Prosody XMPP server in the home lab
Local XMPP server on a Raspberry Pi Zero 2 W
This is an article about a local server only, not reachable from the internet.
The differences from an XMPP server that is connected to the internet and federates with other XMPP servers lie in the infrastructure: TLS certificates from an official CA, and public DNS records. When providing an XMPP server on the internet, security and privacy protection are very important.
Lightweight server
Prosody is a lightweight, easy-to-administer XMPP server. I had it running for years on a BeagleBone Black.
Due to circumstances I had to move that XMPP server to a location outside of our home network.
I still wanted a local XMPP server just for testing purposes and set up a Prosody server on a small Raspberry Pi Zero 2 W running Raspberry Pi OS Lite.
This page describes the use of a Raspberry Pi as the server, but it is not limited to that platform. Prosody is available for all the open source operating systems.
The use of a local-only XMPP server, not federated and not reachable from the internet, is of course limited. It can be used for test purposes, local machine-to-machine communication, and it is fun!
The main objective is a server with the following capabilities:
- support for OMEMO encryption
- support for Multi-User Chat
- support for HTTP File Upload
Requirements
DNS
Three subdomains are needed:
- a subdomain for the XMPP server
- a subdomain for the Multi-User Chat
- a subdomain for the HTTP-File-Upload
All three subdomains can point to the same IP address, the address of the Raspberry Pi. Set it up for both the IPv4 and the IPv6 address. (Maybe only IPv6 works too, I have not tested that.)
The best solution is to set up a local DNS server in your local network.
If you don't have a local DNS server in your home lab, stop now and set one up first. It won't take much effort and is great for now and in the future. There are several open source servers available.
Unbound is a good DNS server, easy to set up, also for reverse look-ups.
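As an added example that is not part of the original article: a POSIX shell function that prints the Unbound configuration for the three names, all pointing at the Pi, with forward and reverse records. The domain, the two addresses and the subdomain names are placeholders that you pass in; Unbound itself is the only assumption.

```shell
#!/bin/sh
# Added example (not from the original article): emit an Unbound local zone
# for the home-lab XMPP names. Domain, addresses and names are placeholders.
set -eu

# unbound_homelab_zone DOMAIN IPV4 IPV6 NAME [NAME...]
# Prints a "server:" clause with one local-zone and, per NAME, an A and an
# AAAA record. Reverse (PTR) records are added for the first NAME only,
# because several names share one address and a PTR answer is a single name.
unbound_homelab_zone() {
    domain=$1; ip4=$2; ip6=$3; shift 3
    first=$1
    printf 'server:\n'
    # "static": names under the zone that are not listed here get NXDOMAIN
    # instead of being forwarded upstream, so a typo never leaves the lab.
    printf '    local-zone: "%s." static\n' "$domain"
    for host in "$@"; do
        printf '    local-data: "%s.%s. IN A %s"\n'    "$host" "$domain" "$ip4"
        printf '    local-data: "%s.%s. IN AAAA %s"\n' "$host" "$domain" "$ip6"
    done
    printf '    local-data-ptr: "%s %s.%s"\n' "$ip4" "$first" "$domain"
    printf '    local-data-ptr: "%s %s.%s"\n' "$ip6" "$first" "$domain"
}

# Run directly, e.g.:
#   sh unbound-zone.sh your-domain.home 192.168.1.50 fd00::50 xmpp muc upload
if [ "$#" -ge 4 ]; then
    unbound_homelab_zone "$@"
fi
```

Write the output to a file Unbound includes (on Debian-based systems, for example, /etc/unbound/unbound.conf.d/homelab.conf; the path is an assumption, check your distribution), run unbound-checkconf, restart Unbound, and confirm with dig @127.0.0.1 xmpp.your-domain.home AAAA that the Pi's address comes back.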
Certificates
Each of the three subdomains needs a TLS certificate. In your home lab there is of course no need for certificates from an official CA.
The best solution is to set up a local CA.
When you run a local CA, you yourself can issue signed certificates for all the subdomains in your home lab.
mkcert is an easy way to set up a CA and issue certificates. It can also be done from the command line with openssl.
Create and sign certificates for the three subdomains: six files in total, a key and a certificate for each subdomain. Place the certificate files in /etc/prosody/certs/ or in /usr/local/etc/prosody/certs/, depending on your operating system.
Install and configure Prosody
Just use the package manager to install Prosody. It is available as a package on most systems.
The location of the configuration files and the work directory depends on your operating system. The configuration file prosody.cfg.lua will most likely be in /etc/prosody or in /usr/local/etc/prosody. On the Raspberry Pi, the work directory is in /var/lib/.
Here is a complete configuration, for use in a home lab.
admins = { }

modules_enabled = {
    "disco"; -- Service discovery
    "roster"; -- Allow users to have a roster.
    "saslauth"; -- Authentication for clients and servers.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "blocklist"; -- Allow users to block communications with other users
    "bookmarks"; -- Synchronise the list of open rooms between clients
    "carbons"; -- Keep multiple online clients in sync
    "dialback"; -- Support for verifying remote servers using DNS
    "limits"; -- Enable bandwidth limiting for XMPP connections
    "pep"; -- Allow users to store public and private data in their account
    "private"; -- Legacy account storage mechanism (XEP-0049)
    "smacks"; -- Stream management and resumption (XEP-0198)
    "vcard4"; -- User profiles (stored in PEP)
    "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
    "csi_simple"; -- Simple but effective traffic optimizations for mobile devices
    "invites"; -- Create and manage invites
    "invites_adhoc"; -- Allow admins/users to create invitations via their client
    "invites_register"; -- Allows invited users to create accounts
    "ping"; -- Replies to XMPP pings with pongs
    "register"; -- Allow users to register on this server using a client and change passwords
    "time"; -- Let others know the time here on this server
    "uptime"; -- Report how long server has been running
    "version"; -- Replies to server version requests
    "mam"; -- Store recent messages to allow multi-device synchronization
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
    "admin_shell"; -- Allow secure administration via 'prosodyctl shell'
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
    "groups"; -- Shared roster support
    "http"; -- Allow Prosody modules to expose various services over HTTP
    "http_file_share"; -- Let users share files via HTTP
}

pidfile = "/run/prosody/prosody.pid";

c2s_require_encryption = true
s2s_secure_auth = true

limits = {
    c2s = {
        rate = "10kb/s";
    };
    s2sin = {
        rate = "30kb/s";
    };
}

authentication = "internal_hashed"
archive_expires_after = "1w" -- Remove archived messages after 1 week

log = {
    debug = "/var/log/prosody/prosody.log";
    error = "/var/log/prosody/prosody.err";
    { levels = { "error" }; to = "syslog"; };
}

certificates = "certs"

VirtualHost "xmpp.your-domain.home"
    disco_items = {
        { "upload.your-domain.home", "file sharing service" },
        { "muc.your-domain.home", "chat room service" },
    }
    ssl = {
        key = "/etc/prosody/certs/xmpp.your-domain.home.key";
        certificate = "/etc/prosody/certs/xmpp.your-domain.home.crt";
    }

Component "upload.your-domain.home" "http_file_share"
    http_file_share_expire_after = 86400*28 -- 28 days
    http_file_share_size_limit = 128*1024*1024+16 -- 128 MB

Component "muc.your-domain.home" "muc"
    name = "chat room service"
    modules_enabled = { "muc", "muc_mam", "vcard_muc", "pastebin" }
    restrict_room_creation = false
Here we use three domains:
- xmpp.your-domain.home
- muc.your-domain.home
- upload.your-domain.home
Replace your-domain.home with the domain used in your home lab.
Make sure the line with the pidfile fits your operating system.
You can choose any name for the subdomains xmpp, muc, and upload. Be sure the names are the same as those set up in the DNS server.
Make sure that the disco_items element comes before the Component sections in your config. The order is important: settings that follow a VirtualHost line belong to that host until the next VirtualHost or Component line begins.
In this example, the logging is configured at the debug level.
When everything is running smoothly, you can replace that with info.
Check your settings with prosodyctl check.
Start the service
Depending on your system you need to give some commands to get the server running.
First, enable the server with systemctl enable prosody on systems with systemd, or, for example, add a line to /etc/rc.conf or /etc/rc.conf.local.
Next, start the server with systemctl start prosody, /etc/rc.d/prosody start or /usr/local/etc/rc.d/prosody start.
Check the service with prosodyctl status and check the log files.
Add a user
Add a user, in this example "alice", with:
prosodyctl adduser alice@xmpp.your-domain.home
This will prompt for a password and for a confirmation of the password.
Prepare for testing
Make sure the certificates are trusted on your desktop machine.
Install an XMPP client. Make sure it is ready for OMEMO and test that you can log in.
Have fun!