My partner is going overseas and wanted to be able to make video calls to me back in Australia. Unfortunately, because I use F-Droid and don't have the Google Play Store on my phone[1], I don't have WhatsApp or Viber or Facebook Messenger or... But I recently came across Riot.im, a messaging app with the concept of rooms like IRC or Slack, and it can do one-to-one video calls.
So I decided to set up my own Matrix / Synapse server at home on Debian 8 Jessie.
I went with the packages rather than installing from source because I like the idea of an easy sudo apt-get update && sudo apt-get dist-upgrade to keep everything up to date.
Add the matrix-synapse signing key
wget https://matrix.org/packages/debian/repo-key.asc
sudo apt-key add repo-key.asc
rm repo-key.asc
Edit your sources.list
sudo vim /etc/apt/sources.list.d/synapse.list
add
deb http://matrix.org/packages/debian/ jessie main
deb-src http://matrix.org/packages/debian/ jessie main
Refresh your sources and install
sudo apt-get update
sudo apt-get install matrix-synapse
The installer asks you for a host name, and whether it can report anonymized statistics back home.
Configure
That's pretty much it; most of the defaults are OK, but I'd recommend reading through homeserver.yaml anyway.
sudo vim /etc/matrix-synapse/homeserver.yaml
I enabled registration, then removed it once I'd signed up (line 294).
# Enable registration for new users.
enable_registration: True
On this server I'm not using Let's Encrypt yet, so I copied my SSL certificates over the top of homeserver.tls.crt and homeserver.tls.key
And started the server.
sudo systemctl enable matrix-synapse.service
sudo systemctl start matrix-synapse.service
DNS Entry
I set up a DNS entry to tell federated servers what port to connect on. For me that was just entering an SRV record in DNS Made Easy.
The exact steps will be a little different depending on your DNS provider.
Apache2
Lastly I set up Apache to proxy /_matrix from port 443 to port 8008. Below is part of my Apache2 config from /etc/apache2/sites-enabled/000-default.conf, but the important bit is after # Matrix Synapse
<VirtualHost *:443>
    # Host settings
    ServerName hybr.id.au
    # SSL Settings
    SSLEngine on
    SSLOptions +StrictRequire
    SSLHonorCipherOrder on
    # Remove all, Add back only TLS1.2
    SSLProtocol -ALL +TLSv1.2
    # A fine selection of the choicest ciphers
    SSLCipherSuite -ALL:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    SSLCertificateFile /etc/ssl/custom/example.com.crt
    SSLCertificateChainFile /etc/ssl/custom/1_intermediate.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    Header always add Strict-Transport-Security "max-age=31536000"
    # HTTP Public Key Pinning (HPKP). Note that major browsers have since
    # dropped support for this header, and a stale pin can lock clients out.
    Header always set Public-Key-Pins "pin-sha256=\"f5uthPZ21VOlA6Bye2yvoe+6a/h9fKRK27SdFt43XHQ=\"; pin-sha256=\"ATwpV5xzLfkVs631iympx7q+JlvRePMgTcvFG7x3Eeo=\"; max-age=5184000; includeSubDomains"
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ################################################################################
    # Matrix Synapse
    ################################################################################
    # Only /_matrix is forwarded; Synapse itself listens on loopback port 8008
    ProxyPass /_matrix http://127.0.0.1:8008/_matrix
    ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
</VirtualHost>
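As an added example (not from the original post), here is a small POSIX sh post-install audit for the two files edited above: it checks that enable_registration in homeserver.yaml was turned back off after signing up, and that every ProxyPass in the Apache vhost points at loopback rather than exposing the backend. It assumes the flat "key: value" layout shown above and takes the two file paths as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post or of Synapse/Apache.
# Usage: audit_synapse /etc/matrix-synapse/homeserver.yaml \
#                      /etc/apache2/sites-enabled/000-default.conf

# Print the lower-cased value of a top-level YAML key, comments stripped.
yaml_value() {   # $1 = file, $2 = key
    sed -n "s/^$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | head -n 1 | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# 0 when registration is closed (the state to leave the server in), 1 when open.
registration_closed() {   # $1 = homeserver.yaml
    case "$(yaml_value "$1" enable_registration)" in
        true|yes|on|1)
            echo "WARN: enable_registration is on; anyone can create accounts" >&2
            return 1 ;;
        *)  return 0 ;;
    esac
}

# 0 when every ProxyPass target host is 127.0.0.1 or localhost, 1 otherwise.
# The trailing [[:space:]] after ProxyPass keeps ProxyPassReverse out of the match.
proxy_targets_loopback() {   # $1 = Apache vhost file
    bad=$(sed -n 's/^[[:space:]]*ProxyPass[[:space:]][[:space:]]*[^[:space:]][^[:space:]]*[[:space:]][[:space:]]*http:\/\/\([^/:]*\).*/\1/p' "$1" \
          | grep -v -e '^127\.0\.0\.1$' -e '^localhost$' || true)
    if [ -n "$bad" ]; then
        echo "WARN: ProxyPass to non-loopback backend: $bad" >&2
        return 1
    fi
    return 0
}

# Run both checks; non-zero exit if either fails.
audit_synapse() {   # $1 = homeserver.yaml, $2 = Apache vhost file
    rc=0
    registration_closed "$1" || rc=1
    proxy_targets_loopback "$2" || rc=1
    return $rc
}
```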
Then you can go to https://riot.im/app/#/register, pick the custom server radio button, and away you go.
[1] I've said it before: as this is a security blog I should point out that I use F-Droid and CyanogenMod for Open Source philosophical reasons and not for security reasons. If you want a secure Android phone, get a modern Nexus phone or the Google Pixel and stick on the stock ROM with all the Google updates.