Poddery - Diaspora, Matrix and XMPP: Difference between revisions

(13 intermediate revisions by 3 users not shown)

Line 1:

We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social ~~netowrk~~, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides ~~Riot~~ client (accessed by a web browser), which can be used to connect to any Matrix server without installing ~~a Riot~~ app~~/client~~.

We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social network, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Element client (accessed by a web browser), which can be used to connect to any Matrix server without installing the Element app.

= Environment =

Line 18:

=== Chat/XMPP ===

* ~~[https://prosody~~.~~im/ Prosody] is used as the XMPP~~ server ~~which is modern and lightweight~~.

* This is moved to Durare.org server Virtual Host. See https://gitlab.com/piratemovin/diasp.in/-/wikis/XMPP-durare.org-setup

* Currently installed version is 0.11.2 which is available in [https://~~packages.debian~~.~~org~~/~~buster~~/~~prosody Debian Buster]~~.

* All XEPs are enabled which the [https://~~conversations.im~~/ ~~Conversations app] support~~.

=== Chat/Matrix ===

Line 35:

Line 33:

== Backend Services ==

=== Web Server / Reverse Proxy ===

* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.

* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix. By default all https requests to 443 are passed to diaspora. Requests starting with

*#_matrix|_synapse is passed to synapse main service and

*#_matrix/media is passed to synapse media worker

=== Database ===

Line 57:

= Coordination =

* [https://codema.in/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making

* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com]

* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com] also bridged to xmpp [xmpp:poddery.com-support@chat.yax.im?join poddery.com-support@chat.yax.im]

* [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks

Line 234:

* These services must be enabled:

matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service

matrix-synapse@synchrotron.service

matrix-synapse@federation_reader.service

matrix-synapse@event_creator.service

matrix-synapse@federation_sender.service

matrix-synapse@pusher.service

matrix-synapse@user_dir.service

matrix-synapse@media_repository.service

matrix-synapse@frontend_proxy.service

matrix-synapse@client_reader.service

matrix-synapse@synchrotron_2.service

To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code>

Line 247:

Line 256:

== Chat/XMPP ==

* ~~Steps for setting up Prosody is given at~~ https://~~wiki~~.~~debian.org~~/~~Diaspora~~/~~XMPP~~

* See https://gitlab.com/piratemovin/diasp.in/-/wikis/XMPP-durare.org-setup

~~# Follow steps 1 to 6 from https://wiki~~.~~debian.org/Diaspora~~/~~XMPP and then run the following:~~

~~mysql -u root~~ -~~p # Enter password from the access repo~~

~~CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';~~

~~GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';~~

~~FLUSH PRIVILEGES;~~

~~systemctl restart prosody~~

* Install plugins

~~# Make sure <code>mercurial<~~/~~code> is installed~~

cd /~~etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules~~

~~=== Set Nginx Conf for BOSH URLS ===~~

* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:

~~upstream chat_cluster {~~

~~server localhost:5280;~~

}

~~location /http~~-~~bind {~~

~~proxy_set_header X-Real-IP $remote_addr;~~

~~proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;~~

~~proxy_set_header Host $http_host;~~

~~proxy_set_header X-Forwarded-Proto https;~~

~~proxy_redirect off;~~

~~proxy_connect_timeout 5;~~

~~proxy_buffering off;~~

~~proxy_read_timeout 70;~~

~~keepalive_timeout 70;~~

~~send_timeout 70;~~

~~client_max_body_size 4M;~~

~~client_body_buffer_size 128K;~~

~~proxy_pass http://chat_cluster;~~

}

* [https://wiki.diasporafoundation.org~~/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare~~-~~apache here].~~

== TLS ==

Line 319:

Line 292:

''34 2 * * 1 /etc/init.d/prosody reload''

* Manually updating TLS certificate:

===SSL certificate renewal===

~~letsencrypt certonly --webroot --agree-tos -w~~ /~~usr~~/~~share/diaspora~~/~~public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -~~d ~~fund.poddery.com -w~~ /~~usr~~/~~share/diaspora/public/save~~ -~~d save.poddery.com~~ -~~w /var/www/riot~~ -~~d chat~~.poddery.~~com~~

On the 12th of October 2025, all the certificates were removed and were recreated. [https://codema.in/d/XUfAOrPW/poddery-server-certificates-recreated This thread] documents all those steps.

* To include an additional subdomain such as fund.~~poddery.com use with --expand parameter as shown below~~

letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com

When renewing certificates on the poddery server, make sure to follow the following steps.

# Stop nginx by running

sudo systemctl stop nginx

# Renew certificates for all the domains

sudo certbot renew

Follow the prompts by certbot to renew certificates for all the domains.

