Work-in-progress proposal for the Kraftland MoeChat Next server, scheduled for around mid-2025

It has been about half a year since we migrated our server to conduwuit, a successor of Conduit. We are moving again because of ongoing end-to-end encryption and Element Call problems, other potential issues, and some differences in release philosophy. The checklist below tracks the progress of the migration.

Preparation

  • Spin up Keycloak instance for unified OIDC backend

The first stage - Spooling up

  • Serve a well-known configuration on kimiblock.top/.well-known/client and kimiblock.top/.well-known/server
  • Set the correct CORS headers for well-known
  • Stop the old Synapse homeserver and its sliding sync proxy
  • Startup Matrix Authentication Server
    • Set up correct well-knowns
    • Compile and package matrix-authentication-service
    • Install on target machine and update dependencies
    • Generate configuration
    • Adjust configuration
      • Configure upstream homeserver
      • Configure database access
      • Configure NGINX UNIX socket proxy
      • Load config as credentials
      • Configure upstream Kraftland authenticator
      • Hope for the best
    • systemd hardening
    • Dependency resolution
  • Start the Synapse homeserver
    • Drop previous matrix & syncv3 database
    • systemd: depend on MAS
    • Start over and modify service to use a new directory
    • Load config as a credential
    • Configure appropriate media retention
    • Disable message retention because it can introduce database corruption
    • Configure NGINX as reverse proxy
    • Configure Synapse to use Matrix Authentication Service
    • Configure Legacy Compat layer for OIDC authentication on NGINX
    • Enable Element Call for all users
    • Configure server for Element Call: namely the delayable events feature
  • Configure Synapse Rust Compressor
  • (Optional) Run the legacy sliding sync proxy for legacy users of Element Web and older Element X versions
  • Test if authentication works at all
  • Change the registration homeserver of the two web clients
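A pre-flight check for the items above, as an added example that is not part of the original checklist or the server's own tooling. It validates the two discovery documents (the Matrix-spec paths are /.well-known/matrix/client and /.well-known/matrix/server) including the CORS header the client document must carry, and lints the homeserver.yaml points from the list: message retention off, media retention set, the Element Call flags on, delegation to Matrix Authentication Server configured, and (from Stage 2) the room directory not federated. All responses and the config dict are constructed samples; the experimental flag names follow the Element Call deployment documentation at time of writing, and the `matrix_authentication_service` section name checked for newer Synapse releases is an assumption to verify.

```python
"""Pre-flight checks for the Synapse + Matrix Authentication Service setup.

Offline: every response and the homeserver config below is a constructed sample."""
from __future__ import annotations

import json
from typing import Any
from urllib.parse import urlparse


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def _https_url(value: Any) -> bool:
    if not isinstance(value, str):
        return False
    parts = urlparse(value)
    return parts.scheme == "https" and bool(parts.netloc)


def check_client_wellknown(status: int, headers: dict[str, str], body: str) -> list[str]:
    """Problems with a /.well-known/matrix/client response; an empty list means it passes.

    Element Web fetches this cross-origin, so without the CORS header discovery fails
    only in browsers, which is why the checklist calls the header out separately."""
    problems: list[str] = []
    if status != 200:
        problems.append(f"client well-known returned HTTP {status}, expected 200")
    if _header(headers, "Access-Control-Allow-Origin") != "*":
        problems.append("missing Access-Control-Allow-Origin: * (required for browser clients)")
    if not (_header(headers, "Content-Type") or "").startswith("application/json"):
        problems.append("Content-Type is not application/json")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    hs = doc.get("m.homeserver") if isinstance(doc, dict) else None
    if not isinstance(hs, dict) or not _https_url(hs.get("base_url")):
        problems.append("m.homeserver.base_url missing or not an https:// URL")
    # With auth delegated to MAS, Synapse advertises the OIDC issuer here (MSC2965);
    # Element X uses it to find the login and account-management pages.
    auth = doc.get("org.matrix.msc2965.authentication") if isinstance(doc, dict) else None
    if not isinstance(auth, dict):
        problems.append("no org.matrix.msc2965.authentication block: MAS delegation not advertised")
    else:
        for key in ("issuer", "account"):
            if not _https_url(auth.get(key)):
                problems.append(f"org.matrix.msc2965.authentication.{key} missing or not https://")
    return problems


def check_server_wellknown(status: int, body: str) -> list[str]:
    """Problems with /.well-known/matrix/server: m.server must be 'host' or 'host:port'."""
    problems: list[str] = []
    if status != 200:
        problems.append(f"server well-known returned HTTP {status}, expected 200")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    server = doc.get("m.server") if isinstance(doc, dict) else None
    if not isinstance(server, str) or not server:
        return problems + ["m.server missing"]
    host, sep, port = server.partition(":")
    if "/" in server or not host or (sep and not (port.isdigit() and 0 < int(port) < 65536)):
        problems.append(f"m.server is {server!r}, expected a bare 'hostname' or 'hostname:port'")
    return problems


def check_synapse_config(cfg: dict[str, Any]) -> list[str]:
    """Lint the parsed homeserver.yaml (passed in as a dict) against the checklist items."""
    problems: list[str] = []
    # Checklist: message retention stays off (it has caused database corruption here).
    if (cfg.get("retention") or {}).get("enabled"):
        problems.append("retention.enabled is true; the checklist keeps message retention disabled")
    media = cfg.get("media_retention") or {}
    for key in ("local_media_lifetime", "remote_media_lifetime"):
        if key not in media:
            problems.append(f"media_retention.{key} is not set")
    # Stage 2 item: do not federate the room directory (Synapse defaults to false).
    if cfg.get("allow_public_rooms_over_federation", False):
        problems.append("allow_public_rooms_over_federation should be false")
    exp = cfg.get("experimental_features") or {}
    # Element Call needs room summaries (MSC3266) and delayed events (MSC4140); flag names
    # follow the Element Call deployment docs at time of writing, confirm for your version.
    for flag in ("msc3266_enabled", "msc4140_enabled"):
        if exp.get(flag) is not True:
            problems.append(f"experimental_features.{flag} is not true (needed for Element Call)")
    # MAS delegation lives under experimental_features.msc3861; the dedicated top-level
    # section name checked first is an assumption for newer Synapse releases.
    mas = (cfg.get("matrix_authentication_service") or {}) or (exp.get("msc3861") or {})
    if not mas.get("enabled"):
        problems.append("Synapse is not configured to delegate authentication to MAS")
    return problems


# Constructed sample data (not captured from the real deployment).
SAMPLE_CLIENT_HEADERS = {"Content-Type": "application/json; charset=utf-8",
                         "Access-Control-Allow-Origin": "*"}
SAMPLE_CLIENT_BODY = json.dumps({
    "m.homeserver": {"base_url": "https://matrix.example.org"},
    "org.matrix.msc2965.authentication": {"issuer": "https://auth.example.org/",
                                          "account": "https://auth.example.org/account/"},
})
SAMPLE_SERVER_BODY = json.dumps({"m.server": "matrix.example.org:443"})
SAMPLE_SYNAPSE_CONFIG: dict[str, Any] = {
    "retention": {"enabled": False},
    "media_retention": {"local_media_lifetime": "90d", "remote_media_lifetime": "14d"},
    "allow_public_rooms_over_federation": False,
    "experimental_features": {"msc3266_enabled": True, "msc4140_enabled": True,
                              "msc3861": {"enabled": True, "issuer": "https://auth.example.org/"}},
}


def run_all() -> dict[str, list[str]]:
    """Run every check on the sample data; all-empty lists means the setup passes."""
    return {"client": check_client_wellknown(200, SAMPLE_CLIENT_HEADERS, SAMPLE_CLIENT_BODY),
            "server": check_server_wellknown(200, SAMPLE_SERVER_BODY),
            "synapse": check_synapse_config(SAMPLE_SYNAPSE_CONFIG)}


if __name__ == "__main__":
    for name, found in run_all().items():
        print(f"{name}: {'OK' if not found else found}")
```

Against a live server, feed `check_client_wellknown` the status, headers and body of an actual GET (any HTTP client will do) and pass `check_synapse_config` the dict that `yaml.safe_load` returns for homeserver.yaml; the functions themselves stay network-free so they can run in a deploy pipeline before the service is switched over.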

Stage 2 - Migrating

  • Advise all local users about this migration via server notice
  • Migrate bridge ownership
  • Verify all users have migrated
  • Test Element Call and legacy VoIP
  • In tether.kimiblock.top’s configuration, disable federation of the room directory
  • News Flash space
    • Change the primary address of the space and every room in it
    • Un-publish all rooms from the room directory
  • Kraftland space
    • Change the primary address of the space and every room in it
    • Un-publish all rooms from the room directory
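The two per-space steps above (move the primary address, un-publish from the directory) applied to a space and every child room, as an added example that is not the server's own tooling. It uses only Client-Server API endpoints from the Matrix spec; `RecordingClient`, the room IDs and the domains are constructed stand-ins so it runs offline, and the transport is pluggable so an authenticated HTTP client can replace it.

```python
"""Stage 2 helper: move the primary address of a space and all its child rooms to a
new domain, then un-publish each of them from the public room directory.

Only Client-Server API endpoints from the Matrix spec are used. RecordingClient is a
constructed stand-in for an authenticated HTTP client so the code runs offline."""
from __future__ import annotations

from typing import Any
from urllib.parse import quote

V3 = "/_matrix/client/v3"


def _enc(value: str) -> str:
    """Room IDs and aliases contain '!', '#' and ':' and must be percent-encoded in paths."""
    return quote(value, safe="")


class RecordingClient:
    """Serves canned room state for GET and records every PUT with its path and body."""

    def __init__(self, state_by_room: dict[str, list[dict[str, Any]]]) -> None:
        self.state_by_room = state_by_room
        self.calls: list[tuple[str, str, Any]] = []

    def get(self, path: str) -> Any:
        self.calls.append(("GET", path, None))
        for room_id, events in self.state_by_room.items():
            if path == f"{V3}/rooms/{_enc(room_id)}/state":
                return events
        raise KeyError(path)

    def put(self, path: str, body: dict[str, Any]) -> None:
        self.calls.append(("PUT", path, body))


def room_state(client: Any, room_id: str) -> list[dict[str, Any]]:
    return client.get(f"{V3}/rooms/{_enc(room_id)}/state")


def space_children(state: list[dict[str, Any]]) -> list[str]:
    """Children are m.space.child events with a non-empty 'via'; empty content means removed."""
    return [ev["state_key"] for ev in state
            if ev.get("type") == "m.space.child" and ev.get("content", {}).get("via")]


def canonical_alias(state: list[dict[str, Any]]) -> str | None:
    for ev in state:
        if ev.get("type") == "m.room.canonical_alias":
            return ev.get("content", {}).get("alias")
    return None


def move_primary_address(client: Any, room_id: str, state: list[dict[str, Any]],
                         old_domain: str, new_domain: str) -> str | None:
    """Create #local:new_domain, make it canonical and keep the old alias as an alt alias
    so existing links keep resolving. Returns the new alias, or None when the room's
    primary address is not on old_domain. A server can only create aliases in its own
    namespace, so the caller must be a user on the homeserver that owns new_domain."""
    alias = canonical_alias(state)
    if not alias or not alias.endswith(":" + old_domain):
        return None
    new_alias = alias[: -len(old_domain)] + new_domain
    client.put(f"{V3}/directory/room/{_enc(new_alias)}", {"room_id": room_id})
    # m.room.canonical_alias has an empty state_key, so it is omitted from the path.
    client.put(f"{V3}/rooms/{_enc(room_id)}/state/m.room.canonical_alias",
               {"alias": new_alias, "alt_aliases": [alias]})
    return new_alias


def unpublish(client: Any, room_id: str) -> None:
    """Remove the room from the server's public directory via the directory visibility endpoint."""
    client.put(f"{V3}/directory/list/room/{_enc(room_id)}", {"visibility": "private"})


def migrate_space(client: Any, space_id: str, old_domain: str, new_domain: str) -> dict[str, str | None]:
    """Apply both Stage 2 steps to the space itself and to every child room; returns the new aliases."""
    space_state = room_state(client, space_id)
    result: dict[str, str | None] = {}
    for room_id in [space_id] + space_children(space_state):
        state = space_state if room_id == space_id else room_state(client, room_id)
        result[room_id] = move_primary_address(client, room_id, state, old_domain, new_domain)
        unpublish(client, room_id)
    return result


# Constructed sample: a space with two live children (one without an alias) and one removed child.
SPACE, ROOM_A, ROOM_B = "!space:old.example", "!a:old.example", "!b:old.example"
SAMPLE_STATE = {
    SPACE: [
        {"type": "m.room.canonical_alias", "state_key": "", "content": {"alias": "#kraftland:old.example"}},
        {"type": "m.space.child", "state_key": ROOM_A, "content": {"via": ["old.example"]}},
        {"type": "m.space.child", "state_key": ROOM_B, "content": {"via": ["old.example"]}},
        {"type": "m.space.child", "state_key": "!removed:old.example", "content": {}},
    ],
    ROOM_A: [{"type": "m.room.canonical_alias", "state_key": "", "content": {"alias": "#general:old.example"}}],
    ROOM_B: [],
}

if __name__ == "__main__":
    demo = RecordingClient(SAMPLE_STATE)
    print(migrate_space(demo, SPACE, "old.example", "new.example"))
    for method, path, body in demo.calls:
        print(method, path, body)
```

Swapping `RecordingClient` for a real client means a `get`/`put` pair that sends the access token and raises on non-2xx responses; the room-walking and alias logic stays unchanged, and the recorded call list from a dry run is a convenient way to review exactly which rooms will be touched before running it for real.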