From 90d7c5f40f49497a4b78e00a29c1601982c4d3ff Mon Sep 17 00:00:00 2001
From: Elena ``of Valhalla'' Grandi <valhalla@trueelena.org>
Date: Fri, 1 Dec 2023 15:11:26 +0100
Subject: Upgrade xmpp server instructions to bookworm

---
 source/self_hosting/modern_xmpp_server/index.rst | 95 +++++++++++++++++-------
 1 file changed, 70 insertions(+), 25 deletions(-)

diff --git a/source/self_hosting/modern_xmpp_server/index.rst b/source/self_hosting/modern_xmpp_server/index.rst
index 3f752e9..79977d4 100644
--- a/source/self_hosting/modern_xmpp_server/index.rst
+++ b/source/self_hosting/modern_xmpp_server/index.rst
@@ -7,8 +7,9 @@ supported in Debian <https://www.debian.org/security/>`_ and 100%
 compliant with the `tests for XEP-0459: XMPP Compliance Suites 2022 on
 conversations' website <https://compliance.conversations.im>`_.
 
-This guide was written for prosody 0.9 under Debian jessie, but is being
-kept up to date as I upgrade my server to new Debian releases.
+This guide was originally written for prosody 0.9 under Debian jessie,
+but is being kept up to date as I upgrade my server to new Debian
+releases.
 
 .. only:: html
 
@@ -26,7 +27,7 @@ reached with ejabberd_ and other servers.
 .. _ejabberd: https://www.ejabberd.im/
 
 I'm also targetting Debian_ stable (+ backports_); currently that's
-bullseye and prosody 0.11 (upgrade to bookworm is planned soon).
+bookworm and prosody 0.12.
 
 .. _Debian: https://www.debian.org
 .. _backports: https://backports.debian.org/
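Review bot: the unchanged context line in this hunk still spells it "targetting"; since the paragraph is being edited for the bookworm/0.12 update anyway, fix it to "targeting" in the same change rather than leaving the typo for a later commit.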
@@ -35,9 +36,8 @@ bullseye and prosody 0.11 (upgrade to bookworm is planned soon).
 Installation and prerequisites
 ------------------------------
 
-You will need to install the packages ``prosody`` and
-``prosody-modules``; on jessie the versions in backports were needed,
-but currently not on buster.
+You will need to install the packages ``prosody``, ``prosody-modules``,
+and ``coturn``.
 
 You also need to setup some TLS certificates (I used `Let's Encrypt`_); 
 and make them readable by the ``prosody`` user; you can see `Chapter 12 
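Review bot: ``coturn`` is now listed alongside ``prosody`` and ``prosody-modules`` as if it were required, but it is only needed for the TURN/STUN section this patch adds later (video calls). Mark it optional here, e.g. "and, if you want to support calls, ``coturn``", so a text-only deployment does not install and expose an extra listening service it never uses.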
@@ -52,6 +52,10 @@ certificate for https with a configuration stanza such as::
        certificate = "/etc/ssl/public/example.org.pem";
        key = "/etc/ssl/private/example.org-key.pem";
    }
+   legacy_ssl_ssl = {
+       certificate = "/etc/ssl/public/example.org.pem";
+       key = "/etc/ssl/private/example.org-key.pem";
+   }
 
 or see the `prosody documentation on certificates
 <https://prosody.im/doc/certificates>`_ to see where to put certificates
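Review bot: the new ``legacy_ssl_ssl`` stanza does not say which listener it serves or when it is needed. It duplicates the certificate/key paths of the https stanza directly above it, and the paragraph right after still points readers at the certificate documentation for auto-detection; add one sentence tying it to the 5223 client port this patch opens in the firewall section, and state whether it can be omitted when certificates are auto-detected.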
@@ -62,11 +66,17 @@ so that prosody is able to autodetect them.
 On your firewall, you'll need to open the following TCP ports:
 
 * 5222 (client2server)
+* 5223 (client2server, https)
 * 5269 (server2server)
 * 5280 (default http port for prosody)
 * 5281 (default https port for prosody)
+* 3478 (coturn)
+
+As well as the following port for UDP
 
-The latter two are needed to enable some services provided via http(s),
+* 3478 (coturn)
+
+The http ports are needed to enable some services provided via http(s),
 including rich media transfers.
 
 With just a handful of users, I didn't bother to configure LDAP or
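Review bot: port 5223 is labelled "client2server, https", which conflates it with the 5281 https listener two lines below; the matching config key added in this patch is ``legacy_ssl_ssl``, i.e. XMPP client connections over direct TLS, so label it "5223 (client2server, direct TLS)". Also "As well as the following port for UDP" is a sentence fragment with no terminating colon; make it "You will also need to open the following UDP port:".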
@@ -74,11 +84,6 @@ anything else, but just created users manually via::
 
    prosodyctl adduser alice@example.org
 
-In-band registration is disabled by default (and I've left it that way,
-to prevent my server from being used to send spim_).
-
-.. _spim: https://en.wikipedia.org/wiki/Messaging_spam
-
 prosody configuration
 ---------------------
 
@@ -86,18 +91,55 @@ You can then start configuring prosody by editing
 ``/etc/prosody/prosody.cfg.lua`` and changing a few values from the
 distribution defaults.
 
-First of all, enforce the use of encryption and certificate checking
-both for client2server and server2server communications with::
+First of all, enforce the use of certificate checking for server2server
+communications with::
 
-   c2s_require_encryption = true
    s2s_secure_auth = true
 
 and then, if you need to, add to the whitelist any server that you want
 to talk to and doesn't support secure s2s communication (but note that
-gmail.com is no longer needed, as it doesn't support xmpp any longer)::
+gmail.com is no longer needed nor useful, as it doesn't support xmpp any
+longer)::
 
    s2s_insecure_domains = { "gmail.com" }
 
+Also add at least an user (that you have already created with ``prosodyctl
+adduser`` as described above) as an admin::
+
+   admins = { "alice@example.org" }
+
+disabling in-band registration
+-------------------------------
+
+``mod_register`` is now enabled by default to provide password changing
+services, but unless you have the resources to moderate new users you
+probably want to disable registration to prevent the server from being
+used to send spim_; to do so add the line::
+
+   allow_registration = false
+
+.. _spim: https://en.wikipedia.org/wiki/Messaging_spam
+
+TURN/STUN
+---------
+
+Support for video calls requires an external STUN / TURN server such as
+coturn_, which can be installed on the same machine; its configuration
+require setting a realm and a secret for auth in
+``/etc/turnserver.conf``::
+
+   realm=turn.chat.example.org
+   use-auth-secret
+   static-auth-secret=<a long random string>
+
+And then you will have to set the same values in
+``/etc/prosody/prosody.cfg.lua``::
+
+  turncredentials_host = 'turn.chat.example.org'
+  turncredentials_secret = '<the same long string as above>'
+
+.. _coturn: https://github.com/coturn/coturn/
+
 virtualhosts
 ------------
 
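Review bot: the ``s2s_insecure_domains = { "gmail.com" }`` example contradicts the sentence introducing it, which now says gmail.com is neither needed nor useful; readers will copy the line as-is and end up with an insecure-s2s whitelist they did not want, so show an empty table (``s2s_insecure_domains = {}``) or an obvious placeholder domain instead. Two smaller points in the same hunk: dropping ``c2s_require_encryption = true`` is not explained (if the 0.12 default makes it redundant, say so, otherwise readers upgrading from 0.11 will assume client encryption is no longer enforced); and the TURN/STUN section sets ``turncredentials_host``/``turncredentials_secret`` without naming the prosody module that reads them or adding it to the list of additional modules described later on the page, so readers cannot tell what to enable. Wording: "at least an user" should read "at least one user", and "its configuration require setting" should read "requires setting".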
@@ -159,15 +201,8 @@ modules inside ``/etc/prosody/prosody.cfg.lua`` (under
    "something";
 
 Most of these come from the ``prosody-modules`` package (and thus from
-https://modules.prosody.im/ ) and some may require changing when prosody
-0.10 will be available; when this is the case it is mentioned below.
-
-``mod_blocklist`` (XEP-0191)
-   To allow user-controlled blocking of users, including as an anti-spim
-   measure.
-``mod_smacks`` (XEP-0198)
-   Allow clients to resume a disconnected session before a customizable
-   timeout and prevent message loss.
+https://modules.prosody.im/ ).
+
 ``mod_mam`` (XEP-0313)
    Archive messages on the server for a limited period of time (default
    1 week) and allow clients to retrieve them; this is required to
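Review bot: the entries for ``mod_blocklist`` (XEP-0191) and ``mod_smacks`` (XEP-0198) are removed from the module list without explanation, and ``mod_blocklist`` was the page's only user-side anti-spim control besides the registration section. If both are loaded by default in prosody 0.12, say so in the sentence that replaces the old 0.10 note; otherwise keep the entries. Minor: "https://modules.prosody.im/ )." has a stray space before the closing parenthesis.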
@@ -186,6 +221,16 @@ https://modules.prosody.im/ ) and some may require changing when prosody
    Allow clients to register an “app server” that is notified about new
    messages
 
+Proxied file transfers
+----------------------
+
+To enable proxied file transfers for clients behind NAT or firewalls,
+you need to add ``"proxy65";`` to the list of additional modules, and
+then enable it in at least one virtual host with the lines::
+
+   Component "proxy.chat.trueelena.org" "proxy65"
+           proxy65_address = "proxy.chat.trueelena.org"
+
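Review bot: the Component example uses the author's real hostname ``proxy.chat.trueelena.org`` while every other snippet on the page uses ``example.org``/``chat.example.org``; switch to ``proxy.chat.example.org`` so readers do not copy a live host into their configuration. The firewall section earlier in this patch lists every other listener but not the port the proxy65 component listens on, so add it there as well, and align the indentation of ``proxy65_address`` with the three-space indent used by the other config blocks.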
 See also
 ========
 