###################
Prosody XMPP Server
###################

Initial Installation
####################

Install the following packages::

    apt-get install prosody lua-dbi-sqlite3 lua-zlib lua-cyrussasl libsasl2-modules-gssapi-mit

Grant the host permission to the service/xmpp directory::

    fs sa /afs/acm.jhu.edu/service/xmpp rcmd.crimea rl
    fs sa /afs/acm.jhu.edu/service/xmpp/snapshot rcmd.crimea rlidwk

SSL Setup
---------

Follow the instructions in :ref:`jhu-upstreams_ssl` to get an SSL certificate.
Land the key in ``/etc/prosody/certs/xmpp.acm.jhu.edu.key`` and the cert,
followed by intermediate certs, in ``/etc/prosody/certs/xmpp.acm.jhu.edu.crt``.
Check your work with (yes, the file needs to be given twice) ::

    openssl verify -CAfile /etc/prosody/certs/xmpp.acm.jhu.edu.crt /etc/prosody/certs/xmpp.acm.jhu.edu.crt

.. note::

   Prosody is particular about the order of the certificates in its
   certificate file. Make sure that the server's own certificate comes first
   by running
   ``openssl x509 -noout -text -in /etc/prosody/certs/xmpp.acm.jhu.edu.crt``
   and making sure that the Subject is as expected. If it isn't, you will get
   mysterious "no shared cipher" failures!

Build dhparams::

    openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048

Set up SASL
-----------

In ``/etc/prosody/prosody.cfg.lua``, set the following options globally::

    authentication = "cyrus"
    cyrus_service_name = "prosody"
    cyrus_service_realm = ""
    c2s_require_encryption = true
    s2s_secure_auth = true

Create ``/etc/sasl/prosody.conf`` with the following contents::

    pwcheck_method: saslauthd
    mech_list: PLAIN GSSAPI

Adjust ``/etc/default/saslauthd`` ::

    START=yes
    MECHANISMS=kerberos5

And run ::

    addgroup prosody sasl

Set up virtual host
-------------------

In ``/etc/prosody/prosody.cfg.lua``, add the following stanza::

    VirtualHost "xmpp.acm.jhu.edu"
        enabled = true

        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
            key = "/etc/prosody/certs/xmpp.acm.jhu.edu.key";
            certificate = "/etc/prosody/certs/xmpp.acm.jhu.edu.crt";
            options = { "no_sslv2", "no_ticket", "no_compression", "no_sslv3" };
            dhparam = "/etc/prosody/certs/dh-2048.pem";
            protocol = "tlsv1_2+";
        }

Add XMPP glue to DNS
--------------------

Add a SRV record or two for XMPP clients and servers in DNS::

    _xmpp-client._tcp IN SRV 5 0 5222 crimea.acm.jhu.edu.
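
The certificate-order check from the SSL Setup note can be scripted instead of read by eye. The following is an added example, not part of the original page or of Prosody; the helper name ``check_leaf_first`` is hypothetical, and it assumes the ``openssl`` command-line tool is installed.

```shell
#!/bin/sh
# Added example: confirm the server (leaf) certificate is FIRST in a PEM bundle.
# check_leaf_first is a hypothetical helper name, not part of Prosody or OpenSSL.
# Usage: check_leaf_first BUNDLE.crt PRIVATE.key EXPECTED_HOST
check_leaf_first() {
    crt=$1; key=$2; host=$3

    # "openssl x509" parses only the first certificate in the file, which is
    # the one that must be the server's own.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || {
        echo "ERROR: cannot read a certificate from $crt" >&2; return 2; }
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || {
        echo "ERROR: cannot read a private key from $key" >&2; return 2; }

    # If an intermediate was pasted first, its public key will not match
    # the server's private key.
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: first certificate in $crt does not belong to $key" >&2
        return 1
    fi

    # The same check the note does by eye: the Subject must name the host.
    subject=$(openssl x509 -noout -subject -in "$crt")
    case $subject in
        *"$host"*) ;;
        *) echo "FAIL: expected $host in Subject, got: $subject" >&2
           return 1 ;;
    esac
    echo "OK: leaf certificate for $host is first and matches the key"
}

# Run directly with three arguments, e.g. the paths used on this page:
#   sh check_leaf_first.sh /etc/prosody/certs/xmpp.acm.jhu.edu.crt \
#       /etc/prosody/certs/xmpp.acm.jhu.edu.key xmpp.acm.jhu.edu
if [ "$#" -eq 3 ]; then
    check_leaf_first "$@"
fi
```

The function returns 0 on success, 1 when the order or Subject is wrong, and 2 when a file cannot be parsed, so it can gate a deployment step before Prosody is restarted.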