From 5690a5c438ae5b67a60857e72866b95acd1723aa Mon Sep 17 00:00:00 2001
From: Elena ``of Valhalla'' Grandi <valhalla@trueelena.org>
Date: Wed, 14 Jun 2023 21:17:47 +0200
Subject: new article: modern xmpp server

---
 source/index.rst                                 |   3 +-
 source/self_hosting/index.rst                    |   9 +
 source/self_hosting/modern_xmpp_server/index.rst | 205 +++++++++++++++++++++++
 3 files changed, 216 insertions(+), 1 deletion(-)
 create mode 100644 source/self_hosting/index.rst
 create mode 100644 source/self_hosting/modern_xmpp_server/index.rst

diff --git a/source/index.rst b/source/index.rst
index 9f748d5..d70e647 100644
--- a/source/index.rst
+++ b/source/index.rst
@@ -62,9 +62,10 @@ Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
 -----
 
 .. toctree::
-   :maxdepth: 3
+   :maxdepth: 2
    :caption: Contents:
 
+   self_hosting/index
    bibliography/index
 
 .. only:: draft
diff --git a/source/self_hosting/index.rst b/source/self_hosting/index.rst
new file mode 100644
index 0000000..1267fcc
--- /dev/null
+++ b/source/self_hosting/index.rst
@@ -0,0 +1,9 @@
+##############
+ Self Hosting
+##############
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Contents:
+
+   modern_xmpp_server/index
diff --git a/source/self_hosting/modern_xmpp_server/index.rst b/source/self_hosting/modern_xmpp_server/index.rst
new file mode 100644
index 0000000..3f752e9
--- /dev/null
+++ b/source/self_hosting/modern_xmpp_server/index.rst
@@ -0,0 +1,205 @@
+*******************
+Modern XMPP Server
+*******************
+
+This is what I did to configure my XMPP server, using only `packages
+supported in Debian <https://www.debian.org/security/>`_ and 100%
+compliant with the `tests for XEP-0459: XMPP Compliance Suites 2022 on
+conversations' website <https://compliance.conversations.im>`_.
+
+This guide was written for prosody 0.9 under Debian jessie, but is being
+kept up to date as I upgrade my server to new Debian releases.
+
+.. only:: html
+
+   .. contents::
+
+How
+===
+
+I've decided to install prosody_, mostly because it was recommended by
+the `RTC QuickStart Guide`_; I've heard that similar results can be
+reached with ejabberd_ and other servers.
+
+.. _prosody: https://prosody.im/
+.. _`RTC QuickStart Guide`: http://rtcquickstart.org/
+.. _ejabberd: https://www.ejabberd.im/
+
+I'm also targetting Debian_ stable (+ backports_); currently that's
+bullseye and prosody 0.11 (upgrade to bookworm is planned soon).
+
+.. _Debian: https://www.debian.org
+.. _backports: https://backports.debian.org/
+
+
+Installation and prerequisites
+------------------------------
+
+You will need to install the packages ``prosody`` and
+``prosody-modules``; on jessie the versions in backports were needed,
+but currently not on buster.
+
+You also need to setup some TLS certificates (I used `Let's Encrypt`_); 
+and make them readable by the ``prosody`` user; you can see `Chapter 12 
+of the RTC QuickStart Guide
+<http://rtcquickstart.org/guide/multi/xmpp-server-prosody.html>`_ for
+more details.
+
+With prosody 0.10+ you will also need to configure the location of the
+certificate for https with a configuration stanza such as::
+
+   https_ssl = {
+       certificate = "/etc/ssl/public/example.org.pem";
+       key = "/etc/ssl/private/example.org-key.pem";
+   }
+
+or see the `prosody documentation on certificates
+<https://prosody.im/doc/certificates>`_ to see where to put certificates
+so that prosody is able to autodetect them.
+
+.. _`Let's Encrypt`: https://letsencrypt.org/
+
+On your firewall, you'll need to open the following TCP ports:
+
+* 5222 (client2server)
+* 5269 (server2server)
+* 5280 (default http port for prosody)
+* 5281 (default https port for prosody)
+
+The latter two are needed to enable some services provided via http(s),
+including rich media transfers.
+
+With just a handful of users, I didn't bother to configure LDAP or
+anything else, but just created users manually via::
+
+   prosodyctl adduser alice@example.org
+
+In-band registration is disabled by default (and I've left it that way,
+to prevent my server from being used to send spim_).
+
+.. _spim: https://en.wikipedia.org/wiki/Messaging_spam
+
+prosody configuration
+---------------------
+
+You can then start configuring prosody by editing
+``/etc/prosody/prosody.cfg.lua`` and changing a few values from the
+distribution defaults.
+
+First of all, enforce the use of encryption and certificate checking
+both for client2server and server2server communications with::
