docker-compose for Matrix+Synapse+Element+SynapseAdmin using Traefik Reverse Proxy autoconfiguration, with let's encrypt, HSTS, and fail2ban.
This stack will deploy everything necessary to get a working Matrix installation.
Your installation will have:
- Synapse server
- Element web access
- Synapse-admin
- Redis
- Fail2ban
- Emails
- Federation
- Automatic update
- Password complexity requirements
The information provided here uses example.com as an example. You need to have your own domain name and a docker server, preferably with Portainer installed.
In your DNS server, create entries for:
- "A" entry for:
matrix.example.com
- "A" entry for:
element.example.com
- "SRV" entry for:
_matrix._tcp.matrix
0 443 matrix.example.com
You'll need to ajust with your own domain name and wanted subdomain.
See https://github.com/NOP4/Docker-Traefik-Reverse-Proxy for Traefik deployment.
Then add the following line in the "command" section of your Traefik docker-compose stack:
- "--entrypoints.matrixfederation.address=:8448"
Restart the Traefik stack.
Port 8448 is used for Feredaction, we need to allow it in our firewall rules:
ufw allow 8443
In this example, we will create users and groups starting at 900. Adapt to your liking the names, UID and GID.
addgroup docker_example_matrix --gid 900
adduser docker_example_matrix --uid 900 --gid 900 --shell /dev/null --no-create-home --disabled-login
addgroup docker_example_element --gid 901
adduser docker_example_element --uid 901 --gid 901 --shell /dev/null --no-create-home --disabled-login
addgroup docker_example_element_admin --gid 902
adduser docker_example_element_admin --uid 902 --gid 902 --shell /dev/null --no-create-home --disabled-login
Use the provided docker-compose.yml file.
This file assumes you deploy:
- Synapse server at: matrix.example.com
- Element server at: element.matrix.com
- Synapse Admin at: matrix.example.com/synapseadmin
You will need to change a few items:
POSTGRES_PASSWORD=STRONG-PASSWORD
set your own strong passwordSYNAPSE_SERVER_NAME=matrix.example.com
change to your own domain name- change all
matrix.example.com
to your domain name - change all
element.exaple.com
to your domain name - change all
example.com
to match your domain name - change all
*.example.com
to match your domain name - adapt traefik labels changing
example
to your domain name (optional) - change
MY-ADMIN-IP-ADDRESS/32
to the IP address from which you can access the admin interface - adapt user and groups according to what you created on previous step
Deploy the stack then stop it when the config files and database entries are created.
Edit the docker-compose.yml and comment or remove line command: "generate"
Modify the synapse config.json
and element homeserver.yaml
files to look similar to the two provided examples.
In Synapse config.json
you'll have to:
- check your server name and URL.
In Element homeserver.yaml
you'll have to:
- check server name and URL
- change database to psycopg2 instead of sqlite
- set registration random shared secret
- set email SMTP server settings
- set password pepper random string
- ajust password policy as required
In examples provided, your Element web page will be force to only serve your domain (that's preferable), and the public registration is disabled. This can be easily changed in the config files.
Redeploy stack. You can delete the sqlite database file.
Check with Matrix federation tester that the federation is working fine: https://federationtester.matrix.org
In your portainer GUI, start the command line for your synapse server and execute this command to create an admin user. Make it admin when prompted. All other users will be created using the synapseadmin URL.
register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
Connect to your server admin URL: https://matrix.example.com/synapseadmin
Login with your admin user and create your end user accounts. Don't forget to add their email address.
You can create the accounts with random passwords, as the users will be able to use the "forgot password" option to set their own.
They should receive a welcome email.
Deploy a watchtower stack for automatic update. It as as simple as deploying this stack:
version: '3'
services:
watchtower:
image: containrrr/watchtower
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /etc/timezone:/etc/timezone:ro
environment:
- WATCHTOWER_CLEANUP=true
- WATCHTOWER_LABEL_ENABLE=true
- WATCHTOWER_INCLUDE_RESTARTING=true
labels:
- "com.centurylinklabs.watchtower.enable=true"
If not alredy installed on your server, install fail2ban.
apt install fail2ban
Copy the provided files in your /etc/fail2ban/ folders, you'll need to edit them to adapt path to your matrix path logfiles.
Activate and start fail2ban:
systemctl enable fail2ban
systemctl start fail2ban
Get the status of your filtering:
fail2ban-client status example-matrix-synapse
Test some bad passwords to check the filtering is working fine. Then unban the IP with:
fail2ban-client set example-matrix-synapse unbanip IP-TO-UNBAN