Installation Script for XMPP Server With Tor Hidden Service and Off-the-Record Messaging
This script contains "Paranoid Prosody" settings for a Jabber/XMPP server configuration like OTR.im and is forked from https://github.com/NSAKEY/paranoid-prosody. It has been modified to force Prosody XMPP server to use strong SSL/TLS ciphers, disable logging, add OTR, and some other "paranoid" things. It also sets up Tor to provide a hidden service for Prosody.
This is a script to bootstrap a Debian server to be a set-and-forget Prosody server. It's been tested on Debian Bookworm and should work on any other maintained version (with minor tweaks for release and package names).
This script performs the following tasks:
- Upgrades all the software on the system
- Adds the deb.torproject.org and the packages.prosody.im/debian repositories to apt, so Prosody and Tor updates come directly from the source.
- Installs and configures Prosody with reasonably-paranoid defaults.
- Installs and configures Tor to be a hidden service for Prosody (You can also manually edit torrc to make SSH an authenticated hidden service)
- Configures sane default firewall rules
- Configures automatic updates
- Triggers Let's Encrypt certificate generation (You can skip if you want and create self-signed certs)
- Gives instructions on what the sysadmin needs to manually do at the end
To use it, set up a new Debian server, SSH into it, switch to the root user, and:
git clone https://github.com/seandiggity/xmpp-server-tor.git
cd xmpp-server-tor
./bootstrap.sh
- Try SSHing into this server again in a new window as well as connecting to XMPP, to confirm the firewall isn't broken.
- This script uses
certbot
and Let's Encrypt by default to generate SSL/TLS certificates. See: https://prosody.im/doc/letsencrypt
- If you used OpenSSL to generate certificates, run
cat /etc/prosody/certs/xmpp.crt
and submit its contents to your friendly neighborhood Certificate Authority.
- Configure DNS. Example (replace
example.org
with your domain):
SRV _xmpp-client._tcp 3600 10 0 5222 example.org.
SRV _xmpp-server._tcp 3600 10 0 5269 example.org.
-
Edit
/etc/prosody/prosody.cfg.lua
so that all cases ofexample.org
are replaced with your domain. -
After you reboot, you can run
aa-enforce /etc/apparmor.d/usr.bin.prosody
to update apparmor rules. -
After the reboot, be sure to run
cat /var/lib/tor/xmpp/hostname
to get your Tor hidden service address. -
The option to allow SSH as an authenticated Tor hidden service has been supplied. Just read the comments in
/etc/tor/torrc
-
To create an account, run
prosodyctl adduser [email protected]
See: https://prosody.im/doc/creating_accounts -
It is recommended to use a XMPP client like CoyIM to connect via OTR and Tor. See: https://coy.im
- Remember to reboot the server after you've made changes.