# XMPP service

XMPP service of the Libre en communs association.

Maintainer: Adrien Bourmault (@neox)

Deployed on the `xmpp` machine (see the [dedicated documentation](https://git.a-lec.org/a-lec/commissions/infrastructure/doc-infra/-/blob/master/Machines%20virtuelles/xmpp.md)).

The contents of this repository are published under the free GNU AGPL3+ licence.

[TOC]

# Installation

## Prerequisites

A few base packages are needed:

```
sudo apt install postgresql erlang-p1-pgsql
sudo apt install certbot
sudo apt install -y tor tor-geoipdb
```

Create a user and a database for PostgreSQL:

```
sudo -u postgres createuser -P ejabberd
sudo -u postgres createdb -O ejabberd ejabberd
```

## Installing the ejabberd XMPP server

Install the `ejabberd` package from the Debian stable repositories:

```
sudo apt install ejabberd
```

Initialise the database with the schema shipped in the files installed by the package:

```
psql -U ejabberd ejabberd < /usr/share/ejabberd/sql/pg.new.sql
```

Then edit the configuration in `/etc/ejabberd/ejabberd.yml`.

To be able to produce statistics on audio/video call usage, raise the log verbosity while hiding as much private data as possible:

```
# loglevel: Verbosity of log files generated by ejabberd
loglevel: info
hide_sensitive_log_data: true
```

Set the domains served by the service:

```
hosts:
  - a-lec.org
```

Set the `acl` entries that define the list of admins and the bans of servers and/or accounts:

```
acl:
  admin:
    - user: "admin@a-lec.org"

  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

  banned_forever:
    - user: destroytrannies@jabber.systemli.org
    - user: truman@chatterboxtown.us
    - user: abortionismurder@chatterboxtown.us
    - user: peacefulashell@chatterboxtown.us
    - user: whitepower@jabber.systemli.org
    - user: blackbubonicplauge@chatterboxtown.us
    - user: templeos@magicbroccoli.de
    - user: killniggers@magicbroccoli.de
    - user: killniggers@chatterboxtown.us
    - user: blackbubonicplauge@chatterboxtown.us
    - user: killblackpeople@jabber.systemli.org
    - user: censorship@magicbroccoli.de
    - user: killniggers@magicbroccoli.de
    - user: killniggers@chatterboxtown.us
    - user: dietrannies@chatterboxtown.us

  problematic_hosts:
    - server: creep.im
    - server: 0nl1ne.cc
    - server: aegir.tech
    - server: blackjabber.cc
    - server: blug.moe
    - server: chat.hoferr.ch
    - server: vremsg.com
```

Then set the access rules, which refer to the `acl` entries:

```
access_rules:
  local:
    - allow: local
  c2s:
    - deny: blocked
    - allow
  s2s:
    - deny: problematic_hosts
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
  pubsub_createnode:
    - allow: local
  trusted_network:
    - allow: loopback

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number
```

Point to the certificates (created beforehand with certbot) and disable the built-in certificate request mechanism:

```
certfiles:
  - /etc/letsencrypt/live/xmpp.a-lec.org/fullchain.pem
  - /etc/letsencrypt/live/xmpp.a-lec.org/privkey.pem
  - /etc/letsencrypt/live/a-lec.org/fullchain.pem
  - /etc/letsencrypt/live/a-lec.org/privkey.pem

acme:
  auto: false
```

The listeners of the XMPP service can then be configured, i.e. C2S, S2S, HTTP and TURN/STUN for audio/video calls:

```
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
    protocol_options: 'TLS_OPTIONS'
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
    protocol_options: 'TLS_OPTIONS'
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
  -
    port: 5443
    ip: "::"
    module: ejabberd_http
    tls: true
    protocol_options: 'TLS_OPTIONS'
    request_handlers:
      /api: mod_http_api
      /bosh: mod_bosh
      /captcha: ejabberd_captcha
      /upload: mod_http_upload
      /ws: ejabberd_http_ws
    custom_headers:
      "Access-Control-Allow-Origin": "*"
      "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
      "Access-Control-Allow-Headers": "Authorization"
      "Access-Control-Allow-Credentials": "true"
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    tls: true
    protocol_options: 'TLS_OPTIONS'
    request_handlers:
      /admin: ejabberd_web_admin
  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    ## The server's public IPv4 address:
    turn_ipv4_address: "80.67.176.33"
    ## The server's public IPv6 address:
    turn_ipv6_address: "2001:910:1021::211"
```

Enable SCRAM storage for user passwords and require STARTTLS for S2S connections:

```
s2s_use_starttls: required

## Store the plain passwords or hashed for SCRAM:
auth_password_format: scram
```

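What `auth_password_format: scram` changes is what the server keeps on disk and what crosses the wire at login. The following is an added example written for this page, not ejabberd code: it derives the per-user record (salt, iteration count, StoredKey, ServerKey, as in RFC 5802) with the standard library only, then runs the four SCRAM-SHA-1 messages between a client and a server so that both proofs can be checked. Salt, iteration count and the sample credential are constructed here; SASLprep of the password is omitted.

```python
"""SCRAM-SHA-1 (RFC 5802) storage record and exchange. Added example, not ejabberd code."""
import base64
import hashlib
import hmac
import os
import secrets


def derive_keys(password, salt, iterations):
    """SaltedPassword -> (ClientKey, StoredKey, ServerKey); the two labels are from the RFC."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, stored_key, server_key


def scram_store(password, salt=None, iterations=4096):
    """What the server keeps per user. Neither the password nor ClientKey is stored,
    so a copied users table cannot be replayed as a client proof."""
    salt = salt if salt is not None else os.urandom(16)
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(message):
    return dict(part.split("=", 1) for part in message.split(","))


def client_first(username):
    """client-first-message: GS2 header 'n,,' followed by the bare part 'n=user,r=nonce'."""
    bare = "n=%s,r=%s" % (username, secrets.token_urlsafe(18))
    return bare, "n,," + bare


def server_first(record, client_first_bare):
    """server-first-message: combined nonce plus salt and iteration count from storage."""
    nonce = _attrs(client_first_bare)["r"] + secrets.token_urlsafe(18)
    return "r=%s,s=%s,i=%d" % (nonce, base64.b64encode(record["salt"]).decode(), record["iterations"])


def client_final(password, client_first_bare, server_first_msg):
    """client-final-message carrying ClientProof = ClientKey XOR ClientSignature.
    Also returns AuthMessage and the ServerSignature the client expects back."""
    attrs = _attrs(server_first_msg)
    if not attrs["r"].startswith(_attrs(client_first_bare)["r"]):
        raise ValueError("server nonce does not extend the client nonce")
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    client_key, stored_key, server_key = derive_keys(password, salt, iterations)
    without_proof = "c=%s,r=%s" % (base64.b64encode(b"n,,").decode(), attrs["r"])
    auth_message = ("%s,%s,%s" % (client_first_bare, server_first_msg, without_proof)).encode()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = base64.b64encode(_xor(client_key, client_sig)).decode()
    expected_server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    return without_proof + ",p=" + proof, auth_message, expected_server_sig


def server_verify(record, auth_message, client_final_msg):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns the server-final-message, or None when the proof is wrong."""
    proof = base64.b64decode(client_final_msg.rsplit(",p=", 1)[1])
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = _xor(proof, client_sig)
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"]):
        return None
    server_sig = hmac.new(record["server_key"], auth_message, hashlib.sha1).digest()
    return "v=" + base64.b64encode(server_sig).decode()


def authenticate(record, username, password):
    """Run the whole exchange; True only if the server accepts the client proof
    and the client accepts the server signature (mutual authentication)."""
    bare, _ = client_first(username)
    sf = server_first(record, bare)
    cf, auth_message, expected = client_final(password, bare, sf)
    server_final = server_verify(record, auth_message, cf)
    if server_final is None:
        return False
    return hmac.compare_digest(base64.b64decode(server_final[2:]), expected)


if __name__ == "__main__":
    rec = scram_store("correct horse battery staple")  # constructed sample credential
    print("accepted:", authenticate(rec, "alice", "correct horse battery staple"))
    print("rejected:", not authenticate(rec, "alice", "wrong password"))
```

Two things the exchange makes visible: the password never leaves the client (only a proof bound to both nonces does), and the record in the database is enough to verify logins but not to impersonate the user towards this server. That is the practical difference from `auth_password_format: plain`, where the table holds the secret itself.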
Also set up ejabberd's database connection:

```
auth_method: sql

sql_type: pgsql
sql_server: "localhost"
sql_database: "ejabberd"
sql_username: "ejabberd"
sql_password: "XXXXXXXXXXXXXXXXXXXXX"

sql_pool_size: 10
new_sql_schema: true
default_db: sql
```

Set the shaper rules and the file upload limits (`mod_http_upload` lives under the `modules:` key of the configuration):

```
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    50000: admin
    5000: all
  c2s_shaper:
    none: admin
    normal: all
  s2s_shaper: fast

modules:
  mod_http_upload:
    host: "xmpp.a-lec.org"
    put_url: "https://xmpp.a-lec.org:5443/upload"
    get_url: "https://xmpp.a-lec.org:5443/upload"
    docroot: /var/www/upload
    max_size: 500000000 # 500 MB
    file_mode: "0644"
    dir_mode: "2755"
    secret_length: 20
    jid_in_url: sha1
    custom_headers:
      "Access-Control-Allow-Origin": "https://@HOST@"
      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
      "Access-Control-Allow-Headers": "Content-Type"
```

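Two of the upload options above are security settings rather than quotas: `jid_in_url: sha1` decides whether the uploader's account name appears in the share link, and `secret_length` sets how hard a link is to guess. The following is an added example written for this page, not the module's code: it models a slot request with the page's `put_url`, `secret_length` and `max_size` values. The URL layout `<put_url>/<user dir>/<random secret>/<file name>` is an assumption about the module to be checked against the running server; the privacy and entropy points it illustrates do not depend on it.

```python
"""Model of a mod_http_upload slot with the options set above. Added example, not ejabberd code."""
import hashlib
import math
import re
import secrets
import string
from urllib.parse import quote

# Values transcribed from the mod_http_upload section above.
PUT_URL = "https://xmpp.a-lec.org:5443/upload"
SECRET_LENGTH = 20
MAX_SIZE = 500000000
ALPHANUM = string.ascii_letters + string.digits


def user_dir(jid, jid_in_url="sha1"):
    """Path component that identifies the uploader. With `sha1` the bare JID is
    hashed, so a link pasted into a public room or kept in an HTTP log does not
    name the account; with `node` the account name appears in clear."""
    if jid_in_url == "sha1":
        return hashlib.sha1(jid.encode("utf-8")).hexdigest()
    node = jid.split("@", 1)[0]
    return re.sub(r"[^a-zA-Z0-9_.-]", "_", node)


def secret_entropy_bits(length=SECRET_LENGTH):
    """Guessing resistance of the random path component: log2(62 ** length)."""
    return length * math.log2(len(ALPHANUM))


def request_slot(jid, filename, size, jid_in_url="sha1"):
    """XEP-0363 slot request: None when the declared size exceeds max_size,
    otherwise a PUT URL carrying a fresh secret of secret_length characters."""
    if size > MAX_SIZE:
        return None
    secret = "".join(secrets.choice(ALPHANUM) for _ in range(SECRET_LENGTH))
    return "%s/%s/%s/%s" % (PUT_URL, user_dir(jid, jid_in_url), secret, quote(filename))


if __name__ == "__main__":
    print(request_slot("alice@a-lec.org", "photo.png", 120_000))          # hashed account
    print(request_slot("alice@a-lec.org", "photo.png", 120_000, "node"))  # account in clear
    print("secret entropy: %.0f bits" % secret_entropy_bits())
```

With `secret_length: 20` the random component gives roughly 119 bits, so links stay unguessable even though the HTTP endpoint requires no authentication for GET; the `max_size` check is applied at slot time, before any bytes are accepted.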
Configure access to the chat rooms:

```
modules:
  mod_muc:
    hosts: ["salons.a-lec.org"]
    access:
      - deny: banned_forever
      - deny: problematic_hosts
      - allow: all
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    default_room_options:
      mam: true
      lang: "fr"
      max_users: 500
```

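The `acl:` section, the `access_rules:` that reference it and the `access:` list of `mod_muc` above all follow one evaluation model: the first entry whose ACL matches the subject decides, and a subject that matches nothing is denied. The following is an added example written for this page, not ejabberd code: a small evaluator that transcribes a subset of the page's ACLs (ban lists shortened) and runs the page's rules against sample JIDs and client addresses. One modelling assumption is labelled in the code: an ACL name that is referenced but never defined (the `blocked` name in the `c2s` rule has no `acl:` entry on this page) is treated as matching nothing and reported, so that such a rule can be spotted during review.

```python
"""Evaluator for ejabberd-style acl / access_rules semantics. Added example, not ejabberd code."""
import ipaddress
import re

LOCAL_HOSTS = {"a-lec.org"}  # the `hosts:` option

# (kind, value) pairs transcribed from the `acl:` section; lists shortened for the example.
ACL = {
    "admin": [("user", "admin@a-lec.org")],
    "local": [("user_regexp", "")],
    "loopback": [("ip", "127.0.0.0/8"), ("ip", "::1/128")],
    "banned_forever": [("user", "truman@chatterboxtown.us"),
                       ("user", "censorship@magicbroccoli.de")],
    "problematic_hosts": [("server", "creep.im"), ("server", "blug.moe")],
}

# (action, acl) lists; a bare `- allow` in YAML means `allow: all`.
ACCESS_RULES = {
    "c2s": [("deny", "blocked"), ("allow", "all")],
    "s2s": [("deny", "problematic_hosts"), ("allow", "all")],
    "announce": [("allow", "admin")],
    "muc_create": [("allow", "local")],
    "trusted_network": [("allow", "loopback")],
    # mod_muc's own `access:` list, evaluated with the same machinery
    "muc": [("deny", "banned_forever"), ("deny", "problematic_hosts"), ("allow", "all")],
}


def matches_acl(name, jid=None, ip=None, warnings=None):
    """True when the subject (bare JID and/or client IP) matches ACL `name`.
    Assumption of this model: an undefined ACL matches nothing; its name is
    appended to `warnings` because such a rule does less than it appears to."""
    if name == "all":
        return True
    if name == "none":
        return False
    if name not in ACL:
        if warnings is not None and name not in warnings:
            warnings.append(name)
        return False
    node, domain = jid.split("@", 1) if jid and "@" in jid else ("", "")
    for kind, value in ACL[name]:
        if kind == "user" and jid:
            if "@" in value and value == jid:          # full JID entry
                return True
            if "@" not in value and value == node and domain in LOCAL_HOSTS:
                return True                            # bare user name: local hosts only
        elif kind == "server" and jid and domain == value:
            return True
        elif kind == "user_regexp" and jid and domain in LOCAL_HOSTS and re.search(value, node):
            return True
        elif kind == "ip" and ip and ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False):
            return True
    return False


def check_access(rule, jid=None, ip=None, warnings=None):
    """Evaluate one access rule: the first entry whose ACL matches decides; default deny."""
    for action, acl_name in ACCESS_RULES[rule]:
        if matches_acl(acl_name, jid, ip, warnings):
            return action == "allow"
    return False


def undefined_acls():
    """ACL names referenced by some rule but absent from `acl:` (a review check)."""
    return sorted({name for entries in ACCESS_RULES.values() for _, name in entries
                   if name not in ACL and name not in ("all", "none")})


if __name__ == "__main__":
    for rule, subject in [("muc", {"jid": "truman@chatterboxtown.us"}),
                          ("muc", {"jid": "alice@a-lec.org"}),
                          ("s2s", {"jid": "someone@creep.im"}),
                          ("muc_create", {"jid": "alice@example.org"}),
                          ("trusted_network", {"ip": "::1"})]:
        print(rule, subject, "->", "allow" if check_access(rule, **subject) else "deny")
    print("referenced but undefined:", undefined_acls())
```

Two review points fall out of running it: the `c2s` rule's `deny: blocked` has no matching ACL on this page, so it currently denies nobody, and a rule named `s2s` under `access_rules` only affects federation once the top-level `s2s_access` option points at it (its default is `all`), which the fragments above do not show.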
Fix the PEP configuration:

```
modules:
  mod_pubsub:
    hosts:
      - "pubsub.@HOST@"
      - "news.@HOST@"
      - "comments.@HOST@"
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins:
      - flat
      - pep
    force_node_config:
      "eu.siacs.conversations.axolotl.*":
        access_model: open
      ## Prevent buggy clients from making their bookmarks public
      "storage:bookmarks":
        access_model: whitelist
      "urn:xmpp:bookmarks:0":
        access_model: whitelist
        send_last_published_item: never
        persist_items: true
        max_items: infinity
      "urn:xmpp:bookmarks:1":
        access_model: whitelist
        send_last_published_item: never
        persist_items: true
        max_items: infinity
      "urn:xmpp:pubsub:movim-public-subscription":
        access_model: whitelist
        persist_items: true
        max_items: infinity
      "urn:xmpp:microblog:0":
        max_items: infinity
        access_model: presence
        notify_retract: true
        persist_items: true
      "urn:xmpp:microblog:0:comments*":
        max_items: infinity
        access_model: open
        notify_retract: true
        persist_items: true
```

And finally, so that audio/video calls work properly:

```
modules:
  mod_stun_disco: {}
```

Once the configuration is done, reload ejabberd with:

```
sudo ejabberdctl reload_config
```

Debugging can be done with the log file `/var/log/ejabberd/ejabberd.log`.

## Setting up the `hidden service` for access to the service via tor

In `/etc/tor/torrc`, set the tor configuration:

```
HiddenServiceDir /var/lib/tor/xmpp/
HiddenServicePort 5222 127.0.0.1:5222
```

Start the service: `sudo systemctl start tor.service`

## Creating a first account

```
# ejabberdctl register <user> <host> <password>
sudo ejabberdctl register admin a-lec.org mot_de_passe
```