Create a Chat Server Using Matrix Synapse and Element on Ubuntu 22.04
Introduction
Matrix is a set of open APIs for decentralized and end-to-end encrypted communication. It works across a collection of federation servers to deliver Instant messages, Voice over IP (VoIP), and Internet of Things (IoT) communication in real time. It uses homeservers to store the account information and chat history. Federation works like email, which means you can either use a server hosted by somebody or host your Matrix server that provides greater control over your data. The decentralized nature of servers ensures that if one server hosting a chat goes offline, the communication continues on other servers.
Synapse is a popular homeserver implementation of Matrix written in Python and created by the Matrix.org team. This guide will teach you to install Matrix Synapse and Element web client on a Ubuntu 22.04 server.
Prerequisites
- Deploy a Ubuntu 22.04 server with at least 2 GB of RAM and one vCPU core.
- Create a non-root user with sudo privileges.
- Update the server.
- Create subdomains
matrix.example.com,element.example.com, andcoturn.example.compointing to your server.
1. Configure Firewall
Matrix Synapse needs HTTP and HTTPS ports to work.
Open them using the Uncomplicated Firewall (UFW).
$ sudo ufw allow http
$ sudo ufw allow httpsOpen port 8448, as required by Matrix.
$ sudo ufw allow 8448Check the firewall status to confirm.
$ sudo ufw status2. Install Matrix Synapse
Download and import the GPG key.
$ sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpgAdd the Matrix official APT repository.
$ echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/matrix-org.listUpdate the system repositories list.
$ sudo apt updateInstall Matrix Synapse.
$ sudo apt install matrix-synapse-py3Enter your Matrix domain name during installation as the server name. You can change it later in the /etc/matrix-synapse/conf.d/server_name.yaml file. Enter N to stop the reporting of anonymized statistics.
3. Install and Configure PostgreSQL
Synapse supports SQLite database by default which isn't suitable for a production environment because of performance issues.
Install PostgreSQL server.
$ sudo apt install postgresql postgresql-contribLog in to the PostgreSQL shell.
$ sudo -su postgres psqlCreate a Synapse SQL user.
# CREATE ROLE syanpse LOGIN PASSWORD 'yourpassword`;Create a Synapse Database.
# CREATE DATABASE synapsedb OWNER synapse LOCALE 'C' ENCODING 'UTF-8' TEMPLATE template0;Exit the shell.
# exit4. Install Nginx
Ubuntu 22.04 ships with an older version of Nginx. Add the official Nginx repository to install the latest version.
$ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
$ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg arch=amd64] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
sudo tee /etc/apt/sources.list.d/nginx.listUpdate the system repository list.
$ sudo apt updateInstall Nginx.
$ sudo apt install nginxStart the Nginx server.
$ sudo systemctl start nginx5. Install SSL
Issue the following commands to ensure that you have the latest version of snapd required to install Certbot.
$ sudo snap install core
$ sudo snap refresh coreInstall Certbot.
$ sudo snap install --classic certbotCreate a symlink for Certbot to the /usr/bin directory.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbotIssue the SSL Certificate.
$ sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m name@example.com -d matrix.example.comGenerate a Diffie-Hellman group certificate.
$ sudo openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096Do a dry run of the SSL renewal process to ensure it works.
$ sudo certbot renew --dry-run6. Configure Synapse
You can configure Snypase using the /etc/matrix-synapse/homeserver.yaml file, but you shouldn't use it in a production environment because it gets overwritten during an APT update.
You should configure Synapse by creating files in /etc/matrix-synapse/conf.d/ directory.
Create a database configuration file.
$ sudo nano /etc/matrix-synapse/conf.d/database.yamlPaste the following lines in the editor. Replace yourpassword with the database user set in Step 3.
database:
name: psycopg2
args:
user: synapse
password: 'yourpassword'
database: synapsedb
host: localhost
cp_min: 5
cp_max: 10Save the file by pressing Ctrl+X, then Y.
Create a registration key and store it in the /etc/matrix-synapse/conf.d/registration_shared_secret.key file.
$ echo "registration_shared_secret: '$(cat /dev/urandom | tr -cd '[:alnum:]' | fold -w 256 | head -n 1)'" | sudo tee /etc/matrix-synapse/conf.d/registration_shared_secret.yamlCreate a new Matrix user. Type yes to set it as administrator.
$ register_new_matrix_user -c /etc/matrix-synapse/conf.d/registration_shared_secret.yaml http://localhost:8008Synapse doesn't allow public registration by default. Create a configuration file to enable it.
$ sudo nano /etc/matrix-synapse/conf.d/registration.yamlPaste the following line.
enable_registration: trueSynapse requires verification for new users. To enable email verification, paste the following lines.
registrations_require_3pid:
- email
email:
smtp_host: mail.example.com
smtp_port: 587
# If mail server has no authentication, skip these 2 lines
smtp_user: 'noreply@example.com'
smtp_pass: 'password'
# Optional, require encryption with STARTTLS
require_transport_security: true
app_name: 'Example Chat' # defines value for %(app)s in notif_from and email subject
notif_from: "%(app)s <noreply@example.com>"You can disable user verification using the following code.
enable_registration_without_verification: trueSave the file by pressing Ctrl+X, then Y.
Synapse shows the user's online status by default which can cause high CPU usage. To disable the status, create a new configuration file.
$ sudo nano /etc/matrix-synapse/conf.d/presence.yamlPaste the following lines.
presence:
enabled: falseSave the file by pressing Ctrl+X, then Y.
Restart Synapse to apply the changes.
$ sudo systemctl restart matrix-synapse7. Configure Nginx
Open the Nginx configuration file.
