253 lines
5.8 KiB
Markdown
253 lines
5.8 KiB
Markdown
|
---
|
||
|
title: "Prosody Photo Uploads"
|
||
|
date: 2021-01-25
|
||
|
draft: false
|
||
|
tags: ["xmpp","prosody","debian","letsencrypt"]
|
||
|
authors: ["trent"]
|
||
|
---
|
||
|
date: 2021-01-25
|
||
|
|
||
|
## **Introduction**
|
||
|
|
||
|
Install [prosody](https://prosody.im/){target=_blank} on [Debian 10](https://www.debian.org/){target=_blank}
|
||
|
with photoupload, postgresql database, and letsencrypt certs.
|
||
|
|
||
|
## **DNS**
|
||
|
|
||
|
* Log into your dns provider and create A and AAAA records for *xmpp.example.com*
|
||
|
* Log into your dns provider and create A and AAAA records for *xmppupload.example.com*
|
||
|
|
||
|
## **FireWall**
|
||
|
|
||
|
Incidentally, you definitely do want to use a non-standard ssh port for connecting over the internet.
|
||
|
|
||
|
I would suggest that a firewall is important, because I couldn't figure out how to completely disable
|
||
|
port 5280 for the http protocol, in the clear, in the prosody config.
|
||
|
|
||
|
### ports
|
||
|
|
||
|
* `80/tcp`, `443/tcp` for certbot
|
||
|
* `4444/tcp` i.e. port 4444 for ssh
|
||
|
* `5222/tcp` for xmpp-client
|
||
|
* `5269/tcp` for xmpp-server
|
||
|
* `5281/tcp` for https connections to prosody for uploads and photos
|
||
|
|
||
|
### FireWall with UFW
|
||
|
|
||
|
* `ufw allow http`
|
||
|
* `ufw allow https`
|
||
|
* `ufw allow xmpp-client`
|
||
|
* `ufw allow xmpp-server`
|
||
|
* `ufw allow 5281/tcp`
|
||
|
* `ufw allow 4444/tcp` i.e. if 4444 for ssh
|
||
|
* `ufw enable` to start the firewall
|
||
|
|
||
|
## **Postgresql Database**
|
||
|
### Install the postgresql database.
|
||
|
```console
|
||
|
apt-get install postgresql postgresql-contrib
|
||
|
```
|
||
|
Log into the psql command line.
|
||
|
```console
|
||
|
sudo -u postgres psql
|
||
|
```
|
||
|
Create prosody database
|
||
|
```sql
|
||
|
postgres=# CREATE DATABASE prosody;
|
||
|
```
|
||
|
Creat prosody user
|
||
|
```sql
|
||
|
postgres=# CREATE ROLE prosody WITH LOGIN;
|
||
|
```
|
||
|
Set password for user
|
||
|
```sql
|
||
|
postgres=# \password prosody
|
||
|
```
|
||
|
Quit `psql`
|
||
|
```sql
|
||
|
postgres=# \q
|
||
|
```
|
||
|
### allow authentication in `pg_hba.conf`
|
||
|
To connect to postgresql via unix socket
|
||
|
```cfg
|
||
|
# /etc/postgresql/11/main/pg_hba.conf
|
||
|
# make sure this line is above
|
||
|
local prosody prosody md5
|
||
|
|
||
|
# make sure this line is below
|
||
|
local all all peer
|
||
|
```
|
||
|
or i.e. through a wireguard tunnel
|
||
|
```cfg
|
||
|
# /etc/postgresql/11/main/pg_hba.conf
|
||
|
# where 10.0.22.5 is the ip address of the machine that prosody will run on
|
||
|
host prosody prosody 10.0.22.5/32 md5
|
||
|
```
|
||
|
|
||
|
and then restart postgresql
|
||
|
```console
|
||
|
systemctl restart postgresql
|
||
|
```
|
||
|
|
||
|
## **Prosody**
|
||
|
### Install Prosody
|
||
|
```console
|
||
|
apt install prosody prosody-modules lua-dbi-postgresql
|
||
|
```
|
||
|
### Configure Prosody
|
||
|
backup the prosody config file
|
||
|
```console
|
||
|
cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.bak
|
||
|
```
|
||
|
|
||
|
if you want to disable advertising version and uptime, allow message archives,
|
||
|
and disallow registration, change this
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
modules_enabled = {
|
||
|
|
||
|
...
