author pukkamustard <pukkamustard@posteo.net> 2021-05-06 16:54:03 +0200
committer pukkamustard <pukkamustard@posteo.net> 2021-05-06 16:54:03 +0200
commit 62fcd5047caa4bcf2b9fa25304219e5222bfc14e (patch)
tree c11db7c2a2612797ef619c13bc9246203c406c1c
parent ee11464b9991fd330f2d814ec11498e31dfa5e77 (diff)
warli: switch XMPP from qfwq to warli
-rw-r--r-- README.org | 11
-rw-r--r-- machines/qfwfq.org | 2
-rw-r--r-- machines/warli/README.org (renamed from machines/warli.org) | 85
-rw-r--r-- machines/warli/etc/ejabberd/.gitattributes | 1
-rw-r--r-- machines/warli/etc/ejabberd/ejabberd.yml | bin 0 -> 7784 bytes
5 files changed, 77 insertions, 22 deletions
diff --git a/README.org b/README.org
index 6d98970..6885ff3 100644
--- a/README.org
+++ b/README.org
@@ -17,17 +17,8 @@ Contains things like the TOR hidden service keys and other assets.
Secrets are encrypted using [[https://github.com/AGWA/git-crypt][git-crypt]].
** [[./machines][Machines]]
-*** [[./machines/qfwfq.org][qfwfq.jblis.org]]
-Alpine Linux VM running the Prosody XMPP server.
-
-Currently being tested.
-
-*** [[./machines/warli.org][warli.jblis.org]]
-
-Debian Linux VM running the Ejabberd XMPP server.
-
-Being prepared to replace qfwfq.
+The servers that make jblis.xyz run.
** [[./utils][Utils]]
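Review bot: dropping the two `***` machine subsections also removes the only links from the top-level README to the per-machine pages; the replacement `+The servers that make jblis.xyz run.` names none of them. Since warli's page moves to `machines/warli/README.org` in this same commit, keep a short link list under `** [[./machines][Machines]]` (at least `[[./machines/warli/README.org][warli.jblis.xyz]]`) so the current XMPP host can be found without browsing the tree.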
diff --git a/machines/qfwfq.org b/machines/qfwfq.org
index 910bfc1..41b726e 100644
--- a/machines/qfwfq.org
+++ b/machines/qfwfq.org
@@ -5,6 +5,8 @@ qfwfq.jblis.xyz is a virtual machine hosted by [[https://ungleich.ch/][ungleich]
- IPv4 :: 185.203.114.50
- IPv6 :: 2a0a:e5c0:2:2:0:c8ff:fe68:bf53
+qfwfq used to host the XMPP service now hosted on warli. qfwfq is schedule for retirement.
+
* Alpine Linux
qfwfq runs Alpine Linux 3.12.
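Review bot: typo in the added line `+qfwfq used to host the XMPP service now hosted on warli. qfwfq is schedule for retirement.`: `schedule` should be `scheduled`. A retirement date or a pointer to a task entry would also help, so that the old host (still listed with its public IPv4/IPv6 addresses above) does not linger as a forgotten, unpatched machine.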
diff --git a/machines/warli.org b/machines/warli/README.org
index 4d6424b..beeda8a 100644
--- a/machines/warli.org
+++ b/machines/warli/README.org
@@ -2,12 +2,10 @@
warli.jblis.xyz is a virtual machine hosted at [[https://www.hetzner.com/cloud][Hetzner Cloud]].
-* Motivation
+warli hosts:
-warli is an experiment to figure out:
-
-- ejabberd: As alternative to Prosody.
-- OpenLDAP: As directory service and used by ejabberd for authentication.
+- OpenLDAP directory service.
+- ejabberd XMPP server
* Machine
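Review bot: the new list loses the relationship the removed Motivation section stated, namely that OpenLDAP is `used by ejabberd for authentication`; that dependency is worth keeping in the overview because it affects what must be running and reachable for logins to work. Minor style point: `+- OpenLDAP directory service.` ends with a period while `+- ejabberd XMPP server` does not.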
@@ -108,8 +106,13 @@ sudo ufw allow mosh
sudo ufw enable
#+END_SRC
-** Nginx
+*** Backports
+
+We need newer versions of certain packages (ejabberd). These are available from backports
+
+Follow the guide at https://wiki.debian.org/Backports to enable backports.
+** Nginx
*** Install
#+BEGIN_SRC shell
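Review bot: `+*** Backports` is a third-level heading placed right after the firewall `#+END_SRC`, so it nests under the preceding firewall section and reads as a firewall subtopic, while `** Nginx` that follows is back at level two; make it `** Backports` or move it into the base-system setup. The sentence `+We need newer versions of certain packages (ejabberd). These are available from backports` is missing its final period. It is also worth a line noting that packages from buster-backports are maintained by their backporters rather than covered by the Debian security team's stable advisories, so ejabberd updates have to be followed via the backports suite itself.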
@@ -130,7 +133,7 @@ sudo apt install certbot python3-certbot-nginx
sudo cerbot
#+END_SRC
-*** TODO Setup automatic renew
+This will also install a systemd timer that will renew certificates periodically (see ~systemctl list-timers~).
** OpenLDAP
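Review bot: the context line `sudo cerbot` is a typo for `sudo certbot`; it predates this change, but the hunk edits the same block, so fix it here. The added line `+This will also install a systemd timer that will renew certificates periodically (see ~systemctl list-timers~).` is correct for the Debian certbot package, but renewal alone does not update the combined pem that ejabberd reads; that depends on the renewal hook documented further down in this file, so a cross-reference to the `Certbot renewal hook` subsection would help.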
@@ -165,14 +168,17 @@ ou: groups
ldapadd -x -D cn=admin,dc=jblis,dc=xyz -W -f basedn.ldif
#+END_SRC
-** TODO ejabberd
+** ejabberd
+*** Intallation
-https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/
+Use more recent version from backports:
#+BEGIN_SRC shell
-sudo apt install ejabberd
+sudo apt -t buster-backports install ejabberd
#+END_SRC
+*** Firewall
+
#+BEGIN_SRC shell
sudo ufw allow 'ejabberd'
sudo ufw allow 'ejabberd S2S'
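Review bot: typo in `+*** Intallation` (should be `Installation`). Since the point of `+sudo apt -t buster-backports install ejabberd` is a specific newer version, state which version the backport provides next to the command (the log entry later in this diff mentions 21.01), so a reader can tell whether the documented config still matches the installed release.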
@@ -181,10 +187,60 @@ sudo ufw allow 'ejabberd SSL'
# for ejabberd http(s)
sudo ufw allow 5280/tcp
+# for XMPP S2S over TLS
+sudo ufw allow 5270/tcp
+
+# for ejabberd stun
+sudo ufw allow 3478/udp
+sudo ufw allow 5349/tcp
+#+END_SRC
+
+*** Certbot renewal hook
+
+Add the file ~/etc/letsencrypt/renewal-hooks/post/ejabberd-certs.sh~ with following content:
+
+#+BEGIN_SRC sh
+#!/usr/bin/sh
+
+# ejabberd requires certs and key in one single pem
+
+HOST="warli.jblis.xyz"
+CERT_FILES="/etc/letsencrypt/live/$HOST/fullchain.pem /etc/letsencrypt/live/$HOST/privkey.pem"
+EJABBERD_CERT="/etc/ejabberd/ejabberd.pem"
+
+cat $CERT_FILES > $EJABBERD_CERT
+
+# set permissions
+chown root:ejabberd $EJABBERD_CERT
+chmod 640 $EJABBERD_CERT
+
+# reload config and certificates
+ejabberdctl reload_config
#+END_SRC
+Run ~chmod +x ejabberd-certs.sh~.
+
+This hook will copy the Let's Encrypt certificates so that ejabberd can use them.
+
+*** ejabberd.yml
+
+Upload [[./etc/ejabberd/ejabberd.yml][ejabberd.yml]] to warli.
+
+*** See also
+
+https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/
+
+** TODO TOR
* Tasks
-** Add an user
+** User managment
+
+#+BEGIN_SRC
+./utils/jblis-directory.py --server ldap://localhost:3890 add USERNAME
+#+END_SRC
+
+This uses a SSH forwarded connection to the LDAP server (~ssh -L 3890:localhost:389~).
+
+*** Manually
#+BEGIN_SRC ldif :tangle basedn.ldif
dn: cn=pukkamustard,ou=users,dc=jblis,dc=xyz
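Review bot: in the renewal hook, `+cat $CERT_FILES > $EJABBERD_CERT` creates the output file with the process's default umask before `+chmod 640 $EJABBERD_CERT` runs, so on first creation the private key is briefly readable by other local users; add `umask 077` at the top of the script (or write to a temp file created with restricted mode and `mv` it into place, which also makes the swap atomic for ejabberd). The script has no `set -eu`, so if a path under `/etc/letsencrypt/live/$HOST/` is wrong, an empty or partial pem is installed and `+ejabberdctl reload_config` still runs; with `set -e` the hook fails loudly instead. `+#!/usr/bin/sh` should be `#!/bin/sh`, the portable location. Smaller points: `+Run ~chmod +x ejabberd-certs.sh~.` should give the full path since the file was just placed under `/etc/letsencrypt/renewal-hooks/post/`, and the user-management `+#+BEGIN_SRC` lacks a language tag (`shell`) unlike the other blocks in this file.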
@@ -203,9 +259,14 @@ The password can be generated with ~slappasswd~
https://tylersguides.com/guides/how-to-change-an-openldap-password/
* Log
-
** [2021-04-13 Tue] Init
- Created Virtual machine
- Deployed base system
- Basic ejabberd setup with OpenLDAP works! Letting it run in test mode for a couple of days.
+
+** [2021-05-06 Thu] Prepare for XMPP migration from qfwfq.jblix.xyz to warli.jblis.xyz
+
+- Created ~jblis-directory.py~ tool
+- Update ejabberd to 21.01 from buster-backports
+- Migrated XMPP service from qfwfq.jblis.xyz to warli
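Review bot: typo in `+** [2021-05-06 Thu] Prepare for XMPP migration from qfwfq.jblix.xyz to warli.jblis.xyz`: `jblix.xyz` should be `jblis.xyz`. Also `+- Update ejabberd to 21.01 from buster-backports` is in a different tense from the neighbouring `Created` and `Migrated` entries; `Updated` keeps the log consistent.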
diff --git a/machines/warli/etc/ejabberd/.gitattributes b/machines/warli/etc/ejabberd/.gitattributes
new file mode 100644
index 0000000..755927c
--- /dev/null
+++ b/machines/warli/etc/ejabberd/.gitattributes
@@ -0,0 +1 @@
+ejabberd.yml filter=git-crypt diff=git-crypt
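Review bot: the git-crypt attribute is introduced in the same commit as `ejabberd.yml`, which only protects the file if the filter was active when it was staged; the `Binary files differ` line for `ejabberd.yml` below is consistent with the blob being encrypted, but confirm it with `git-crypt status` before pushing, since the configuration is being treated as a secret and a plaintext copy in history cannot be recalled later.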
diff --git a/machines/warli/etc/ejabberd/ejabberd.yml b/machines/warli/etc/ejabberd/ejabberd.yml
new file mode 100644
index 0000000..8a42fe6
--- /dev/null
+++ b/machines/warli/etc/ejabberd/ejabberd.yml
Binary files differ