Self-host an ejabberd XMPP server, a responsible and secure way of communicating w/ other JID's on a server that doesn't spy on you.
Ensure you have created A and AAAA records for all of the below subdomains with your registrar. A *.nargothrond.xyz will not suffice.
nargothrond.xyz - Your XMPP hostname
... Ask yourself what you want after the @ in your JID's
... of the form bombadil@nargothrond.xyz
conference.nargothrond.xyz - For Multi User Chats (MUCs)
upload.nargothrond.xyz - For mod_http_upload, file upload support
proxy.nargothrond.xyz - For mod_proxy65, SOCKS5 proxy support
pubsub.nargothrond.xyz- For mod_pubsub, publish-subscribe support
(A fancier RSS)
Next, install ejabberd, first by adding the ejabberd package repo:
curl -o /etc/apt/sources.list.d/ejabberd.list \
https://repo.process-one.net/ejabberd.list
curl -o /etc/apt/trusted.gpg.d/ejabberd.gpg \
https://repo.process-one.net/ejabberd.gpg
Then install the ejabberd package
apt update
apt install ejabberd
Ejabberd doesn't have a script to create and move certificates to a place where its server can read them so we do this manually. TODO: add this script to my crontab for auto-renewal of certificates.
DOMAIN=nargothrond.xyz
declare -a subdomains=("" "conference." "proxy." "pubsub." "upload.")
for i in "${subdomains[@]}"; do
certbot --nginx -d $i$DOMAIN certonly
mkdir -p /etc/ejabberd/certs/$i$DOMAIN
cp /etc/letsencrypt/live/$i$DOMAIN/fullchain.pem \
/etc/ejabberd/certs/$i$DOMAIN
cp /etc/letsencrypt/live/$i$DOMAIN/privkey.pem \
/etc/ejabberd/certs/$i$DOMAIN
done
Next, the ejabberd user must be able to read these certs:
chown -R ejabberd:ejabberd /etc/ejabberd/certs
And finally we update the ejabberd conf. The location of the conf seems to vary between ejabberd version but "/opt/ejabberd/conf/ejabberd.yml" seems to be the most recent.
vim /opt/ejabberd/conf/ejabberd.yml
certfiles:
- "/etc/ejabberd/certs/*/*.pem"
We will use the default Mnesia database with a 2GB limit.
Set your admin in the conf like below:
vim /opt/ejabberd/conf/ejabberd.yml
acl:
admin:
user: matthieu
And optionally enable archiving by uncommenting:
vim /opt/ejabberd/conf/ejabberd.yml
mod_mam:
assume_mam_usage: true
default: always
Next, register the admin from above via ejabberdctl
su -c "ejabberdctl register matthieu nargothrond.xyz password" ejabberd
Finally, restart ejabberd and make sure port 5280 is open (trickster)
ufw allow 5280
systemctl restart ejabberd
You can now visit:
http://nargothrond.xyz:5280/admin
Back to Home