Prosody post

Signed-off-by: Anirudh Oppiliappan <x@icyphox.sh>
Anirudh Oppiliappan x@icyphox.sh
Tue, 18 Feb 2020 20:11:30 +0530
6 files changed, 445 insertions(+), 3 deletions(-)
M
bin/update_index.py
→
bin/update_index.py
@@ -65,5 +65,5 @@ url = "/blog/" + fname
new_line = f"| [{meta['title']}]({url}) | {meta['date']} |" lines.append(new_line) -#update_index(lines) +update_index(lines) update_blog(lines[0])
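Review bot: The `update_index(lines)` call in this hunk of bin/update_index.py is switched on by deleting a `#`, so whether the home page index is regenerated depends on the state the script was last committed in. Consider a command-line flag or a separate entry point for the index update, so that publishing a post does not require editing the script and a leftover comment cannot skip the update unnoticed.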
M
pages/_index.md
→
pages/_index.md
@@ -12,8 +12,8 @@ # latest posts ([see all](/blog))
| | | | :-- | --: | +| [Setting up Prosody for XMPP](/blog/prosody) | 2020-02-18 | | [Status update](/blog/2020-01-18) | 2020-01-18 | | [Vimb: my Firefox replacement](/blog/mnml-browsing) | 2020-01-16 | | [Five days in a TTY](/blog/five-days-tty) | 2020-01-13 | | [2019 in review](/blog/2019-in-review) | 2020-01-02 | -| [Disinfo war: RU vs GB](/blog/ru-vs-gb) | 2019-12-12 |
M
pages/blog/_index.md
→
pages/blog/_index.md
@@ -9,6 +9,7 @@ ## Computers, security & computer security.
| | | | :-- | --: | +| [Setting up Prosody for XMPP](/blog/prosody) | 2020-02-18 | | [Status update](/blog/2020-01-18) | 2020-01-18 | | [Vimb: my Firefox replacement](/blog/mnml-browsing) | 2020-01-16 | | [Five days in a TTY](/blog/five-days-tty) | 2020-01-13 |
M
pages/blog/feed.xml
→
pages/blog/feed.xml
@@ -11,7 +11,154 @@ <link>https://icyphox.sh/blog/</link>
</image> <language>en-us</language> <copyright>Creative Commons BY-NC-SA 4.0</copyright> - <item><title>Status update</title><description><![CDATA[<p>It’s only been a two weeks since I got back to campus, and we’ve + <item><title>Setting up Prosody for XMPP</title><description><![CDATA[<p>Remember the <a href="/blog/irc-for-dms/">IRC for DMs</a> article I wrote a while +back? Well…it’s safe to say that IRC didn’t hold up too well. It first +started with the bot. Buggy code, crashed a lot—we eventually gave up +and didn’t bring the bot back up. Then came the notifications, or lack +thereof. Revolution IRC has a bug where your custom notification rules +just get ignored after a while. In my case, this meant that +notifications for <code>#crimson</code> stopped entirely. Unless, of course, Nerdy +pinged me each time.</p> + +<p>Again, none of these problems are inherent to IRC itself. IRC is +fantastic, but perhaps wasn’t the best fit for our usecase. I still do +use IRC though, just not for 1-on-1 conversations.</p> + +<h2 id="why-xmpp">Why XMPP?</h2> + +<p>For one, it’s better suited for 1-on-1 conversations. It also has +support for end-to-end encryption (via OMEMO), something IRC doesn’t +have.<sup class="footnote-ref" id="fnref-otr"><a href="#fn-otr">1</a></sup> Also, it isn’t centralized (think: email).</p> + +<h2 id="soprosody">So…Prosody</h2> + +<p><a href="https://prosody.im">Prosody</a> is an XMPP server. Why did I choose this +over ejabberd, OpenFire, etc.? No reason, really. Their website looked +cool, I guess.</p> + +<h3 id="installing">Installing</h3> + +<p>Setting it up was pretty painless (I’ve <a href="/blog/mailserver">experienced +worse</a>). 
If you’re on a Debian-derived system, add:</p> + +<pre><code># modify according to your distro +deb https://packages.prosody.im/debian buster main +</code></pre> + +<p>to your <code>/etc/apt/sources.list</code>, and:</p> + +<pre><code># apt update +# apt install prosody +</code></pre> + +<h3 id="configuring">Configuring</h3> + +<p>Once installed, you will find the config file at +<code>/etc/prosody/prosody.cfg.lua</code>. Add your XMPP user (we will make this +later), to the <code>admins = {}</code> line.</p> + +<pre><code>admins = {"user@chat.example.com"} +</code></pre> + +<p>Head to the <code>modules_enabled</code> section, and add this to it:</p> + +<pre><code>modules_enabled = { + "posix"; + "omemo_all_access"; +... + -- uncomment these + "groups"; + "mam"; + -- and any others you think you may need +} +</code></pre> + +<p>We will install the <code>omemo_all_access</code> module later.</p> + +<p>Set <code>c2s_require_encryption</code>, <code>s2s_require_encryption</code>, and +<code>s2s_secure_auth</code> to <code>true</code>. +Set the <code>pidfile</code> to <code>/tmp/prosody.pid</code> (or just leave it as default?).</p> + +<p>By default, Prosody stores passwords in plain-text, so fix that by +setting <code>authentication</code> to <code>"internal_hashed"</code></p> + +<p>Head to the <code>VirtualHost</code> section, and add your vhost. Right above it, +set the path to the HTTPS certificate and key:</p> + +<pre><code>certificates = "certs" -- relative to your config file location +https_certificate = "certs/chat.example.com.crt" +https_key = "certs/chat.example.com.key" +... + +VirtualHost "chat.example.com" +</code></pre> + +<p>I generated these certs using Let’s Encrypt’s <code>certbot</code>, you can use +whatever. Here’s what I did:</p> + +<pre><code># certbot --nginx -d chat.example.com +</code></pre> + +<p>This generates certs at <code>/etc/letsencrypt/live/chat.example.com/</code>. 
You can +trivially import these certs into Prosody’s <code>/etc/prosody/certs/</code> directory using:</p> + +<pre><code># prosodyctl cert import /etc/letsencrypt/live/chat.example.com +</code></pre> + +<h3 id="plugins">Plugins</h3> + +<p>All the modules for Prosody can be <code>hg clone</code>’d from +<a href="https://hg.prosody.im/prosody-modules.">https://hg.prosody.im/prosody-modules.</a> You will, obviously, need +Mercurial installed for this.</p> + +<p>Clone it somewhere, and: </p> + +<pre><code># cp -R prosody-modules/mod_omemo_all_access /usr/lib/prosody/modules +</code></pre> + +<p>Do the same thing for whatever other module you choose to install. Don’t +forget to add it to the <code>modules_enabled</code> section in the config.</p> + +<h3 id="adding-users">Adding users</h3> + +<p><code>prosodyctl</code> makes this a fairly simple task:</p> + +<pre><code>$ prosodyctl adduser user@chat.example.com +</code></pre> + +<p>You will be prompted for a password. You can optionally, enable +user registrations from XMPP/Jabber clients (security risk!), by setting +<code>allow_registration = true</code>.</p> + +<p>I may have missed something important, so here’s <a href="https://x.icyphox.sh/prosody.cfg.lua">my +config</a> for reference.</p> + +<h2 id="closing-notes">Closing notes</h2> + +<p>That’s pretty much all you need for 1-on-1 E2EE chats. I don’t know much +about group chats just yet—trying to create a group in Conversations +gives a “No group chat server found”. 
I will figure it out later.</p> + +<p>Another thing that doesn’t work in Conversations is adding an account +using an <code>SRV</code> record.<sup class="footnote-ref" id="fnref-srv"><a href="#fn-srv">2</a></sup> Which kinda sucks, because having a <code>chat.</code> +subdomain isn’t very clean, but whatever.</p> + +<p>Oh, also—you can message me at +<a href="xmpp:icy@chat.icyphox.sh">icy@chat.icyphox.sh</a>.</p> + +<div class="footnotes"> +<hr /> +<ol> +<li id="fn-otr"> +<p>I’m told IRC supports OTR, but I haven’t ever tried. <a href="#fnref-otr" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p> +</li> + +<li id="fn-srv"> +<p><a href="https://prosody.im/doc/dns">https://prosody.im/doc/dns</a> <a href="#fnref-srv" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p> +</li> +</ol> +</div> +]]></description><link>https://icyphox.sh/blog/prosody</link><pubDate>Tue, 18 Feb 2020 00:00:00 +0000</pubDate><guid>https://icyphox.sh/blog/prosody</guid></item><item><title>Status update</title><description><![CDATA[<p>It’s only been a two weeks since I got back to campus, and we’ve <em>already</em> got our first round of cycle tests starting this Tuesday. Granted, I returned a week late, but…that’s nuts!</p>
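Review bot: In the Plugins paragraph of the new feed item, the autolinked URL comes out as `href="https://hg.prosody.im/prosody-modules."`, with the sentence's full stop inside both the href and the link text, so the link does not point at the intended path. Writing the URL in angle brackets or as a normal Markdown link in pages/blog/prosody.md and regenerating the feed would fix it. The item also carries site-relative links such as `href="/blog/irc-for-dms/"` and `href="/blog/mailserver"`, which only work if the feed reader resolves them against the site; absolute URLs would be safer inside feed content.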
A
pages/blog/prosody.md
@@ -0,0 +1,154 @@
+--- +template: +url: prosody +title: Setting up Prosody for XMPP +subtitle: I setup Prosody yesterday—here's how I did it +date: 2020-02-18 +--- + +Remember the [IRC for DMs](/blog/irc-for-dms/) article I wrote a while +back? Well...it's safe to say that IRC didn't hold up too well. It first +started with the bot. Buggy code, crashed a lot---we eventually gave up +and didn't bring the bot back up. Then came the notifications, or lack +thereof. Revolution IRC has a bug where your custom notification rules +just get ignored after a while. In my case, this meant that +notifications for `#crimson` stopped entirely. Unless, of course, Nerdy +pinged me each time. + +Again, none of these problems are inherent to IRC itself. IRC is +fantastic, but perhaps wasn't the best fit for our usecase. I still do +use IRC though, just not for 1-on-1 conversations. + +## Why XMPP? + +For one, it's better suited for 1-on-1 conversations. It also has +support for end-to-end encryption (via OMEMO), something IRC doesn't +have.[^otr] Also, it isn't centralized (think: email). + +[^otr]: I'm told IRC supports OTR, but I haven't ever tried. + +## So...Prosody + +[Prosody](https://prosody.im) is an XMPP server. Why did I choose this +over ejabberd, OpenFire, etc.? No reason, really. Their website looked +cool, I guess. + +### Installing + +Setting it up was pretty painless (I've [experienced +worse](/blog/mailserver)). If you're on a Debian-derived system, add: +``` +# modify according to your distro +deb https://packages.prosody.im/debian buster main +``` + +to your `/etc/apt/sources.list`, and: + +``` +# apt update +# apt install prosody +``` + +### Configuring + +Once installed, you will find the config file at +`/etc/prosody/prosody.cfg.lua`. Add your XMPP user (we will make this +later), to the `admins = {}` line. 
+ +``` +admins = {"user@chat.example.com"} +``` + +Head to the `modules_enabled` section, and add this to it: + +``` +modules_enabled = { + "posix"; + "omemo_all_access"; +... + -- uncomment these + "groups"; + "mam"; + -- and any others you think you may need +} +``` + +We will install the `omemo_all_access` module later. + +Set `c2s_require_encryption`, `s2s_require_encryption`, and +`s2s_secure_auth` to `true`. +Set the `pidfile` to `/tmp/prosody.pid` (or just leave it as default?). + +By default, Prosody stores passwords in plain-text, so fix that by +setting `authentication` to `"internal_hashed"` + +Head to the `VirtualHost` section, and add your vhost. Right above it, +set the path to the HTTPS certificate and key: + +``` +certificates = "certs" -- relative to your config file location +https_certificate = "certs/chat.example.com.crt" +https_key = "certs/chat.example.com.key" +... + +VirtualHost "chat.example.com" +``` + +I generated these certs using Let's Encrypt's `certbot`, you can use +whatever. Here's what I did: + +``` +# certbot --nginx -d chat.example.com +``` + +This generates certs at `/etc/letsencrypt/live/chat.example.com/`. You can +trivially import these certs into Prosody's `/etc/prosody/certs/` directory using: + +``` +# prosodyctl cert import /etc/letsencrypt/live/chat.example.com +``` + +### Plugins + +All the modules for Prosody can be `hg clone`'d from +https://hg.prosody.im/prosody-modules. You will, obviously, need +Mercurial installed for this. + +Clone it somewhere, and: + +``` +# cp -R prosody-modules/mod_omemo_all_access /usr/lib/prosody/modules +``` + +Do the same thing for whatever other module you choose to install. Don't +forget to add it to the `modules_enabled` section in the config. + +### Adding users + +`prosodyctl` makes this a fairly simple task: + +``` +$ prosodyctl adduser user@chat.example.com +``` + +You will be prompted for a password. 
You can optionally, enable +user registrations from XMPP/Jabber clients (security risk!), by setting +`allow_registration = true`. + +I may have missed something important, so here's [my +config](https://x.icyphox.sh/prosody.cfg.lua) for reference. + +## Closing notes + +That's pretty much all you need for 1-on-1 E2EE chats. I don't know much +about group chats just yet---trying to create a group in Conversations +gives a "No group chat server found". I will figure it out later. + +Another thing that doesn't work in Conversations is adding an account +using an `SRV` record.[^srv] Which kinda sucks, because having a `chat.` +subdomain isn't very clean, but whatever. + +Oh, also---you can message me at +[icy@chat.icyphox.sh](xmpp:icy@chat.icyphox.sh). + +[^srv]: https://prosody.im/doc/dns
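Review bot: In the Configuring section, the line `Set the pidfile to /tmp/prosody.pid (or just leave it as default?)` steers readers toward a PID file in a world-writable directory, where any local user can create that path first; I would drop the `/tmp` suggestion and keep the packaged default, which the parenthesis already hints at. In the Installing section, the steps go from adding `deb https://packages.prosody.im/debian buster main` straight to `apt update` with no step that installs the repository's signing key, so apt has nothing to verify the packages against; that step should be added. The sentence ending in `setting authentication to "internal_hashed"` is also missing its full stop.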
A
pages/txt/prosody.txt
@@ -0,0 +1,140 @@
+--- +date: '2020-02-18' +subtitle: 'I setup Prosody yesterday---here''s how I did it' +title: Setting up Prosody for XMPP +url: prosody +--- + +Remember the [IRC for DMs](/blog/irc-for-dms/) article I wrote a while +back? Well...it's safe to say that IRC didn't hold up too well. It first +started with the bot. Buggy code, crashed a lot---we eventually gave up +and didn't bring the bot back up. Then came the notifications, or lack +thereof. Revolution IRC has a bug where your custom notification rules +just get ignored after a while. In my case, this meant that +notifications for `#crimson` stopped entirely. Unless, of course, Nerdy +pinged me each time. + +Again, none of these problems are inherent to IRC itself. IRC is +fantastic, but perhaps wasn't the best fit for our usecase. I still do +use IRC though, just not for 1-on-1 conversations. + +Why XMPP? +--------- + +For one, it's better suited for 1-on-1 conversations. It also has +support for end-to-end encryption (via OMEMO), something IRC doesn't +have.[^1] Also, it isn't centralized (think: email). + +So...Prosody +------------ + +[Prosody](https://prosody.im) is an XMPP server. Why did I choose this +over ejabberd, OpenFire, etc.? No reason, really. Their website looked +cool, I guess. + +### Installing + +Setting it up was pretty painless (I've [experienced +worse](/blog/mailserver)). If you're on a Debian-derived system, add: + + # modify according to your distro + deb https://packages.prosody.im/debian buster main + +to your `/etc/apt/sources.list`, and: + + # apt update + # apt install prosody + +### Configuring + +Once installed, you will find the config file at +`/etc/prosody/prosody.cfg.lua`. Add your XMPP user (we will make this +later), to the `admins = {}` line. + + admins = {"user@chat.example.com"} + +Head to the `modules_enabled` section, and add this to it: + + modules_enabled = { + "posix"; + "omemo_all_access"; + ... 
+ -- uncomment these + "groups"; + "mam"; + -- and any others you think you may need + } + +We will install the `omemo_all_access` module later. + +Set `c2s_require_encryption`, `s2s_require_encryption`, and +`s2s_secure_auth` to `true`. Set the `pidfile` to `/tmp/prosody.pid` (or +just leave it as default?). + +By default, Prosody stores passwords in plain-text, so fix that by +setting `authentication` to `"internal_hashed"` + +Head to the `VirtualHost` section, and add your vhost. Right above it, +set the path to the HTTPS certificate and key: + + certificates = "certs" -- relative to your config file location + https_certificate = "certs/chat.example.com.crt" + https_key = "certs/chat.example.com.key" + ... + + VirtualHost "chat.example.com" + +I generated these certs using Let's Encrypt's `certbot`, you can use +whatever. Here's what I did: + + # certbot --nginx -d chat.example.com + +This generates certs at `/etc/letsencrypt/live/chat.example.com/`. You +can trivially import these certs into Prosody's `/etc/prosody/certs/` +directory using: + + # prosodyctl cert import /etc/letsencrypt/live/chat.example.com + +### Plugins + +All the modules for Prosody can be `hg clone`'d from +https://hg.prosody.im/prosody-modules. You will, obviously, need +Mercurial installed for this. + +Clone it somewhere, and: + + # cp -R prosody-modules/mod_omemo_all_access /usr/lib/prosody/modules + +Do the same thing for whatever other module you choose to install. Don't +forget to add it to the `modules_enabled` section in the config. + +### Adding users + +`prosodyctl` makes this a fairly simple task: + + $ prosodyctl adduser user@chat.example.com + +You will be prompted for a password. You can optionally, enable user +registrations from XMPP/Jabber clients (security risk!), by setting +`allow_registration = true`. + +I may have missed something important, so here's [my +config](https://x.icyphox.sh/prosody.cfg.lua) for reference. 
+ +Closing notes +------------- + +That's pretty much all you need for 1-on-1 E2EE chats. I don't know much +about group chats just yet---trying to create a group in Conversations +gives a "No group chat server found". I will figure it out later. + +Another thing that doesn't work in Conversations is adding an account +using an `SRV` record.[^2] Which kinda sucks, because having a `chat.` +subdomain isn't very clean, but whatever. + +Oh, also---you can message me at +[icy\@chat.icyphox.sh](xmpp:icy@chat.icyphox.sh). + +[^1]: I'm told IRC supports OTR, but I haven't ever tried. + +[^2]: https://prosody.im/doc/dns
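Review bot: In the last paragraph of pages/txt/prosody.txt the contact address is written as `[icy\@chat.icyphox.sh](xmpp:icy@chat.icyphox.sh)`, so a reader of the plain-text copy sees a backslash inside the JID. The footnote labels also differ from pages/blog/prosody.md (`[^1]` and `[^2]` here, `[^otr]` and `[^srv]` there), which suggests this file comes out of a converter; if so, fix the escape in the conversion step rather than by hand.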