nixpkgs

4th chunk of `nixos/modules/services/matrix/synapse.md`
In the example, this would create a user with the Matrix Identifier
`@your-username:example.org`.

::: {.warning}
When using [](#opt-services.matrix-synapse.settings.registration_shared_secret), the secret
will end up in the world-readable store. Instead it's recommended to deploy the secret
in an additional file like this:

  - Create a file with the following contents:

    ```
    registration_shared_secret: your-very-secret-secret
    ```
  - Deploy the file with a secret-manager such as
    [{option}`deployment.keys`](https://nixops.readthedocs.io/en/latest/overview.html#managing-keys)
    from {manpage}`nixops(1)` or [sops-nix](https://github.com/Mic92/sops-nix/) to
    e.g. {file}`/run/secrets/matrix-shared-secret` and ensure that it's readable
    by `matrix-synapse`.
  - Include the file like this in your configuration:

    ```nix
    {
      services.matrix-synapse.extraConfigFiles = [ "/run/secrets/matrix-shared-secret" ];
    }
    ```
:::
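
The deployment described in the warning above, written out with sops-nix as an added example that is not part of the NixOS manual. It assumes sops-nix is imported as a module, that `./secrets.yaml` is an encrypted sops file containing the key `matrix-registration-secret`, and a sops-nix version that provides `sops.templates` and `sops.placeholder`.

```nix
# Added example (not from the NixOS manual): keep Synapse's registration
# shared secret out of the world-readable Nix store by rendering it with
# sops-nix at activation time. Assumptions: sops-nix is imported, the
# encrypted file ./secrets.yaml holds the key `matrix-registration-secret`,
# and the sops-nix version in use supports `sops.templates`/`sops.placeholder`.
{ config, ... }:
{
  sops.defaultSopsFile = ./secrets.yaml;

  # The bare secret value, decrypted into /run/secrets at activation time.
  sops.secrets.matrix-registration-secret = { };

  # Synapse expects a YAML fragment rather than a bare value, so render one
  # that references the decrypted secret. The rendered file is owned by the
  # synapse service user and readable only by it, which is what the warning
  # above asks for ("ensure that it's readable by matrix-synapse").
  sops.templates."matrix-shared-secret.yaml" = {
    content = ''
      registration_shared_secret: "${config.sops.placeholder.matrix-registration-secret}"
    '';
    owner = "matrix-synapse";
    mode = "0400";
  };

  # Point Synapse at the rendered file instead of placing the secret in
  # `services.matrix-synapse.settings`, which would be written to /nix/store.
  services.matrix-synapse.extraConfigFiles = [
    config.sops.templates."matrix-shared-secret.yaml".path
  ];
}
```

After a rebuild, `ls -l /run/secrets/rendered/` should show the rendered file owned by `matrix-synapse` with mode `0400`, and `grep -r registration_shared_secret /nix/store/*-synapse*` should return nothing.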

::: {.note}
It's also possible to use alternative authentication mechanisms such as
[LDAP (via `matrix-synapse-ldap3`)](https://github.com/matrix-org/matrix-synapse-ldap3)
or [OpenID](https://element-hq.github.io/synapse/latest/openid.html).
:::

## Element (formerly known as Riot) Web Client {#module-services-matrix-element-web}

[Element Web](https://github.com/element-hq/element-web) is
the reference web client for Matrix and developed by the core team at
matrix.org. Element was formerly known as Riot.im, see the
[Element introductory blog post](https://element.io/blog/welcome-to-element/)
for more information. The following snippet can optionally be added to the
configuration above to complete the Synapse installation with a web client served at
`https://element.myhostname.example.org` and
`https://element.example.org`. Alternatively, you can use the hosted
copy at <https://app.element.io/>,
or use other web clients or native client applications. Because of the
`/.well-known` URLs set up above, many clients should
fill in the required connection details automatically when you enter your
Matrix Identifier. See
[Try Matrix Now!](https://matrix.org/docs/projects/try-matrix-now.html)
for a list of existing clients and their supported feature set.

```nix
{
  services.nginx.virtualHosts."element.${fqdn}" = {
    enableACME = true;
    forceSSL = true;
    serverAliases = [ "element.${config.networking.domain}" ];

    root = pkgs.element-web.override {
      conf = {
        default_server_config = clientConfig; # see `clientConfig` from the snippet above.
      };
    };
  };
}
```

::: {.note}
The Element developers do not recommend running Element and your Matrix
homeserver on the same fully-qualified domain name for security reasons. In
the example, this means that you should not reuse the
`myhostname.example.org` virtualHost to also serve Element,
but instead serve it on a different subdomain, like
`element.example.org` in the example. See the
[Element Important Security Notes](https://github.com/element-hq/element-web/tree/v1.10.0#important-security-notes)
for more information on this subject.
:::