# Start nginx after the renewal is successful

sudo systemctl start nginx

==Backup==

Line 453:

Line 437:

$ ps -ef | grep receiver

===Backup steps on 7th Jan 2025===

====Matrix-synapse====

For synapse, the following files were backed up:

* Dump of postgresql database using `pg_dump`

* `/etc/matrix-synapse` - contains config files

* `/var/lib/static/synapse/media` -- contains uploaded media files

In order to access the poddery server from the backup server (with your public ssh keys added to both the servers in `~/.ssh/authorized-keys`), run the following command in your local system:<syntaxhighlight lang="bash">

eval "$(ssh-agent -s)"

</syntaxhighlight>followed by<syntaxhighlight>

ssh user@server -o "ForwardAgent yes" -o "AddKeysToAgent yes"

</syntaxhighlight>on the local system.

The dump was taken using the command from the [https://element-hq.github.io/synapse/latest/usage/administration/backups.html#quick-and-easy-database-backup-and-restore official docs]:<syntaxhighlight>

ssh user@poddery-server 'sudo -u postgres pg_dump -Fc --exclude-table-data e2e_one_time_keys_json synapse' > synapse-2025-01-07.dump

</syntaxhighlight>

====Prosody====

For backing up prosody, the following were copied:

* Dump of the database using `mysqldump`

* `/var/lib/prosody` for media files

* `/etc/prosody` for config files

For taking the dump, the following was run from the backup-server

ssh user@poddery-server 'mysqldump -u prosody --password="$(cat <path/to/password-file>)" prosody | gzip' > backups/prosody-backup.sql.gz

</syntaxhighlight>

Backup of `/var/lb/prosody` was taken using following steps:

* Create a tar file of prosody directory

cd /var/lib && sudo tar -czvf ~user/var.lib.prosody-2025-01-07.tar.gz prosody

</syntaxhighlight>

* Make user as owner of compressed file:

cd && chown user: var.lib.prosody-2025-01-07.tar.gz

</syntaxhighlight>

* Use `scp` to transfer tar file to the backup-server

scp -P <port-for-ssh-on-backup-server> ./var.lib.prosody-2025-01-07.tar.gz backup-user@backup-server:directory-to-backup

</syntaxhighlight>

= Troubleshooting =

== Allow XMPP login even if diaspora account is closed ==

Diaspora has a [https://github.com/diaspora/diaspora/blob/develop/Changelog.md#new-maintenance-feature-to-automatically-expire-inactive-accounts default setting] to close accounts that have been inactive for 2 years. At the time of writing, there seems [https://github.com/diaspora/diaspora/issues/5358#issuecomment-371921462 no way] to reopen a closed account. This also means that if your account is closed, you will no longer be able to login to the associated XMPP service as well. Here we discuss a workaround to get access back to the XMPP account.

The prosody module [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua mod_auth_diaspora] is used for diaspora-based XMPP auth. It checks if <code>locked_at</code> value in the <code>users</code> table of diaspora db is <code>null</code> [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L89 here] and [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L98 here]. If your account is locked, it will have the <code>datetime</code> value that represents the date and time at which your account is locked. Setting it back to <code>null</code> will let you use your XMPP account again.

-- Replace <username> with actual username of the locked account

UPDATE users SET locked_at=NULL WHERE username='<username>';

NOTE: Matrix account won't be affected even if the associated diaspora account is closed because it uses a [https://pypi.org/project/synapse-diaspora-auth/ custom auth module] which works differently.

