Prosody tutorial.

This commit is contained in:
John Livingston 2021-03-12 14:10:51 +01:00
parent 29af35ab97
commit 2bf8926fa7

View File

@ -0,0 +1,262 @@
# Tutorial: quick setup for Prosody XMPP server on your Peertube's instance
## Abstract
This tutorial is meant to help you configure [Prosody](https://prosody.im)
on your Peertube server.
This tutorial is for debian-like systems (debian, ubuntu, ...).
It was tested with Debian 10 (Buster).
## Important notes about this tutorial
### File editor
I use the `editor` command to edit files. This is a command that switch to
the configured editor («vi», «vim», «nano», ...).
If you don't have the `editor` command, you can replace with your favorite
editor command.
To change the editor used by `editor`, you can do:
```bash
sudo update-alternatives --config editor
```
If you don't know which editor to choose, the Nano editor is often a good choice
for non-sysadmin users.
If you run `vi` or `vim` accidentaly and are stuck withing (that is a *very*
common mistake), type `:q!` to exit.
## Step 1: install Prosody
Prosody is a XMPP server. XMPP is a communication protocol.
It is a robust instant messaging protocol, used by many softwares.
```bash
sudo apt-get update
sudo apt-get install -y prosody
```
## Step 2: configure Prosody
Prosody works with a «virtualhosts» mecanism. You can define multiple
virtualhosts, each one having his own configuration.
**Imporante note**: some settings are global. If you have already a
prosody installed (using it as a Jabber server, or because you installed Jisti),
some settings may affect existing services. In such case, please read Prosody
documentation and be sure to understand what you are doing.
First step, we are going to create a configuration file.
```bash
sudo editor /etc/prosody/conf.avail/peertube.cfg.lua
```
Then you can add this content to the file:
```lua
-- these global settings can affect an existing Prosody installation.
-- Use them with care.
-- NB: prosody http will be behind the nginx reverse proxy.
cross_domain_bosh = false;
consider_bosh_secure = true;
cross_domain_websocket = false;
consider_websocket_secure = true;
https_ports = {};
trusted_proxies = { "127.0.0.1", "::1" }
VirtualHost "${PEERTUBE_DOMAIN}"
authentication = "anonymous"
allow_anonymous_s2s = false
ssl = {
key = "/etc/prosody/certs/${PEERTUBE_DOMAIN}.key";
certificate = "/etc/prosody/certs/${PEERTUBE_DOMAIN}.crt";
}
modules_enabled = {
"http";
"bosh";
"ping";
-- TODO: does not work for now "websocket";
}
http_host = "${PEERTUBE_DOMAIN}"
http_external_url = "http://${PEERTUBE_DOMAIN}"
-- if you have an external XMPP account
-- that you want to be moderator,
-- uncomment this line and set your adress
-- admins = { "admin@your_xmpp_provider_domain" }
Component "room.${PEERTUBE_DOMAIN}" "muc"
-- if you have an external XMPP account
-- that you want to be moderator,
-- uncomment this line and set your adress
-- admins = { "admin@your_xmpp_provider_domain" }
-- if you want room persistence, uncomment these lines
-- (requires prosody>=11, for older version there is the mam_muc module)
-- modules_enabled = { "muc_mam" }
-- muc_log_by_default = true
-- muc_log_presences = true
-- log_all_rooms = true
-- muc_log_expires_after = "1w"
-- muc_log_cleanup_interval = 4 * 60 * 60
restrict_room_creation = "local"
muc_room_locking = false
muc_tombstones = false
muc_room_default_language = "fr"
muc_room_default_public = true
muc_room_default_persistent = false
muc_room_default_members_only = false
muc_room_default_moderated = false
muc_room_default_public_jids = false
muc_room_default_change_subject = false
muc_room_default_history_length = 20
```
You have to replace `${PEERTUBE_DOMAIN}` with your actual Peertube server
domain name. You can do it by hand, or with the following command
(replace `[peertube-domain]` with your domain):
```bash
sudo sed -i 's/${PEERTUBE_DOMAIN}/[peertube-domain]/g' /etc/prosody/conf.avail/peertube.cfg.lua
```
