
        default_backend matrix.mydomain.comssl  

    I open the TCP/8448 port in the Firewall configuration of this server.
    The service is now available from other Matrix-Synapse servers.

    Matrix-Synapse Server

    This server will have to communicate with the federated servers. To allow federation with “matrix.org”, open the configuration file of your server:
    and uncomment the line: federation_domain_whitelist:
    Add above using spaces and not tabs: matrix.org, to get this:

          - matrix.org

    Save and exit, restart the matrix-synapse service

    systemct restart matrix-synapse  

    You must also set its firewall so that the matrix server can reach the port of the authorized federation, e. g. domain.federe.com: 8448 TCP

    Open your Riot.im application, connected to your server, then let’s try to join the room: #synapse:matrix.org

    Click on the “+” button after “Rooms”

    And enter the name of the room “`#synapse:matrix.org” located on the matrix.org server and I get an error :

    I restart the process by inspecting the Firewall traces of my matrix-synapse server, and I see attempts to connect to an IP address belonging to Cloudfare on the port…… 8443.

    Matrix.org does not federate on 8448 (it is allowed to federate on a different port (Matrix federation documentation). I modify the firewall settings of this server, by allowing access to port 8443 of the “matrix.org” domain, I do not specify the ip. If they use cloudflare, it is possible that the domain ip may change. And I repeat the process to join the room:

    I click on “Click here” to join the room

    The federation is in place for the matrix.org domain. The federation creates a copy of the salon of the federated site, I advise you against the federation from existing large salons, replication takes a lot of time and often does not succeed. There are several discussions on this subject, because today the federation is limited to very large computing units….
    To test the proper functioning of the federation you can use this url:

    https://federationtester.matrix.org/api/report?server_name=[domain name of your matrix server]

    This test gives a federation report.


    Because Matrix did the “Buzz”, I became interested in their product very ready. I have chosen to install this service, to replace RocketChat. Which is also a good product, but in the end, not very suitable for the small units I use. Rocketchat takes more than 5 minutes to start, and spontaneously consumes all CPU power several times a minute, for no good reason. The Mongolian base (also for arm64) crashed several times, and after three months of use, it seemed a little slow.
    The installation of the Matrix/Riot.im couple is quite simple, no significant difficulties encountered during installation. During the first hours of use (3 people), we posted about a hundred messages, photos and the server load remained very low. Response times have nothing to do with RocketChat response times, especially for image uploads, and Gifs. Very interesting feature in Riot, you can disable the automatic start of Gifs and videos. Markdown support is excellent, as well as message response tracking.
    Mobile notifications are very reactive. I would like to come back to this point. Some have criticized, and for good reason, the fact that the French government’s messaging system was not really sovereign, in the sense that the notification mechanism (PUSH system) goes through Google’s Firebase services (https://firebase.google.com/docs/cloud-messaging/). Indeed, metadatas and their routing allow Google to know who is connected to this private network, and the title of the group concerned, but in no case, the ability to read the message. The French government should have chosen and maybe have done so, an installation on Android with the opensource package manager “FDroid”, which offers a Riot.im client not using Google’s FireBase network. But uses a mechanism of repeated interrogation of the server (non push). If you too are concerned about the metadata passing through Google in this way, be aware that the “Fdroid” installation option is the answer to your question. And last but not least, metrics are quite important in a data center. The Matrix service is not to be outdone on this side. It provides very relevant and above all very complete information (CPU usage, Garbage collector, database access statistics, etc…). And obviously, I abandoned Rocketchat.

    * This curve shows the descent after stopping RocketChat and starting Matrix…. (Monitoring carried out with Prometheus and Grafana on Raspberry PI3)
    * Waiting time for connections to the postgresql database (Rock64/4GB)

    Expose your Matrix-Synapse service on the Internet

    As part of a self-hosting, you will expose your email service on the Internet. I refer you to this post:https://www.mytinydc.com/index.php/2019/05/23/nextcloud-exposez-votre-instance-sur-internet/(https://www.mytinydc.com/index.php/2019/05/23/nextcloud-exposez-votre-instance-sur-internet/) whose content is easily adaptable to this service.
    Be careful if you use a VPN, modify the configuration of Matrix, so that it listens on all interfaces:
    modify the “bind_addresses” parameter of the /opt/synapse/homeserver.yaml file as follows: “bind_addresses: [‘’]”
    and restart the service: **_systemctl restart matrix-synapse

    Going further

    • Load balancing of the Matrix service (be careful, I started this chapter and damaged the service by starting two instances on separate servers and “loadbalanced” with Haproxy, this implementation is not enough and has caused access errors to active rooms…). For the moment I have two servers, with only one instance started and “hearbeat” between the two. When the master stops, the slave starts the matrix-synapse service. To return to the initial state, stop the matrix-synapse service on the slave and then start the matrix-synapse service on the master. This configuration works… but is not suitable for “pure” load balancing.
    • Load balancing of the Postgres database (postgres-XL - multi master) * Automatic database backup
    • Access security with HIDS (Ossec for example)
    • Implementation of “rate limiters”
    • Integrate Bots for the collection of monitoring information, Giphy support, etc…

    This document was reviewed by Tristan, who performed the complete “from scratch” installation on a Rock64 unit from a fully reset operating system. Please leave your comments if you are confronted with cases not specified in this document.

    Document licence : Creative Commons (CC BY-NC-ND 4.0)


    (**) Translated with www.DeepL.com/Translator

    Post a comment

    Sorry, the answer to the Captcha question is incorrect
    Thank you. The Mailman is on His Way :)
    Sorry, don't know what happened. Please to try later :(
    One field is not valid

    Comments (not translated)

    No comments