├── template
    ├── synapse
    │   ├── synapse.signing.key
    │   ├── synapse.log.config
    │   └── homeserver.yaml
    ├── postgresql
    │   └── env
    ├── containers
    │   ├── matrix.network
    │   ├── synapse.container
    │   ├── element-web.container
    │   ├── postgresql.container
    │   └── caddy.container
    ├── element-web
    │   ├── nginx.conf
    │   └── config.json
    └── caddy
    │   └── Caddyfile
├── .gitignore
├── secrets.example
├── config.bu
├── Makefile
├── LICENSE
└── README.md


/template/synapse/synapse.signing.key:
--------------------------------------------------------------------------------
1 | %%SYNAPSE_SIGNING_KEY%%
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /secrets
2 | 
3 | /config.tmp
4 | /config*.ign
5 | 
6 | /generated
7 | 


--------------------------------------------------------------------------------
/template/postgresql/env:
--------------------------------------------------------------------------------
1 | POSTGRES_PASSWORD=%%POSTGRES_PASSWORD%%
2 | POSTGRES_USER=synapse
3 | POSTGRES_DB=synapse
4 | POSTGRES_INITDB_ARGS=--encoding='UTF8' --lc-collate='C' --lc-ctype='C'
5 | 


--------------------------------------------------------------------------------
/template/containers/matrix.network:
--------------------------------------------------------------------------------
1 | [Network]
2 | DisableDNS=false
3 | Internal=false
4 | 
5 | # Manual subnet to avoid issues with DNS resolution
6 | Subnet=10.89.1.0/24
7 | Gateway=10.89.1.1
8 | 


--------------------------------------------------------------------------------
/secrets.example:
--------------------------------------------------------------------------------
 1 | SSH_PUBKEY="ssh-rsa AAAA..."
 2 | POSTGRES_PASSWORD=a_passpharse_for_my_database
 3 | DOMAIN_NAME=my.matrix.domain
 4 | EMAIL=root@example.com
 5 | SYNAPSE_REGISTRATION_SHARED_SECRET=a_very_long_string_generated_by_synapse
 6 | SYNAPSE_MACAROON_SECRET_KEY=a_very_long_string_generated_by_synapse
 7 | SYNAPSE_FORM_SECRET=a_very_long_string_generated_by_synapse
 8 | SYNAPSE_SIGNING_KEY=a_key_generated_by_synapse
 9 | SYNAPSE_REGISTRATION=false
10 | 


--------------------------------------------------------------------------------
/template/containers/synapse.container:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Synapse (Matrix homeserver)
 3 | Wants=network-online.target
 4 | After=network-online.target
 5 | 
 6 | [Container]
 7 | ContainerName=synapse
 8 | NoNewPrivileges=true
 9 | Image=docker.io/matrixdotorg/synapse:latest
10 | ReadOnly=true
11 | Volume=/var/srv/matrix/synapse:/data:z
12 | AutoUpdate=registry
13 | Network=matrix.network
14 | IP=10.89.1.20
15 | 
16 | [Service]
17 | Restart=on-failure
18 | TimeoutStartSec=900
19 | 
20 | [Install]
21 | WantedBy=default.target
22 | 


--------------------------------------------------------------------------------
/template/synapse/synapse.log.config:
--------------------------------------------------------------------------------
 1 | version: 1
 2 | 
 3 | formatters:
 4 |   precise:
 5 |    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
 6 | 
 7 | handlers:
 8 |   console:
 9 |     class: logging.StreamHandler
10 |     formatter: precise
11 | 
12 | loggers:
13 |     synapse.storage.SQL:
14 |         # beware: increasing this to DEBUG will make synapse log sensitive
15 |         # information such as access tokens.
16 |         level: INFO
17 | 
18 | root:
19 |     level: INFO
20 |     handlers: [console]
21 | 
22 | disable_existing_loggers: false


--------------------------------------------------------------------------------
/template/containers/element-web.container:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Element (Matrix web client)
 3 | Wants=network-online.target
 4 | After=network-online.target
 5 | 
 6 | [Container]
 7 | ContainerName=element-web
 8 | NoNewPrivileges=true
 9 | Image=docker.io/vectorim/element-web:latest
10 | Volume=/var/srv/matrix/element-web/nginx.conf:/etc/nginx/nginx.conf:ro,z
11 | Volume=/var/srv/matrix/element-web/config.json:/app/config.json:ro,z
12 | AutoUpdate=registry
13 | Network=matrix.network
14 | IP=10.89.1.40
15 | 
16 | [Service]
17 | Restart=on-failure
18 | TimeoutStartSec=900
19 | 
20 | [Install]
21 | WantedBy=default.target
22 | 


