Setting Up An Out-of-Band Channel for Incident Handling with Matrix
Getting started takes three steps:
Matrix Recorder is a recording bot using the Matrix API to archive short messages over time.
- Establish a back-end server on Digital Ocean
- Serve the Riot front-end website
- Establish a recording capability with Matrix Recorder
For the two first points, it is clever to use an approach that can
be easily reproduced and that provides exactly the same,
secure-by-default configuration each time. Due to this the
preferred method in this case is to manage the VPS that can be
established on anything with Debian or CentOS with Ansible. There
is a script available on Github, known as
matrix-docker-ansible-deploy. The latter have also been endorsed
by the Matrix project. Both 1 and 2 can be accomplished with
matrix-docker-ansible-deploy is an ansible role to deploy a Matrix server. In the Matrix Weekly there as a Matrix project endorsement for the ansible role.
So let’s get started.
For this example I created a domain on namesilo.com and pointed
(ns1|ns2|ns3).digitalocean.com. It would be ufortunate
for the continuity of the service if a domain was taken offline or
redirected somewhere, but due to the end to end encryption in
Matrix it would not compromise the content of the
conversations. Now that Digital Ocean has control of the primary
domain, make sure to add the following before continuing:
Type Hostname Value TTL
A <domain> <ip> 600
A riot.<domain> <ip> 600
A matrix.<domain> <ip> 600
SRV _matrix._tcp.<domain> 10 0 8448 matrix.<domain> 600
This can take some time to propagate, so make sure that the
DNS-infrastructure is readily resolvable before you continue
deploying the services.
Make sure to grab a copy of the current
matrix-docker-ansible-deploy by running:
git clone https://github.com/spantaleev/matrix-docker-ansible-deploy.git
Create the following files:
vars.yml should look like this:
matrix_coturn_turn_static_auth_secret: "<run pwgen -s 64 1>"
matrix_synapse_macaroon_secret_key: "<run pwgen -s 64 1>"
hosts file should be formatted like the following:
Deploy and Execute
Now that your configuration files and server are ready, you can
start deploying the Matrix Synapse server and start serving the
Riot HTML/JS client.
First deploy the services (Riot and Matrix Synapse) by running:
ansible-playbook -i inventory/hosts setup.yml --tags=setup-main
When that completes successfully, you can start the services by:
ansible-playbook -i inventory/hosts setup.yml --tags=start
After starting the services, the Riot web interface is available
https://riot.<domain> where metadata is protected by a
Let’s Encrypt certificate.
The two primary endpoints you now have exposed to the WWW is:
- The Matrix API which runs at https://matrix.
- The Riot UI which runs at https://riot.
https://riot.<domain> brings you to the Riot
Registration is disabled by default on the server, so new users
can be added by the following command:
ansible-playbook -i inventory/hosts setup.yml
It is better to use pseudonyms on such a platform to make sure no
information can be traced to a specific individual not involved in
the case. Each user needs to verify his private key fingerprint
with the other participants.
Vital Steps to Take as an Administrator
When using multiple servers, it is necessary to create an
#control channel that is a fallback if a server hosting a room
Setup Matrix Recorder
To make sure that all communications is stored for traceability
make sure to install the Matrix Recorded (MR). MR should be
installed locally and not on the Matrix server.
git clone https://gitlab.com/argit/matrix-recorder.git
To execute the recorder, run the following. The first time you
will be asked to enter the login credentials of the user.
$ node matrix-recorder.js <case-folder>
Your homeserver (give full URL): https://matrix.<domain>
Your username at the homeserver: <username>
Your password at the homeserver: <password>
No of items to retrieve for initial sync: 1000
View messages as HTML by running the Matrix Recorder conversion
node recorder-to-html.js <case-folder>
Access monitoring can be done in the console by e.g.
The Power of Disposability
At some point you have finished the information exchange. The
beauty of this setup is that is can now be safely deleted from the
Digital Ocean droplet console.