Configuring Matrix and Riot for Private Chat
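## Server ##
# NOTE(review): this file carries three secrets (database password, TURN shared
# secret, registration shared secret). Keep it mode 0600, owned by the user
# Synapse runs as, and never commit it with real values.

# When running as a daemon, the file to store the pid in
pid_file: "/var/run/matrix-synapse.pid"

# Public URL that clients and other homeservers use. Must match the nginx
# matrix.example.com server block that terminates TLS and proxies to :8008.
public_baseurl: https://matrix.example.com/

# This is a private server: do not publish the room directory to anonymous
# clients or to other homeservers. (Original gist had both set to true.)
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false

# Optional: restrict federation to a fixed set of homeservers. Left commented
# here, which means open federation.
#federation_domain_whitelist:
#  - lon.example.com
#  - nyc.example.com
#  - syd.example.com

# SSRF guard for outbound federation requests: never connect to loopback,
# "this host" (0.0.0.0/8), RFC1918, CGNAT, link-local (cloud metadata lives
# at 169.254.169.254), multicast or IPv6 local space. fe80::/10 is the full
# IPv6 link-local range; the original /64 only covered part of it.
# NOTE(review): whether IPv4-mapped IPv6 (::ffff:a.b.c.d) is caught depends
# on the Synapse version — verify with a preview of http://[::ffff:127.0.0.1]/
federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '0.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - 'fec0::/10'
  - 'ff00::/8'

# Plain HTTP on loopback only; nginx terminates TLS and sets X-Forwarded-For,
# which x_forwarded tells Synapse to trust for the client IP. Do not bind this
# listener to a public address and do not add a tls: true listener here.
listeners:
  - port: 8008
    tls: false
    bind_addresses: ['::1', '127.0.0.1']
    type: http
    x_forwarded: true
    resources:
      - names: [client, federation]
        compress: false

## Homeserver blocking ##
admin_contact: 'mailto:your-email@example.com'
mau_stats_only: true

# ACME is inert in this deployment: TLS is terminated by nginx and the only
# listener is plain HTTP. Kept for parity with the original.
acme:
  account_key_file: /var/lib/matrix-synapse/acme_account.key

## Database ##
database:
  name: psycopg2
  args:
    user: synapse_user
    password: synapse_user-password-for-pgsql-created-earlier
    database: synapse
    host: localhost
    cp_min: 5
    cp_max: 10

## Logging ##
log_config: "/etc/matrix-synapse/log.yaml"

## Ratelimiting ##
# Directory where in-progress uploads are stored.
uploads_path: "/var/lib/matrix-synapse/uploads"
# The largest allowed upload size in bytes. nginx's client_max_body_size on
# matrix.example.com must be at least this large or uploads die at the proxy.
#max_upload_size: 10M
# Maximum number of pixels that will be thumbnailed
#max_image_pixels: 32M

# URL previews make the homeserver fetch arbitrary URLs on behalf of users.
# The IP blacklist below is the SSRF guard for that fetch; keep it identical
# to federation_ip_range_blacklist above.
url_preview_enabled: true
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '0.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '224.0.0.0/4'
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - 'fec0::/10'
  - 'ff00::/8'
url_preview_url_blacklist:
  # blacklist any URL with a username in its URI
  - username: '*'
  # blacklist all *.google.com URLs
  - netloc: 'google.com'
  - netloc: '*.google.com'
  # blacklist any URL with a literal IPv4 address
  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
max_spider_size: 10M

## TURN ##
# Synapse hands these to clients verbatim, so they must be complete TURN URIs
# (scheme, host, port, transport). The original bare hostname
# "turn.example.com" is not a TURN URI and WebRTC clients cannot use it.
# Ports match listening-port / tls-listening-port in turnserver.conf.
turn_uris:
  - "turn:turn.example.com:3478?transport=udp"
  - "turn:turn.example.com:3478?transport=tcp"
  - "turns:turn.example.com:5349?transport=tcp"
# Must equal static-auth-secret in turnserver.conf.
turn_shared_secret: "secure-password-for-turn-server"
#turn_user_lifetime: 1h

## Registration ##
# Private server: keep self-service registration off (original: true).
# Create accounts with
#   register_new_matrix_user -c homeserver.yaml https://matrix.example.com
# which authenticates with registration_shared_secret and works regardless
# of this flag.
enable_registration: false
registration_shared_secret: enter-a-secure-secret-for-user-registration-script-to-work
trusted_third_party_id_servers:
  - vector.im
auto_join_rooms:
  - "#general:example.com"
autocreate_auto_join_rooms: true

## Metrics ##
# Only takes effect if a listener exposes the `metrics` resource; none does
# in this file. If one is added, bind it to loopback — the endpoint is
# unauthenticated.
enable_metrics: true

## Signing Keys ##
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"

password_config:

email:
  enable_notifs: true
  smtp_host: "localhost"
  smtp_port: 25 # SSL: 465, STARTTLS: 587
  # smtp_user: "exampleusername"
  # smtp_pass: "examplepassword"
  # require_transport_security: False
  notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
  app_name: Matrix
  notif_for_new_users: True
  # Links in notification and password-reset mails point here. Use https so a
  # reset token is never sent over plain HTTP before nginx's 301 (original
  # used http://).
  riot_base_url: "https://chat.example.com"
  trust_identity_server_for_password_resets: false
  validation_token_lifetime: 1h
  template_dir: /opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/res/templates/
  notif_template_html: notif_mail.html
  notif_template_text: notif_mail.txt
  expiry_template_html: notice_expiry.html
  expiry_template_text: notice_expiry.txt
  password_reset_template_html: password_reset.html
  password_reset_template_text: password_reset.txt
  password_reset_template_success_html: password_reset_success.html
  password_reset_template_failure_html: password_reset_failure.html

push:
  # Message bodies are included in push payloads, which go to the push
  # gateway the client registered (for Riot, a third-party service). Set to
  # false if that is not acceptable for a private server; clients then fetch
  # the content themselves.
  include_content: true

enable_group_creation: true

user_directory:
  enabled: true
  # search_all_users: false

stats:
  enabled: true
  bucket_size: 1d
  retention: 1y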
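# Riot web client: static files only. The homeserver lives on matrix.example.com.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name chat.example.com;

    root /var/www/html/riot;
    index index.html;

    # Commonly recommended for a Riot deployment: stop other origins from
    # framing the client and stop browsers MIME-sniffing its assets.
    # (Check the Riot/Element README for the current recommended set.)
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    location / {
        try_files $uri $uri/ =404;
    }

    # Fixed: the original path was "example.comfullchain.pem" (missing "/"),
    # which makes nginx fail to load the certificate for this host.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}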
# Redirect plain HTTP to HTTPS. With Cloudflare in front (and "Always Use HTTPS" enabled) this block is rarely reached, but it is harmless and keeps port 80 from ever serving content if that setting changes.
# Plain-HTTP side of chat.example.com: bounce to HTTPS, refuse anything else.
server {
    listen 80;
    listen [::]:80;
    server_name chat.example.com;

    # Requests that arrived for this host name get a permanent redirect.
    if ($host = chat.example.com) {
        return 301 https://$host$request_uri;
    }

    # Anything else is refused rather than served.
    return 404;
}
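# Apex domain: static site plus the Matrix .well-known delegation files.
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name example.com
                www.example.com;

    root /var/www/html;
    index index.html;

    # /.well-known/matrix/{client,server} are static JSON files in the docroot.
    # The spec requires "Access-Control-Allow-Origin: *" on /client so Riot
    # Web can read it cross-origin.
    location /.well-known/matrix/ {
        # default_type, not add_header: nginx's add_header does not replace
        # its own Content-Type, it emits a second one.
        default_type application/json;
        add_header 'Access-Control-Allow-Origin' '*';
        # The following settings are Optional
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        # autoindex removed: no client needs a listing of .well-known/matrix/
        # and it only advertises what else is in the directory.
    }

    # Matrix traffic that lands on the apex is sent to the homeserver host.
    location /_matrix {
        return 301 https://matrix.example.com$request_uri;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}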
# Plain-HTTP catch-all (default_server): redirect the two known host names
# to HTTPS and refuse everything else, including raw-IP requests.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com
                www.example.com
                _;

    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    }

    return 404; # managed by Certbot
}
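# Reverse proxy for Synapse, which listens on plain HTTP at loopback:8008
# (see `listeners` in homeserver.yaml).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name matrix.example.com;

    gzip off;

    # nginx defaults to 1M; must be >= Synapse's max_upload_size (10M default)
    # or media uploads fail at the proxy with 413.
    client_max_body_size 10M;

    # Admin API: token-authenticated, but keep it off the public Internet
    # anyway. Only loopback may reach it, so run admin tooling on the host.
    # NOTE(review): older Synapse versions also expose admin routes under
    # /_matrix/client/r0/admin, which this does not cover.
    location /_synapse/admin {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://localhost:8008;
        # NOTE(review): the firewall only admits Cloudflare, so $remote_addr
        # is a Cloudflare edge address. If Synapse rate limiting or logs need
        # the real client IP, use ngx_http_realip_module with the Cloudflare
        # ranges and the CF-Connecting-IP header.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}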
# Plain-HTTP side of matrix.example.com: redirect to HTTPS, refuse the rest.
server {
    listen 80;
    listen [::]:80;
    server_name matrix.example.com;

    if ($host = matrix.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}
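# DigitalOcean API token. Supply it via TF_VAR_do_token or a *.tfvars file
# kept out of version control; it deliberately has no default.
variable "do_token" {
  type        = string
  description = "DigitalOcean API token (secret; never set a default)"
}

# Cloudflare edge ranges: only these may reach 80/443/8443 on the droplet.
# This is a static copy, so compare it with https://www.cloudflare.com/ips/
# before applying: a range Cloudflare added later would be blocked, and a
# range they retired stays whitelisted.
variable "cf_addresses" {
  type        = list(string)
  description = "Cloudflare IPv4/IPv6 edge ranges allowed to reach the web ports"
  default = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32"]
}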
# DigitalOcean provider; the API token comes only from the do_token variable.
provider "digitalocean" {
token = var.do_token
}
# Tags bind droplets to the firewalls below: a firewall applies to every
# droplet carrying its tag, so attaching/removing a tag is how a host is
# opted into a rule set.
# Web ports, Cloudflare sources only.
resource "digitalocean_tag" "inbound-cloudflare" {
name = "inbound-cloudflare"
}
# SSH.
resource "digitalocean_tag" "inbound-ssh" {
name = "inbound-ssh"
}
# coturn listening ports.
resource "digitalocean_tag" "inbound-turn" {
name = "inbound-turn"
}
# Unrestricted egress.
resource "digitalocean_tag" "outbound-all" {
name = "outbound-all"
}
# Web ports, reachable only from Cloudflare's edge ranges (var.cf_addresses).
# Port 80 is only used by the edge if the zone's origin SSL mode is not
# "Full (strict)" — that setting is not visible here, so verify it. Port 8443
# is opened too, but no nginx server block in this gist listens on it; drop
# it unless a listener is added.
resource "digitalocean_firewall" "inbound-cloudflare" {
  name = "inbound-cloudflare"
  tags = ["inbound-cloudflare"]

  # HTTP/s from CF only: one identical TCP rule per port.
  dynamic "inbound_rule" {
    for_each = toset(["80", "443", "8443"])
    content {
      protocol         = "tcp"
      port_range       = inbound_rule.value
      source_addresses = var.cf_addresses
    }
  }
}
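# Networks allowed to reach SSH. No default on purpose: the original rule was
# open to 0.0.0.0/0 and ::/0, which on a private chat host is the first thing
# to tighten. Supply e.g. ["203.0.113.4/32"] via tfvars or TF_VAR_ssh_allowed_cidrs.
variable "ssh_allowed_cidrs" {
  type        = list(string)
  description = "CIDRs permitted to connect to TCP/22"
}

resource "digitalocean_firewall" "inbound-ssh" {
  name = "inbound-ssh"
  tags = ["inbound-ssh"]

  # SSH access, restricted to admin networks. This only shrinks who can reach
  # the port; key-only authentication on the host is still assumed.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = var.ssh_allowed_cidrs
  }
}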
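# coturn. The listening ports must stay world-reachable (callers are on
# arbitrary networks); the relay authenticates with the shared secret and
# turnserver.conf's denied-peer-ip list bounds where it will relay to.
resource "digitalocean_firewall" "inbound-turn" {
  name = "inbound-turn"
  tags = ["inbound-turn"]

  # TURN server: STUN/TURN on 3478, TURNS on 5349, both transports.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "3478"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  inbound_rule {
    protocol         = "udp"
    port_range       = "3478"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  inbound_rule {
    protocol         = "tcp"
    port_range       = "5349"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  inbound_rule {
    protocol         = "udp"
    port_range       = "5349"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Relay ports. turnserver.conf sets no min-port/max-port, so coturn uses
  # its default 49152-65535 UDP range; without this rule allocations succeed
  # but no media ever flows through the relay.
  inbound_rule {
    protocol         = "udp"
    port_range       = "49152-65535"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
}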
# Unrestricted egress: every TCP and UDP port plus ICMP, to any address.
resource "digitalocean_firewall" "outbound-all" {
  name = "outbound-all"
  tags = ["outbound-all"]

  # Outbound to everything: one full-range rule per transport.
  dynamic "outbound_rule" {
    for_each = toset(["tcp", "udp"])
    content {
      protocol              = outbound_rule.value
      port_range            = "1-65535"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    }
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}
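# coturn (turnserver.conf) for Matrix VoIP relaying.
listening-port=3478
tls-listening-port=5349

# Placeholders: replace with the droplet's public IPv6, public IPv4 and its
# private/anchor IPv4 address respectively.
listening-ip=IPv6
listening-ip=IPv4
listening-ip=IPv4local-address

# Time-limited credentials derived from a shared secret (TURN REST API).
# static-auth-secret must equal turn_shared_secret in homeserver.yaml;
# replace the placeholder with a long random value.
use-auth-secret
static-auth-secret=<generated password>
server-name=turn.example.com
realm=turn.example.com

# Cap relayed streams per user and in total so one account cannot turn the
# relay into a bandwidth amplifier.
user-quota=12
total-quota=1200
no-tcp-relay

# NOTE(review): certbot leaves these files root-only while coturn drops
# privileges; copy them via a deploy hook or adjust permissions and confirm
# coturn can open them, otherwise TURNS on 5349 fails without much noise.
cert=/etc/letsencrypt/live/example.com/fullchain.pem
pkey=/etc/letsencrypt/live/example.com/privkey.pem
dh-file=/etc/letsencrypt/ssl-dhparams.pem

# Never relay into "this host", RFC1918, CGNAT, loopback, link-local (cloud
# metadata at 169.254.169.254), multicast/reserved or IPv6 local space. The
# original only denied the three RFC1918 blocks; an open relay into the
# provider network is otherwise a pivot point.
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=224.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

# The server's own local address is deliberately re-allowed (allowed-peer-ip
# takes precedence over denied-peer-ip in coturn) so client->TURN->TURN->client
# flows between two relayed callers work. Placeholder, same value as above.
allowed-peer-ip=IPv4local-address

# Disable the telnet admin CLI; it defaults to loopback:5766 but is unneeded.
no-cli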