Welcome to the Deep Dive. Today we're diving into something pretty cool if you're interested in, you know, taking back control of your digital communication. We're looking at Synapse. It's the main home server for the Matrix network. Basically, we want to make this whole complex topic a bit more, well, accessible for beginners. How do you actually run your own chat platform?

But before we really jump in, just want to give a quick shout out to our supporter for this dive, Safe Server. They focus on hosting exactly this kind of open source software and helping with your digital transformation. You can check them out at www.safeserver.de.

Yeah, and our goal here is really to filter out the noise. What is Synapse fundamentally? Why are the security rules so specific? And how does it handle who you are in this whole decentralized Matrix world? It's a bit different.

Okay, let's definitely unpack that. Starting simple, Synapse and Matrix, they get mentioned together all the time. What's the actual difference for someone just starting out?

Okay, think of Matrix as the blueprint. It's the open standard, the set of rules for secure, real-time chat that can talk to anything else following the same rules.

Right, the protocol.

Exactly. Synapse is the most well-known engine built using that blueprint. It's the software you actually install and run. It's open source, mostly written in Python, with some Rust creeping in now, and it's where your account lives, where your messages are stored.

And Element are the main folks behind Synapse, right? I saw it's got this interesting dual license thing going on.

It's primarily AGPL 3.0, which means you can grab it, run it, modify it, all for free. Perfect for individuals or communities.

Which is what most beginners will care about.

For sure. But Element also offers a commercial license. If you're a big company, you might want their Element Server Suite, or ESS.

Okay, so why would a company pay if the core is free? What does ESS add?

It's less about core features and more about operational guarantees. Think professional support contracts, SLAs, fancy admin tools, audit logs for compliance, maybe advanced ways to manage user identities that big organizations need. It's Synapse, but sort of enterprise hardened.

Gotcha. So support and specific business tools on top. But the key thing for our listeners maybe is that you can run this powerful server yourself. That's the real magic, isn't it? That digital autonomy.

Absolutely.

So someone's convinced they want to run it. What's the path of least resistance for getting it installed? Like day one, easiest method.

Definitely the official Docker images or the Debian packages from matrix.org. The documentation points you straight there.

Okay.

Those options kind of bundle up all the tricky dependencies.

Yeah.

Gets you a running server much quicker than, you know, compiling everything from scratch.

Right. Avoid the compiling nightmare first time around.

Please do. But just having it running isn't quite enough if you want it to talk to the rest of the world, right? Which is kind of the point of Matrix. So you absolutely need what's called a reverse proxy. Think nginx, Caddy, Apache, something sitting in front of Synapse.

Now, the docs are really strong on this. Is it just a nice to have or truly essential?

Oh, it's essential. Seriously. For security. For practicality. Synapse listens on specific ports, like maybe 8448 or something. But your users and other servers, they expect to connect on the standard web port, 443 for HTTPS.

Okay, so the proxy handles that connection.

It handles mapping that clean port 443 traffic to Synapse's internal port. And here's the critical bit. It means you can expose port 443 without running Synapse itself as the root user, the super admin.

Ah, the principle of least privilege. Big security win. If Synapse somehow gets compromised, the damage is more contained because it doesn't have root powers.

Precisely. Keep Synapse's privileges as low as possible. And while we're on setup, just a quick heads up on maintenance: running your own server means you've got to keep it updated.

Right.

And with Synapse, you really need to read the release notes before you upgrade. Sometimes it's just a simple update, but other times you might need to do manual database stuff or update Python or PostgreSQL first. You can't just blindly update.

Good warning. Okay. Installation handled, reverse proxy in place. Now, this security bit you mentioned, the docs have this huge warning about domains. This seems really important.

It's probably the most critical security configuration detail. You absolutely, positively must not host your Synapse home server on the same base domain, the eTLD+1, like example.com, as other sensitive web apps.

Whoa. Okay. Like webmail or maybe even the Element web client itself?

Exactly. Don't put your Synapse server on matrix.example.com if your webmail is on mail.example.com or your Element Web is on app.example.com.

Why? What's the risk there?

It boils down to cross-site scripting, XSS. Matrix handles tons of potentially untrusted content from users all over the federation. If, hypothetically, someone found an XSS bug in Synapse and your Synapse server shared that example.com base domain with your webmail, that attacker might be able to leverage the Synapse vulnerability to steal cookies or credentials from your webmail session or other apps on that same domain. It breaks the security isolation between apps.

Oof. Okay, so that's a huge blast radius. So, ideally, if my web client is app.mydomain.com, my Synapse should live on something totally separate, like my-matrix-server.net.

