469
Comment: initial jabber admin notes
|
← Revision 11 as of 2020-08-29 20:43:11 ⇥
1782
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= Jabber Admin = | ## page was renamed from JabberAdmin |
Line 3: | Line 3: |
== Jabber Daemon == | <<TableOfContents>> == Daemon == |
Line 7: | Line 9: |
== SSL Certificate == | We are compliant with [[https://xmpp.org/extensions/xep-0423.html|XEP-0423: XMPP Compliance Suites 2020]]. We have STUN, STUNS, and TURNS (TURN over TLS) enabled, but have left UDP TURN disabled (unclear if using UDP TURN would result in some clients sending member credentials unencrypted, or if only the temporary credentials offered by `mod_stun_disco` are used). If you think we should enable TURN over UDP, please contact the admins. |
Line 9: | Line 11: |
We require TLS communication with the jabber daemon to avoid exposing Kerberos passwords. | == Installation == |
Line 11: | Line 13: |
When installing a new node make sure to copy `/etc/ejabberd/ejabberd.pem` from another node. The current certificate is valid until 2018 and signed by the HCoop CA. | Installation is handled by Puppet class `hcoop::service::xmpp::ejabberd`. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports. |
Line 13: | Line 15: |
== PAM Configuration == | == Additional Config == |
Line 15: | Line 17: |
{{{#!wiki caution TODO }}} |
A few things are not managed by Puppet. === DNS Records === We need several DNS records for XMPP servers, stored in the `hcoop.net` domtool configuration. === Static files in hcoop.net/.well-known === [[https://xmpp.org/extensions/xep-0156.html|XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP)]] requires two files to be accessible from https://hcoop.net: * https://hcoop.net/.well-known/host-meta * https://hcoop.net/.well-known/host-meta.json These list BOSH and WebSocket endpoints and may need to be adjusted when adding/removing ejabberd servers. == Old content == Might be relevant in the future -- we have a single server setup at the moment, and are not managing the erlang cookie for example. === Erlang Cookie === All nodes must have the same erlang cookie. When installing a new node replace the default Debian cookie with one copied from `~ejabberd/.erlang_cookie`. |
Contents
1. Daemon
We use ejabberd
We are compliant with XEP-0423: XMPP Compliance Suites 2020. We have STUN, STUNS, and TURNS (TURN over TLS) enabled, but have left UDP TURN disabled (unclear if using UDP TURN would result in some clients sending member credentials unencrypted, or if only the temporary credentials offered by mod_stun_disco are used). If you think we should enable TURN over UDP, please contact the admins.
2. Installation
Installation is handled by Puppet class hcoop::service::xmpp::ejabberd. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports.
3. Additional Config
A few things are not managed by Puppet.
3.1. DNS Records
We need several DNS records for XMPP servers, stored in the hcoop.net domtool configuration.
3.2. Static files in hcoop.net/.well-known
XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP) requires two files to be accessible from https://hcoop.net:
These list BOSH and WebSocket endpoints and may need to be adjusted when adding/removing ejabberd servers.
4. Old content
Might be relevant in the future -- we have a single server setup at the moment, and are not managing the erlang cookie for example.
4.1. Erlang Cookie
All nodes must have the same erlang cookie. When installing a new node replace the default Debian cookie with one copied from ~ejabberd/.erlang_cookie.