Open Infrastructure

h1. Ungleich Matrix-as-a-Service (MaaS)

{{toc}}

*%{color:green}This document concerns end-users/customers. See [[The ungleich Matrix infrastructure]] page for server-side documentation.%*

h2. Status

This document is *in PRODUCTION*

h2. Overview

"Matrix":https://matrix.org/ is an open and decentralized IM system supporting modern features such as end-to-end encryption, message history, bridging to other networks, VoIP and more. It is based a federated structure, similar to what is done with emails: users use a home server as 'gateway' to the network. Our MaaS offer provides you with such a server as well as an hosted web client, "Element":https://element.io/.

"Element's features page":https://element.io/features gives you a good overview of Matrix's possibilities.

h2. Domain

h3. Q: What server name will I get?

You can either use your own domain name (see below) or ask us for $ORGANIZATION.0co2.cloud.

h3. Q: Can I use a custom domain name?

Yes! You will have to give us three domain names:

* a) *the homeserver*: this is where the actual server is running - this can be on domain "A" - in case of ungleich we use *ungleich.matrix.ungleich.cloud* and give away *YOURNAME.matrix.ungleich.cloud* for free

* b) *the address of the web client* - this is where people with their webbrowser go to - this should be different from "A". Often this is something like *chat.example.org* or *matrix.example.org*. In case of ungleich this domain is *matrix.ungleich.ch.*

* c) *the main matrix domain*: the one you use for users and rooms. This is usually your main domain and is different from A. For ungleich this is *ungleich.ch*. Most people will choose their "main domain", for instance *example.org* here.

You will also need to configure 2 files below *the main matrix domain*

- */.well-known/matrix/server* containing *{"m.server": "homeserver:443"}*.

       Example: <pre>$ curl https://ungleich.ch/.well-known/matrix/server

{"m.server": "ungleich.matrix.ungleich.cloud:443"}</pre>

   - */.well-known/matrix/client* containing *{ "m.homeserver": { "base_url": "https://homeserver" } }*. Example: <pre>

curl https://ungleich.ch/.well-known/matrix/client 

{ "m.homeserver": { "base_url": "https://ungleich.matrix.ungleich.cloud" } }

</pre>

h3. Q: Why can't I use the same domain for everything?

The home server should be on a different domain to prevent possible XSS (cross site scripting) attacks.

You can find details about it on https://github.com/matrix-org/synapse#security-note.

For this reason we offer YOURNAME.matrix.ungleich.cloud for free for all homeservers.

h3. Q: What if I only have one domain?

If you only have one domain, let's say chat.example.com, we can provide you with a domain for either the webclient or synapse.

h3. Q: How many domains do I need for a standard matrix setup?

Typically 3 domain names are used:

* The domain that defines your *room and user names* (for ungleich this is *ungleich.ch*)

* The domain that your users type in the web browser to join the chat (for ungleich this is *matrix.ungleich.ch*)

* The domain on which your *homeserver* (the server providing the matrix server) is reachable (for ungleich this is *ungleich.matrix.ungleich.cloud*)

The homeserver needs to be on a different domain than the other two to avoid possible XSS attacks.

h3. Q: Can I change the subdomain after the Matrix setup? 

No, since your homeserver will federate with the broader network.

h2. Registration

h3. Q: What kind of registration policy could be implemented for a matrix instance?

You can easily:

- Close registrations, create users by hand from the admin UI.

- Let anyone register.

- Use an external source for authentication (e.g. company directory / account system).

- Use a token based registration (https://matrix.org/docs/projects/other/matrix-registration)

- Filter spam users via CAPTCHA (the admin user will need to have a Google account for managing the registration)

If your use case is in the above list, you can get in touch with our team to find a fitting solution.

h3. Q: How can I create users if I public signup is disabled?

After setup you will receive a username/password pair from us on a secure channel. You can use this information to login to https://admin.matrix.ungleich.cloud.

h3. Q: We would like to be able to moderate registration requests. For example, we'll have a list of approved emails to reference against those submitted. Would this be possible?

There is no 'approval' system in matrix/synapse right now. Either:

Everyone can register.

You register new users via the admin interface.

Approval is handled on a third-party service, which provides an authentication backend to matrix/synapse.

h3. Q: We are receiving a lot of spam users in our Matrix. How can we control this at registration?

You could enable CAPTCHA to filter new accounts registration. You can send us your CAPTCHA key following the steps below, and we can change your configuration with it with a small config change fee of 30 CHF. For enabling CAPTCHA you would need a Google account.

