Jump to content

Navigation menu

Note: Currently new registrations are closed, if you want an account Contact us

Difference between revisions of "Poddery - Diaspora, Matrix and XMPP"

Poddery - Diaspora, Matrix and XMPP (view source)

Revision as of 00:19, 2 May 2019

1,706 bytes added ,  00:19, 2 May 2019
→‎Configuration and Maintenance
Line 124: Line 124:
  ufw allow ssh
  ufw allow ssh
  ufw enable
  ufw enable
# Verify everything is setup properly
ufw status


* <code>fail2ban</code> configured against brute force attacks:
* <code>fail2ban</code> configured against brute force attacks:
Line 132: Line 135:
   
   
  # Restart SSH and enable fail2ban
  # Restart SSH and enable fail2ban
  sudo systemctl restart ssh
  systemctl restart ssh
  sudo systemctl enable fail2ban
  systemctl enable fail2ban
  sudo systemctl start fail2ban
  systemctl start fail2ban
   
   
  # To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following
  # To unban an IP, first check <code>/var/log/fail2ban.log</code> to get the banned IP and then run the following
Line 144: Line 147:
  apt install diaspora-installer
  apt install diaspora-installer


* Move MySQL data to encrypted partition
* Move MySQL data to encrypted partition:
  # Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code>
  # Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code>
  systemctl stop mysql
  systemctl stop mysql
  mv /var/lib/mysql /var/lib/db
systemctl disable mysql
  ln -s /var/lib/db/mysql /var/lib/mysql
  mv /var/lib/mysql /var/lib/db/
  ln -s /var/lib/db/mysql /var/lib/
  systemctl start mysql
  systemctl start mysql
* Move static files to encrypted partition:
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code>
mkdir /var/lib/static/diaspora
mv /usr/share/diaspora/public/uploads /var/lib/static/diaspora
ln -s /var/lib/static/diaspora/uploads /usr/share/diaspora/public/
chown -R diaspora: /var/lib/static/diaspora


* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).
* Modify configuration files at <code>/etc/diaspora</code> and <code>/etc/diaspora.conf</code> as needed (backup of the current configuration files are available in the [[#Server_Access|access repo]]).
Line 155: Line 166:
  # Make sure <code>git</code> and <code>acl</code> packages are installed
  # Make sure <code>git</code> and <code>acl</code> packages are installed
  # Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code>
  # Grant <code>rwx</code> permissions for the ssh user to <code>/usr/share/diaspora/public</code>
  sudo setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public
  setfacl -m "u:<ssh_user>:rwx" /usr/share/diaspora/public
   
   
  # Clone poddery.com repo
  # Clone poddery.com repo
Line 173: Line 184:
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.
* Nginx is used as reverse proxy to send requests that has <code>/_matrix/*</code> in URL to Synapse on port <code>8008</code>. This is configured in <code>/etc/nginx/sites-enabled/diaspora</code>.
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.
* Shamil's [https://git.fosscommunity.in/necessary129/synapse-diaspora-auth Synapse Diaspora Auth] script is used to authenticate Synapse with Diaspora database.
* Move PostgreSQL data to encrypted partition:
# Make sure <code>/dev/data/db</code> is mounted to <code>/var/lib/db</code>
systemctl stop postgresql
systemctl disable postgresql
mv /var/lib/postgres /var/lib/db/
ln -s /var/lib/db/postgres /var/lib/
systemctl start postgresql


=== Workers ===
* Move static files to encrypted partition:
For scalability, Poddery running [https://github.com/matrix-org/synapse/blob/master/docs/workers.rst workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com
# Make sure <code>/dev/data/static</code> is mounted to <code>/var/lib/static</code>
 
mkdir /var/lib/static/synapse
A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).
mv /var/lib/matrix-synapse/uploads /var/lib/static/synapse/
ln -s /var/lib/static/synapse/uploads /var/lib/matrix-synapse/
mv /var/lib/matrix-synapse/media /var/lib/static/synapse/
ln -s /var/lib/static/synapse/media /var/lib/matrix-synapse/
chown -R matrix-synapse: /var/lib/static/synapse


The worker config can be found at <code>/etc/matrix-synapse/workers</code>
* Install identity server <code>mxisd</code> (<code>deb</code> package available [https://github.com/kamax-matrix/mxisd/blob/master/docs/install/debian.md here])
 
Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code>
 
These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:


