2021-01-25 08:37:39 -08:00
---
title: "Prosody Photo Uploads"
date: 2021-01-25
draft: false
tags: ["xmpp","prosody","debian","letsencrypt"]
authors: ["trent"]
---
## **Introduction**
Install [prosody](https://prosody.im/){target=_blank} on [Debian 10](https://www.debian.org/){target=_blank}
with HTTP file upload (the `http_upload` component), a PostgreSQL database, and Let's Encrypt certificates.
## **DNS**
* Log into your dns provider and create A and AAAA records for *xmpp.example.com*
* Log into your dns provider and create A and AAAA records for *xmppupload.example.com*
## **Firewall**
Incidentally, you definitely do want to use a non-standard ssh port for connecting over the internet.
I would suggest that a firewall is important, because I couldn't figure out how to completely disable
port 5280 for the http protocol, in the clear, in the prosody config.
### ports
* `80/tcp`, `443/tcp` for certbot
* `4444/tcp`, or whichever non-standard port you chose for ssh
* `5222/tcp` for xmpp-client
* `5269/tcp` for xmpp-server
* `5281/tcp` for https connections to prosody for uploads and photos
### Firewall with UFW
* `ufw allow http`
* `ufw allow https`
* `ufw allow xmpp-client`
* `ufw allow xmpp-server`
* `ufw allow 5281/tcp`
* `ufw allow 4444/tcp`, or whichever port you chose for ssh; allow it before enabling the firewall, or you will lock yourself out
* `ufw enable` to start the firewall
## **Postgresql Database**
### Install the postgresql database.
```console
apt-get install postgresql postgresql-contrib
```
Log into the psql command line.
```console
sudo -u postgres psql
```
Create the prosody database
```sql
postgres=# CREATE DATABASE prosody;
```
Create the prosody user
```sql
postgres=# CREATE ROLE prosody WITH LOGIN;
```
Set a password for the user
```sql
postgres=# \password prosody
```
Quit `psql`
```sql
postgres=# \q
```
### allow authentication in `pg_hba.conf`
To connect to postgresql via a unix socket
```cfg
# /etc/postgresql/11/main/pg_hba.conf
# the first matching line wins, so this line must come before ...
local prosody prosody md5
# ... the catch-all peer rule below it
local all all peer
```
or, to reach it over the network, e.g. through a wireguard tunnel
```cfg
# /etc/postgresql/11/main/pg_hba.conf
# where 10.0.22.5 is the ip address of the machine that prosody will run on
host prosody prosody 10.0.22.5/32 md5
```
and then restart postgresql
```console
systemctl restart postgresql
```
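To see why the order of those two `local` lines matters, here is an added Python example (not part of PostgreSQL or Prosody) that evaluates a pg_hba.conf fragment the way the server does, first match wins; the fragment is constructed from the rules above, and the parser handles only plain names and `all`, not the full pg_hba syntax.

```python
"""First-match evaluation of pg_hba.conf rules, as PostgreSQL does it: the
first line matching a connection decides the auth method, so order matters."""
import ipaddress

# Constructed fragment mirroring the post: the prosody md5 line sits above
# the catch-all 'local all all peer' line, plus the WireGuard host rule.
PG_HBA_GOOD = """
# TYPE  DATABASE  USER     ADDRESS       METHOD
local   prosody   prosody                md5
local   all       all                    peer
host    prosody   prosody  10.0.22.5/32  md5
"""

# The same rules with the two 'local' lines swapped.
PG_HBA_SWAPPED = """
local   all       all                    peer
local   prosody   prosody                md5
host    prosody   prosody  10.0.22.5/32  md5
"""


def parse_pg_hba(text):
    """Return rule dicts, skipping blank and comment lines.
    'local' rules have no ADDRESS column; host-type rules carry a CIDR."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            conn_type, db, user, method = fields[:4]
            addr = None
        else:
            conn_type, db, user, addr, method = fields[:5]
        rules.append({"type": conn_type, "db": db, "user": user, "addr": addr, "method": method})
    return rules


def auth_method(text, conn_type, db, user, client_ip=None):
    """METHOD of the first matching rule, or None (PostgreSQL then rejects
    the connection). conn_type is 'local' (unix socket) or 'host' (TCP)."""
    for r in parse_pg_hba(text):
        if (r["type"] == "local") != (conn_type == "local"):
            continue  # socket rules only match socket connections, and vice versa
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if r["addr"] is not None and (client_ip is None or ipaddress.ip_address(
                client_ip) not in ipaddress.ip_network(r["addr"], strict=False)):
            continue
        return r["method"]
    return None
```

With the swapped file, prosody's socket connection hits the `peer` rule first and the md5 password is never consulted.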
## **Prosody**
### Install Prosody
```console
apt install prosody prosody-modules lua-dbi-postgresql
```
### Configure Prosody
backup the prosody config file
```console
cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.bak
```
if you want to disable advertising version and uptime, allow message archives,
and disallow registration, change this
```cfg
-- /etc/prosody/prosody.cfg.lua
modules_enabled = {
...
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; -- Allow users to register on this server using a client and change passwords
--"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
...
}
```
to this
```cfg
-- /etc/prosody/prosody.cfg.lua
modules_enabled = {
...
-- Nice to have
--"version"; -- Replies to server version requests
--"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
--"register"; -- Allow users to register on this server using a client and change passwords
"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
...
}
```
to force certificate authentication for server-to-server connections,
make the following edit around line 123
```cfg
-- /etc/prosody/prosody.cfg.lua
-- Force certificate authentication for server-to-server connections?
-- change this
s2s_secure_auth = false
-- to this
s2s_secure_auth = true
```
around line 147, enable SQL storage
```cfg
-- /etc/prosody/prosody.cfg.lua
-- change this
--storage = "sql"
-- to this
storage = "sql"
```
and describe the database connection (the default config ships the whole table commented out)
```cfg
-- /etc/prosody/prosody.cfg.lua
-- change this
--sql = {
--    driver = "PostgreSQL",
--    database = "prosody",
--    username = "prosody",
--    password = "secret",
--    host = "localhost"
--}
-- to this, for a TCP connection
sql = {
    driver = "PostgreSQL",
    database = "prosody",
    username = "prosody",
    password = "secret",
    host = "localhost"
}
-- or, to use the unix socket in Debian 10, point host at the socket directory
-- (use only one of these two sql = {...} definitions)
sql = {
    driver = "PostgreSQL",
    database = "prosody",
    username = "prosody",
    password = "secret",
    host = "/var/run/postgresql"
}
```
somewhere around line 196, describe the certificate file for the upload subdomain
```cfg
-- /etc/prosody/prosody.cfg.lua
-- change this
--https_certificate = "/etc/prosody/certs/localhost.crt"
-- to this
https_certificate = "/etc/prosody/certs/xmppupload.example.com.crt"
```
somewhere around line 210 describe your virtualhost
```cfg
-- /etc/prosody/prosody.cfg.lua
VirtualHost "xmpp.example.com"
disco_items = {
{"xmppupload.example.com"},
}
```
add the following to the end of the file
```cfg
-- /etc/prosody/prosody.cfg.lua
Component "xmppupload.example.com" "http_upload"
```
and then restart prosody
```console
systemctl restart prosody
```
## **Certbot**
install certbot
```console
apt install certbot
```
get certificates
```console
certbot certonly -d xmpp.example.com
certbot certonly -d xmppupload.example.com
```
import the certificates into prosody and restart prosody
```console
prosodyctl --root cert import /etc/letsencrypt/live
systemctl restart prosody
```
create the following renewal hook for letsencrypt and make it executable (`chmod +x`), otherwise certbot will not run it
```bash
#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/prosody_deploy_hook
prosodyctl --root cert import /etc/letsencrypt/live
```