|
||
|
|
||
|
-- Nice to have
|
||
|
"version"; -- Replies to server version requests
|
||
|
"uptime"; -- Report how long server has been running
|
||
|
"time"; -- Let others know the time here on this server
|
||
|
"ping"; -- Replies to XMPP pings with pongs
|
||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||
|
|
||
|
...
|
||
|
}
|
||
|
```
|
||
|
|
||
|
to this
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
modules_enabled = {
|
||
|
|
||
|
...
|
||
|
|
||
|
-- Nice to have
|
||
|
--"version"; -- Replies to server version requests
|
||
|
--"uptime"; -- Report how long server has been running
|
||
|
"time"; -- Let others know the time here on this server
|
||
|
"ping"; -- Replies to XMPP pings with pongs
|
||
|
--"register"; -- Allow users to register on this server using a client and change passwords
|
||
|
"mam"; -- Store messages in an archive and allow users to access it
|
||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||
|
|
||
|
...
|
||
|
}
|
||
|
```
|
||
|
|
||
|
to force certificate authentication for server-to-server connections,
|
||
|
make the following edit around line 123
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
-- Force certificate authentication for server-to-server connections?
|
||
|
|
||
|
-- change this
|
||
|
s2s_secure_auth = false
|
||
|
-- to this
|
||
|
s2s_secure_auth = true
|
||
|
```
|
||
|
|
||
|
around line 147 enable sql
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
|
||
|
-- change this
|
||
|
--storage = "sql"
|
||
|
|
||
|
-- to this
|
||
|
storage = "sql"
|
||
|
```
|
||
|
|
||
|
and describe the database connection
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
|
||
|
-- change this
|
||
|
--sql = {
|
||
|
driver = "PostgreSQL",
|
||
|
database = "prosody",
|
||
|
username = "prosody",
|
||
|
password = "secret",
|
||
|
host = "localhost"
|
||
|
}
|
||
|
|
||
|
-- to this
|
||
|
sql = {
|
||
|
driver = "PostgreSQL",
|
||
|
database = "prosody",
|
||
|
username = "prosody",
|
||
|
password = "secret",
|
||
|
host = "localhost"
|
||
|
}
|
||
|
|
||
|
-- or to use a unix socket in Debian 10
|
||
|
sql = {
|
||
|
driver = "PostgreSQL",
|
||
|
database = "prosody",
|
||
|
username = "prosody",
|
||
|
password = "secret",
|
||
|
host = "/var/run/postgresql"
|
||
|
}
|
||
|
```
|
||
|
|
||
|
somewhere around line 196, describe the certificate file for the upoad subdomain
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
|
||
|
-- change this
|
||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||
|
|
||
|
-- to this
|
||
|
https_certificate = "/etc/prosody/certs/xmppupload.example.com.crt"
|
||
|
```
|
||
|
|
||
|
somewhere around line 210 describe your virtualhost
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
VirtualHost "xmpp.example.com"
|
||
|
|
||
|
disco_items = {
|
||
|
{"xmppupload.example.com"},
|
||
|
}
|
||
|
```
|
||
|
|
||
|
add the following to the end of the file
|
||
|
```cfg
|
||
|
-- /etc/prosody/prosody.cfg.lua
|
||
|
Component "xmppupload.example.com" "http_upload"
|
||
|
```
|
||
|
|
||
|
and then restart prosody
|
||
|
```console
|
||
|
systemctl restart prososdy
|
||
|
```
|
||
|
|
||
|
## **Certbot**
|
||
|
install certbot
|
||
|
```console
|
||
|
apt install certbot
|
||
|
```
|
||
|
get certificates
|
||
|
```console
|
||
|
certbot certonly -d xmpp.example.com
|
||
|
certbot certonly -d xmppupload.example.com
|
||
|
```
|
||
|
import the certificates into prosody and restart prosody
|
||
|
```console
|
||
|
prosodyctl --root cert import /etc/letsencrypt/live
|
||
|
systemctl restart prosody
|
||
|
```
|
||
|
create the following renewal-hook for letsencrypt
|
||
|
```console
|
||
|
#!/bin/bash
|
||
|
# /etc/letsencrypt/renewal-hooks/deploy/prosody_deploy_hook
|
||
|
|
||
|
prosodyctl --root cert import /etc/letsencrypt/live
|
||
|
```
|