---
title: "Prosody Photo Uploads"
date: 2021-01-25
draft: false
tags: ["xmpp","prosody","debian","letsencrypt"]
authors: ["trent"]
---

## **Introduction**

Install [prosody](https://prosody.im/){target=_blank} on [Debian 10](https://www.debian.org/){target=_blank} with photo upload, a postgresql database, and letsencrypt certs.

## **DNS**

* Log into your dns provider and create A and AAAA records for *xmpp.example.com*
* Log into your dns provider and create A and AAAA records for *xmppupload.example.com*

## **FireWall**

Incidentally, you definitely do want to use a non-standard ssh port for connecting over the internet. I would suggest that a firewall is important, because I couldn't figure out how to completely disable port 5280 for the http protocol, in the clear, in the prosody config.

### ports

* `80/tcp`, `443/tcp` for certbot
* `4444/tcp`, i.e. port 4444, for ssh
* `5222/tcp` for xmpp-client
* `5269/tcp` for xmpp-server
* `5281/tcp` for https connections to prosody for uploads and photos

### FireWall with UFW

* `ufw allow http`
* `ufw allow https`
* `ufw allow xmpp-client`
* `ufw allow xmpp-server`
* `ufw allow 5281/tcp`
* `ufw allow 4444/tcp` i.e. if 4444 is the ssh port
* `ufw enable` to start the firewall

## **Postgresql Database**

### Install the postgresql database.

```console
apt-get install postgresql postgresql-contrib
```

Log into the psql command line.

```console
sudo -u postgres psql
```

Create the prosody database

```sql
postgres=# CREATE DATABASE prosody;
```

Create the prosody user

```sql
postgres=# CREATE ROLE prosody WITH LOGIN;
```

Set a password for the user

```sql
postgres=# \password prosody
```

Quit `psql`

```sql
postgres=# \q
```

### allow authentication in `pg_hba.conf`

To connect to postgresql via unix socket (rules are matched top to bottom, so the prosody line has to come first)

```cfg
# /etc/postgresql/11/main/pg_hba.conf
# make sure this line is above the "local all all peer" line
local   prosody   prosody   md5
# make sure this line is below the prosody line
local   all       all       peer
```

or, for example, to connect through a wireguard tunnel

```cfg
# /etc/postgresql/11/main/pg_hba.conf
# where 10.0.22.5 is the ip address of the machine that prosody will run on
host    prosody   prosody   10.0.22.5/32   md5
```

and then restart postgresql

```console
systemctl restart postgresql
```

## **Prosody**

### Install Prosody

```console
apt install prosody prosody-modules lua-dbi-postgresql
```

### Configure Prosody

backup the prosody config file

```console
cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.bak
```

if you want to disable advertising version and uptime, allow message archives, and disallow registration, change this

```cfg
-- /etc/prosody/prosody.cfg.lua
modules_enabled = {
    ...
    -- Nice to have
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "register"; -- Allow users to register on this server using a client and change passwords
    --"mam"; -- Store messages in an archive and allow users to access it
    --"csi_simple"; -- Simple Mobile optimizations
    ...
}
```

to this

```cfg
-- /etc/prosody/prosody.cfg.lua
modules_enabled = {
    ...
    -- Nice to have
    --"version"; -- Replies to server version requests
    --"uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    --"register"; -- Allow users to register on this server using a client and change passwords
    "mam"; -- Store messages in an archive and allow users to access it
    --"csi_simple"; -- Simple Mobile optimizations
    ...
}
```

to force certificate authentication for server-to-server connections, make the following edit around line 123

```cfg
-- /etc/prosody/prosody.cfg.lua
-- Force certificate authentication for server-to-server connections?
-- change this
s2s_secure_auth = false
-- to this
s2s_secure_auth = true
```

around line 147 enable sql

```cfg
-- /etc/prosody/prosody.cfg.lua
-- change this
--storage = "sql"
-- to this
storage = "sql"
```

and describe the database connection

```cfg
-- /etc/prosody/prosody.cfg.lua
-- change this
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- to this
sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- or to use a unix socket in Debian 10
sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "/var/run/postgresql" }
```

somewhere around line 196, describe the certificate file for the upload subdomain

```cfg
-- /etc/prosody/prosody.cfg.lua
-- change this
--https_certificate = "/etc/prosody/certs/localhost.crt"
-- to this
https_certificate = "/etc/prosody/certs/xmppupload.example.com.crt"
```

somewhere around line 210 describe your virtualhost

```cfg
-- /etc/prosody/prosody.cfg.lua
VirtualHost "xmpp.example.com"
    disco_items = {
        {"xmppupload.example.com"},
    }
```

add the following to the end of the file

```cfg
-- /etc/prosody/prosody.cfg.lua
Component "xmppupload.example.com" "http_upload"
```

and then restart prosody

```console
systemctl restart prosody
```

## **Certbot**

install certbot

```console
apt install certbot
```

get certificates

```console
certbot certonly -d xmpp.example.com
certbot certonly -d xmppupload.example.com
```

import the certificates into prosody and restart prosody

```console
prosodyctl --root cert import /etc/letsencrypt/live
systemctl restart prosody
```

create the following renewal-hook for letsencrypt (certbot only runs deploy hooks that are executable, so `chmod +x` the file after creating it)

```bash
#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/prosody_deploy_hook
prosodyctl --root cert import /etc/letsencrypt/live
```
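A post-install check script for the setup above, added here as an example; it is not part of the original post, of prosody or of certbot. It covers three of the steps where a silent mistake is easy: the Postgresql section (`pg_hba.conf` is first-match, so the `local prosody prosody md5` rule must sit above `local all all peer`), the Configure Prosody section (the hardening edits actually landed in the saved `prosody.cfg.lua`) and the Certbot section (the deploy hook is executable, otherwise certbot skips it). The sample files it checks are constructed inline so it runs offline; on a real host the functions take the Debian 10 paths named in the comments instead.

```shell
#!/bin/sh
# Post-install checks for the prosody + postgresql setup in this post.
# Added example, not part of the original post or of prosody/certbot.
# The sample files below are constructed (fake but realistic content) so the
# checks run offline; on a real host call the functions with
#   /etc/postgresql/11/main/pg_hba.conf
#   /etc/prosody/prosody.cfg.lua
#   /etc/letsencrypt/renewal-hooks/deploy/prosody_deploy_hook

# pg_hba.conf is evaluated top to bottom and the first matching rule wins, so
# "local prosody prosody md5" must come before the catch-all "local all all peer".
# If it does not, the peer rule matches first and prosody's password login over
# the unix socket is refused.
check_pg_hba() {
    md5_line=$(grep -nE '^[[:space:]]*local[[:space:]]+prosody[[:space:]]+prosody[[:space:]]+md5' "$1" | head -n 1 | cut -d: -f1)
    peer_line=$(grep -nE '^[[:space:]]*local[[:space:]]+all[[:space:]]+all[[:space:]]+peer' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$md5_line" ] || return 1      # no prosody rule at all
    [ -n "$peer_line" ] || return 0     # no catch-all rule that could shadow it
    [ "$md5_line" -lt "$peer_line" ]
}

# The hardening edits from the Configure Prosody section, verified on the saved
# file: s2s_secure_auth forced on, sql storage enabled, and the "register",
# "version" and "uptime" modules commented out. Lua comments start with "--",
# so an enabled module is a line that starts with the quoted module name.
check_prosody_cfg() {
    grep -Eq '^[[:space:]]*s2s_secure_auth[[:space:]]*=[[:space:]]*true' "$1" || return 1
    grep -Eq '^[[:space:]]*storage[[:space:]]*=[[:space:]]*"sql"' "$1" || return 1
    for m in register version uptime; do
        if grep -Eq "^[[:space:]]*\"$m\";" "$1"; then
            return 1
        fi
    done
    return 0
}

# certbot runs only the executable files in renewal-hooks/deploy, so a hook
# copied into place without chmod +x never re-imports the renewed certificate.
check_deploy_hook() {
    [ -x "$1" ] && grep -q 'prosodyctl --root cert import' "$1"
}

# Constructed sample inputs: one correct and one broken file of each kind.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_HBA="$SAMPLE_DIR/pg_hba.good"
BAD_HBA="$SAMPLE_DIR/pg_hba.bad"
GOOD_CFG="$SAMPLE_DIR/prosody.good.lua"
BAD_CFG="$SAMPLE_DIR/prosody.bad.lua"
GOOD_HOOK="$SAMPLE_DIR/hook.good"
BAD_HOOK="$SAMPLE_DIR/hook.bad"

printf '%s\n' '# constructed' 'local   prosody   prosody   md5' 'local   all       all       peer' > "$GOOD_HBA"
printf '%s\n' '# constructed' 'local   all       all       peer' 'local   prosody   prosody   md5' > "$BAD_HBA"

cat > "$GOOD_CFG" <<'EOF'
-- constructed sample: edits from the post applied
modules_enabled = {
    --"version"; -- Replies to server version requests
    --"uptime"; -- Report how long server has been running
    "time";
    --"register";
    "mam";
}
s2s_secure_auth = true
storage = "sql"
EOF

cat > "$BAD_CFG" <<'EOF'
-- constructed sample: stock defaults left in place
modules_enabled = {
    "version";
    "uptime";
    "register";
}
s2s_secure_auth = false
--storage = "sql"
EOF

printf '%s\n' '#!/bin/bash' 'prosodyctl --root cert import /etc/letsencrypt/live' > "$GOOD_HOOK"
cp "$GOOD_HOOK" "$BAD_HOOK"
chmod 755 "$GOOD_HOOK"
chmod 644 "$BAD_HOOK"   # the "forgot chmod +x" case

# One line per check; the function's exit status is the result.
report() {
    if "$1" "$2"; then echo "$2: ok"; else echo "$2: PROBLEM"; fi
}
report check_pg_hba "$GOOD_HBA"
report check_pg_hba "$BAD_HBA"
report check_prosody_cfg "$GOOD_CFG"
report check_prosody_cfg "$BAD_CFG"
report check_deploy_hook "$GOOD_HOOK"
report check_deploy_hook "$BAD_HOOK"
```

The checks deliberately read the files as saved rather than asking the running services, so they catch an edit that was made in the editor but never written, or a hook that was written but never made executable; run them once after the restart steps and again after the first certbot renewal.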