Matrix Administration
Administering a Matrix server: Admin API, MAS, backup.
Admin API
Authentication
```bash
# Get the access token
export TOKEN="syt_..."

# Or obtain one by logging in
# (a password passed with -d is recorded in shell history and visible in the process list)
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"type":"m.login.password","user":"admin","password":"password"}' \
  https://matrix.example.com/_matrix/client/v3/login
```
Users
```bash
# List users
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://matrix.example.com/_synapse/admin/v2/users?limit=100" | jq

# User details
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://matrix.example.com/_synapse/admin/v2/users/@user:example.com" | jq

# Create a user
curl -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "securepassword",
    "displayname": "New User",
    "admin": false
  }' \
  "https://matrix.example.com/_synapse/admin/v2/users/@newuser:example.com"

# Change the password
curl -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"password": "newpassword"}' \
  "https://matrix.example.com/_synapse/admin/v2/users/@user:example.com"

# Deactivate
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"erase": false}' \
  "https://matrix.example.com/_synapse/admin/v1/deactivate/@user:example.com"
```
Rooms
```bash
# Room IDs start with '!', so the URLs are single-quoted
# to avoid history expansion in an interactive bash session.

# List rooms
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://matrix.example.com/_synapse/admin/v1/rooms?limit=50" | jq

# Room details
curl -s -H "Authorization: Bearer $TOKEN" \
  'https://matrix.example.com/_synapse/admin/v1/rooms/!roomid:example.com' | jq

# Room members
curl -s -H "Authorization: Bearer $TOKEN" \
  'https://matrix.example.com/_synapse/admin/v1/rooms/!roomid:example.com/members' | jq

# Delete a room
curl -X DELETE \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "purge": true,
    "message": "Room deleted by admin"
  }' \
  'https://matrix.example.com/_synapse/admin/v2/rooms/!roomid:example.com'

# Block a room
curl -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"block": true}' \
  'https://matrix.example.com/_synapse/admin/v1/rooms/!roomid:example.com/block'
```
Media
```bash
# Media statistics
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://matrix.example.com/_synapse/admin/v1/statistics/users/media" | jq

# Delete a user's media
curl -X DELETE \
  -H "Authorization: Bearer $TOKEN" \
  "https://matrix.example.com/_synapse/admin/v1/users/@user:example.com/media"

# Purge the remote media cache (before_ts is in milliseconds)
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  "https://matrix.example.com/_synapse/admin/v1/purge_media_cache?before_ts=$(date -d '30 days ago' +%s)000"
```
Server
```bash
# Version
curl -s "https://matrix.example.com/_matrix/federation/v1/version" | jq

# Background jobs
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://matrix.example.com/_synapse/admin/v1/background_updates/status" | jq

# Purge history (single-quoted URL because of the '!' in the room ID)
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "delete_local_events": true,
    "purge_up_to_ts": 1609459200000
  }' \
  'https://matrix.example.com/_synapse/admin/v1/purge_history/!roomid:example.com'
```
MAS (Matrix Authentication Service)
Installation
```yaml
version: '3.8'

services:
  mas:
    image: ghcr.io/element-hq/matrix-authentication-service:latest
    container_name: mas
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - ./mas-config.yaml:/config.yaml:ro
      - mas-data:/data
    environment:
      - MAS_CONFIG=/config.yaml

volumes:
  mas-data:
```
Configuration
mas-config.yaml:
```yaml
http:
  listeners:
    - name: web
      binds:
        - address: "[::]:8080"
      proxy_protocol: false
      resources:
        - name: discovery
        - name: human
        - name: oauth
        - name: compat
        - name: graphql
        - name: assets

database:
  uri: sqlite:///data/mas.db

secrets:
  encryption: "32-byte-random-key-here"
  keys:
    - kid: "key1"
      key: |
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----

clients:
  - client_id: synapse
    client_auth_method: client_secret_basic
    client_secret: "synapse-client-secret"

upstream_oauth2:
  providers:
    - id: oidc
      issuer: https://accounts.google.com
      client_id: your-google-client-id
      client_secret: your-google-secret
      scope: "openid email profile"

matrix:
  homeserver: matrix.example.com
  secret: "shared-secret-with-synapse"
  endpoint: http://synapse:8008
```
Synapse integration
```yaml
# homeserver.yaml
experimental_features:
  msc3861:
    enabled: true
    issuer: https://auth.example.com/
    client_id: synapse
    client_auth_method: client_secret_basic
    client_secret: "synapse-client-secret"
    admin_token: "mas-admin-token"
```
Verification
```bash
# OIDC discovery
curl https://auth.example.com/.well-known/openid-configuration | jq

# Health
curl https://auth.example.com/health
```
Backup
What to back up
| Component | Path | Criticality |
|---|---|---|
| Database | PostgreSQL dump | Critical |
| Media | /data/media_store | Important |
| Signing keys | *.signing.key | Critical |
| Config | homeserver.yaml | Important |
PostgreSQL
```bash
# Backup
docker exec postgres pg_dump -U synapse synapse | gzip > synapse_$(date +%Y%m%d).sql.gz

# Automatic backup (crontab entry; % must be escaped in crontab)
0 3 * * * docker exec postgres pg_dump -U synapse synapse | gzip > /backup/synapse_$(date +\%Y\%m\%d).sql.gz

# Restore
gunzip -c synapse_20240101.sql.gz | docker exec -i postgres psql -U synapse synapse
```
Media Store
```bash
# Backup
tar -czvf media_$(date +%Y%m%d).tar.gz /var/lib/docker/volumes/synapse-data/_data/media_store

# Incremental with rsync
rsync -av --progress /var/lib/docker/volumes/synapse-data/_data/media_store/ /backup/media/
```
Signing Keys
```bash
# Critical! Store separately
cp /var/lib/docker/volumes/synapse-data/_data/*.signing.key /backup/keys/
# If they are lost, federation will break
```
Full backup script
```bash
#!/bin/bash
set -euo pipefail   # stop on the first failed step, including a failed pg_dump
umask 077           # the backup holds signing keys and the full database

BACKUP_DIR="/backup/matrix/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"

# Database
docker exec postgres pg_dump -U synapse synapse | gzip > "$BACKUP_DIR/database.sql.gz"

# Media
tar -czf "$BACKUP_DIR/media.tar.gz" /var/lib/docker/volumes/synapse-data/_data/media_store

# Keys
cp /var/lib/docker/volumes/synapse-data/_data/*.signing.key "$BACKUP_DIR/"

# Config
cp /opt/matrix/homeserver.yaml "$BACKUP_DIR/"

# Retention (keep 7 days); only the dated directories directly under /backup/matrix
find /backup/matrix -mindepth 1 -maxdepth 1 -type d -mtime +7 -exec rm -rf {} +

echo "Backup completed: $BACKUP_DIR"
```
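A backup is only useful if it can be restored, so the following added example (not part of the original page) checks one dated backup directory. It assumes the file layout written by the full backup script; the function name `verify_backup` and the owner-only permission check on signing keys are assumptions made for this example.

```bash
#!/bin/bash
# Added example: check one backup directory written by the backup script.
# Assumed layout (from that script): database.sql.gz, media.tar.gz,
# *.signing.key and homeserver.yaml side by side in a dated directory.

verify_backup() {
    local dir="$1" failed=0 keys=0 key

    # pg_dump | gzip leaves a valid but empty archive when pg_dump fails,
    # so test both the gzip stream and that it holds at least one byte.
    if ! gzip -t "$dir/database.sql.gz" 2>/dev/null; then
        echo "FAIL: database.sql.gz missing or corrupt" >&2; failed=1
    elif [ "$(gzip -dc "$dir/database.sql.gz" | head -c 16 | wc -c)" -eq 0 ]; then
        echo "FAIL: database.sql.gz is empty" >&2; failed=1
    fi

    # Listing the archive reads it end to end and fails on truncation.
    if ! tar -tzf "$dir/media.tar.gz" >/dev/null 2>&1; then
        echo "FAIL: media.tar.gz missing or unreadable" >&2; failed=1
    fi

    # Signing keys: at least one, non-empty, readable by the owner only
    # (the permission check is an added hardening assumption).
    for key in "$dir"/*.signing.key; do
        [ -s "$key" ] || continue
        keys=$((keys + 1))
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
            echo "FAIL: $key is group- or world-readable" >&2; failed=1
        fi
    done
    if [ "$keys" -eq 0 ]; then
        echo "FAIL: no signing key in backup" >&2; failed=1
    fi

    if [ ! -s "$dir/homeserver.yaml" ]; then
        echo "FAIL: homeserver.yaml missing or empty" >&2; failed=1
    fi
    return "$failed"
}

# Usage: verify_backup "/backup/matrix/$(date +%Y%m%d)" || exit 1
```
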
Restore
```bash
# 1. Stop Synapse
docker compose stop synapse

# 2. Restore database
gunzip -c database.sql.gz | docker exec -i postgres psql -U synapse synapse

# 3. Restore media
tar -xzf media.tar.gz -C /

# 4. Restore keys
cp *.signing.key /var/lib/docker/volumes/synapse-data/_data/

# 5. Start
docker compose up -d synapse
```
Monitoring
Metrics
```yaml
# homeserver.yaml
enable_metrics: true
```
```bash
# Prometheus scrape
curl http://localhost:9000/metrics
```
Alerting
```yaml
# Prometheus rules
groups:
  - name: synapse
    rules:
      - alert: SynapseDown
        expr: up{job="synapse"} == 0
        for: 5m
      - alert: SynapseFederationFailed
        expr: synapse_federation_last_successful_stream_position == 0
        for: 15m
```
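Maintenance
Cleanup
```bash
# Delete old history (older than 180 days)
docker exec synapse python -m synapse.storage.purge_events \
  --config-path /data/homeserver.yaml \
  --before $(date -d '180 days ago' +%s)000

# Docker cleanup
# Caution: -a removes every unused image and --volumes removes unused volumes;
# run it only while the Matrix stack is up and after a backup.
docker system prune -af --volumes
```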
Updating
```bash
# Back up before updating!
./backup.sh

# Update
docker compose pull
docker compose up -d

# Check the logs
docker compose logs -f synapse
```
Path: services/matrix/admin.md