=== Workers ===
* For scalability, Poddery running [https://github.com/matrix-org/synapse/blob/master/docs/workers.rst workers]. Currently all workers specified in that page, expect <code>synapse.app.appservice</code> is running on poddery.com
* A new service [https://gist.github.com/necessary129/5dfbb140e4727496b0ad2bf801c10fdc <code>matrix-synapse@.service</code>] is installed for the workers (Save the <code>synape_worker</code> file somewhere like <code>/usr/local/bin/</code> or something).
* The worker config can be found at <code>/etc/matrix-synapse/workers</code>
* Synapse needs to be put under a reverse proxy see <code>/etc/nginx/sites-enabled/matrix</code>. A lot of <code>/_matrix/</code> urls needs to be overridden too see <code>/etc/nginx/sites-enabled/diaspora</code>
* These lines must be added to <code>homeserver.yaml</code> as we are running <code>media_repository</code>, <code>federation_sender</code>, <code>pusher</code>, <code>user_dir</code> workers respectively:
   enable_media_repo: False
   enable_media_repo: False
   send_federation: False
   send_federation: False
Line 190: Line 214:
   update_user_directory: false
   update_user_directory: false


These services must be enabled, and added to <code>Requires</code> and <code>Before</code> sections of the original <code>matrix-synapse.service</code>:
* These services must be enabled, and added to <code>Requires</code> and <code>Before</code> sections of the original <code>matrix-synapse.service</code>:
  matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service
  matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service


=== Synapse Updation ===
=== Synapse Updation ===
First check [https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst synapse/UPGRADE.rst] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code>
* First check [https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst synapse/UPGRADE.rst] to see if anything extra needs to be done. Then, just run <code>/root/upgrade-synapse</code>


=== Riot-web Updation ===  
=== Riot-web Updation ===  
* https://chat.poddery.com/#/welcome
* Just run <code>/var/www/get-riot</code> and reload <code>nginx</code>
  # Backup current riot-web folder from <code>riot</code> to <code>riot-backup</code>
  wget https://github.com/vector-im/riot-web/releases/download/v1.0.1/riot-v1.0.1.tar.gz
  tar -xvf riot-v1.01.tar.gz
  cp -r riot-v1.0.1/* /var/www/riot/
  rm -rf ./riot-v1.0.1*
  # Transfer the old <code>config.json</code>, <code>home.html</code>, <code>home-status.html</code> from <code>riot-backup</code> to <code>/var/www/riot/</code>
  systemctl reload nginx


== Chat/XMPP ==
== Chat/XMPP ==
Line 210: Line 227:
  # Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:
  # Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:
  mysql -u root -p # Enter password from the access repo
  mysql -u root -p # Enter password from the access repo
 
  CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';
  CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';
  GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';
  GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';
  FLUSH PRIVILEGES;
  FLUSH PRIVILEGES;
 
  systemctl restart prosody
  systemctl restart prosody
* Install plugins
# Make sure <code>mercurial</code> is installed
cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules


=== Set Nginx Conf for BOSH URLS ===
=== Set Nginx Conf for BOSH URLS ===
Line 242: Line 263:


== TLS ==
== TLS ==
 
* Install <code>letsencrypt</code>.
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.
* Ensure proper permissions are set for <code>/etc/letsencrypt</code> and its contents.
  chown -R root:ssl-cert /etc/letsencrypt
  chown -R root:ssl-cert /etc/letsencrypt
  chmod g+r -R /etc/letsencrypt
  chmod g+r -R /etc/letsencrypt
  chmod g+x /etc/letsencrypt/{archive,live}
  chmod g+x /etc/letsencrypt/{archive,live}
 
* Generate certificates. For more details see https://certbot.eff.org.
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:
* Make sure the certificates used by <code>diaspora</code> are symbolic links to letsencrypt default location:
ls -l /etc/diaspora/ssl
''total 0
''lrwxrwxrwx 1 root root 47 Apr  2 22:47 poddery.com-bundle.pem -> /etc/letsencrypt/live/poddery.com/fullchain.pem''
''lrwxrwxrwx 1 root root 45 Apr  2 22:48 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''
# If you don't get the above output, then run the following:
  cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem
  cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/diaspora/ssl/poddery.com-bundle.pem
  cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key
  cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/diaspora/ssl/poddery.com.key
Line 257: Line 284:
  ''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''
  ''lrwxrwxrwx 1 root root 40 Mar 28 01:16 poddery.com.crt -> /etc/letsencrypt/live/poddery.com/fullchain.pem''
  ''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''
  ''lrwxrwxrwx 1 root root 33 Mar 28 01:16 poddery.com.key -> /etc/letsencrypt/live/poddery.com/privkey.pem''
# If you don't get the above output, then run the following:
cp -L /etc/letsencrypt/live/poddery.com/fullchain.pem /etc/prosody/certs/poddery.com.crt
cp -L /etc/letsencrypt/live/poddery.com/privkey.pem /etc/prosody/certs/poddery.com.key


* Cron jobs:
* Cron jobs:
Retrieved from "https://wiki.fsci.in/Special:MobileDiff/10804"