= History =

@@ Line 1: / Line 1: @@
-We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social netowrk, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Riot client (accessed by a web browser), which can be used to connect to any Matrix server without installing a Riot app/client.
+We run decentralized and federated [https://diasporafoundation.org/ Diaspora] social network, [https://xmpp.org/ XMPP] and [https://matrix.org Matrix] instant messaging services at [https://poddery.com poddery.com]. Along with Diaspora, Poddery username and password can be used to access XMPP and Matrix services as well. [https://chat.poddery.com chat.poddery.com] provides Element client (accessed by a web browser), which can be used to connect to any Matrix server without installing the Element app.
 = Environment =
@@ Line 18: / Line 18: @@
 === Chat/XMPP ===
-* [https://prosody.im/ Prosody] is used as the XMPP server which is modern and lightweight.
+* This is moved to Durare.org server Virtual Host. See https://gitlab.com/piratemovin/diasp.in/-/wikis/XMPP-durare.org-setup
-* Currently installed version is 0.11.2 which is available in [https://packages.debian.org/buster/prosody Debian Buster].
-* All XEPs are enabled which the [https://conversations.im/ Conversations app] support.
 === Chat/Matrix ===
@@ Line 35: / Line 33: @@
 == Backend Services ==
 === Web Server / Reverse Proxy ===
-* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix.
+* Nginx web server which also acts as front-end (reverse proxy) for Diaspora and Matrix. By default all https requests to 443 are passed to diaspora. Requests starting with
+*#_matrix|_synapse is passed to synapse main service and
+*#_matrix/media is passed to synapse media worker
 === Database ===
@@ Line 57: / Line 57: @@
 = Coordination =
 * [https://codema.in/g/2bjVXqAu/fosscommunity-in-poddery-com-maintainer-s-group Loomio group] - Mainly used for decision making
-* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com]
+* Matrix room - [https://matrix.to/#/#poddery:poddery.com #poddery:poddery.com] also bridged to xmpp [xmpp:poddery.com-support@chat.yax.im?join poddery.com-support@chat.yax.im]
 * [https://git.fosscommunity.in/community/poddery.com/issues Issue tracker] - Used for tracking progress of tasks
@@ Line 234: / Line 234: @@
 * These services must be enabled:
-  matrix-synapse@synchrotron.service matrix-synapse@federation_reader.service matrix-synapse@event_creator.service matrix-synapse@federation_sender.service matrix-synapse@pusher.service matrix-synapse@user_dir.service matrix-synapse@media_repository.service matrix-synapse@frontend_proxy.service matrix-synapse@client_reader.service matrix-synapse@synchrotron_2.service
+  matrix-synapse@synchrotron.service
+ matrix-synapse@federation_reader.service
+ matrix-synapse@event_creator.service
+ matrix-synapse@federation_sender.service
+ matrix-synapse@pusher.service
+ matrix-synapse@user_dir.service
+ matrix-synapse@media_repository.service
+ matrix-synapse@frontend_proxy.service
+ matrix-synapse@client_reader.service
+ matrix-synapse@synchrotron_2.service
 To load balance between the 2 synchrotrons, We are running [https://github.com/Sorunome/matrix-synchrotron-balancer matrix-synchrotron-balancer]. It has a systemd file at <code>/etc/systemd/system/matrix-synchrotron-balancer</code>. The files are in <code>/opt/matrix-synchrotron-balancer</code>
@@ Line 247: / Line 256: @@
 == Chat/XMPP ==
-* Steps for setting up Prosody is given at https://wiki.debian.org/Diaspora/XMPP
+* See https://gitlab.com/piratemovin/diasp.in/-/wikis/XMPP-durare.org-setup
- # Follow steps 1 to 6 from https://wiki.debian.org/Diaspora/XMPP and then run the following:
- mysql -u root -p # Enter password from the access repo
- CREATE USER 'prosody'@'localhost' IDENTIFIED BY '<passwd_in_repo>';
- GRANT ALL PRIVILEGES ON diaspora_production.* TO 'prosody'@'localhost';
- FLUSH PRIVILEGES;
- systemctl restart prosody
-* Install plugins
- # Make sure <code>mercurial</code> is installed
- cd /etc && hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
-=== Set Nginx Conf for BOSH URLS ===
-* Add the following in <code>nginx</code> configuration file to enable the BOSH URL to make JSXC Working:
- upstream chat_cluster {
-   server localhost:5280;
- }
- location /http-bind {
-   proxy_set_header X-Real-IP $remote_addr;
-   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-   proxy_set_header Host $http_host;
-   proxy_set_header X-Forwarded-Proto https;
-   proxy_redirect off;
-   proxy_connect_timeout 5;
-   proxy_buffering       off;
-   proxy_read_timeout    70;
-   keepalive_timeout     70;
-   send_timeout          70;
-   client_max_body_size 4M;
-   client_body_buffer_size 128K;
-   proxy_pass http://chat_cluster;
- }
-* [https://wiki.diasporafoundation.org/Integration/Chat#Nginx See here] for more details on <code>nginx</code> configuration. Alternatively, <code>apache</code> settings can be found [https://github.com/jsxc/jsxc/wiki/Prepare-apache here].
