2020-04-08 13:59:26 +03:00
|
|
|
# Setting up Synapse with Workers and Systemd
|
|
|
|
|
|
|
|
This is a setup for managing synapse with systemd, including support for
|
|
|
|
managing workers. It provides a `matrix-synapse` service for the master, as
|
|
|
|
well as a `matrix-synapse-worker@` service template for any workers you
|
|
|
|
require. Additionally, to group the required services, it sets up a
|
|
|
|
`matrix-synapse.target`.
|
|
|
|
|
2023-12-13 19:37:10 +03:00
|
|
|
See the folder [system](https://github.com/element-hq/synapse/tree/develop/docs/systemd-with-workers/system/)
|
2021-06-16 15:15:52 +03:00
|
|
|
for the systemd unit files.
|
2020-04-08 13:59:26 +03:00
|
|
|
|
2023-12-13 19:37:10 +03:00
|
|
|
The folder [workers](https://github.com/element-hq/synapse/tree/develop/docs/systemd-with-workers/workers/)
|
2022-04-14 15:09:07 +03:00
|
|
|
contains an example configuration for the `generic_worker` worker.
|
2020-04-08 13:59:26 +03:00
|
|
|
|
|
|
|
## Synapse configuration files
|
|
|
|
|
2021-07-15 14:47:55 +03:00
|
|
|
See [the worker documentation](../workers.md) for information on how to set up the
|
2021-07-13 13:55:48 +03:00
|
|
|
configuration files and reverse-proxy correctly.
|
2022-04-14 15:09:07 +03:00
|
|
|
Below is a sample `generic_worker` worker configuration file.
|
2021-07-13 13:55:48 +03:00
|
|
|
```yaml
|
2022-04-14 15:09:07 +03:00
|
|
|
{{#include workers/generic_worker.yaml}}
|
2021-07-13 13:55:48 +03:00
|
|
|
```
|
2020-04-08 13:59:26 +03:00
|
|
|
|
|
|
|
Systemd manages daemonization itself, so ensure that none of the configuration
|
|
|
|
files set either `daemonize` or `worker_daemonize`.
|
|
|
|
|
|
|
|
The config files of all workers are expected to be located in
|
|
|
|
`/etc/matrix-synapse/workers`. If you want to use a different location, edit
|
|
|
|
the provided `*.service` files accordingly.
|
|
|
|
|
|
|
|
There is no need for a separate configuration file for the master process.
|
|
|
|
|
|
|
|
## Set up
|
|
|
|
|
|
|
|
1. Adjust synapse configuration files as above.
|
2023-12-13 19:37:10 +03:00
|
|
|
1. Copy the `*.service` and `*.target` files in [system](https://github.com/element-hq/synapse/tree/develop/docs/systemd-with-workers/system/)
|
2021-06-16 15:15:52 +03:00
|
|
|
to `/etc/systemd/system`.
|
2021-01-07 18:31:01 +03:00
|
|
|
1. Run `systemctl daemon-reload` to tell systemd to load the new unit files.
|
2020-04-08 13:59:26 +03:00
|
|
|
1. Run `systemctl enable matrix-synapse.service`. This will configure the
|
|
|
|
synapse master process to be started as part of the `matrix-synapse.target`
|
|
|
|
target.
|
|
|
|
1. For each worker process to be enabled, run `systemctl enable
|
|
|
|
matrix-synapse-worker@<worker_name>.service`. For each `<worker_name>`, there
|
2020-11-02 15:56:16 +03:00
|
|
|
should be a corresponding configuration file.
|
2020-04-08 13:59:26 +03:00
|
|
|
`/etc/matrix-synapse/workers/<worker_name>.yaml`.
|
|
|
|
1. Start all the synapse processes with `systemctl start matrix-synapse.target`.
|
2020-11-02 15:56:16 +03:00
|
|
|
1. Tell systemd to start synapse on boot with `systemctl enable matrix-synapse.target`.
|
2020-04-08 13:59:26 +03:00
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
|
|
|
Once the services are correctly set up, you can use the following commands
|
|
|
|
to manage your synapse installation:
|
|
|
|
|
|
|
|
```sh
|
|
|
|
# Restart Synapse master and all workers
|
|
|
|
systemctl restart matrix-synapse.target
|
|
|
|
|
|
|
|
# Stop Synapse and all workers
|
|
|
|
systemctl stop matrix-synapse.target
|
|
|
|
|
|
|
|
# Restart the master alone
|
|
|
|
systemctl start matrix-synapse.service
|
|
|
|
|
2022-04-14 15:09:07 +03:00
|
|
|
# Restart a specific worker (eg. generic_worker); the master is
|
2020-04-08 13:59:26 +03:00
|
|
|
# unaffected by this.
|
2022-04-14 15:09:07 +03:00
|
|
|
systemctl restart matrix-synapse-worker@generic_worker.service
|
2020-04-08 13:59:26 +03:00
|
|
|
|
|
|
|
# Add a new worker (assuming all configs are set up already)
|
|
|
|
systemctl enable matrix-synapse-worker@federation_writer.service
|
|
|
|
systemctl restart matrix-synapse.target
|
|
|
|
```
|
2021-05-19 13:44:16 +03:00
|
|
|
|
|
|
|
## Hardening
|
|
|
|
|
|
|
|
**Optional:** If further hardening is desired, the file
|
|
|
|
`override-hardened.conf` may be copied from
|
2023-12-13 19:37:10 +03:00
|
|
|
[contrib/systemd/override-hardened.conf](https://github.com/element-hq/synapse/tree/develop/contrib/systemd/)
|
2021-07-13 13:55:48 +03:00
|
|
|
in this repository to the location
|
2021-05-19 13:44:16 +03:00
|
|
|
`/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf` (the
|
|
|
|
directory may have to be created). It enables certain sandboxing features in
|
|
|
|
systemd to further secure the synapse service. You may read the comments to
|
2021-07-13 13:55:48 +03:00
|
|
|
understand what the override file is doing. The same file will need to be copied to
|
2021-05-19 13:44:16 +03:00
|
|
|
`/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf`
|
|
|
|
(this directory may also have to be created) in order to apply the same
|
|
|
|
hardening options to any worker processes.
|
|
|
|
|
|
|
|
Once these files have been copied to their appropriate locations, simply reload
|
|
|
|
systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically
|
|
|
|
be applied at every restart as long as the override files are present at the
|
|
|
|
specified locations.
|
|
|
|
|
|
|
|
```sh
|
|
|
|
systemctl daemon-reload
|
|
|
|
|
|
|
|
# Restart services
|
|
|
|
systemctl restart matrix-synapse.target
|
|
|
|
```
|
|
|
|
|
|
|
|
In order to see their effect, you may run `systemd-analyze security
|
|
|
|
matrix-synapse.service` before and after applying the hardening options to see
|
|
|
|
the changes being applied at a glance.
|