Заметка «для себя», но, может, кому-то ещё пригодится.
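sudo apt update
# jq is only needed for the API check at the end of the note (pretty-printing).
sudo apt install -y matrix-synapse-py3 coturn socat curl jq
# Installs acme.sh for the current user. This executes a script fetched over the
# network without any integrity check; -f makes curl fail on an HTTP error instead
# of piping an error page into sh. If that matters for your threat model, download
# the script, read it, then run it.
curl -fsSL https://get.acme.sh | sh -s email=you@example.org
source ~/.bashrc
acme.sh --set-default-ca --server zerossl
acme.sh --register-account -m you@example.org --server zerossl
# Issue the certificate for the domain with an ECDSA P-256 key.
# --standalone makes acme.sh bind port 80 itself: nothing else may listen there
# while issuing or renewing.
acme.sh --issue -d example.org --standalone --server zerossl --keylength ec-256
# Install into a system directory. acme.sh must be able to write into this
# root-owned directory and the reloadcmd must be able to restart services, so run
# these steps as root (or install acme.sh for root); a user-level acme.sh combined
# with `sudo mkdir` fails at the write.
sudo mkdir -p /etc/ssl/zerossl/example.org
acme.sh --install-cert -d example.org --ecc \
  --key-file /etc/ssl/zerossl/example.org/example.org.key \
  --fullchain-file /etc/ssl/zerossl/example.org/fullchain.cer \
  --reloadcmd "systemctl restart matrix-synapse || true; systemctl restart coturn || true"
# NOTE(review): the service accounts Synapse and coturn run as must be able to read
# the installed key file, otherwise both fail to start with TLS — confirm ownership
# and mode after the install step.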
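# Synapse homeserver.yaml fragment: merge into the existing file, these keys
# replace the packaged defaults of the same name.
server_name: "example.org"
public_baseurl: "https://example.org/"

# One TLS listener serving the client API directly on 443 (no reverse proxy).
# NOTE(review): binding 443 needs root or CAP_NET_BIND_SERVICE on the Synapse
# process, and the process must be able to read the private key — confirm this
# holds for the packaged service unit.
listeners:
  - port: 443
    bind_addresses: ["0.0.0.0", "::"]
    type: http
    tls: true
    tls_certificate_path: "/etc/ssl/zerossl/example.org/fullchain.cer"
    tls_private_key_path: "/etc/ssl/zerossl/example.org/example.org.key"
    resources:
      # Only the client API is exposed here; no federation resource on this listener.
      - names: [client]
        compress: false

# Placeholder: replace with a long random value and keep it out of version
# control. With enable_registration false, accounts are created only through the
# shared-secret registration path (register_new_matrix_user / the admin API).
registration_shared_secret: "SUPER_SECRET"
enable_registration: false

# Synapse mints time-limited TURN credentials from this secret; it must equal
# static-auth-secret in turnserver.conf. Placeholder: replace, do not commit.
turn_uris:
  - "turns:example.org:5349?transport=udp"
  - "turns:example.org:5349?transport=tcp"
turn_shared_secret: "TURN_SECRET"
# Validity of generated TURN credentials, in milliseconds (24h here).
turn_user_lifetime: 86400000

# An empty whitelist allows federation with no remote server at all, i.e. this
# effectively turns federation off. Remove the key entirely to federate openly.
federation_domain_whitelist: []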
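# coturn turnserver.conf: TURN/STUN relay for Synapse voice/video calls.
listening-port=3478
tls-listening-port=5349
listening-ip=0.0.0.0
# NOTE(review): 0.0.0.0 as the relay address — confirm it does what you expect;
# behind NAT coturn normally also needs external-ip=<public address> so the
# relayed candidates it hands out are reachable.
relay-ip=0.0.0.0
realm=example.org
# Time-limited credentials derived from a shared secret (the scheme Synapse
# uses). static-auth-secret must equal turn_shared_secret in homeserver.yaml.
# Placeholder: replace with a long random value and keep it out of version control.
lt-cred-mech
use-auth-secret
static-auth-secret=TURN_SECRET
fingerprint
cert=/etc/ssl/zerossl/example.org/fullchain.cer
pkey=/etc/ssl/zerossl/example.org/example.org.key
# Reject legacy TLS versions on 5349.
no-tlsv1
no-tlsv1_1
# A TURN relay forwards client traffic to whatever peer the client names. Without
# these limits, anyone holding valid credentials can reach hosts on the server's
# private networks through it and hold unbounded relay capacity.
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
# Caps on concurrent relay sessions per user and in total; tune to expected load.
user-quota=12
total-quota=1200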
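# Check the Synapse client API. -f makes curl exit non-zero on an HTTP error
# instead of feeding the error body to jq; drop "| jq ." if jq is not installed.
curl -fsS https://example.org/_matrix/client/versions | jq .
# Check TURN over TLS: expect a successful TLS 1.2 handshake with the installed chain.
openssl s_client -connect example.org:5349 -alpn "stun.turn" -tls1_2 -brief
# Negative check for the no-tlsv1 / no-tlsv1_1 settings: this handshake must be
# refused by the server (an openssl built without TLS 1.1 client support errors
# out locally instead, which is also fine).
openssl s_client -connect example.org:5349 -alpn "stun.turn" -tls1_1 -brief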