<!DOCTYPE html> <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="canonical" href="https://blog.trentsonlinedocs.xyz/posts/prosody-photo-uploads/"> <link rel="shortcut icon" href="../../img/favicon.ico"> <title>Prosody Photo Uploads - Trent's Blog</title> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700" /> <link rel="stylesheet" href="../../css/theme.css" /> <link rel="stylesheet" href="../../css/theme_extra.css" /> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/styles/github.min.css" /> <link href="../../extra.css" rel="stylesheet" /> <script> // Current page data var mkdocs_page_name = "Prosody Photo Uploads"; var mkdocs_page_input_path = "posts/prosody-photo-uploads.md"; var mkdocs_page_url = "/posts/prosody-photo-uploads/"; </script> <script src="../../js/jquery-2.1.1.min.js" defer></script> <script src="../../js/modernizr-2.8.3.min.js" defer></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/highlight.min.js"></script> <script>hljs.initHighlightingOnLoad();</script> </head> <body class="wy-body-for-nav" role="document"> <div class="wy-grid-for-nav"> <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav"> <div class="wy-side-scroll"> <div class="wy-side-nav-search"> <a href="../.." 
class="icon icon-home"> Trent's Blog</a> </div> <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
</div> </div> </nav> <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> <nav class="wy-nav-top" role="navigation" aria-label="top navigation"> <i data-toggle="wy-nav-top" class="fa fa-bars"></i> <a href="../..">Trent's Blog</a> </nav> <div class="wy-nav-content"> <div class="rst-content"> <div role="main"> <div class="section"> <p>date: 2021-01-25</p> <h2 id="introduction"><strong>Introduction</strong></h2> <p>Install <a href="https://prosody.im/" target="_blank">prosody</a> on <a href="https://www.debian.org/" target="_blank">Debian 10</a> with photoupload, postgresql database, and letsencrypt certs.</p> <h2 id="dns"><strong>DNS</strong></h2> <ul> <li>Log into your dns provider and create A and AAAA records for <em>xmpp.example.com</em></li> <li>Log into your dns provider and create A and AAAA records for <em>xmppupload.example.com</em></li> </ul> <h2 id="firewall"><strong>FireWall</strong></h2> <p>Incidentally, you definitely do want to use a non-standard ssh port for connecting over the internet.</p> <p>I would suggest that a firewall is important, because I couldn't figure out how to completely disable port 5280 for the http protocol, in the clear, in the prosody config.</p> <h3 id="ports">ports</h3> <ul> <li><code>80/tcp</code>, <code>443/tcp</code> for certbot</li> <li><code>4444/tcp</code> i.e.
port 4444 for ssh</li> <li><code>5222/tcp</code> for xmpp-client</li> <li><code>5269/tcp</code> for xmpp-server</li> <li><code>5281/tcp</code> for https connections to prosody for uploads and photos</li> </ul> <h3 id="firewall-with-ufw">FireWall with UFW</h3> <ul> <li><code>ufw allow http</code></li> <li><code>ufw allow https</code></li> <li><code>ufw allow xmpp-client</code></li> <li><code>ufw allow xmpp-server</code></li> <li><code>ufw allow 5281/tcp</code></li> <li><code>ufw allow 4444/tcp</code> i.e. if 4444 for ssh</li> <li><code>ufw enable</code> to start the firewall</li> </ul> <h2 id="postgresql-database"><strong>Postgresql Database</strong></h2> <h3 id="install-the-postgresql-database">Install the postgresql database.</h3> <p><div class="highlight"><pre><span></span><code><span class="go">apt-get install postgresql postgresql-contrib</span> </code></pre></div> Log into the psql command line. <div class="highlight"><pre><span></span><code><span class="go">sudo -u postgres psql</span> </code></pre></div> Create prosody database <div class="highlight"><pre><span></span><code><span class="n">postgres</span><span class="o">=#</span> <span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">prosody</span><span class="p">;</span> </code></pre></div> Create prosody user <div class="highlight"><pre><span></span><code><span class="n">postgres</span><span class="o">=#</span> <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">prosody</span> <span class="k">WITH</span> <span class="n">LOGIN</span><span class="p">;</span> </code></pre></div> Set password for user <div class="highlight"><pre><span></span><code><span class="n">postgres</span><span class="o">=#</span> <span class="err">\</span><span class="n">password</span> <span class="n">prosody</span> </code></pre></div> Quit <code>psql</code> <div class="highlight"><pre><span></span><code><span class="n">postgres</span><span class="o">=#</span> <span class="err">\</span><span
class="n">q</span> </code></pre></div></p> <h3 id="allow-authentication-in-pg_hbaconf">allow authentication in <code>pg_hba.conf</code></h3> <p>To connect to postgresql via unix socket <div class="highlight"><pre><span></span><code><span class="c1"># /etc/postgresql/11/main/pg_hba.conf</span>
<span class="c1"># make sure this line is above</span>
<span class="na">local prosody prosody md5</span>
<span class="c1"># make sure this line is below</span>
<span class="na">local all all peer</span>
</code></pre></div> or, e.g., through a wireguard tunnel <div class="highlight"><pre><span></span><code><span class="c1"># /etc/postgresql/11/main/pg_hba.conf</span>
<span class="c1"># where 10.0.22.5 is the ip address of the machine that prosody will run on </span>
<span class="na">host prosody prosody 10.0.22.5/32 md5</span>
</code></pre></div></p> <p>and then restart postgresql <div class="highlight"><pre><span></span><code><span class="go">systemctl restart postgresql</span> </code></pre></div></p> <h2 id="prosody"><strong>Prosody</strong></h2> <h3 id="install-prosody">Install Prosody</h3> <div class="highlight"><pre><span></span><code><span class="go">apt install prosody prosody-modules lua-dbi-postgresql</span> </code></pre></div> <h3 id="configure-prosody">Configure Prosody</h3> <p>backup the prosody config file <div class="highlight"><pre><span></span><code><span class="go">cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.bak</span> </code></pre></div></p> <p>if you want to disable advertising version and uptime, allow message archives, and disallow registration, change this <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span> <span class="na">modules_enabled</span> <span class="o">=</span> <span class="s">{</span> <span class="na">...</span> <span class="na">-- Nice to have</span> <span class="na">"version"; -- Replies to server version requests</span> <span class="na">"uptime"; -- Report how long server has
been running</span> <span class="na">"time"; -- Let others know the time here on this server</span> <span class="na">"ping"; -- Replies to XMPP pings with pongs</span> <span class="na">"register"; -- Allow users to register on this server using a client and change passwords</span> <span class="na">--"mam"; -- Store messages in an archive and allow users to access it</span> <span class="na">--"csi_simple"; -- Simple Mobile optimizations</span> <span class="na">...</span> <span class="na">}</span> </code></pre></div></p> <p>to this <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span> <span class="na">modules_enabled</span> <span class="o">=</span> <span class="s">{</span> <span class="na">...</span> <span class="na">-- Nice to have</span> <span class="na">--"version"; -- Replies to server version requests</span> <span class="na">--"uptime"; -- Report how long server has been running</span> <span class="na">"time"; -- Let others know the time here on this server</span> <span class="na">"ping"; -- Replies to XMPP pings with pongs</span> <span class="na">--"register"; -- Allow users to register on this server using a client and change passwords</span> <span class="na">"mam"; -- Store messages in an archive and allow users to access it</span> <span class="na">--"csi_simple"; -- Simple Mobile optimizations</span> <span class="na">...</span> <span class="na">}</span> </code></pre></div></p> <p>to force certificate authentication for server-to-server connections, make the following edit around line 123 <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span> <span class="na">-- Force certificate authentication for server-to-server connections?</span> <span class="na">-- change this</span> <span class="na">s2s_secure_auth</span> <span class="o">=</span> <span class="s">false</span> <span class="na">-- to this</span> <span class="na">s2s_secure_auth</span> <span class="o">=</span> 
<span class="s">true</span> </code></pre></div></p> <p>around line 147 enable sql <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span> <span class="na">-- change this</span> <span class="na">--storage</span> <span class="o">=</span> <span class="s">"sql"</span> <span class="na">-- to this</span> <span class="na">storage</span> <span class="o">=</span> <span class="s">"sql"</span> </code></pre></div></p> <p>and describe the database connection <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span> <span class="na">-- change this</span> <span class="na">--sql</span> <span class="o">=</span> <span class="s">{</span> <span class="na">driver</span> <span class="o">=</span> <span class="s">"PostgreSQL",</span> <span class="na">database</span> <span class="o">=</span> <span class="s">"prosody",</span> <span class="na">username</span> <span class="o">=</span> <span class="s">"prosody",</span> <span class="na">password</span> <span class="o">=</span> <span class="s">"secret",</span> <span class="na">host</span> <span class="o">=</span> <span class="s">"localhost"</span> <span class="na">}</span> <span class="na">-- to this</span> <span class="na">sql</span> <span class="o">=</span> <span class="s">{</span> <span class="na">driver</span> <span class="o">=</span> <span class="s">"PostgreSQL",</span> <span class="na">database</span> <span class="o">=</span> <span class="s">"prosody",</span> <span class="na">username</span> <span class="o">=</span> <span class="s">"prosody",</span> <span class="na">password</span> <span class="o">=</span> <span class="s">"secret",</span> <span class="na">host</span> <span class="o">=</span> <span class="s">"localhost"</span> <span class="na">}</span> <span class="na">-- or to use a unix socket in Debian 10</span> <span class="na">sql</span> <span class="o">=</span> <span class="s">{</span> <span class="na">driver</span> <span class="o">=</span> 
<span class="s">"PostgreSQL",</span> <span class="na">database</span> <span class="o">=</span> <span class="s">"prosody",</span> <span class="na">username</span> <span class="o">=</span> <span class="s">"prosody",</span> <span class="na">password</span> <span class="o">=</span> <span class="s">"secret",</span> <span class="na">host</span> <span class="o">=</span> <span class="s">"/var/run/postgresql"</span> <span class="na">}</span> </code></pre></div></p> <p>somewhere around line 196, describe the certificate file for the upload subdomain <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span>
<span class="na">-- change this</span>
<span class="na">--https_certificate</span> <span class="o">=</span> <span class="s">"/etc/prosody/certs/localhost.crt"</span>
<span class="na">-- to this</span>
<span class="na">https_certificate</span> <span class="o">=</span> <span class="s">"/etc/prosody/certs/xmppupload.example.com.crt"</span>
</code></pre></div></p> <p>somewhere around line 210 describe your virtualhost <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span>
<span class="na">VirtualHost "xmpp.example.com"</span>
<span class="na">disco_items</span> <span class="o">=</span> <span class="s">{</span>
<span class="na">{"xmppupload.example.com"},</span>
<span class="na">}</span>
</code></pre></div></p> <p>add the following to the end of the file <div class="highlight"><pre><span></span><code><span class="na">-- /etc/prosody/prosody.cfg.lua</span>
<span class="na">Component "xmppupload.example.com" "http_upload"</span>
</code></pre></div></p> <p>and then restart prosody <div class="highlight"><pre><span></span><code><span class="go">systemctl restart prosody</span> </code></pre></div></p> <h2 id="certbot"><strong>Certbot</strong></h2> <p>install certbot <div class="highlight"><pre><span></span><code><span class="go">apt install certbot</span> </code></pre></div> get certificates
<div class="highlight"><pre><span></span><code><span class="go">certbot certonly -d xmpp.example.com</span>
<span class="go">certbot certonly -d xmppupload.example.com</span>
</code></pre></div> import the certificates into prosody and restart prosody <div class="highlight"><pre><span></span><code><span class="go">prosodyctl --root cert import /etc/letsencrypt/live</span>
<span class="go">systemctl restart prosody</span>
</code></pre></div> create the following renewal-hook for letsencrypt <div class="highlight"><pre><span></span><code><span class="gp">#</span>!/bin/bash
<span class="gp"># </span>/etc/letsencrypt/renewal-hooks/deploy/prosody_deploy_hook
<span class="go">prosodyctl --root cert import /etc/letsencrypt/live</span>
</code></pre></div></p> </div> </div> <footer> <hr/> <div role="contentinfo"> <!-- Copyright etc --> </div>
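<p>Added example (not part of the original post, nor code from the PostgreSQL or Prosody projects): the <code>pg_hba.conf</code> step in the Postgresql Database section depends on PostgreSQL using the first record that matches a connection, so this script reports which <code>local</code> record a unix-socket login to database <code>prosody</code> as role <code>prosody</code> hits first. The function names and the two sample files are constructed for illustration, and only <code>all</code>, <code>sameuser</code> and comma-separated names are understood.</p>

```shell
#!/bin/sh
# Added example: which pg_hba.conf record does a unix-socket login hit first?
# PostgreSQL stops at the first record whose type, database and user match.

# first_local_rule FILE DB USER -> prints "<line-number> <auth-method>"
# Simplification: understands "all", "sameuser" and comma-separated names only.
first_local_rule() {
  awk -v db="$2" -v user="$3" '
    function field_matches(list, name, sameuser_ok,    n, i, p) {
      n = split(list, p, ",")
      for (i = 1; i <= n; i++) {
        if (p[i] == "all" || p[i] == name) return 1
        if (sameuser_ok && p[i] == "sameuser") return 1
      }
      return 0
    }
    { sub(/#.*/, "") }                      # drop comments
    NF < 4 || $1 != "local" { next }        # only unix-socket records
    field_matches($2, db, db == user) && field_matches($3, user, 0) {
      print NR, $4; exit                    # first match wins
    }
  ' "$1"
}

# prosody_uses_password FILE -> exit 0 if the first record matching
# database prosody / role prosody uses a password method
prosody_uses_password() {
  case "$(first_local_rule "$1" prosody prosody)" in
    *" md5"|*" scram-sha-256") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample files (not taken from a real server)
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# TYPE  DATABASE  USER      METHOD
local   all       postgres  peer
local   prosody   prosody   md5
local   all       all       peer
EOF
cat > "$bad" <<'EOF'
local   all       postgres  peer
local   all       all       peer
local   prosody   prosody   md5   # never reached for this login
EOF

for f in "$good" "$bad"; do
  if prosody_uses_password "$f"; then
    echo "ok:    first match is $(first_local_rule "$f" prosody prosody)"
  else
    echo "wrong: first match is $(first_local_rule "$f" prosody prosody)"
  fi
done
```

<p>On a real server, pass <code>/etc/postgresql/11/main/pg_hba.conf</code> to <code>prosody_uses_password</code> before restarting postgresql.</p>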
</footer> </div> </div> </section> </div> <script>var base_url = '../..';</script> <script src="../../js/theme_extra.js" defer></script> <script src="../../js/theme.js" defer></script> <script src="../../search/main.js" defer></script> <script defer> window.onload = function () { SphinxRtdTheme.Navigation.enable(true); }; </script> </body> </html>