1. Setup jail(s)

First, we'll assume there's already a jail running the webserver nginx, which we'll use as reverse proxy for Matrix. We'll assume you have PostgreSQL already running in another jail, too.

We'll fire up another jail for our matrix service. With bastille it's nothing more than:

bastille create matrix 13.0-RELEASE 192.168.1.220 bastille0

and then log in to it:

bastille console matrix

2. install matrix-synapse

2.1 if you've got your (host) ports mounted into the jail, a

cd /usr/ports/net-im/py-matrix-synapse/ && make install clean

will do it. I'll describe how to mount the ports tree into the jail in another article.

2.2 get the ports, either via portsnap fetch or via git clone, and proceed as in 2.1.

3. setup matrix

3.1 prepare database

log into your database jail:

bastille console db

and create a user and a database:

su - postgres                        # switch to your postgres user
createuser --pwprompt synapse_user   # create a user for synapse
psql                                 # log into your db and create a database for synapse

    CREATE DATABASE synapse
     ENCODING 'UTF8'
     LC_COLLATE='C'
     LC_CTYPE='C'
     template=template0
     OWNER synapse_user;
    

    (From the official documentation: “Note that the PostgreSQL database must have the correct encoding set (as shown above), otherwise it will not be able to store UTF8 strings.”)

enable the password-secured connection between the database and the matrix server/jail: add the following line, adjusted to your settings, to your pg_hba.conf (and reload PostgreSQL afterwards):

host synapse synapse_user 192.168.1.220/32 md5 # the IP of the matrix jail, which Synapse connects from; use `scram-sha-256` instead of `md5` if that is your password_encryption setting

Note that the address needs a CIDR mask (here /32 for a single host), and that it is the matrix jail's address, not the webserver's: it is Synapse that opens the database connection. This line should go before the line

host all all ::1/128 ident

because order matters for pg_hba.conf: PostgreSQL uses the first entry that matches the incoming connection and never looks further.
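To see why the order of pg_hba.conf entries matters, here is an added example (not from the original article): a small Python matcher that applies PostgreSQL's first-match rule to a constructed pg_hba.conf laid out like the one above. It assumes CIDR addresses only (no host names, samehost or samenet) and the plain `all` keyword for database and user.

```python
import ipaddress
# Constructed sample pg_hba.conf (not the article's file), laid out as the
# text recommends: the synapse rule comes before the broader default rules.
PG_HBA = """\
# TYPE  DATABASE  USER          ADDRESS           METHOD
local   all       all                             peer
host    synapse   synapse_user  192.168.1.220/32  scram-sha-256
host    all       all           127.0.0.1/32      md5
host    all       all           ::1/128           md5
host    all       all           0.0.0.0/0         reject
"""

def parse_pg_hba(text):
    """Parse the rules in file order, skipping comments and blank lines.
    Assumes CIDR addresses only (no host names, samehost or samenet)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":           # Unix-socket rule has no ADDRESS
            typ, db, user, method = fields[:4]
            addr = None
        else:
            typ, db, user, addr, method = fields[:5]
        rules.append({"type": typ, "db": db, "user": user,
                      "address": addr, "method": method})
    return rules

def first_match(rules, database, user, client_ip=None):
    """Return (rule index, auth method) of the first rule that matches, or
    None. PostgreSQL never looks past the first match, so a later, more
    specific rule is silently shadowed. client_ip=None means a socket."""
    for i, r in enumerate(rules):
        if client_ip is None:
            if r["type"] != "local":
                continue
        elif r["type"] not in ("host", "hostssl", "hostnossl"):
            continue
        elif ipaddress.ip_address(client_ip) not in ipaddress.ip_network(r["address"]):
            continue                       # also false for IPv4 vs IPv6 mismatch
        if r["db"] not in ("all", database) or r["user"] not in ("all", user):
            continue
        return i, r["method"]
    return None

if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    print(first_match(rules, "synapse", "synapse_user", "192.168.1.220"))
```

Moving the synapse rule below the catch-all reject line makes the same connection hit the reject rule first, which is the failure mode the ordering advice guards against.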

3.2 create and edit the synapse config file

3.3 setup reverse-proxy nginx

I've got a vdomains setup, so it's just a matter of adding another config file, matrix.conf. My matrix setup is just barebones like in the docs and probably can and should be tweaked.

server {
    listen 80;
    server_name matrix.example.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    # federation port:
    listen 8448 ssl http2 default_server;

    server_name matrix.example.net;
    root /usr/local/www/matrix;

    include       mime.types;
    default_type  application/octet-stream;
    access_log /dev/null;
    sendfile        on;
    keepalive_timeout  65;

    ssl_certificate /usr/local/etc/letsencrypt/live/matrix.example.net/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/matrix.example.net/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    location ~* ^(\/_matrix|\/_synapse\/client) {
        proxy_pass http://192.168.1.220:8008; # IP of your matrix server jail
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 100M;
    }
}

now tell the jail to forward the ports:

bastille rdr matrix tcp 8448 8448

bastille rdr web tcp 8008 8008