$ sudo nano /etc/nginx/nginx.confAdd the following line before the line /etc/nginx/conf.d/*.conf.
server_names_hash_bucket_size 64;Save the file by pressing Ctrl+X, then Y.
Create an Nginx configuration file for Synapse.
$ sudo nano /etc/nginx/conf.d/synapse.confPaste the following lines.
# enforce HTTPS
server {
# Client port
listen 80;
listen [::]:80;
server_name matrix.example.com;
return 301 https://$host$request_uri;
}
server {
server_name matrix.example.com;
# Client port
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
access_log /var/log/nginx/synapse.access.log;
error_log /var/log/nginx/synapse.error.log;
# TLS configuration
ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/matrix.example.com/chain.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
}Save the file by pressing Ctrl+X, then Y.
Verify the configuration file syntax.
$ sudo nginx -tRestart the Nginx server.
$ sudo systemctl restart nginx8. Install Coturn
You need to install a Traversal Using Relays around NAT (TURN) server to use video and voice calls.
Install Coturn.
$ sudo apt install coturnOpen the TURN and UDP ports.
$ sudo ufw allow 3478
$ sudo ufw allow 5349
$ sudo ufw allow 49152:65535/udpIssue an SSL certificate for Coturn.
$ sudo certbot certonly --nginx -d coturn.example.comBack up the default configuration file.
$ sudo mv /etc/turnserver.conf /etc/turnserver.conf.bakGenerate an authentication secret and store it in the configuration file.
$ echo "static-auth-secret=$(cat /dev/urandom | tr -cd '[:alnum:]' | fold -w 256 | head -n 1)" | sudo tee /etc/turnserver.confOpen the Coturn configuration file.
$ sudo nano /etc/turnserver.confPaste the following lines below the authentication secret.
use-auth-secret
realm=coturn.example.com
cert=/etc/letsencrypt/live/coturn.example.com/fullchain.pem
pkey=/etc/letsencrypt/live/coturn.example.com/privkey.pem
# VoIP is UDP, no need for TCP
no-tcp-relay
# Do not allow traffic to private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# Limit number of sessions per user
user-quota=12
# Limit total number of sessions
total-quota=1200Save the file by pressing Ctrl+X, then Y.
Restart Coturn to apply the settings.
$ sudo systemctl restart coturnCreate a Synapse configuration file for Coturn.
$ sudo nano /etc/matrix-synapse/conf.d/turn.yamlPaste the following lines in the editor. Replace the turn_shared_secret value with the value of the static-auth-secret variable from the \etc\turnserver.conf file.
turn_uris: [ "turn:coturn.example.com?transport=udp", "turn:coturn.example.com?transport=tcp" ]
turn_shared_secret: 'static-auth-secret'
turn_user_lifetime: 86400000
turn_allow_guests: TrueSave the file by pressing Ctrl+X, then Y.
Restart Synapse to apply the configuration.
$ sudo systemctl restart matrix-synapse9. Use Matrix
You can use Synapse using any of the available Matrix clients. Element is the most popular client and is available as a web app, desktop, and mobile app.
Add your homeserver address https://matrix.example.com while logging in. Use the credentials you created in step 6. Create a secure backup for your encrypted messages and data using a security key or a phrase after logging in.
If you want to host your instance of Element web client, follow the instructions below.
10. Install Element
Install JSON text processor.
$ sudo apt install jqCreate a public directory for Element.
$ sudo mkdir -p /var/www/elementSwitch to the directory.
$ cd /var/www/elementGrab the latest version of Element from its GitHub releases page.
$ latest="$(curl -s https://api.github.com/repos/vector-im/element-web/releases/latest | jq -r .tag_name)"Download Element.
$ sudo wget https://github.com/vector-im/element-web/releases/download/${latest}/element-${latest}.tar.gzExtract the archive.
$ sudo tar xf element-${latest}.tar.gzCreate another directory as a soft link.
$ sudo ln -s element-${latest} currentTo update Element in the future, run the following command to update the soft link after extracting the archive.
$ sudo ln -nfs element-${latest} current11. Configure Element
Switch to the current directory.
$ cd currentCreate the Element configuration file using the sample.
$ sudo cp config.sample.json config.jsonOpen the configuration file.
$ sudo nano config.jsonEdit the base_url and server_name attributes referencing your matrix subdomain and the base domain.
"m.homeserver": {
"base_url": "https://matrix.example.com",
"server_name": "matrix.element.com"
},Change the brand name if you want to customize the website title.
"brand": "My Example Chat",Edit the disable_guests variable to disallow Guests from using Element.
"disable_guests": true,Save the file by pressing Ctrl+X, then Y.
Generate an SSL certificate for the Element client.
$ sudo certbot certonly --nginx -d element.example.comCreate and open the file /etc/nginx/conf.d/element.conf for editing.
$ sudo nano /etc/nginx/conf.d/element.confPaste the following lines in it.
server {
listen 80;
listen [::]:80;
server_name element.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name element.example.com;
root /var/www/element/current;
index index.html;
access_log /var/log/nginx/element.access.log;
error_log /var/log/nginx/element.error.log;
add_header Referrer-Policy "strict-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# TLS configuration
ssl_certificate /etc/letsencrypt/live/element.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/element.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/element.example.com/chain.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
}Save the file by pressing Ctrl+X, then Y.
Verify the Nginx configuration file syntax.
$ sudo nginx -tRestart the Nginx server.
$ sudo systemctl restart nginxYou can access Element via the URL https://element.example.com.
Conclusion
Following this guide, you have installed a Matrix Synapse server and an Element client on a Ubuntu 22.04 server. For more information, check out the following resources.