1. Register a new site at https://www.google.com/recaptcha/admin/create

* Set the label to anything you want

* Set the type to reCAPTCHA v2 using the "I'm not a robot" Checkbox option. This is the only type of captcha that works with Synapse.

* Add the domain of element web(if you have) /  if you don't have element-web, you should public hostname for your server, as set in public\_baseurl, to the list of authorized domains. If you have not set public\_baseurl, use server\_name.

* Agree to the terms of service and submit.

2. Copy your site key and secret key and send it to us.

h2. Encryption

h3. Q: Are video/audio calls in Matrix End-to-end-encrypted(E2EE)?

Video & Phone is handled by a jitsi server by default - matrix adds it as an integration, but does not handle video/audio directly. So the answer is: not E2EE for audio/video.

h3. Q: Does ungleich have access to my Matrix admin UI? How does my chat content stay secure?

Once you change the initial password we do not have external access to the software anymore but we have access to the underlying server since we manage it: we can read and change things in the database 'by hand' since we have physical access to it. However end-to-end encrypted rooms stay secure. The content is encrypted with the user's keys and to us it will be shown in ciphertext.

h2. Configuration changes

Changing your Matrix configurations after setup requires manual work from our team. The configuration can be supported with following pricing.

* Small configuration change: 30 CHF (ex: adding CAPTCHA to registration for spam control)

* Medium configuration change: 70 CHF (ex: adding single sign-on or changing the authentication method)

* Other configuration changes are charged on hourly basis with an order of a minimum of 1 hour. The rate for Matrix configuration work is 250 CHF per hour.

h2. FAQ

h3. Q: How many users can I have? What are the resources allocated to my matrix server?

We do not enforce a limit of the number of users: you can do anythign you want as long as you fit the resources allocated to your homeserver. You are provided with 1GB of memory, 1vCPU and 20GB of storage with the base offer, which can be extended on demand (Pricing is the same as ipv6onlyhosting VMs, since that's what we use underneath).

h3. Q: What server implementation and version do you use?

We use the "synapse reference homeserver":https://github.com/matrix-org/synapse/ package "provided by docker hub.(https://hub.docker.com/r/matrixdotorg/synapse)

h3. Q: What client can I use? Do you recommend one?

We recommend and provide you a web version of the "Element client":https://element.io/ (desktop and mobile) but you can use "any matrix client":https://matrix.org/clients/.

h3. Q: Can I set option X in synapse/riot?

Yes! Contact the ungleich support with the requested changes, which we will apply to the deployment configuration of your instance.

h3. Q: Do you provide a TURN server for VoIP?

Yes.

h3. Q: What are application services can I use?

We support bridging to other services (IRC, Matrix, Telegram, Slack, ...) via "matterbridge":https://github.com/42wim/matterbridge, deployed on demand.

h3. Q: If I do not use an LDAP directory, can I still manage my users?

Yes! We provide you with a management UI on https://admin.matrix.ungleich.cloud. You will have to use the full address of your matrix homeserver (e.g. ungleich.matrix.ungleich.cloud).

h3. Q: How can I delete rooms in Matrix?

To delete a room, simply everybody in the room needs to leave the room. Then the room gets removed from the server. If you are admin, you can kick everybody in the room if you want to force remove the room.

h2. Matrix UI/UX development support program

On 2020-04-21 we started our new support program to specifically enhance the UI and UX of Matrix. With this program we want to enhance the usability of the web client and the apps.

h3. How the matrix support program works

If you want to support UI/UX improvements of Matrix, you can support the work financially with 15 CHF (roughly about 15 USD) as a one time or monthly payment (below 15 CHF is costing too much in transfer fees).

To do so, write an email with the subject "I want to support the Matrix UI/UX improvements" to support -at- ungleich.ch and include the amount that you are willing to contribute and whether you want to pay via credit card or wire transfer.

Also mention whether you want to be publicly listed as a supporter on this website.

h3. Development and transparency

All money that comes in will only be used to finance development and design work related to Matrix. We will continuously update this website with contributions and which tasks we work on.

h3. Why is ungleich doing this?

We at ungleich think that Matrix has one really, really huge edge over almost all other solutions: it is really decentralised and federated. It finally solves the problems of data silos that exists in many places in IT.

However we do acknowledge that Matrix can benefit a lot from UI/UX improvements and thus we wanted to create an easy way for anyone to contribute to it.

h3. List of tasks / work

"UI/UX improvement suggestions for matrix":https://redmine.ungleich.ch/issues/7876