--------------------------------------------------------------------------------
/template/containers/postgresql.container:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=PostgreSQL
 3 | Wants=network-online.target
 4 | After=network-online.target
 5 | 
 6 | [Container]
 7 | ContainerName=postgresql
 8 | NoNewPrivileges=true
 9 | Image=docker.io/library/postgres:15
10 | ReadOnly=true
11 | Tmpfs=/run
12 | Volume=/var/srv/matrix/postgresql/data:/var/lib/postgresql/data:z
13 | EnvironmentFile=/var/srv/matrix/postgresql/env
14 | Exec=-c listen_addresses='*'
15 | AutoUpdate=registry
16 | Network=matrix.network
17 | IP=10.89.1.30
18 | 
19 | [Service]
20 | Restart=on-failure
21 | TimeoutStartSec=900
22 | 
23 | [Install]
24 | WantedBy=default.target
25 | 


--------------------------------------------------------------------------------
/template/element-web/nginx.conf:
--------------------------------------------------------------------------------
 1 | user nginx;
 2 | 
 3 | worker_processes auto;
 4 | 
 5 | events {
 6 |     worker_connections 1024;
 7 | }
 8 | 
 9 | http {
10 |     include       /etc/nginx/mime.types;
11 |     default_type application/octet-stream;
12 | 
13 |     server_tokens off;
14 |     sendfile on;
15 |     tcp_nopush on;
16 |     reset_timedout_connection on;
17 |     charset utf-8;
18 |     types_hash_max_size 4096;
19 | 
20 |     server {
21 |         listen 8080 default_server;
22 |         listen [::]:8080 default_server;
23 | 
24 |         location / {
25 |             root /usr/share/nginx/html;
26 |         }
27 |     }
28 | }
29 | 


--------------------------------------------------------------------------------
/template/containers/caddy.container:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Caddy web server
 3 | Wants=network-online.target
 4 | After=network-online.target
 5 | 
 6 | [Container]
 7 | ContainerName=caddy
 8 | NoNewPrivileges=true
 9 | Image=docker.io/library/caddy:2
10 | PublishPort=80:80/tcp
11 | PublishPort=443:443/tcp
12 | PublishPort=443:443/udp
13 | PublishPort=8448:8448/tcp
14 | ReadOnly=true
15 | Volume=/var/srv/matrix/caddy/config:/config:z
16 | Volume=/var/srv/matrix/caddy/data:/data:z
17 | Volume=/var/srv/matrix/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,z
18 | AutoUpdate=registry
19 | Network=matrix.network
20 | IP=10.89.1.10
21 | 
22 | [Service]
23 | Restart=on-failure
24 | TimeoutStartSec=900
25 | 
26 | [Install]
27 | WantedBy=default.target
28 | 


