Prosody

Prosody is an XMPP (aka Jabber) server that aims to be simple and fast. It's written in Lua. Further documentation is available from https://prosody.im/, configuration documentation from https://prosody.im/doc/configure, and details on creating accounts from https://prosody.im/doc/creating_accounts.

$ doas pkg_add prosody

Read /usr/local/share/doc/pkg-readmes/prosody

Downloading modules using Mercurial:

$ doas pkg_add mercurial
$ hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
$ doas mkdir -p /usr/local/lib/prosody/extras/
$ cd prosody-modules
$ doas cp -R mod_auto_accept_subscriptions mod_cloud_notify mod_csi mod_deny_omemo mod_group_bookmarks mod_http_upload mod_message_logging mod_muc_log mod_roster_allinall mod_roster_command mod_smacks mod_support_contact mod_throttle_presence mod_block_registrations mod_muc_limits mod_filter_chatstates mod_muc_ban_ip mod_captcha_registration mod_support_room mod_throttle_unsolicited mod_bookmarks mod_firewall mod_bookmarks2 mod_vcard_muc /usr/local/lib/prosody/extras/

DNS Configuration

XMPP works a lot like email. Each virtual domain you want to support on your server needs the XMPP equivalent of an email MX record. Full details can be found here, but it will look something like this:

xmpp                3600    IN      A       38.87.162.191
                    3600    IN      AAAA    2602:fccf:1:1191::
_xmpp-client._tcp   3600    IN      SRV     0   5   5222     xmpp
_xmpp-server._tcp   3600    IN      SRV     0   5   5269     xmpp

You will need a section like this in the SOA of every domain you wish to support accounts on. This allows you to point XMPP clients and servers to the correct host to handle the connection. The address used should be the address of your Prosody server.

Let's Encrypt Certificates

Prosody needs special handling for certificates, as explained at https://prosody.im/doc/certificates, especially if you are using Let's Encrypt certificates, as explained at https://prosody.im/doc/letsencrypt. Specifically, there is a conflict with permissions, as explained there:

Generally Prosody is unable to use certificates directly from the letsencrypt directory, because for security reasons the clients always ensure that the private key is only accessible by the root user. Meanwhile, also for security, Prosody does not run as root.

This cron job solves the problem by making a copy of the certificate and key in Prosody's directory.

# echo "~	*	*	*	*	acme-client -v xmpp.example.com && cp /etc/ssl/{xmpp.example.com.fullchain.pem,private/xmpp.example.com.key} /etc/prosody/certs/ && chown _prosody:_prosody /etc/prosody/certs/*.{pem,key}" >> /var/cron/tabs/root
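
The copy step from the cron job above, written out as a script (an added example, not from the original page or the Prosody project). The function names, the 0600/0644 modes and the return codes are this example's own choices; it assumes the acme-client file layout shown in the cron line.

```shell
#!/bin/sh
# Added example, not from the original page. All paths are arguments; the
# owner argument is optional so the functions can be exercised unprivileged.

# install_secret SRC DST MODE [OWNER]
# Copies SRC to DST only when the content differs. The copy is staged in a
# temp file that mktemp creates with mode 0600, so the key is never
# world-readable, and is then renamed into place so Prosody never reads a
# half-written file. Returns 0 if DST was updated, 1 if current, 2 on error.
install_secret() {
    src=$1 dst=$2 mode=$3 owner=${4:-}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    tmp=$(umask 077; mktemp "$dst.XXXXXX") || return 2
    if cat "$src" > "$tmp" && chmod "$mode" "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# sync_prosody_cert DOMAIN SSL_DIR CERT_DIR [OWNER]
# Mirrors DOMAIN's key and full chain from SSL_DIR into CERT_DIR.
# Returns 0 if anything changed (Prosody should reload), 1 if nothing
# changed, 2 on error.
sync_prosody_cert() {
    domain=$1 ssl=$2 certs=$3 who=${4:-}
    changed=1
    rc=0
    install_secret "$ssl/private/$domain.key" "$certs/$domain.key" \
        0600 "$who" || rc=$?
    case $rc in 0) changed=0 ;; 2) return 2 ;; esac
    rc=0
    install_secret "$ssl/$domain.fullchain.pem" \
        "$certs/$domain.fullchain.pem" 0644 "$who" || rc=$?
    case $rc in 0) changed=0 ;; 2) return 2 ;; esac
    return $changed
}
```

Run as root after acme-client, with /etc/ssl, /etc/prosody/certs and _prosody:_prosody as the arguments; a return value of 0 means the files changed and Prosody needs to reload them.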