We use ejabberd
We are compliant with XEP-0423: XMPP Compliance Suites 2020. We have STUN, STUNS, and TURNS (TURN over TLS) enabled, but have left UDP TURN disabled (unclear if using UDP TURN would result in some clients sending member credentials unencrypted, or if only the temporary credentials offered by mod_stun_disco are used). If you think we should enable TURN over UDP, please contact the admins.
Installation is handled by Puppet class hcoop::service::xmpp::ejabberd. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports.
3. Additional Config
A few things are not managed by Puppet.
3.1. DNS Records
We need several DNS records for XMPP servers, stored in the hcoop.net domtool configuration.
3.2. Static files in hcoop.net/.well-known
XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP) requires two files to be accessible from https://hcoop.net:
These list BOSH and WebSocket endpoints and may need to be adjusted when adding/removing ejabberd servers.
4. Old content
Might be relevant in the future -- we have a single server setup at the moment, and are not managing the erlang cookie for example.
4.1. Erlang Cookie
All nodes must have the same erlang cookie. When installing a new node replace the default Debian cookie with one copied from ~ejabberd/.erlang_cookie.