+
+   c2s_require_encryption = true
+   s2s_secure_auth = true
+
+and then, if you need to, add to the whitelist any server that you want
+to talk to and doesn't support secure s2s communication (but note that
+gmail.com is no longer needed, as it doesn't support xmpp any longer)::
+
+   s2s_insecure_domains = { "gmail.com" }
+
+virtualhosts
+------------
+
+For each virtualhost you want to configure, create a file
+``/etc/prosody/conf.avail/chat.example.org.cfg.lua`` with contents like
+the following::
+
+   VirtualHost "chat.example.org"
+	   enabled = true
+	   ssl = {
+	       key = "/etc/ssl/private/example.org-key.pem";
+	       certificate = "/etc/ssl/public/example.org.pem";
+           }
+
+For the domains where you also want to enable MUCs, add the follwing
+lines::
+
+   Component "conference.chat.example.org" "muc"
+           restrict_room_creation = "local"
+           modules_enabled = {
+               "mam_muc",
+               "vcard_muc",
+           }
+
+the ``"local"`` configures prosody so that only local users are allowed
+to create new rooms (but then everybody can join them, if the room
+administrator allows it): this may help reduce unwanted usages of your
+server by random people.
+
+Enabling the ``mam_muc`` module (on prosody 0.10 only) allows people to
+syncronize message history between multiple clients (XEP-0313)
+
+You can also add the following line to enable rich media transfers via
+http uploads (XEP-0363_)::
+
+   Component "upload.chat.example.org" "http_upload"
+
+The defaults are pretty sane, but see
+https://modules.prosody.im/mod_http_upload.html for details on what
+knobs you can configure for this module; you may want e.g. to change the
+maximum file size limit and setup an expiry date::
+
+   Component "upload.chat.example.org" "http_upload"
+       http_upload_file_size_limit = 1024 * 1024 * 2
+       http_upload_expire_after = 60 * 60 * 24 * 7
+
+.. _XEP-0363: https://xmpp.org/extensions/xep-0363.html
+
+Don't forget to enable the virtualhost by linking the file inside
+``/etc/prosody/conf.d/``.
+
+additional modules
+------------------
+
+Most of the other interesting XEPs are enabled by loading additional
+modules inside ``/etc/prosody/prosody.cfg.lua`` (under
+``modules_enabled``); to enable ``mod_something`` just add a line like::
+
+   "something";
+
+Most of these come from the ``prosody-modules`` package (and thus from
+https://modules.prosody.im/ ) and some may require changing when prosody
+0.10 will be available; when this is the case it is mentioned below.
+
+``mod_blocklist`` (XEP-0191)
+   To allow user-controlled blocking of users, including as an anti-spim
+   measure.
+``mod_smacks`` (XEP-0198)
+   Allow clients to resume a disconnected session before a customizable
+   timeout and prevent message loss.
+``mod_mam`` (XEP-0313)
+   Archive messages on the server for a limited period of time (default
+   1 week) and allow clients to retrieve them; this is required to
+   syncronize message history between multiple clients.
+
+   With prosody 0.9 only an in-memory storage backend is available,
+   which may make this module problematic on servers with many users.
+   prosody 0.10 will fix this by adding support for an SQL backed
+   storage with archiving capabilities.
+``mod_throttle_presence`` + ``mod_filter_chatstates`` (XEP-0352)
+   Filter out presence updates and chat states when the client announces
+   (via Client State Indication) that the user isn't looking.
+   This is useful to reduce power and bandwidth usage for "useless"
+   traffic.
+``cloud_notify`` (XEP-0357)
+   Allow clients to register an “app server” that is notified about new
+   messages
+
+See also
+========
+
+* `The State of Mobile XMPP in 2016 <https://gultsch.de/xmpp_2016.html>`_
+  (blog post by the maintainer of Conversations)
+* `Prosody installation instructions in the FreedomBox wiki
+  <https://wiki.debian.org/FreedomBox/Configs/Prosody>`_
+  (for basic prosody configuration)
+* `What Prosody modules do I need to support Conversations?
+  <https://serverfault.com/questions/835635/what-prosody-modules-do-i-need-to-support-conversations/835636>`_
+  (on Server Fault)
+* `This HOWTO on my old website
+  <https://www.trueelena.org/computers/howto/modern_xmpp_server.html>`_
+* `Enrico's post on how we configured the server before compliance.conversations.im was a thing <http://www.enricozini.org/blog/2017/debian/modern-and-secure-instant-messaging/>`_
+
+..
+   vim: set filetype=rst: 
-- 
cgit v1.2.3