Run a Matrix homeserver on OpenBSD with PostgreSQL server. This documents installing either:
- Synapse the Matrix reference homeserver written in python
- Dendrite the Matrix second-generation Matrix homeserver written in Go
Note:
- Replace
server.chat
with your domain name in all config and commands. - PostgreSQL is remote to the dendrite server.
- You will need postgres:
- hostname
- username and password
- database name
- postgres
pg_hba.conf
configured for your server to connect
- You will need postgres:
pkg_add nginx certbot
Setup nginx with initial config nginx.initial.conf
in /etc/nginx/nginx.conf
Make directory for Lets Encrypt challenge:
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
Point you domain A record to the IP of the server.
Start nginx it will listen on port 80
:
rcctl start nginx
Test you can hit the server on http://server.chat/.well-known/acme-challenge/test.html and you will get a 200
.
$ echo "working" > /var/www/letsencrypt/.well-known/acme-challenge/test.html
$ curl -I http://server.chat/.well-known/acme-challenge/test.html
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Feb 2021 02:59:17 GMT
Content-Type: text/html
Content-Length: 8
Last-Modified: Mon, 01 Feb 2021 02:55:58 GMT
Connection: keep-alive
ETag: "60176dbe-8"
Accept-Ranges: bytes
Delete the test
rm /var/www/letsencrypt/.well-known/acme-challenge/test.html
Edit the base config in /etc/letsencrypt/cli.ini
rsa-key-size = 4096
email = webmaster@server.chat
text = True
authenticator = webroot
webroot-path = /var/www/letsencrypt
Request cert:
$ certbot certonly -d server.chat
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server.chat
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/server.chat/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/server.chat/privkey.pem
Your cert will expire on 2021-05-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Generate a dhparam file for NGINX:
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Setup nginx with full config nginx.full.conf
in /etc/nginx/nginx.conf
, pointing the following three files to the cert, key and dhparams you just generated:
ssl_certificate /etc/letsencrypt/live/server.chat/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.chat/privkey.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
Reload nginx:
rcctl reload nginx
Check the secured response
$ curl https://server.chat/.well-known/matrix/server
{ "m.server": "server.chat:443" }
Create user
adduser -group wheel -class daemon -batch matrix
From here you can install and configure: