Matrix
Forgejo

    Generic deployment documentation

    Getting help

    If you run into any problems while setting up Continuwuity, ask us in #continuwuity:continuwuity.org or open an issue on Forgejo.

    Installing Continuwuity

    Prebuilt binary

    Download the binary for your architecture (x86_64 or aarch64) - run the uname -m to check which you need.

    Prebuilt binaries are available from:

    The binaries require jemalloc and io_uring on the host system. Currently we can't cross-build static binaries - contributions are welcome here.

    Performance-optimised builds

    For x86_64 systems with CPUs from the last ~15 years, use the -haswell- optimised binaries for best performance. These binaries enable hardware-accelerated CRC32 checksumming in RocksDB, which significantly improves database performance. The haswell instruction set provides an excellent balance of compatibility and speed.

    If you're using Docker instead, equivalent performance-optimised images are available with the -maxperf suffix (e.g. forgejo.ellis.link/continuwuation/continuwuity:latest-maxperf). These images use the release-max-perf build profile with link-time optimisation (LTO) and, for amd64, target the haswell CPU architecture.

    Nix

    Theres a Nix package defined in our flake, available for Linux and MacOS. Add continuwuity as an input to your flake, and use inputs.continuwuity.packages.${system}.default to get a working Continuwuity package.

    If you simply wish to generate a binary using Nix, you can run nix build git+https://forgejo.ellis.link/continuwuation/continuwuity to generate a binary in result/bin/conduwuit.

    Compiling

    Alternatively, you may compile the binary yourself.

    Using Docker

    See the Building Docker Images section in the development documentation.

    Manual

    Dependencies
    • Run nix develop to get a devshell with everything you need
    • Or, install the following:
      • (On linux) liburing-dev on the compiling machine, and liburing on the target host
      • (On linux) pkg-config on the compiling machine to allow finding liburing
      • A C++ compiler and (on linux) libclang for RocksDB
    Build

    You can now build Continuwuity using cargo build --release.

    Continuwuity supports various optional features that can be enabled during compilation. Please see the Cargo.toml file for a comprehensive list, or ask in our rooms.

    Adding a Continuwuity user

    While Continuwuity can run as any user, it is better to use dedicated users for different services. This also ensures that the file permissions are set up correctly.

    In Debian, you can use this command to create a Continuwuity user:

    sudo adduser --system continuwuity --group --disabled-login --no-create-home

    For distros without adduser (or where it's a symlink to useradd):

    sudo useradd -r --shell /usr/bin/nologin --no-create-home continuwuity

    Setting up a systemd service

    You can find an example unit for continuwuity below. You may need to change the ExecStart= path to match where you placed the Continuwuity binary if it is not in /usr/bin/conduwuit.

    On systems where rsyslog is used alongside journald (i.e. Red Hat-based distros and OpenSUSE), put $EscapeControlCharactersOnReceive off inside /etc/rsyslog.conf to allow color in logs.

    If you are using a different database_path than the systemd unit's configured default (/var/lib/conduwuit), you need to add your path to the systemd unit's ReadWritePaths=. You can do this by either directly editing conduwuit.service and reloading systemd, or by running systemctl edit conduwuit.service and entering the following:

    [Service]
ReadWritePaths=/path/to/custom/database/path

    Example systemd Unit File

    Click to expand systemd unit file (conduwuit.service)
    [Unit]
Description=Continuwuity - Matrix homeserver
Documentation=https://continuwuity.org/
Wants=network-online.target
After=network-online.target
Alias=matrix-conduwuit.service

[Service]
DynamicUser=yes
User=conduwuit
Group=conduwuit
Type=notify-reload
ReloadSignal=SIGUSR1

Environment="CONTINUWUITY_LOG_TO_JOURNALD=true"
Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"
Environment="CONTINUWUITY_DATABASE_PATH=%S/conduwuit"
Environment="CONTINUWUITY_CONFIG_RELOAD_SIGNAL=true"

LoadCredential=conduwuit.toml:/etc/conduwuit/conduwuit.toml
RefreshOnReload=yes

ExecStart=/usr/bin/conduwuit --config ${CREDENTIALS_DIRECTORY}/conduwuit.toml

AmbientCapabilities=
CapabilityBoundingSet=

DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
#ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
PrivateIPC=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service @resources
SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
SystemCallErrorNumber=EPERM

# ConfigurationDirectory isn't specified here because it's created by
# the distro's package manager.
StateDirectory=conduwuit
RuntimeDirectory=conduwuit
RuntimeDirectoryMode=0750

Restart=on-failure
RestartSec=5

TimeoutStopSec=4m
TimeoutStartSec=10m

StartLimitInterval=1m
StartLimitBurst=5

[Install]
WantedBy=multi-user.target

    You can also view the file on Foregejo.

    Creating the Continuwuity configuration file

    Now you need to create the Continuwuity configuration file in /etc/conduwuit/conduwuit.toml. You can find an example configuration at conduwuit-example.toml.