--------------------------------------------------------------------------------
/config.bu:
--------------------------------------------------------------------------------
 1 | variant: fcos
 2 | version: 1.5.0
 3 | passwd:
 4 |   users:
 5 |     - name: core
 6 |       ssh_authorized_keys:
 7 |         - %%SSH_PUBKEY%%
 8 | storage:
 9 |   directories:
10 |     - path: /var/srv/matrix
11 |       mode: 0700
12 |     - path: /var/srv/matrix/synapse/media_store
13 |       mode: 0777
14 |     - path: /var/srv/matrix/caddy/config
15 |     - path: /var/srv/matrix/caddy/data
16 |     - path: /var/srv/matrix/postgresql/data
17 |   trees:
18 |     - local: containers
19 |       path: /etc/containers/systemd
20 |     - local: caddy
21 |       path: /var/srv/matrix/caddy
22 |     - local: synapse
23 |       path: /var/srv/matrix/synapse
24 |     - local: element-web
25 |       path: /var/srv/matrix/element-web
26 |     - local: postgresql
27 |       path: /var/srv/matrix/postgresql
28 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: all
 2 | 
 3 | include secrets
 4 | 
 5 | all:
 6 | 	rm -rf ./config.tmp
 7 | 	cp -a template config.tmp
 8 | 	find config.tmp/ -type f -print0 | xargs -0 sed -i 's/%%DOMAIN_NAME%%/${DOMAIN_NAME}/g'
 9 | 	find config.tmp/ -type f -print0 | xargs -0 sed -i 's/%%EMAIL%%/${EMAIL}/'
10 | 	find config.tmp/ -type f -print0 | xargs -0 sed -i 's/%%POSTGRES_PASSWORD%%/${POSTGRES_PASSWORD}/'
11 | 	find config.tmp/ -type f -print0 | xargs -0 sed -i 's/%%SYNAPSE_REGISTRATION_SHARED_SECRET%%/${SYNAPSE_REGISTRATION_SHARED_SECRET}/'
12 | 	find config.tmp/ -type f -print0 | xargs -0 sed -i 's/%%SYNAPSE_MACAROON_SECRET_KEY%%/${SYNAPSE_MACAROON_SECRET_KEY}/'
13 | 	find config.tmp/ -type f -print0 | xargs -0 sed -i 's/%%SYNAPSE_FORM_SECRET%%/${SYNAPSE_FORM_SECRET}/'
14 | 	find config.tmp/ -type f -print0 | xargs -0 sed -i 's/%%SYNAPSE_REGISTRATION%%/${SYNAPSE_REGISTRATION}/'
15 | 	echo ${SYNAPSE_SIGNING_KEY} > config.tmp/synapse/synapse.signing.key
16 | 	sed 's|%%SSH_PUBKEY%%|${SSH_PUBKEY}|' config.bu | butane --files-dir config.tmp --strict --output config.ign
17 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License 
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining a copy
 4 | of this software and associated documentation files (the "Software"), to deal
 5 | in the Software without restriction, including without limitation the rights
 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 7 | copies of the Software, and to permit persons to whom the Software is furnished
 8 | to do so, subject to the following conditions:
 9 | 
10 | The above copyright notice and this permission notice (including the next
11 | paragraph) shall be included in all copies or substantial portions of the
12 | Software.
13 | 
14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
17 | OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
18 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
19 | OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20 | 


--------------------------------------------------------------------------------
/template/element-web/config.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "default_server_config": {
 3 |         "m.homeserver": {
 4 |             "base_url": "https://matrix.%%DOMAIN_NAME%%",
 5 |             "server_name": "%%DOMAIN_NAME%%"
 6 |         },
 7 |         "m.identity_server": {
 8 |             "base_url": "https://vector.im"
 9 |         }
10 |     },
11 |     "disable_guests": true,
12 |     "brand": "Element",
13 |     "integrations_ui_url": "https://scalar.vector.im/",
14 |     "integrations_rest_url": "https://scalar.vector.im/api",
15 |     "integrations_widgets_urls": [
16 |         "https://scalar.vector.im/_matrix/integrations/v1",
17 |         "https://scalar.vector.im/api",
18 |         "https://scalar-staging.vector.im/_matrix/integrations/v1",
19 |         "https://scalar-staging.vector.im/api",
20 |         "https://scalar-staging.riot.im/scalar/api"
21 |     ],
22 |     "showLabsSettings": true,
23 |     "default_federate": true,
24 |     "default_theme": "light",
25 |     "roomDirectory": {
26 |         "servers": [
27 |             "matrix.org",
28 |             "gitter.im"
29 |         ]
30 |     },
31 |     "enable_presence_by_hs_url": {
32 |         "https://matrix.org": false,
33 |         "https://matrix-client.matrix.org": false
34 |     }
35 | }
36 | 


