|
Size: 469
Comment: initial jabber admin notes
|
Size: 1790
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Jabber Admin = | ## page was renamed from JabberAdmin |
| Line 3: | Line 3: |
| == Jabber Daemon == | <<TableOfContents>> == Daemon == |
| Line 7: | Line 9: |
| == SSL Certificate == | We are compliant with [[https://xmpp.org/extensions/xep-0423.html|XEP-0423: XMPP Compliance Suites 2020]]. We have a STUN server, STUNS server, and TURNS (TURN over TLS) enabled, but not a UDP TURN server (unclear if using UDP TURN would result in some client sending member credentials unencrypted, or if only the temporary credentials offered by `mod_stun_disco` are used). If you think we should enable TURN over UDP, please contact the admins. |
| Line 9: | Line 11: |
| We require TLS communication with the jabber daemon to avoid exposing Kerberos passwords. | == Installation == |
| Line 11: | Line 13: |
| When installing a new node make sure to copy `/etc/ejabberd/ejabberd.pem` from another node. The current certificate is valid until 2018 and signed by the HCoop CA. | Installation is handled by Puppet class `hcoop::service::xmpp::ejabberd`. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports. |
| Line 13: | Line 15: |
| == PAM Configuration == | == Additional Config == |
| Line 15: | Line 17: |
| {{{#!wiki caution TODO }}} |
A few things are not managed by Puppet. === DNS Records === We need several DNS records for XMPP servers, stored in the `hcoop.net` domtool configuration. === Static files in hcoop.net/.well-known === [[https://xmpp.org/extensions/xep-0156.html|XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP)]] requires two files to be accessible from https://hcoop.net: * https://hcoop.net/.well-known/host-meta * https://hcoop.net/.well-known/host-meta.json These list BOSH and WebSocket endpoints and may need to be adjusted when adding/removing ejabberd servers. == Old content == Might be relevant in the future -- we have a single server setup at the moment, and are not managing the erlang cookie for example. === Erlang Cookie === All nodes must have the same erlang cookie. When installing a new node replace the default Debian cookie with one copied from `~ejabberd/.erlang_cookie`. |
Contents
1. Daemon
We use ejabberd
We are compliant with XEP-0423: XMPP Compliance Suites 2020. We have a STUN server, STUNS server, and TURNS (TURN over TLS) enabled, but not a UDP TURN server (unclear if using UDP TURN would result in some client sending member credentials unencrypted, or if only the temporary credentials offered by mod_stun_disco are used). If you think we should enable TURN over UDP, please contact the admins.
2. Installation
Installation is handled by Puppet class hcoop::service::xmpp::ejabberd. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports.
3. Additional Config
A few things are not managed by Puppet.
3.1. DNS Records
We need several DNS records for XMPP servers, stored in the hcoop.net domtool configuration.
3.2. Static files in hcoop.net/.well-known
XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP) requires two files to be accessible from https://hcoop.net:
These list BOSH and WebSocket endpoints and may need to be adjusted when adding/removing ejabberd servers.
4. Old content
Might be relevant in the future -- we have a single server setup at the moment, and are not managing the erlang cookie for example.
4.1. Erlang Cookie
All nodes must have the same erlang cookie. When installing a new node replace the default Debian cookie with one copied from ~ejabberd/.erlang_cookie.