    Please take a moment to read the config. You need to change at least the server name.

    Setting the correct file permissions

    If you are using a dedicated user for Continuwuity, you need to allow it to read the configuration. To do this, run:

    sudo chown -R root:root /etc/conduwuit
sudo chmod -R 755 /etc/conduwuit

    If you use the default database path you also need to run this:

    sudo mkdir -p /var/lib/conduwuit/
sudo chown -R continuwuity:continuwuity /var/lib/conduwuit/
sudo chmod 700 /var/lib/conduwuit/

    Exposing ports in the firewall or the router

    Matrix's default federation port is :8448, and clients use port :443. You will need to expose these ports on your firewall or router. If you use UFW, the commands to allow them are: ufw allow 8448/tcp and ufw allow 443/tcp.

    Alternative port/domain setups

    If you would like to use only port 443, a different port, or a subdomain for the homeserver, you will need to set up .well-known delegation. Consult the [global.well_known] section of the config file, and the Delegation/Split-domain page to learn more about these kinds of deployments.

    Setting up the Reverse Proxy

    Caddy

    Caddy is the recommended reverse proxy as it is easy to use, has good defaults, and handle TLS certificates automatically. After installing Caddy via your preferred method, create /etc/caddy/conf.d/conduwuit_caddyfile and enter the following (substitute example.com with your actual server name):

    example.com, example.com:8448 {
    # TCP reverse_proxy
    reverse_proxy 127.0.0.1:8008
}

    That's it! Just start and enable the service and you're set.

    sudo systemctl enable --now caddy

    Other Reverse Proxies

    Normally, your reverse proxy should route everything from port :8448 and :443 back to Continuwuity.

    For more granular controls, you will need to proxy everything under these following routes:

    • /_matrix/ - core Matrix APIs, which includes:

      • /_matrix/federation and /_matrix/key - core Server-Server APIs. These should be available on port :8448

      • /_matrix/client - core Client-Server APIs. These should be available on port :443

    • /_conduwuit/ and /_continuwuity/ - ad-hoc Continuwuity routes for password resets, email verification, and server details such as /local_user_count and /server_version.

    You can optionally reverse proxy the following individual routes:

    • /.well-known/matrix/client and /.well-known/matrix/server if using Continuwuity to perform delegation (see the [global.well_known] config section)
    • /.well-known/matrix/support if using Continuwuity to send the homeserver admin contact and support page
    • / and /_continuwuity/logo.svg if you would like to see the Continuwuity landing page

    Refer to the respective software's documentation and online guides on how to do so.

    Caveats for specific reverse proxies

    • Lighttpd is not supported as it appears to interfere with the X-Matrix Authorization header, making federation non-functional. If you find a workaround, please share it so we can add it to this documentation.

    • If using Apache, you need to use nocanon in your ProxyPass directive to prevent httpd from interfering with the X-Matrix header (note that Apache is not ideal as a general reverse proxy, so we discourage using it if alternatives are available).

    • If using Nginx, you need to pass the request URI to Continuwuity using $request_uri, like this:

      • proxy_pass http://127.0.0.1:6167$request_uri;
      • proxy_pass http://127.0.0.1:6167;

      Furthermore, Nginx users need to increase the client_max_body_size setting (default is 1M) to match the max_request_size defined in conduwuit.toml.

    Starting Your Server

    Now you can start Continuwuity with:

    sudo systemctl start conduwuit

    Set it to start automatically when your system boots with:

    sudo systemctl enable conduwuit

    Check Continuwuity logs with the following command:

    sudo journalctl -u conduwuit.service

    If Continuwuity has successfully initialized, you'll see output as below.

    In order to use your new homeserver, you need to create its
first user account.
Open your Matrix client of choice and register an account
on example.com using registration token x5keUZ811RqvLsNa .
Pick your own username and password!

    You can then open a Matrix client, enter your homeserver address, and register with the provided token. By default, the first user is the instance's first admin. They will be added to the #admin:example.com room and be able to issue admin commands.

    How do I know it works?

    To check if your server can communicate with other homeservers, use an external testing tool:

    If you can register your account but cannot join federated rooms, check your configuration and verify that your federation endpoints are opened and forwarded correctly.

    As a quick health check, you can also use these cURL commands:

    curl https://example.com/_conduwuit/server_version

# If using port 8448
curl https://example.com:8448/_conduwuit/server_version

# If federation is enabled
curl https://example.com:8448/_matrix/federation/v1/version

# For client-server endpoints
curl https://example.com/_matrix/client/versions

    What's next?

    • For smooth federation, set up a caching resolver according to the DNS tuning guide (recommended)
    • For Audio/Video call functionality see the Calls page.
    • Consult the Maintenance page for guidance on maintaining your homeserver.
    • If you want to set up an appservice, take a look at the Appservice Guide.