--------------------------------------------------------------------------------
/template/caddy/Caddyfile:
--------------------------------------------------------------------------------
 1 | {
 2 | 	# Only renew certificates once a week
 3 | 	renew_interval 7d
 4 | 	# Disable admin interface
 5 | 	admin off
 6 | 	# Only use the explicitly provided config
 7 | 	persist_config off
 8 | 	# Set email for Let's Encrypt
 9 | 	email %%EMAIL%%
10 | 	# Use the staging endpoint to get certificates by default
11 | 	# Remove once ready to go to production
12 | 	acme_ca "https://acme-staging-v02.api.letsencrypt.org/directory"
13 | 	# Only use certificates from Let's Encrypt by default
14 | 	cert_issuer acme
15 | }
16 | 
17 | %%DOMAIN_NAME%% {
18 | 	respond /.well-known/matrix/server <<JSON
19 | 	  {
20 | 	    "m.server": "matrix.%%DOMAIN_NAME%%"
21 | 	  }
22 | 	  JSON 200
23 | 	respond /.well-known/matrix/client <<JSON
24 | 	  {
25 | 	    "m.homeserver": {
26 | 	      "base_url": "https://matrix.%%DOMAIN_NAME%%"
27 | 	    },
28 | 	    "m.identity_server": {
29 | 	      "base_url": "https://vector.im"
30 | 	    }
31 | 	  }
32 | 	  JSON 200
33 | }
34 | 
35 | chat.%%DOMAIN_NAME%% {
36 | 	reverse_proxy 10.89.1.40:8080
37 | }
38 | 
39 | https://matrix.%%DOMAIN_NAME%%:8448 {
40 | 	reverse_proxy /_matrix/* 10.89.1.20:8008
41 | }
42 | 
43 | matrix.%%DOMAIN_NAME%% {
44 | 	reverse_proxy /_matrix/* 10.89.1.20:8008
45 | 	reverse_proxy /_synapse/client/* 10.89.1.20:8008
46 | }
47 | 


