
Diff for "DaemonAdmin/EJabberD"

Differences between revisions 5 and 6
Revision 5 as of 2020-08-23 22:04:29
Size: 1174
Editor: ClintonEbadi
Comment: updated docs, move to DaemonAdmin with others
Revision 6 as of 2020-08-23 22:15:32
Size: 1339
Editor: ClintonEbadi
Comment: dust off a bit, collect details on everything configured outside of puppet here
Line 2 (revision 5) / Line 2 (revision 6):
Removed:
= Jabber Admin =
Line 4 (revision 5) / Line 3 (revision 6):
Removed:
== Jabber Daemon ==
Added:
<<TableOfContents>>

== Daemon ==
Line 8 (revision 5) / Line 9 (revision 6):
Removed:
== Erlang Cookie ==
Added:
== Installation ==

Installation is handled by Puppet class `hcoop::service::xmpp::ejabberd`. It will automatically use the HCoop TLS certificate, set up krb5 authentication, and open the needed firewall ports.

== Additional Config ==

A few things are not managed by Puppet.

=== DNS Records ===

We need several DNS records for the XMPP service, stored in the `hcoop.net` domtool configuration: at minimum the `_xmpp-client._tcp` and `_xmpp-server._tcp` SRV records (RFC 6120) that point clients and peer servers at the host and ports (5222 and 5269) of the ejabberd server. Like the `.well-known` files below, they need updating when ejabberd servers are added or removed.

=== Static files in hcoop.net/.well-known ===

[[https://xmpp.org/extensions/xep-0156.html|XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP)]] requires two files to be accessible from https://hcoop.net:

 * https://hcoop.net/.well-known/host-meta
 * https://hcoop.net/.well-known/host-meta.json

These list the BOSH and WebSocket endpoints and may need to be adjusted when adding or removing ejabberd servers. Clients connect to whatever these files advertise, so they must be served only over HTTPS with a valid hcoop.net certificate and should only advertise `https://` and `wss://` endpoints; anyone able to edit them could redirect web clients, and the credentials they send, to a server of their choosing.
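As an added example (not HCoop's actual files and not code from the XEP), the script below generates both XEP-0156 files from a single endpoint list, parses them back, and checks that the two files agree and that every advertised endpoint uses TLS. The host names and paths are constructed placeholders; the TLS-only rule is a local policy, not a requirement of XEP-0156 itself.

```python
"""Generate and check /.well-known/host-meta and /.well-known/host-meta.json (XEP-0156).

Added illustration, not HCoop's or ejabberd's code.  ENDPOINTS holds constructed
placeholder URLs, not HCoop's real BOSH/WebSocket addresses.
"""
import json
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
REL_BOSH = "urn:xmpp:alt-connections:xbosh"
REL_WS = "urn:xmpp:alt-connections:websocket"

# Constructed sample: one BOSH and one WebSocket endpoint.  With several
# ejabberd servers there would be one pair per server, and both files must
# be regenerated whenever a server is added or removed.
ENDPOINTS = [
    (REL_BOSH, "https://xmpp1.example.net:5280/bosh"),
    (REL_WS, "wss://xmpp1.example.net:5280/websocket"),
]


def host_meta_xml(endpoints):
    """Render the XRD document served as /.well-known/host-meta."""
    xrd = ET.Element("XRD", xmlns=XRD_NS)
    for rel, href in endpoints:
        ET.SubElement(xrd, "Link", rel=rel, href=href)
    return '<?xml version="1.0"?>\n' + ET.tostring(xrd, encoding="unicode")


def host_meta_json(endpoints):
    """Render the JRD document served as /.well-known/host-meta.json."""
    links = [{"rel": rel, "href": href} for rel, href in endpoints]
    return json.dumps({"links": links}, indent=2)


def parse_host_meta(xml_text):
    """Return [(rel, href), ...] from an XRD document (namespace-aware)."""
    root = ET.fromstring(xml_text)
    return [(link.get("rel"), link.get("href")) for link in root.iter(f"{{{XRD_NS}}}Link")]


def parse_host_meta_json(json_text):
    """Return [(rel, href), ...] from a JRD document."""
    return [(link["rel"], link["href"]) for link in json.loads(json_text).get("links", [])]


def check_files(xml_text, json_text):
    """Return a list of problems (empty means OK).

    Local policy: both files must advertise the same endpoints, BOSH must be
    https:// and WebSocket must be wss://, since clients will send their
    password to whatever is listed here.
    """
    problems = []
    xml_links = parse_host_meta(xml_text)
    json_links = parse_host_meta_json(json_text)
    if sorted(xml_links) != sorted(json_links):
        problems.append("host-meta and host-meta.json differ")
    for rel, href in xml_links:
        scheme = urlparse(href).scheme
        if rel == REL_BOSH and scheme != "https":
            problems.append(f"BOSH endpoint not https: {href}")
        elif rel == REL_WS and scheme != "wss":
            problems.append(f"WebSocket endpoint not wss: {href}")
        elif rel not in (REL_BOSH, REL_WS):
            problems.append(f"unknown link relation: {rel}")
    return problems


if __name__ == "__main__":
    # Write both files into ./.well-known and report the self-check result.
    os.makedirs(".well-known", exist_ok=True)
    with open(os.path.join(".well-known", "host-meta"), "w") as fh:
        fh.write(host_meta_xml(ENDPOINTS))
    with open(os.path.join(".well-known", "host-meta.json"), "w") as fh:
        fh.write(host_meta_json(ENDPOINTS))
    print(check_files(host_meta_xml(ENDPOINTS), host_meta_json(ENDPOINTS)) or "ok")
```

Run it to regenerate the two files after changing the endpoint list, or import it and pass the contents fetched from https://hcoop.net/.well-known/ to `check_files` as a post-change check.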


== Old content ==

This may become relevant again: we run a single server at the moment and, for example, do not manage the Erlang cookie.

=== Erlang Cookie ===
Line 12 (revision 5) / Line 39 (revision 6):
Removed:
== SSL Certificate ==
Line 14 (revision 5) / Line 40 (revision 6):
Removed (the remaining sections of revision 5):
We require TLS for all connections to the jabber daemon: with PAM/krb5 authentication the client has to send its actual Kerberos password for the server to check, so without TLS that password would cross the network in the clear.

When installing a new node make sure to copy `/etc/ejabberd/ejabberd.pem` from another node. The current certificate is valid until 2018 and signed by the HCoop CA. (This predates the Puppet-managed HCoop TLS certificate described under Installation.)

== Firewall ==

The IANA service names `xmpp-client` (port 5222) and `xmpp-server` (port 5269) must be open to the world at large.

For ferm:

{{{
proto tcp dport (xmpp-client xmpp-server) ACCEPT;
}}}

Port `4369` (epmd, the Erlang port mapper daemon) must be open to all other `ejabberd` nodes, but should '''not''' be open to the world at large: epmd and the Erlang distribution listeners it advertises are protected only by the shared Erlang cookie, and anyone who can connect with the right cookie can run arbitrary code as the `ejabberd` user. The restriction has to be on the source address (ferm `saddr`; `daddr` matches the destination, i.e. this host), which unfortunately requires maintaining a list of node IPs at present (we really should rewrite fwtool). Note that epmd alone is not enough for clustering: each node's distribution listener uses a dynamically chosen port unless it is pinned with the Erlang kernel options `inet_dist_listen_min`/`inet_dist_listen_max`, and that range must be opened to the other nodes too.

{{{
# epmd from the other ejabberd nodes only; the pinned distribution port range needs a matching rule
proto tcp saddr (...) dport 4369 ACCEPT;
}}}

== PAM Configuration ==

{{{#!wiki caution
TODO
}}}

Unchanged between revisions 5 and 6, and therefore not shown in the diff above, is the body of the Erlang Cookie section:

All nodes must have the same Erlang cookie. When installing a new node, replace the default Debian cookie with one copied from `~ejabberd/.erlang_cookie`. The cookie is the only credential in the Erlang distribution handshake: anyone who can reach a node's epmd or distribution port and knows the cookie can execute arbitrary code as the `ejabberd` user, so the file must stay mode 0400 and owned by `ejabberd` (Erlang refuses to use a cookie file with wider permissions), and it must never be checked into a public repository.
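To see why every node needs the same cookie, and why it must be kept secret, here is an added model (not ejabberd or HCoop code) of the challenge/response step of the Erlang distribution handshake, using the digest rule given in the Erlang distribution protocol documentation: digest = MD5(cookie ++ challenge as decimal text). The node names and cookies are constructed; the message framing, node names and capability flags of the real handshake are left out. The last function shows the attacker's side: one sniffed challenge/digest pair is enough to guess a weak cookie offline, which is why the cookie should be the long random one Erlang generates and not a word someone chose.

```python
"""Model of the Erlang distribution cookie handshake (added illustration, not ejabberd code).

Digest rule from the Erlang distribution protocol docs:
    gen_digest(Challenge, Cookie) = erlang:md5([Cookie | integer_to_list(Challenge)])
Node names and cookies below are constructed examples.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def gen_digest(challenge: int, cookie: str) -> bytes:
    """MD5 over the cookie followed by the challenge written in decimal."""
    return hashlib.md5(cookie.encode("latin-1") + str(challenge).encode("ascii")).digest()


class Node:
    """One side of the handshake: holds its cookie and the challenge it issued."""

    def __init__(self, name: str, cookie: str) -> None:
        self.name = name          # e.g. "ejabberd@node1" (constructed)
        self.cookie = cookie
        self.challenge: Optional[int] = None

    def new_challenge(self) -> int:
        """Issue a fresh 32-bit random challenge (replay protection)."""
        self.challenge = secrets.randbits(32)
        return self.challenge

    def answer(self, peer_challenge: int) -> bytes:
        """Prove cookie knowledge for the peer's challenge."""
        return gen_digest(peer_challenge, self.cookie)

    def verify(self, digest: bytes) -> bool:
        """Check the peer's proof against our own outstanding challenge."""
        expected = gen_digest(self.challenge, self.cookie)
        return hmac.compare_digest(expected, digest)


def handshake(initiator: Node, acceptor: Node) -> bool:
    """Challenge / challenge_reply / challenge_ack; True iff both hold the same cookie."""
    chal_b = acceptor.new_challenge()        # send_challenge (B -> A)
    chal_a = initiator.new_challenge()       # A's own challenge, carried in ...
    digest_a = initiator.answer(chal_b)      # ... send_challenge_reply (A -> B)
    if not acceptor.verify(digest_a):
        return False                         # B closes the connection
    digest_b = acceptor.answer(chal_a)       # send_challenge_ack (B -> A)
    return initiator.verify(digest_b)        # A checks B knows the cookie as well


def recover_cookie(challenge: int, digest: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's view: offline guessing from one captured (challenge, digest) pair."""
    for candidate in candidates:
        if gen_digest(challenge, candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    a, b = Node("ejabberd@node1", "SECRETCOOKIE"), Node("ejabberd@node2", "SECRETCOOKIE")
    print("same cookie:", handshake(a, b))
    print("different cookie:", handshake(a, Node("ejabberd@node3", "OTHERCOOKIE")))
    chal = 4242
    print("guessed weak cookie:", recover_cookie(chal, gen_digest(chal, "monkey"),
                                                 ["password", "monkey", "letmein"]))
```

The handshake authenticates both directions but encrypts nothing, and a weak cookie falls to a dictionary guess from a single captured exchange; nothing here replaces the firewall rule restricting epmd and the distribution ports to the other ejabberd nodes.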


CategorySystemAdministration

DaemonAdmin/EJabberD (last edited 2020-08-29 20:43:11 by ClintonEbadi)