Category: Tech

Setting up a Matrix server for Secure Encrypted Communications through almost all the channels you and your friends use.

With all the privacy issues these days I decided to check out alternatives to the standard services.

That is how I found Matrix, an open protocol that gives you a secure, 'Slack-like' service with end-to-end encrypted rooms, plus 'bridges' that connect it to iMessage, Slack, Signal, Facebook, even Twitter and Instagram.

I have not fully configured this; these notes are mainly for my own records, and I stole most of them from the excellent article I found called Running your own secure communication service with Matrix and Jitsi.

First I set up a Debian VPS over at Vultr (affiliate link); the rest of this assumes you have already done the same.

So let’s begin!

First SSH to your server, update and upgrade it, and install nginx.

apt-get update && apt-get -y upgrade && apt-get -y install nginx lsb-release wget apt-transport-https

Next create one vhost file per hostname. Debian's nginx layout keeps the files in sites-available and enables each one with a symlink in sites-enabled, which is also where the edits further down are made:

cd /etc/nginx/sites-available
cp default yourdomain.com
cp default matrix.yourdomain.com
cp default riot.yourdomain.com
rm /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/matrix.yourdomain.com /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/riot.yourdomain.com /etc/nginx/sites-enabled/

Now we're going to configure our settings. You should have a domain picked out already; the examples use 'yourdomain.com', which you will obviously have to change.

First, log in to your DNS registrar (or wherever your zone is hosted) and create these records. They are all A records pointing at your VPS's public IPv4 address (add matching AAAA records if the VPS has IPv6, since the nginx vhosts listen on [::] as well).

  • yourdomain.com          A  190.190.190.1
  • matrix.yourdomain.com   A  190.190.190.1
  • riot.yourdomain.com     A  190.190.190.1
  • jitsi.yourdomain.com    A  190.190.190.1

** NOTE: change 'yourdomain.com' and the IP address to match your own settings.

Once that is done we can continue with the rest of the setup; the records will propagate while you work, and certbot (below) needs them resolving before it can issue certificates. You can confirm with dig +short matrix.yourdomain.com, which should print your VPS's address.

Now edit each of the vhost files in /etc/nginx/sites-available/

cd /etc/nginx/sites-available
nano yourdomain.com matrix.yourdomain.com riot.yourdomain.com

Make each file look like the corresponding block below, changing the domain and path. Note that the matrix vhost has no document root: its location is a proxy_pass to the Synapse homeserver on localhost:8008 instead of a directory. Installing Synapse itself is not covered on this page; until it is running, matrix.yourdomain.com will answer with a 502.

matrix.yourdomain.com:

server {
        listen 80;
        listen [::]:80;
        server_name matrix.yourdomain.com;
        # Synapse's client and federation APIs live under these prefixes;
        # proxying only them keeps everything else off the homeserver.
        location ~ ^(/_matrix|/_synapse/client) {
                proxy_pass http://localhost:8008;
                # let Synapse see the real client IP and scheme instead of
                # 127.0.0.1 (it uses these only if its listener is
                # configured with x_forwarded: true)
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $host;
                # media uploads exceed nginx's 1M default body limit
                client_max_body_size 50M;
        }
}

yourdomain.com:

server {
        listen 80;
        listen [::]:80;
        root /var/www/html;
        index index.html index.htm;
        server_name yourdomain.com;
        location / {
                try_files $uri $uri/ =404;
        }
}

riot.yourdomain.com:

server {
        listen 80;
        listen [::]:80;
        # the Element tarball is unpacked under /var/www/riot and symlinked
        # to "element" further down, so serve from that directory
        root /var/www/riot/element;
        index index.html index.htm;
        server_name riot.yourdomain.com;
        location / {
                try_files $uri $uri/ =404;
        }
}

Now install certbot and generate certificates for your hosts with the nginx plugin. This gives you TLS on every site you just created; when certbot asks, choose the redirect option so plain HTTP is sent to HTTPS. It validates over HTTP, so the DNS records above must already resolve to this server.

apt install -y python3-certbot-nginx && certbot --nginx -d yourdomain.com -d riot.yourdomain.com -d matrix.yourdomain.com

Now create the directories you need.

mkdir -p /var/www/riot /var/www/matrix

Now create the .well-known delegation file. Other homeservers look up https://yourdomain.com/.well-known/matrix/server to learn that Matrix traffic for yourdomain.com goes to matrix.yourdomain.com on port 443; that is what lets your users have @name:yourdomain.com addresses while the homeserver itself runs on a subdomain. Change the domain in the last command.

mkdir -p /var/www/html/.well-known/matrix
cd /var/www/html/.well-known/matrix
echo '{ "m.server": "matrix.yourdomain.com:443" }' > server
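The delegation setup as a script, added here as an example that is not part of the original post: it writes the server well-known from above, adds the client well-known (the file Element and other clients use to discover the homeserver, which the steps above do not create), and emits an nginx snippet that serves both as JSON with the CORS header the spec asks for on the client file. The web root /var/www/html, the snippet path /etc/nginx/snippets, and the check function's exact-match rule are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example: write Matrix .well-known delegation files for a domain.
# Assumes the yourdomain.com vhost's web root is /var/www/html and that
# nginx loads snippets from /etc/nginx/snippets (Debian layout).
set -euo pipefail

# JSON that tells federating homeservers where DOMAIN's Matrix traffic goes.
matrix_server_well_known() {
        printf '{"m.server": "matrix.%s:443"}\n' "$1"
}

# JSON that tells clients (Element, etc.) which homeserver to talk to.
matrix_client_well_known() {
        printf '{"m.homeserver": {"base_url": "https://matrix.%s"}}\n' "$1"
}

# nginx location that serves both files as JSON; web clients fetch the
# client file cross-origin, so it needs the CORS header.
matrix_well_known_nginx_snippet() {
        cat <<'EOF'
location /.well-known/matrix/ {
        default_type application/json;
        add_header Access-Control-Allow-Origin * always;
}
EOF
}

# Write both files under WEBROOT for DOMAIN; prints the directory written.
write_matrix_well_known() {
        local domain=$1 webroot=${2:-/var/www/html}
        local dir="$webroot/.well-known/matrix"
        mkdir -p "$dir"
        matrix_server_well_known "$domain" > "$dir/server"
        matrix_client_well_known "$domain" > "$dir/client"
        chmod 0644 "$dir/server" "$dir/client"
        printf '%s\n' "$dir"
}

# Check a fetched body (e.g. from curl) against the host we expect.
# Returns 0 only if m.server is exactly matrix.DOMAIN:443.
check_server_well_known() {
        local body=$1 domain=$2 value
        value=$(printf '%s' "$body" | sed -n 's/.*"m\.server"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
        [ "$value" = "matrix.$domain:443" ]
}

if [ "${1:-}" != "" ]; then
        dir=$(write_matrix_well_known "$1" "${2:-/var/www/html}")
        mkdir -p /etc/nginx/snippets
        matrix_well_known_nginx_snippet > /etc/nginx/snippets/matrix-well-known.conf
        echo "wrote $dir/server and $dir/client; add 'include snippets/matrix-well-known.conf;' to the $1 vhost and reload nginx"
fi
```

Run it as bash matrix-well-known.sh yourdomain.com, add the include line to the yourdomain.com server block, then nginx -t && systemctl reload nginx. Afterwards curl -s https://yourdomain.com/.well-known/matrix/server from another machine should print the server JSON; feed that output to check_server_well_known if you want the same assertion the script makes.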

Now we get Element (formerly Riot) going. It gets its own hostname on purpose: Element's own documentation warns against serving the web client from the homeserver's domain, because user-uploaded content served by the homeserver could then run with the client's origin.

cd /var/www/riot
apt install -y gnupg
wget https://github.com/vector-im/element-web/releases/download/v1.7.22/element-v1.7.22.tar.gz
wget https://github.com/vector-im/element-web/releases/download/v1.7.22/element-v1.7.22.tar.gz.asc
gpg --verify element-v1.7.22.tar.gz.asc element-v1.7.22.tar.gz
tar xzvf element-v1.7.22.tar.gz
ln -s element-v1.7.22 element
cp element/config.sample.json element/config.json
chmod -R a+rX /var/www/riot

The .asc file is the release's detached signature; gpg --verify only succeeds once you have imported Element's release signing key, so do that first rather than skipping the check. The riot vhost points at /var/www/riot/element, so a later upgrade is just unpacking the new tarball and moving the symlink. nginx only needs read access, which is why the files are made world-readable and left owned by root: a compromised nginx worker then cannot modify the client it serves.

At this point you should be able to start nginx and visit your domain to set everything up.

nginx -t && systemctl restart nginx

Now open a browser and hit this url

https://riot.yourdomain.com

That is where you log in. Creating an account from this page only works if the homeserver has open registration, which is worth leaving off on a server exposed to the Internet: create your users from the server side instead and keep public registration disabled. Next we'll set up Jitsi for video conferencing capabilities. First get the repository added.

echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list

Now install the gpg key needed.

wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -

Now go ahead and update, and install Jitsi

apt-get update

During the installer you will want to make sure you give the installer the hostname of ‘jitsi.yourdomain.com‘ and make SURE the DNS is already setup (step 2 way up there) otherwise it _will_ fail on you here.

apt-get -y install jitsi-meet

Then you’re going to want to secure it using the provided script.

/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

After this, you should be able to reach the Jitsi server on your domain by visiting its URL in your browser.

https://jitsi.yourdomain.com/

Note that a default Jitsi install lets anyone who can reach this hostname create and host rooms on your server. If it is meant to be private, follow the 'secure domain' steps in the Jitsi documentation so that only authenticated users can create rooms (guests can still join once a room exists).

Now set up Element to use your Jitsi instance. Element ships a config.sample.json and reads config.json next to it, so create config.json as a copy of the sample if you have not already, then edit it:

nano /var/www/riot/element/config.json

Change the 'preferredDomain' to your server. This value is a bare hostname, not a URL: Element builds the meeting URL from it itself, so a value with https:// in it produces a broken meeting link. Change this block

"jitsi": {
        "preferredDomain": "jitsi.riot.im"
    }

To this instead

"jitsi": {
        "preferredDomain": "jitsi.yourdomain.com"
    }

While you are in there, also set default_server_config so that base_url is https://matrix.yourdomain.com and server_name is yourdomain.com; otherwise the login page defaults to matrix.org rather than your own homeserver.

That's it. Just refresh Element in your browser and you are ready to use Jitsi from within your server. No need for an integration manager to embed Jitsi!

Under the bridge downtown

Next we're going to install some bridges.

I have not fully configured these (or any of this!!); again, just noting this for the future when I do have time to configure it fully, and maybe it will help someone else!

First off, install the prerequisites. Keep in mind what a bridge is before you do: it logs in to the other network as you, holds that session on this server, and sees every bridged message in plaintext in order to relay it, so Matrix's end-to-end encryption only protects the Matrix leg of a bridged conversation.

sudo apt install python3 python3-venv virtualenv python3-virtualenv git build-essential python3-dev

There is no need for a python-olm apt package: the [all] extras below pull python-olm from PyPI, which is why libolm-dev is installed from backports next.

Now add buster-backports, which is where a recent libolm lives, as a drop-in source rather than editing sources.list by hand:

echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/buster-backports.list

Then you can install the rest of what you need.

sudo apt-get update
sudo apt-get install libolm3/buster-backports libolm-dev/buster-backports

Now configure your locales

dpkg-reconfigure locales

Select the locales you need (a UTF-8 one) and choose it as the default. Now we are ready to install whichever branch of the bridges we want to use, inside each bridge's own virtualenv (never system-wide with sudo pip). The two options are outlined below.

MASTER BRANCHES:

pip install --upgrade 'git+https://github.com/tulir/mautrix-instagram.git#egg=mautrix-instagram[all]'
pip install --upgrade 'git+https://github.com/tulir/mautrix-telegram.git#egg=mautrix-telegram[all]'
pip install --upgrade 'git+https://github.com/tulir/mautrix-facebook.git#egg=mautrix-facebook[all]'
pip install --upgrade 'git+https://github.com/tulir/mautrix-signal.git#egg=mautrix-signal[all]'

RELEASE BRANCHES:

pip install --upgrade 'mautrix-instagram[all]'
pip install --upgrade 'mautrix-telegram[all]'
pip install --upgrade 'mautrix-signal[all]'
pip install --upgrade 'mautrix-facebook[all]'

Then create a virtualenv per bridge and install each one into it:

for bridge in facebook telegram signal instagram; do
        mkdir -p /var/www/bridge-$bridge
        cd /var/www/bridge-$bridge
        virtualenv -p /usr/bin/python3 .
        source ./bin/activate
        pip install --upgrade "mautrix-$bridge[all]"
        deactivate
done
cd /var/www

/var/www is where these notes put them. Nothing serves that directory, but each bridge's config will hold its appservice tokens and the session for the other network, so a directory outside the web tree (such as /opt) owned by a dedicated unprivileged user is the better home.
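The part left as 'NOT configured' above is where the secrets live, so here is an added example (not from the original post or the mautrix project) that takes one bridge from virtualenv to a generated appservice registration with the files locked down. It relies on the generator the mautrix Python bridges document (python -m mautrix_<name> -g with -c/-r for the config and registration paths); the bridge root /opt/bridges, the service user name matrix-bridge, and the 32-character token threshold in the check are choices made here, not anything the page specifies.

```bash
#!/usr/bin/env bash
# Added example: install one mautrix Python bridge under its own
# unprivileged user and generate its appservice registration.
# Assumptions: /opt/bridges as the root, a service user "matrix-bridge",
# and mautrix's documented "python -m mautrix_<name> -g" generator.
set -euo pipefail

BRIDGE_ROOT=${BRIDGE_ROOT:-/opt/bridges}
BRIDGE_USER=${BRIDGE_USER:-matrix-bridge}

# PyPI name "mautrix-facebook" -> importable module "mautrix_facebook".
bridge_module() {
        printf 'mautrix_%s\n' "$1"
}

# Returns 0 only if the registration carries two distinct tokens of at
# least 32 characters and the bridge URL is loopback (Synapse runs on the
# same box, so nothing else should be able to reach the bridge directly).
registration_ok() {
        local reg=$1 as_token hs_token url
        as_token=$(sed -n 's/^as_token:[[:space:]]*//p' "$reg")
        hs_token=$(sed -n 's/^hs_token:[[:space:]]*//p' "$reg")
        url=$(sed -n 's/^url:[[:space:]]*//p' "$reg")
        [ "${#as_token}" -ge 32 ] && [ "${#hs_token}" -ge 32 ] && [ "$as_token" != "$hs_token" ] || return 1
        case "$url" in
                http://localhost:*|http://127.0.0.1:*) return 0 ;;
                *) return 1 ;;
        esac
}

# Step 1: virtualenv + package + the example config, which must be edited
# (homeserver address and domain, appservice address, database) before
# anything is generated.
install_bridge() {
        local name=$1 dir="$BRIDGE_ROOT/$1" module
        module=$(bridge_module "$name")
        id -u "$BRIDGE_USER" >/dev/null 2>&1 ||
                useradd -r -M -d "$BRIDGE_ROOT" -s /usr/sbin/nologin "$BRIDGE_USER"
        mkdir -p "$dir"
        python3 -m venv "$dir/venv"
        "$dir/venv/bin/pip" install --upgrade "mautrix-$name[all]"
        cp "$dir"/venv/lib/python3.*/site-packages/"$module"/example-config.yaml "$dir/config.yaml"
        chown -R "$BRIDGE_USER:$BRIDGE_USER" "$dir"
        chmod 0700 "$dir"
        chmod 0600 "$dir/config.yaml"
        echo "edit $dir/config.yaml, then run: $0 register $name"
}

# Step 2: generate registration.yaml (fresh as_token/hs_token are written
# into both files), lock it down, and sanity-check it before handing the
# path to Synapse's app_service_config_files.
generate_registration() {
        local name=$1 dir="$BRIDGE_ROOT/$1" module
        module=$(bridge_module "$name")
        (cd "$dir" && "$dir/venv/bin/python" -m "$module" -g -c config.yaml -r registration.yaml)
        chown "$BRIDGE_USER:$BRIDGE_USER" "$dir/registration.yaml"
        chmod 0600 "$dir/config.yaml" "$dir/registration.yaml"
        registration_ok "$dir/registration.yaml" || { echo "registration in $dir looks wrong" >&2; return 1; }
        echo "add $dir/registration.yaml to app_service_config_files in homeserver.yaml and restart Synapse"
}

case "${1:-}" in
        install)  install_bridge "$2" ;;
        register) generate_registration "$2" ;;
        "")       ;;   # no arguments: only define the functions
        *)        echo "usage: $0 install|register <facebook|telegram|signal|instagram>" >&2; exit 2 ;;
esac
```

Run ./bridge.sh install facebook, edit /opt/bridges/facebook/config.yaml, then ./bridge.sh register facebook. Start each bridge from a systemd unit with User=matrix-bridge and WorkingDirectory=/opt/bridges/<name>, so the process that holds the other network's session never runs as root or as the web server user.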

So there you have it: Element and Jitsi are installed, and four bridges are installed but NOT configured, so you can begin experimenting! The missing piece is the Synapse homeserver itself (the thing the matrix vhost proxies to), which this page does not cover.

Hope this can help someone else get it started on their journey to private communications .

How to setup a Chromium Kiosk Startup Mode for Raspberry Pi running Raspbian Server in 2021

I was tasked with creating a simple dashboard for a client of ours that auto runs on boot of the computer. This weekend I sat down to work on this and here’s what I found.

First, make sure you go with Raspbian Lite (the headless 'server' edition of the OS). I tried various other flavours, and it was a convoluted process to remove GDM or install LXDE and actually have this run with minimal effort. This method takes around 15 minutes to set up and test, and I'm on a low-speed satellite internet link; it should be much faster if you have real Internet access!

Here’s how to do it;

The rest assumes you've already installed vanilla Raspbian Lite, connected to Wi-Fi if needed, and are at a shell prompt. Then begin by running the following commands

sudo apt-get update
sudo apt-get -y upgrade

That will get the system upgraded to the latest editions of everything you need next. Now let's install the apps we need

sudo apt-get install --no-install-recommends chromium-browser xserver-xorg x11-xserver-utils xinit lxde
sudo apt-get install lightdm screen aptitude rpd-plym-splash

Now run raspi-config to edit some settings

sudo raspi-config

Here you're going to want to do the following;

- set up the localization and timezone
- set up the splash screen if desired
- set up automatic login to X11 as the user 'pi'

Then exit and save the settings. Autologin means whoever has the keyboard is logged in as pi, and on a stock image pi has passwordless sudo, so at minimum change pi's password and disable SSH (or restrict it to keys) if the kiosk doesn't need it. A dedicated user with no sudo rights is better still if you are willing to set up its autologin in lightdm's configuration yourself.

Now edit the LXDE autostart file so the session launches the browser. The path below is the one for the lxde package installed above; on a stock Raspberry Pi OS desktop the equivalent file is /etc/xdg/lxsession/LXDE-pi/autostart, so edit whichever one matches the session lightdm starts.

sudo nano /etc/xdg/lxsession/LXDE/autostart

Make it look like this (the first two lines are usually already there on a typical install). The stock @xscreensaver line is left out, because a screensaver blanking the dashboard is exactly what a kiosk doesn't want; the xset lines stop X from blanking the screen itself, and the @ prefix on the chromium line makes lxsession restart it if it exits.

@lxpanel --profile LXDE-pi
@pcmanfm --desktop --profile LXDE-pi
@xset s off
@xset -dpms
@xset s noblank
@unclutter -idle 1
@/usr/bin/chromium-browser --kiosk --incognito --noerrdialogs --disable-infobars --disable-restore-session-state https://google.ca

Then exit and save the file (Ctrl+X, then Y, then Enter).

Now install unclutter, which hides the mouse pointer after a short idle time. It only does anything when started inside the X session, so it needs an @unclutter -idle 1 line in the autostart file (the number is the idle seconds before the pointer is hidden).

sudo apt-get install unclutter

Now we'll remove anything we don't need, just for good measure!

sudo apt autoremove

And now you can reboot and wait a few seconds for it to boot into X11, start Chromium and display the site you listed above.

sudo reboot

If you want to change the url to something else, just edit the autostart file again and change the url at the end of the line, exit, save, and reboot again to see the changes.
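An added example (not from the original post) of a wrapper to launch from the autostart file instead of the bare chromium-browser line: it restarts Chromium if it exits, reads the URL from a file so changing the dashboard doesn't mean editing a system file, and refuses anything that isn't http(s) so a tampered URL file can't point the kiosk at file:// or chrome:// pages. The paths /home/pi/kiosk.sh and /home/pi/kiosk.url are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example: kiosk wrapper for the LXDE autostart file.
# Assumptions: installed as /home/pi/kiosk.sh, URL in /home/pi/kiosk.url.
set -euo pipefail

URL_FILE=${URL_FILE:-/home/pi/kiosk.url}

# Only http(s) targets with something after the scheme are allowed.
validate_kiosk_url() {
        case "$1" in
                http://?*|https://?*) return 0 ;;
                *) return 1 ;;
        esac
}

# Read and validate the first line of FILE; prints the URL or fails.
kiosk_url() {
        local url
        url=$(head -n 1 "$1" | tr -d '[:space:]')
        validate_kiosk_url "$url" || return 1
        printf '%s\n' "$url"
}

# Keep the dashboard up: if Chromium exits or crashes, start it again.
# --incognito gives a throwaway profile, so nothing the dashboard stores
# survives a restart and the "restore session?" prompt never appears.
run_kiosk() {
        local url
        url=$(kiosk_url "$URL_FILE") || { echo "refusing URL in $URL_FILE" >&2; return 1; }
        xset s off; xset -dpms; xset s noblank    # no blanking or power-down
        while :; do
                chromium-browser --kiosk --incognito --noerrdialogs \
                        --disable-infobars --disable-session-crashed-bubble \
                        --disable-restore-session-state "$url" || true
                sleep 2
        done
}

if [ "${1:-}" = run ]; then
        run_kiosk
fi
```

Save it as /home/pi/kiosk.sh, chmod +x it, put the dashboard URL in /home/pi/kiosk.url, and replace the chromium-browser line in the autostart file with @/home/pi/kiosk.sh run.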

Using two ODROID HC2’s to create a small NAS with GLUSTERFS for PLEX server

My Mac Mini acting as a Plex server was from late 2009 and had begun stuttering when playing some recent high-quality rips or transcoding.

It was time to upgrade.

Luckily I had an old i7-4790K processor laying around. I bought a case from amazon, and sourced a cheap 1150 motherboard locally. I also already had a 250gb SSD I wasn’t using. All I needed was some ram and I was in business.

I also wanted some form of storage and had heard about the ODROID HC2. I picked up the following gear from their site, which arrived surprisingly fast via DHL (a few days).

Then, from Amazon I picked up everything else.

Once I had everything wired up and running, I booted each one into the default OS using the DHCP addresses they got. Then I gave them static DHCP reservations on my DHCP server and added DNS entries through pfSense so the shared drives would be resolvable by name. Shit's gettin' real now dawg.

Then, I performed the following steps to get everything going.

  1. Install Arch Linux on the Plex server and configure it (that would be a separate howto entirely). Install Plex Media Server or the Plex Pass build.
  2. Plug your ODROIDs in and get them on the network.
  3. SSH to both ODROIDs and run these commands on each one. gdisk replaces whatever partition table is on /dev/sda, so check with lsblk first that it really is the new data disk.
    passwd
    sudo apt-get install glusterfs-server xfsprogs
    sudo service glusterfs-server start
    sudo service glusterfs-server status
    sudo gdisk /dev/sda
    
    p                 (print the current table)
    d                 (delete the existing partition)
    n                 (new partition, accept the defaults)
    <enter><enter><enter><enter>
    w                 (write the table)
    y                 (confirm)
    
    sudo mkfs.xfs /dev/sda1
    sudo mkdir /data
    sudo mount /dev/sda1 /data/
    df -T
    sudo blkid -s UUID -o value /dev/sda1
    
    1234abc
  4. The UUID printed by blkid is different on each board, so the fstab line is different on each one. The trailing 0 0 is deliberate: XFS has no fsck pass to schedule.
    droid1:
    echo "UUID=1234abc /data xfs defaults 0 0" | sudo tee --append /etc/fstab
    
    droid2:
    echo "UUID=5678xyz /data xfs defaults 0 0" | sudo tee --append /etc/fstab
  5. Then run these commands on both ODROIDs
    sudo mount -a
    df -T
    sudo mkdir -p /data/vol0
  6. Now run this on just one of the ODROIDs. Logically, I chose to do it on droid1, where mylocal.lan is the domain I use on pfSense. Gluster has no authentication or transport encryption of its own, so keep it on a trusted LAN and restrict which clients may mount the volume with auth.allow (replace the placeholder with the Plex server's address). gluster will also warn that replica 2 volumes are prone to split-brain; for a home media library that is acceptable, and an arbiter brick on a third machine is the fix if it isn't.
    sudo gluster peer probe droid2.mylocal.lan
    sudo gluster peer probe droid1.mylocal.lan
    sudo gluster volume create vol0 replica 2 transport tcp droid1.mylocal.lan:/data/vol0 droid2.mylocal.lan:/data/vol0
    sudo gluster volume set vol0 auth.allow <plex-server-ip>
    sudo gluster volume info vol0
    sudo gluster volume start vol0
  7. Then on your Plex server, run these commands to mount the Gluster volume and make it mount automatically.
    sudo mkdir -p /mnt/gluster
    sudo mount -t glusterfs -o acl droid1.mylocal.lan:/vol0 /mnt/gluster
    df -hP /mnt/gluster
    cat /proc/mounts
    echo "droid1.mylocal.lan:/vol0 /mnt/gluster glusterfs defaults,_netdev,noauto,x-systemd.automount 0 0" | sudo tee --append /etc/fstab
  8. Now add some files to your Gluster mount on the Plex server, then take a look at both ODROIDs: the file should exist in /data/vol0 on each of them. Congratulations, you now have a replicating filesystem spread over your two ODROIDs and used by Plex for storage.
  9. Now reboot all three devices to make sure everything comes back up and still functions. If it doesn't, check your logs and repeat anything above.
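An added example, not from the original post, that does steps 3 to 5 by UUID so nothing is copied by hand between the two boards, appends to fstab only once, and gives you a check for step 6 by parsing gluster volume info. It assumes /dev/sda1 already carries the XFS filesystem from the gdisk/mkfs.xfs steps, a volume named vol0 with two bricks, and adds nofail to the mount options (a choice made here so a board still boots if its disk is missing).

```bash
#!/usr/bin/env bash
# Added example: per-ODROID disk/fstab setup by UUID plus a Gluster
# volume health check. Assumes XFS on /dev/sda1 and a volume named vol0.
set -euo pipefail

# Build the fstab line for a UUID. XFS has no fsck pass, so dump/pass are
# 0 0; nofail keeps the board bootable if the disk is missing.
fstab_line() {
        printf 'UUID=%s %s xfs defaults,nofail 0 0\n' "$1" "$2"
}

# Append LINE to FILE only if no entry for the same mount point exists yet.
# Returns 0 if it appended, 1 if an entry was already there.
append_fstab_once() {
        local file=$1 line=$2 mnt
        mnt=$(printf '%s' "$line" | awk '{print $2}')
        if awk -v m="$mnt" '$1 !~ /^#/ && $2 == m {found=1} END {exit !found}' "$file" 2>/dev/null; then
                return 1
        fi
        printf '%s\n' "$line" >> "$file"
}

# Parse "gluster volume info" output: returns 0 if the volume is Started
# and the total brick count equals WANT.
volume_healthy() {
        local info=$1 want=$2 status bricks
        status=$(printf '%s\n' "$info" | sed -n 's/^Status:[[:space:]]*//p')
        bricks=$(printf '%s\n' "$info" | sed -n 's/^Number of Bricks:[[:space:]]*//p')
        [ "$status" = "Started" ] && [ "${bricks##* }" = "$want" ]
}

# Run on each ODROID: mount the data disk by UUID and create the brick dir.
setup_data_disk() {
        local dev=${1:-/dev/sda1} uuid
        uuid=$(blkid -s UUID -o value "$dev")
        [ -n "$uuid" ] || { echo "no filesystem UUID on $dev" >&2; return 1; }
        mkdir -p /data
        append_fstab_once /etc/fstab "$(fstab_line "$uuid" /data)" || true
        mount -a
        mkdir -p /data/vol0
        df -T /data
}

# Run on one ODROID after "gluster volume start vol0".
check_volume() {
        volume_healthy "$(gluster volume info "${1:-vol0}")" "${2:-2}"
}

case "${1:-}" in
        disk)  setup_data_disk "${2:-/dev/sda1}" ;;
        check) check_volume "${2:-vol0}" "${3:-2}" && echo "volume ${2:-vol0} started with ${3:-2} bricks" ;;
        "")    ;;   # no arguments: only define the functions
        *)     echo "usage: $0 disk [device] | check [volume] [bricks]" >&2; exit 2 ;;
esac
```

Run sudo ./gluster-node.sh disk on each board in place of steps 3 to 5's mount and fstab commands (after gdisk and mkfs.xfs), and sudo ./gluster-node.sh check on droid1 once the volume is started; a non-zero exit means the volume is not Started or a brick is missing.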

Here she is in all her glory on my Lack-Rack (heh).