--------------------------------------------------------------------------------
/template/synapse/homeserver.yaml:
--------------------------------------------------------------------------------
 1 | # Configuration file for Synapse.
 2 | #
 3 | # This is a YAML file: see [1] for a quick introduction. Note in particular
 4 | # that *indentation is important*: all the elements of a list or dictionary
 5 | # should have the same indentation.
 6 | #
 7 | # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
 8 | #
 9 | # For more information on how to configure Synapse, including a complete accounting of
10 | # each option, go to docs/usage/configuration/config_documentation.md or
11 | # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
12 | server_name: "%%DOMAIN_NAME%%"
13 | pid_file: /data/homeserver.pid
14 | listeners:
15 |   - port: 8008
16 |     tls: false
17 |     type: http
18 |     x_forwarded: true
19 |     resources:
20 |       - names: [client, federation]
21 |         compress: false
22 | database:
23 |   name: psycopg2
24 |   args:
25 |     user: synapse
26 |     password: %%POSTGRES_PASSWORD%%
27 |     database: synapse
28 |     host: 10.89.1.30
29 |     cp_min: 5
30 |     cp_max: 10
31 | log_config: "/data/synapse.log.config"
32 | media_store_path: "/data/media_store"
33 | registration_shared_secret: "%%SYNAPSE_REGISTRATION_SHARED_SECRET%%"
34 | report_stats: true
35 | macaroon_secret_key: "%%SYNAPSE_MACAROON_SECRET_KEY%%"
36 | form_secret: "%%SYNAPSE_FORM_SECRET%%"
37 | signing_key_path: "/data/synapse.signing.key"
38 | trusted_key_servers:
39 |   - server_name: "matrix.org"
40 | 
41 | enable_registration: %%SYNAPSE_REGISTRATION%%
42 | 
43 | web_client_location: https://chat.%%DOMAIN_NAME%%/
44 | public_baseurl: https://matrix.%%DOMAIN_NAME%%/
45 | 
46 | # vim:ft=yaml
47 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Butane config to host a Matrix homeserver on Fedora CoreOS
  2 | 
  3 | Example Butane config to host a Matrix homeserver on Fedora CoreOS. This will
  4 | setup:
  5 |   * nginx with Let's Encrypt for HTTPS support
  6 |   * Synapse with PostgreSQL and elements-web
  7 | 
  8 | For this setup, you need a domain name and two sub-domains:
  9 |   * example.tld
 10 |   * matrix.example.tld
 11 |   * chat.example.tld
 12 | 
 13 | For Let's Encrypt support, those domains must be configured beforehand to
 14 | resolve to the IP address that will be assigned to your server. If you do not
 15 | know what IP address will be assigned to your server in advance, you might want
 16 | to use another ACME challenge method to get Let's Encrypt certificates (see
 17 | [DNS Plugins][plugins]).
 18 | 
 19 | If you already have certificates from Let's Encrypt or another provider, see
 20 | the [in progress PR](https://github.com/travier/fedora-coreos-matrix/pull/10)
 21 | for an alternative with existing certificates.
 22 | 
 23 | ## How to use
 24 | 
 25 | To generate the Ignition configs, you need `make` and [Butane][butane]:
 26 | 
 27 | Then, you need to provide values for each variable in the secrets file:
 28 | 
 29 | ```
 30 | $ cp secrets.example secrets
 31 | $ ${EDITOR} secrets
 32 | # Fill in values not marked as generated by Synapse
 33 | ```
 34 | 
 35 | ### Configuring Synapse
 36 | 
 37 | The Synapse configuration requires to setup a few secrets, you can generate
 38 | these secret using the following command :
 39 | 
 40 | ```
 41 | $ source secrets
 42 | $ mkdir generated
 43 | $ podman run -it --rm -v $PWD/generated:/data:z \
 44 |       -e SYNAPSE_SERVER_NAME="${DOMAIN_NAME}" \
 45 |       -e SYNAPSE_REPORT_STATS=yes \
 46 |       docker.io/matrixdotorg/synapse:latest \
 47 |       generate
 48 | ```
 49 | This command will generate 3 files
 50 | 
 51 | - `generated/homeserver.yaml`
 52 | - `generated/my.matrix.host.log.config`
 53 | - `generated/my.matrix.host.signing.key`
 54 | 
 55 | #### Configuration
 56 | 
 57 | A template version of the generated `homeserver.yaml` is included in
 58 | `template/synapse/homeserver.yaml`.
 59 | 
 60 | First we want to replace the secrets with values that were generated for you by
 61 | Synapse.
 62 | Note that the generated secrets may contain characters which are currently not
 63 | handled well by the Makefile. Problematic characters include `&` and `#` and
 64 | possibly others. Always manually verify that the final config files contain
 65 | the correct secrets.
 66 | See [isssue #14](https://github.com/travier/fedora-coreos-matrix/issues/14)
 67 | for details.
 68 | 
 69 | In the `secrets` file, edit the following variables:
 70 | 
 71 | - `SYNAPSE_REGISTRATION_SHARED_SECRET`, with the content of
 72 |   `registration_shared_secret` in `homeserver.yaml`
 73 | - `SYNAPSE_MACAROON_SECRET_KEY`, with the content of `macaroon_secret_key` in
 74 |   `homeserver.yaml`
 75 | - `SYNAPSE_FORM_SECRET`, with the content of `form_secret` in `homeserver.yaml`
 76 | - `SYNAPSE_SIGNING_KEY`, with the content of `my.matrix.host.signing.key`
 77 | - `SYNAPSE_REGISTRATION`, whether or not to enable open registration
 78 | 
 79 | ```
 80 | SSH_PUBKEY="ssh-rsa AAAA..."
 81 | POSTGRES_PASSWORD=a_passpharse_for_my_database
 82 | DOMAIN_NAME=my.matrix.domain
 83 | EMAIL=root@example.com
 84 | SYNAPSE_REGISTRATION_SHARED_SECRET=a_very_long_string_generated_by_synapse
 85 | SYNAPSE_MACAROON_SECRET_KEY=a_very_long_string_generated_by_synapse
 86 | SYNAPSE_FORM_SECRET=a_very_long_string_generated_by_synapse