That's the gold standard. Using a different subdomain on the same base domain, like matrix.mydomain.com, offers some protection, but it's not as good as a completely separate registered domain. And this applies specifically to whatever domain you put in Synapse's public_baseurl setting. Get this wrong, and you're undermining a key security layer.

Crystal clear. That's a non-negotiable, then. Now, let's switch gears slightly to identity. People often confuse the home server, Synapse, with the identity server. What does the IS actually do?

Right. They're distinct. Synapse, your home server, holds your account, your username, your password hash, your chat history.

The core stuff.

Yeah. The identity server, or IS, its only job is mapping things like your email address or phone number, what we call third-party IDs or 3PIDs, to your Matrix ID, like @yourname:my.domain.name. And crucially, it verifies you actually own that email address or phone number. It sends you a confirmation link or code, but it never sees or stores your Matrix password.

So it's just a lookup and validation service. Got it. But here's the kind of weird part. We're building this decentralized thing, but the docs strongly suggest using a centralized IS, like the one run by matrix.org or vector.im. Why? Why not run my own IS too?

It's about trust and network effects, really. You can run your own IS, like Sydent, and you can associate your email with your Matrix ID on your server. But the problem is, nobody else on the Matrix network trusts your little IS to be telling the truth about who owns what email address. If someone on a different server wants to find you by searching for your email, they'll query an IS they trust, like matrix.org, and if your email isn't registered there, they won't find your Matrix ID. So for discoverability across the whole network right now, using one of the big established IS instances is kind of necessary if you want people to easily find you via email or phone.

Ah, so it's a practical compromise. You trade a bit of pure decentralization for actually being findable in the wider ecosystem.

Pretty much sums it up, yeah. It's a known limitation, and there's work towards more decentralized solutions, but for now, that's the reality for easy federation.

Makes sense. Okay, installed, secured the domain, understood identity. How do I actually, you know, use this thing, test it out?

Easiest way is probably a web client like Element Web. Just go to app.element.io in your browser, and this trips people up: you can't just use the default login page.

Right, because that points to matrix.org's home server.

Exactly. You need to find the option to specify a custom home server. It might be under advanced or other. Then you put in your server's address, usually something like https://your.server.name:8448.

Got it. And then I try to sign up, but it won't let me by default, will it?

Correct. Default setting is enable_registration: false. Safety first. You have to go into your homeserver.yaml configuration file and flip that to true.

Okay. Registration enabled. Now what?

Now you have a choice. Option one, strongly recommended if your server is reachable from the internet: set up a CAPTCHA.

To stop the bots.

Absolutely. Option two is you can set enable_registration_without_verification. Good. But honestly, don't do that unless your server is purely internal and locked down.

Why is the CAPTCHA so important, even for a small server, maybe just for friends?

Because spam bots will find your open registration endpoint eventually. And if they can create accounts without a CAPTCHA, they won't just spam your users. They'll use your server as a launchpad to spew spam across the entire Matrix federation.

Ah, so you become part of the problem.

You really do. Running a server comes with a bit of responsibility to the network's health. Use a CAPTCHA if it's public, please.

Message received. Okay, so I registered successfully. My Matrix ID will look like @myusername:my.server.name.

Right, exactly that format. Username, colon, your server's domain name.

And if you hit snags setting this all up, where do I go?

The main community support room is #synapse:matrix.org on Matrix itself. Lots of helpful folks there. Just remember, GitHub issues are really for actual bugs, not general how-do-I questions.

Good distinction.

And if you're a developer looking to contribute, there's #synapse-dev:matrix.org.

Okay, so wrapping this up, Synapse is powerful. It gives you this amazing open source foundation for your own secure communication platform. But you have to nail the setup. Get the reverse proxy right. Absolutely follow that domain separation rule for security. And understand the current trade-offs with identity servers for discoverability.

Yeah, and if you look at the bigger picture, reading between the lines in the docs, the Matrix project wants to solve that identity server centralization issue. The long-term goal is clearly full decentralization, even for finding people via email. The current reliance on servers like matrix.org is pragmatic, but you can see they're aiming beyond that.

That is definitely something interesting to think about. What does truly decentralized identity actually look like? And how does trust work in that kind of future network compared to today's hybrid model? Something for you to ponder.

And remember, this deep dive was supported by Safe Server. They're there to help you manage hosting for software like Synapse and support your digital transformation efforts. Check them out at www.safeserver.de.

Thanks for tuning in to this deep dive on Synapse. We'll catch you on the next one.