 == TLS ==
@@ Line 319: / Line 292: @@
   ''34 2 * * 1 /etc/init.d/prosody reload''
-* Manually updating TLS certificate:
+===SSL certificate renewal===
- letsencrypt certonly --webroot --agree-tos -w /usr/share/diaspora/public  -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save -d save.poddery.com -w /var/www/riot -d chat.poddery.com
+On the 12th of October 2025, all the certificates were removed and were recreated. [https://codema.in/d/XUfAOrPW/poddery-server-certificates-recreated This thread] documents all those steps.
-* To include an additional subdomain such as fund.poddery.com use with --expand parameter as shown below
-  letsencrypt certonly --webroot --agree-tos --expand -w /usr/share/diaspora/public -d poddery.com -d www.poddery.com -d test.poddery.com -d groups.poddery.com -d fund.poddery.com -w /usr/share/diaspora/public/save/ -d save.poddery.com -w /var/www/riot/ -d chat.poddery.com
+When renewing certificates on the poddery server, make sure to follow the following steps.
+# Stop nginx by running
+ sudo systemctl stop nginx
+# Renew certificates for all the domains
+ sudo certbot renew
+Follow the prompts by certbot to renew certificates for all the domains.
+# Start nginx after the renewal is successful
+  sudo systemctl start nginx
 ==Backup==
@@ Line 453: / Line 437: @@
   $ ps -ef | grep receiver
+===Backup steps on 7th Jan 2025===
+====Matrix-synapse====
+For synapse, the following files were backed up:
+* Dump of postgresql database using `pg_dump`
+* `/etc/matrix-synapse` - contains config files
+* `/var/lib/static/synapse/media` -- contains uploaded media files
+In order to access the poddery server from the backup server (with your public ssh keys added to both the servers in `~/.ssh/authorized-keys`), run the following command in your local system:<syntaxhighlight lang="bash">
+eval "$(ssh-agent -s)"
+</syntaxhighlight>followed by<syntaxhighlight>
+ssh user@server -o "ForwardAgent yes" -o "AddKeysToAgent yes"
+</syntaxhighlight>on the local system.
+The dump was taken using the command from the [https://element-hq.github.io/synapse/latest/usage/administration/backups.html#quick-and-easy-database-backup-and-restore official docs]:<syntaxhighlight>
+ssh user@poddery-server 'sudo -u postgres pg_dump -Fc --exclude-table-data e2e_one_time_keys_json synapse' > synapse-2025-01-07.dump
+</syntaxhighlight>
+====Prosody====
+For backing up prosody, the following were copied:
+* Dump of the database using `mysqldump`
+* `/var/lib/prosody` for media files
+* `/etc/prosody` for config files
+For taking the dump, the following was run from the backup-server
+<syntaxhighlight lang="bash">
+ssh user@poddery-server 'mysqldump -u prosody --password="$(cat <path/to/password-file>)" prosody | gzip' > backups/prosody-backup.sql.gz
+</syntaxhighlight>
+Backup of `/var/lb/prosody` was taken using following steps:
+* Create a tar file of prosody directory
+<syntaxhighlight>
+cd /var/lib && sudo tar -czvf ~user/var.lib.prosody-2025-01-07.tar.gz prosody
+</syntaxhighlight>
+* Make user as owner of compressed file:
+<syntaxhighlight>
+cd && chown user: var.lib.prosody-2025-01-07.tar.gz
+</syntaxhighlight>
+* Use `scp` to transfer tar file to the backup-server
+<syntaxhighlight>
+scp -P <port-for-ssh-on-backup-server> ./var.lib.prosody-2025-01-07.tar.gz backup-user@backup-server:directory-to-backup
+</syntaxhighlight>
+= Troubleshooting =
+== Allow XMPP login even if diaspora account is closed ==
+Diaspora has a [https://github.com/diaspora/diaspora/blob/develop/Changelog.md#new-maintenance-feature-to-automatically-expire-inactive-accounts default setting] to close accounts that have been inactive for 2 years. At the time of writing, there seems [https://github.com/diaspora/diaspora/issues/5358#issuecomment-371921462 no way] to reopen a closed account. This also means that if your account is closed, you will no longer be able to login to the associated XMPP service as well. Here we discuss a workaround to get access back to the XMPP account.
+The prosody module [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua mod_auth_diaspora] is used for diaspora-based XMPP auth. It checks if <code>locked_at</code> value in the <code>users</code> table of diaspora db is <code>null</code> [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L89 here] and [https://gist.github.com/jhass/948e8e8d87b9143f97ad#file-mod_auth_diaspora-lua-L98 here]. If your account is locked, it will have the <code>datetime</code> value that represents the date and time at which your account is locked. Setting it back to <code>null</code> will let you use your XMPP account again.
+ -- Replace <username> with actual username of the locked account
+ UPDATE users SET locked_at=NULL WHERE username='<username>';
+NOTE: Matrix account won't be affected even if the associated diaspora account is closed because it uses a [https://pypi.org/project/synapse-diaspora-auth/ custom auth module] which works differently.
 = History =