 87 | SYNAPSE_SIGNING_KEY=a_key_generated_by_synapse
 88 | SYNAPSE_REGISTRATION=false
 89 | ```
 90 | 
 91 | If you wish to change other Synapse settings you can edit directly
 92 | `template/synapse/homeserver.yaml` and `template/synapse/synapse.log.config` to
 93 | change the logging configuration.
 94 | 
 95 | ### System and container updates
 96 | 
 97 | By default, Fedora CoreOS systems are updated automatically to the latest
 98 | released update. This makes sure that the system is always on top of security
 99 | issues (and updated with the latest features) wthout any user interaction
100 | needed. The containers, as defined in the systemd units in the config, are
101 | updated on each service startup. They will thus be updated at least once after
102 | each system update as this will trigger a reboot approximately every two week.
103 | 
104 | To maximise availability, you can set an [update strategy][updates] in
105 | Zincati's configuration to only allow reboots for updates during certain
106 | periods of time.  For example, one might want to only allow reboots on week
107 | days, between 2 AM and 4 AM UTC, which is a timeframe where reboots should have
108 | the least user impact on the service. Make sure to pick the correct time for
109 | your timezone as Fedora CoreOS uses the UTC timezone by default.
110 | 
111 | See this example config that you can append to `config.bu`:
112 | 
113 | ```
114 | [updates]
115 | strategy = "periodic"
116 | 
117 | [[updates.periodic.window]]
118 | days = [ "Mon", "Tue", "Wed", "Thu", "Fri" ]
119 | start_time = "02:00"
120 | length_minutes = 120
121 | ```
122 | 
123 | ## Generate the ignition configuration
124 | 
125 | Finally, you can generate the final Ignition config with:
126 | 
127 | ```
128 | $ make
129 | ```
130 | 
131 | You are now ready to deploy your Fedora CoreOS Matrix home server.
132 | 
133 | ## Deploying
134 | 
135 | See the [Fedora CoreOS docs][deploy] for instructions on how to use this
136 | Ignition config to deploy a Fedora CoreOS instance on your prefered platform.
137 | 
138 | ## Registering new users
139 | 
140 | Registration is disabled by default for security and to avoid mistakes. If you
141 | want to create an instance with open registration, you can set the
142 | `SYNAPSE_REGISTRATION` value to `true` in your `secrets` file.
143 | 
144 | Otherwise, you can still add accounts to an instance by running the following
145 | command directly on the server:
146 | 
147 | ```
148 | $ sudo podman run --rm --tty --interactive \
149 |       --pod=matrix \
150 |       -v /var/srv/matrix/synapse:/data:z,ro \
151 |       --entrypoint register_new_matrix_user \
152 |       docker.io/matrixdotorg/synapse:latest \
153 |       -c /data/homeserver.yaml http://127.0.0.1:8008
154 | ```
155 | 
156 | ## PostgreSQL major version updates
157 | 
158 | Major PostgreSQL version updates require manual intervention to dump the
159 | database with the current version and then import it in the new version. We
160 | thus can not use the `latest` tag for this container image and manual
161 | intervention will be required approximately once a year to update the PostreSQL
162 | container version.
163 | 
164 | See this example to dump the current database and import it when moving from
165 | version 13 to 14:
166 | 
167 | ```
168 | # Stop Synapse server to ensure no-one is writing to the database
169 | $ systemctl stop synapse
170 | 
171 | # Dump the database
172 | $ mkdir /var/srv/matrix/postgres.dump
173 | $ cat /etc/postgresql_synapse
174 | $ podman run --read-only --pod=matrix --rm --tty --interactive \
175 |       -v /var/srv/matrix/postgres.dump:/var/data:z \
176 |       docker.io/library/postgres:13 \
177 |       pg_dump --file=/var/data/dump.sql --format=c --username=synapse \
178 |       --password --host=localhost synapse
179 | 
180 | # Stop the PostgreSQL container
181 | $ systemctl stop postgres
182 | 
183 | # Keep existing database as backup
184 | $ mv /var/srv/matrix/postgres /var/srv/matrix/postgres.bak
185 | $ mkdir /var/srv/matrix/postgres
186 | 
187 | # Edit the PostgreSQL unit to update the container version
188 | $ vi /etc/systemd/system/postgres.service
189 | 
190 | # Start the new PostgreSQL container
191 | $ systemctl start postgres
192 | 
193 | # Import the database. Make sure to use the new PostgreSQL container image
194 | $ podman run --read-only --pod=matrix --rm --tty --interactive \
195 |       -v /var/srv/matrix/postgres.dump:/var/data:ro,z \
196 |       docker.io/library/postgres:14 \
197 |       pg_restore --username=synapse --password --host=localhost \
198 |       --dbname=synapse /var/data/dump.sql
199 | 
200 | # Start Synapse again
201 | $ systemctl start synapse
202 | 
203 | # Cleanup once everything is confirmed working
204 | $ rm -rf /var/srv/matrix/postgres.dump /var/srv/matrix/postgres.bak
205 | ```
206 | 
207 | [deploy]: https://docs.fedoraproject.org/en-US/fedora-coreos/getting-started/
208 | [plugins]: https://certbot.eff.org/docs/using.html#dns-plugins
209 | [updates]: https://coreos.github.io/zincati/usage/updates-strategy/#periodic-strategy
210 | [butane]: https://coreos.github.io/butane/getting-started/#getting-butane
211 | 
212 | ## License
213 | 
214 | See [LICENSE](LICENSE) or [CC0](https://creativecommons.org/public-domain/cc0/).
215 | 


--------------------------------------------------------------------------------