README.rst 8.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209
  1. What is Sydent?
  2. ===============
  3. Sydent is an `identity server <https://spec.matrix.org/v1.6/identity-service-api/>`_ for the `Matrix communications protocol <matrix.org>`_. It allows Matrix users to prove that they own an email address or phone number, and allows _other_ Matrix users to look them up using that email address or phone number.
  4. Do I need to run Sydent to run my own homeserver?
  5. -------------------------------------------------
  6. Short answer: **no**.
  7. Medium answer: **probably not**. Most homeservers and clients use the Sydent
  8. instance run by `matrix.org`, or use no identity server whatsoever.
  9. Longer answer: if you want to allow user lookup via emails and phone numbers in
  10. a private federation of multiple homeservers, Sydent _might_ be useful for you.
  11. If you want your homeserver to be able to verify phone numbers via SMS and
  12. you have an API token for the `OpenMarket HTTP SMS API
  13. <https://www.openmarket.com/docs/Content/apis/v4http/overview.htm>`_, then
  14. Sydent might be useful for you.
  15. Installation
  16. ============
  17. Installing the system dependencies
  18. ----------------------------------
  19. To install Sydent's dependencies on a Debian-based system, run::
  20. sudo apt-get install build-essential python3-dev libffi-dev \
  21. sqlite3 libssl-dev python3-virtualenv libxslt1-dev
  22. From here, you can either install Sydent by using a PyPI release, or by recreating Sydent's locked runtime environment.
  23. Installing the latest Sydent release from PyPI
  24. ----------------------------------------------
  25. To create the virtual environment in which Sydent will run::
  26. virtualenv -p python3 ~/.sydent
  27. source ~/.sydent/bin/activate
  28. pip install --upgrade pip
  29. pip install --upgrade setuptools
  30. Sydent and its dependencies can be installed using ``pip`` by running::
  31. pip install matrix-sydent
  32. With the virtualenv activated, you can run Sydent using::
  33. python -m sydent.sydent
  34. Installing from source
  35. ~~~~~~~~~~~~~~~~~~~~~~
  36. Alternatively, Sydent can be installed using ``poetry`` from a local git checkout.
  37. First install `poetry`. See `poetry's documentation <https://python-poetry.org/docs/#installation>`_ for details; we recommend installing via `pipx`. Once that's done::
  38. git clone https://github.com/matrix-org/sydent.git
  39. cd sydent
  40. poetry install --no-dev
  41. # For development, pull in extra tools with
  42. # poetry install
  43. To start Sydent::
  44. poetry run sydent
  45. Running Sydent
  46. ==============
  47. When Sydent is first run, it will create a configuration file in ``sydent.conf`` with some defaults.
  48. If a setting is defined in both the ``[DEFAULT]`` section and another section in the configuration file,
  49. then the value in the other section is used.
  50. You'll most likely want to change the server name (``server.name``) and specify an email server
  51. (look for the settings starting with ``email.``).
  52. By default, Sydent will listen on ``0.0.0.0:8090``. This can be changed by changing the values for
  53. the configuration settings ``clientapi.http.bind_address`` and ``clientapi.http.port``.
  54. Sydent uses SQLite as its database backend. By default, it will create the database as ``sydent.db``
  55. in its working directory. The name can be overridden by modifying the ``db.file`` configuration option.
  56. Sydent is known to be working with SQLite version 3.16.2 and later.
  57. Listening for HTTPS connections
  58. -------------------------------
  59. Most homeservers and clients will expect identity servers to be reachable using HTTPS.
  60. Sydent does not currently support listening for HTTPS connection by itself. Instead, it
  61. is recommended to use a reverse proxy to proxy requests from homeservers and clients to
  62. Sydent. It is then possible to have this reverse proxy serve Sydent's API over HTTPS.
  63. When using a reverse proxy, it is recommended to limit the requests proxied to Sydent to
  64. ones which paths start with ``/_matrix/identity`` for security reasons.
