date: 2021-01-25

Introduction

Install Prosody on Debian 10 with HTTP file upload (for photos), a PostgreSQL database, and Let's Encrypt certificates.

DNS

  • Log into your dns provider and create A and AAAA records for xmpp.example.com
  • Log into your dns provider and create A and AAAA records for xmppupload.example.com

FireWall

Incidentally, you definitely do want to use a non-standard ssh port for connecting over the internet.

I would suggest that a firewall is important, because I couldn't figure out how to completely disable port 5280 for the http protocol, in the clear, in the prosody config.

ports

  • 80/tcp, 443/tcp for certbot
  • 4444/tcp for ssh, if you moved ssh to port 4444
  • 5222/tcp for xmpp-client
  • 5269/tcp for xmpp-server
  • 5281/tcp for https connections to prosody for uploads and photos

FireWall with UFW

  • ufw allow http
  • ufw allow https
  • ufw allow xmpp-client
  • ufw allow xmpp-server
  • ufw allow 5281/tcp
  • ufw allow 4444/tcp, if ssh is on port 4444
  • ufw enable, to start the firewall

Postgresql Database

Install the postgresql database.

apt-get install postgresql postgresql-contrib

Log into the psql command line.

sudo -u postgres psql

Create the prosody database.

postgres=# CREATE DATABASE prosody;

Create the prosody user.

postgres=# CREATE ROLE prosody WITH LOGIN;

Set a password for the user (you will be prompted for it).

postgres=# \password prosody

Quit psql.

postgres=# \q

Allow authentication in pg_hba.conf

To connect to PostgreSQL via a unix socket:

# /etc/postgresql/11/main/pg_hba.conf
# make sure this line is above the 'local all all peer' line (the first matching line wins)
local   prosody         prosody                                 md5

# make sure this line is below
local   all             all                                     peer

or, to connect over the network (e.g. through a wireguard tunnel):

# /etc/postgresql/11/main/pg_hba.conf
# where 10.0.22.5 is the ip address of the machine that prosody will run on
host    prosody         prosody         10.0.22.5/32            md5

and then restart postgresql

systemctl restart postgresql
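pg_hba.conf is evaluated top to bottom and the first matching line decides the authentication method, which is why the md5 line for prosody has to sit above the catch-all 'local all all peer' line. The following added example (not part of this guide) is a small first-match evaluator run over constructed pg_hba excerpts; it only handles the plain 'local' and 'host' lines used here, not hostssl/hostnossl, comma-separated lists or @file includes.

```python
import ipaddress

# Constructed pg_hba.conf excerpt with the ordering this guide recommends:
# the prosody md5 line sits above the catch-all 'local all all peer' line.
PG_HBA_GOOD = """\
# TYPE  DATABASE  USER     ADDRESS        METHOD
local   prosody   prosody                 md5
local   all       all                     peer
host    prosody   prosody  10.0.22.5/32   md5
"""

# Constructed counter-example: the same two 'local' lines swapped.
PG_HBA_BAD = """\
local   all       all                     peer
local   prosody   prosody                 md5
host    prosody   prosody  10.0.22.5/32   md5
"""


def parse_pg_hba(text):
    """Parse 'local' and 'host' lines into (type, db, user, network, method).
    Comments and blank lines are skipped; 'local' lines carry no address."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            rules.append((f[0], f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules


def auth_method(text, conn_type, database, user, client_ip=None):
    """Return the METHOD PostgreSQL would apply to this connection, or None
    if no line matches (PostgreSQL then rejects the connection).
    Lines are tried top to bottom; the first match wins."""
    for rtype, rdb, ruser, rnet, method in parse_pg_hba(text):
        if rtype != conn_type:
            continue
        if rdb != "all" and rdb != database:
            continue
        if ruser != "all" and ruser != user:
            continue
        if rtype == "host" and ipaddress.ip_address(client_ip) not in rnet:
            continue
        return method
    return None
```

With the swapped ordering the prosody socket connection falls through to peer authentication instead of the md5 password, and a host connection from any address other than 10.0.22.5 matches no line at all.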

Prosody

Install Prosody

apt install prosody prosody-modules lua-dbi-postgresql

Configure Prosody

Back up the prosody config file

cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.bak

If you want to stop advertising the server version and uptime, enable message archives (mam), and disable in-band registration, change this

-- /etc/prosody/prosody.cfg.lua
modules_enabled = {

    ...

    -- Nice to have
      "version"; -- Replies to server version requests
      "uptime"; -- Report how long server has been running
      "time"; -- Let others know the time here on this server
      "ping"; -- Replies to XMPP pings with pongs
      "register"; -- Allow users to register on this server using a client and change passwords
      --"mam"; -- Store messages in an archive and allow users to access it
      --"csi_simple"; -- Simple Mobile optimizations

    ...
}

to this

-- /etc/prosody/prosody.cfg.lua
modules_enabled = {

    ...

    -- Nice to have
      --"version"; -- Replies to server version requests
      --"uptime"; -- Report how long server has been running
      "time"; -- Let others know the time here on this server
      "ping"; -- Replies to XMPP pings with pongs
      --"register"; -- Allow users to register on this server using a client and change passwords
      "mam"; -- Store messages in an archive and allow users to access it
      --"csi_simple"; -- Simple Mobile optimizations

    ...
}

To force certificate authentication for server-to-server connections, make the following edit around line 123

-- /etc/prosody/prosody.cfg.lua
-- Force certificate authentication for server-to-server connections?

-- change this
s2s_secure_auth = false
-- to this
s2s_secure_auth = true

Around line 147, enable SQL storage

-- /etc/prosody/prosody.cfg.lua

-- change this
--storage = "sql"

-- to this
storage = "sql"

and describe the database connection

-- /etc/prosody/prosody.cfg.lua

-- change this (the whole block is commented out in the default config)
--sql = {
--  driver = "PostgreSQL",
--  database = "prosody",
--  username = "prosody",
--  password = "secret",
--  host = "localhost"
--}

-- to this (replace "secret" with the password you set with \password prosody)
sql = {
  driver = "PostgreSQL",
  database = "prosody",
  username = "prosody",
  password = "secret",
  host = "localhost"
}

-- or to use a unix socket in Debian 10
sql = {
  driver = "PostgreSQL",
  database = "prosody",
  username = "prosody",
  password = "secret",
  host = "/var/run/postgresql"
}

Somewhere around line 196, describe the certificate file for the upload subdomain

-- /etc/prosody/prosody.cfg.lua

-- change this
--https_certificate = "/etc/prosody/certs/localhost.crt"

-- to this
https_certificate = "/etc/prosody/certs/xmppupload.example.com.crt"

Somewhere around line 210, describe your VirtualHost

-- /etc/prosody/prosody.cfg.lua
VirtualHost "xmpp.example.com"

disco_items = {
    {"xmppupload.example.com"},
}

add the following to the end of the file

-- /etc/prosody/prosody.cfg.lua
Component "xmppupload.example.com" "http_upload"

and then restart prosody

systemctl restart prosody

Certbot

Install certbot

apt install certbot

Get certificates

certbot certonly -d xmpp.example.com
certbot certonly -d xmppupload.example.com

Import the certificates into prosody and restart prosody

prosodyctl --root cert import /etc/letsencrypt/live
systemctl restart prosody

Create the following renewal hook for letsencrypt

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/prosody_deploy_hook
# make this file executable (chmod +x) so certbot runs it after each renewal

prosodyctl --root cert import /etc/letsencrypt/live