By default, if a chat room is empty, it content will be dropped.
If you want to activate room persistence (chat room content will be kept even
if there is no more users), uncomment the lines in the config file,
and change the `muc_log_expires_after` parameter as you want. Please refer to
the [muc_mam module documentation](https://prosody.im/doc/modules/mod_muc_mam).
This requires Prosody >= 11. For older version, see
[mam_muc](https://modules.prosody.im/mod_mam_muc.html).
We have now to activate this configuration file:
```bash
sudo ln -s /etc/prosody/conf.avail/peertube.cfg.lua /etc/prosody/conf.d/
```
You have now to import your ssl certificates from your web server.
Prosody use a different certificate format than your web server.
See [Prosody certificates documentation](https://prosody.im/doc/certificates)
or [Prosody letsencrypt documentation](https://prosody.im/doc/letsencrypt)
**Important note**: This assume you are using letsencrypt certificates and
`certbot` to update them.
If you are using other certificates, you have to change the commande. Please
reffer to the [Prosody](https://prosody.im) documentation
([Prosody certificates documentation](https://prosody.im/doc/certificates)
or [Prosody letsencrypt documentation](https://prosody.im/doc/letsencrypt)).
```bash
sudo prosodyctl --root cert import /etc/letsencrypt/live/
```
To do this automatically after each certificate renewall, you can create
this file:
```bash
sudo touch /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
sudo chmod u+x /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
sudo editor /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
```
With this content:
```bash
#!/bin/sh
/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live
```
You can now restart Prosody.
```bash
sudo systemctl restart prosody
```
And you can check prosody status with:
```bash
sudo systemctl status prosody
```
## Step 3: Configure nginx
Open your peertube's nginx config file:
```bash
sudo editor /etc/nginx/sites-enabled/peertube
```
At the end of the `server { ... }` section, **just before the final curly bracket (`}`)**
(assuming you have no custom modification in this file), add:
```nginx
location /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_buffering off;
tcp_nodelay on;
}
location /xmpp-websocket {
proxy_pass http://localhost:5280/xmpp-websocket;
proxy_http_version 1.1;
proxy_set_header Connection "Upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_read_timeout 900s;
}
```
Save the file, and reload nginx:
```bash
sudo systemctl reload nginx
```
## Step 4: Configure the plugin
**NB**: If you have not installed peertube-plugin-livechat it is time to do so
now.
Now log in to your peertube instance, and go to the plugin settings page
(/admin/plugins/show/peertube-plugin-livechat).
Change settings has you want (`Automatically open the chat`, ...).
Check `Use builtin ConverseJS`.
Set `Builtin webchat: XMPP service server` to `PEERTUBE_DOMAIN`,
replacing `PEERTUBE_DOMAIN` by your actual peertube domain.
Don't add `https://` before, you should only set your domain (example.com).
Set `Builtin webchat: XMPP room template` to something like
`video_{{VIDEO_UUID}}@room.PEERTUBE_DOMAIN`, once again by replacing
`PEERTUBE_DOMAIN` by your actual peertube domain.
Set `Builtin webchat: BOSH uri` to `https://PEERTUBE_DOMAIN/http-bind`
(you got the point... replace `PEERTUBE_DOMAIN` by your actual peertube domain).
**TODO: does not work for now**
~~Set `Builtin webchat: WS uri` to `wss://PEERTUBE_DOMAIN/xmpp-websocket`
(/!\\ the scheme is `wss`, not `https`!).~~
Save the settings.
That's it!
## TODOs
* TODO: mention that the first user will be granted with moderator rights and
how to handle this.
* TODO: how to open with jabber clients (or prevent that).
* TODO: firewall configuration.
* TODO: talk about security issues
(for now, rooms can be created without restriction).
* TODO: talk about legal notices (specially in case of persistent rooms).