  65. An exception to this is Sydent's internal replication API, see `<docs/replication.md>`_.
  66. SMS originators
  67. ---------------
  68. Defaults for SMS originators will not be added to the generated config file, these should
  69. be added to the ``[sms]`` section of that config file in the form::
  70. originators.<country code> = <long|short|alpha>:<originator>
  71. Where country code is the numeric country code, or ``default`` to specify the originator
  72. used for countries not listed. For example, to use a selection of long codes for the
  73. US/Canada, a short code for the UK and an alphanumertic originator for everywhere else::
  74. originators.1 = long:12125552368,long:12125552369
  75. originators.44 = short:12345
  76. originators.default = alpha:Matrix
  77. Docker
  78. ======
  79. A Dockerfile is provided for sydent. To use it, run ``docker build -t sydent .`` in a sydent checkout.
  80. To run it, use ``docker run --env=SYDENT_SERVER_NAME=my-sydent-server -p 8090:8090 sydent``.
  81. Persistent data
  82. ---------------
  83. By default, all data is stored in ``/data``. To persist this to disk, bind `/data` to a
  84. Docker volume.
  85. .. code-block:: shell
  86. docker volume create sydent-data
  87. docker run ... --mount type=volume,source=sydent-data,destination=/data sydent
  88. But you can also bind a local directory to the container.
  89. However, you then have to pay attention to the file permissions.
  90. .. code-block:: shell
  91. mkdir /path/to/sydent-data
  92. chown 993:993 /path/to/sydent-data
  93. docker run ... --mount type=bind,source=/path/to/sydent-data,destination=/data sydent
  94. Environment variables
  95. ---------------------
  96. .. warning:: These variables are only taken into account at first start and are written to the configuration file.
  97. +--------------------+-----------------+-----------------------+
  98. | Variable Name | Sydent default | Dockerfile default |
  99. +====================+=================+=======================+
  100. | SYDENT_SERVER_NAME | *empty* | *empty* |
  101. +--------------------+-----------------+-----------------------+
  102. | SYDENT_CONF | ``sydent.conf`` | ``/data/sydent.conf`` |
  103. +--------------------+-----------------+-----------------------+
  104. | SYDENT_PID_FILE | ``sydent.pid`` | ``/data/sydent.pid`` |
  105. +--------------------+-----------------+-----------------------+
  106. | SYDENT_DB_PATH | ``sydent.db`` | ``/data/sydent.db`` |
  107. +--------------------+-----------------+-----------------------+
  108. Internal bind and unbind API
  109. ============================
  110. It is possible to enable an internal API which allows for binding and unbinding
  111. between identifiers and matrix IDs without any validation.
  112. This is open to abuse, so is disabled by
  113. default, and when it is enabled, is available only on a separate socket which
  114. is bound to ``localhost`` by default.
  115. To enable it, configure the port in the config file. For example::
  116. [http]
  117. internalapi.http.port = 8091
  118. To change the address to which that API is bound, set the ``internalapi.http.bind_address`` configuration
  119. setting in the ``[http]`` section, for example::
  120. [http]
  121. internalapi.http.port = 8091
  122. internalapi.http.bind_address = 192.168.0.18
  123. As already mentioned above, this is open to abuse, so make sure this address is not publicly accessible.
  124. To use bind::
  125. curl -XPOST 'http://localhost:8091/_matrix/identity/internal/bind' -H "Content-Type: application/json" -d '{"address": "matthew@arasphere.net", "medium": "email", "mxid": "@matthew:matrix.org"}'
  126. The response has the same format as
  127. `/_matrix/identity/api/v1/3pid/bind <https://matrix.org/docs/spec/identity_service/r0.3.0#deprecated-post-matrix-identity-api-v1-3pid-bind>`_.
  128. To use unbind::
  129. curl -XPOST 'http://localhost:8091/_matrix/identity/internal/unbind' -H "Content-Type: application/json" -d '{"address": "matthew@arasphere.net", "medium": "email", "mxid": "@matthew:matrix.org"}'
  130. The response has the same format as
  131. `/_matrix/identity/api/v1/3pid/unbind <https://matrix.org/docs/spec/identity_service/r0.3.0#deprecated-post-matrix-identity-api-v1-3pid-unbind>`_.
  132. Replication
  133. ===========
  134. It is possible to configure a mesh of Sydent instances which replicate identity bindings
  135. between each other. See `<docs/replication.md>`_.
  136. Discussion
  137. ==========
  138. Matrix room: `#sydent:matrix.org <https://matrix.to/#/#sydent:matrix.org>`_.