The following ports have to be opened in your firewall:
5222/tcp # XMPP Client-to-Server 5269/tcp # XMPP Server-to-Server 5281/tcp # XMPP HTTPS (for file sharing)
Prosody (formerly lxmppd) is a cross-platform XMPP server written in Lua. Its development goals include low resource usage, ease of use, and extensibility.
sudo apt install prosody prosody-modules lua-unbound
Add the prosody
user to the ssl-cert
group:
sudo usermod -aG ssl-cert prosody
Create a virtual host configuration:
VirtualHost "quietlife.nl" admins = { "user1@quietlife.nl" } modules_enabled = { "carbons"; "cloud_notify"; "mam"; "seclabels"; "smacks"; } ssl = { certificate = "/etc/prosody/certs/quietlife.nl.crt"; key = "/etc/prosody/certs/quietlife.nl.key"; protocol = "tlsv1_2+"; ciphers = "EECDH+AESGCM:EDH+AESGCM"; dhparam = "/etc/ssl/dhparams.pem"; } Component "conference.quietlife.nl" "muc" Component "upload.quietlife.nl" "http_file_share" http_file_share_size_limit = 100000000
Enable the configuration:
cd /etc/prosody/conf.d/ sudo ln -s ../conf.avail/quietlife.nl.cfg.lua .
Generate a certificate with certbot
that contains your base hostname and subdomains conference and upload:
sudo certbot certonly -d quietlife.nl -d conference.quietlife.nl -d upload.quietlife.nl
If your base hostname is on a subdomain, use sub-subdomains:
sudo certbot certonly -d chat.quietlife.nl -d conference.chat.quietlife.nl -d upload.chat.quietlife.nl
If you already have a certificate for your base hostname, you can expand it to include these subdomains:
sudo certbot certonly --expand -d quietlife.nl -d conference.quietlife.nl -d upload.quietlife.nl
If you don't have one already, generate dhparams.pem
with openssl
:
cd /tmp/ openssl dhparam -out dhparams.pem 4096 sudo mv dhparams.pem /etc/ssl/ sudo chown root:ssl-cert /etc/ssl/dhparams.pem sudo chmod 640 /etc/ssl/dhparams.pem
Unlike Apache, nginx, Dovecot and Postfix, Prosody does not shortly run as root when started in order to read from /etc/letsencrypt/
. So certificates have to be copied to the /etc/prosody/certs/
directory:
sudo prosodyctl --root cert import quietlife.nl /etc/letsencrypt/live
If you use Let's Encrypt, you have to renew your certificates every three months. They also have to be re-imported by Prosody after every renewal. This can be automated with a script you put in /etc/letsencrypt/renewal-hooks/post/
:
#!/bin/sh prosodyctl --root cert import quietlife.nl /etc/letsencrypt/live
Make it executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/prosody.sh
sudo systemctl restart prosody.service
sudo prosodyctl adduser user1@quietlife.nl sudo prosodyctl adduser user2@quietlife.nl ...