Synapse Self-Hosted Server For The Ghosts

ops-tactics.jpg

Encrypted communication is the first line of defense against surveillance and compromise.

When data travels unencrypted, it becomes a breadcrumb trail for anyone watching the path.

Small and medium enterprises hold trade secrets, client lists, and financial records.
A single leak can destroy trust, reputation, and revenue.

Matrix is a federated protocol built on open standards.

Its end-to-end encryption relies on Olm and Megolm.
Messages are encrypted on the sender's device and can only be decrypted by intended recipients.
No central authority ever stores plaintext.

Synapse, the reference Matrix homeserver, is light enough for a single node yet robust enough to scale.

It supports:

  • TLS for all HTTP traffic
  • WebSocket encryption for real-time sync
  • Optional TURN via coturn for media relay

Deploying with Let's Encrypt keeps certificates valid and trusted at no cost.
A simple certbot job renews them automatically.

TURN is required for voice and video when NAT traversal fails.
coturn can run on the same host or a dedicated relay.
Use shared-secret authentication instead of static credentials and bind it to your Synapse instance.
This keeps media encrypted end-to-end while routing through TURN.

Hardening

  • Disable unused Synapse modules
  • Enforce TLS for all clients
  • Restrict inbound traffic to ports 8448 (Synapse) and 3478/5349 (coturn)
  • Enable two-factor authentication for admin users
  • Back up the homeserver database, configuration, and media store

Encrypt backups with GPG, rotate daily, and keep at least one copy offline for disaster recovery.

PostgreSQL Backend

Synapse defaults to SQLite, but PostgreSQL is recommended for production.
ACID guarantees keep data consistent under load.
Encrypt the database at rest if the host is shared or untrusted.
Use pg_dump with GPG for secure, portable snapshots.
Regularly VACUUM and ANALYZE to maintain performance.

Federation Off

Disable federation to eliminate metadata leaks.

In homeserver.yaml: 

 federation_ip_range_blacklist: [ "0.0.0.0/0"]
 federation_domain_whitelist: []

The server will then accept only local users and rooms.
No external lookups or pings leave your network.

Element Call Beta

Room-level conference calls use WebRTC through Element Call.

coturn manages ICE candidates.
Beta status means occasional instability - test in a staging room before production.

Final Whisper

Every ghost deserves silence that only they can hear.
Privacy is not a luxury; it is a right.

Secure your conversations.
Stay quiet. Stay alive.

DeadSwitch | The Silent Architect
In silence, I rise. In the storm, I endure.