5.8 KiB
title | date | draft | tags | authors | post | |||||
---|---|---|---|---|---|---|---|---|---|---|
Prosody Photo Uploads | 2021-01-25 | false |
|
|
18 |
date: 2021-01-25
Introduction
Install prosody{target=_blank} on Debian 10{target=_blank} with photoupload, postgresql database, and letsencrypt certs.
DNS
- Log into your dns provider and create A and AAAA records for xmpp.example.com
- Log into your dns provider and create A and AAAA records for xmppupload.example.com
FireWall
Incidentally, you definitely do want to use a non-standard ssh port for connecting over the internet.
I would suggest that a firewall is important, because I couldn't figure out how to completely disable port 5280 for the http protocol, in the clear, in the prosody config.
ports
80/tcp
,443/tcp
for certbot4444/tcp
i.e. port 4444 for ssh5222/tcp
for xmpp-client5269/tcp
for xmpp-server5281/tcp
for https connections to prosody for uploads and photos
FireWall with UFW
ufw allow http
ufw allow https
ufw allow xmpp-client
ufw allow xmpp-server
ufw allow 5281/tcp
ufw allow 4444/tcp
i.e. if 4444 for sshufw enable
to start the firewall
Postgresql Database
Install the postgresql database.
apt-get install postgresql postgresql-contrib
Log into the psql command line.
sudo -u postgres psql
Create prosody database
postgres=# CREATE DATABASE prosody;
Creat prosody user
postgres=# CREATE ROLE prosody WITH LOGIN;
Set password for user
postgres=# \password prosody
Quit psql
postgres=# \q
allow authentication in pg_hba.conf
To connect to postgresql via unix socket
# /etc/postgresql/11/main/pg_hba.conf
# make sure this line is above
local prosody prosody md5
# make sure this line is below
local all all peer
or i.e. through a wireguard tunnel
# /etc/postgresql/11/main/pg_hba.conf
# where 10.0.22.5 is the ip address of the machine that prosody will run on
host prosody prosody 10.0.22.5/32 md5
and then restart postgresql
systemctl restart postgresql
Prosody
Install Prosody
apt install prosody prosody-modules lua-dbi-postgresql
Configure Prosody
backup the prosody config file
cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.bak
if you want to disable advertising version and uptime, allow message archives, and disallow registration, change this
-- /etc/prosody/prosody.cfg.lua
modules_enabled = {
...
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; -- Allow users to register on this server using a client and change passwords
--"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
...
}
to this
-- /etc/prosody/prosody.cfg.lua
modules_enabled = {
...
-- Nice to have
--"version"; -- Replies to server version requests
--"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
--"register"; -- Allow users to register on this server using a client and change passwords
"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
...
}
to force certificate authentication for server-to-server connections, make the following edit around line 123
-- /etc/prosody/prosody.cfg.lua
-- Force certificate authentication for server-to-server connections?
-- change this
s2s_secure_auth = false
-- to this
s2s_secure_auth = true
around line 147 enable sql
-- /etc/prosody/prosody.cfg.lua
-- change this
--storage = "sql"
-- to this
storage = "sql"
and describe the database connection
-- /etc/prosody/prosody.cfg.lua
-- change this
--sql = {
driver = "PostgreSQL",
database = "prosody",
username = "prosody",
password = "secret",
host = "localhost"
}
-- to this
sql = {
driver = "PostgreSQL",
database = "prosody",
username = "prosody",
password = "secret",
host = "localhost"
}
-- or to use a unix socket in Debian 10
sql = {
driver = "PostgreSQL",
database = "prosody",
username = "prosody",
password = "secret",
host = "/var/run/postgresql"
}
somewhere around line 196, describe the certificate file for the upoad subdomain
-- /etc/prosody/prosody.cfg.lua
-- change this
--https_certificate = "/etc/prosody/certs/localhost.crt"
-- to this
https_certificate = "/etc/prosody/certs/xmppupload.example.com.crt"
somewhere around line 210 describe your virtualhost
-- /etc/prosody/prosody.cfg.lua
VirtualHost "xmpp.example.com"
disco_items = {
{"xmppupload.example.com"},
}
add the following to the end of the file
-- /etc/prosody/prosody.cfg.lua
Component "xmppupload.example.com" "http_upload"
and then restart prosody
systemctl restart prososdy
Certbot
install certbot
apt install certbot
get certificates
certbot certonly -d xmpp.example.com
certbot certonly -d xmppupload.example.com
import the certificates into prosody and restart prosody
prosodyctl --root cert import /etc/letsencrypt/live
systemctl restart prosody
create the following renewal-hook for letsencrypt
#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/prosody_deploy_hook
prosodyctl --root cert import /etc/letsencrypt/live